SANS ISC: IIS admins, help finding WebDAV remotely using nmap

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

If you are concerned about the recent IIS 6.0 WebDav Remote Auth Bypass vulnerability, you will be interested on detecting if you are running WebDAV and if you are vulnerable. You can do that locally or remotelly. I can identify scenarios were both methods are useful to audit internal or external web servers.

For local testing, please follow Adrien's diary from a couple of days ago.

For remote testing you can use our good friend nmap, and a new NSE script (http-iis-webdav-vuln) by Ron Bowes. I've been using it on a recent penetration test, but it can be equally used in your vulnerability assessments and pre-incident handling tasks following two easy steps:

• Download/Update & compile nmap from the SVN repository:

$ svn co --username guest --password "" svn://svn.insecure.org/nmap/
$ cd nmap
$ ./configure
$ make
$ sudo make install

• Run the script just against your IIS web servers (specify the web server port accordingly, "-p" option):

$ nmap -n -PN -p80 --script=http-iis-webdav-vuln <target_web_server.domain.com>

• The script doesn't work directly against HTTPS web servers. Therefore, you need to make use of the nmap's service detection capabilities ("-sV") to make it work:

$ nmap -n -PN -sV -p443 --script=http-iis-webdav-vuln <target_web_server.domain.com>

This NSE script launches a kind of dictionary attack, searching for potential web server folders. If you want to avoid it, because you just want to test an existing specific folder or subfolder, use the "--script-args=webdavfolder=<PATH>" option to specify it (all in one line):

$ nmap -n -PN -p80 --script=http-iis-webdav-vuln 
  --script-args=webdavfolder="protected/webdav/folder/" <target_web_server.domain.com>

This is a listing of the most common output you can get:

• WebDAV is disabled on a HTTP server:

80/tcp open  http
|_ http-iis-webdav-vuln: WebDAV is DISABLED. Server is not currently vulnerable.

• WebDAV is disabled on a HTTPS server:

443/tcp open  ssl/http Microsoft IIS webserver 6.0
|_ http-iis-webdav-vuln: WebDAV is DISABLED. Server is not currently vulnerable.
Service Info: OS: Windows

• WebDAV is enabled on a HTTP server, but no folder was found:

80/tcp open  http
|_ http-iis-webdav-vuln: WebDAV is ENABLED. No protected folder found; check not run. 
If you know a protected folder, add --script-args=webdavfolder=<path>

• WebDAV is enabled on a HTTP server, but the specified folder is not vulnerable:

80/tcp open  http
|_ http-iis-webdav-vuln: WebDAV is ENABLED. Could not determine vulnerability of folder: 
/protected/webdav/folder

• WebDAV is enabled on a HTTP server, and vulnerable folders were found:

80/tcp open  http
|_ http-iis-webdav-vuln: WebDAV is ENABLED. Vulnerable folders discovered: /secret, /webdav

Please, audit ALL your web servers before anybody else does! ... and don't forget to look at your web server logs to check if someone is already testing it!

--
Raul Siles
www.raulsiles.com