Security Hero Rotating Header Image

IIS admins, help finding WebDAV remotely using nmap, (Sun, May 24th)

IIS admins, help finding WebDAV remotely using nmap, (Sun, May 24th)

If you are concerned about the recent IIS 6.0 WebDav Remote Auth Bypass vulnerability, you will be interested on detecting if you are running WebDAV and if you are vulnerable. You can do that locally or remotelly. I can identify scenarios were both methods are useful to audit internal or external web servers.
For local testing, please follow Adrien’s diary from a couple of days ago.
For remote testing you can use our good friend nmap, and a new NSE script (http-iis-webdav-vuln) by Ron Bowes. I’ve been using it on a recent penetration test, but it can be equally used in your vulnerability assessments and pre-incident handling tasks following two easy steps:

Download/Update compile nmap from the SVN repository:

$ svn co –username guest –password svn://
$ cd nmap
$ ./configure
$ make
$ sudo make install

Run the script just against your IIS web servers (specify the web server port accordingly, -p option):

$ nmap -n -PN -p80 –script=http-iis-webdav-vuln

The script doesn’t work directly against HTTPS web servers. Therefore, you need to make use of the nmap’s service detection capabilities (-sV) to make it work:

$ nmap -n -PN -sV -p443 –script=http-iis-webdav-vuln

This NSE script launches a kind of dictionary attack, searching for potential web server folders. If you want to avoid it, because you just want to test an existing specific folder or subfolder, use the –script-args=webdavfolder=PATH option to specify it (all in one line):

$ nmap -n -PN -p80 –script=http-iis-webdav-vuln

Leave a Reply

Your email address will not be published. Required fields are marked *