IIS admins, help finding WebDAV remotely using nmap
Last Updated: 2009-05-24 05:47:47 UTC
by Raul Siles (Version: 2)
If you are concerned about the recent unpatched IIS 6.0 WebDAV Remote Auth Bypass vulnerability (CVE-2009-1535), you will be interested in detecting whether you are running WebDAV and whether you are vulnerable. You can do that locally or remotely. I can identify scenarios where both methods are useful to audit internal or external web servers.
For local testing, please follow Adrien's diary from a couple of days ago.
For remote testing you can use our good friend nmap and a new NSE script (http-iis-webdav-vuln) by Ron Bowes and Andrew Orr. I've been using it on a recent penetration test, but it can equally be used in your vulnerability assessments and pre-incident handling tasks by following two easy steps:
- Download/Update & compile nmap from the SVN repository:
$ svn co --username guest --password "" svn://svn.insecure.org/nmap/
$ cd nmap
$ ./configure
$ make
$ sudo make install
- Run the script just against your IIS web servers (specify the web server port accordingly, "-p" option):
$ nmap -n -PN -p80 --script=http-iis-webdav-vuln <target_web_server.domain.com>
- The script doesn't work directly against HTTPS web servers. Therefore, you need to use nmap's service detection capabilities ("-sV") to make it work:
$ nmap -n -PN -sV -p443 --script=http-iis-webdav-vuln <target_web_server.domain.com>
This NSE script launches a kind of dictionary attack, searching for potential web server folders. If you want to avoid it, because you just want to test an existing specific folder or subfolder, use the "--script-args=webdavfolder=<PATH>" option to specify it (all in one line):
$ nmap -n -PN -p80 --script=http-iis-webdav-vuln --script-args=webdavfolder="protected/webdav/folder/" <target_web_server.domain.com>
This is a listing of the most common output you can get:
- WebDAV is disabled on an HTTP server:
80/tcp open http
|_ http-iis-webdav-vuln: WebDAV is DISABLED. Server is not currently vulnerable.
- WebDAV is disabled on an HTTPS server:
443/tcp open ssl/http Microsoft IIS webserver 6.0
|_ http-iis-webdav-vuln: WebDAV is DISABLED. Server is not currently vulnerable.
Service Info: OS: Windows
- WebDAV is enabled on an HTTP server, but no folder was found:
80/tcp open http
|_ http-iis-webdav-vuln: WebDAV is ENABLED. No protected folder found; check not run. If you know a protected folder, add --script-args=webdavfolder=<path>
- WebDAV is enabled on an HTTP server, but the specified folder is not vulnerable:
80/tcp open http
|_ http-iis-webdav-vuln: WebDAV is ENABLED. Could not determine vulnerability of folder: /protected/webdav/folder
- WebDAV is enabled on an HTTP server, and vulnerable folders were found:
80/tcp open http
|_ http-iis-webdav-vuln: WebDAV is ENABLED. Vulnerable folders discovered: /secret, /webdav
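When you audit many servers, the result strings listed above can be triaged automatically. The following is an added example, not part of the original diary or of the NSE script: it parses saved nmap normal output and orders the hosts that need follow-up. The host names, the two host header spellings and the status labels are assumptions of this example.

```python
import re

# Host header of nmap's normal output; both spellings are assumed here.
HOST_RE = re.compile(r"^(?:Nmap scan report for|Interesting ports on)\s+(.+?):?\s*$")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\b")
SCRIPT_RE = re.compile(r"http-iis-webdav-vuln:\s*(.*)$")

# Constructed sample, built from the output strings listed in the diary.
SAMPLE = """\
Nmap scan report for www1.example.test
80/tcp open  http
|_ http-iis-webdav-vuln: WebDAV is DISABLED. Server is not currently vulnerable.
Nmap scan report for www2.example.test
80/tcp open  http
|_ http-iis-webdav-vuln: WebDAV is ENABLED. Vulnerable folders discovered: /secret, /webdav
Interesting ports on www3.example.test (192.0.2.13):
443/tcp open  ssl/http Microsoft IIS webserver 6.0
|_ http-iis-webdav-vuln: WebDAV is ENABLED. No protected folder found; check not run. If you know a protected folder, add --script-args=webdavfolder=<path>
"""

def classify(message):  # one script result line -> (status, folders)
    if "WebDAV is DISABLED" in message:
        return "disabled", []
    if "Vulnerable folders discovered:" in message:
        folders = message.split("Vulnerable folders discovered:", 1)[1]
        return "vulnerable", [f.strip() for f in folders.split(",") if f.strip()]
    if "No protected folder found" in message:
        return "enabled-unchecked", []
    if "Could not determine vulnerability" in message:
        return "enabled-undetermined", [message.rsplit(":", 1)[1].strip()]
    return "unknown", []

def triage(nmap_output):
    results, host, port = [], None, None
    for line in nmap_output.splitlines():
        if m := HOST_RE.match(line):
            host, port = m.group(1), None
        elif m := PORT_RE.match(line):
            port = int(m.group(1))
        elif m := SCRIPT_RE.search(line):
            results.append((host, port, *classify(m.group(1))))
    return results

def follow_up(results):
    # Only a clear DISABLED is dropped: "check not run" is not "clean".
    order = {"vulnerable": 0, "enabled-undetermined": 1, "enabled-unchecked": 2, "unknown": 3}
    return sorted((r for r in results if r[2] != "disabled"), key=lambda r: order[r[2]])

if __name__ == "__main__":
    print(*follow_up(triage(SAMPLE)), sep="\n")
```

Hosts reported as "enabled-unchecked" are the ones to rescan with the webdavfolder script argument once you know a protected folder on them.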
Please, audit ALL your web servers before anybody else does! ... and don't forget to look at your web server logs to check if someone is already testing it!