WebDAV Scanning with Nmap

Greetings!

This morning I heard (from the security-basics mailing list, of all places) that there's a zero-day vulnerability going around for WebDAV on Windows 2003. I always like a good vulnerability early in the week, so I decided to write an Nmap script to find it!

The first open script I found was Metasploit's, so I had a look at how that works. It was so simple, I didn't even have to look at the source -- a packet capture was enough.

Read the module documentation

How do I use it?

At a high level, all you need to do is update Nmap from SVN and run it with the following option:

--script=http-iis-webdav-vuln

In more detail...

Obtaining Nmap from SVN

Run the following command:

svn co --username guest --password "" svn://svn.insecure.org/nmap/

Then compile it:

cd nmap
./configure
make
sudo make install

What if I don't have SVN?

Then you're doing it the hard way...

  1. Make sure you're at Nmap 4.85 beta 9 or higher.
  2. Find the script http.lua. It'll be in a folder called 'nselib'; for example, /usr/local/share/nmap/nselib/http.lua. Replace it with this version.
  3. In that folder (nselib), there's a directory called 'data'. Put folders.lst in it.
  4. Go up one directory, and there should be a directory called 'scripts'; for example, /usr/local/share/nmap/scripts. Put http-iis-webdav-vuln.nse in it.

Once you've done all that, you're good to go.

How do I run it?

Running it is as simple as running Nmap itself. Here's the simplest case:

nmap -sV --script=http-iis-webdav-vuln <target>

Every port running HTTP should be probed, but it'll take a while. For a quicker check, try this:

nmap -p80,8080 --script=http-iis-webdav-vuln <target>

But keep in mind that it'll only check the two most common ports for Web servers.

Finally, if you know the name of a password-protected folder on the system, provide it directly:

nmap -p80,8080 --script=http-iis-webdav-vuln --script-args=webdavfolder=secret <target>

or

nmap -p80,8080 --script=http-iis-webdav-vuln --script-args=webdavfolder=\"my/folder/secret\" <target>

(note the backslashes -- they may not be required in the future)

How accurate is it?

This script relies on finding a password-protected folder, so it won't be 100% accurate. I have a list of around 850 common folder names, but that definitely won't find everything.

If you provide a folder name yourself using the webdavfolder argument, you're going to have a lot more luck. As far as I know, once it has the name of a real password-protected folder, it's 100% reliable. The trick is finding one.

Unfortunately, there doesn't appear to be a good way to check whether a server has WebDAV enabled, so there's no easy check that I know of.

How does it work?

This is the part I like -- how does it work?

Well, the answer is simple -- it works the same as the Metasploit Auxiliary module. Here's what it does:

Step 1: Find a password protected folder

I have a great big list of folders from a long time ago. I honestly don't know where I got it from, but if you created it and want credit, just hit me up. If you created it and you're pissed off that I stole it.. well, don't hit me up. :) -- But seriously, I don't want to take away anybody's credit, so let me know.

Anyway, it checks the HTTP status code for each folder. If the status is 404 Not Found or 200 OK, we don't care. In fact, we care about very little -- we're only looking for one status code: 401 Unauthorized.

Step 2: Exploit it!

After we find a password-protected folder, there's only one thing left to do: exploit it! This is done by putting a Unicode-encoded string at the beginning of the URL. Thus, "/private" becomes "/%c0%afprivate". If the status remains 401 Unauthorized, the server is not vulnerable (it may be non-IIS6, or it may not be using WebDAV). If the status becomes 207 Multi-Status, we're vulnerable! That's it!

The script will list all folders found to be vulnerable.
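A defender-side counterpart to the check described above, as an added example that is not part of the original post or of the Nmap script: a Python scanner over IIS W3C-format log lines that flags PROPFIND requests whose path carries an overlong UTF-8 prefix, and reports whether the server answered 207 (the signature the script treats as vulnerable) or 401. The log lines are constructed for the example, and the code assumes the log preserves the percent-encoded path as the client sent it. It generalizes beyond the %c0%af case in the text to any overlong UTF-8 lead sequence (C0/C1, E0 followed by 80-9F, F0 followed by 80-8F).

```python
"""Flag overlong-UTF-8 WebDAV probes in IIS W3C log lines (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional

# Constructed sample log in IIS W3C extended format; not real traffic.
# Assumption: cs-uri-stem holds the percent-encoded path as the client sent it.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status sc-substatus
2009-05-18 14:02:11 10.0.0.5 GET /index.htm - 80 - 192.0.2.10 200 0
2009-05-18 14:02:12 10.0.0.5 PROPFIND /private - 80 - 192.0.2.10 401 2
2009-05-18 14:02:12 10.0.0.5 PROPFIND /%c0%afprivate - 80 - 192.0.2.10 207 0
2009-05-18 14:02:13 10.0.0.5 PROPFIND /%c0%afprivate - 80 - 192.0.2.10 401 2
2009-05-18 14:02:14 10.0.0.5 GET /%e0%80%afimages/logo.gif - 80 - 192.0.2.10 404 0
2009-05-18 14:02:15 10.0.0.5 PROPFIND / - 80 - 192.0.2.11 207 0
"""

# A UTF-8 sequence led by C0/C1, by E0 with a second byte in 80-9F, or by F0
# with a second byte in 80-8F encodes a code point that has a shorter valid
# form. Conforming encoders never emit these "overlong" forms, so one in a
# request path is a strong sign of a path-normalisation trick; %c0%af is an
# overlong encoding of '/'.
OVERLONG_RE = re.compile(
    r"%c[01]%[89ab][0-9a-f]"
    r"|%e0%[89][0-9a-f]%[89ab][0-9a-f]"
    r"|%f0%8[0-9a-f]%[89ab][0-9a-f]%[89ab][0-9a-f]",
    re.IGNORECASE,
)


@dataclass
class Finding:
    client: str
    method: str
    uri: str
    status: int
    kind: str  # "bypass-succeeded", "bypass-attempted" or "overlong-utf8"


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))


def has_overlong_utf8(uri: str) -> bool:
    """True if the percent-encoded path contains an overlong UTF-8 sequence."""
    return OVERLONG_RE.search(uri) is not None


def classify(entry: Dict[str, str]) -> Optional[Finding]:
    """Classify one log entry; None when it carries no overlong sequence."""
    uri = entry.get("cs-uri-stem", "")
    if not has_overlong_utf8(uri):
        return None
    method = entry.get("cs-method", "").upper()
    status = int(entry.get("sc-status", "0"))
    if method == "PROPFIND" and status == 207:
        kind = "bypass-succeeded"  # the post's "vulnerable" signature
    elif method == "PROPFIND":
        kind = "bypass-attempted"  # probe seen, but the server held the line
    else:
        kind = "overlong-utf8"     # same encoding trick with another method
    return Finding(entry.get("c-ip", "?"), method, uri, status, kind)


def scan(text: str) -> List[Finding]:
    """Run the classifier over a whole log and keep only the findings."""
    return [f for f in (classify(e) for e in parse_w3c(text)) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.kind:17} {f.client:12} {f.method} {f.uri} -> {f.status}")
```

The pattern worth alerting on is the pair: a 401 on a plain path followed, from the same client, by a 207 on the same path with an overlong prefix. The plain PROPFIND on "/" at the end of the sample is the script's "is WebDAV enabled" probe and is deliberately not flagged, since legitimate WebDAV clients send the same request.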

How do I exploit it for real?

That's a great question! But, my answer is a cop out right now: I'll get back to you. I suspect that it's possible (and easy) to exploit with free tools, such as Paros and the freely available portion of Burp Suite, but I haven't had a chance to try it out. When I do, I'll post a new blog!

20 thoughts on “WebDAV Scanning with Nmap”

  1. Robert

    thank you for the post. However the ".nse" file that is available for download returns an error. I went to hxxp://nmap.org/nsedoc/scripts/http-iis-webdav-vuln.html and it appears to be working.

    Thanks

  2. Ron Post author

    Aha, it's because we re-named the script after I uploaded it. Good catch!

    Ron

  3. Cha0s

    Isn't the OPTIONS HTTP method reliable for detecting whether a web server is WebDAV-enabled?

    It returns a 'DAV:1,2' which is returned only when the IIS has WebDAV enabled.

    1. Ron Post author

      OPTIONS can detect if it's enabled, but OPTIONS can be disabled (and it's best practise to do so -- I expect that most corporate environments disable it). Our method doesn't rely on OPTIONS, but seems to be totally reliable.

      We're planning on using OPTIONS as a backup plan if the '/' folder is password protected, though. At least then we'll have something.

  4. Ron Post author

    So, we looked into it, and it turns out that you can't use OPTIONS if '/' is password protected. We've been unable to find any situation where OPTIONS would work and our way ('PROPFIND') wouldn't. On the other hand, there ARE situations where OPTIONS fails (due to being disabled on the server) but where PROPFIND still works, so we're going to continue using that as our default (and only) method of checking.

    We wrote an implementation that uses OPTIONS if the PROPFIND fails, but since we couldn't find any situation where PROPFIND fails, we decided not to commit it. It was adding extra complexity with no gain.

    Thanks for the suggestion, though!
    Ron

  5. Pat

    Thanks for creating this tool!

    On some of the IIS servers that I run the tool against, I get the error "This web server is not supported".

    They are Windows 2003 servers.

    Any idea why I get this error?

  6. Andrew

    Pat:

    That error shows up when a "propfind /" request returns neither a 501 nor a 207.

    We only ever received those two responses from our lab Windows machines, but we assumed that some configurations may return something else. That is why if you add a '-d' to the nmap command line (debug mode, level 1), it will actually print out what type of response it receives that is not 501 nor 207.

    So run it again with -d and paste the line (you can grep for PROPFIND) it outputs.

  7. hoahongtim

    [b]This script relies on finding a password-protected folder, so it won’t be 100% accurate. I have a list of around 850 common folder names, but that definitely won’t find everything.[/b]

    Hi Mr,

    Can you send me the file folders.lst with 850 common folder names please, thank you very much!

    Best regards,

    1. Ron Post author

      @hoahongtim: it's linked in the list, http://www.skullsecurity.org/blogdata/folders.lst

      You can get much MUCH larger ones from an OWASP project whose name escapes me at the moment.

  8. Pat

    @Andrew: I get the following with -d.

    Against port 80:
    ================

    NSE: http-iis-webdav-vuln: Root folder is not password protected, continuing...
    NSE: http-iis-webdav-vuln: PROPFIND request failed with "HTTP/1.1 403 Forbidden"

    Against port 443:
    ================
    NSE: http-iis-webdav-vuln: Root folder is not password protected, continuing...
    NSE: http-iis-webdav-vuln: PROPFIND request failed with "HTTP/1.1 411 Length Required".

  9. Jellybean

    We were getting the same errors as Andrew and Pat - "PROPFIND request failed with HTTP/1/1 Length Required" - then realized we had failed to put the http.lua and folders.lst files in the nselib and data folders respectively (files available above). Once the new files were there, problem solved.

  10. Cagri Ersen

    Hello,

    I get the error "This web server is not supported." on some Win 2003 servers.

    Here is the -d output:
    PROPFIND request failed with "HTTP/1.1 400 Bad Request"
    (even if webdav is disabled or enabled)

    Any idea please ?

    Thanks.

  11. Zack

    Hello Ron,

    I tried scanning in my local subnet and it seems to be working OK; however, when I scan a server outside of my segment (another office) the performance is very low and the result takes time (even with -PN or T4, or even just with port 80).

    1. Ron Post author

      @Zack: It's because the script is doing a bruteforce to find the folder. To improve performance, trim down the folders.lst file or replace it with a smaller set. The advantage is it'll do it in parallel, so while it takes a long time for one box, it won't take significantly longer for two or three or ten.

  12. Zack

    Thank you for the explanation, Ron. By the way, netcat should be able to detect this one, like checking whether WebDAV is enabled on an identified IIS.

    Thank you for letting us leave a reply without forcing us to create an account. It saves time.

  13. brandnewman

    Hi man, I get this result:

    NSE: NSE Script Threads (1) running:
    NSE: Starting http-iis-webdav-vuln against xxxxxx:80.
    NSE: http-iis-webdav-vuln: Root folder is not password protected, continuing...
    NSE: http-iis-webdav-vuln: WebDAV is ENABLED (PROPFIND was successful).
    NSE: Finished http-iis-webdav-vuln against xxxxx:80.
    Completed NSE at 01:35, 6.44s elapsed
    NSE: Script Scanning completed.
    Host xxxxxx is up, received reset (0.00049s latency).
    Scanned at 2009-06-01 01:35:52 CLT for 6s
    Interesting ports on xxxxxx:
    PORT STATE SERVICE REASON
    80/tcp open http syn-ack
    |_ http-iis-webdav-vuln: WebDAV is ENABLED. No protected folder found; check not run. If you know a protected folder, add --script-args=webdavfolder=
    Final times for host: srtt: 486 rttvar: 3872 to: 100000

    Read from .: nmap-services.
    Nmap done: 1 IP address (1 host up) scanned in 6.66 seconds

    Is it really scanning the WHOLE folders.lst?

    1. Ron Post author

      @brandnewman: Yes, unless something's gone horribly wrong.

  14. josephine

    Why, when I scan using the Nmap Windows version, does Nmap say WebDAV is enabled, but when I use BackTrack to scan, Nmap says WebDAV is error and it can't list my folder?

  15. blackjack

    I scanned an IIS 6 server on Windows 2003 with Nmap v5, but I get this error. Please help me!
    PORT STATE SERVICE

    80/tcp open http

    |_http-iis-webdav-vuln: ERROR: This web server is not supported.

    1. Ron Bowes Post author

      @blackjack -- it means that WebDAV isn't supported on the server, so you are probably non-vulnerable.
