Greetings!
This morning I heard (from the security-basics mailing list, of all places) that there's a zero-day vulnerability going around for WebDAV on Windows 2003. I always like a good vulnerability early in the week, so I decided to write an Nmap script to find it!
The first open script I found was Metasploit's, so I had a look at how that works. It was so simple, I didn't even have to look at the source -- a packet capture was enough.
How do I use it?
At a high level, all you need to do is update Nmap from SVN and run it with the following option:
--script=http-iis-webdav-vuln
In more detail...
Obtaining Nmap from SVN
Run the following command:
svn co --username guest --password "" svn://svn.insecure.org/nmap/
Then compile it:
cd nmap
./configure
make
sudo make install
What if I don't have SVN?
Then you're doing it the hard way...
- Make sure you're at Nmap 4.85 beta 9 or higher.
- Find the script http.lua. It'll be in a folder called 'nselib'; for example, /usr/local/share/nmap/nselib/http.lua. Replace it with this version.
- In that folder (nselib), there's a directory called 'data'. Put folders.lst in it.
- Go up one directory, and there should be a directory called 'scripts'; for example, /usr/local/share/nmap/scripts. Put http-iis-webdav-vuln.nse in it.
Once you've done all that, you're good to go.
How do I run it?
Running it is as simple as running Nmap itself. Here's the simplest case:
nmap -sV --script=http-iis-webdav-vuln <target>
With -sV, every port found to be running HTTP will be probed, but it'll take a while. For a quicker check, try this:
nmap -p80,8080 --script=http-iis-webdav-vuln <target>
But keep in mind that it'll only check the two most common ports for Web servers.
Finally, if you know the name of a password-protected folder on the system, provide it directly:
nmap -p80,8080 --script=http-iis-webdav-vuln --script-args=webdavfolder=secret <target>
or
nmap -p80,8080 --script=http-iis-webdav-vuln --script-args=webdavfolder=\"my/folder/secret\" <target>
(note the backslashes -- they may not be required in the future)
How accurate is it?
This script relies on finding a password-protected folder, so it won't be 100% accurate. I have a list of around 850 common folder names, but that definitely won't find everything.
If you provide a folder name yourself using the webdavfolder argument, you're going to have a lot more luck. As far as I know, once it has the name of a real password-protected folder, it's 100% reliable. The trick is finding one.
Unfortunately, there doesn't appear to be a good way to check if a server has WebDAV enabled. So, there's no easy check that I know of.
How does it work?
This is the part I like -- how does it work?
Well, the answer is simple -- it works the same as the Metasploit Auxiliary module. Here's what it does:
Step 1: Find a password-protected folder
I have a great big list of folders from a long time ago. I honestly don't know where I got it from, but if you created it and want credit, just hit me up. If you created it and you're pissed off that I stole it.. well, don't hit me up. :) -- But seriously, I don't want to take away anybody's credit, so let me know.
Anyway, it checks the HTTP status code for each folder. If the response is 404 Not Found or 200 OK, we don't care. In fact, we care about very little -- we're only looking for one status code: 401 Unauthorized.
Step 2: Exploit it!
After we find a password-protected folder, there's only one thing left to do: exploit it! This is done by putting a Unicode-encoded string at the beginning of the URL. Thus, "/private" becomes "/%c0%afprivate". If the response remains 401 Unauthorized, the server is not vulnerable (it may be non-IIS6, or it may not be using WebDAV). If the response becomes 207 Multi-Status, we're vulnerable! That's it!
The script will list all folders found to be vulnerable.
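Since the post doesn't say why that prefix works, here's an added example (mine, not code from the Nmap script or from Metasploit) that shows the mechanism and a way to spot it in your own logs. The bytes %c0%af are an "overlong" two-byte UTF-8 encoding of '/' (U+002F): a conforming decoder rejects it, but a lenient decoder that just masks off the continuation bits turns it into a plain '/'. The usual explanation for this class of bug, which I'm assuming here rather than taking from the post, is that the server checks authorization against the raw path (where "/%c0%afprivate" looks like nothing it protects) but serves the leniently decoded path, which is "/private". The log format below (date, time, method, URI, status) is a constructed, simplified one, not a claim about the exact layout of IIS's W3C logs; the sample lines are made up.

```python
# Added example: overlong UTF-8 decoding and a log check for the
# "/%c0%af" WebDAV bypass described above.  Not part of the original
# post or of the Nmap script; the log format and sample lines are constructed.
from urllib.parse import unquote_to_bytes
import re


def find_overlong(data: bytes):
    """Return (offset, codepoint) for each overlong UTF-8 sequence in data.

    Lead bytes 0xC0/0xC1 are always overlong two-byte forms; 0xE0 followed by a
    byte below 0xA0, and 0xF0 followed by a byte below 0x90, are overlong three-
    and four-byte forms.  A conforming decoder rejects all of them.
    """
    hits, i = [], 0

    def cont(b):  # continuation byte: 10xxxxxx
        return 0x80 <= b < 0xC0

    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and cont(data[i + 1]):
            hits.append((i, ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        elif (b == 0xE0 and i + 2 < len(data)
              and 0x80 <= data[i + 1] < 0xA0 and cont(data[i + 2])):
            hits.append((i, ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6)
                         | (data[i + 2] & 0x3F)))
            i += 3
        elif (b == 0xF0 and i + 3 < len(data) and 0x80 <= data[i + 1] < 0x90
              and cont(data[i + 2]) and cont(data[i + 3])):
            hits.append((i, ((b & 0x07) << 18) | ((data[i + 1] & 0x3F) << 12)
                         | ((data[i + 2] & 0x3F) << 6) | (data[i + 3] & 0x3F)))
            i += 4
        else:
            i += 1
    return hits


def lenient_decode(data: bytes) -> str:
    """The unsafe behaviour: decode UTF-8 without rejecting overlong forms.
    Malformed bytes become U+FFFD so the function never raises."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        n = (1 if b < 0x80 else 2 if 0xC0 <= b < 0xE0 else
             3 if 0xE0 <= b < 0xF0 else 4 if 0xF0 <= b < 0xF8 else 0)
        chunk = data[i:i + n]
        if n == 0 or len(chunk) < n or any(not 0x80 <= c < 0xC0 for c in chunk[1:]):
            out.append('\ufffd')
            i += 1
            continue
        cp = (b & (0x7F >> n)) if n > 1 else b   # strip the length-marker bits
        for c in chunk[1:]:
            cp = (cp << 6) | (c & 0x3F)
        out.append(chr(cp) if cp <= 0x10FFFF else '\ufffd')
        i += n
    return ''.join(out)


def strict_decode(data: bytes):
    """The safe behaviour: Python's codec rejects overlong sequences."""
    try:
        return data.decode('utf-8')
    except UnicodeDecodeError:
        return None


def normalize_path(raw_uri: str) -> str:
    """What a lenient server ends up serving: percent-decode, decode leniently,
    collapse repeated slashes.  "/%c0%afprivate" and "/private" both map to "/private"."""
    return re.sub(r'/+', '/', lenient_decode(unquote_to_bytes(raw_uri)))


# Constructed sample log: date time method uri status (simplified format).
SAMPLE_LOG = """\
2009-06-01 01:35:52 PROPFIND /private 401
2009-06-01 01:35:53 PROPFIND /%c0%afprivate 207
2009-06-01 01:35:54 GET /index.html 200
2009-06-01 01:35:55 PROPFIND /%c0%afpublic 207
2009-06-01 01:35:56 PROPFIND /docs 207
"""


def scan_log(text: str):
    """Flag requests whose URI contains overlong UTF-8.  If the same normalized
    path was refused with 401 in its plain form and the overlong form got a 207,
    report a successful bypass; otherwise report a probe."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _date, _time, method, uri, status = parts
        rows.append((method, uri, status, normalize_path(uri),
                     bool(find_overlong(unquote_to_bytes(uri)))))
    denied = {norm for _m, _u, st, norm, ol in rows if st == '401' and not ol}
    findings = []
    for method, uri, status, norm, overlong in rows:
        if not overlong:
            continue
        kind = 'bypass' if status == '207' and norm in denied else 'probe'
        findings.append((kind, method, uri, status))
    return findings


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The fix on the decoding side is the strict behaviour: reject overlong sequences outright instead of normalizing them, so the path the access check sees and the path that gets served are the same string. On the monitoring side, any request whose URI decodes to an overlong sequence is worth an alert on its own; a 401 on the plain path followed by a 207 on the prefixed one is the signature of the check this script performs succeeding.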
How do I exploit it for real?
That's a great question! But, my answer is a cop out right now: I'll get back to you. I suspect that it's possible (and easy) to exploit with free tools, such as Paros and the freely available portion of Burp Suite, but I haven't had a chance to try it out. When I do, I'll post a new blog!
thank you for the post. However the ".nse" file that is available for download returns an error. I went to hxxp://nmap.org/nsedoc/scripts/http-iis-webdav-vuln.html and it appears to be working.
Thanks
Aha, it's because we re-named the script after I uploaded it. Good catch!
Ron
The OPTIONS HTTP Method isn't reliable to detect if a webserver is WebDAV enabled?
It returns a 'DAV:1,2' which is returned only when the IIS has WebDAV enabled.
OPTIONS can detect if it's enabled, but OPTIONS can be disabled (and it's best practice to do so -- I expect that most corporate environments disable it). Our method doesn't rely on OPTIONS, but seems to be totally reliable.
We're planning on using OPTIONS as a backup plan if the '/' folder is password protected, though. At least then we'll have something.
So, we looked into it, and it turns out that you can't use OPTIONS if '/' is password protected. We've been unable to find any situation where OPTIONS would work and our way ('PROPFIND') wouldn't. On the other hand, there ARE situations where OPTIONS fails (due to being disabled on the server) but where PROPFIND still works, so we're going to continue using that as our default (and only) method of checking.
We wrote an implementation that uses OPTIONS if the PROPFIND fails, but since we couldn't find any situation where PROPFIND fails, we decided not to commit it. It was adding extra complexity with no gain.
Thanks for the suggestion, though!
Ron
Thanks for creating this tool !
On some of the IIS servers that I run the tool against, I get the error "This web server is not supported".
They are Windows 2003 servers.
Any idea why I get this error?
Pat:
That error shows up when a "propfind /" request returns neither a 501 nor a 207.
We only ever received those two responses from our lab Windows machines, but we assumed that some configurations may return something else. That is why if you add a '-d' to the nmap command line (debug mode, level 1), it will actually print out what type of response it receives that is neither 501 nor 207.
So run it again with -d and paste the line (you can grep for PROPFIND) it outputs.
"This script relies on finding a password-protected folder, so it won't be 100% accurate. I have a list of around 850 common folder names, but that definitely won't find everything."
Hi Mr,
Can you send me the file folders.lst with the 850 common folder names please, thank you very much!
Best regards,
@hoahongtim: it's linked in the list, http://www.skullsecurity.org/blogdata/folders.lst
You can get much MUCH larger ones from an OWASP project whose name escapes me at the moment.
@Andrew: I get the following with -d.
Against port 80:
================
NSE: http-iis-webdav-vuln: Root folder is not password protected, continuing...
NSE: http-iis-webdav-vuln: PROPFIND request failed with "HTTP/1.1 403 Forbidden"
Against port 443:
================
NSE: http-iis-webdav-vuln: Root folder is not password protected, continuing...
NSE: http-iis-webdav-vuln: PROPFIND request failed with "HTTP/1.1 411 Length Required".
We were getting the same errors as Andrew and Pat - "PROPFIND request failed with HTTP/1/1 Length Required", then realized we had failed to put the http.lua and folders.lst files in the nselib and data folders respectively. (files available above) Once the new files were there, problem solved.
Hello,
I get the error "This web server is not supported." on some win 2003 servers.
Here is the -d output:
PROPFIND request failed with "HTTP/1.1 400 Bad Request"
(even if webdav is disabled or enabled)
Any idea please ?
Thanks.
Hello Ron,
I tried scanning in my local submit and it seems to be working ok, however when I scan a server outside of my segment (another office) the performance is very low and the result takes a long time (even with -PN or T4, or even just with port 80).
@Zack: It's because the script is doing a bruteforce to find the folder. To improve performance, trim down the folders.lst file or replace it with a smaller set. The advantage is it'll do it in parallel, so while it takes a long time for one box, it won't take significantly longer for two or three or ten.
Thank you for the explanation Ron, by the way netcat should be able to detect this one like checking the Webdav is enabled to an identified IIS.
Thank you for letting us leave a reply without forcing us to create an account. It saves time
Hi man i get this result:
NSE: NSE Script Threads (1) running:
NSE: Starting http-iis-webdav-vuln against xxxxxx:80.
NSE: http-iis-webdav-vuln: Root folder is not password protected, continuing...
NSE: http-iis-webdav-vuln: WebDAV is ENABLED (PROPFIND was successful).
NSE: Finished http-iis-webdav-vuln against xxxxx:80.
Completed NSE at 01:35, 6.44s elapsed
NSE: Script Scanning completed.
Host xxxxxx is up, received reset (0.00049s latency).
Scanned at 2009-06-01 01:35:52 CLT for 6s
Interesting ports on xxxxxx:
PORT STATE SERVICE REASON
80/tcp open http syn-ack
|_ http-iis-webdav-vuln: WebDAV is ENABLED. No protected folder found; check not run. If you know a protected folder, add --script-args=webdavfolder=
Final times for host: srtt: 486 rttvar: 3872 to: 100000
Read from .: nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 6.66 seconds
Is it really scanning the WHOLE folder.lst?
@brandnewman: Yes, unless something's gone horribly wrong.
Why, when I scan using the Nmap Windows version, does Nmap say WebDAV is enabled,
but when I use BackTrack to scan, Nmap says WebDAV is error and it can't list my folder?
I scan an IIS 6 server on Windows 2003 with Nmap v5, but I get this error. Please help me!
PORT STATE SERVICE
80/tcp open http
|_http-iis-webdav-vuln: ERROR: This web server is not supported.
@blackjack -- it means that WebDAV isn't supported on the server, so you are probably non-vulnerable.