Scanning and Enumeration

Scanning

root@kali:/home/kali# nmap -sC -sV -p 80 10.10.10.15
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-24 00:24 EST
Nmap scan report for 10.10.10.15
Host is up (0.092s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods: 
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
| http-ntlm-info: 
|   Target_Name: GRANNY
|   NetBIOS_Domain_Name: GRANNY
|   NetBIOS_Computer_Name: GRANNY
|   DNS_Domain_Name: granny
|   DNS_Computer_Name: granny
|_  Product_Version: 5.2.3790
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan: 
|   Server Date: Tue, 24 Nov 2020 05:32:22 GMT
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Server Type: Microsoft-IIS/6.0
|_  WebDAV type: Unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Enumeration

The scan shows that the HTTP PUT method is allowed. This could give us the ability to save files on the web server. Since this is a Microsoft IIS web server, the file types it executes are ASP and ASPX.

Uploading ASP and ASPX files is not allowed. However, TXT and HTML files are allowed. Recall that PUT was not the only HTTP method available; we also have the MOVE method. MOVE can be used to change a file's location on the web server and can also be used to rename files. Let's upload an HTML file to the web server and rename it, changing the extension to ASPX.
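
A check a defender can run over saved nmap output to flag the pairing this paragraph relies on: a write method exposed together with MOVE or COPY, which makes an extension filter on upload ineffective. This is an added example, not part of the original writeup; the function names and the hardened sample are assumptions made for illustration.

```python
import re

# Sample input: the method lines from the nmap output above, embedded so this runs offline.
SAMPLE_SCAN = """\
| http-methods:
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
| http-webdav-scan:
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
"""
# Constructed sample: a server that only exposes read-only methods.
HARDENED_SCAN = """\
| http-methods:
|_  Supported Methods: GET HEAD OPTIONS
"""

# Method-list fields printed by the http-methods and http-webdav-scan scripts.
FIELDS = ("Potentially risky methods", "Supported Methods",
          "Allowed Methods", "Public Options")
WRITE = {"PUT"}             # creates a file on the server
RENAME = {"MOVE", "COPY"}   # gives an existing file a new name or extension

def parse_methods(scan_text):
    """Return {field name: set of methods} for every method list in the output."""
    found = {}
    for line in scan_text.splitlines():
        body = line.lstrip("|_ ").strip()   # drop nmap's tree-drawing prefix
        for field in FIELDS:
            if body.startswith(field + ":"):
                tokens = re.split(r"[,\s]+", body[len(field) + 1:].strip())
                found[field] = {t.upper() for t in tokens if t}
    return found

def audit(scan_text):
    """Summarise exposed methods and flag the upload-then-rename combination."""
    fields = parse_methods(scan_text)
    exposed = set().union(*fields.values())
    return {
        "exposed": exposed,
        # A filter that only inspects the uploaded name does not see the rename.
        "rename_bypass": bool(exposed & WRITE) and bool(exposed & RENAME),
        # Methods listed under Public Options but missing from Allowed Methods.
        "public_only": fields.get("Public Options", set())
                       - fields.get("Allowed Methods", set()),
    }

if __name__ == "__main__":
    for name, scan in (("sample", SAMPLE_SCAN), ("hardened", HARDENED_SCAN)):
        print(name, audit(scan))
```

On the scan above, PUT appears under Public Options and the risky-methods list but not under Allowed Methods, so `public_only` is worth reviewing alongside the main flag.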

Changing the Extension

This confirms that we can upload ASPX code on the server.
