NSEDoc

• Index
• NSE Documentation

Categories

• auth
• default
• discovery
• dos
• exploit
• external
• intrusive
• malware
• safe
• version
• vuln

Scripts

• afp-showmount
• asn-query
• auth-owners
• auth-spoof
• banner
• citrix-brute-xml
• citrix-enum-apps
• citrix-enum-apps-xml
• citrix-enum-servers
• citrix-enum-servers-xml
• couchdb-databases
• couchdb-stats
• daap-get-library
• daytime
• db2-das-info
• db2-info
• dhcp-discover
• dns-random-srcport
• dns-random-txid
• dns-recursion
• dns-service-discovery
• dns-zone-transfer
• finger
• ftp-anon
• ftp-bounce
• ftp-brute
• html-title
• http-auth
• http-date
• http-enum
• http-favicon
• http-headers
• http-iis-webdav-vuln
• http-malware-host
• http-methods
• http-open-proxy
• http-passwd
• http-trace
• http-userdir-enum
• http-vmware-path-vuln
• iax2-version
• imap-capabilities
• ipidseq
• irc-info
• ldap-brute
• ldap-rootdse
• lexmark-config
• mongodb-databases
• mongodb-info
• ms-sql-info
• mysql-brute
• mysql-databases
• mysql-empty-password
• mysql-info
• mysql-users
• mysql-variables
• nbstat
• nfs-showmount
• ntp-info
• oracle-sid-brute
• p2p-conficker
• pjl-ready-message
• pop3-brute
• pop3-capabilities
• pptp-version
• realvnc-auth-bypass
• robots.txt
• rpcinfo
• skypev2-version
• smb-brute
• smb-check-vulns
• smb-enum-domains
• smb-enum-groups
• smb-enum-processes
• smb-enum-sessions
• smb-enum-shares
• smb-enum-users
• smb-os-discovery
• smb-psexec
• smb-security-mode
• smb-server-stats
• smb-system-info
• smbv2-enabled
• smtp-commands
• smtp-open-relay
• smtp-strangeport
• sniffer-detect
• snmp-brute
• snmp-netstat
• snmp-processes
• snmp-sysdescr
• snmp-win32-services
• snmp-win32-shares
• snmp-win32-software
• snmp-win32-users
• socks-open-proxy
• sql-injection
• ssh-hostkey
• sshv1
• ssl-cert
• ssl-enum-ciphers
• sslv2
• telnet-brute
• upnp-info
• whois
• x11-access

Libraries

• afp
• asn1
• base64
• bin
• bit
• citrixxml
• comm
• datafiles
• dns
• http
• imap
• ipOps
• json
• ldap
• listop
• match
• mongodb
• msrpc
• msrpcperformance
• msrpctypes
• mysql
• netbios
• nmap
• nsedebug
• openssl
• packet
• pcre
• pop3
• proxy
• shortport
• smb
• smbauth
• snmp
• ssh1
• ssh2
• stdnse
• strbuf
• strict
• tab
• unpwdb
• url

File http-iis-webdav-vuln

Download: http://nmap.org/svn/scripts/http-iis-webdav-vuln.nse

User Summary

Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access secured WebDAV folders by searching for a password-protected folder and attempting to access it. This vulnerability was patched in Microsoft Security Bulletin MS09-020 http://www.microsoft.com/technet/security/bulletin/ms09-020.mspx.

A list of well known folders (almost 900) is used by default. Each one is checked, and if returns an authentication request (401), another attempt is tried with the malicious encoding. If that attempt returns a successful result (207), then the folder is marked as vulnerable.

This script is based on the Metasploit modules/auxiliary/scanner/http/wmap_dir_webdav_unicode_bypass.rb auxiliary module.

For more information on this vulnerability and script, see:

• http://blog.zoller.lu/2009/05/iis-6-webdac-auth-bypass-and-data.html
• http://seclists.org/fulldisclosure/2009/May/att-134/IIS_Advisory_pdf.bin
• http://www.skullsecurity.org/blog/?p=271
• http://www.kb.cert.org/vuls/id/787932
• http://www.microsoft.com/technet/security/advisory/971492.mspx

Script Arguments

basefolder

The folder to start in; eg, "/web" will try "/web/xxx"

folderdb

The filename of an alternate list of folders.

webdavfolder

Selects a single folder to use, instead of using a built-in list

http-max-cache-size, http.useragent, pipeline

See the documentation for the http library.

Example Usage

nmap --script http-iis-webdav-vuln -p80,8080 <host>

Script Output

80/tcp open  http    syn-ack
|_ http-iis-webdav-vuln: WebDAV is ENABLED. Vulnerable folders discovered: /secret, /webdav

Requires

• http
• shortport

---

categories vuln intrusive

author Ron Bowes and Andrew Orr

copyright © Same as Nmap--See http://nmap.org/book/man-legal.html

Functions

get_response (host, port, folder)	Sends a PROPFIND request to the given host, and for the given folder. Returns a table reprenting a response.
go (host, port)	Checks a list of possible folders for the vulnerability. Returns a list of vulnerable folders.
go_single (host, port, folder)	Check a single folder on a single host for the vulnerability. Returns one of the enum_results codes.

Functions

get_response (host, port, folder)

Sends a PROPFIND request to the given host, and for the given folder. Returns a table reprenting a response.

Parameters

• host:
• port:
• folder:

go (host, port)

Checks a list of possible folders for the vulnerability. Returns a list of vulnerable folders.

Parameters

• host:
• port:

go_single (host, port, folder)

Check a single folder on a single host for the vulnerability. Returns one of the enum_results codes.

Parameters

• host:
• port:
• folder: