hi.

take into account that the content of what is returned is configurable by the server administrator (that is just our default message). and turning head on as a supported method may stop the 406 message. but yes, SecureIIS can be identified by the fact that it does not send textual error data when it handles a request.

As you have noted, SecureIIS was not intended to be a stealth module, and the fact that an IIS web server returns a 406 error at all should be a good tip (i'm not positive IIS generates those naturally in any normal context).

hope there isn't any confusion here.

Ryan

----- Original Message -----
From: "Sacha Faust" <sachaat_private>
To: <pen-testat_private>
Sent: Monday, January 21, 2002 7:09 PM
Subject: Detecting if SecureIIS from Eeye is installed

> This is not something big and I don't consider it a bug but it's something
> that might be useful
> when trying to break an IIS server. I don't have a copy of the software so I
> don't know if this is caused by misconfiguration or something else.
> While debugging after someone mentioned a problem with an early version of
> Metis 1.1,
> I saw that you can detect the presence of the SecureIIS product from Eeye by
> issuing a HEAD request on any files or folder and looking at the return
> data.
> The SecureIIS will return HTTP error code 406 (Not Acceptable),
> Content-Length: 1176 and Content-Type: text/html. It will also announce
> itself in the reply message. Here is an example
>
> E:\Metis>nc -v www.site.com 80
> www.site.com [111.111.111.111] 80 (http) open
> HEAD /
>
> HTTP/1.1 406
> Server: Microsoft-IIS/4.0
> Date: Tue, 22 Jan 2002 02:23:42 GMT
> Content-Type: text/html
> Content-Length: 1176
>
> <HTML>
> <BODY text=#000000 vLink=#ff9900 link=#ff9900 bgColor=#ffffff>
> <TABLE cellSpacing=5 cellPadding=3 width=400>
> <TBODY>
> <TR>
> <TD vAlign=center align=left width=400><FONT
> face=Verdana,Arial,Helvetica
> size=2><FONT size=3><B>SecureIIS application firewall security
> alert</B></FONT><BR><BR><BR>HTTP Request caused a security alert,
> please
> contact our web master if you are getting this alert in error.<BR><BR>
> <HR>
> <BR><B>What is SecureIIS</B><BR>SecureIIS offers websites
> running Microsoft Internet Information Server a broad range of
> protection
>
> from common vulnerabilities, both known and unknown. Because SecureIIS
> does not protect against specific vulnerabilities, but classes of
> vulnerabilities, it allows for a much more far reaching layer of
> security.
>
> <BR><BR>
> <HR>
> <BR>For more information on SecureIIS, please visit <A
>
> href="http://www.eeye.com/SecureIIS/">http://www.eeye.com/SecureIIS/><B
> R><BR><B><FONT
> color=#ff7000>eEye</FONT>Ö Digital Security</B> - <I>Vulnerability Is
> Over...</I></FONT></TD></TR></TBODY></TABLE></BODY></HTML>
>
>
> ---------
> Sacha Faust
> sachaat_private
> Metis : http://www.ideahamster.org/tid.htm
>
>
> -------------------------------------------------------------------------- --
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Wed Jan 23 2002 - 08:32:08 PST
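
An added example, not part of the original thread or of any tool it mentions: an offline check an administrator can run on a HEAD reply captured from their own server, to see which of the traits discussed above (406 status, a body sent for HEAD, the default 1176-byte HTML page, the product naming itself) still disclose the filter. The function names, finding labels and the shortened sample reply are assumptions constructed for illustration.

```python
import re

# Constructed sample, modelled on the reply quoted in the thread (body shortened).
SAMPLE = (
    b"HTTP/1.1 406\r\n"
    b"Server: Microsoft-IIS/4.0\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 1176\r\n"
    b"\r\n"
    b"<HTML><BODY><B>SecureIIS application firewall security alert</B>"
    b"<BR>For more information on SecureIIS, please visit "
    b"http://www.eeye.com/SecureIIS/</BODY></HTML>"
)

def parse_response(raw):
    """Split a raw HTTP response into (status, headers, body)."""
    text = raw.replace(b"\r\n", b"\n")  # tolerate captures with bare LF
    head, _, body = text.partition(b"\n\n")
    lines = head.decode("latin-1").split("\n")
    m = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers, body

def audit_head_response(raw, product_markers=(b"SecureIIS", b"eeye.com")):
    """Return the traits of a HEAD reply that disclose the filtering product."""
    status, headers, body = parse_response(raw)
    findings = []
    if status == 406:
        findings.append("status-406-on-head")
    if body.strip():  # a HEAD reply should carry headers only
        findings.append("body-sent-for-head")
    ctype = headers.get("content-type", "")
    if ctype.startswith("text/html") and headers.get("content-length") == "1176":
        findings.append("default-length-1176")
    for marker in product_markers:
        if marker.lower() in body.lower():
            findings.append("names-product:" + marker.decode())
    return findings

if __name__ == "__main__":
    for finding in audit_head_response(SAMPLE):
        print(finding)
```

An empty result for a reply captured after the alert page has been customised means none of these default traits remain in that response.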