Penetration Testing mailing list archives

Detecting if SecureIIS from Eeye is installed

From: "Sacha Faust" <sacha () severus org>
Date: Mon, 21 Jan 2002 22:09:30 -0500

This is not something big and I don't consider it a bug but it's something
that migh be usefull
when trying to brake an IIS server. I don't have a copy of the software so I
don't know if this is cause by misconfiguration or something else.
While debugging after someone mentionned a problem with an early version of
Metis 1.1,
I saw that you can detect the presence of the SecureIIS product from Eeye by
issuing an HEAD request on any files or folder and looking at the return
data.
The SecureIIS will return HTTP error code 406 (Not Acceptable),
Content-Length: 1176 and Content-Type: text/html. It will also announce
itself in the reply message. Here is an example

E:\Metis>nc -v www.site.com 80
www.site.com [111.111.111.111] 80 (http) open
HEAD /

HTTP/1.1 406
Server: Microsoft-IIS/4.0
Date: Tue, 22 Jan 2002 02:23:42 GMT
Content-Type: text/html
Content-Length: 1176

<HTML>
<BODY text=#000000 vLink=#ff9900 link=#ff9900 bgColor=#ffffff>
<TABLE cellSpacing=5 cellPadding=3 width=400>
  <TBODY>
  <TR>
    <TD vAlign=center align=left width=400><FONT
face=Verdana,Arial,Helvetica
      size=2><FONT size=3><B>SecureIIS application firewall security
      alert</B></FONT><BR><BR><BR>HTTP Request caused a security alert,
please
      contact our web master if you are getting this alert in error.<BR><BR>
      <HR>
      <BR><B>What is SecureIIS</B><BR>SecureIIS offers websites
      running Microsoft Internet Information Server a broad range of
protection

      from common vulnerabilities, both known and unknown. Because SecureIIS
      does not protect against specific vulnerabilities, but classes of
      vulnerabilities, it allows for a much more far reaching layer of
security.

      <BR><BR>
      <HR>
      <BR>For more information on SecureIIS, please visit <A

href="http://www.eeye.com/SecureIIS/";>http://www.eeye.com/SecureIIS/</A><B
R><BR><B><FONT
      color=#ff7000>eEye</FONT>Ö Digital Security</B> - <I>Vulnerability Is
      Over...</I></FONT></TD></TR></TBODY></TABLE></BODY></HTML>




---------
Sacha Faust
sacha () severus org
Metis : http://www.ideahamster.org/tid.htm


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Current thread:

Detecting if SecureIIS from Eeye is installed Sacha Faust (Jan 22)
- Re: Detecting if SecureIIS from Eeye is installed Ryan Permeh (Jan 23)
  - Questions on GSM Penetration test ricci_ieong (Jan 24)
    - Re: Questions on GSM Penetration test Tom Buelens (Jan 25)
    - Re: Questions on GSM Penetration test M Lister (Jan 26)
    - Re: Questions on GSM Penetration test Tom Buelens (Jan 27)
    - Re: Questions on GSM Penetration test M Lister (Jan 27)
    - Re: Questions on GSM Penetration test Tom Buelens (Jan 27)
    - RE: Questions on GSM Penetration test Fernando Cardoso (Jan 28)
    - Re: Questions on GSM Penetration test Wouter Slegers (Jan 31)
    - Re: Questions on GSM Penetration test Martin Tomasek (Jan 27)

(Thread continues...)