Re: Detecting if SecureIIS from Eeye is installed

From: Ryan Permeh (ryan@eeye.com)
Date: 01/23/02


From: "Ryan Permeh" <ryan@eeye.com>
To: "Sacha Faust" <sacha@severus.org>, <pen-test@securityfocus.com>
Date: Tue, 22 Jan 2002 22:13:12 -0800

Hi.
Take into account that the content of what is returned is configurable by
the server administrator (that is just our default message), and turning
HEAD on as a supported method may stop the 406 message. But yes, SecureIIS
can be identified by the fact that it does not send textual error data when
it handles a request. As you have noted, SecureIIS was not intended to be a
stealth module, and the fact that an IIS web server returns a 406 error at
all should be a good tip (I'm not positive IIS generates those naturally in
any normal context).

Hope there isn't any confusion here.

Ryan
----- Original Message -----
From: "Sacha Faust" <sacha@severus.org>
To: <pen-test@securityfocus.com>
Sent: Monday, January 21, 2002 7:09 PM
Subject: Detecting if SecureIIS from Eeye is installed

> This is not something big and I don't consider it a bug but it's something
> that might be useful when trying to break an IIS server. I don't have a copy
> of the software so I don't know if this is caused by misconfiguration or
> something else.
> While debugging after someone mentioned a problem with an early version of
> Metis 1.1, I saw that you can detect the presence of the SecureIIS product
> from Eeye by issuing a HEAD request on any file or folder and looking at the
> return data.
> SecureIIS will return HTTP error code 406 (Not Acceptable),
> Content-Length: 1176 and Content-Type: text/html. It will also announce
> itself in the reply message. Here is an example:
>
> E:\Metis>nc -v www.site.com 80
> www.site.com [111.111.111.111] 80 (http) open
> HEAD /
>
> HTTP/1.1 406
> Server: Microsoft-IIS/4.0
> Date: Tue, 22 Jan 2002 02:23:42 GMT
> Content-Type: text/html
> Content-Length: 1176
>
> <HTML>
> <BODY text=#000000 vLink=#ff9900 link=#ff9900 bgColor=#ffffff>
> <TABLE cellSpacing=5 cellPadding=3 width=400>
> <TBODY>
> <TR>
> <TD vAlign=center align=left width=400><FONT
> face=Verdana,Arial,Helvetica
> size=2><FONT size=3><B>SecureIIS application firewall security
> alert</B></FONT><BR><BR><BR>HTTP Request caused a security alert,
> please
> contact our web master if you are getting this alert in error.<BR><BR>
> <HR>
> <BR><B>What is SecureIIS</B><BR>SecureIIS offers websites
> running Microsoft Internet Information Server a broad range of
> protection
>
> from common vulnerabilities, both known and unknown. Because SecureIIS
> does not protect against specific vulnerabilities, but classes of
> vulnerabilities, it allows for a much more far reaching layer of
> security.
>
> <BR><BR>
> <HR>
> <BR>For more information on SecureIIS, please visit <A
>
> href="http://www.eeye.com/SecureIIS/">http://www.eeye.com/SecureIIS/><B
> R><BR><B><FONT
> color=#ff7000>eEye</FONT> Digital Security</B> - <I>Vulnerability Is
> Over...</I></FONT></TD></TR></TBODY></TABLE></BODY></HTML>
>
>
>
>
> ---------
> Sacha Faust
> sacha@severus.org
> Metis : http://www.ideahamster.org/tid.htm
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/
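
Added example, not part of the original thread: a defender-side check of a captured reply for the traits the two posts name (406 status, the default 1176-byte length, a body sent in answer to HEAD, the product name in the page). The function names and both sample responses are constructed for illustration; the blocked sample is the quoted reply with its HTML body shortened.

```python
# Added example: markers and samples are taken or shortened from the thread.
DEFAULT_LENGTH = "1176"   # Content-Length of the default block page per the post
PRODUCT_MARKER = "secureiis"

# Constructed sample: the quoted reply to HEAD, with the HTML body shortened.
SAMPLE_BLOCKED = (
    b"HTTP/1.1 406\r\n"
    b"Server: Microsoft-IIS/4.0\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 1176\r\n\r\n"
    b"<HTML><B>SecureIIS application firewall security alert</B></HTML>"
)
# Constructed sample: a headers-only reply to HEAD from an unfiltered server.
SAMPLE_PLAIN = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/4.0\r\n"
    b"Content-Length: 4325\r\n\r\n"
)

def parse_response(raw):
    """Split a raw HTTP response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(None, 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body

def disclosure_findings(raw, method="HEAD"):
    """List the traits in a captured reply that reveal the filter's presence."""
    status, headers, body = parse_response(raw)
    findings = []
    if status == 406:
        findings.append("406 status")
    if headers.get("content-length") == DEFAULT_LENGTH:
        findings.append("default block-page length")
    if method == "HEAD" and body.strip():
        findings.append("body in HEAD reply")
    if PRODUCT_MARKER in body.decode("latin-1").lower():
        findings.append("product name in body")
    return findings

if __name__ == "__main__":
    for name, raw in (("blocked", SAMPLE_BLOCKED), ("plain", SAMPLE_PLAIN)):
        print(name, disclosure_findings(raw))
```

A block page customized as described in the reply drops the length and product-name findings, but the 406 status and the body on a HEAD reply are still reported.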
