You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: src/network-services-pentesting/pentesting-web/iis-internet-information-services.md
+95-1Lines changed: 95 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -243,6 +243,46 @@ If you have filesystem or interactive access on the web server, co-located keys
243
243
244
244
With the key ring available, an operator running in the app’s identity can instantiate an IDataProtector with the same purposes and unprotect stored secrets. Misconfigurations that store the key ring with the app files make offline decryption trivial once the host is compromised.
245
245
246
+
247
+
## Harvesting IIS configuration and credentials with ApplicationHost.config / AppCmd
248
+
249
+
`ApplicationHost.config` is the root IIS configuration file and usually lives at `%windir%\system32\inetsrv\config\applicationHost.config`. Once you get local code execution on the server, enumerate it before dropping more tooling because it often reveals:
- globally registered native modules and per-app handlers/modules
256
+
257
+
Passwords stored there are usually **encrypted at rest** when configured through IIS Manager / AppCmd, but the local IIS management path can still return the **decrypted** values.
258
+
259
+
```cmd
260
+
:: Site / app / vdir mapping
261
+
%windir%\system32\inetsrv\appcmd.exe list site /config
262
+
%windir%\system32\inetsrv\appcmd.exe list app /config
263
+
%windir%\system32\inetsrv\appcmd.exe list vdir /config
264
+
265
+
:: App-pool identities / credentials
266
+
%windir%\system32\inetsrv\appcmd.exe list apppool /text:name
267
+
%windir%\system32\inetsrv\appcmd.exe list apppool "DefaultAppPool" /text:processModel.identityType
268
+
%windir%\system32\inetsrv\appcmd.exe list apppool "DefaultAppPool" /text:processModel.userName
269
+
%windir%\system32\inetsrv\appcmd.exe list apppool "DefaultAppPool" /text:processModel.password
270
+
271
+
:: Virtual-directory credentials
272
+
%windir%\system32\inetsrv\appcmd.exe list vdir "Default Web Site/" /text:userName
273
+
%windir%\system32\inetsrv\appcmd.exe list vdir "Default Web Site/" /text:password
274
+
```
275
+
276
+
If you already have command execution as the IIS worker, also review `applicationHost.config` directly to harvest **bindings**, **physical paths**, and **module registrations** that may not be obvious from the current site only. Don't stop at the live file: IIS also keeps configuration history by default under `%SystemDrive%\inetpub\history`, so older `CFGHISTORY_*` snapshots may preserve **previous bindings, paths, usernames, or encrypted password blobs** even after admins cleaned the active config. Quick triage:
277
+
278
+
```cmd
279
+
%windir%\system32\inetsrv\appcmd.exe list backups
280
+
dir /b C:\inetpub\history
281
+
dir /s /b C:\inetpub\history\applicationHost.config
282
+
```
283
+
284
+
For broader post-exploitation loot after OS execution, check [Windows Local Privilege Escalation](../../windows-hardening/windows-local-privilege-escalation/README.md).
285
+
246
286
## IIS fileless backdoors and in-memory .NET loaders (NET-STAR style)
247
287
248
288
The Phantom Taurus/NET-STAR toolkit shows a mature pattern for fileless IIS persistence and post‑exploitation entirely inside w3wp.exe. The core ideas are broadly reusable for custom tradecraft and for detection/hunting.
@@ -349,6 +389,33 @@ See detailed techniques and PoCs here:
Malicious or simply forgotten **IIS modules/handlers** are a recurring high-value finding: they expand the request pipeline, can introduce pre-auth attack surface, and are also a common **stealth persistence** mechanism once an attacker gets admin on the server. Native global modules are registered in `ApplicationHost.config`, while app-specific managed modules and handlers often live in `web.config`.
396
+
397
+
```cmd
398
+
:: Global native modules
399
+
%windir%\system32\inetsrv\appcmd.exe list config /section:system.webServer/globalModules
400
+
401
+
:: Per-site modules / handlers
402
+
%windir%\system32\inetsrv\appcmd.exe list config "Default Web Site/" /section:system.webServer/modules
403
+
%windir%\system32\inetsrv\appcmd.exe list config "Default Web Site/" /section:system.webServer/handlers
404
+
405
+
:: Fast triage for custom assemblies under the app root
406
+
dir /s /b C:\inetpub\wwwroot\bin\*.dll
407
+
```
408
+
409
+
Interesting hits include:
410
+
411
+
- custom DLLs loaded from an app `bin\` directory
412
+
- handlers for `*.ashx`, `*.axd`, WebDAV verbs, upload endpoints, or diagnostic pages
413
+
- third-party modules registered globally but enabled only for one application
414
+
- modules mapped through `appcmd install module` instead of normal app deployment
415
+
- assemblies parked in `%windir%\Microsoft.NET\assembly\` (GAC) and then referenced from IIS registration
416
+
417
+
Once you have admin on the server, a malicious module is often **quieter than an ASPX webshell** because it runs inside the legitimate IIS pipeline and can trigger only for a specific cookie, URL, header, or User-Agent. Real intrusions have used both **managed modules** and **GAC-registered assemblies** mapped into `w3wp.exe`, so if a registration points outside the app folder, treat it as suspicious until proven otherwise.
418
+
352
419
## Old IIS vulnerabilities worth looking for
353
420
354
421
@@ -397,6 +464,30 @@ ASPXAUTH uses the following info:
397
464
However, some people will use the **default values** of these parameters and will use as **cookie the email of the user**. Therefore, if you can find a web using the **same platform** that is using the ASPXAUTH cookie and you **create a user with the email of the user you want to impersonate** on the server under attack, you may be able to us**e the cookie from the second server in the first one** and impersonate the user.\
398
465
This attacked worked in this [**writeup**](https://infosecwriteups.com/how-i-hacked-facebook-part-two-ffab96d57b19).
399
466
467
+
468
+
## MachineKey loot → ViewState and auth-cookie abuse
469
+
470
+
If a **`web.config` / `machine.config` leak**, backup disclosure, path traversal, or local shell gives you a `<machineKey>`, treat it as **active RCE / impersonation material** and not only as a secret leak. The same `validationKey` / `decryptionKey` pair can usually be reused to:
471
+
472
+
- forge malicious `__VIEWSTATE` payloads
473
+
- decrypt or forge `.ASPXAUTH` / ASP.NET application cookies
474
+
- pivot across sibling IIS nodes that reuse the same static keys
475
+
476
+
In 2025, Microsoft documented real intrusions abusing **publicly disclosed ASP.NET machine keys**, and reported identifying **more than 3,000 exposed keys** in public sources. Therefore, if you recover one key pair from a single app, test whether the same keys are reused across the rest of the farm.
For the **legacy vs .NET 4.5+** details, `__VIEWSTATEGENERATOR`, `ViewStateUserKey`, split ViewState, and known-key bruteforce workflows, check [Exploiting `__VIEWSTATE`](../../pentesting-web/deserialization/exploiting-__viewstate-parameter.md) and [Exploiting `__VIEWSTATE` Knowing the Secret](../../pentesting-web/deserialization/exploiting-__viewstate-knowing-the-secret.md).
490
+
400
491
## IIS Authentication Bypass with cached passwords (CVE-2022-30209) <ahref="#id-3-iis-authentication-bypass"id="id-3-iis-authentication-bypass"></a>
401
492
402
493
[Full report here](https://blog.orange.tw/2022/08/lets-dance-in-the-cache-destabilizing-hash-table-on-microsoft-iis.html): A bug in the code **didn't properly check for the password given by the user**, so an attacker whose **password hash hits a key** that is already in the **cache** will be able to login as that user .
-[Unit 42 – Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite](https://unit42.paloaltonetworks.com/phantom-taurus/)
-[Microsoft – Introduction to ApplicationHost.config](https://learn.microsoft.com/en-us/iis/get-started/planning-your-iis-architecture/introduction-to-applicationhostconfig)
523
+
-[Microsoft Threat Intelligence – Code injection attacks using publicly disclosed ASP.NET machine keys](https://www.microsoft.com/en-us/security/blog/2025/02/06/code-injection-attacks-using-publicly-disclosed-asp-net-machine-keys/)
0 commit comments