naturalmovement I front all my honeypots with the IIS landing page
precisely because it attracts black hat jagoffs. Nothing
makes me happier than knowing I've wasted hours of their
time chasing their own tails.
|
> p1necone Why stop there? Front the honeypot with a real IIS
server, build a matryoshka doll of honeypots and see
how far people get.
|
> DaSHacka Unless you're honeypotting in the IP range of an
established organization, all you're doing is getting
bot traffic. High-tier blackhats focus on big targets,
and low-tier ones focus on low-hanging fruits they
find off shodan or application 0days they've found.
|
> > bitwize "Guys, guys, guys, listen, listen, listen. So I'm
in this computer, right? So I'm lookin' around,
lookin' around, throwing commands at it, I don't
know where it is or what it does or anything..."
|
> > > > amenghra It's from Hackers:
https://www.scifiscripts.com/scripts/hackers.txt#:~:text=Any...
|
> > > > > fragmede Y'know, there ought to be a way to
deep link into a torrent file.
|
> > > > > > enlightens Yarn is usually the next best
thing but there seems to be
something off with the video in
this case
https://memes.getyarn.io/yarn-clip/e9d8176d-e936-4224-a1d1-f...
|
> > > > bryanrasmussen I think it's from Hackers, Joey the
youngest hacker found the bad guys'
computers, not sure if it's an accurate
quote since it's been years since I saw
it.
|
> > > > > egil "They're trashing! They're trashing
our rights!"
|
> > > forgetfreeman Some ATM in bumsville Idaho spit $700 into the
middle of the street.
|
> themafia Noise is a really underrated security layer.
|
> > YeahThisIsMe That's just security by obscurity, which is rated
pretty appropriately.
|
> > > close04 Obscurity is a perfectly adequate layer of
security. It shouldn't be the only layer but
those who argue against adding it heard at
some point "security through obscurity is not
security" and never dug deeper.
|
> > > > loneboat ... those who argue against adding it
heard at some point "security through
obscurity is not security" and never dug
deeper. Ironically, that makes them the
exact type of person who would be
successfully deterred by a layer of
obscurity.
|
> > > > seethishat I agree. Hiding from a grizzly bear is a
good strategy. But if that fails, you will
need pepper spray and maybe a shotgun. Bear
Defense Plan: Hide, Non-lethal, Lethal.
|
> > > > > Alphanymous You've said it just like it is,
prevention + preparation.
|
> raverbashing Sounds like creating a URL like
aspnet_client/admin.php returning a WebObjects header
might be a good hobby
|
> > kreyenborgi Add in a zip bomb or two?
|
> > > MrDrMcCoy Now you have me wondering how badly http gzip
content compression can be abused along those
lines.
|
> wil421 Tell me more... I opened a plex and Nintendo switch
port, the scans were out of control. I'd love to screw
over port scanners.
|
> > fragmede What does shodan.io run?
|
> > > wil421 Not sure but the IPs don't come back as
Chinese and the dns registries, domains, and
other data I could find was generated using US
address data. Lots of stuff like 123 stree,
where half the address was truncated.
|
Lammy > IIS has a legacy behavior inherited from the old DOS 8.3
> filename convention.
Is this exposing the underlying OS's behavior coupled with the
fact that the IIS document root is `C:\Inetpub` by default?
Eight-dot-three filenames are enabled by default on the C drive
but disabled by default on all other drives on Windows 10/11:
PS> (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').DisplayVersion
24H2
PS> fsutil 8dot3name query C:
The volume state is: 0 (8dot3 name creation is ENABLED)
The registry state is: 2 (Per volume setting - the default)
Based on the above settings, 8dot3 name creation is ENABLED on "C:"
PS> fsutil 8dot3name query U:
The volume state is: 1 (8dot3 name creation is DISABLED)
The registry state is: 2 (Per volume setting - the default)
Based on the above settings, 8dot3 name creation is DISABLED on "U:"
|
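An added example, not part of any comment in this thread: the per-volume check shown above, extended to every fixed NTFS volume and cross-referenced with IIS site roots. It assumes English `fsutil` output in the format quoted above, an elevated prompt, and the WebAdministration module for the IIS part; `Get-ShortNameState` is a hypothetical helper name.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Assumes English fsutil output in the format quoted in the comment above.
function Get-ShortNameState {
    param([Parameter(Mandatory)][string]$Drive)   # e.g. 'C:'

    $text     = (& fsutil.exe 8dot3name query $Drive) -join "`n"
    $volume   = if ($text -match 'volume state is:\s*(\d)')   { [int]$Matches[1] }
    $registry = if ($text -match 'registry state is:\s*(\d)') { [int]$Matches[1] }

    # Registry state (NtfsDisable8dot3NameCreation): 0 = enabled on all volumes,
    # 1 = disabled on all volumes, 2 = per-volume setting,
    # 3 = disabled on all volumes except the system volume.
    $enabled = switch ($registry) {
        0       { $true }
        1       { $false }
        2       { $volume -eq 0 }
        3       { $Drive -eq $env:SystemDrive }
        default { $null }                         # output not recognised
    }
    [pscustomobject]@{
        Drive             = $Drive
        VolumeState       = $volume
        RegistryState     = $registry
        ShortNamesEnabled = $enabled
    }
}

# Every fixed NTFS volume on this machine.
$states = Get-CimInstance Win32_LogicalDisk -Filter "DriveType=3 AND FileSystem='NTFS'" |
    ForEach-Object { Get-ShortNameState -Drive $_.DeviceID }
$states | Format-Table -AutoSize

# If the IIS management module is present, list sites whose content root
# sits on a volume that still generates 8.3 short names.
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $enabledDrives = @(($states | Where-Object ShortNamesEnabled).Drive)
    Get-Website | ForEach-Object {
        $path = [Environment]::ExpandEnvironmentVariables($_.physicalPath)
        if ($path -and $enabledDrives -contains [IO.Path]::GetPathRoot($path).TrimEnd('\')) {
            [pscustomobject]@{ Site = $_.Name; PhysicalPath = $path }
        }
    }
}
```

Disabling creation on a volume does not remove short names that already exist on files created earlier, so a site root flagged here may still carry them after the setting is changed.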
> Terr_ Tangentially, that reminds me of how a Windows update
created c:\inetpub on everybody's non-server
computers, to "increase protection" for unspecified
reasons.
https://www.pcworld.com/article/2684062/why-is-windows-11-la...
|
> > mook That page eventually leads to the CVE page:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-20...
While that's still pretty vague, it
sounds like the issue was that something running
as SYSTEM (the page seems to indicate some part of
Windows Update) was not correctly checking if
inetpub was a symlink or something along those
lines. It also links to a script to set ACLs on
that directory; presumably that's not possible to
do if the directory doesn't exist.
It would
probably be better to fix whatever component to
not have the link traversal bug, but maybe there's
some reason that makes the proper fix
infeasible...
|
> > Lammy > to "increase protection" for unspecified
> reasons
Everything old is new again
https://devblogs.microsoft.com/oldnewthing/20041116-00/?p=37... (2004)
|
> raesene9 The original research for this is at
https://soroush.me/downloadable/microsoft_iis_tilde_characte...
|
> logifail > PS> (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').DisplayVersion
> 24H2
I got no response to that command on my W10 box,
turns out for older (eg LTSC) versions it appears to
need:
(Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId
1809
|
> > Lammy Whoops, seems like that's related to their naming
scheme change, and `ReleaseId` stopped
incrementing after Windows 10 "2009" (2009
September) got renamed to "20H2":
https://vxtwitter.com/bytenerd/status/1395071115072966656
PS> (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId
2009
PS> (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').DisplayVersion
24H2
|
hstaab The tone of this is something else
|
> andai Several times, I wondered if Claude wrote it.
|
> > Stitch4223 One confusing part is that the blue screen is not
a reference to BSOD but to the IIS default page
with the blue squares. That's probably jargon.
The
article lists all the tricks I've collected over
the years doing pentesting and then some, with
great tool references. The signal to noise ratio
is very high and there's little "here's why"
filler which instead might just be someone's way
of storytelling. The article drones on, but with
actual content as there is a lot to tell. It's
even light on features like trace.axd, but does
mention them and their purposes.
I found it an
entertaining overview of taking apart unassuming
IIS servers and the point of "Recon harder." is
made very well :)
Edit: s/boring/unassuming + added
point was made very well
|
> > > 0x1d7 Yes, it's jargon. Blue screen is that default
page. Yellow screen of death is another one,
referring to when ASP.NET throws an exception
and you have detailed exceptions turned on
(which for public sites, you shouldn't).
|
> > merpkz "This is the brute-force fallback when the smart
approaches fail, and honestly, it works more often
than you'd expect."
Found the LLM generated part.
|
> > > suslik Honestly, given how much claude-based prose I
was recently reading, I am worried I will soon
begin to write in this style naturally.
|
> > > da_grift_shift Ding ding ding!
https://github.com/blader/humanizer/blob/main/SKILL.md#33-co...
|
> > > > bstsb ironically that guide is AI-generated
|
> > helloplanets Would be a feat on its own to get Claude to write
on a topic like this.
|
> > > andai I do think there was a lot of human effort
involved. The llm-isms (whether human or
machine generated!) cheapen the whole thing,
which is a shame. I rather read bad awkward
human writing than LLM generated paragraph
number 9 billion.
|
> > Tiberium It did, this article is clearly LLM-written/edited
|
> > kitd Get Claude to fix IIS, or is that not allowed any
more?
|
xmcp123 Oh man this takes me back. Once upon a time, all server
logs were basically unusable because of the amount of IIS
scanners out there. There was a directory traversal that
was literally just url encoding "../" that absolutely lit
the internet on fire for many months.
|
> 0x1d7 Those traversal attempts are still very common, right
next to the PHP/WordPress script kiddie attacks.
|
> > RetroTechie Wondering how far back that goes.. Win95 still
vulnerable? (Edit: I mean active attempts to
exploit in the wild)
|
> > dpoloncsak "The White Noise of the Internet" as they call it
|
t1234s Does anyone use IIS anymore?
|
> prussian I do. As others have replied, Windows
Server--including IIS, means you have a domain joined
machine, likely with an SPN of HOST/MACHINE.DOMAIN.
Windows services and IIS App Pool Identities log in
with an (g)MSA or virtual accounts (NT Service*) and
you get a fully working and managed Kerberos
experience without having to deal with 30, 60, 90 day
password rotations.
Log into your MS SQL Server with Kerberos, log into
some other webapp's oauth2 flow with Kerberos, etc, it
all just works.
You can use WinRM with your native Windows shell
without having to do anything special, and even
technically bypass 2FA since that's just how it really
works. Can you do all this on Linux? Yes.
Will it ever be set up correctly? Depends where you
work, but based on my experience so far, not likely.
|
> > zamalek > with Kerberos, etc, it all just works
I worked
with customer's AD environments in the 2010's and
I remember whiteboards of figuring out customer
Kerberos config. "it all just works" is not my
recollection of that 3-headed beast lmao.
|
> samplatt Way, WAY too many corporate IT divisions.
|
> naturalmovement Some banks still use IIS.
Every large company big
enough to host an intranet is running IIS somewhere,
possibly everywhere. It integrates well with AD so
some really complex tasks become stupid simple.
It's
seeing less and less usage as the world moves to AWS
which is equally stupid because you're tied to one
vendor's proprietary products (Amazon) again. Except
this time you don't own the hardware.
Public sector IT
loves IIS. Check your municipality's tax or property
website it's probably got .aspx scripts out the
ass.
I've seen it hosting European web apps, public
sector if I recall. Lots of bespoke .NET applications
out there with SQL Server backends running entire
local governments.
Asian countries especially China and
Taiwan love IIS and use it to host anything and
everything. This is a personal observation.
Sure the
world has mostly moved on, but there's tons of legacy
code out there that keeps cities and really important
organizations humming that runs on IIS and it's never
changing.
You think that's bad, there's still places
out there running AS/400 stuff on the web, Lotus
Notes, and Novell Groupwise (gasp).
|
> > forkerenok Heyyy what's wrong with Novell Groupwise?
|
> > > raesene9 Well its document management feature didn't
use to have Anti-Virus support which caused
me a load of problems back in the 90's when
Word Macro viruses were common. :P
|
> qingcharles Yeah, I regularly speak to folks still running IIS on
Windows Server. There are a lot of old apps out there,
sadly. Some really, really important ones.
|
> AznHisoka A lot of big corps still use it.
https://bloomberry.com/data/windows-server/
|
> bartnp Yep.
And as an ignoramus: what is it that you are
supposed to be using nowadays? Think in the context of
a small company making enterprise .NET (framework)
code where Windows is the world, cloud wouldn't fly
with the customers, SOAP is still king and your one IT
guy is too busy to notice anything happened after
2010. Suppose also that entire software rewrites are
impossibly impractical, and that while you'd love to
take some security gains, you just don't have the
capacity to do configuration deep dives let alone to
gamble on something complex like Kubernetes.
|
> chainingsolid I've seen it used to deliver 'apps' that 90% of a
business's employees use. (EX: Met/Team) in the
Metrology (calibration) space.
|
> thedougd Amazingly some companies like Hyland still ship
software that requires IIS. Bonus add are the pages
and pages of setup instructions.
|
> > pjmlp Sitecore, Microsoft as two other examples.
Sitecore
on the classical XP/XM stack, they don't seem to
be bothered to update it to modern .NET, as the
new products moved away from .NET (XM Cloud and
co).
Microsoft still has stuff like Dynamics 365,
running .NET Framework.
|
> > robotnikman And NCR from my experience.
|
> swarnie I would say 75% of my webservers are IIS.
Nothing
internet facing mind.
|
> > > swarnie Really simple.
I read the prerequisites of
whatever software I'm asked to install and do
what it says.
I'm not spending the next 3 years
of my life trying to make some monitoring
platform run on WebLogic, I have other jobs to
do in 4-8-12 hours.
|
> > > > jabroni_salad this is one of the funniest recurring
threads on HN. developers finding out what
other developers are requiring from their
customers. Bonus points for developers
finding out that non-cloud solutions still
dominate some industries.
|
> > > > > forgetfreeman Cloud's got nothing to do with it. The
thought of standing up a windows box
to serve anything other than profiles
and user surveillance is simply
foreign. Budget webhosting has been a
thing for a long time and standing up
a *nix VM is also no big deal. In 25
years in industry I never once saw an
IIS server used in the wild. shrug
|
> > > > > > swarnie I'm surprised by this, maybe it's
industry specific.
An 80:20 split
of windows server to everything
else has been pretty common in the
areas I've worked both as a <10
day contractor and as a FTE.
|
> > > > > > forgetfreeman Era may also be a major factor.
When I was coming up through the
ranks it was common wisdom, even
in corporate windows-centric
shops, that IIS was a
vulnerability factory on par with
sendmail.
|
> vlan0 The entire solarwinds platform (barf)
|
> formerly_proven The text uses target.com as a placeholder but they
actually also have an IIS blue screen:
https://knslsd.target.com/
|
> jimt1234 Back in the early-2000s, I passed the Microsoft
certification exam for IIS. I had never even heard of
the product (I was told my company had some extra
credits at the testing center, I was there taking
another exam (Solaris 8 certification), so I figured
why not?) I know, MCSE exams were notoriously simple
back then, but good god - usually, for every question,
3 of the 4 possible answers didn't even make sense.
Anyway, I figured there was no way IIS would last if
any dipshit could become "certified" in the product.
|
> > bitwize That's the value add. Any dipshit can be trained
in the Windows server stack, so you can staff your
back office with dipshits. For a while in the
early 2000s - before the cloud era - Windows was
routinely found to have a lower TCO than Linux as
a server OS for precisely this reason. More actual
deployments too, especially in corporate
intranets.
|
> dagaci IIS also sits at the back of many "modern" cloud web
type services.
|
> > sebazzz Yup, Windows Azure App Service is just IIS.
|
> pjmlp Yes, plenty of Microsoft shops still depend on .NET
Framework based applications, or even classical
ASP. For modern .NET no one is really using IIS any
longer.
|
> mpyne Tons of the Navy's public websites still run on it.
|
> y2244 Lots and lots
A lot of Microsoft devs know very little
Linux historically as they used windows and are
comfortable with it
Decreasing due to cloud and Nodejs
takeup
|
> esikich Yes, but typically just internal corporate intraweb
stuff from what I've seen.
|
> catmanjan SharePoint uses it extensively
|
AuthAuth Ah webpage formatting cooked but otherwise a fun read
|
Group_B Would love to see a write up on nginx!
|
sytelus This is extremely well done design (at least on full
desktop browsers). Amazing content as well.
|
> aix1 > This is extremely well done design (at least on full
> desktop browsers).
I can't tell if you're being
sarcastic, but on my full desktop browser the side bar
overlaps the main panel, putting text on top of other
text.
P.S. Other than this, I do like the presentation.
|
> > Shellban It looks decent on my 1920x1080p window running on
a 4K monitor, but I have overlapping problems on
my M1 Macbook.
|
> mopsi "Amazing" is a little generous for script kiddie stuff
from the early 2000s. The author has yet to learn the
extent to which civilization depends on people not
being cunts to one another for no good reason.
|
> > BalinKing The lead says "how I approach IIS targets during
bug bounty" (emphasis mine), so (assuming the
author is being truthful) I'm guessing the tone of
the title is just for fun.
|
> > caspper69 Ah yes, the lulz, the great American pastime.
|
NooneAtAll3 what's the deal with left sidebar overlapping the main
text?
|