"Guys, guys, guys, listen, listen, listen. So I'm in this computer, right? So I'm lookin' around, lookin' around, throwing commands at it, I don't know where it is or what it does or anything..."
I think it's from hackers, Joey the youngest hacker found the bad guys computers, not sure if it's an accurate quote since it's been years since I saw it.
Obscurity is a perfectly adequate layer of security. It shouldn't be the only layer but those who argue against adding it heard at some point "security through obscurity is not security" and never dug deeper.
> IIS has a legacy behavior inherited from the old DOS 8.3 filename convention.
Is this exposing the underlying OS's behavior coupled with the fact that the IIS document root is `C:\Inetpub` by default? Eight-dot-three filenames are enabled by default on the C drive but disabled by default on all other drives on Windows 10/11:
PS> (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').DisplayVersion
24H2
PS> fsutil 8dot3name query C:
The volume state is: 0 (8dot3 name creation is ENABLED)
The registry state is: 2 (Per volume setting - the default)
Based on the above settings, 8dot3 name creation is ENABLED on "C:"
PS> fsutil 8dot3name query U:
The volume state is: 1 (8dot3 name creation is DISABLED)
The registry state is: 2 (Per volume setting - the default)
Based on the above settings, 8dot3 name creation is DISABLED on "U:"
Tangentially, that reminds me of how a Windows update created c:\inetpub on everybody's non-server computers, to "increase protection" for unspecified reasons.
While that's still pretty vague, it sounds like the issue was that something running as SYSTEM (the page seems to indicate some part of Windows Update) was not correctly checking if inetpub was a symlink or something along those lines. It also links to a script to set ACLs on that directory; presumably that's not possible to do if the directory doesn't exist.
It would probably be better to fix whatever component to not have the link traversal bug, but maybe there's some reason that makes the proper fix infeasible…
Once upon a time, all server logs were basically unusable because of the amount of IIS scanners out there. There was a directory traversal that was literally just url encoding “../“ that absolutely lit the internet on fire for many months.
One confusing part is that the blue screen is not a reference to BSOD but to the IIS default page with the blue squares. That’s probably jargon.
The article lists all the tricks I’ve collected over the years doing pentesting and then some, with great tool references. The signal to noise ratio is very high and there’s little “here’s why” filler which instead might just be someone’s way of storytelling. The article drones on, but with actual content as there is a lot to tell. It’s even light on features like trace.axd, but does mention them and their purposes.
I found it an entertaining overview of taking apart unassuming IIS servers and the point of “Recon harder. ” is made very well :)
Edit: s/boring/unassuming + added point was made very well
Yes, it's jargon. Blue screen is that default page. Yellow screen of death is another one, referring to when ASP.NET throws an exception and you have detailed exceptions turned on (which for public sites, you shouldn't).
Why is it stupid to flag genuinely LLM-written content? It might've been thought out by a human, but the final version is clearly LLM-written or extremely heavily LLM-edited.
> Please don't complain about tangential annoyances—e.g. article or website formats, name collisions, or back-button breakage. They're too common to be interesting.
While few read them, it might be helpful if @dang threw in the ", or LLM generated content".
I do. As others have replied, Windows Server--including IIS, means you have a domain joined machine, likely with an SPN of HOST/MACHINE.DOMAIN.
Windows services and IIS App Pool Identities log in with an (g)MSA or virtual accounts (NT Service*) and you get a fully working and managed Kerberos experience without having to deal with 30, 60, 90 day password rotations.
Log into your MS SQL Server with Kerberos, log into some other webapp's oauth2 flow with Kerberos, etc, it all just works.
You can use WinRM with your native Windows shell without having to do anything special, and even technically bypass 2FA since that's just how it really works.
Can you do all this on Linux? Yes.
Will it ever be set up correctly? Depends where you work, but based on my experience so far, not likely.
Every large company big enough to host an intranet is running IIS somewhere, possibly everywhere. It integrates well with AD so some really complex tasks become stupid simple.
It's seeing less and less usage as the world moves to AWS which is equally stupid because you're tied to one vendor's proprietary products (Amazon) again. Except this time you don't own the hardware.
Public sector IT loves IIS. Check your municipality's tax or property website it's probably got .aspx scripts out the ass.
I've seen it hosting European web apps, public sector if I recall. Lots of bespoke .NET applications out there with SQL Server backends running entire local governments.
Asian countries especially China and Taiwan love IIS and use it to host anything and everything. This is a personal observation.
Sure the world has mostly moved on, but there's tons of legacy code out there that keeps cities and really important organizations humming that runs on IIS and it's never changing.
You think that's bad, there's still places out there running AS/400 stuff on the web, Lotus Notes, and Novell Groupwise (gasp).
Well its document management feature didn't used to have Anti-Virus support which caused me a load of problems back in the 90's when Word Macro viruses were common. :P
Yeah, I regularly speak to folks still running IIS on Windows Server. There are a lot of old apps out there, sadly. Some really, really important ones.
this is one of the funniest recurring threads on HN. developers finding out what other developers are requiring from their customers. Bonus points for developers finding out that non-cloud solutions still dominate some industries.
Back in the early-2000s, I passed the Microsoft certification exam for IIS. I had never even heard of the product (I was told my company had some extra credits at the testing center, I was there taking another exam (Solaris 8 certification), so I figured why not?) I know, MCSE exams were notoriously simple back then, but good god - usually, for every question, 3 of the 4 possible answers didn't even make sense. Anyway, I figured there was no way IIS would last if any dipshit could become "certified" in the product.
That's the value add. Any dipshit can be trained in the Windows server stack, so you can staff your back office with dipshits. For a while in the early 2000s—before the cloud era—Windows was routinely found to have a lower TCO than Linux as a server OS for precisely this reason. More actual deployments too, especially in corporate intranets.
The lead says "how I approach IIS targets during bug bounty" (emphasis mine), so (assuming the author is being truthful) I'm guessing the tone of the title is just for fun.
There's like 90,000 computer fraud reports sent to the federal government every year and about 400 prosecutions total. Most of those are concentrated in whatever niche abuse category the government is focused on at the time (right now, crypto/phishing/ransomware).
note: Don't take this as your cue to start messing around with black hat. Don't become the guy trying to explain to your cell mate who's doing 50 years for a violent crimes what a unauthenticated supabase table is and why you deleted it.
Nothing makes me happier than knowing I've wasted hours of their time chasing their own tails.
reply