The server reveals its internal IP address in response to a WebDAV PROPFIND request.
Issue a PROPFIND request over HTTP/1.1 with an empty Host header:
telnet example.com 80
Connected to example.com.
Escape character is '^]'.
PROPFIND / HTTP/1.1
HTTP/1.1 302 Redirect
Date: Tue, 08 Jun 2010 07:05:08 GMT
Object Moved This document may be found here
Reconfigure IIS to return the FQDN value instead:
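As an added check (not part of the original finding), the following Python reads a raw HTTP response of the kind captured in the telnet session above and reports whether the redirect target in the Location header is a private, loopback or link-local address rather than the server's FQDN. The sample response, including its Location value, is constructed; the original transcript does not show that header.

```python
"""Flag an IIS redirect whose Location header points at an internal IP.

Added example, not part of the original finding. It parses a raw HTTP
response and reports whether the redirect target is a private, loopback
or link-local address instead of the server's FQDN.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: mirrors the IIS "302 Redirect" above, with a Location
# header (not shown in the original transcript) pointing at a private address.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Redirect\r\n"
    b"Date: Tue, 08 Jun 2010 07:05:08 GMT\r\n"
    b"Location: http://10.0.0.5/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_headers(raw):
    """Return (status line, {lower-cased header name: value}) from a raw response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def redirect_target_host(raw):
    """Host part of the Location header, or None when the response is not a redirect."""
    _status, headers = parse_headers(raw)
    location = headers.get("location")
    if location is None:
        return None
    return urlsplit(location).hostname


def is_internal_address(host):
    """True when host is an IP literal in a private, loopback or link-local range."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname/FQDN rather than an IP literal
    return addr.is_private or addr.is_loopback or addr.is_link_local


def leaks_internal_ip(raw):
    """True when the redirect points at an internal address rather than a public name."""
    host = redirect_target_host(raw)
    return host is not None and is_internal_address(host)


if __name__ == "__main__":
    target = redirect_target_host(SAMPLE_RESPONSE)
    verdict = "internal address leaked" if leaks_internal_ip(SAMPLE_RESPONSE) else "ok"
    print(f"redirect target: {target} -> {verdict}")
```

After the server has been reconfigured, the same check run against a fresh capture should report the FQDN and return "ok".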
If a PPTP service has been detected, the protocol itself requires the server to disclose its software (and/or hardware) vendor. Generally the server hostname is also revealed, which may aid in an attack.
There are many ways to determine this, but a simple scenario would be to create a new "dial-up" connection within Windows with a connection type of VPN -> PPTP and connect whilst running a Wireshark packet capture.
By following the captured stream within Wireshark and looking at the protocol dissector, the vendor and hostname are disclosed.
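The fields Wireshark's dissector displays come from the PPTP Start-Control-Connection-Reply (SCCRP), whose layout is fixed by RFC 2637 section 2.2. As an added example (not part of the original finding), the Python below parses the raw 156-octet SCCRP payload and extracts the host name and vendor string, which is useful for checking what your own VPN gateway discloses from a saved capture. The sample message is constructed with a made-up host name and vendor.

```python
"""Extract host name and vendor from a PPTP Start-Control-Connection-Reply.

Added example, not part of the original finding. Field layout follows
RFC 2637 section 2.2; the sample message is constructed, not captured.
"""
import struct

PPTP_MAGIC_COOKIE = 0x1A2B3C4D
PPTP_CONTROL_MESSAGE = 1
CTRL_MSG_SCCRP = 2
# Length, Message Type, Magic Cookie, Control Message Type, Reserved0,
# Protocol Version, Result Code, Error Code, Framing Capabilities,
# Bearer Capabilities, Maximum Channels, Firmware Revision,
# Host Name (64), Vendor String (64): 156 octets, big-endian.
SCCRP_FORMAT = ">HHIHHHBBIIHH64s64s"
SCCRP_LENGTH = struct.calcsize(SCCRP_FORMAT)


def build_sccrp(host_name, vendor):
    """Build a constructed SCCRP for testing; values other than the names are typical."""
    return struct.pack(
        SCCRP_FORMAT,
        SCCRP_LENGTH,
        PPTP_CONTROL_MESSAGE,
        PPTP_MAGIC_COOKIE,
        CTRL_MSG_SCCRP,
        0,                      # Reserved0
        0x0100,                 # Protocol Version 1.0
        1,                      # Result Code 1 = channel established
        0,                      # Error Code
        3,                      # Framing Capabilities: async + sync
        3,                      # Bearer Capabilities: analog + digital
        64,                     # Maximum Channels
        0x0101,                 # Firmware Revision
        host_name.encode("ascii").ljust(64, b"\x00"),
        vendor.encode("ascii").ljust(64, b"\x00"),
    )


def parse_sccrp(data):
    """Return the disclosed fields from a raw SCCRP, or raise ValueError."""
    if len(data) < SCCRP_LENGTH:
        raise ValueError("message too short for an SCCRP")
    (_length, msg_type, cookie, ctrl_type, _reserved, version, result, error,
     _framing, _bearer, _max_channels, firmware, host, vendor) = struct.unpack(
        SCCRP_FORMAT, data[:SCCRP_LENGTH])
    if cookie != PPTP_MAGIC_COOKIE:
        raise ValueError("bad magic cookie, not a PPTP control message")
    if msg_type != PPTP_CONTROL_MESSAGE or ctrl_type != CTRL_MSG_SCCRP:
        raise ValueError("not a Start-Control-Connection-Reply")
    return {
        "host_name": host.split(b"\x00", 1)[0].decode("ascii", "replace"),
        "vendor": vendor.split(b"\x00", 1)[0].decode("ascii", "replace"),
        "firmware": firmware,
        "protocol_version": f"{version >> 8}.{version & 0xFF}",
        "result_code": result,
        "error_code": error,
    }


# Constructed sample; the host name and vendor are made up.
SAMPLE_SCCRP = build_sccrp("vpn-gw01.corp.example", "Example VPN Appliance")

if __name__ == "__main__":
    for key, value in parse_sccrp(SAMPLE_SCCRP).items():
        print(f"{key}: {value}")
```

To use this on real traffic, feed it the TCP payload of the server's reply on port 1723 as exported from Wireshark; the parser rejects anything that is not an SCCRP.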
IIS + .NET may reveal sensitive information when an exception occurs.
Often this information includes the system path to the webroot (e.g. C:\Inetpub\wwwroot), which may further aid attacks in which a malicious user can upload content but does not know where the file is located on the remote system.
When a document with an .ashx extension is requested, the server reveals the path (e.g. D:\sites\secret\uploads). It also reveals the version of .NET in the footer, such as "Microsoft .NET Framework Version:1.1.4322.2407; ASP.NET Version:1.1.4322.2407". The Framework version can then be checked against known vulnerabilities, such as NULL byte issues.
In the Machine.config or Web.config file, set the "customErrors" directive's mode to either "RemoteOnly" or "On".
See also: http://msdn.microsoft.com/en-us/library/h0hfz6fc.aspx
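The remediation above is a one-line configuration change, but it is easy to regress. As an added example (not part of the original finding), the Python below parses a Web.config or Machine.config and classifies its customErrors setting; the weak and hardened configs it contains are constructed samples, and the "inherited" case reflects the documented behaviour that an absent element takes its mode from the parent configuration file.

```python
"""Audit the customErrors setting in an ASP.NET Web.config or Machine.config.

Added example, not part of the original finding. It reads the
<customErrors> element under <system.web> and reports whether remote users
would receive detailed exception pages. Both configs below are constructed
samples: the first shows the weak setting, the second the remediation.
"""
import xml.etree.ElementTree as ET

WEAK_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>"""

HARDENED_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.htm" />
  </system.web>
</configuration>"""

# Modes that keep detailed error pages away from remote clients.
SAFE_MODES = {"on", "remoteonly"}


def custom_errors_mode(config_xml):
    """Return the effective mode written in this file, or None when the element is absent.

    When the element is present without a mode attribute, the documented
    default for the attribute (RemoteOnly) applies.
    """
    root = ET.fromstring(config_xml)
    node = root.find("./system.web/customErrors")
    if node is None:
        return None
    return node.get("mode", "RemoteOnly")


def audit_custom_errors(config_xml):
    """Classify a config as 'exposed', 'ok' or 'inherited'.

    'inherited' means this file sets nothing itself, so the effective mode
    comes from the parent Web.config or Machine.config and must be checked there.
    """
    mode = custom_errors_mode(config_xml)
    if mode is None:
        return "inherited"
    return "ok" if mode.strip().lower() in SAFE_MODES else "exposed"


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: mode={custom_errors_mode(cfg)!r} -> {audit_custom_errors(cfg)}")
```

Run it over every Web.config in the site tree as well as Machine.config, since a child directory can re-enable detailed errors that the parent turned off.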
This version of Outlook Web Access contains a URL redirection vulnerability. However, abusing it would require user interaction, such as a URL embedded within an email being clicked on.
It is possible to provide an arbitrary "url" value.
Informational only. Microsoft expects this to be resolved in Exchange 2007.
The portal requires users to submit a username and password to authenticate. This communication is not encrypted.
Check the HTML source code of the form page and examine whether the FORM ACTION is a GET/POST to an HTTPS:// URI.
1) Enable SSL and disable HTTP for the portal.
2) Use two-factor tokens (one-time password) for strong authentication.
3) Modify the HTML source to ensure the data is POSTed to an HTTPS URL.
1. In Microsoft Windows, open Administrative Tools, and then click Internet Information Services (IIS) Manager.
IIS Manager appears.
2. Under Internet Information Services, expand Servername (local computer), expand Web Sites, right-click either Websitename or Default Website, and then click Properties.
The Web Site Properties dialog box appears.
3. Click the Home Directory tab, and then click Configuration.
The Application Configuration Settings dialog box appears.
4. Click the Debugging tab.
5. Change the radio button from "Send detailed ASP error messages to client" to "Send the following text error messages" and specify an error message.
The FTP service reveals the operating system type via the 'SYST' command.
This is historically used by clients to determine how to handle file types, as many operating systems format data differently.
# telnet ftp.microsoft.com 21
Connected to ftp.microsoft.com.
Escape character is '^]'.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
230-Welcome to FTP.MICROSOFT.COM. Also visit http://www.microsoft.com/downloads.
230 User logged in.
221 Thank you for using Microsoft products.
Connection closed by foreign host.