Category Archives: IIS

MS KB2871997: Update to Improve Credentials Protection and Management

Nessus Output:

Description
The remote host is missing one or more of the following Microsoft updates: KB2871997, KB2973351, KB2975625, KB2982378, KB2984972, KB2984976, KB2984981, KB2973501, or KB3126593. 
These updates are needed to improve the protection against possible credential theft.
- For Windows 7 / 2008 R2 :
KB2984972, KB2871997, KB2982378, and KB2973351 are required; also, KB2984976 (if KB2592687 is installed) or KB2984981 (if KB2830477 is installed).
- For Windows 8 / 2012 :
KB2973501, KB2871997, and KB2973351 are required.
- For Windows 8.1 / 2012 R2 :
KB2973351 (if Update 1 is installed) or KB2975625 (if Update 1 isn't installed).
These updates provide additional protection for the Local Security Authority (LSA), add a restricted administrative mode for Credential Security Support Provider (CredSSP), introduce support for the protected account-restricted domain user category, enforce stricter authentication policies, add additional protection for users' credentials, and add a restricted administrative mode for Remote Desktop Connection and Remote Desktop Protocol.
Solution
Microsoft has released a set of patches for Windows 7, 2008 R2, 8, 2012, 8.1, and 2012 R2.

Output
A required registry setting is missing:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential = 0
More information: https://blogs.technet.microsoft.com/kfalde/2014/11/01/kb2871997-and-wdigest-part-1/
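The Nessus finding above is satisfied only when the listed updates are installed and the WDigest value is present and zero; an absent value is reported as missing. The following PowerShell, an added example rather than anything from the original post, checks both halves on the host being audited and can enforce the registry value. The function names are mine; the KB list and registry path are the ones the finding quotes. Run it elevated, and restart the host afterwards, since credentials already cached by LSASS for existing logon sessions are not cleared by the registry change alone.

```powershell
# Added example (not from the original post): audit and optionally enforce the
# WDigest setting that KB2871997 relies on. Run in an elevated PowerShell.
$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Get-WDigestStatus {
    # Reports whether UseLogonCredential exists and is 0. Nessus treats an absent
    # value as a finding, so "Present" and "Compliant" are tracked separately.
    $value = (Get-ItemProperty -Path $WDigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    [pscustomobject]@{
        Key       = $WDigestKey
        Present   = ($null -ne $value)
        Value     = $value
        Compliant = ($value -eq 0)
    }
}

function Test-CredentialProtectionPatches {
    # Lists which of the KBs named in the Nessus description are installed.
    # Which subset is actually required depends on the OS version and on whether
    # KB2592687 / KB2830477 / Update 1 are present, as the description spells out.
    param([string[]]$KB = @('KB2871997','KB2973351','KB2975625','KB2982378',
                             'KB2984972','KB2984976','KB2984981','KB2973501','KB3126593'))
    $installed = (Get-HotFix).HotFixID
    foreach ($id in $KB) {
        [pscustomobject]@{ KB = $id; Installed = ($installed -contains $id) }
    }
}

function Set-WDigestDisabled {
    # Creates the REG_DWORD if it is missing and forces it to 0.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($WDigestKey, 'Set UseLogonCredential = 0 (DWORD)')) {
        New-ItemProperty -Path $WDigestKey -Name UseLogonCredential -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

Get-WDigestStatus
Test-CredentialProtectionPatches | Where-Object { -not $_.Installed }
Set-WDigestDisabled -WhatIf    # drop -WhatIf to apply, then reboot
```

Get-HotFix reads the Win32_QuickFixEngineering inventory, so updates delivered inside a cumulative rollup may not appear under their own KB number; if a required KB shows as missing but the registry value is compliant, confirm the rollup before raising a ticket.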

Continue reading

SSL Version 2 and 3 Protocol Detection

Nessus Output:

Description

The remote service accepts connections encrypted using SSL 2.0 and/or SSL 3.0. These versions of SSL are affected by several cryptographic flaws. An attacker can exploit these flaws to conduct man-in-the-middle attacks or to decrypt communications between the affected service and clients.
NIST has determined that SSL 3.0 is no longer acceptable for secure communications. As of the date of enforcement found in PCI DSS v3.1, any version of SSL will not meet the PCI SSC's definition of 'strong cryptography'.

Solution
Consult the application's documentation to disable SSL 2.0 and 3.0.
Use TLS 1.1 (with approved cipher suites) or higher instead.
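On IIS the protocol set is not an application setting at all; it is SChannel's, and it lives under the SCHANNEL\Protocols registry key. The PowerShell below is an added example (not from the original post) that disables SSL 2.0 and SSL 3.0 for both the server and client side and reads the result back; the function names are mine, the key layout and the Enabled / DisabledByDefault values are SChannel's own. Two practical caveats: the change takes effect after a reboot, and on Windows Server 2008 R2 TLS 1.1 and 1.2 are not enabled by default, so verify that at least TLS 1.2 reports Enabled before rebooting, or the host will be left offering TLS 1.0 only. Nessus's wording of "TLS 1.1 or higher" reflects PCI DSS v3.1; today TLS 1.2 is the floor worth configuring.

```powershell
# Added example (not from the original post): disable SSL 2.0 / 3.0 in SChannel
# and show the resulting protocol matrix. Run elevated; reboot to apply.
$SChannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Disable-SChannelProtocol {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Protocol)   # 'SSL 2.0', 'SSL 3.0', ...
    foreach ($side in 'Server', 'Client') {
        $path = Join-Path (Join-Path $SChannelProtocols $Protocol) $side
        if ($PSCmdlet.ShouldProcess($path, 'Enabled=0, DisabledByDefault=1')) {
            New-Item -Path $path -Force | Out-Null
            # Enabled=0 switches the protocol off; DisabledByDefault=1 also stops
            # applications that request "system defaults" from negotiating it.
            New-ItemProperty -Path $path -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null
            New-ItemProperty -Path $path -Name DisabledByDefault -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

function Get-SChannelProtocolStatus {
    # Absent keys mean the OS default applies; on the OS versions in the finding
    # that default still allows SSL 3.0, so "default" is not the same as "off".
    param([string[]]$Protocol = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($p in $Protocol) {
        foreach ($side in 'Server', 'Client') {
            $path  = Join-Path (Join-Path $SChannelProtocols $p) $side
            $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $p
                Side              = $side
                Enabled           = if ($props) { $props.Enabled } else { 'default' }
                DisabledByDefault = if ($props) { $props.DisabledByDefault } else { 'default' }
            }
        }
    }
}

'SSL 2.0', 'SSL 3.0' | ForEach-Object { Disable-SChannelProtocol -Protocol $_ -WhatIf }  # drop -WhatIf to apply
Get-SChannelProtocolStatus | Format-Table -AutoSize
```

After the reboot, re-run the Nessus plugin or an external TLS scanner rather than trusting the registry alone; a load balancer or reverse proxy in front of IIS terminates TLS with its own configuration.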

Continue reading

Missing or Permissive Content-Security-Policy HTTP Response Header

Nessus Output

Synopsis :

The remote web server does not take steps to mitigate a class of web
application vulnerabilities.

Description :

The remote web server in some responses sets a permissive
Content-Security-Policy (CSP) response header or does not set one at
all.

The CSP header has been proposed by the W3C Web Application Security
Working Group as a way to mitigate cross-site scripting and
clickjacking attacks.
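What makes a CSP "permissive" in practice is the script source list and the absence of frame-ancestors: a policy whose effective script-src includes 'unsafe-inline' or a wildcard does nothing against reflected XSS, and one without frame-ancestors does nothing against clickjacking. The PowerShell below is an added example (not from the original post) that applies those reviewer checks to a header value, runs them over three constructed samples, and shows the web.config fragment that sets the header under IIS. Function and host names (cdn.example) are mine; it is a targeted check, not a complete CSP parser.

```powershell
# Added example (not from the original post): flag the CSP weaknesses that leave
# XSS and clickjacking unmitigated, then the IIS fragment that sets a header.
function Test-ContentSecurityPolicy {
    # Returns a list of findings; an empty list means scripts and framing are restricted.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Header)
    $findings = New-Object System.Collections.Generic.List[string]
    if ([string]::IsNullOrWhiteSpace($Header)) {
        $findings.Add('no Content-Security-Policy header at all')
        return ,$findings
    }
    # Directives are ';'-separated: "name source source ...".
    $directives = @{}
    foreach ($part in ($Header -split ';')) {
        $tokens = @($part.Trim() -split '\s+')
        if ($tokens[0]) { $directives[$tokens[0].ToLower()] = @($tokens | Select-Object -Skip 1) }
    }
    # script-src falls back to default-src; with neither, script sources are unrestricted.
    $scriptSrc = if ($directives.ContainsKey('script-src'))      { $directives['script-src'] }
                 elseif ($directives.ContainsKey('default-src')) { $directives['default-src'] }
                 else                                            { $null }
    if ($null -eq $scriptSrc) {
        $findings.Add('neither script-src nor default-src: script sources unrestricted')
    } else {
        foreach ($src in $scriptSrc) {
            if     ($src -eq "'unsafe-inline'")           { $findings.Add("script-src allows 'unsafe-inline': injected inline scripts run") }
            elseif ($src -eq "'unsafe-eval'")             { $findings.Add("script-src allows 'unsafe-eval'") }
            elseif ($src -match '^(\*|https?:|data:)$')   { $findings.Add("script-src allows wildcard-like source $src") }
        }
    }
    if (-not $directives.ContainsKey('frame-ancestors')) {
        $findings.Add('no frame-ancestors: framing (clickjacking) not restricted by CSP')
    }
    return ,$findings
}

# Constructed sample header values.
$samples = [ordered]@{
    missing    = ''
    permissive = "default-src * 'unsafe-inline' 'unsafe-eval'"
    hardened   = "default-src 'self'; script-src 'self' https://cdn.example; object-src 'none'; frame-ancestors 'none'"
}
foreach ($name in $samples.Keys) {
    $f = Test-ContentSecurityPolicy -Header $samples[$name]
    '{0,-10} {1}' -f $name, $(if ($f.Count) { $f -join ' | ' } else { 'OK' })
}

# Under IIS the header is set per site or application; this goes inside <configuration>
# of the site's web.config (cdn.example is a placeholder for your own script host).
$iisFragment = @'
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Content-Security-Policy"
           value="default-src 'self'; script-src 'self' https://cdn.example; object-src 'none'; frame-ancestors 'none'" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
'@
$iisFragment
```

Deploy a new policy as Content-Security-Policy-Report-Only first and watch the violation reports; a policy that is correct for the home page often breaks inline handlers on older pages, and loosening it back to 'unsafe-inline' after the fact brings the finding straight back.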

Continue reading

No Custom Errors implemented

Often, during a penetration test on web applications, we come up against many error codes generated by applications or web servers. It is possible to cause these errors to be displayed by sending particular requests, either specially crafted with tools or created manually. These codes are very useful to penetration testers during their activities, because they reveal a lot of information about databases, bugs, and other technological components directly linked to the web application.
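On an IIS / ASP.NET host two settings decide what an error reveals: customErrors in system.web (mode="Off" sends the full ASP.NET error page with stack trace, source line and framework version to every client) and httpErrors in system.webServer (errorMode="Detailed" sends IIS module, handler and physical-path details to every client). The PowerShell below is an added example, not from the original post, that audits a web.config for both, with a constructed weak configuration beside the hardened one; the function name and the ~/error.html path are mine.

```powershell
# Added example (not from the original post): audit web.config for the two
# settings that control error disclosure, then compare weak and hardened configs.
function Test-ErrorDisclosure {
    param([Parameter(Mandatory)][xml]$Config)
    $findings = New-Object System.Collections.Generic.List[string]

    # ASP.NET: mode="Off" exposes exception details to everyone; "RemoteOnly" keeps
    # them for localhost only. The attribute default when absent is RemoteOnly.
    $custom = $Config.SelectSingleNode('/configuration/system.web/customErrors')
    $mode = if ($custom -and $custom.mode) { $custom.mode } else { 'RemoteOnly' }
    if ($mode -eq 'Off') {
        $findings.Add('customErrors mode="Off": ASP.NET exception details reach remote clients')
    }

    # IIS: errorMode="Detailed" exposes handler/path details to everyone; the
    # default is DetailedLocalOnly, "Custom" serves the configured pages to all.
    $httpErrors = $Config.SelectSingleNode('/configuration/system.webServer/httpErrors')
    $errorMode = if ($httpErrors -and $httpErrors.errorMode) { $httpErrors.errorMode } else { 'DetailedLocalOnly' }
    if ($errorMode -eq 'Detailed') {
        $findings.Add('httpErrors errorMode="Detailed": IIS error details (paths, handlers) reach remote clients')
    }
    return ,$findings
}

# Constructed sample: what a scanner typically finds behind this Nessus item.
$weak = [xml]@'
<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
  <system.webServer>
    <httpErrors errorMode="Detailed" />
  </system.webServer>
</configuration>
'@

# Constructed sample: the same file after remediation.
$hardened = [xml]@'
<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.html" />
  </system.web>
  <system.webServer>
    <httpErrors errorMode="Custom" existingResponse="Replace">
      <remove statusCode="500" subStatusCode="-1" />
      <error statusCode="500" path="/error.html" responseMode="ExecuteURL" />
    </httpErrors>
  </system.webServer>
</configuration>
'@

'weak:     ' + ((Test-ErrorDisclosure -Config $weak) -join '; ')
'hardened: ' + ((Test-ErrorDisclosure -Config $hardened) -join '; ')
# Against a deployed site:
# Test-ErrorDisclosure -Config ([xml](Get-Content 'C:\inetpub\wwwroot\web.config' -Raw))
```

Settings inherit down the configuration hierarchy, so a clean site web.config can still be overridden by a sub-application's own file; audit every web.config under the site root, not only the top one. The error page itself should be static and must not echo the request back, or the custom page becomes the next disclosure.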

Continue reading

MS15-034: Vulnerability in HTTP.sys Could Allow Remote Code Execution (3042553)

Nessus Output

Description

The version of Windows running on the remote host is affected by a vulnerability in the HTTP protocol stack (HTTP.sys) due to improperly parsing crafted HTTP requests. A remote attacker can exploit this to execute arbitrary code with System privileges.
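The fix is KB3042553, so the first check is simply the local hotfix inventory. When only network access is available, the published fingerprint for this bug is a Range header whose upper bound is 2^64-1: an unpatched HTTP.sys parses it and answers 416 (Requested Range Not Satisfiable), while a patched one rejects the header with 400. The PowerShell below is an added example, not from the original post; function names and the target URL are mine. Send only this exact range, only to hosts you are authorised to test, and only for a static resource served by HTTP.sys: other out-of-range values can crash an unpatched host, which is the denial-of-service side of the same bug.

```powershell
# Added example (not from the original post): confirm MS15-034 locally via the
# hotfix list, or remotely via the published 416-vs-400 fingerprint.
function Test-MS15034Hotfix {
    # Local check: KB3042553 is the update named in the bulletin.
    $null -ne (Get-HotFix -Id KB3042553 -ErrorAction SilentlyContinue)
}

function Test-MS15034Remote {
    param([Parameter(Mandatory)][string]$Url)
    Add-Type -AssemblyName System.Net.Http   # needed on Windows PowerShell 5.1, harmless on 7
    $client = [System.Net.Http.HttpClient]::new()
    $client.Timeout = [TimeSpan]::FromSeconds(10)
    try {
        $request = [System.Net.Http.HttpRequestMessage]::new([System.Net.Http.HttpMethod]::Get, $Url)
        # TryAddWithoutValidation: .NET's typed Range header cannot hold a value above Int64.
        $request.Headers.TryAddWithoutValidation('Range', 'bytes=0-18446744073709551615') | Out-Null
        $response = $client.SendAsync($request).GetAwaiter().GetResult()
        $code = [int]$response.StatusCode
        [pscustomobject]@{
            Url        = $Url
            StatusCode = $code
            Assessment = $(switch ($code) {
                416     { 'unpatched: HTTP.sys accepted the oversized range' }
                400     { 'patched: HTTP.sys rejected the header' }
                default { "inconclusive ($code): use a static file served directly by HTTP.sys" }
            })
        }
    } finally {
        $client.Dispose()
    }
}

Test-MS15034Hotfix
# Test-MS15034Remote -Url 'http://iis.example/iisstart.htm'   # hypothetical target
```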

Continue reading

Audit XML configuration files

A quick example of querying an XML config file to retrieve a specific security setting, here the password storage format of the ASP.NET membership provider configured in the 64-bit .NET 4 machine.config.

PowerShell:

# Reads passwordFormat (Clear, Hashed or Encrypted) for every membership provider
# registered in the 64-bit .NET 4 machine.config; anything other than Hashed is a finding.
Select-Xml -path C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config -XPath "/configuration/system.web/membership/providers/add" | 
Select-Object -ExpandProperty node | 
Select-Object passwordFormat
 
passwordFormat
--------------
Hashed
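machine.config only sets the baseline; any web.config under a site root can register its own provider with passwordFormat="Clear", and an absent attribute silently takes the provider default (Hashed for SqlMembershipProvider). The PowerShell below is an added example, not from the original post, that generalises the query above to every web.config under a directory and flags reversible formats; it builds a two-application sample tree in the temp directory so it runs offline. The function name and the sample content are mine.

```powershell
# Added example (not from the original post): scan every web.config under a root
# for membership providers whose password storage is Clear or Encrypted.
function Find-WeakPasswordFormat {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -Recurse -Filter web.config | ForEach-Object {
        $file = $_.FullName
        Select-Xml -Path $file -XPath '/configuration/system.web/membership/providers/add' |
            Select-Object -ExpandProperty Node |
            ForEach-Object {
                # No passwordFormat attribute means the provider default, which is Hashed
                # for SqlMembershipProvider; Clear and Encrypted are both reversible.
                $format = if ($_.passwordFormat) { $_.passwordFormat } else { 'Hashed (default)' }
                [pscustomobject]@{
                    File           = $file
                    Provider       = $_.name
                    PasswordFormat = $format
                    Weak           = ($format -in 'Clear', 'Encrypted')
                }
            }
    }
}

# Constructed sample site tree: app1 stores clear-text passwords, app2 hashes them.
$root = Join-Path ([IO.Path]::GetTempPath()) 'audit-xml-demo'
New-Item -ItemType Directory -Path (Join-Path $root 'app1'), (Join-Path $root 'app2') -Force | Out-Null
@'
<configuration><system.web><membership><providers>
  <add name="SqlProv" type="System.Web.Security.SqlMembershipProvider" passwordFormat="Clear" />
</providers></membership></system.web></configuration>
'@ | Set-Content -Path (Join-Path $root 'app1\web.config')
@'
<configuration><system.web><membership><providers>
  <add name="SqlProv" type="System.Web.Security.SqlMembershipProvider" passwordFormat="Hashed" />
</providers></membership></system.web></configuration>
'@ | Set-Content -Path (Join-Path $root 'app2\web.config')

Find-WeakPasswordFormat -Root $root | Format-Table -AutoSize
# Real audit: Find-WeakPasswordFormat -Root 'C:\inetpub\wwwroot' | Where-Object Weak
```

Encrypted is flagged alongside Clear because it is reversible with the machineKey, which usually sits in the same web.config; an attacker who can read the file gets the passwords either way.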