Read/Write IUSER privs on

Thread: Read/Write IUSER privs on

  1. #1
    Member
    Join Date
    Jul 2002
    Posts
    38

    Read/Write IUSER privs on

    I am attempting to identify servers within our DMZ with read/write privileges granted to the IUSER account. Although I could write a quick script to get this information from servers in the domain, I want to see how difficult it would be to get this information from the outside. I know these privs should have never been granted in the first place and it was done by someone managing the web sites.

    Does anyone know of a tool to test for IUSER read/write privs? Once upon a time, I had a tool that attempted to write a zero byte file to any directories on a web site that it could find; if it succeeded, it reported back that read/write privs were available at the "X" directory on the server. The trick is to find the sub-directories under the web site root folder and then see if read/write is enabled at that level. Any assistance would be greatly appreciated...

    ...aberration...
    "The most beautiful thing we can experience is the mysterious. It is the source of all true art and science."
    ~ Albert Einstein ~

  2. #2
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    Try running a Nessus scan against all your machines. It will check for any vulnerability you want. Just set it to check for only user permission vulnerabilities, input the list of IPs and away you go. And yes...do this from outside the firewall, although it should not make much difference.

  3. #3
    Member
    Join Date
    Jul 2002
    Posts
    38
    Thanks for the reply--I had planned on using nmap, but I wasn't sure if there was a check to determine directory level privs below the web site root directory. This will be my first encounter with Nessus, but from what I have heard, it's pretty effective... Thanks again.

    ...aberration...
    "The most beautiful thing we can experience is the mysterious. It is the source of all true art and science."
    ~ Albert Einstein ~

  4. #4
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    dumpsec does a good job at it (actually, you'll probably be amazed at how easy this does it... I know I was!)
    http://www.somarsoft.com/

    Ammo
    Credit travels up, blame travels down -- The Boss

  5. #5
    Member
    Join Date
    Jul 2002
    Posts
    38
    I have used dumpsec quite a bit in the past and I find it to be very useful, but the problem is that I am approaching this server as if I am an outsider. I want to see the vulnerabilities the same way Johnny HaXor sees them. So, for example, if a scanner will reveal write privs to a web site subdirectory, I want to know that s/he can see that. There has been some debate within my organization as to whether an outsider can actually see if write privs exist to a specific web site directory. I'm trying to test my theory... The first issue I can see is that the haXor wouldn't know the directory structure of the web site (would a site crawler give them that info?). Once (or even if) they obtain the directory structure of the site, how can they figure out what privs are associated with the site directories (experiment with each one?). I was originally looking for a scanner that could find the directory structure (a site crawler integrated with the scanner) and then attempt to place a zero byte file in each directory to validate read/write privs on each subdirectory.

    Any other ideas would be welcome!

    ...aberration...
    "The most beautiful thing we can experience is the mysterious. It is the source of all true art and science."
    ~ Albert Einstein ~
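The "crawler plus zero-byte file" tool described in posts #1 and #5 is easy enough to rebuild. The script below is an added example written for this thread, not a tool anyone in it posted: it crawls a site for same-host links, derives every directory (and ancestor directory) those links imply, then issues an HTTP PUT of a zero-byte marker file into each directory and records which ones the server accepts, deleting the marker afterwards. The marker name, the host dmz-web.example, the sample pages and the simulated server are all constructed for the example; against a real host you pass `http_send` instead of the simulated transport. One caveat on what the outsider can and cannot see: this probe only detects write access that is reachable over HTTP, which on IIS means PUT or WebDAV enabled on a virtual directory with Write permission. NTFS write rights for the anonymous account with no HTTP write vector are invisible from the outside, so a negative result from this probe does not mean the ACL is clean; that is exactly the gap dumpsec covers from the inside.

```python
"""Crawl a site for directory paths, then PUT a zero-byte file into each one to
see where anonymous writes land. Added example; not a tool from the thread."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import urllib.error, urllib.request

PROBE_NAME = "writecheck_zero.txt"   # constructed name for the zero-byte marker

class LinkExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        # collect every href/src/action value on the page
        self.links += [v for k, v in attrs if k in ("href", "src", "action") and v]

def directories_from_links(base_url, links):
    """Same-host directories implied by links, ancestors included; /a/b/c.gif -> /, /a/, /a/b/."""
    host = urlparse(base_url).netloc
    dirs = set()
    for link in links:
        parsed = urlparse(urljoin(base_url, link))
        if parsed.netloc != host:
            continue
        parts = [p for p in parsed.path.split("/") if p]
        if not parsed.path.endswith("/"):   # no trailing slash: treat the last part as a file
            parts = parts[:-1]
        for i in range(len(parts) + 1):
            dirs.add("/" + "".join(p + "/" for p in parts[:i]))
    return dirs

def http_send(method, url, body=None, timeout=10):
    """Real transport: one HTTP request via urllib, returning (status, body)."""
    req = urllib.request.Request(url, data=body, method=method)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def probe_directory(send, base_url, directory):
    """PUT a zero-byte marker into directory -> (status, writable); 405 = PUT off, 401/403 = denied."""
    target = urljoin(base_url, directory + PROBE_NAME)
    status, _ = send("PUT", target, b"")
    writable = status in (200, 201, 204)
    if writable:
        send("DELETE", target)   # remove the marker we just created
    return status, writable

def scan(send, base_url, max_pages=50):
    """Crawl same-host pages from base_url, probe every directory seen -> {dir: (status, writable)}."""
    host = urlparse(base_url).netloc
    queue, seen, dirs = [base_url], set(), set()
    while queue and len(seen) < max_pages:
        url = queue.pop()
        if url in seen:
            continue
        seen.add(url)
        status, body = send("GET", url)
        if status != 200:
            continue
        parser = LinkExtractor()
        parser.feed(body.decode("utf-8", "replace"))
        dirs |= directories_from_links(url, parser.links)
        for link in parser.links:   # only follow things that look like pages
            nxt = urlparse(urljoin(url, link))
            if nxt.netloc == host and nxt.path.endswith(("/", ".htm", ".html", ".asp")):
                queue.append(nxt._replace(fragment="").geturl())
    return {d: probe_directory(send, base_url, d) for d in sorted(dirs)}

def make_simulated_server(pages, writable_dirs):
    """Constructed offline stand-in: GET serves pages[path]; PUT succeeds only in writable_dirs."""
    created = set()
    def send(method, url, body=None):
        path = urlparse(url).path
        directory = path.rsplit("/", 1)[0] + "/"
        if method == "GET":
            return (200, pages[path].encode()) if path in pages else (404, b"")
        if method == "PUT":
            if directory in writable_dirs:
                created.add(path)
                return 201, b""
            return 403, b""
        if method == "DELETE" and path in created:
            created.discard(path)
            return 204, b""
        return 405, b""
    send.created = created   # lets a caller verify the marker was cleaned up
    return send

# Constructed sample site: three pages referencing five directories, two writable.
SAMPLE_PAGES = {
    "/": '<a href="/products/index.asp">Products</a><img src="/images/logo.gif">'
         '<a href="http://partner.example/x.html">Partner</a>',
    "/products/index.asp": '<a href="/upload/">Uploads</a><script src="/scripts/menu.js"></script>',
    "/upload/": "<html><body>Directory listing</body></html>",
}
SAMPLE_WRITABLE = {"/upload/", "/images/"}
```

Run it as `scan(make_simulated_server(SAMPLE_PAGES, SAMPLE_WRITABLE), "http://dmz-web.example/")` to see the offline result, or `scan(http_send, "http://your-dmz-host/")` from outside the firewall against a host you are authorised to test. Read the status codes, not just the writable flag: a 405 on every directory means the server refuses PUT altogether, while 401/403 means PUT is handled but denied there, and the two tell you different things about how the site is configured.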
