Telnet to port 80 of IIS 4.0 web server - can you do a file listing?

[Valhalla1]

Is there any way to view a file listing of a web server (this particular one is IIS 4), a listing of the files and subdirectories of a web folder?

Like, when a website doesn't have an index.html in a subdirectory, then your browser just shows a listing of files. Well, how can you get a listing of the files if it DOES have an index.html? I tried telnetting to port 80 of the server, but "dir" and "ls" commands gave me nothing, I dont even know what commands i CAN issue. Any help?

 

[err]

easy fix :

if your web server doesn;t have index.htm you can list all the files and subdirectories in your webserver..

do this:
open mmc, right click on your website, select properties
select home directory tab, click on directory browsing allowed...

that's it !

Make sure the NTFS permission is right though so that everything works and secured.

eRr

 

[Valhalla1]

heeh.. well, see the problem is, its not my webserver. theres s cheezy "challenge" on a website, and one of the steps is to find a "secret" page on the server, which isn't linked anywhere or on the source, and it hints that you have to get a directory listing of the files. My only guess was to telnet port 80 on the server, I dont have admin access to it

 

[Skippy]

You cant "telnet to port 80" if there is no telnet running on that port. Telnet runs on port 23 by default. You are so l33t.

 

[err]

On IIS, there is an admin port to manage IIS remotely...

this port are all different... it depends on the administrator... For instance, my IIS use to run on port 9987 ... I then change it to 6555 ... it's to my heart content..

once you figure out how to get into the web admin site, you have to know the admin login and password...

The IIS must also be configured so that it can be managed remotely... otherwise you have no chance

go here for some more hacking info:

http://www.iishack.com[/e]

eRr

 

[tmj]

Skippy - you can telnet to any port you want. e.g.:

Start -> Run -> "telnet www.intel.com 80"

Type "GET /" in the telnet window and see what happens. He's not trying to telnet, he's just using Telnet as a client to retrieve some data from the server.

 

[Valhalla1]

skippy -
okay, I'm not exactly known as one to start or involve myself in flames here on this BBS, but I'd suggest you figure out what you're talking about before you mouth off. Yes, you can telnet to port 80, you can telnet to whatever the hell port you want. No one here claimed to be "leet", but I think you better take that foot out of your mouth, you don't look to smart with it shoved in there.


And thanks to those who actually had something to offer as a solution.

 

[Mark R]

If there is no index.htm(l) file, then the server will automatically serve up a directory listing (unless this is disabled).

If directory browsing is disabled then you cannot list directory contents remotely without using a remote administration tool (and appropriate authorisation).

If you do use telnet to access port 80, make sure you set it to ANSI terminal mode, otherwise the VT100/VT220 control characters will confuse the server, and nothing useful will happen.

 

[Valhalla1]

hrm.. I was using telnet.exe w/ Windows 2000, so if thats not the default settings, I'll have to use a term. emulator I guess. But even with telnetting to port 80, is there even a command to get a directory listing? I mean, what commands can you issue? GET, (maybe?) and what else? I couldn't enter anything, perhaps if I emulate the right settings I can enter HELP or ? but I was getting nothing

 

[Skippy]

"perhaps if I emulate the right settings I can enter HELP or ? but I was getting nothing"

Perhaps if you knew anything about hacking a secure IIS server you would know you are going the wrong way about it.

Any secure IIS site is going to have a firewall in front of it packet filtering by packet TYPE not just port.

Very few secure IIS installs run html admin, its just too much of a risk. The ones that do are secured with SSL to stop password/username sniffing and authenticate by means of not just username/password but also client side certificate.

Directory browsing will also be disabled as will unathenticated anonymous connections. IIS uses a specific account to handle anon connections behind the scenes.

The best you could hope for is to use NetCat to connect to the server's port 80 and d/l the site header.

BTW, I make 100k plus options for running among other things IIS 4.0 and 5.0 e-commerce servers. I love to toy with monkeys like yourself that try to get into our sites at least a couple of times a week. After playing with them for a while I usually send their IP's to the FBI's CCD.

Have fun, I bet you cant even get the site header. (Unless the admin is as naive as you are)

 

[Valhalla1]

hrm.. 100k/year admin'ing sites, and you STILL thought you could only connect to port 23 via telnet?


http://nontester.nmebase.com/main/hack/thecream.htm


the site is wanting you to do it. And I am CCNA certified, soon to be CCNP, so I know any admin worth their sh!t is going to have multiple access lists on their routers to stop such activity. I don't know why you feel the need to be such a jackass, if you didn't want to answer my question, then keep your mouth shut. I think SOMEBODY wasn't breast fed! tsk tsk

 

[rahvin]

Ya know talking about how "big" your salary is doesn't mean sh!t about how much you know, although it may be a statement about how stupid an employer is. MSCE means nothing these days. A simple script kiddie trying to get into a server is nothing compared to someone that KNOWS what they are doing. That said I don't know how to do something like that with NT, I'm more interested in security on linux systems.