URLScan for IIS Detection

2003-06-05T00:00:00
ID URLSCAN_DETECT.NASL
Type nessus
Reporter This script is Copyright (C) 2003-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2020-07-02T00:00:00

Description

The remote web server is using URLScan to protect itself, which is a good thing.

However, because the presence of URLScan can be determined remotely, an attacker may safely assume that the remote web server is Internet Information Server (IIS), the server URLScan is designed to protect.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#

#
# Ref: 
#  Date: Sat, 31 May 2003 13:58:58 +1200
#  From: Stephen Cope <mail@nonsense.kimihia.org.nz>
#  To: bugtraq@securityfocus.com
#  Subject: URLScan detection


include("compat.inc");


# Registration phase: when the scanner evaluates the plugin with `description`
# set, only the metadata below is recorded and the script exits (exit(0) at the
# end of this block) before any request is sent to the target.
if (description)
{
 # Plugin identity and revision information.
 script_id(11699);
 script_version("1.25");
 script_cvs_date("Date: 2019/11/22");

 # Bugtraq ID attached to this plugin as an external reference.
 script_bugtraq_id(7767);
 
 script_name(english: "URLScan for IIS Detection");
 script_summary(english: "Detects the presence of URLScan");

 # Report text. The finding is a product fingerprint: the description states
 # that a detectable URLScan lets an observer conclude the server is IIS.
 script_set_attribute(attribute:"synopsis", value:"URLScan is installed.");
 script_set_attribute(attribute:"description", value:
"The remote web server is using URLScan to protect itself, which is a
good thing.

However since it is possible to determine that URLScan is installed,
an attacker may safely assume that the remote web server is Internet
Information Server.");
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2003/Jun/0");
 # Informational result: no remediation and no risk rating are reported.
 script_set_attribute(attribute:"solution", value:"None");
 script_set_attribute(attribute:"risk_factor", value:"None");

 script_set_attribute(attribute:"plugin_publication_date", value:"2003/06/05");

 # "remote" plugin type: detection is done over the network, without credentials.
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:urlscan");
 # NOTE(review): presumably marks the result as usable for asset inventory;
 # confirm against the scanner documentation.
 script_set_attribute(attribute:"asset_inventory", value:"True");
 script_end_attributes();

 # ACT_GATHER_INFO: the plugin is registered as an information-gathering check.
 script_category(ACT_GATHER_INFO); 
 script_copyright(english:"This script is Copyright (C) 2003-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
 script_family(english: "Web Servers");

 # Scheduling constraints: http_version.nasl is declared as a dependency, and
 # the plugin requires a service registered as "Services/www" or TCP port 80.
 script_dependencie("http_version.nasl");
 script_require_ports("Services/www", 80);
 exit(0);
}

#
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

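# Detection phase. Four requests are sent to the target web server and the
# responses to a plain nonexistent page are compared with the responses to a
# nonexistent ".exe" page (an extension URLScan is expected to reject).
#
# NOTE(review): embedded:0 presumably excludes embedded web servers; confirm
# against http.inc.
port = get_http_port(default:80, embedded: 0);

#
# Method #1: send an HTTP HEAD for a regular nonexistent page and for a
# "forbidden fruit" (.exe), and compare the results. According to the
# original author, this is the signal seen when UseFastPathReject is
# disabled.
#
# A failed request (NULL result) is treated as "no evidence" and ends the
# check, matching the isnull() handling already used for the GET probes
# below. Previously a NULL result was indexed and silently read as an
# empty body.
#
head_plain = http_send_recv3(port: port, method: 'HEAD', item:"/someunexistantstuff" + rand() + rand() + ".html");
if (isnull(head_plain)) exit(0);
res = tolower(head_plain[2]);

# If an ordinary missing page already returns an HTML body to HEAD, the
# comparison with the .exe probe would not discriminate anything.
if ("<!doctype" >< res || "<html>" >< res) exit(0);

head_exe = http_send_recv3(port: port, method: 'HEAD', item: "/someunexistantstuff.exe");
if (isnull(head_exe)) exit(0);
res2 = tolower(head_exe[2]);

# flag records that only the .exe HEAD request came back with an HTML body.
flag = 0;
if ("<!doctype" >< res2 || "<html>" >< res2) flag = 1;

#
# Method #2: compare the results of an HTTP GET for a nonexistent page and
# for a forbidden page. According to the original author, if
# UseFastPathReject is set the rejected request yields a very small error
# message, whereas a much longer one is returned if it is not.
#
# Both probes must answer with a 404 status line; anything else ends the
# check without a report.
#
get_plain = http_send_recv3(port: port, method: 'GET', item:"/someunexistantantsutff" + rand() + rand() + ".html");
if (isnull(get_plain) || get_plain[0] !~ "^HTTP/[0-9]\.[0-9] 404 ") exit(0);

get_exe = http_send_recv3(port: port, method: 'GET', item:"/someunexistantantsutff.exe");
if (isnull(get_exe) || get_exe[0] !~ "^HTTP/[0-9]\.[0-9] 404 ") exit(0);

# Report only when BOTH signals agree: the ordinary 404 body is more than
# twice as long as the .exe 404 body, and the HEAD comparison set flag.
# NOTE(review): the method comments describe the two signals as belonging to
# opposite UseFastPathReject settings, yet the condition requires both;
# confirm this conjunction is intended.
# NOTE(review): this is a response-shape heuristic. Any filter or proxy that
# treats ".exe" requests this way would presumably match as well, so the
# result should be read as an indicator rather than proof of URLScan.
if (strlen(get_plain[2]) > 2 * strlen(get_exe[2]) && flag) security_note(port);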