HTTP based detection of Microsoft Internet Information Services
(IIS) and the underlying Microsoft Windows operating system version.
# SPDX-FileCopyrightText: 2009 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.900710");
script_version("2024-06-11T05:05:40+0000");
script_tag(name:"last_modification", value:"2024-06-11 05:05:40 +0000 (Tue, 11 Jun 2024)");
script_tag(name:"creation_date", value:"2009-05-20 10:26:22 +0200 (Wed, 20 May 2009)");
script_tag(name:"cvss_base", value:"0.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:N");
script_name("Microsoft Internet Information Services (IIS) Detection (HTTP)");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2009 Greenbone AG");
script_family("Product detection");
script_dependencies("find_service.nasl", "no404.nasl", "webmirror.nasl",
"DDI_Directory_Scanner.nasl", "global_settings.nasl");
script_require_ports("Services/www", 80);
script_exclude_keys("Settings/disable_cgi_scanning");
# nb: Don't add a IIS/banner script_mandatory_keys because the VT is also doing a detection based
# on standard/404 pages or redirects.
script_tag(name:"summary", value:"HTTP based detection of Microsoft Internet Information Services
(IIS) and the underlying Microsoft Windows operating system version.");
script_tag(name:"qod_type", value:"remote_banner");
exit(0);
}
include("http_func.inc");
include("port_service_func.inc");
include("cpe.inc");
include("host_details.inc");
include("os_func.inc");
port = http_get_port( default:80 );
host = http_host_name( dont_add_port:TRUE );
banner = http_get_remote_headers( port:port );
if( ! banner || banner !~ "^HTTP/1\.[01] [0-9]{3}" )
exit( 0 );
detected = FALSE;
version = "unknown";
if( concl = egrep( string:banner, pattern:"^Server\s*:\s*(Microsoft-)?IIS", icase:TRUE ) ) {
concluded = chomp( concl );
detected = TRUE;
vers = eregmatch( pattern:"Server\s*:\s*(Microsoft-)?IIS/([0-9.]+)", string:concl, icase:TRUE );
if( ! isnull( vers[2] ) )
version = vers[2];
}
# For Proxy setups where e.g. an nginx is in front of the IIS.
if( ! detected || version == "unknown" ) {
check_urls = make_list( "/vt-test-non-existent.html", "/vt-test/vt-test-non-existent.html" );
# We might also be able to catch the IIS banner if we're calling an .aspx file so we're
# adding the first found .asp/.aspx file to the list.
asp_list = http_get_kb_file_extensions( port:port, host:host, ext:"asp*" );
if( asp_list[0] )
check_urls = make_list( check_urls, asp_list[0] );
# Some found systems had also responded with a redirect, following the redirect might
# also help to grab the banner.
if( banner =~ "^HTTP/1\.[01] 30[0-9]" ) {
loc = http_extract_location_from_redirect( port:port, data:banner, current_dir:"/" );
if( loc )
check_urls = make_list( check_urls, loc );
}
foreach check_url( check_urls ) {
banner = http_get_remote_headers( port:port, file:check_url );
if( ! banner || banner !~ "^HTTP/1\.[01] [0-9]{3}" )
continue;
if( concl = egrep( string:banner, pattern:"^Server\s*:\s*(Microsoft-)?IIS", icase:TRUE ) ) {
detected = TRUE;
vers = eregmatch( pattern:"Server\s*:\s*(Microsoft-)?IIS/([0-9.]+)", string:concl, icase:TRUE );
if( ! isnull( vers[2] ) ) {
if( concluded )
concluded += '\n';
concluded += chomp( concl );
concl_url = http_report_vuln_url( port:port, url:check_url, url_only:TRUE );
version = vers[2];
}
break;
}
}
}
if( detected ) {
install = port + "/tcp";
set_kb_item( name:"IIS/installed", value:TRUE );
set_kb_item( name:"microsoft/iis/detected", value:TRUE );
set_kb_item( name:"microsoft/iis/http/detected", value:TRUE );
# nb: To tell http_can_host_asp and http_can_host_php from http_func.inc that the service is
# supporting these.
replace_kb_item( name:"www/" + port + "/can_host_php", value:"yes" );
replace_kb_item( name:"www/" + port + "/can_host_asp", value:"yes" );
cpe = build_cpe( value:version, exp:"^([0-9.]+)", base:"cpe:/a:microsoft:internet_information_services:" );
if( ! cpe )
cpe = "cpe:/a:microsoft:internet_information_services";
register_product( cpe:cpe, location:install, port:port, service:"www" );
log_message( data:build_detection_report( app:"Microsoft Internet Information Services (IIS)",
version:version,
install:install,
cpe:cpe,
concludedUrl:concl_url,
concluded:concluded ),
port:port );
# nb:
# - Based on https://en.wikipedia.org/wiki/Internet_Information_Services#History
# - Some IIS versions are shipped with two or more OS variants so registering all here
# - IMPORTANT: Before registering two or more OS make sure that all OS variants have reached their
# EOL as we currently can't control / prioritize which of the registered OS is chosen for the
# "BestOS" and we would e.g. report a Server 2012 as EOL if Windows 8 was chosen
# - The "keep" is used below to mark the ones with OS variants matching the important note above
# which shouldn't be registered yet
banner_type = "Microsoft IIS HTTP Server banner";
SCRIPT_DESC = "Microsoft Internet Information Services (IIS) Detection (HTTP)";
if( version != "unknown" ) {
if( version == "10.0" ) {
# keep: os_register_and_report( os:"Microsoft Windows Server 2016", cpe:"cpe:/o:microsoft:windows_server_2016", banner_type:banner_type, port:port, banner:concluded, desc:SCRIPT_DESC, runs_key:"windows" );
# keep: os_register_and_report( os:"Microsoft Windows 10", cpe:"cpe:/o:microsoft:windows_10", banner_type:banner_type, port:port, banner:concluded, desc:SCRIPT_DESC, runs_key:"windows" );
os_register_and_report( os:"Microsoft Windows Server 2016 or Microsoft Windows 10", cpe:"cpe:/o:microsoft:windows", banner_type:banner_type, port:port, banner:concluded, desc:SCRIPT_DESC, runs_key:"windows" );
}
else if( version == "8.5" ) {
# keep: os_register_and_report( os:"Microsoft Windows Server 2012 R2", cpe:"cpe:/o:microsoft:windows_server_2012:r2", banner_type:banner_type, port:port, banner:concluded, desc:SCRIPT_DESC, runs_key:"windows" );
# keep: os_register_and_report( os:"Microsoft Windows 8.1", cpe:"cpe:/o:microsoft:windows_8.1", banner_type:banner_type, port:port, banner:concluded, desc:SCRIPT_DESC, runs_key:"windows" );
os_register_and_report( os:"Microsoft Windows Server 2012 R2 or Microsoft Windows 8.1", cpe:"cpe:/o:microsoft:windows", banner_type:banner_type, port:port, banner:concluded, desc:SCRIPT_DESC, runs_key:"windows" );
}
else if( version == "8.0" ) {
# keep: os_register_and_report( os:"Microsoft Windows Server 2012", cpe:"cpe:/o:microsoft:windows_server_2012", banner_type:banner_type, port:port, banner:concluded, desc:SCRIPT_DESC, runs_key:"windows" );
# keep: os_register_and_report( os:"Microsoft Windows 8", cpe:"cpe:/o:microsoft:windows_8", banner_type:banner_type, port:port, banner:concluded, desc:SCRIPT_DESC, runs_key:"windows" );
os_register_and_report( os:"Microsoft Windows Server 2012 or Microsoft Windows 8", cpe:"cpe:/o:microsoft:windows", banner_type:banner_type, port:port, banner:concluded, desc:SCRIPT_DESC, runs_key:"windows" );
}
else if( version == "7.5" ) {
# keep: os_register_and_report( os:"Microsoft Windows Server 2008 R2", cpe:"cpe:/o:microsoft:windows_server_2008:r2", banner_type:banner_type, port:port, banner:concluded, desc:SCRIPT_DESC, runs_key:"windows" );
# keep: os_register_and_report( os:"Microsoft Windows 7", cpe:"cpe:/o:microsoft:windows_7", banner_type:banner_type, port:port, banner:concluded, desc:SCRIPT_DESC, runs_key:"windows" );
os_register_and_report( os:"Microsoft Windows Server 2008 R2 or Microsoft Windows 7", cpe:"cpe:/o:microsoft:windows", banner_type:banner_type, port:port, banner:concluded, desc:SCRIPT_DESC, runs_key:"windows" );
}
else if( version == "7.0" ) {
# keep: os_register_and_report( os:"Microsoft Windows Server 2008", cpe:"cpe:/o:microsoft:windows_server_2008", banner_type:banner_type, port:port, banner:concluded, desc:SCRIPT_DESC, runs_key:"windows" );
# keep: os_register_and_report( os:"Microsoft Windows Vista", cpe:"cpe:/o:microsoft:windows_vista", banner_type:banner_type, port:port, banner:concluded, desc:SCRIPT_DESC, runs_key:"windows" );
os_register_and_report( os:"Microsoft Windows Server 2008 or Microsoft Windows Vista", cpe:"cpe:/o:microsoft:windows", banner_type:banner_type, port:port, banner:concluded, desc:SCRIPT_DESC, runs_key:"windows" );
}
else if( version == "6.0" ) {
os_register_and_report( os:"Microsoft Windows Server 2003 R2", cpe:"cpe:/o:microsoft:windows_server_2003:r2", banner_type:banner_type, port:port, banner:concluded, desc:SCRIPT_DESC, runs_key:"windows" );
os_register_and_report( os:"Microsoft Windows Server 2003", cpe:"cpe:/o:microsoft:windows_server_2003", banner_type:banner_type, port:port, banner:concluded, desc:SCRIPT_DESC, runs_key:"windows" );
os_register_and_report( os:"Microsoft Windows XP Professional x64", cpe:"cpe:/o:microsoft:windows_xp:-:-:x64", banner_type:banner_type, port:port, banner:concluded, desc:SCRIPT_DESC, runs_key:"windows" );
}
else if( version == "5.1" ) {
os_register_and_report( os:"Microsoft Windows XP Professional", cpe:"cpe:/o:microsoft:windows_xp", banner_type:banner_type, port:port, banner:concluded, desc:SCRIPT_DESC, runs_key:"windows" );
}
else if( version == "5.0" ) {
os_register_and_report( os:"Microsoft Windows 2000", cpe:"cpe:/o:microsoft:windows_2000", banner_type:banner_type, port:port, banner:concluded, desc:SCRIPT_DESC, runs_key:"windows" );
}
else if( version == "4.0" ) {
os_register_and_report( os:"Microsoft Windows NT 4.0 Option Pack", cpe:"cpe:/o:microsoft:windows_nt:4.0", banner_type:banner_type, port:port, banner:concluded, desc:SCRIPT_DESC, runs_key:"windows" );
}
else if( version == "3.0" ) {
os_register_and_report( os:"Microsoft Windows NT 4.0 SP2", cpe:"cpe:/o:microsoft:windows_nt:4.0:sp2", banner_type:banner_type, port:port, banner:concluded, desc:SCRIPT_DESC, runs_key:"windows" );
}
else if( version == "2.0" ) {
os_register_and_report( os:"Microsoft Windows NT", version:"4.0", cpe:"cpe:/o:microsoft:windows_nt", banner_type:banner_type, port:port, banner:concluded, desc:SCRIPT_DESC, runs_key:"windows" );
}
else if( version == "1.0" ) {
os_register_and_report( os:"Microsoft Windows NT", version:"3.51", cpe:"cpe:/o:microsoft:windows_nt", banner_type:banner_type, port:port, banner:concluded, desc:SCRIPT_DESC, runs_key:"windows" );
}
else {
os_register_and_report( os:"Microsoft Windows", cpe:"cpe:/o:microsoft:windows", banner_type:banner_type, port:port, banner:concluded, desc:SCRIPT_DESC, runs_key:"windows" );
# nb: We also want to report an unknown OS if none of the above patterns for Windows is matching
os_register_unknown_banner( banner:concluded, banner_type_name:banner_type, banner_type_short:"iis_http_banner", port:port );
}
} else {
os_register_and_report( os:"Microsoft Windows", cpe:"cpe:/o:microsoft:windows", banner_type:banner_type, port:port, banner:concluded, desc:SCRIPT_DESC, runs_key:"windows" );
# nb: Here we don't want to report an unknown OS as the version wasn't extracted...
}
}
exit( 0 );