2022/03/22

[Penetration testing] Fixing the IIS directory enumeration (8.3 short name) weakness

### Problem

A customer recently sent over a penetration test report. One of the findings was an IIS directory enumeration weakness, described as follows: certain versions of Microsoft IIS can be abused with a special request technique to guess files or directories by their Windows 8.3 short file names.

### Site environment

- Windows Server 2019
- IIS 10
- ASP.NET Core 3.1

### Scanning tool

[IIS Short Name Scanner](https://github.com/irsdl/iis-shortname-scanner/)

```
java -jar iis_shortname_scanner.jar 0 20 http://192.168.0.220:8000
```

Test result:

```
# IIS Short Name (8.3) Scanner version 2.3.9 (05 February 2017) - scan initiated 2022/03/22 00:22:15
Target: http://192.168.0.220:8000/
|_ Result: Vulnerable!
|_ Used HTTP method: DEBUG
|_ Suffix (magic part): \a.aspx
|_ Extra information:
  |_ Number of sent requests: 703
  |_ Identified directories: 0
  |_ Indentified files: 10
    |_ APPSET~1.JSO
    |_ APPSET~2.JSO
    |_ NETCOR~1.DLL
    |_ NETCOR~1.EXE
    |_ NETCOR~1.JSO
    |_ NETCOR~1.PDB
    |_ NETCOR~2.DLL
    |_ NETCOR~2.JSO
    |_ NETCOR~2.PDB
    |_ WEB~1.CON
      |_ Actual file name = WEB
```

### Fix

1. Disable 8.3 short name creation through the `NtfsDisable8dot3NameCreation` registry value. Run `regedit` and modify the key `HKEY_Local_Machine\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation`.
2. Strip the 8.3 file names that already exist in the target directory and its subdirectories:

   ```
   fsutil 8dot3name strip /l mylogfile.log /s d:\Web\MySite
   ```

3. In IIS, open the site's Request Filtering feature and, on the URL tab, add `~` as a deny sequence.

Rescan result: Not vulnerable or no item was found.

```
# IIS Short Name (8.3) Scanner version 2.3.9 (05 February 2017) - scan initiated 2022/03/22 00:23:28
Target: http://192.168.0.220:8000/
|_ Result: Not vulnerable or no item was found. It was not possible to get proper/different error messages from the server. Check the inputs and try again.
|_ Warning(s):
  |_ Question mark character was blocked: you may have a lot of false positives. -> manual check is needed.
  |_ File extensions could not be verified. you may have false positive results. -> manual check is needed.
|_ Extra information:
  |_ Number of sent requests: 144
```

### Conclusion

In my own testing, adding `~` as a request filtering deny sequence in IIS was enough to stop the scan, but if you have access to the host it is of course best to fix the root cause by turning off short name creation in the registry.

The site tested here was a .NET Core site hosted on IIS, and the weakness did show up. I ran the same test against an ASP.NET MVC site and the problem did not appear. So when hosting a .NET Core site on IIS, be sure to also perform step 3, the request filtering rule!

### References

- [IIS Short Name Scanner](https://github.com/irsdl/iis-shortname-scanner/)
- [NtfsDisable8dot3NameCreation](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?WT.mc_id=DT-MVP-5002629)
- [fsutil 8dot3name](https://docs.microsoft.com/zh-tw/windows-server/administration/windows-commands/fsutil-8dot3name?WT.mc_id=DT-MVP-5002629)
- [Web middleware vulnerabilities: the IIS chapter](https://kknews.cc/code/l3rjb4z.html)
- [How to fix the IIS 8.3 filename enumeration risk](https://hackmd.io/@Not/HkYCJET2S)
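The three steps above can be scripted and verified from an elevated PowerShell session on the web server. This is an added example, not a script from the original post; it assumes the IIS site is named `MySite`, that its content root is `D:\Web\MySite` (the path from the `fsutil` command above), and that `NtfsDisable8dot3NameCreation` is set to `1`, which disables short name creation on all volumes (the post does not state which value it used).

```powershell
#Requires -RunAsAdministrator
# Added example (not the original post's code). Assumed names: site "MySite", root D:\Web\MySite.
$SiteName = 'MySite'
$SitePath = 'D:\Web\MySite'

# Step 1: stop NTFS from generating new 8.3 short names (1 = disabled on all volumes).
# This does not remove short names that already exist, which is why step 2 is needed.
$fsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
Set-ItemProperty -Path $fsKey -Name 'NtfsDisable8dot3NameCreation' -Value 1 -Type DWord

# Step 2: strip the short names already present under the site root.
# The log lists every stripped name; review it, since programs that referenced
# a short name (e.g. in the registry) will no longer find the file by that name.
$log = Join-Path $env:TEMP 'mysite-8dot3-strip.log'
fsutil 8dot3name strip /l $log /s $SitePath

# Step 3: request filtering deny sequence "~" on the site, so URLs carrying a short
# name pattern are rejected before IIS can reveal whether the name exists.
# Equivalent web.config fragment under <system.webServer><security>:
#   <requestFiltering><denyUrlSequences><add sequence="~" /></denyUrlSequences></requestFiltering>
Import-Module WebAdministration
$appHost = 'MACHINE/WEBROOT/APPHOST'
$filter  = 'system.webServer/security/requestFiltering/denyUrlSequences'
$already = Get-WebConfigurationProperty -PSPath $appHost -Location $SiteName `
    -Filter $filter -Name 'Collection' | Where-Object { $_.sequence -eq '~' }
if (-not $already) {
    Add-WebConfigurationProperty -PSPath $appHost -Location $SiteName `
        -Filter $filter -Name '.' -Value @{ sequence = '~' }
}

# Verification: registry value, remaining short names under the site, and the deny rule.
$reg = Get-ItemProperty -Path $fsKey -Name 'NtfsDisable8dot3NameCreation'
"NtfsDisable8dot3NameCreation = $($reg.NtfsDisable8dot3NameCreation)"
fsutil 8dot3name scan /s $SitePath   # expect no files or directories with short names
Get-WebConfigurationProperty -PSPath $appHost -Location $SiteName `
    -Filter $filter -Name 'Collection' | Select-Object sequence
```

After running it, repeat the scanner command from the post against the site to confirm it now reports "Not vulnerable or no item was found."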
