Humiliating IIS servers for fun and jail time

(mll.sh)

312 points by denysvitali15 hours ago

10 comments

naturalmovement14 hours ago
I front all my honeypots with the IIS landing page precisely because it attracts black hat jagoffs.Nothing makes me happier than knowing I've wasted hours of their time chasing their own tails.
- p1necone13 hours ago
 Why stop there? Front the honeypot with a real IIS server, build a matryoshka doll of honeypots and see how far people get.
- DaSHacka11 hours ago
 Unless you're honeypotting in the IP range of an established organization, all you're doing is getting bot traffic.High-tier blackhats focus on big targets, and low-tier ones focus on low-hanging fruits they find off shodan or application 0days they've found.
 - bitwize8 hours ago
 "Guys, guys, guys, listen, listen, listen. So I'm in this computer, right? So I'm lookin' around, lookin' around, throwing commands at it, I don't know where it is or what it does or anything..."
 - wildlogic8 hours ago
 joey, is that you!?
 - stavros8 hours ago
 Where's that from?
 - amenghra4 hours ago
 It's from Hackers: <a href="https://www.scifiscripts.com/scripts/hackers.txt#:~:text=Anyways" rel="nofollow">https://www.scifiscripts.com/scripts/hackers.txt#:~:text=Any...</a>
 fragmede4 hours ago
 You'know, there ought to be a way to deep link into a tortent file.
 enlightens43 minutes ago
 Yarn is usually the next best thing but there seems to be something off with the video in this case<a href="https://memes.getyarn.io/yarn-clip/e9d8176d-e936-4224-a1d1-f2ef15eb9271" rel="nofollow">https://memes.getyarn.io/yarn-clip/e9d8176d-e936-4224-a1d1-f...</a>
 - bryanrasmussen7 hours ago
 I think it's from hackers, Joey the youngest hacker found the bad guys computers, not sure if it's an accurate quote since it's been years since I saw it.
 egil5 hours ago
 "They're trashing! They're trashing our rights!"
 - forgetfreeman8 hours ago
 Some ATM in bumsville Idaho spit $700 into the middle of the street.
- raverbashing3 hours ago
 Sounds like creating an url like aspnet_client/admin.php returning a WebObjects header might be a good hobby
- wil42111 hours ago
 Tell me more…I opened a plex and Nintendo switch port, the scans were out of control. I’d love to screw over port scanner over.
 - fragmede4 hours ago
 What does shodan.io run?
- themafia14 hours ago
 Noise is a really underrated security layer.
 - YeahThisIsMe7 hours ago
 That's just security by obscurity, which is rated pretty appropriately.
 - close045 hours ago
 Obscurity is a perfectly adequate layer of security. It shouldn't be the only layer but those who argue against adding it heard at some point "security through obscurity is not security" and never dug deeper.
 - seethishat1 hour ago
 I agree. Hiding from a grizzly bear is a good strategy. But if that fails, you will need pepper spray and maybe a shotgun.Bear Defense Plan: Hide, Non-lethal, Lethal.
 Alphanymous20 minutes ago
 You've said it just like it is, prevention + preparation.
 - l23k45 hours ago
 [dead]
Lammy12 hours ago
> IIS has a legacy behavior inherited from the old DOS 8.3 filename convention.Is this exposing the underlying OS's behavior coupled with the fact that the IIS document root is `C:\Inetpub` by default? Eight-dot-three filenames are enabled by default on the C drive but disabled by default on all other drives on Windows 10/11:<pre><code> PS> (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').DisplayVersion 24H2 PS> fsutil 8dot3name query C: The volume state is: 0 (8dot3 name creation is ENABLED) The registry state is: 2 (Per volume setting - the default) Based on the above settings, 8dot3 name creation is ENABLED on "C:" PS> fsutil 8dot3name query U: The volume state is: 1 (8dot3 name creation is DISABLED) The registry state is: 2 (Per volume setting - the default) Based on the above settings, 8dot3 name creation is DISABLED on "U:"</code></pre>
- Terr_10 hours ago
 Tangentially, that reminds me of how a Windows update created c:\inetpub on everybody's non-server computers, to "increase protection" for unspecified reasons.<a href="https://www.pcworld.com/article/2684062/why-is-windows-11-latest-update-creating-a-mysterious-inetpub-folder.html" rel="nofollow">https://www.pcworld.com/article/2684062/why-is-windows-11-la...</a>
 - mook6 hours ago
 That page eventually leads to the CVE page: <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21204" rel="nofollow">https://msrc.microsoft.com/update-guide/vulnerability/CVE-20...</a>While that's still pretty vague, it sounds like the issue was that something running as SYSTEM (the page seems to indicate some part of Windows Update) was not correctly checking if inetpub was a symlink or something along those lines. It also links to a script to set ACLs on that directory; presumably that's not possible to do if the directory doesn't exist.It would probably be better to fix whatever component to not have the link traversal bug, but maybe there's some reason that makes the proper fix infeasible…
 - Lammy10 hours ago
 > to "increase protection" for unspecified reasonsEverything old is new again <a href="https://devblogs.microsoft.com/oldnewthing/20041116-00/?p=37303" rel="nofollow">https://devblogs.microsoft.com/oldnewthing/20041116-00/?p=37...</a> (2004)
- logifail1 hour ago
 > PS> (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\WindowsNT\CurrentVersion').DisplayVersion > 24H2I got no response to that command on my W10 box, turns out for older (eg LTSC) versions it appears to need:<pre><code> (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId 1809</code></pre>
- raesene97 hours ago
 The original research for this is at <a href="https://soroush.me/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf" rel="nofollow">https://soroush.me/downloadable/microsoft_iis_tilde_characte...</a>
xmcp1232 hours ago
Oh man this takes me back.Once upon a time, all server logs were basically unusable because of the amount of IIS scanners out there. There was a directory traversal that was literally just url encoding “../“ that absolutely lit the internet on fire for many months.
- 0x1d731 minutes ago
 Those traversal attempts are still very common, right next to the PHP/WordPress script kiddie attacks.
hstaab14 hours ago
The tone of this is something else
- andai12 hours ago
 Several times, I wondered if Claude wrote it.
 - Stitch422311 hours ago
 One confusing part is that the blue screen is not a reference to BSOD but to the IIS default page with the blue squares. That’s probably jargon.The article lists all the tricks I’ve collected over the years doing pentesting and then some, with great tool references. The signal to noise ratio is very high and there’s little “here’s why” filler which instead might just be someone’s way of storytelling. The article drones on, but with actual content as there is a lot to tell. It’s even light on features like trace.axd, but does mention them and their purposes.I found it an entertaining overview of taking apart unassuming IIS servers and the point of “Recon harder. ” is made very well :)Edit: s/boring/unassuming + added point was made very well
 - 0x1d731 minutes ago
 Yes, it's jargon. Blue screen is that default page. Yellow screen of death is another one, referring to when ASP.NET throws an exception and you have detailed exceptions turned on (which for public sites, you shouldn't).
 - merpkz8 hours ago
 "This is the brute-force fallback when the smart approaches fail, and honestly, it works more often than you’d expect."Found the LLM generated part.
 - suslik8 hours ago
 Honestly, given how much claude-based prose I was recently reading, I am worried I will soon begin to write in this style naturally.
 - xeyownt6 hours ago
 Found the LLM generated comment.... can we stop this stupid trend to flag everything as LLM generated?
 - Tiberium5 hours ago
 Why is it stupid to flag genuinely LLM-written content? It might've been thought out by a human, but the final version is clearly LLM-written or extremely heavily LLM-edited.
 0x1d719 minutes ago
 HN guidelines ask you to not do this.> Please don't complain about tangential annoyances—e.g. article or website formats, name collisions, or back-button breakage. They're too common to be interesting.While few read them, it might be helpful if @dang threw in the ", or LLM generated content".
 gpvos3 hours ago
 It's mostly boring. About 50% of comments of HN are about this at the moment, drowning out actual discussion.If someone writes an interesting article using LLM, I don't mind.
 - Kwpolska6 hours ago
 Can we stop this stupid trend to generate prose using LLMs?
 - shantnutiwari5 hours ago
 "... can we stop this stupid trend to flag everything as LLM generated?"I have trying to fight this war and lose-- this default lazy behaviour "I dont like this post so it must be llm" followed by some idiotic exampleIts become a fad here. Half the people dont read any post, just skim it and post "this is llm" and move on
 - helloplanets8 hours ago
 Would be a feat on its own to get Claude to write on a topic like this.
 - andai4 hours ago
 I do think there was a lot of human effort involved. The llm-isms (whether human or machine generated!) cheapen the whole thing, which is a shame.I rather read bad awkward human writing than LLM generated paragraph number 9 billion.
 - Tiberium9 hours ago
 It did, this article is clearly LLM-written/edited
 - kitd6 hours ago
 Get Claude to fix IIS, or is that not allowed any more?
- MagicMoonlight8 hours ago
 [dead]
t1234s12 hours ago
Does anyone use IIS anymore?
- samplatt10 hours ago
 Way, WAY too many corporate IT divisions.
- naturalmovement11 hours ago
 Some banks still use IIS.Every large company big enough to host an intranet is running IIS somewhere, possibly everywhere. It integrates well with AD so some really complex tasks become stupid simple.It's seeing less and less usage as the world moves to AWS which is equally stupid because you're tied to one vendor's proprietary products (Amazon) again. Except this time you don't own the hardware.Public sector IT loves IIS. Check your municipality's tax or property website it's probably got .aspx scripts out the ass.I've seen it hosting European web apps, public sector if I recall. Lots of bespoke .NET applications out there with SQL Server backends running entire local governments.Asian countries especially China and Taiwan love IIS and use it to host anything and everything. This is a personal observation.Sure the world has mostly moved on, but there's tons of legacy code out there that keeps cities and really important organizations humming that runs on IIS and it's never changing.You think that's bad, there's still places out there running AS/400 stuff on the web, Lotus Notes, and Novell Groupwise (gasp).
 - forkerenok8 hours ago
 Heyyy what's wrong with novel groupwise?
 - raesene97 hours ago
 Well its document management feature didn't used to have Anti-Virus support which caused me a load of problems back in the 90's when Word Macro viruses were common. :P
- qingcharles12 hours ago
 Yeah, I regularly speak to folks still running IIS on Windows Server. There are a lot of old apps out there, sadly. Some really, really important ones.
- y22442 hours ago
 Lots and lotsA lot of Microsoft devs know very little Linux historically as they used windows and are comfortable with itDecreasing due to cloud and Nodejs takeup
- dagaci3 hours ago
 IIS also sits at the back of a many "modern" cloud web type services.
- thedougd11 hours ago
 Amazingly some companies like Hyland still ship software that requires IIS. Bonus add are the pages and pages of setup instructions.
- AznHisoka10 hours ago
 A lot of big corps still use it.<a href="https://bloomberry.com/data/windows-server/" rel="nofollow">https://bloomberry.com/data/windows-server/</a>
- catmanjan1 hour ago
 SharePoint uses it extensively
- vlan012 hours ago
 The entire solarwinds platform(barf)
- swarnie8 hours ago
 I would say 75% of my webservers are IIS.Nothing internet facing mind.
 - forgetfreeman8 hours ago
 but...why?
 - swarnie8 hours ago
 Really simple.I read the prerequisites of whatever software im asked to install and do what it says.I'm not spending the next 3 years of my life trying to make some monitoring platform run on WebLogic i have other jobs to do in 4-8-12 hours.
 - jabroni_salad28 minutes ago
 this is one of the funniest recurring threads on HN. developers finding out what other developers are requiring from their customers. Bonus points for developers finding out that non-cloud solutions still dominate some industries.
- esikich10 hours ago
 Yes, but typically just internal corporate intraweb stuff from what I've seen.
- mpyne12 hours ago
 Tons of the Navy's public websites still run on it.
- formerly_proven4 hours ago
 The text uses target.com as a placeholder but they actually also have an IIS blue screen: <a href="https://knslsd.target.com/" rel="nofollow">https://knslsd.target.com/</a>
- jimt12348 hours ago
 Back in the early-2000s, I passed the Microsoft certification exam for IIS. I had never even heard of the product (I was told my company had some extra credits at the testing center, I was there taking another exam (Solaris 8 certification), so I figured why not?) I know, MCSE exams were notoriously simple back then, but good god - usually, for every question, 3 of the 4 possible answers didn't even make sense. Anyway, I figured there was no way IIS would last if any dipshit could become "certified" in the product.
 - bitwize8 hours ago
 That's the value add. Any dipshit can be trained in the Windows server stack, so you can staff your back office with dipshits. For a while in the early 2000s—before the cloud era—Windows was routinely found to have a lower TCO than Linux as a server OS for precisely this reason. More actual deployments too, especially in corporate intranets.
AuthAuth13 hours ago
Ah webpage formatting cooked but otherwise a fun read
Group_B13 hours ago
Would love to see a write yo on nginx!
sytelus13 hours ago
This is extremely well done design (at least on full desktop browsers). Amazing content as well.
- aix19 hours ago
 > This is extremely well done design (at least on full desktop browsers).I can't tell if you're being sarcastic, but on my full desktop browser the side bar overlaps the main panel, putting text on top of other text.P.S. Other than this, I do like the presentation.
 - Shellban9 hours ago
 It looks decent on my 1920x1080p window running on a 4K monitor, but I have overlapping problems on my M1 Macbook.
- mopsi13 hours ago
 "Amazing" is a little generous for script kiddie stuff from the early 2000s.The author has yet to learn the extent to which civilization depends on people not being cunts to one another for no good reason.
 - BalinKing12 hours ago
 The lead says "how I approach IIS targets during bug bounty" (emphasis mine), so (assuming the author is being truthful) I'm guessing the tone of the title is just for fun.
 - caspper6913 hours ago
 Ah yes, the lulz, the great American pastime.
 - deadbabe13 hours ago
 Civilization has a way of dealing with these individuals: prison.
 - dakolli10 hours ago
 There's like 90,000 computer fraud reports sent to the federal government every year and about 400 prosecutions total. Most of those are concentrated in whatever niche abuse category the government is focused on at the time (right now, crypto/phishing/ransomware).note: Don't take this as your cue to start messing around with black hat. Don't become the guy trying to explain to your cell mate who's doing 50 years for a violent crimes what a unauthenticated supabase table is and why you deleted it.
 - cindyllm13 hours ago
 [dead]
NooneAtAll39 hours ago
what's the deal with left sidebar overlapping the main text?
kahf569 hours ago
good entertainment