Microsoft IIS Hacking Guide

Comprehensive commands and techniques for IIS server penetration testing

Phase 1

Reconnaissance & Discovery

Google Dorks

1. Search by page title
intitle:"IIS Windows Server" site:*.target.com
2. Search in page content
intext:"IIS Windows Server" site:*.target.com
3. Search in URL
inurl:"IIS Windows Server" site:*.target.com

Shodan Dorks

1. Search for IIS servers
http.title:"IIS"
2. Search by organization
org:"target" http.title:"IIS Windows Server"
3. Search via SSL certificate
ssl:"Company Inc." http.title:"IIS Windows Server"
4. Search for specific version
hostname:".target.com" "Microsoft-IIS/6.0"
5. Search by product and version
product:"Microsoft IIS httpd" version:"7.5"
6. Search via certificate CN
ssl.cert.subject.cn:"target.com" http.title:"IIS Windows Server"

FOFA Dorks

1. Search in page body
body="iis-8.5"
2. Search for IIS servers
server="Microsoft-IIS"
3. Search for specific version
server="Microsoft-IIS/8.5"
4. Search with host filter
server="Microsoft-IIS" && host=".example.com"
5. Search with domain filter
server="Microsoft-IIS" && domain="example.com"

Hunter.how Dorks

1. Search by title and domain
web.title="IIS Windows Server" and domain="target.com"
2. Search in headers
header.server=="Microsoft-IIS/10" and domain="target.com"

Header Verification

1. Check response headers
curl -I https://target.com
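The `curl -I` output above has to be read by hand. The following Python script is an added example (not part of the original guide) that does the reading: it parses a raw HEAD response, pulls the IIS version out of the Server header, maps it to the Windows Server release the version table later in this guide uses, and lists the headers that disclose the platform and that a hardened host would remove. The sample response is constructed for the example; the header names are the real ones IIS and ASP.NET emit.

```python
import re

# Constructed sample, shaped like what `curl -I` prints for an IIS host.
# Made-up data, not output captured from any real server.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Date: Mon, 01 Jan 2024 00:00:00 GMT

"""

# Headers that disclose the platform; a hardened host removes or blanks them.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

# IIS version to the Windows Server release that ships it
# (the same mapping the version table in Phase 6 uses).
OS_BY_VERSION = {
    "6.0": "Windows Server 2003",
    "7.0": "Windows Server 2008",
    "7.5": "Windows Server 2008 R2",
    "8.0": "Windows Server 2012",
    "8.5": "Windows Server 2012 R2",
    "10.0": "Windows Server 2016 or later",
}

def parse_headers(raw):
    """Map lower-cased header names to values from a raw response
    (status line, headers, blank line). The first value of a repeated
    header wins, which is enough for fingerprinting."""
    headers = {}
    for line in raw.splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                       # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() not in headers:
            headers[name.strip().lower()] = value.strip()
    return headers

def iis_version(headers):
    """Version string from 'Server: Microsoft-IIS/x.y', or None when the
    host does not announce IIS. A blanked Server header also yields None,
    so treat None as 'unknown', not as 'not IIS'."""
    m = re.search(r"Microsoft-IIS/(\d+(?:\.\d+)?)", headers.get("server", ""))
    return m.group(1) if m else None

def fingerprint(raw):
    """Summarise what one HEAD response reveals about the platform."""
    headers = parse_headers(raw)
    version = iis_version(headers)
    if version is not None and "." not in version:
        version += ".0"                 # 'Microsoft-IIS/10' -> '10.0'
    return {
        "iis_version": version,
        "os_hint": OS_BY_VERSION.get(version),
        "aspnet_version": headers.get("x-aspnet-version"),
        "disclosure_headers": [h for h in DISCLOSURE_HEADERS if h in headers],
    }

if __name__ == "__main__":
    for key, value in fingerprint(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

Feed it the saved output of `curl -I` (or `curl -sI https://target.com | python3 fingerprint.py` with a small `sys.stdin.read()` wrapper). Note that the Server header is the only field the version mapping relies on, so a host that has removed it shows up as unknown rather than as non-IIS; the `X-Powered-By` and `X-AspNet-Version` headers then remain the only hints.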

Nmap Scanning

1. Version and script scan
nmap -p 80,443 -sV -sC target.com
2. Shortname brute scan
nmap -p 80,443 --script http-iis-short-name-brute target.com

Phase 2

Subdomain Enumeration

Passive Enumeration

1. Subfinder
subfinder -d example.com -all -silent -o subfinder.txt
2. Assetfinder
assetfinder --subs-only example.com > assetfinder.txt
3. Amass Passive
amass enum -passive -d example.com -o amass_passive.txt
4. Findomain
findomain -t example.com -u findomain.txt
5. Chaos
chaos -d example.com > chaos.txt
6. Wayback URLs
waybackurls example.com | unfurl -u domains > wayback.txt

Active Enumeration

1. Amass Active
amass enum -active -d example.com -o amass_active.txt
2. DNSX
dnsx -d example.com -resp -o dnsx.txt
3. PureDNS Bruteforce
puredns bruteforce wordlist.txt example.com -w puredns.txt

Merge Results

1. Merge and deduplicate
cat *.txt | sort -u > all_subdomains.txt

Live Host Filtering

1. Filter IIS servers
cat all_subdomains.txt | httpx-toolkit -mc 200 -sc -td -title -server | grep IIS
2. Filter IIS 7.5
cat all_subdomains.txt | httpx-toolkit -mc 200 -sc -td -title -server | grep -i "IIS/7.5"
3. Filter IIS 8.5
cat all_subdomains.txt | httpx-toolkit -mc 200 -sc -td -title -server | grep -i "IIS/8.5"
4. Filter IIS 10.0
cat all_subdomains.txt | httpx-toolkit -mc 200 -sc -td -title -server | grep -i "IIS/10.0"

Phase 3

Targeted Scanning

Nuclei Templates

1. Shortname detection
cat all_subdomains.txt | nuclei -t /nuclei-templates/http/misconfiguration/iis-shortname-detect.yaml
2. All IIS templates
cat all_subdomains.txt | nuclei -tags iis
3. CVE vulnerability scan
cat all_subdomains.txt | nuclei -tags cve

Shortscan Tool

1. Basic scan
shortscan http://target.com/
2. Scan with expansion
shortscan http://target.com/ -F
3. Scan target list
shortscan @targets.txt -F
4. Scan specific folder
shortscan http://target.com/admin
5. Scan folder with trailing /
shortscan http://target.com/admin/

Phase 4

Advanced Fuzzing

Basic Fuzzing

1. Basic scan
ffuf -u "https://target.com/FUZZ" -c -ac -fs 0 -w iis.txt
2. Scan with extensions
ffuf -u "https://target.com/FUZZ" -c -ac -fs 0 -w iis.txt -e .json,.js,.svc,.html,.htm,.txt,.zip,.asmx,.aspx,.7z,.ashx,.asp,.xml,.exe,.dll,.gz,.xsl,.bak,.old,.rar

Wordlists

1. Dirbuster Medium
ffuf -u "https://target.com/FUZZ" -c -ac -fs 0 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -e .json,.js,.svc,.html,.htm,.txt,.zip,.asmx,.aspx,.7z,.ashx,.asp,.xml,.exe,.dll,.gz,.xsl,.bak,.old,.rar
2. Seclists Big
ffuf -u "https://target.com/FUZZ" -c -ac -fs 0 -w /usr/share/seclists/Discovery/Web-Content/big.txt -e .json,.js,.svc,.html,.htm,.txt,.zip,.asmx,.aspx,.7z,.ashx,.asp,.xml,.exe,.dll,.gz,.xsl,.bak,.old,.rar

Prefix Variations

1. prefix: domain
ffuf -w iis.txt -u https://example.com/domainFUZZ -e .json,.js,.svc,.html,.htm,.txt,.zip,.asmx,.aspx,.7z,.ashx,.asp,.xml,.exe,.dll,.gz,.xsl,.bak,.old,.rar
2. prefix: prod
ffuf -w iis.txt -u https://example.com/prodFUZZ -e .json,.js,.svc,.html,.htm,.txt,.zip,.asmx,.aspx,.7z,.ashx,.asp,.xml,.exe,.dll,.gz,.xsl,.bak,.old,.rar
3. prefix: dev
ffuf -w iis.txt -u https://example.com/devFUZZ -e .json,.js,.svc,.html,.htm,.txt,.zip,.asmx,.aspx,.7z,.ashx,.asp,.xml,.exe,.dll,.gz,.xsl,.bak,.old,.rar
4. prefix: stage
ffuf -w iis.txt -u https://example.com/stageFUZZ -e .json,.js,.svc,.html,.htm,.txt,.zip,.asmx,.aspx,.7z,.ashx,.asp,.xml,.exe,.dll,.gz,.xsl,.bak,.old,.rar
5. prefix: api
ffuf -w iis.txt -u https://example.com/apiFUZZ -e .json,.js,.svc,.html,.htm,.txt,.zip,.asmx,.aspx,.7z,.ashx,.asp,.xml,.exe,.dll,.gz,.xsl,.bak,.old,.rar
6. prefix: admin
ffuf -w iis.txt -u https://example.com/adminFUZZ -e .json,.js,.svc,.html,.htm,.txt,.zip,.asmx,.aspx,.7z,.ashx,.asp,.xml,.exe,.dll,.gz,.xsl,.bak,.old,.rar

Suffix Variations

1. suffix: domain
ffuf -w iis.txt -u https://example.com/FUZZdomain -e .json,.js,.svc,.html,.htm,.txt,.zip,.asmx,.aspx,.7z,.ashx,.asp,.xml,.exe,.dll,.gz,.xsl,.bak,.old,.rar
2. suffix: prod
ffuf -w iis.txt -u https://example.com/FUZZprod -e .json,.js,.svc,.html,.htm,.txt,.zip,.asmx,.aspx,.7z,.ashx,.asp,.xml,.exe,.dll,.gz,.xsl,.bak,.old,.rar
3. suffix: dev
ffuf -w iis.txt -u https://example.com/FUZZdev -e .json,.js,.svc,.html,.htm,.txt,.zip,.asmx,.aspx,.7z,.ashx,.asp,.xml,.exe,.dll,.gz,.xsl,.bak,.old,.rar
4. suffix: api
ffuf -w iis.txt -u https://example.com/FUZZapi -e .json,.js,.svc,.html,.htm,.txt,.zip,.asmx,.aspx,.7z,.ashx,.asp,.xml,.exe,.dll,.gz,.xsl,.bak,.old,.rar

Hyphen & Underscore

1. hyphen: -domain
ffuf -w iis.txt -u https://example.com/FUZZ-domain -e .json,.js,.svc,.html,.htm,.txt,.zip,.asmx,.aspx,.7z,.ashx,.asp,.xml,.exe,.dll,.gz,.xsl,.bak,.old,.rar
2. hyphen: domain-
ffuf -w iis.txt -u https://example.com/domain-FUZZ -e .json,.js,.svc,.html,.htm,.txt,.zip,.asmx,.aspx,.7z,.ashx,.asp,.xml,.exe,.dll,.gz,.xsl,.bak,.old,.rar
3. underscore: _domain
ffuf -w iis.txt -u https://example.com/FUZZ_domain -e .json,.js,.svc,.html,.htm,.txt,.zip,.asmx,.aspx,.7z,.ashx,.asp,.xml,.exe,.dll,.gz,.xsl,.bak,.old,.rar
4. underscore: domain_
ffuf -w iis.txt -u https://example.com/domain_FUZZ -e .json,.js,.svc,.html,.htm,.txt,.zip,.asmx,.aspx,.7z,.ashx,.asp,.xml,.exe,.dll,.gz,.xsl,.bak,.old,.rar

Version Variations

1. suffix: v1
ffuf -w iis.txt -u https://example.com/FUZZv1 -e .json,.js,.svc,.html,.htm,.txt,.zip,.asmx,.aspx,.7z,.ashx,.asp,.xml,.exe,.dll,.gz,.xsl,.bak,.old,.rar
2. prefix: v1
ffuf -w iis.txt -u https://example.com/v1FUZZ -e .json,.js,.svc,.html,.htm,.txt,.zip,.asmx,.aspx,.7z,.ashx,.asp,.xml,.exe,.dll,.gz,.xsl,.bak,.old,.rar
3. suffix: -2024
ffuf -w iis.txt -u https://example.com/FUZZ-2024 -e .json,.js,.svc,.html,.htm,.txt,.zip,.asmx,.aspx,.7z,.ashx,.asp,.xml,.exe,.dll,.gz,.xsl,.bak,.old,.rar
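The prefix, suffix, hyphen/underscore and version runs above are all instances of one pattern: take every word in iis.txt and surround it with an environment or version tag, with or without a separator. The Python below is an added example, not part of the original guide or the ffuf project, that generates that whole candidate set once so a single ffuf run with `-w permuted.txt` covers what the separate commands do. The base words, affix lists and output file name are constructed for the example; swap in iis.txt and the tags that fit the engagement.

```python
# Constructed stand-in for iis.txt; replace with the real wordlist.
BASE_WORDS = ["backup", "upload", "config"]

# Environment tags and version tags used as prefixes and suffixes, matching
# the variations the ffuf commands above cycle through one at a time.
AFFIXES = ["domain", "prod", "dev", "stage", "api", "admin"]
VERSION_TAGS = ["v1", "v2", "2023", "2024"]
SEPARATORS = ["", "-", "_"]          # bare, hyphen, underscore

def permute(words, affixes=AFFIXES, version_tags=VERSION_TAGS, separators=SEPARATORS):
    """Return the base words plus every prefix/suffix combination with each
    separator, in a deterministic order and without duplicates."""
    seen = set()
    out = []

    def add(candidate):
        if candidate not in seen:
            seen.add(candidate)
            out.append(candidate)

    for word in words:
        add(word)                                  # the plain word itself
        for tag in affixes + version_tags:
            for sep in separators:
                add(f"{tag}{sep}{word}")           # prefix form: domainFUZZ, domain-FUZZ, domain_FUZZ
                add(f"{word}{sep}{tag}")           # suffix form: FUZZdomain, FUZZ-domain, FUZZ_domain
    return out

def load_words(path):
    """Read a wordlist, one entry per line, skipping blanks and comments."""
    with open(path, encoding="utf-8") as fh:
        return [ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")]

def write_wordlist(path, words):
    """Write one candidate per line and return how many were written."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(words) + "\n")
    return len(words)

if __name__ == "__main__":
    import sys
    words = load_words(sys.argv[1]) if len(sys.argv) > 1 else BASE_WORDS
    out_path = sys.argv[2] if len(sys.argv) > 2 else "permuted.txt"
    print(f"wrote {write_wordlist(out_path, permute(words))} candidates to {out_path}")
```

Each base word expands to 61 candidates (the word plus 10 tags x 3 separators x 2 positions), so a 10,000-line iis.txt becomes about 610,000 requests per extension; keep `-ac` on and trim the tag lists rather than the extension list if the run has to be shortened.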

Phase 5

Shortname Exploitation

Extension-Specific Search

1. Search for RAR files
ffuf -u "https://target.com/FUZZ.rar" -c -ac -fs 0 -w iis.txt
2. RAR with Seclists
ffuf -u "https://target.com/FUZZ.rar" -c -ac -fs 0 -w /usr/share/seclists/Discovery/Web-Content/big.txt

Multi-Extension Scan

1. Scan multiple extensions
ffuf -u "https://target.com/FUZZ" -c -ac -fs 0 -w iis.txt -e .exe,.dll,.rar,.zip,.7z,.bak,.svc,.aspx

Fullname Resolution

1. Expand MEDIVEST~1
ffuf -u "https://target.com/MEDIVESTFUZZ" -c -ac -fs 0 -w payloads/payloads/iis.txt -e .exe,.dll,.rar -fc 403
2. Scan specific folder
ffuf -u "https://target.com/FTP-Contacts/FUZZ" -c -ac -fs 0 -w payloads/payloads/iis.txt -e .json,.js,.svc,.html,.htm,.txt,.zip,.asmx,.aspx,.7z,.ashx,.asp,.xml,.exe,.dll,.gz,.xsl,.bak,.old,.rar -fc 403
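Fullname resolution only makes sense if you know what an 8.3 short name keeps: the first six sanitised characters of the long name, a `~N` counter, and the first three characters of the last extension, all upper-cased, with spaces and embedded dots dropped. The Python below is an added example, not part of the original guide, that models that generation so a defender can run it over a webroot listing and see exactly which names an 8.3 probe would reveal; the listing is constructed (only `FTP-Contacts` comes from the commands above), and the model is simplified where NTFS switches from `~1..~4` to a hash-derived stem.

```python
# Characters other than letters and digits that may appear in an 8.3 name.
ALLOWED_PUNCT = set("$%'-_@~`!(){}^#&")

def _sanitize(part):
    """Upper-case and drop characters an 8.3 name cannot hold: spaces,
    embedded dots, '+', ',', ';', '=', '[', ']' and so on."""
    return "".join(ch for ch in part.upper() if ch.isalnum() or ch in ALLOWED_PUNCT)

def short_name(long_name, taken):
    """8.3 name Windows would generate for long_name in a directory whose
    already-assigned short names are in `taken` (updated in place).
    Simplified model: the numeric ~N suffix keeps counting past ~4, where
    real NTFS switches to a hash-derived stem."""
    base, dot, ext = long_name.rpartition(".")
    if not dot:                          # no extension at all
        base, ext = long_name, ""
    if not base:                         # leading-dot name such as .htaccess
        base, ext = ext, ""
    base_s, ext_s = _sanitize(base), _sanitize(ext)[:3]
    candidate = base_s + (f".{ext_s}" if ext_s else "")
    # A name that already fits 8.3 unchanged is its own short name (no tilde).
    if candidate == long_name.upper() and 0 < len(base_s) <= 8:
        taken.add(candidate)
        return candidate
    n = 1
    while True:
        stem = base_s[:8 - 1 - len(str(n))]   # leave room for '~N' inside 8 chars
        cand = f"{stem}~{n}" + (f".{ext_s}" if ext_s else "")
        if cand not in taken:
            taken.add(cand)
            return cand
        n += 1

def exposure_map(listing):
    """Map each long file or folder name in one directory to the short name
    an 8.3 probe would reveal, honouring collision numbering."""
    taken = set()
    return {name: short_name(name, taken) for name in listing}

# Constructed webroot listing; "FTP-Contacts" is the folder name targeted
# above, the rest are made up for the example.
SAMPLE_LISTING = ["FTP-Contacts", "web.config.bak", "index.aspx", "logo.png",
                  "backup-2023.zip", "backup-2024.zip"]

if __name__ == "__main__":
    for long, short in exposure_map(SAMPLE_LISTING).items():
        print(f"{short:<14} <- {long}")
```

Two things the mapping makes visible: a name that already fits 8.3 (`logo.png`) has no tilde form and leaks nothing extra, and siblings sharing the first six characters (`backup-2023.zip`, `backup-2024.zip`) become `BACKUP~1.ZIP` and `BACKUP~2.ZIP`, so a probe reveals how many such files exist but not which is which. On the server side the exposure goes away when 8.3 name creation is disabled (`fsutil 8dot3name set 1`) and existing short names are removed (`fsutil 8dot3name strip`), or when IIS request filtering rejects the tilde with a `<denyUrlSequences>` entry for `~`.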

Phase 6

Version-Specific Vulnerabilities

IIS 6.0 (Windows Server 2003) - Risk: Critical

Weaknesses:
  • WebDAV enabled by default
  • PUT upload misconfiguration
  • Classic ASP applications
  • Weak request filtering
  • Shortname vulnerability (8.3)
  • Outdated SSL/TLS protocols
  • Exposed ISAPI Extensions
Test Focus: shortname, WebDAV, legacy ASP, weak TLS, ViewState

IIS 7.0 / 7.5 (Windows Server 2008 / 2008 R2) - Risk: High

Weaknesses:
  • Shortname vulnerability (8.3) common
  • Frequent WebDAV misconfigurations
  • Request filtering bypass
  • Invalid ViewState in legacy ASP.NET
  • TRACE may be enabled
  • Weak or predictable MachineKey
Test Focus: shortname, WebDAV, ViewState, weak TLS

IIS 8.0 / 8.5 (Windows Server 2012 / 2012 R2) - Risk: Medium

Weaknesses:
  • Shortname may still exist
  • Weak upload validation
  • WebDAV in migrated environments
  • Legacy ASP.NET components
  • TLS misconfiguration
  • Verbose error pages
Test Focus: handler misconfig, upload abuse, legacy configs

IIS 10.0 (Windows Server 2016+) - Risk: Low

Weaknesses:
  • Secure by default - issues mostly from misconfig
  • Exposed debug endpoints (trace.axd)
  • Insecure file upload logic
  • Weak path permissions
  • Azure App Service errors
  • Legacy .NET applications
Test Focus: application logic, access control, debug exposure, backup leaks
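Several of the weaknesses in the table above (WebDAV, verbose errors, trace.axd, TRACE, weak request filtering, a static MachineKey, version disclosure) are plain web.config settings, so they can be checked from the file as well as from the network. The Python below is an added example, not part of the original guide, that audits a web.config for those settings and shows a weak fragment beside the corrected one; both fragments are constructed for the example, but the element and attribute names are the real IIS and ASP.NET configuration schema.

```python
import xml.etree.ElementTree as ET

# Constructed web.config showing the weak settings side by side. Not taken
# from any real deployment; the key values are obvious placeholders.
WEAK_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="Off" />
    <trace enabled="true" localOnly="false" />
    <httpRuntime enableVersionHeader="true" />
    <machineKey validationKey="PLACEHOLDER-KEY" decryptionKey="PLACEHOLDER-KEY" validation="SHA1" />
  </system.web>
  <system.webServer>
    <directoryBrowse enabled="true" />
    <webdav><authoring enabled="true" /></webdav>
    <security>
      <requestFiltering allowDoubleEscaping="true">
        <verbs allowUnlisted="true">
          <add verb="TRACE" allowed="true" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""

# The same file with each setting corrected (constructed example).
HARDENED_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" />
    <trace enabled="false" />
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <directoryBrowse enabled="false" />
    <webdav><authoring enabled="false" /></webdav>
    <security>
      <requestFiltering allowDoubleEscaping="false">
        <verbs allowUnlisted="true">
          <add verb="TRACE" allowed="false" />
        </verbs>
      </requestFiltering>
    </security>
    <httpProtocol>
      <customHeaders><remove name="X-Powered-By" /></customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
"""

def _truthy(value):
    return (value or "").strip().lower() == "true"

def audit_web_config(xml_text):
    """Return (id, message) findings for the misconfigurations listed in the
    version table. A setting that is absent is judged by its ASP.NET/IIS
    default (localOnly and enableVersionHeader default to true)."""
    root = ET.fromstring(xml_text)
    findings = []
    ce = root.find("system.web/customErrors")
    if ce is not None and (ce.get("mode") or "").lower() == "off":
        findings.append(("verbose-errors", "customErrors mode=Off sends stack traces to remote clients"))
    tr = root.find("system.web/trace")
    if tr is not None and _truthy(tr.get("enabled")) and not _truthy(tr.get("localOnly", "true")):
        findings.append(("trace-axd", "ASP.NET tracing is enabled and reachable remotely via trace.axd"))
    hr = root.find("system.web/httpRuntime")
    if hr is None or _truthy(hr.get("enableVersionHeader", "true")):
        findings.append(("version-header", "X-AspNet-Version header is sent; set enableVersionHeader=false"))
    mk = root.find("system.web/machineKey")
    if mk is not None and mk.get("validationKey") not in (None, "AutoGenerate", "AutoGenerate,IsolateApps"):
        findings.append(("static-machinekey", "machineKey is hard-coded in web.config; keep it out of source control and rotate if leaked"))
    db = root.find("system.webServer/directoryBrowse")
    if db is not None and _truthy(db.get("enabled")):
        findings.append(("directory-browse", "directory browsing is enabled"))
    wd = root.find("system.webServer/webdav/authoring")
    if wd is not None and _truthy(wd.get("enabled")):
        findings.append(("webdav", "WebDAV authoring is enabled"))
    rf = root.find("system.webServer/security/requestFiltering")
    if rf is not None:
        if _truthy(rf.get("allowDoubleEscaping")):
            findings.append(("double-escaping", "requestFiltering accepts double-escaped URLs"))
        for verb in rf.findall("verbs/add"):
            if (verb.get("verb") or "").upper() == "TRACE" and _truthy(verb.get("allowed")):
                findings.append(("trace-verb", "TRACE verb is explicitly allowed"))
    return findings

def finding_ids(xml_text):
    return [fid for fid, _ in audit_web_config(xml_text)]

if __name__ == "__main__":
    for fid, msg in audit_web_config(WEAK_CONFIG):
        print(f"[{fid}] {msg}")
    print("hardened config findings:", finding_ids(HARDENED_CONFIG))
```

Run it against the site's web.config (`python3 audit.py < web.config` with a `sys.stdin.read()` wrapper). It reads one file only; settings inherited from applicationHost.config or a parent directory are not seen, so an empty result means "nothing weak set here", not "hardened".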

Reference

Important File Extensions

.json - Config files, API responses, stored data
.js - JavaScript files that may expose endpoints or keys
.svc - WCF service endpoints
.html - Static web pages
.htm - Legacy web page format
.txt - Notes, logs, or exposed data
.zip - Compressed backups or archived content
.asmx - XML web services
.aspx - ASP.NET pages
.7z - Archived or packed files
.ashx - HTTP handlers for APIs or file processing
.asp - Legacy Active Server Pages
.xml - Configs, data files, or service responses
.exe - Executables, installers, or internal tools
.dll - Application libraries that may be directly accessible
.gz - Compressed backup or log files
.xsl - Stylesheets used for XML transformation
.bak - Backup copies of important files
.old - Old versions of server files
.rar - Archives containing site data or backups