I got dinged on an external penetration test against one of my web servers last week. It was deemed a low priority, but it needed to be fixed. It seems that it was rather easy to get the internal IP address of the server:
Well oops! (nc = netcat in the illustration above)
It’s actually an easy fix. The appropriate Knowledge Base article is “FIX: IP address is revealed in the content-location field in the TCP header in IIS 6.0” (despite the title, Content-Location is an HTTP response header, not part of TCP). I didn’t need to mess with service packs or hotfixes as I was already current; I just needed to jump to the bottom of that page to the “More Information” section.
First, I turned on the UseHostName property via the example from the KB article. However, the host name isn’t the same as the web server DNS name and, frankly, that gave me an even worse security issue (the host name has an internal domain name appended!).
Fortunately, the very next option on the page details how to set the SetHostName property.
To set the SetHostName property, follow these steps:
- Click Start, click Run, type cmd, and then click OK to open a command prompt.
- Change to the folder where the Adsutil.vbs tool is located. By default, this folder is the following:
- Type the following command, where x is your site identifier and hostname is the alternate host name that you want to use:
cscript adsutil.vbs set w3svc/x/SetHostName hostname
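The check I would keep next to this fix, as an added example that is not part of the original post: a small POSIX shell script that reproduces the tester’s netcat probe (a bare HTTP/1.0 request with no Host header, which is what makes IIS fall back to its own address when it builds an absolute URL) and flags any Location or Content-Location header pointing at an RFC 1918 address. The same pipeline run after `SetHostName` confirms the fix. The host names, addresses and sample responses below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the pentest finding
# with netcat and check response headers for a leaked private address.
# All host names, addresses and sample responses here are constructed.

# Send a bare HTTP/1.0 request with no Host header and print only the
# response headers. With no Host header an unfixed IIS server has nothing
# else to put in the host part of an absolute URL, so it uses its own IP.
#   $1 = target host, $2 = port (default 80), $3 = path (default /)
# Requesting a directory without a trailing slash (e.g. "images") is the
# other classic trigger: the 302 redirect carries an absolute Location URL.
probe_no_host_header() {
    printf 'GET /%s HTTP/1.0\r\n\r\n' "${3:-}" |
        nc -w 5 "$1" "${2:-80}" |
        sed '/^[[:space:]]*$/q'
}

# Read response headers on stdin. Print any Location / Content-Location
# header whose host part is an RFC 1918 address and exit 0 (leak found);
# exit 1 when no such header is present.
leaks_private_ip() {
    grep -iE '^(Content-)?Location:[[:space:]]*https?://(10\.[0-9]+\.[0-9]+\.[0-9]+|172\.(1[6-9]|2[0-9]|3[01])\.[0-9]+\.[0-9]+|192\.168\.[0-9]+\.[0-9]+)([:/]|[[:space:]]|$)'
}

# Constructed response from an unfixed IIS 6 server: the default document
# is returned with a Content-Location built from the server's own address.
LEAKY_RESPONSE='HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Content-Location: http://10.20.30.40/Default.htm
Content-Type: text/html
Content-Length: 1433
'

# Constructed 302 from the same server for GET /images (no trailing slash).
LEAKY_REDIRECT='HTTP/1.1 302 Object Moved
Server: Microsoft-IIS/6.0
Location: http://10.20.30.40/images/
Content-Type: text/html
Content-Length: 0
'

# Constructed response after SetHostName www.example.com has been applied.
FIXED_RESPONSE='HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Content-Location: http://www.example.com/Default.htm
Content-Type: text/html
Content-Length: 1433
'

# Live usage against a real target (hypothetical address):
#   probe_no_host_header 203.0.113.10 80 | leaks_private_ip && echo LEAK
#   probe_no_host_header 203.0.113.10 80 images | leaks_private_ip && echo LEAK
```

Run it once before the adsutil change and once after; the second run should print nothing and return 1. Note that a browser will never show you this leak, because every browser sends a Host header, which is why the tester used netcat and why this kind of finding is easy to miss in routine checks.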
Worked great and problem solved. I reckon I should add this to my build documentation to ensure I remember to do it for future servers.
So, suppose you’re doing a penetration test and you had the internal IP of a publicly exposed web server. What would you do next?