Search Explore
  • naturalmovement · 22 days ago

    I front all my honeypots with the IIS landing page precisely because it attracts black hat jagoffs.

    Nothing makes me happier than knowing I've wasted hours of their time chasing their own tails.

    • themafia · 22 days ago

      Noise is a really underrated security layer.

      • YeahThisIsMe · 22 days ago

        That's just security by obscurity, which is rated pretty appropriately.

        • close04 · 22 days ago

          Obscurity is a perfectly adequate layer of security. It shouldn't be the only layer but those who argue against adding it heard at some point "security through obscurity is not security" and never dug deeper.

          • seethishat · 21 days ago

            I agree. Hiding from a grizzly bear is a good strategy. But if that fails, you will need pepper spray and maybe a shotgun.

            Bear Defense Plan: Hide, Non-lethal, Lethal.

            • Alphanymous · 21 days ago

              You've said it just like it is, prevention + preparation.

            • loneboat · 21 days ago

              ... those who argue against adding it heard at some point "security through obscurity is not security" and never dug deeper.

              Ironically, that makes them the exact type of person who would be successfully deterred by a layer of obscurity.

        • p1necone · 22 days ago

          Why stop there? Front the honeypot with a real IIS server, build a matryoshka doll of honeypots and see how far people get.

          • wil421 · 22 days ago

            Tell me more…I opened a plex and Nintendo switch port, the scans were out of control. I’d love to screw over port scanner over.

            • fragmede · 22 days ago

              What does shodan.io run?

              • wil421 · 21 days ago

                Not sure but the IPs don’t come back as Chinese and the dns registries, domains, and other data I could find was generated using US address data. Lots of stuff like 123 stree, where half the address was truncated.

            • DaSHacka · 22 days ago

              Unless you're honeypotting in the IP range of an established organization, all you're doing is getting bot traffic.

              High-tier blackhats focus on big targets, and low-tier ones focus on low-hanging fruits they find off shodan or application 0days they've found.

              • bitwize · 22 days ago

                "Guys, guys, guys, listen, listen, listen. So I'm in this computer, right? So I'm lookin' around, lookin' around, throwing commands at it, I don't know where it is or what it does or anything..."

                • forgetfreeman · 22 days ago

                  Some ATM in bumsville Idaho spit $700 into the middle of the street.

                  • wildlogic · 22 days ago

                    joey, is that you!?

                    • stavros · 22 days ago

                      Where's that from?

                      • bryanrasmussen · 22 days ago

                        I think it's from hackers, Joey the youngest hacker found the bad guys computers, not sure if it's an accurate quote since it's been years since I saw it.

                        • egil · 22 days ago

                          "They're trashing! They're trashing our rights!"

                          • giancarlostoro · 21 days ago

                            "HACK THE PLANET!"

                  • raverbashing · 21 days ago

                    Sounds like creating an url like aspnet_client/admin.php returning a WebObjects header might be a good hobby

                    • kreyenborgi · 21 days ago

                      Add in a zip bomb or two?

                      • MrDrMcCoy · 21 days ago

                        Now you have me wondering how badly http gzip content compression can be abused along those lines.

                  • hstaab · 22 days ago

                    The tone of this is something else

                    • andai · 22 days ago

                      Several times, I wondered if Claude wrote it.

                      • Stitch4223 · 22 days ago

                        One confusing part is that the blue screen is not a reference to BSOD but to the IIS default page with the blue squares. That’s probably jargon.

                        The article lists all the tricks I’ve collected over the years doing pentesting and then some, with great tool references. The signal to noise ratio is very high and there’s little “here’s why” filler which instead might just be someone’s way of storytelling. The article drones on, but with actual content as there is a lot to tell. It’s even light on features like trace.axd, but does mention them and their purposes.

                        I found it an entertaining overview of taking apart unassuming IIS servers and the point of “Recon harder. ” is made very well :)

                        Edit: s/boring/unassuming + added point was made very well

                        • 0x1d7 · 21 days ago

                          Yes, it's jargon. Blue screen is that default page. Yellow screen of death is another one, referring to when ASP.NET throws an exception and you have detailed exceptions turned on (which for public sites, you shouldn't).

                        • Tiberium · 22 days ago

                          It did, this article is clearly LLM-written/edited

                          • merpkz · 22 days ago

                            "This is the brute-force fallback when the smart approaches fail, and honestly, it works more often than you’d expect."

                            Found the LLM generated part.

                            • suslik · 22 days ago

                              Honestly, given how much claude-based prose I was recently reading, I am worried I will soon begin to write in this style naturally.

                                • bstsb · 21 days ago

                                  ironically that guide is AI-generated

                              • helloplanets · 22 days ago

                                Would be a feat on its own to get Claude to write on a topic like this.

                                • andai · 22 days ago

                                  I do think there was a lot of human effort involved. The llm-isms (whether human or machine generated!) cheapen the whole thing, which is a shame.

                                  I rather read bad awkward human writing than LLM generated paragraph number 9 billion.

                                • kitd · 22 days ago

                                  Get Claude to fix IIS, or is that not allowed any more?

                              • AuthAuth · 22 days ago

                                Ah webpage formatting cooked but otherwise a fun read

                                • sytelus · 22 days ago

                                  This is extremely well done design (at least on full desktop browsers). Amazing content as well.

                                  • mopsi · 22 days ago

                                    "Amazing" is a little generous for script kiddie stuff from the early 2000s.

                                    The author has yet to learn the extent to which civilization depends on people not being cunts to one another for no good reason.

                                    • caspper69 · 22 days ago

                                      Ah yes, the lulz, the great American pastime.

                                      • BalinKing · 22 days ago

                                        The lead says "how I approach IIS targets during bug bounty" (emphasis mine), so (assuming the author is being truthful) I'm guessing the tone of the title is just for fun.

                                      • aix1 · 22 days ago

                                        > This is extremely well done design (at least on full desktop browsers).

                                        I can't tell if you're being sarcastic, but on my full desktop browser the side bar overlaps the main panel, putting text on top of other text.

                                        P.S. Other than this, I do like the presentation.

                                        • Shellban · 22 days ago

                                          It looks decent on my 1920x1080p window running on a 4K monitor, but I have overlapping problems on my M1 Macbook.

                                      • Group_B · 22 days ago

                                        Would love to see a write yo on nginx!

                                        • Lammy · 22 days ago

                                          > IIS has a legacy behavior inherited from the old DOS 8.3 filename convention.

                                          Is this exposing the underlying OS's behavior coupled with the fact that the IIS document root is `C:\Inetpub` by default? Eight-dot-three filenames are enabled by default on the C drive but disabled by default on all other drives on Windows 10/11:

                                            PS> (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').DisplayVersion
                                            24H2
                                          
                                            PS> fsutil 8dot3name query C:
                                            The volume state is: 0 (8dot3 name creation is ENABLED)
                                            The registry state is: 2 (Per volume setting - the default)
                                            Based on the above settings, 8dot3 name creation is ENABLED on "C:"
                                          
                                            PS> fsutil 8dot3name query U:
                                            The volume state is: 1 (8dot3 name creation is DISABLED)
                                            The registry state is: 2 (Per volume setting - the default)
                                            Based on the above settings, 8dot3 name creation is DISABLED on "U:"
                                              • mook · 22 days ago

                                                That page eventually leads to the CVE page: https://msrc.microsoft.com/update-guide/vulnerability/CVE-20...

                                                While that's still pretty vague, it sounds like the issue was that something running as SYSTEM (the page seems to indicate some part of Windows Update) was not correctly checking if inetpub was a symlink or something along those lines. It also links to a script to set ACLs on that directory; presumably that's not possible to do if the directory doesn't exist.

                                                It would probably be better to fix whatever component to not have the link traversal bug, but maybe there's some reason that makes the proper fix infeasible…

                                                • logifail · 21 days ago

                                                  > PS> (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\WindowsNT\CurrentVersion').DisplayVersion > 24H2

                                                  I got no response to that command on my W10 box, turns out for older (eg LTSC) versions it appears to need:

                                                    (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId
                                                    1809
                                                • t1234s · 22 days ago

                                                  Does anyone use IIS anymore?

                                                  • vlan0 · 22 days ago

                                                    The entire solarwinds platform(barf)

                                                    • qingcharles · 22 days ago

                                                      Yeah, I regularly speak to folks still running IIS on Windows Server. There are a lot of old apps out there, sadly. Some really, really important ones.

                                                      • mpyne · 22 days ago

                                                        Tons of the Navy's public websites still run on it.

                                                        • thedougd · 22 days ago

                                                          Amazingly some companies like Hyland still ship software that requires IIS. Bonus add are the pages and pages of setup instructions.

                                                          • robotnikman · 21 days ago

                                                            And NCR from my experience.

                                                            • pjmlp · 21 days ago

                                                              Sitecore, Microsoft as two other examples.

                                                              Sitecore on the classical XP/XM stack, they don't seem to be bothered to update it to modern .NET, as the new products moved away from .NET (XM Cloud and co).

                                                              Microsoft still has stuff like Dynamics 365, running .NET Framework.

                                                            • naturalmovement · 22 days ago

                                                              Some banks still use IIS.

                                                              Every large company big enough to host an intranet is running IIS somewhere, possibly everywhere. It integrates well with AD so some really complex tasks become stupid simple.

                                                              It's seeing less and less usage as the world moves to AWS which is equally stupid because you're tied to one vendor's proprietary products (Amazon) again. Except this time you don't own the hardware.

                                                              Public sector IT loves IIS. Check your municipality's tax or property website it's probably got .aspx scripts out the ass.

                                                              I've seen it hosting European web apps, public sector if I recall. Lots of bespoke .NET applications out there with SQL Server backends running entire local governments.

                                                              Asian countries especially China and Taiwan love IIS and use it to host anything and everything. This is a personal observation.

                                                              Sure the world has mostly moved on, but there's tons of legacy code out there that keeps cities and really important organizations humming that runs on IIS and it's never changing.

                                                              You think that's bad, there's still places out there running AS/400 stuff on the web, Lotus Notes, and Novell Groupwise (gasp).

                                                              • forkerenok · 22 days ago

                                                                Heyyy what's wrong with novel groupwise?

                                                                • raesene9 · 22 days ago

                                                                  Well its document management feature didn't used to have Anti-Virus support which caused me a load of problems back in the 90's when Word Macro viruses were common. :P

                                                              • samplatt · 22 days ago

                                                                Way, WAY too many corporate IT divisions.

                                                                • esikich · 22 days ago

                                                                  Yes, but typically just internal corporate intraweb stuff from what I've seen.

                                                                    • jimt1234 · 22 days ago

                                                                      Back in the early-2000s, I passed the Microsoft certification exam for IIS. I had never even heard of the product (I was told my company had some extra credits at the testing center, I was there taking another exam (Solaris 8 certification), so I figured why not?) I know, MCSE exams were notoriously simple back then, but good god - usually, for every question, 3 of the 4 possible answers didn't even make sense. Anyway, I figured there was no way IIS would last if any dipshit could become "certified" in the product.

                                                                      • bitwize · 22 days ago

                                                                        That's the value add. Any dipshit can be trained in the Windows server stack, so you can staff your back office with dipshits. For a while in the early 2000s—before the cloud era—Windows was routinely found to have a lower TCO than Linux as a server OS for precisely this reason. More actual deployments too, especially in corporate intranets.

                                                                      • swarnie · 22 days ago

                                                                        I would say 75% of my webservers are IIS.

                                                                        Nothing internet facing mind.

                                                                        • forgetfreeman · 22 days ago

                                                                          but...why?

                                                                          • swarnie · 22 days ago

                                                                            Really simple.

                                                                            I read the prerequisites of whatever software im asked to install and do what it says.

                                                                            I'm not spending the next 3 years of my life trying to make some monitoring platform run on WebLogic i have other jobs to do in 4-8-12 hours.

                                                                            • jabroni_salad · 21 days ago

                                                                              this is one of the funniest recurring threads on HN. developers finding out what other developers are requiring from their customers. Bonus points for developers finding out that non-cloud solutions still dominate some industries.

                                                                              • forgetfreeman · 21 days ago

                                                                                Cloud's got nothing to do with it. The thought of standing up a windows box to serve anything other than profiles and user surveillance is simply foreign. Budget webhosting has been a thing for a long time and standing up a *nix VM is also no big deal. In 25 years in industry I never once saw an IIS server used in the wild. shrug

                                                                                • swarnie · 21 days ago

                                                                                  I'm surprised by this, maybe its industry specific.

                                                                                  An 80:20 split of windows server to everything else has been pretty common in the areas I've worked both as a <10 day contactor and as a FTE.

                                                                                  • forgetfreeman · 20 days ago

                                                                                    Era may also be a major factor. When I was coming up through the ranks it was common wisdom, even in corporate windows-centric shops, that IIS was a vulnerability factory on par with sendmail.

                                                                        • formerly_proven · 22 days ago

                                                                          The text uses target.com as a placeholder but they actually also have an IIS blue screen: https://knslsd.target.com/

                                                                          • dagaci · 21 days ago

                                                                            IIS also sits at the back of a many "modern" cloud web type services.

                                                                            • sebazzz · 19 days ago

                                                                              Yup, Windows Azure App Service is just IIS.

                                                                            • y2244 · 21 days ago

                                                                              Lots and lots

                                                                              A lot of Microsoft devs know very little Linux historically as they used windows and are comfortable with it

                                                                              Decreasing due to cloud and Nodejs takeup

                                                                              • catmanjan · 21 days ago

                                                                                SharePoint uses it extensively

                                                                                • prussian · 21 days ago

                                                                                  I do. As others have replied, Windows Server--including IIS, means you have a domain joined machine, likely with an SPN of HOST/MACHINE.DOMAIN. Windows services and IIS App Pool Identities log in with an (g)MSA or virtual accounts (NT Service*) and you get a fully working and managed Kerberos experience without having to deal with 30, 60, 90 day password rotations. Log into your MS SQL Server with Kerberos, log into some other webapp's oauth2 flow with Kerberos, etc, it all just works. You can use WinRM with your native Windows shell without having to do anything special, and even technically bypass 2FA since that's just how it really works.

                                                                                  Can you do all this on Linux? Yes. Will it ever be set up correctly? Depends where you work, but based on my experience so far, not likely.

                                                                                  • zamalek · 21 days ago

                                                                                    > with Kerberos, etc, it all just works

                                                                                    I worked with customer's AD environments in the 2010's and I remember whiteboards of figuring out customer Kerberos config. "it all just works" is not my recollection of that 3-headed beast lmao.

                                                                                  • bartnp · 21 days ago

                                                                                    Yep.

                                                                                    And as an ignoramus: what it is that you are supposed to be using nowadays?

                                                                                    Think in the context of a small company making enterprise .NET (framework) code where Windows is the world, cloud wouldn't fly with the customers, SOAP is still king and your one IT guy is too busy to notice anything happened after 2010. Suppose also that entire software rewrites are impossibly impractical, and that while you'd love to take some security gains, you just don't have the capacity to do configuration deep dives let alone to gamble on something complex like Kubernetes.

                                                                                    • chainingsolid · 21 days ago

                                                                                      I've seen it used to deliver 'apps' that 90% of a business's employees use. (EX: Met/Team) in the Metrology (calibration) space.

                                                                                      • pjmlp · 21 days ago

                                                                                        Yes, plenty of Microsoft shops still depend on .NET Framework based applications, or even classical ASP.

                                                                                        For modern .NET no one is really using IIS any longer.

                                                                                      • NooneAtAll3 · 22 days ago

                                                                                        what's the deal with left sidebar overlapping the main text?

                                                                                        • kahf56 · 22 days ago

                                                                                          good entertainment

                                                                                          • xmcp123 · 21 days ago

                                                                                            Oh man this takes me back.

                                                                                            Once upon a time, all server logs were basically unusable because of the amount of IIS scanners out there. There was a directory traversal that was literally just url encoding “../“ that absolutely lit the internet on fire for many months.

                                                                                            • 0x1d7 · 21 days ago

                                                                                              Those traversal attempts are still very common, right next to the PHP/WordPress script kiddie attacks.

                                                                                              • dpoloncsak · 21 days ago

                                                                                                "The White Noise of the Internet" as they call it

                                                                                                • RetroTechie · 19 days ago

                                                                                                  Wondering how far back that goes.. Win95 still vulnerable?

                                                                                                  (Edit: I mean active attempts to exploit in the wild)