Search | Research | Contact Us Tuesday October 10, 2021
Languages
Most Viewed Items
  1 PHPXMLRPC Library Remote Code Execution
  2 XOOPS 2.0.11 && Earlier Multiple Vulnerabilities
  3 Multiple Invision Power Board Vulnerabilities
  4 Mambo Multiple Vulnerabilities
  5 eBay And Amazon Still Vulnerable
  6 PEAR XML_RPC Library Remote Code Execution
  7 When Small Mistakes Can Cause Big Problems
  8 Woltlab Burning Board SQL Injection Vulnerability
  9 WordPress 1.5.1.2 And Earlier Multiple Vulnerabilities
10 MySQL Eventum Multiple Vulnerabilities
Need Secure Code?
Quick Search
You can use the form below to search our site. Just enter the keywords to search.
Home Services Archives Research Downloads Contact
IISamDiscover And IISamCrack Now Available
May 02, 2022


Recently I noticed that the Microsoft IIS Accounts Manager could be used to verify accounts much like the VRFY and EXPN commands with sendmail. Turns out that David Lichtfield discovered this vuln years earlier, but I don't think it was ever an official BID until I posted the issue to BugTraq. Anyway, below is a link to the example code that I wrote. The versions posted at BugTraq are the same, but the formatting got completely trashed. IISamCrack attempts to enumerate weak passwords using a dictionary style attck on the Microsoft IIS Accounts Manager. IISamDiscover uses the Accounts Manager User Existence Disclosure Vulnerability to confirm or deny the exsistance of a user on the machine using a list of probable usernames.

Downloads:
IIS Accounts Manager Auth Enumeration utility
IIS Accounts Manager User Enumeration Utility