NOTE: Applies if Index Information Server is running under Internet Information Server.
service.pwd is our goal, although lots of servers are not password protected
and can be exploited easily. queryhit.htm, if found, can be used to get service.pwd.
search for
"#filename=*.pwd"
Systems by default will have the FTP service running.
C:\InetPub\ftproot is the default location for the FTP service, which
by default runs on the standard port 21.
Select the Allow Anonymous Connections check box to allow users using the username "anonymous" to log into your FTP server. Use the User Name and Password dialog boxes to establish the Windows NT user account to use for permissions for all anonymous connections. By default, Internet Information Server creates and uses the account IUSR_computername for all anonymous logons. Note that the password is used only within Windows NT; anonymous users do not log on using this user name and password.
Typically, anonymous FTP users will use "anonymous" as the user name and their e-mail address as the password. The FTP service then uses the IUSR_computername account as the logon account for permissions.
When you installed Internet Information Server, Setup created the account IUSR_computername in the Windows NT User Manager for Domains and in Internet Service Manager. This account was assigned a random password both in Internet Service Manager and in the Windows NT User Manager for Domains. If you change the password, you must change it in both places and make sure it matches.
FrontPage creates a directory _vti_pvt for the root web and for each FrontPage sub-web. For each FrontPage web with unique permissions, the _vti_pvt directory contains two files for the FrontPage web that the access file points to:
service.pwd contains the list of users and passwords for the FrontPage web.
service.grp contains the list of groups (one group for authors and one for administrators in FrontPage).
On Netscape servers, there are no service.grp files. The Netscape password files are:
administrators.pwd for administrators
authors.pwd for authors and administrators
users.pwd for users, authors, and administrators
NOTE: Name and password are case sensitive.
Scanning PORT 80 or 443 options:
GET /_vti_inf.html                 # Ensures that FrontPage Server Extensions are installed.
GET /_vti_pvt/service.pwd          # Contains the encrypted password files. Not used on IIS and WebSite servers.
GET /_vti_pvt/authors.pwd          # On Netscape servers only. Encrypted names and passwords of authors.
GET /_vti_pvt/administrators.pwd
GET /_vti_log/author.log           # If author.log is there it will need to be cleaned to cover your tracks.
GET /samples/search/queryhit.htm
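A defender-side counterpart to the request list above, added here as an example and not part of the original text: it reads IIS-style W3C extended log lines (the field order date, time, client IP, method, URI stem, status is an assumption), lowercases the path because IIS URL paths are not case sensitive, and reports every request for one of the FrontPage private files, marking a 200 response to a .pwd file as an actual exposure rather than a probe. The log lines are constructed.

```python
"""Flag requests for FrontPage private files in an IIS-style access log."""
from collections import Counter

# Paths taken from the scanning list above (users.pwd from the Netscape list).
SENSITIVE_PATHS = {
    "/_vti_inf.html",
    "/_vti_pvt/service.pwd",
    "/_vti_pvt/authors.pwd",
    "/_vti_pvt/administrators.pwd",
    "/_vti_pvt/users.pwd",
    "/_vti_log/author.log",
    "/samples/search/queryhit.htm",
}

# Constructed sample log; assumed field order:
# date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
1999-03-01 10:01:02 192.0.2.10 GET /index.html 200
1999-03-01 10:01:05 192.0.2.10 GET /_vti_inf.html 200
1999-03-01 10:01:06 192.0.2.10 GET /_vti_pvt/service.pwd 200
1999-03-01 10:01:07 192.0.2.10 GET /_vti_pvt/administrators.pwd 404
1999-03-01 10:02:30 198.51.100.7 GET /images/logo.gif 200
1999-03-01 10:02:31 198.51.100.7 GET /_VTI_PVT/SERVICE.PWD 403
"""


def parse_line(line):
    """Return (client, method, path, status) or None for directives/short lines."""
    if line.startswith("#") or not line.strip():
        return None
    fields = line.split()
    if len(fields) < 6:
        return None
    _date, _time, client, method, path, status = fields[:6]
    # IIS serves paths case-insensitively, so normalise before matching.
    return client, method, path.lower(), int(status)


def classify(path, status):
    """'exposed' when a password file was actually served, 'probe' otherwise."""
    if path.endswith(".pwd") and status == 200:
        return "exposed"
    return "probe"


def scan_log(text):
    """Return one alert dict per request that touched a sensitive path."""
    alerts = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, method, path, status = parsed
        if path in SENSITIVE_PATHS:
            alerts.append({
                "client": client,
                "path": path,
                "status": status,
                "severity": classify(path, status),
            })
    return alerts


def hits_per_client(alerts):
    """Count alerts by source address; several in one burst looks like a scanner."""
    return dict(Counter(a["client"] for a in alerts))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for alert in found:
        print(f"{alert['severity']:8} {alert['client']:14} "
              f"{alert['path']} -> {alert['status']}")
    print(hits_per_client(found))
```

A 403 or 404 on these paths shows the request was refused, which is the expected state once the _vti_pvt directory is protected; a 200 on a .pwd file means the encrypted credentials left the server and the FrontPage passwords should be changed.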
Other ways of obtaining service.pwd:
http://ftpsearch.com/index.html - search for service.pwd
http://www.alstavista.digital.com - advanced search for link:"/_vti_pvt/service.pwd"
Attempt to connect to the server using FTP:
port 21
login anonymous
password guest@unknown
The anonymous login will use the internally created IUSR_computername
account to assign NT permissions.
An incorrect configuration may leave areas vulnerable to attack.
If service.pwd is obtained it will look similar to this: