Attacking and Defending Microsoft IIS - BSides Canberra 2024 Training

Published: 22/09/2024

I’ll be running a 3-hour training session at BSides Canberra 2024 this coming Friday at 9am, which is free for all attendees. Check out the event at https://cfp.bsidescbr.com.au/bsides-canberra-2024/talk/MKHDNA/ for location and session details.

Internet around the BSides venue is notoriously bad, so rather than ask a room full of people to pull down 6-7 GB of files at once, I figured I’d write up a quick “what you’ll need” blog post.

Looking forward to seeing you all on Friday!

Operating System

This training session will require a recent version of Windows (server or desktop). I have tested with Windows 11 Home and Pro as well as Windows Server 2022. VMs are fine; however, nothing we will be doing will be dangerous, so using a host OS is fine.

Visual Studio 2022 Community Edition

Download Link: https://visualstudio.microsoft.com/thank-you-downloading-visual-studio/?sku=Community&channel=Release&version=VS2022&source=VSLandingPage&cid=2030&passive=false

While not strictly required, if you want to have the best experience with the training session, Visual Studio is highly recommended.

While installing you’ll reach a screen where you choose what to install. Tick the ASP.NET and web development box in the central panel. If you want to shave ~1 GB off the install, untick everything from the right-hand list except .NET Framework 4.8 development tools.

To verify your install is ready to go, create a new project and ensure the Class Library (.NET Framework) template is available.

dnSpy

Download Link: https://github.com/dnSpyEx/dnSpy/releases

Download the latest release for your architecture.

WinDBG

Microsoft has made installation of WinDBG a little tricky unless you are fully plugged into their ecosystem. If you are on a desktop version of Windows and have a Microsoft account linked up to the Microsoft Store, you can download WinDBG either directly from the Microsoft Store or from https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/#install-windbg-with-windows-package-manager

If you are on a Server build of Windows or otherwise don’t have access to the Microsoft Store, download WinDBG from https://windbg.download.prss.microsoft.com/dbazure/prod/1-2407-24003-0/windbg.msixbundle then install it via PowerShell with the following command:

Add-AppxPackage .\windbg.msixbundle

NetExt

NetExt is a plugin for WinDBG which greatly assists with the analysis of IIS memory dumps. The easiest way to install it is to download Install-NetExt.ps1 and NetExt-2.1.65.5000.zip from https://github.com/rodneyviana/netext/releases/tag/2.1.65.5000 then run the PowerShell script. The PowerShell script expects the zip file to be in your Downloads directory.

Process Hacker

Download Link (Portable): https://sourceforge.net/projects/processhacker/files/processhacker2/processhacker-2.39-bin.zip/download

Download Link (Installer): https://sourceforge.net/projects/processhacker/files/processhacker2/processhacker-2.39-setup.exe/download

Download and extract/install.

YSoSerial

Download Link: https://github.com/pwntester/ysoserial.net/releases/tag/v1.36

Download and extract the latest release from the releases page. I recommend renaming the folder after extraction to reduce its length when we run YSoSerial from the terminal.

Slides/Code snippets

I’ll publish another post on Thursday evening containing the slides and code snippets used during the session.