IIS 7 server ip adress tracking

[temopampara]

hello guys...

i have a network with a IIS 7 server somewhere in the network and

i). it is only accessible within network(that means we must have to be connected with the same network to access this server, otherwise from outside of the network it is not accessible).

ii). It is only accessible through IE(internet explorer). If we try to use some other browser then "server not found" error is occurred. It is worth to mention here is that we to use non-FQDN (none fully qualified domain names to access the server) a FQDN is a domain name having dot "." in it for example server.com. instead we use https://server and thats it.

iii). On the network computers we have limited privileges so we cannot install some software to trace the ip addresses of the server.

Now the question is "how can we get the ip adress of the server ?"(beside privilege escalation or getting higher privileges on the network or system).

Note: i have googled it several times but cannot find some usefull info yet.

[pretentious]

hello guys...
have a network with a IIS 7 server somewhere in the network and

i). it is only accessible within network(that means we must have to be connected with the same network to access this server, otherwise from outside of the network it is not accessible).

This means there are a limited number of IP addresses that it could have(192.168.0.1/24 can only have 254? hosts. find out what your internal IP address is and you can brute force it

ii). It is only accessible through IE(internet explorer). If we try to use some other browser then "server not found" error is occurred. It is worth to mention here is that we to use non-FQDN (none fully qualified domain names to access the server) a FQDN is a domain name having dot "." in it for example server.com. instead we use https://server and thats it.

if you're able to spoof the user agent, you should be able to get around this. I don't know how relivant the non-FQDN thing is.

iii). On the network computers we have limited privileges so we cannot install some software to trace the ip addresses of the server.

so i guess spoofing is out of the question then?

Now the question is "how can we get the ip adress of the server ?"(beside privilege escalation or getting higher privileges on the network or system).

I'd probably try and ping every possible host in the subnet, as long as IIS will respond to pings which I don't know. That's also assuming that you're in the same subnet. Which OS are you using btw

-- Fri Apr 11, 2014 7:27 pm --

Code: Select all

#!/usr/bin/perl
for $i (2..253){
   system("timeout 1 ping -c 1 192.168.0.$i");
}


Something that i hacked together while working my way through half a semester of lecture slides. That's for linux. I'm sure windows will have a colse equivelant, It doesn't tell which specific host is the IIS server but it's where I'd start

[cyberdrain]

i). it is only accessible within network(that means we must have to be connected with the same network to access this server, otherwise from outside of the network it is not accessible).

ii). It is only accessible through IE(internet explorer). If we try to use some other browser then "server not found" error is occurred. It is worth to mention here is that we to use non-FQDN (none fully qualified domain names to access the server) a FQDN is a domain name having dot "." in it for example server.com. instead we use https://server and thats it.

iii). On the network computers we have limited privileges so we cannot install some software to trace the ip addresses of the server.

I have yet to find a network that's so tightly controlled it won't run portable apps. Most of the time you're able to run Firefox or other portable software and use a spoofed user agent, which will fix i), ii) and iii). Also, be sure that Internet Explorer doesn't include any specific cookies or settings the server recognizes, otherwise every browser will get an error message. I'm going to guess that 'limited privileges' means you have to use a non-administrator account, something every sane network administrator will probably do. If you meant 'group policy' then it's a whole different matter.

Have you tried netstat or either ping/tracert/nslookup https://server? If those are blocked, copy them to the desktop, rename them and run again or run them from a .BAT file. And I agree with pretentious: why is it relevant that it's a non-FQDN? Additionally, I'm pretty sure a network administrator (if you are not) won't be happy if he finds you scanning his network, so be sure to have permission (we won't help you do something illegal).

Which OS are you using btw

I'm going to assume Windows Vista/7 as host and Windows Server 2008 as target judging by the use of Internet Explorer and IIS 7.

[0phidian]

If you know the domain name then just use nslookup.
From command line:

Code: Select all

nslookup server.com

[temopampara]

Which OS are you using btw

Thanks for help guys..
i can boot the system from USB drive it means i can use any linux based OS. for the time being i am using Backtrack 5 from a USB drive.