Gets clear-text credentials by mapping IIS servers and collecting IIS appPools, virtual directories, usernames and passwords.
Requires local admin permissions on the target server(s), as well as port 5985 (WinRM) accessible on all target hosts.
By default, Microsoft web server identities' passwords (e.g. Application Pools, virtual directories etc.) can be extracted as clear-text by any local admin.
This can be, for example, a developer on an IIS box with RDP access, yet the credentials of the appPool/vDir exposed may belong to a 'strong' user account, e.g. a privileged service account.
This can make an adversary's life easier and be leveraged for easy access, rather than "poking around" with NTLM hashes, misconfigurations etc.
This is a quite common finding in enterprise environments, where many organizations (still) do not use MSAs/gMSAs for this purpose.
Hence, this tool comes to aid Red/Blue/Purple/SOC/Threat hunting/whatever team to map out those servers and accounts, to help secure those IIS boxes in a better way.
Run the Get-IISCredentials.ps1 PowerShell script to map all IIS servers and credentials.
You can run it for all the servers in the entire Active Directory domain, or target a specific host.
It uses WinRM to detect the w3svc service, and then WinRM again to run appcmd.exe and collect the credentials. Port 5985 needs to be open and accessible, and WinRM running.
- Use Managed Service Accounts
  MSA/gMSAs are a secure alternative to user service accounts (also for eliminating SPNs, Scheduled Tasks, SQL etc.).
- Consider encrypting sensitive sections of the web.config
  You can use ASP.NET RSA to encrypt sections of the configuration. This is also useful for other sensitive data, e.g. database connection strings.
  You'll need to grant the ASP.NET identity read access to the default RSA key container.
  Then, you can encrypt the section(s) using aspnet_regiis.exe, e.g.
  aspnet_regiis -pef "sectionName" "physicalPathToApplication"
  For more information, see https://learn.microsoft.com/en-us/previous-versions/aspnet/dtkwfdky(v=vs.100)
- Protect AppPool credentials using Configuration Locks
  This can be another option to limit access, e.g.
  appcmd lock config -section:system.webServer/security
- Alternative: Use Secrets Management solutions
  Vaults, e.g. Azure Key Vault, AWS Secrets Manager etc.
The ultimate goal of this step is to eventually reduce unnecessary admin access on your IIS boxes, so start by mapping the local ADMINISTRATORS on IIS servers. You can do this with SCCM, the PingCastle local admins scanner, any agent on the target, whatever.
If you want to query it remotely using PowerShell, you can try:
$s = 'SRV1','SRV2','SRV3'
Invoke-Command -ComputerName $s -Command {$env:COMPUTERNAME; Get-LocalGroupMember administrators}
You can also use the WinNT provider (RPC) if you don't want to, or can't, use WinRM.
- Limit wide admin access to the IIS box to specific and trusted accounts. Start by removing unnecessary local admins.
- Limit access to Application Pool credentials
  Restrict the ACL on the web.config file to the appPool identity only.
- Leverage JEA (Just Enough Administration), which is secure, constrained, role-based remote access using PowerShell.
  Instead of full local access as admin, you can limit identities to run specific CLI commands and tasks, using PSSessionConfiguration settings.
  e.g. a developer/QA staff member can have only start/stop service permissions, or just the ability to run net stop WAS, net start W3SVC, etc.
Obviously, like many other scripts (especially of mine), it's just a tool... not bad, nor good. That part is up to you 😄
Red teams can ‘enjoy’ and use this script as well to harvest clear-text credentials, once they have local admin access to host(s).
Keep in mind that a full-domain run can be detected quite easily by the multiple access requests via WinRM (spawning the wsmprovhost.exe process) on multiple hosts.
In addition, your EDR/Sysmon/whatever will log not only the wsmprovhost.exe process on the IIS box(es), but also that it executed appcmd.exe (with wsmprovhost.exe as the parent process).
This may be a bit unusual for most environments.
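As an added example (not part of Get-IISCredentials.ps1), this is the detection logic described above written as a PowerShell check: it flags Sysmon process-creation events (Event ID 1) where appcmd.exe has wsmprovhost.exe as its parent, and groups the hits by account across hosts so a domain-wide sweep stands out. The field names (Image, ParentImage, User) follow the Sysmon Event ID 1 schema; the sample records and host/user names are constructed.

```powershell
# Added example, not the script's own code: find appcmd.exe launched over WinRM.

function Test-RemoteAppcmd {
    param([Parameter(Mandatory)][string]$Image,
          [Parameter(Mandatory)][string]$ParentImage)
    # Compare file names only; install paths differ (System32, SysWOW64, inetsrv).
    $img    = [IO.Path]::GetFileName($Image).ToLowerInvariant()
    $parent = [IO.Path]::GetFileName($ParentImage).ToLowerInvariant()
    return ($img -eq 'appcmd.exe' -and $parent -eq 'wsmprovhost.exe')
}

function Get-RemoteAppcmdEvents {
    param([int]$Hours = 24)
    # Live query of the local Sysmon operational log (must be installed on the host).
    $filter = @{ LogName   = 'Microsoft-Windows-Sysmon/Operational'
                 Id        = 1
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Sysmon stores its fields as <Data Name="...">value</Data> elements.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ Time = $_.TimeCreated; Computer = $_.MachineName
                           User = $d.User; Image = $d.Image
                           ParentImage = $d.ParentImage; CommandLine = $d.CommandLine }
    } | Where-Object { Test-RemoteAppcmd -Image $_.Image -ParentImage $_.ParentImage }
}

# Constructed sample records standing in for parsed Sysmon events (offline run).
$sample = @(
    [pscustomobject]@{ Computer = 'IIS01'; User = 'CORP\dev.user'
        Image = 'C:\Windows\System32\inetsrv\appcmd.exe'; ParentImage = 'C:\Windows\System32\wsmprovhost.exe' }
    [pscustomobject]@{ Computer = 'IIS01'; User = 'IIS01\localadmin'
        Image = 'C:\Windows\System32\inetsrv\appcmd.exe'; ParentImage = 'C:\Windows\System32\cmd.exe' }
    [pscustomobject]@{ Computer = 'IIS02'; User = 'CORP\dev.user'
        Image = 'C:\Windows\System32\inetsrv\appcmd.exe'; ParentImage = 'C:\Windows\System32\wsmprovhost.exe' }
)

$hits = $sample | Where-Object { Test-RemoteAppcmd -Image $_.Image -ParentImage $_.ParentImage }
# One account reaching appcmd.exe over WinRM on several hosts is the sweep pattern;
# the interactive cmd.exe launch on IIS01 is not flagged.
$hits | Group-Object User |
    Select-Object Name, Count, @{ n = 'Hosts'; e = { ($_.Group.Computer | Sort-Object -Unique) -join ',' } }
```

Replace `$sample` with `Get-RemoteAppcmdEvents -Hours 24` on an IIS host with Sysmon to run the same grouping over real events.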
Feedback is always welcome!