Metasploitable/Apache/DAV
From charlesreid1
What Is It?
WebDAV stands for Web Distributed Authoring and Versioning.
The WebDAV protocol provides a framework for users to create, change and move documents on a server, typically a web server or web share.
Metasploit Modules
To check for WebDAV, you can use a couple of different modules:
webdav scanner
Scan for WebDAV:
msf auxiliary(webdav_scanner) > run
[*] 10.0.0.27 (Apache/2.2.8 (Ubuntu) DAV/2) WebDAV disabled.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(webdav_scanner) >
Looks like it is turned off...
webdav internal ip
We can use another scanner module to check for internal IPs with WebDAV enabled:
msf > use auxiliary/scanner/http/webdav_internal_ip
msf auxiliary(webdav_internal_ip) > show options

Module options (auxiliary/scanner/http/webdav_internal_ip):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   PATH     /                yes       Path to use
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    80               yes       The target port
   THREADS  1                yes       The number of concurrent threads
   VHOST                     no        HTTP server virtual host

msf auxiliary(webdav_internal_ip) > set RHOSTS 10.0.0.27
RHOSTS => 10.0.0.27
msf auxiliary(webdav_internal_ip) > run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(webdav_internal_ip) >
webdav website content
Similarly with the next scanner:
msf auxiliary(webdav_website_content) > use auxiliary/scanner/http/webdav_website_content
msf auxiliary(webdav_website_content) > show options

Module options (auxiliary/scanner/http/webdav_website_content):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   PATH     /                yes       Path to use
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    80               yes       The target port
   THREADS  1                yes       The number of concurrent threads
   VHOST                     no        HTTP server virtual host

msf auxiliary(webdav_website_content) > set RHOSTS 10.0.0.27
RHOSTS => 10.0.0.27
msf auxiliary(webdav_website_content) > run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(webdav_website_content) >
If you manage to find a writable directory, you can use it to get a remote shell: http://carnal0wnage.attackresearch.com/2010/05/more-with-metasploit-and-webdav.html
Davtest
You can also test out DAV using the davtest command line utility.
Also used here: https://www.youtube.com/watch?v=JoV1aSuy1XU&t=21m52s
Check that you've got a copy:
# which davtest
Scan
You can scan a WebDAV server using the davtest program by specifying the URL:
root@morpheus:~# davtest -url 10.0.0.27/dav
********************************************************
 Testing DAV connection
OPEN            SUCCEED:        10.0.0.27/dav
********************************************************
NOTE    Random string for this session: HE4bxEUNq5
********************************************************
 Creating directory
MKCOL           FAIL
********************************************************
 Sending test files
PUT     cgi     FAIL
PUT     shtml   FAIL
PUT     cfm     FAIL
PUT     pl      FAIL
PUT     php     FAIL
PUT     html    FAIL
PUT     jsp     FAIL
PUT     asp     FAIL
PUT     txt     FAIL
PUT     aspx    FAIL
PUT     jhtml   FAIL
********************************************************
/usr/bin/davtest Summary:
root@morpheus:~#
This output is more helpful than the Metasploit WebDAV scanner module: it shows us that the DAV server is open and responding, but that none of the write actions (MKCOL, PUT) succeeded. This might be an authorization problem that we could get around with an exploit. And once we have access through WebDAV, being able to edit or add files on a remote server is a gateway to getting in and getting shells.
Action Failures
From the davtest scan, we saw a bunch of actions failed. I guess that means we need credentials to do anything. (?)
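The davtest pattern above (OPEN SUCCEED, but MKCOL and every PUT FAIL) is what you get when DAV is enabled on a location and the write methods are gated behind authentication. The Apache 2.2 configuration below is an added example, not from this wiki page or from Metasploitable's own httpd.conf; the share path, lock file and password file are assumptions. It puts the weak form, which would let davtest upload every test file, beside a hardened form that keeps reads anonymous, requires credentials for writes, and makes sure nothing uploaded to the share is ever executed.

```apache
# Added example: not the wiki page's or Metasploitable's config.
# Assumed paths: /var/www/dav, /etc/apache2/dav.passwd,
# /var/lock/apache2/DavLock (the last two must be writable by www-data).

# --- Weak: DAV on, no authentication on any method.
# davtest reports MKCOL SUCCEED and PUT SUCCEED for every extension, and a
# PUT .php file is run by mod_php on the very next GET.
# Alias /dav /var/www/dav
# <Directory /var/www/dav>
#     Dav On
#     Order allow,deny
#     Allow from all
# </Directory>

# --- Hardened version of the same share.
DavLockDB /var/lock/apache2/DavLock

Alias /dav /var/www/dav
<Directory /var/www/dav>
    Dav On
    # Keep the default: refuse PROPFIND with Depth: Infinity (whole-tree listing).
    DavDepthInfinity Off

    # Apache 2.2 host access (Apache 2.4 would use "Require all granted").
    Order allow,deny
    Allow from all

    # Uploaded content is data, never code: no CGI, no SSI, no directory
    # listings, and no script handler bound to anything stored here.
    Options -ExecCGI -Includes -Indexes
    RemoveHandler .php .phtml .pl .cgi .shtml
    RemoveType .php .phtml
    <IfModule mod_php5.c>
        php_admin_flag engine off
    </IfModule>

    AuthType Basic
    AuthName "WebDAV"
    AuthUserFile /etc/apache2/dav.passwd

    # GET, HEAD, OPTIONS and PROPFIND stay anonymous. PUT, DELETE, MKCOL,
    # COPY, MOVE, PROPPATCH, LOCK and UNLOCK all require a valid user, which
    # is exactly the OPEN SUCCEED / PUT FAIL split davtest shows above.
    <LimitExcept GET HEAD OPTIONS PROPFIND>
        Require valid-user
    </LimitExcept>
</Directory>
```

Re-running davtest with no credentials against the hardened share should reproduce the page's output; running it with `-auth user:pass` is the check that the write path still works for legitimate users while the PHP test file it uploads is served as text rather than executed.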
Cadaver
Cadaver is a utility for dealing with WebDAV systems on the command line.
Some background here: http://web.cs.sunyit.edu/~yanarej/Labs430/Lab_7__Exploitation.pdf
Flags