There are many steps involved when securing your servers. One step is to locate low-hanging fruit in an automated way, to get a clear picture of what we’re dealing with. Vulnerability scanners come naturally here. From time to time I stumble across ASP.NET servers running in debug mode. It happens from time to time that lazy developers do this. I’ve been in an old school mode recently, trying to document how to do things manually instead of relying on just the scanners. Today I’ll show you how to find out if an ASP.NET server runs in debug mode by using simple tools over HTTP(S). We will not be touching the consequences of running in debug mode or how to exploit it further.
We’re not doing anything fancy here, so we’ll stick with some basic tools. In general we need at least two tools, depending on whether the target uses HTTPS or plain HTTP.
Netcat and Telnet
Given that you have permission to test a server, connecting to it is quite simple. We can use Netcat or Telnet if the server doesn’t use HTTPS, or OpenSSL if the server uses HTTPS. I am using Kali Linux in this example as a base.
$ nc host port
$ telnet host port
$ openssl s_client -connect host:port
Ready, set, go!
By now you should be connected and the terminal should be awaiting input. The main idea here is to send an HTTP request that’ll trigger the debugging system. We’ll make use of the DEBUG verb. This verb doesn’t belong to the HTTP standard; it’s Microsoft specific. Next, in the same request, we must tell the debugger to do something. Since we’re only going to verify that the server runs in debug mode, let’s just tell it to stop debugging. The following should make this theory clear.
DEBUG / HTTP/1.1
Host: hostname_here
Command: stop-debug
If the remote server runs in debug mode you should see a response looking like this:
HTTP/1.1 200 OK
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: blahblahblah
Content-Length: 2

OK
Anything other than an HTTP 200 OK message indicates that the target is not in debug mode, or you might have a typo to fix.
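The same check as a script, for auditing servers you are responsible for. This is an added example, not code from the original post; the function names, the script name in the usage string and the two sample responses are assumptions made up for illustration.

```python
import socket
import ssl
import sys

# Constructed sample responses: the first mirrors the article's example reply,
# the second is a made-up refusal for comparison.
SAMPLE_DEBUG_ON = (b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.0\r\n"
                   b"X-Powered-By: ASP.NET\r\nContent-Length: 2\r\n\r\nOK")
SAMPLE_DEBUG_OFF = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"


def build_debug_request(host):
    """The article's request; the trailing empty line ends the headers."""
    lines = ["DEBUG / HTTP/1.1", f"Host: {host}", "Command: stop-debug", "", ""]
    return "\r\n".join(lines).encode("ascii")


def parse_status(raw):
    """Return the numeric status code of a raw response, or 0 if malformed."""
    parts = raw.split(b"\r\n", 1)[0].decode("iso-8859-1").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdecimal():
        return 0
    return int(parts[1])


def debug_enabled(raw):
    """Per the article: only a 200 reply means debug mode is on."""
    return parse_status(raw) == 200


def probe(host, port, use_tls=False, timeout=5.0):
    """Send the request over plain TCP or TLS and return the response head."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_debug_request(host))
        data = b""
        while b"\r\n\r\n" not in data:  # stop once the header block is complete
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return data


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: check_debug.py host port [tls]")
    reply = probe(sys.argv[1], int(sys.argv[2]), use_tls=len(sys.argv) > 3)
    print("status", parse_status(reply), "debug enabled:", debug_enabled(reply))
```

The request bytes are exactly the three lines shown above plus the empty line that ends the headers, which is easy to forget when typing the request by hand into Netcat or OpenSSL.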
For more information on ASP.NET debug mode, visit:
- OWASP on ASP.NET misconfigurations
- The infamous Debug=True Attribute in ASP.NET
- Microsoft Support ticket mentioning the DEBUG verb
- A great article on remote debugging