There are many steps involved in securing your servers. One of them is to locate the low-hanging fruit in an automated way, to get a clear picture of what we’re dealing with. Vulnerability scanners come naturally here. From time to time I stumble across ASP.NET servers running in debug mode, because lazy developers leave it that way. I’ve been in an old-school mode recently, trying to document how to do things manually instead of relying on just the scanners. Today I’ll show you how to find out whether an ASP.NET server runs in debug mode by using simple tools over HTTP(S). We will not be touching on the consequences of running in debug mode or how to exploit it further.

Tools

We’re not doing anything fancy here, so we’ll stick with some basic tools. In general we need at least two tools, depending on whether the target uses HTTPS or plain HTTP.

Netcat and Telnet

Given that you have permission to test a server, connecting to it is quite simple. We can use Netcat or Telnet if the server doesn’t use HTTPS, or OpenSSL if the server uses HTTPS. I am using Kali Linux in this example as a base.


$ nc host port

or

$ telnet host port

OpenSSL


$ openssl s_client -connect host:port

Ready, set, go!

By now you should be connected and the terminal should be awaiting input. The main idea here is to send an HTTP request that will trigger the debugging system. We’ll make use of the DEBUG verb. This verb doesn’t belong to the HTTP standard; it’s Microsoft-specific. Next, in the same request, we must tell the debugger to do something. Since we’re only going to verify that the server runs in debug mode, let’s just tell it to stop debugging. The following request shows this in practice; finish it with an empty line so the server knows the headers are complete.


DEBUG / HTTP/1.1
Host: hostname_here
Command: stop-debug

If the remote server runs in debug mode you should see a response looking like


HTTP/1.1 200 OK
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: blahblahblah
Content-Length: 2

OK

Anything other than an HTTP 200 OK message indicates that the target is not in debug mode, or you might have a typo to fix.
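The same check scripted for auditing servers you administer, as an added example that is not code from the original post. The `Connection: close` header, the extra requirement that the body be `OK`, and the sample responses are this example's own assumptions and constructions.

```python
import socket
import ssl
import sys

def build_probe(host, path="/"):
    # Same three lines as the request in the post; Connection: close is added
    # here so the server hangs up after replying and recv() sees end of stream.
    lines = [f"DEBUG {path} HTTP/1.1", f"Host: {host}",
             "Command: stop-debug", "Connection: close", "", ""]
    return "\r\n".join(lines).encode("ascii")

def debug_enabled(raw):
    # Assumption of this example: require the two-byte "OK" body as well as
    # status 200, so a catch-all page answering 200 to any verb is not flagged.
    head, _, body = raw.partition(b"\r\n\r\n")
    status = head.split(b"\r\n", 1)[0].split()
    if len(status) < 2 or not status[0].startswith(b"HTTP/"):
        return False
    return status[1] == b"200" and body.strip() == b"OK"

def probe(host, port, use_tls, timeout=5.0):
    # Plain socket replaces nc/telnet; the TLS wrap replaces openssl s_client.
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_probe(host))
        chunks = []
        while (data := sock.recv(4096)):
            chunks.append(data)
    return debug_enabled(b"".join(chunks))

# Constructed sample responses (not captured from a real server).
SAMPLE_ON = (b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.0\r\n"
             b"X-Powered-By: ASP.NET\r\nContent-Length: 2\r\n\r\nOK")
SAMPLE_OFF = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
SAMPLE_CATCH_ALL = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                    b"<html>home</html>")

if __name__ == "__main__":
    if len(sys.argv) == 3:      # usage: script.py host port
        host, port = sys.argv[1], int(sys.argv[2])
        print(host, "debug mode:", probe(host, port, use_tls=(port == 443)))
    else:
        for name, raw in [("on", SAMPLE_ON), ("off", SAMPLE_OFF),
                          ("catch-all", SAMPLE_CATCH_ALL)]:
            print(name, debug_enabled(raw))
```

Run without arguments it classifies the three constructed responses; with a host and port it sends the request and treats port 443 as TLS.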

Resources

For more information on ASP.NET debug mode, visit:
