Dump password of application pool user from IIS >= 6.0

IIS application pools are used to separate sets of IIS worker processes that share the same configuration and application boundaries. Application pools isolate web applications from each other for better security, reliability, availability and performance, so that they keep running without impacting one another. The worker process serves as the process boundary that separates each application pool, so that when one worker process or application has an issue or recycles, other applications or worker processes are not affected.
One application pool can have multiple worker processes. (Ref: http://technet.microsoft.com/en-us/library/cc735247%28WS.10%29.aspx)

Main Points to Remember:
1. Isolation of different web applications
2. Individual worker processes for different web applications
3. More reliable web applications
4. Better performance

While managing or testing multiple web applications we may create many application pools in IIS, so there is always the possibility of forgetting the password of the account used for one of those application pools. The credentials can be retrieved with the APPCMD utility.

Let’s Start

1. Let us assume that we have forgotten the password of the account used by the "Demo User" application pool.

Application Pool

2. Open the command prompt via Start menu -> Accessories -> Command Prompt. Right-click Command Prompt and select "Run as Administrator" from the context menu.

Tip: You can also select CMD and press Ctrl + Shift + Enter to start the Command Prompt as Administrator (with machine administrator rights).

3. Change to the directory "%systemroot%\system32\inetsrv" in the command prompt and run APPCMD list apppool "Demo User" /text:*

(The directory will most likely be C:\Windows\System32\inetsrv)

Replace "Demo User" with the name of the application pool whose password you want to retrieve.

Command

4. Under the [processModel] section you will find the username and the password in clear text.

Output showing credentials

Remediation & POC

The remediation is simple: run application pools under built-in service accounts such as Network Service. Then, even if someone gains access to the system and repeats the steps above, there is no user account password to retrieve.

1. Application pool "Dos" running under the Network Service account

Application Pool for Network Service

2. Running the same command as earlier in this post, i.e. APPCMD list apppool "Dos" /text:*

Command

3. Checking the output

Output for Network Service

Note

The above technique, which we tested against IIS 6.0, also works with IIS 7.0 and IIS 7.5, as these versions also provide the utility for legacy reasons.

I guess this highlights why least privilege is so important when assigning privileges to application services on servers. In a scenario where the server is compromised, the Final word for IIS administrators: always use a least-privilege user account for SharePoint or any other web application installation or deployment. Put simply, the application pool account should not have more permissions than it needs.
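As an added example (not part of the original post), here is an audit script an administrator can run to find the pools affected by the issue above and apply the post's remediation. It assumes the WebAdministration PowerShell module (IIS 7.0 or later, which exposes the IIS: drive) and an elevated prompt; the function names are my own. It reports which pools run as a specific user, meaning a password is stored in applicationHost.config and recoverable as shown above, without ever printing that password.

```powershell
# Added audit script (not from the original post). Assumes the WebAdministration
# module (IIS 7.0+, IIS: drive) and an elevated PowerShell prompt.
Import-Module WebAdministration

function Get-AppPoolIdentityAudit {
    [CmdletBinding()]
    param()

    Get-ChildItem IIS:\AppPools | ForEach-Object {
        $pm = $_.processModel
        # identityType is 'SpecificUser' when a username/password pair was configured;
        # that password is what "APPCMD list apppool <name> /text:*" reveals.
        $custom = ($pm.identityType -eq 'SpecificUser')
        [pscustomobject]@{
            AppPool        = $_.Name
            IdentityType   = $pm.identityType
            UserName       = $(if ($custom) { $pm.userName } else { '(built-in)' })
            StoredSecret   = $custom   # true => recoverable password in config
            Recommendation = $(if ($custom) {
                'Move to a built-in identity (e.g. NetworkService) or a least-privilege account'
            } else { 'OK' })
        }
    }
}

function Set-AppPoolBuiltInIdentity {
    # Remediation from the post: run the pool under a built-in service account.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $Name,
        # ApplicationPoolIdentity is only available on IIS 7.5 and later
        [ValidateSet('NetworkService', 'LocalService', 'ApplicationPoolIdentity')]
        [string] $IdentityType = 'NetworkService'
    )
    $path = "IIS:\AppPools\$Name"
    if ($PSCmdlet.ShouldProcess($Name, "set processModel.identityType = $IdentityType")) {
        Set-ItemProperty -Path $path -Name processModel.identityType -Value $IdentityType
        # Recycle so the worker process starts under the new identity
        Restart-WebAppPool -Name $Name
    }
}

# Usage: list pools with stored credentials; preview the fix with -WhatIf before applying it
Get-AppPoolIdentityAudit | Where-Object { $_.StoredSecret } | Format-Table -AutoSize
Get-AppPoolIdentityAudit | Where-Object { $_.StoredSecret } |
    ForEach-Object { Set-AppPoolBuiltInIdentity -Name $_.AppPool -WhatIf }
```

Pools that genuinely need a domain account (for example to reach a back-end SQL Server) should still be flagged by this audit, but treated as exceptions whose account is granted only the rights the application requires.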

Dhiraj

Dhiraj Ranka

Dhiraj Ranka is currently working as Senior Security Analyst at Network Intelligence, Mumbai for more than four years. He is additionally involved in intensive research and Web-based applications testing, intended primarily for executing vulnerability assessment projects and delivering trainings.
