View IIS AppPool Passwords in Plain Text with WebAdministration Module

I have been learning more about IIS this past month, and have discovered something interesting…

First off, PowerShell and IIS are really great friends. For everything I have needed to do for AppPools, websites, bindings, etc., PowerShell has been able to do it all very nicely. However, in attempting to find out how AppPool identity credentials are stored, I found that the WebAdministration Module allows you to view those passwords in plain text (tested on IIS v8).

I couldn’t find much about this being done via the PSDrive that becomes available when importing the WebAdministration Module, but I found an article that talks about using AppCmd.exe to do the same thing:

Decrypting IIS Passwords to Break Out of The DMZ: Part 2 [NetSPI]

In addition to that approach, the following will also dump all Usernames and Passwords for accounts being used to run the AppPools:

Import-Module WebAdministration
(ls IIS:\AppPools | Get-ItemProperty).ProcessModel | select UserName,Password

Output:

[Screenshot: PasswordPlainText]

Wow. Now, if you use those two lines in a ScriptBlock run by Invoke-Command, you can potentially grab all service account names and passwords from IIS servers running on your network (provided you have permissions, the WebAdministration module is present, remoting is enabled, etc.).

I found an interesting use for this: if I am going to be adding new IIS web servers to a farm, I can automate the configuration of AppPool credentials by simply querying an example server on the network:

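# Needed locally as well, because Set-ItemProperty below uses the IIS: drive
Import-Module WebAdministration

# Computer that has IIS identity/passwords to pull
$SourceComputerName = "WebServer01"

# Names of the AppPools to configure on this server (placeholder values;
# each must already exist locally and match an AppPool name on the source)
$NewWebSites = @("ExampleSite01", "ExampleSite02")

# Pull all AppPools, and thus pull all nested usernames and passwords (if any)
$AppPoolInfo = Invoke-Command -ComputerName $SourceComputerName -ScriptBlock {
  Import-Module WebAdministration
  ls IIS:\AppPools | Get-ItemProperty
}

foreach ($NewWebSiteName in $NewWebSites) {
  $WebAppPool = ($AppPoolInfo | where {$_.Name -like "$NewWebSiteName"}).ProcessModel
  # Skip pools with no match on the source or no stored account, rather than
  # writing an empty SpecificUser identity
  if (-not $WebAppPool.UserName) { continue }
  $null = Set-ItemProperty -Path "IIS:\AppPools\$NewWebSiteName" -Name ProcessModel -Value @{
    'identityType'="SpecificUser"
    'userName'=$WebAppPool.UserName
    'password'=$WebAppPool.Password
  }
  Clear-Variable WebAppPool
}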

# List all usernames/passwords
# $AppPoolInfo.processModel | select UserName,Password

From what I gather, this is a feature, not a vulnerability / exploit. This seems to be the intended behaviour. The passwords are stored in an encrypted format within the applicationHost.config file, but can be converted to visible plain text with either AppCmd.exe or the WebAdministration Module in PowerShell.
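Because any administrator on the server can recover these passwords, it helps to know which AppPools actually hold one. The following is an added example, not code from the original post: it lists the pools running as SpecificUser, the account they use, and how many pools share that account, without ever emitting the password. The function name, the -ComputerName label and the sample objects are assumptions made for illustration.

```powershell
# Added example: inventory AppPools that hold a stored credential (password is never output)
function Get-AppPoolCredentialExposure {
    [CmdletBinding()]
    param(
        # AppPool objects as returned by: Get-ChildItem IIS:\AppPools
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$AppPool,
        # Label for the server the pools came from (assumption: supplied by the caller)
        [string]$ComputerName = $env:COMPUTERNAME
    )
    begin { $rows = New-Object 'System.Collections.Generic.List[object]' }
    process {
        $pm = $AppPool.processModel
        # Only SpecificUser pools keep a userName/password pair in applicationHost.config
        if ("$($pm.identityType)" -ne 'SpecificUser') { return }
        $rows.Add([pscustomobject]@{
            ComputerName      = $ComputerName
            AppPool           = $AppPool.Name
            UserName          = [string]$pm.userName
            # Tested for emptiness only; the value itself is discarded
            HasStoredPassword = -not [string]::IsNullOrEmpty($pm.password)
        })
    }
    end {
        # Count pools per account: one readable password exposes every pool that shares it
        $reuse = @{}
        foreach ($r in $rows) { $reuse[$r.UserName] = 1 + [int]$reuse[$r.UserName] }
        foreach ($r in $rows) {
            $r | Add-Member -NotePropertyName PoolsSharingAccount `
                            -NotePropertyValue $reuse[$r.UserName] -PassThru
        }
    }
}

# Constructed sample input so the function can be tried without IIS installed
function New-SamplePool($Name, $Type, $User, $Pass) {
    [pscustomobject]@{ Name = $Name; processModel = [pscustomobject]@{
        identityType = $Type; userName = $User; password = $Pass } }
}
$sample = @(
    New-SamplePool 'DefaultAppPool' 'ApplicationPoolIdentity' '' ''
    New-SamplePool 'Intranet'       'SpecificUser' 'EXAMPLE\svc-web' 'constructed-value'
    New-SamplePool 'Reports'        'SpecificUser' 'EXAMPLE\svc-web' 'constructed-value'
)
$sample | Get-AppPoolCredentialExposure -ComputerName 'SAMPLE' | Format-Table -AutoSize

# On a real IIS server (elevated session, WebAdministration module present):
# Import-Module WebAdministration
# Get-ChildItem IIS:\AppPools | Get-AppPoolCredentialExposure
```

With the sample data, two rows are returned (Intranet and Reports), both showing EXAMPLE\svc-web with PoolsSharingAccount = 2; DefaultAppPool is omitted because it stores no credential.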

I may be posting more on some IIS content in the near future, otherwise, I should have some more content up soon.
