Deploying a WebDAV Server

There are various reasons why having a WebDAV server comes in handy. The main reason I created one was to execute a malicious Outlook rule attack as part of a pentest, as described here. In my case, I configured the WebDAV server to be read-only (it refuses the WebDAV write methods such as PUT, DELETE and MKCOL) so that my executables could not be erroneously or maliciously overwritten. These instructions are for deploying a WebDAV server on a Digital Ocean instance, but similar steps apply to other cloud providers.

Here we go!

Create and then sign into your Digital Ocean account at https://www.digitalocean.com/. For improved security, enable two-factor authentication on your account.

Click on the “Create Droplet” button at the top of the page.

Click “Create Droplet” in Digital Ocean

Choose the default Ubuntu release (at the time of writing this was 16.04.1), and the cheapest server option, as shown in the images below. Accept other defaults and add your SSH key for logging into your new server. Optionally, set a hostname for your server. Finally, click the big green “Create” button at the bottom of the page to create your instance.


Digital Ocean Droplet Creation Options

That was easy! Now you have a server deployed on the internet.

Successfully Created Digital Ocean Instance (aka Droplet)

First, let’s do some housekeeping on our new instance. Connect to it over SSH as root, using the key you added when creating the droplet:

SSH Access to Server

Disable the ability to SSH to your server using a password so that SSH access requires your private key. Edit /etc/ssh/sshd_config, uncomment the “PasswordAuthentication” line and set its value to “no”:

Disable SSH Access via Password

Then restart the SSH service (on Ubuntu 16.04 the service is named ssh) so that your changes take effect. Make sure key-based login already works from your own machine before you do this, otherwise you can lock yourself out of the server.

SSH Configuration Edit and Service Restart

You can verify that SSH access via password has been disabled by trying to SSH from a machine that does not have your private key, as shown below. The first attempt was made before the configuration change and prompts the user for a password. The second attempt simply denies the user access.

Confirm SSH Key Access Only

Update your server with the following two commands (repeat this often to keep the system up to date):

apt-get update

apt-get dist-upgrade

Install Apache with the following command:

apt-get install apache2

Enable Apache webDAV functionality:

a2enmod dav

a2enmod dav_fs

Enable Apache WebDAV Modules

Create the share directory /var/www/webdav and make www-data (the user Apache runs as) its owner.

Create WebDAV Directory and Set Owner

Configure Apache for read-only access to files in the webdav directory by editing /etc/apache2/sites-available/000-default.conf to match the following (comments removed for brevity). The LimitExcept block is what makes the share read-only: only GET, HEAD, OPTIONS and PROPFIND (downloading and listing) are allowed, and the WebDAV write methods such as PUT, DELETE, MKCOL, COPY and MOVE are refused. Options Indexes is what produces the directory listing in a browser. Note that Deny from all and Satisfy all are Apache 2.2-style access control; Ubuntu 16.04 ships Apache 2.4, where they only work because mod_access_compat is enabled by default (the 2.4 equivalent is Require all denied):

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /webdav /var/www/webdav
    <Location /webdav>
        Options Indexes
        DAV On
        <LimitExcept GET HEAD OPTIONS PROPFIND>
            Deny from all
        </LimitExcept>
        Satisfy all
    </Location>
</VirtualHost>

Restart Apache and visit your new WebDAV server from a web browser at http://YOUR-SERVER-IP/webdav/ (substitute the droplet’s public IP address):

Command to Restart Apache

Initial WebDAV Directory Listing
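The SSH hardening and the Apache/WebDAV steps above, collected into one script as an added example (this is not the original post’s code; the post shows the steps as individual commands and screenshots). It assumes a stock Ubuntu 16.04 droplet with Apache 2.4, that the share lives at /var/www/webdav, that the vhost file is /etc/apache2/sites-available/000-default.conf, that Apache runs as www-data, and that it is run as root. The vhost it writes uses the Apache 2.4 Require directive in place of the 2.2-style Deny from all / Satisfy all, and it validates both the sshd and the Apache configuration before restarting either service, so a typo cannot lock you out or take the web server down. The last step lists any files in the share that www-data cannot read, which is the cause of the File Explorer error discussed further down.

```shell
#!/bin/sh
# Added example (not from the original post). Run as root on the droplet:
#   sh deploy_webdav.sh deploy
# Assumed (not stated on the page): the paths and user below match a stock
# Ubuntu 16.04 / Apache 2.4 install.
set -eu

DAV_DIR="${DAV_DIR:-/var/www/webdav}"
VHOST="${VHOST:-/etc/apache2/sites-available/000-default.conf}"
APACHE_USER="${APACHE_USER:-www-data}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# Force "PasswordAuthentication no" in an sshd_config file, whether the line
# is commented out (Ubuntu's default), set to yes, or missing altogether.
disable_ssh_passwords() {       # $1 = path to sshd_config
    sed -i -E 's/^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' "$1"
    grep -q '^PasswordAuthentication no$' "$1" || echo 'PasswordAuthentication no' >> "$1"
}

install_apache() {
    apt-get update
    DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade
    DEBIAN_FRONTEND=noninteractive apt-get -y install apache2
    a2enmod dav dav_fs
}

# Write the read-only vhost. Apache 2.4 uses Require for access control; the
# 2.2-style "Deny from all" / "Satisfy all" on the page only works because
# Ubuntu enables mod_access_compat by default.
write_vhost() {                 # $1 = vhost file, $2 = share directory
    cat > "$1" <<EOF
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog \${APACHE_LOG_DIR}/error.log
    CustomLog \${APACHE_LOG_DIR}/access.log combined

    Alias /webdav $2
    <Location /webdav>
        Options Indexes
        DAV On
        # Read-only: every method except these four is refused.
        <LimitExcept GET HEAD OPTIONS PROPFIND>
            Require all denied
        </LimitExcept>
    </Location>
</VirtualHost>
EOF
}

# Print the files under $1 that user/group $2 cannot read. Apache only needs
# the read bit, so a root-owned 0644 file is fine; 0600 files are the usual
# cause of the "permission" error seen from File Explorer.
unreadable_files() {            # $1 = directory, $2 = Apache user (name or uid)
    find "$1" -type f ! \( \( -user "$2" -perm -400 \) -o \
                           \( -group "$2" -perm -040 \) -o -perm -004 \)
}

if [ "${1:-}" = "deploy" ]; then
    disable_ssh_passwords "$SSHD_CONFIG"
    sshd -t                         # set -e aborts here on a bad config, before the restart
    systemctl restart ssh
    install_apache
    mkdir -p "$DAV_DIR"
    chown "$APACHE_USER:$APACHE_USER" "$DAV_DIR"
    write_vhost "$VHOST" "$DAV_DIR"
    apachectl configtest
    systemctl restart apache2
    unreadable_files "$DAV_DIR" "$APACHE_USER"
fi
```

Re-run the last function (or the whole script’s final step) after copying new payloads into the share; any path it prints will produce the File Explorer permission error described below until its owner or mode is fixed.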

Congratulations, you now have a WebDAV server! Now put some files in there that you would like to serve. A simple example is given below.

Refresh your web browser to see the file listing.

WebDAV Directory Listing and File Access
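Before relying on the share in an engagement, it is worth checking from a client that the read-only configuration actually holds. The following is an added example, not part of the original post: it probes a WebDAV URL with the four allowed read methods and with the WebDAV write methods, and flags any write method the server accepts. It assumes curl is installed on the client; the URL is your own, and the probe name webdav-audit-probe is made up here. With the Apache configuration above, every write method is answered with 403 before Apache even looks at the path.

```shell
#!/bin/sh
# Added example, not part of the original post: check from a client that a
# WebDAV share is really read-only. Usage (URL is yours; curl assumed):
#   sh webdav_audit.sh http://YOUR-SERVER-IP/webdav/
set -u

READ_METHODS="GET HEAD OPTIONS PROPFIND"
WRITE_METHODS="PUT DELETE MKCOL COPY MOVE PROPPATCH LOCK UNLOCK"

# HTTP status for one method against one URL. HEAD needs -I (curl would
# otherwise wait for a body), PUT sends an empty body, and COPY/MOVE need a
# Destination header or Apache answers 400 before any access check.
http_status() {                 # $1 = url, $2 = method
    case "$2" in
        HEAD) curl -s -o /dev/null -w '%{http_code}' -I --max-time 10 "$1" ;;
        PUT)  curl -s -o /dev/null -w '%{http_code}' -X PUT -d '' --max-time 10 "$1" ;;
        *)    curl -s -o /dev/null -w '%{http_code}' -X "$2" -H 'Depth: 1' \
                   -H "Destination: $1.moved" --max-time 10 "$1" ;;
    esac
}

# One "METHOD STATUS VERDICT" line per method. Returns 1 if any write method
# got a 2xx (the share is writable) or a read method was refused.
audit_webdav() {                # $1 = base URL of the share
    url="${1%/}/"
    probe="${url}webdav-audit-probe"    # made-up name; never exists on a read-only share
    bad=0
    for m in $READ_METHODS; do
        code=$(http_status "$url" "$m")
        case "$code" in
            2*) echo "$m $code ok" ;;
            *)  echo "$m $code BROKEN (read method refused)"; bad=1 ;;
        esac
    done
    for m in $WRITE_METHODS; do
        code=$(http_status "$probe" "$m")
        case "$code" in
            2*)          echo "$m $code WRITABLE"; bad=1 ;;
            401|403|405) echo "$m $code ok" ;;
            *)           echo "$m $code CHECK (not refused by policy)" ;;
        esac
    done
    return $bad
}

if [ -n "${1:-}" ]; then
    audit_webdav "$1"
fi
```

A CHECK verdict (for example 404 for DELETE or MOVE of the non-existent probe) means the request reached the WebDAV handler instead of being refused outright, which is a sign the LimitExcept block is not in effect; and if PUT ever reports WRITABLE, the probe has just created an empty file on your server that you should remove.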

The interesting thing about a WebDAV server is that Windows can open it straight from File Explorer by entering it as a UNC network path:

\\159.203.131.191\webdav

Access WebDAV Files Through Windows File Explorer

Be patient, as it takes a bit of time to load the directory listing after entering the network address: Windows first tries to reach the path over SMB (port 445) and only falls back to WebDAV over HTTP, through the WebClient service (the WebDAV Mini-Redirector), after that attempt fails, so the WebClient service must be running on the client. This same fallback is what lets a malicious Outlook rule launch an executable from the share by UNC path. Attempting to open one of these files from File Explorer gives the following error:

File Permission Error Blocks File Open

This is a file permission error. Apache runs as the www-data user and can only serve files that www-data is permitted to read; the test files were created as root, and www-data could not read them. Giving www-data ownership (as shown below) fixes this; a root-owned file would also work if it is world-readable, since what matters is the read permission for the Apache user.

Test Files Owned by Root (Causes Permission Error)

To fix the permission issue, change the ownership of the files as shown below:

Test File Ownership Changed to www-data

The test file can now be opened by clicking on the link in File Explorer.

Test File Opened from WebDAV Server via File Explorer

Forgetting to set the file permissions properly will foil your malicious Outlook rule attempt, and noisily so. The image below shows the pop-up the target user gets when the rule fires and Outlook cannot read the file from the WebDAV server.


Outlook Rule Error with Incorrect File Permission on WebDAV Server

In addition, Outlook automatically disables the malicious rule after the error, as indicated by the red text and the cleared check box in the rule list.


Automatically Disabled Rule on Error