Brute Force In IIS (Internet Information Services)

OWASP 2013-A2 OWASP 2017-A2 OWASP 2021-A7 CAPEC-151 CWE-151 WASC-12

Brute force is a trial-and-error method of attack. It is used to obtain sensitive information. This information includes such user password, PIN number etc. In a brute force attack, an automated software is used to generate values using permutation and combination. This process continues until the barrier is broken. Brute force attacks are used by criminals to crack encrypted data. This method is used by security analysts to test network security. There are other names for brute force attack like brute force cracking or simply brute force. If a server is configured to use basic authentication or Integrated Windows authentication, then it is vulnerable to brute force attack on the password of the local machine admin account. If a server is using Windows IIS, it will have a default page localstart.asp. If the authentication is done by Integrated Windows authentication, it will be vulnerable to brute force attack. Default username of localstart.asp is “administrator” and the attacker can use brute force attack to guess the password.


Microsoft’s IIS server has a default page “localstart.asp”. This page is protected by NTLM authentication by default. An attacker can use a brute force attack to gain the authentication credentials. The resultant will give the attacker admin access.


Using this vulnerability, an attacker can:-

  • exploit the vulnerable application using injection attacks.
  • steal sensitive information about the application.

Mitigation / Precaution

Beagle recommends the following impacts:-

  • Empty the local machine.
  • Remove all authentication schemes from localstart file.
  • If localstart file is not required for the application, we recommend to delete it from the web server. Deleting this file will not the attackers to launch brute force authentication.
  • Update the server’s IIS to IIS7 or higher version.
  • Try to implement CAPTCHA in the application to enhance the security.

Latest Articles