documentation/modules/auxiliary/scanner/http/iis_internal_ip.md
Under various conditions, IIS may respond to an HTTP/1.0 request for /, /images, or /default.htm
with a 300 HTTP response and a Location header that contains an internal (192.x.x.x, 10.x.x.x, or 172.x.x.x)
IP address. It may also respond to a 'PROPFIND' request sent with a blank Host header with a response that
contains the internal IP address in the body.
use auxiliary/scanner/http/iis_internal_ip
set RHOSTS [ip]
run

msf > use auxiliary/scanner/http/iis_internal_ip
msf auxiliary(scanner/http/iis_internal_ip) > set ssl true
[!] Changing the SSL option's value may require changing RPORT!
ssl => true
msf auxiliary(scanner/http/iis_internal_ip) > set rport 443
rport => 443
msf auxiliary(scanner/http/iis_internal_ip) > set rhosts 2.2.2.2
rhosts => 2.2.2.2
msf auxiliary(scanner/http/iis_internal_ip) > set verbose true
verbose => true
msf auxiliary(scanner/http/iis_internal_ip) > run
[*] 2.2.2.2:443 - Requesting GET / HTTP/1.0
[+] Location Header: https://10.1.1.20/home
[+] Result for 2.2.2.2 found Internal IP: 10.1.1.20
[*] 2.2.2.2:443 - Requesting GET /images HTTP/1.0
[*] 2.2.2.2:443 - Requesting GET /default.htm HTTP/1.0
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
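
To audit responses captured from your own servers or reverse proxies for the disclosure described above, the following added example (not the module's code) checks a raw HTTP response for an internal address in the Location header or in the body. The helper names and both sample responses are constructed for illustration, and "internal" is assumed to mean the RFC 1918 ranges, which is narrower than the 192.x.x.x / 10.x.x.x / 172.x.x.x shorthand used above.

```ruby
require 'ipaddr'

# Assumption: "internal" means RFC 1918 space.
PRIVATE_NETS = %w[10.0.0.0/8 172.16.0.0/12 192.168.0.0/16].map { |n| IPAddr.new(n) }
# Dotted quad that is not part of a longer number/dot run (e.g. a version string).
IPV4_RE = /(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])/

def private_ipv4?(text)
  ip = IPAddr.new(text)
  ip.ipv4? && PRIVATE_NETS.any? { |net| net.include?(ip) }
rescue IPAddr::InvalidAddressError
  false # e.g. 999.1.1.1 matched the regex but is not an address
end

# Returns [{ where:, ip: }] for every internal address a raw response leaks.
def leaked_internal_ips(raw_response)
  head, body = raw_response.split(/\r?\n\r?\n/, 2)
  findings = []
  head.to_s.each_line do |line|
    name, value = line.chomp.split(':', 2)
    next unless value && name.casecmp?('location')
    value.scan(IPV4_RE).flatten.each do |ip|
      findings << { where: :location_header, ip: ip } if private_ipv4?(ip)
    end
  end
  body.to_s.scan(IPV4_RE).flatten.uniq.each do |ip|
    findings << { where: :body, ip: ip } if private_ipv4?(ip)
  end
  findings
end

# Constructed sample: redirect whose Location header carries the backend address.
SAMPLE_REDIRECT = <<~HTTP
  HTTP/1.1 302 Found
  Location: https://10.1.1.20/home
  Content-Length: 0

HTTP

# Constructed sample: PROPFIND-style reply with the address inside the XML body.
SAMPLE_PROPFIND = <<~HTTP
  HTTP/1.1 207 Multi-Status
  Content-Type: text/xml

  <a:multistatus xmlns:a="DAV:"><a:response><a:href>http://192.168.10.5/</a:href></a:response></a:multistatus>
HTTP

[SAMPLE_REDIRECT, SAMPLE_PROPFIND].each { |r| p leaked_internal_ips(r) }
```

A non-empty result for a response served to an external client means the front end is echoing its own address instead of a configured host name.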