In my last blog I showed how to use native Windows tools to break out of DMZ networks by decrypting database connection strings in IIS web.config files, and using them to pivote through SQL Servers. If you're interested it can be found at Decrypting IIS Passwords to Break Out of the DMZ: Part 1. In this blog I'll cover how to decrypt application pool and virtual directory credentials stored in the IIS applicationHost.config file, and use them to pivot through services commonly available through the DMZ firewall. This should be interesting to administrators and penetration testers trying to gain a better understanding what the applicationHost.config does and its value to attackers.
more here.............https://www.netspi.com/blog/entryid/226/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2
more here.............https://www.netspi.com/blog/entryid/226/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2