It is interesting that global.asa has never caught the eye of penetration testers while fingerprinting an IIS web server. (Could not find any tool that does it.)
I have a simple Python script called gr.py, which does a GET request for
global.asa and prints the web server version reported and the HTTP status returned.
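#!/usr/bin/env python3
# gr.py: request /global.asa and print the Server header and HTTP status.
import http.client
import sys

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: gr.py <host>")
    z = http.client.HTTPConnection(sys.argv[1], timeout=10)
    z.request('GET', '/global.asa')
    a = z.getresponse()
    # The Server header may be absent, so fall back to a placeholder.
    print('+ Web Server: ' + a.getheader('Server', 'unknown'))
    print('+ Status : %d' % a.status)
    z.close()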
Let's run it on a few web servers and see.
#gr.py ccb3.nic.in
+ Web Server: Microsoft-IIS/5.0
+ Status : 500
#gr.py www.santabanta.com
+ Web Server: Microsoft-IIS/6.0
+ Status : 404
As you can see, for IIS versions below 6.0 the server
returns a 500 status and the web browser says
HTTP Error 500-15 - Requests for global.asa not allowed
Internet Information Services
It seems this was fixed with IIS 6.0 in Windows Server 2003,
where the server returns 404.
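To spot this kind of probe from the server side, the following added example (not part of the original post) scans IIS W3C extended logs for requests to global.asa and groups the returned statuses by client. The log lines, addresses and function names are constructed for illustration.

```python
# Added example: flag requests for global.asa in IIS W3C extended logs.
# SAMPLE_LOG is constructed; the addresses come from documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-substatus
2006-10-22 23:40:01 192.0.2.10 GET /default.asp 200 0
2006-10-22 23:40:05 192.0.2.77 GET /global.asa 404 0
2006-10-22 23:40:09 192.0.2.77 GET /Global.ASA 404 0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2006-10-22 23:41:12 198.51.100.4 GET /app/global.asa 500
2006-10-22 23:41:15 198.51.100.4 GET /images/logo.gif 200
"""


def find_global_asa_probes(log_text):
    """Return one dict per logged request whose URI stem is global.asa."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # The column layout can change mid-file; use the latest one.
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated record
        rec = dict(zip(fields, values))
        stem = rec.get("cs-uri-stem", "")
        # IIS treats paths case-insensitively, so compare in lower case.
        if stem.lower().rsplit("/", 1)[-1] != "global.asa":
            continue
        status = rec.get("sc-status", "")
        hits.append({"client": rec.get("c-ip", "-"), "uri": stem,
                     "status": int(status) if status.isdigit() else None})
    return hits


def probes_by_client(hits):
    """Group the statuses returned for global.asa per client IP."""
    grouped = {}
    for hit in hits:
        grouped.setdefault(hit["client"], []).append(hit["status"])
    return grouped


if __name__ == "__main__":
    for ip, codes in sorted(probes_by_client(find_global_asa_probes(SAMPLE_LOG)).items()):
        print("%s requested global.asa %d time(s): %s" % (ip, len(codes), codes))
```

Legitimate clients have no reason to request global.asa, so any hit is worth reviewing alongside the rest of that client's requests.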
by warl0ck on October 22nd, 2006 at 11:41 pm