23.-IIS-tilde-enumeration

1. IIS Tilde Enumeration Concept

• IIS generates 8.3 short file names for files and directories.

• These short names can be accessed using the tilde (~) character in URLs.

• This technique helps uncover hidden resources.

• The 8.3 filename format consists of 8 characters, a period, and a 3-character extension.

  • Example: SecretDocuments becomes SECRET~1

  • Example file: somefile.txt becomes SOMEFI~1.TXT

• If two files have similar names, the number after the tilde increments.

• Affected Versions: IIS 5.0, IIS 6.0, IIS 7.0, IIS 7.5, IIS 8.0, IIS 8.5.

---

2. Enumeration Process

1. Send HTTP requests with tilde and character combinations.

2. Analyze server responses (200 OK indicates a valid short name).

3. Iteratively refine the short name.

4. Once the short name is found, access files within that directory.

---

3. Enumeration Commands and Tools

Nmap Port and Service Scan

nmap -p- -sV -sC --open <target_ip>

• Scans all ports, performs service version detection, runs default scripts, and displays open ports.

IIS ShortName Scanner (Java)

java -jar iis_shortname_scanner.jar 0 5 http://<target_ip>/

• Automates tilde enumeration.

• Requires Java to be installed.

Wordlist Generation (egrep and sed)

egrep -r ^transf /usr/share/wordlists/* | sed 's/^[^:]*://' > /tmp/list.txt

• Generates a wordlist from files containing the string transf.

Gobuster Directory Bruteforcing

gobuster dir -u http://<target_ip>/ -w /tmp/list.txt -x .aspx,.asp

• Brute-forces directories and files using the generated wordlist and specified extensions.

---

4. Command Breakdown

Nmap:

• -p- : Scan all ports.

• -sV : Perform service version detection.

• -sC : Run default scripts.

• --open : Show only open ports.

IIS ShortName Scanner:

• 0 : Start position.

• 5 : Maximum length of short file name.

• http://<target_ip>/ : Target URL.

egrep:

• -r : Recursive search.

• ^transf : Lines starting with "transf".

sed:

• 's/^[^:]*://' : Remove text before the first colon.

Gobuster:

• -u : Target URL.

• -w : Wordlist file.

• -x : File extensions.

---

5. Practical Example

Sample Enumeration Output:

200 OK - /SECRET~1
200 OK - /DOCUME~1/FILE.TXT
403 Forbidden - /ADMIN~1

This output suggests:

• /SECRET~1 is a valid directory.

• /DOCUME~1/FILE.TXT is an accessible file.

• /ADMIN~1 exists but is restricted.

---

6. Mitigation Strategies

• Disable 8.3 File Name Support:

  fsutil behavior set disable8dot3 1

• Block tilde-based requests using URL Rewrite Rules in IIS.

• Harden IIS configuration by restricting directory listings and permissions.

• Regularly update IIS to mitigate known vulnerabilities.

---

7. Key Points

• IIS tilde enumeration exploits a vulnerability in IIS's handling of short file names.

• Tools like IIS ShortName Scanner and Gobuster automate the enumeration process.

• Wordlists can be generated to target specific file names.

• Nmap is used for initial port and service enumeration.

• Java is required to run the IIS short name scanner.

• Gobuster and wordlist generation help find the full file name from the 8.3 short file name.

• Mitigation strategies should be implemented to prevent unauthorized access.