Internet Information Services (IIS)

Internet Information Services (IIS) is a niche web server developed by Microsoft and mainly used on Active Directory networks.


IIS Pentester Notes ☠️

IIS Tilde Enumeration

attacking_common_applications

Windows 8.3 filename, often called short name, is a mechanism on old versions of Windows to create an alias for long filenames. It's still present in modern versions of Windows.

$ echo "x" > areallylongfilename.extension
$ dir /x
... AREALL~1.EXT areallylongfilename.extension
$ type AREALL~1.EXT

The tilde number ~1 is an incremental value that can be iterated if there are multiple files matching "AREALL[...].EXT".

On an IIS server, these short names can be used to discover that files and directories exist, even though the short name alone doesn't expose the full file name. You can use IIS-ShortName-Scanner (1.2k ⭐) or its newer implementation shortscan (0.4k ⭐).

$ go install github.com/bitquark/shortscan/cmd/shortscan@latest
$ sudo ln -s /home/<username>/go/bin/shortscan /usr/local/bin/shortscan
$ shortscan http://10.129.189.72

You may then try to brute force the full name from the prefix you found (text_found below), e.g. by filtering a wordlist down to entries starting with it; shortscan will also display potential values that you may try first.

$ grep -r ^text_found /usr/share/wordlists/ | sed 's/^[^:]*://' > custom.lst
$ gobuster dir -u URL -w custom.lst -x extension
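As an added example (not from these notes or from shortscan), a Python filter that does what the grep above does but more precisely: it computes the 8.3 alias of every wordlist entry under a simplified model of the Windows rules and keeps only the entries that collapse to the enumerated short name, so "areally.ext" (already a valid 8.3 name, hence no alias) is not tried for AREALL~1.EXT. The rule set is an assumption: invalid characters become "_", spaces and extra dots are dropped, and the hash-based short names Windows switches to after several collisions are ignored.

```python
import re

# Characters Windows allows in an 8.3 name; anything else becomes "_".
_BAD = re.compile(r"[^A-Z0-9!#$%&'()\-@^_`{}~]")

def _split(long_name: str):
    """Upper-case base/extension split used by the 8.3 rules (spaces dropped,
    all dots except the last removed, a leading-dot name treated as base)."""
    name = long_name.upper().replace(" ", "")
    base, dot, ext = name.rpartition(".")
    if not dot or not base:          # no extension, or ".htaccess"-style name
        base, ext = name.lstrip("."), ""
    return base.replace(".", ""), ext

def needs_alias(long_name: str) -> bool:
    """True when Windows would create a short name (long name is not valid 8.3)."""
    base, ext = _split(long_name)
    plain = long_name.upper()
    return (len(base) > 8 or len(ext) > 3 or " " in plain
            or plain.count(".") > 1 or bool(_BAD.search(base + ext)))

def short_name(long_name: str) -> str:
    """8.3 alias with the collision counter left as 'N' (simplified model:
    the hash-style names Windows uses after several collisions are ignored)."""
    base, ext = _split(long_name)
    base, ext = _BAD.sub("_", base)[:6], _BAD.sub("_", ext)[:3]
    return f"{base}~N" + (f".{ext}" if ext else "")

def parse_tilde(found: str):
    """Split an enumerated name such as 'AREALL~1.EXT' into (prefix, ext)."""
    m = re.fullmatch(r"([^~.]{1,6})~\d+(?:\.([^.]{1,3}))?", found.upper())
    if not m:
        raise ValueError(f"not an 8.3 tilde name: {found}")
    return m.group(1), m.group(2) or ""

def candidates(found: str, wordlist):
    """Wordlist entries whose 8.3 alias matches the enumerated short name."""
    prefix, ext = parse_tilde(found)
    target = f"{prefix}~N" + (f".{ext}" if ext else "")
    return [w for w in (x.strip() for x in wordlist)
            if w and needs_alias(w) and short_name(w) == target]

if __name__ == "__main__":
    # Constructed sample wordlist (not from the page); in practice read custom.lst.
    words = ["areallylongfilename.extension", "areally.ext", "index.html",
             "area.extension", "areallysecret.extras", "web.config"]
    print(candidates("AREALL~1.EXT", words))
```

Feed the surviving entries to gobuster as the wordlist instead of the raw grep output.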

👻 To-do 👻

Stuff that I found, but never read/used yet.

  • %WinDir%\System32\Inetsrv\Config\ApplicationHost.config: configuration file
  • Windows version to infer the IIS version (the default one shipped with that Windows release)

granny

  • IIS v6 RCE (iis_webdav_scstoragepathfromurl)