Internet Information Services (IIS)

Internet Information Services (IIS) is a niche web-server developed by Microsoft and mainly used on Active Directory networks.

IIS Pentester Notes ☠️

IIS Tilde Enumeration


Windows 8.3 filename, often called short name, is a mechanism on old versions of Windows to create an alias for long filenames. It's still present in modern versions of Windows.

$ echo "x" > areallylongfilename.extension
$ dir /x
... AREALL~1.EXT areallylongfilename.extension
$ type AREALL~1.EXT

The tilde number ~1 is an incremental value that can be iterated if there are multiple files matching "AREALL[...].EXT".

This can be used on an IIS server to discover files, while it doesn't expose the full name of the file. You can use IIS-ShortName-Scanner (1.2k ⭐) or its newer implementation shortscan (0.4k ⭐).

$ go install
$ sudo ln -s /home/<username>/go/bin/shortscan /usr/local/bin/shortscan
$ shortscan

You may then try to brute force the full name from text_found, while shortscan will display potential values that you may try first.

$ grep -r ^text_found /usr/share/wordlists/ | sed 's/^[^:]*://' > custom.lst
$ gobuster dir -u URL -w custom.lst -x extension

πŸ‘» To-do πŸ‘»

Stuff that I found, but never read/used yet.

  • %WinDir%\System32\Inetsrv\Config\ApplicationHost.config: configuration file
  • Window Version to infer IIS version (default one)


  • IIS v6 RCE (iis_webdav_scstoragepathfromurl)