Re: [NSE] http-iis-short-name-brute.nse

[Paulino Calderon Pale <paulino () calderonpale com>]

On 09/18/2012 04:18 PM, David Fifield wrote:
> On Sun, Sep 16, 2012 at 05:12:19PM +0200, Dev (nmap) wrote:
> > Hi List,
> >
> > Attached is a NSE implementation of "iis-shortname-scanner-poc" from
> > http://code.google.com/p/iis-shortname-scanner-poc/ .
> >
> > The script searches for the short name of files and dirs, example output:
> >
> > PORT   STATE SERVICE REASON
> > 80/tcp open  http
> > | http-iis-short-name-brute:
> > |   Folders
> > |     aspnet~1
> > |   Files
> > |     sql~1.bak
> > |_    test~1.php
> >
> > It still needs some testing, but currently I don't have access to an
> > affected IIS installation. Any chance someone  here has access to an
> > IIS installation and can test it (or grant me permission to test on
> > the platform) ?
> This script is fine with me, if you can get some testing results.
>
> David Fifield
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/
Hi list,

This week at work I stumbled again with this vulnerability and the 
script worked flawlessly in one instance but it returned false positive 
results against another server (All pages were returning 404 and the 
script was saving them as valid directories). I'm attaching the updated 
version with my patch. This version worked as expected in my environment 
but I would appreciate some help testing it against different ASP.NET 
versions.

What do you guys think about including this script to the repository? 
None of the major commercial scanners detected this vulnerability except 
for Nmap and it has come very handy during pentests...

Cheers!

Attachment: http-iis-short-name-brute.nse
Description:

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/