Nmap Development mailing list archives

http-iis-short-name-brute.nse BUG?


From: Richard Miles <richard.k.miles () googlemail com>
Date: Tue, 25 Sep 2012 17:16:40 -0500

Hi,

I'm testing http-iis-short-name-brute.nse and I think that I found two
bugs, or I don't know how to use it properly. I downloaded it from the archive
http://seclists.org/nmap-dev/2012/q3/907

1) I tried against the vulnerable test page developed by the original
scanner POC (http://www.sdl.me/challe~1) and I got these results:

PORT   STATE SERVICE
80/tcp open  http
| http-iis-short-name-brute:
|   Folders
|     challe~1
|   Files
|     acsecr~1.htm
|     test1~1.asp
|     test2~1.asm
|     test2~1.asp
|     validf~1.htm
|     validf~2.htm
|_    welcom~1.htm

This looks good; however, if I try to open any of them in my browser, they all
return 404 (PAGE NOT FOUND). Examples:

http://www.sdl.me/challe~1/
http://www.sdl.me/challe~1/acsecr~1.htm
http://www.sdl.me/acsecr~1.htm

Is it a BUG in the script? Or am I doing something wrong?

2) I tried against an internal host that I know is vulnerable, but I
can't make the script work since the application is not running on port 80.
In practice it's running on port 8091 and the script does not scan it:

PORT     STATE SERVICE
8091/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds

I called it in the following way:

nmap -PN -sT -sC -p8091 --script http-iis-short-name-brute 10.10.2.9

Is there a way to force it?

Thanks.
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
