Nmap Development mailing list archives
Re: http-iis-short-name-brute.nse BUG?
From: "Dev (nmap)" <dev.kyckel () gmail com>
Date: Wed, 26 Sep 2012 00:38:26 +0200
Hi Richard,

Thanks for testing the script. In regards to your first question, the script only finds the short name of the files, this means the first 6 letters in the file/folder name and the last 3 letters of the extension. This means that in the case of, say, 'test~1.asp', the full file name is known, since only 4 letters have been found, and it seems that the extension also has been found since '.asp' is a valid extension. But since only 3 letters of the extension can be found, the real extension might be (and in this case, it is) '.aspx'.
If you'd like to know more about the inner workings, the original POC author has written a more in-depth description of the method: http://code.google.com/p/iis-shortname-scanner-poc/ in the research file.
The script requires that the service is identified as a 'http' service, so you could try to add the '-sV' option to your command.
Hope this helps.

Regards,
Jesper
I'm testing http-iis-short-name-brute.nse and I think that I found two bugs, or I don't know how to use it properly. I downloaded it from the archive http://seclists.org/nmap-dev/2012/q3/9071

1) I tried against the vulnerable test page developed by the original scanner POC (http://www.sdl.me/challe~1) and I got these results:

PORT   STATE SERVICE
80/tcp open  http
| http-iis-short-name-brute:
|   Folders
|     challe~1
|   Files
|     acsecr~1.htm
|     test1~1.asp
|     test2~1.asm
|     test2~1.asp
|     validf~1.htm
|     validf~2.htm
|_    welcom~1.htm

This looks good, however, if I try to open any of them in my browser all return 404 (PAGE NOT FOUND), examples:
http://www.sdl.me/challe~1/
http://www.sdl.me/challe~1/acsecr~1.htm
http://www.sdl.me/acsecr~1.htm

Is it a BUG in the script? Or am I doing something wrong?

2) I tried against an internal host that I know is vulnerable, but I can't make the script work since the application is not running on port 80; in practice it's running on port 8091 and the script does not scan it:

PORT     STATE SERVICE
8091/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds

I called it in the following way: nmap -PN -sT -sC -p8091 --script http-iis-short-name-brute 10.10.2.9

Is there a way to force it? Thanks.
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
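As an added illustration (not part of this thread or of the NSE script), a Python sketch of the 8.3 short-name rule Jesper describes: the first 6 characters of the base name, a ~n collision index, and the first 3 characters of the extension. `exposed_aliases` lets a site owner list which names in a web root would get such an alias at all, and `explains` checks whether a candidate full name maps to a listed short name (so 'test1~1.asp' can stand for 'test1.aspx' but never for 'test1.asp', which already fits 8.3). The file names are constructed, and the algorithm is the simplified numeric form, without the hash suffix Windows switches to after the fourth collision.

```python
import re
from collections import Counter

# Characters NTFS keeps in an 8.3 name; anything else becomes '_' (spaces are dropped).
_OK = re.compile(r"[^A-Z0-9!#$%&'()\-@^_`{}~]")
_STRICT_83 = re.compile(r"[A-Z0-9!#$%&'()\-@^_`{}~]{1,8}(\.[A-Z0-9!#$%&'()\-@^_`{}~]{1,3})?")


def short_name(long_name: str, n: int = 1) -> str:
    """8.3 alias NTFS derives for long_name: first 6 base characters, ~n,
    first 3 extension characters. Simplified: numeric suffix only, not the
    hash form Windows uses after the fourth collision. A name that already
    fits 8.3 gets no alias and is returned uppercased as-is."""
    name = long_name.upper()
    if _STRICT_83.fullmatch(name):
        return name
    name = name.replace(' ', '').lstrip('.')
    base, dot, ext = name.rpartition('.')
    if not dot:                      # no extension at all
        base, ext = name, ''
    base = _OK.sub('_', base.replace('.', ''))[:6]
    ext = _OK.sub('_', ext)[:3]
    return f"{base}~{n}" + (f".{ext}" if ext else '')


def explains(short: str, full: str) -> bool:
    """True if the long name `full` would be listed as `short` by the scanner,
    i.e. its derived 8.3 alias equals `short` (case-insensitive)."""
    m = re.fullmatch(r'[^~]*~(\d+)(?:\.[^.]*)?', short)
    return bool(m) and short_name(full, int(m.group(1))).lower() == short.lower()


def exposed_aliases(names):
    """Map each name in a web root that gets a distinct 8.3 alias to that
    alias, numbering collisions ~1, ~2, ... in the order given (the order
    NTFS assigns as files are created)."""
    groups = Counter()
    aliases = {}
    for name in names:
        first = short_name(name, 1)
        if first == name.upper():    # already 8.3: nothing extra is exposed
            continue
        groups[first] += 1           # the ~1 form identifies the collision group
        aliases[name] = short_name(name, groups[first])
    return aliases


# Constructed web-root listing modelled on the names in the scan output above.
WEBROOT = ['challenge', 'test1.aspx', 'test2.asmx', 'test2.aspx',
           'validfile1.htm', 'validfile2.htm', 'welcome.html', 'index.htm']

if __name__ == '__main__':
    for long, short in exposed_aliases(WEBROOT).items():
        print(f'{short:16} <- {long}')
```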
Current thread:
- http-iis-short-name-brute.nse BUG? Richard Miles (Sep 25)
- Re: http-iis-short-name-brute.nse BUG? Dev (nmap) (Sep 25)
- Re: http-iis-short-name-brute.nse BUG? Patrik Karlsson (Sep 25)
- Re: http-iis-short-name-brute.nse BUG? Dev (nmap) (Sep 26)
- Re: http-iis-short-name-brute.nse BUG? Richard Miles (Sep 26)
- Re: http-iis-short-name-brute.nse BUG? Richard Miles (Sep 26)
- Re: http-iis-short-name-brute.nse BUG? Dev (nmap) (Sep 27)
- Re: http-iis-short-name-brute.nse BUG? Richard Miles (Sep 28)
- Re: http-iis-short-name-brute.nse BUG? Patrik Karlsson (Sep 25)
- Re: http-iis-short-name-brute.nse BUG? Dev (nmap) (Sep 25)