Nmap Development mailing list archives

Re: http-iis-short-name-brute.nse BUG?


From: Patrik Karlsson <patrik () cqure net>
Date: Wed, 26 Sep 2012 02:33:16 +0200

On Wed, Sep 26, 2012 at 12:38 AM, Dev (nmap) <dev.kyckel () gmail com> wrote:

Hi Richard,

Thanks for testing the script.

In regard to your first question, the script only finds the short name of
the files, this means the first 6 letters in the file/folder name and the
last 3 letters of the extension. This means that in the case of, say,
'test~1.asp', the full file name is known, since only 4 letters have been
found, and it seems that the extension also has been found since '.asp' is
a valid extension. But since only 3 letters of the extension can be found,
the real extension might be (and in this case, it is) '.aspx'.

If you'd like to know more about the inner workings, the original POC
author has written a more in-depth description of the method:
http://code.google.com/p/iis-shortname-scanner-poc/ in the research file.

The script requires that the service is identified as a 'http' service, so
you could try to add the '-sV' option to your command.

Hope this helps.

Regards,


Jesper


You could also force script execution by prefixing the script name with a plus
(+), which would execute it against any open port.
Compared to -sV it's a little faster, as Nmap doesn't do any version or
application detection.

//Patrik

-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
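The 8.3 short-name rule discussed above, modelled as an added example (this is not code from the thread, nor from http-iis-short-name-brute.nse or the POC scanner). It assumes the simplified NTFS generation rule (up to 6 base characters, "~1", up to 3 extension characters, with spaces and extra dots dropped), assumes no ~N collisions, and uses a constructed list of file names; it shows why a result such as 'test~1.asp' fixes the base name but leaves the extension ambiguous.

```python
import re

# Constructed sample inventory of long names on a hypothetical IIS host.
SAMPLE_FILES = [
    "default.asp", "test.aspx", "testing.asp", "testpage.aspx",
    "web.config", "configuration.xml", "jquery.min.js",
]


def short_name(long_name: str) -> str:
    """Simplified NTFS 8.3 short name (assumption: no ~N collisions).

    A name that already fits 8.3 is kept (uppercased). Otherwise NTFS
    drops spaces and extra dots, keeps 6 base characters, appends "~1",
    and keeps 3 extension characters. Collision counters (~2, ~3, ...)
    and illegal-character substitution are not modelled here.
    """
    base, dot, ext = long_name.rpartition(".")
    if not dot:                     # no extension at all
        base, ext = long_name, ""
    if not base:                    # leading-dot names have no 8.3 extension
        base, ext = ext, ""
    fits = (len(base) <= 8 and len(ext) <= 3
            and " " not in long_name and "." not in base
            and not long_name.startswith("."))
    if fits:
        return (base + ("." + ext if ext else "")).upper()
    base = re.sub(r"[ .]", "", base)
    ext = ext.replace(" ", "")
    short = base[:6] + "~1"
    if ext:
        short += "." + ext[:3]
    return short.upper()


def interpret(found: str) -> dict:
    """What a discovered short name tells you, following the reasoning in
    the thread: fewer than 6 characters before "~N" means the base name is
    complete; a 3-character extension may be the prefix of a longer one.
    A name without "~N" fitted 8.3 as-is, so both parts are complete."""
    base, dot, ext = found.rpartition(".")
    if not dot:
        base, ext = found, ""
    m = re.fullmatch(r"(.*)~(\d+)", base)
    if m is None:
        return {"base_complete": True, "ext_complete": True}
    return {"base_complete": len(m.group(1)) < 6,
            "ext_complete": len(ext) < 3}


def candidates(found: str, inventory: list) -> list:
    """Long names in `inventory` that the discovered short name could stand
    for. IIS matches case-insensitively, so compare lowercased."""
    return [n for n in inventory if short_name(n).lower() == found.lower()]


if __name__ == "__main__":
    for f in SAMPLE_FILES:
        print(f"{f:18} -> {short_name(f)}")
    for found in ("test~1.asp", "config~1.xml", "default.asp"):
        print(found, interpret(found), candidates(found, SAMPLE_FILES))
```

Run against real scan output, `interpret()` tells you which part of each result still needs guessing (the extension for 'test~1.asp', both parts for 'config~1.xml'), and `candidates()` is the check to apply once you have a wordlist or a directory listing from another source.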

