Nmap Development mailing list archives

Re: http-iis-short-name-brute.nse BUG?


From: Richard Miles <richard.k.miles () googlemail com>
Date: Wed, 26 Sep 2012 16:58:25 -0500

Hi Jesper,

Thanks for pointing to the research paper. Based on it I see the issue is not
as important as I was expecting; my current understanding is that we can't
access the files via shortnames, we need to guess the full name to access
them.

If we can't find it by simply guessing the name, we look at Google and look in
the fuzzdb database for a similar name. Well, in practice many times this
approach will fail, so I guess the only reliable way is to brute-force the
discovered shortnames. Do you know any tool able to do it? Or maybe could
you add it as a script for nmap? :)

Also, do you know any trick to obtain the contents of web.config? On my test
machine it obviously listed it, but I can't download it since the webserver
(IIS) does not serve it. Is there any trick (maybe ADS related) to force
download of this file?

Thanks

On Tue, Sep 25, 2012 at 5:38 PM, Dev (nmap) <dev.kyckel () gmail com> wrote:

Hi Richard,

Thanks for testing the script.

In regards to your first question, the script only finds the short name of
the files, this means the first 6 letters in the file/folder name and the
last 3 letters of the extension. This means that in the case of, say,
'test~1.asp', the full file name is known, since only 4 letters have been
found, and it seems that the extension also has been found since '.asp' is
a valid extension.  But since only 3 letters of the extension can be found,
the real extension might be (and in this case, it is) '.aspx'.

If you'd like to know more about the inner workings, the original POC
author has written a more in-depth description of the method:
http://code.google.com/p/iis-shortname-scanner-poc/ in the
research file.

The script requires that the service is identified as a 'http' service, so
you could try to add the '-sV' option to your command.

Hope this helps.

Regards,


Jesper

 I'm testing http-iis-short-name-brute.nse and I think that I found two
bugs, or I don't know how to use it properly. I downloaded it from the archive
http://seclists.org/nmap-dev/2012/q3/907

1) I tried it against the vulnerable test page developed by the original
scanner POC (http://www.sdl.me/challe~1)
and I got these results:


PORT   STATE SERVICE
80/tcp open  http
| http-iis-short-name-brute:
|   Folders
|     challe~1
|   Files
|     acsecr~1.htm
|     test1~1.asp
|     test2~1.asm
|     test2~1.asp
|     validf~1.htm
|     validf~2.htm
|_    welcom~1.htm

This looks good; however, if I try to open any of them in my browser all
return 404 (PAGE NOT FOUND), examples:

http://www.sdl.me/challe~1/
http://www.sdl.me/challe~1/acsecr~1.htm
http://www.sdl.me/challe%7E1/acsecr%7E1.htm

http://www.sdl.me/acsecr~1.htm

Is it a bug in the script? Or am I doing something wrong?

2) I tried it against an internal host that I know is vulnerable, but I
can't make the script work since the application is not running on port 80;
in practice it's running on port 8091 and the script does not scan it:

PORT     STATE SERVICE
8091/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds

I called it in the following way:

nmap -PN -sT -sC -p8091 --script http-iis-short-name-brute 10.10.2.9

Is there a way to force it?

Thanks.



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
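As an added example (not from this thread, the Nmap script or the POC), the defender's side of the same requests: a small check that parses constructed IIS W3C log lines (field order is an assumption) and flags clients whose requests use 8.3-style path tokens such as `challe~1` or `acsecr%7E1.htm`, so short-name probing shows up in the logs even when every probe gets a 404.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed IIS W3C log sample for this example, not real traffic.
# Assumed #Fields order; IIS writes spaces inside fields as '+', so a
# whitespace split is safe on real logs with this field set.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2012-09-26 21:50:01 10.10.2.9 GET /index.html - 80 - 192.0.2.10 Mozilla/5.0 200
2012-09-26 21:50:02 10.10.2.9 GET /challe~1/ - 80 - 192.0.2.77 Mozilla/5.0 404
2012-09-26 21:50:02 10.10.2.9 GET /challe~1/acsecr~1.htm - 80 - 192.0.2.77 Mozilla/5.0 404
2012-09-26 21:50:03 10.10.2.9 GET /challe%7E1/acsecr%7E1.htm - 80 - 192.0.2.77 Mozilla/5.0 404
2012-09-26 21:50:04 10.10.2.9 GET /acsecr~1.htm - 80 - 192.0.2.77 Mozilla/5.0 404
2012-09-26 21:50:05 10.10.2.9 GET /about.html - 80 - 192.0.2.10 Mozilla/5.0 200
"""

# Shape of a Windows 8.3 short name as seen in a URL path segment:
# up to 6 base characters, '~' plus a number, optional extension of at most 3.
SEGMENT_RE = re.compile(r"^[^/.]{1,6}~\d+(\.[^/.]{1,3})?$", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def is_short_name_path(uri_stem):
    """True if any path segment looks like an 8.3 short name (after %7E decoding)."""
    path = unquote(uri_stem)  # the thread shows both 'challe~1' and 'challe%7E1'
    return any(SEGMENT_RE.match(seg) for seg in path.split("/") if seg)


def find_short_name_probes(text, threshold=3):
    """Map client IP -> list of (uri, status) for clients with >= threshold probes."""
    hits = defaultdict(list)
    for rec in parse_w3c(text):
        if is_short_name_path(rec["cs-uri-stem"]):
            hits[rec["c-ip"]].append((rec["cs-uri-stem"], rec["sc-status"]))
    return {ip: reqs for ip, reqs in hits.items() if len(reqs) >= threshold}


if __name__ == "__main__":
    for ip, reqs in find_short_name_probes(SAMPLE_LOG).items():
        print(ip, len(reqs), "short-name style requests, statuses:",
              sorted({status for _, status in reqs}))
```

The 404s in the sample are the point: a client that walks several short-name paths and is refused each time is still worth an alert, since the probing itself is the signal.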

