Nmap Development mailing list archives

Re: http-iis-short-name-brute.nse BUG?


From: Richard Miles <richard.k.miles () googlemail com>
Date: Wed, 26 Sep 2012 16:58:50 -0500

Hi Patrik,

It worked very well, thanks. :)

On Tue, Sep 25, 2012 at 7:33 PM, Patrik Karlsson <patrik () cqure net> wrote:



On Wed, Sep 26, 2012 at 12:38 AM, Dev (nmap) <dev.kyckel () gmail com> wrote:

Hi Richard,

Thanks for testing the script.

In regards to your first question, the script only finds the short name
of the files, this means the first 6 letters in the file/folder name and
the last 3 letters of the extension. This means that in the case of, say,
'test~1.asp', the full file name is known, since only 4 letters have been
found, and it seems that the extension also has been found since '.asp' is
a valid extension.  But since only 3 letters of the extension can be found,
the real extension might be (and in this case, it is) '.aspx'.

If you'd like to know more about the inner workings, the original POC
author has written a more in-depth description of the method:
http://code.google.com/p/iis-shortname-scanner-poc/ in the
research file.

The script requires that the service is identified as a 'http' service,
so you could try to add the '-sV' option to your command.

Hope this helps.

Regards,


Jesper


You could also force script execution by prefixing the script with a plus
(+) which would execute it against any open port.
Comparing to -sV it's a little faster as Nmap doesn't do any version or
application detection.

//Patrik

--
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
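The explanation above (6 characters of the base name, 3 of the extension, so 'test~1.asp' may really be 'test.aspx') follows from how Windows generates 8.3 short names. The following is an added example, not code from the nmap script or from anyone in the thread: a small model of the common-case 8.3 rule, plus a helper that expands a short name reported by the scanner back into candidate long names from a wordlist. The wordlist is constructed for the demonstration, and the set of characters treated as illegal in 8.3 names is an assumption (the common subset).

```python
# Added example (not code from the nmap script or the thread): a model of the
# Windows 8.3 short-name rule that http-iis-short-name-brute relies on, plus a
# helper that expands a reported short name back into candidate long names.
#
# Rules modelled (the common case documented by Microsoft):
#   * a name that already fits 8.3 (base <= 8, extension <= 3, one dot, no
#     spaces, no characters illegal in 8.3) gets NO tilde short name at all
#   * otherwise the short name is: first 6 characters of the base + "~N"
#     + first 3 characters of the extension, upper-cased, spaces and extra
#     dots removed, illegal characters replaced by "_"
# Caveat: after four collisions NTFS switches to a hashed form
# ("TE" + 4 hex digits + "~N"); that case is deliberately not modelled here.

import re
from typing import List, Optional

# Characters legal in long names but not in 8.3 names.
# Assumption: this is the common subset; Microsoft's full list is longer.
_ILLEGAL_8DOT3 = set('+,;=[]')


def fits_8dot3(long_name: str) -> bool:
    """True when the file name already satisfies the 8.3 form."""
    if ' ' in long_name or long_name.startswith('.') or long_name.count('.') > 1:
        return False
    base, _, ext = long_name.partition('.')
    if not base or len(base) > 8 or len(ext) > 3:
        return False
    return not any(c in _ILLEGAL_8DOT3 for c in base + ext)


def short_name(long_name: str, index: int = 1) -> Optional[str]:
    """Return the 8.3 short name Windows would generate for long_name, or
    None if the name is already 8.3-compliant (no tilde name exists) or
    index is outside the non-hashed range 1..4."""
    if fits_8dot3(long_name) or not 1 <= index <= 4:
        return None
    name = long_name.upper().replace(' ', '').lstrip('.')
    base, _, ext = name.rpartition('.')
    if not base:            # no dot at all: rpartition put everything in ext
        base, ext = ext, ''
    base = ''.join('_' if c in _ILLEGAL_8DOT3 else c for c in base.replace('.', ''))
    ext = ''.join('_' if c in _ILLEGAL_8DOT3 else c for c in ext)
    short = f"{base[:6]}~{index}"
    return f"{short}.{ext[:3]}" if ext else short


def base_is_complete(found_short: str) -> bool:
    """A base shorter than 6 characters was never truncated, so (modulo removed
    spaces/dots and replaced characters) the whole base name is already known.
    This is the 'test~1.asp' case from the thread; the extension stays ambiguous."""
    base = found_short.split('~', 1)[0]
    return len(base) < 6


def candidates_for(found_short: str, wordlist: List[str]) -> List[str]:
    """Expand a short name reported by the scanner (e.g. 'test~1.asp') into the
    wordlist entries that would produce exactly that short name."""
    m = re.search(r'~(\d+)', found_short)
    index = int(m.group(1)) if m else 1
    target = found_short.upper()
    return [w for w in wordlist if short_name(w, index) == target]


# Constructed wordlist for the demonstration.
WORDLIST = ["test.asp", "test.aspx", "test.php", "testing.aspx",
            "default.aspx", "web.config", "index.html", "aspnet_client"]

if __name__ == "__main__":
    for found in ("test~1.asp", "web~1.con", "defaul~1.asp", "aspnet~1"):
        print(found, "base complete:", base_is_complete(found),
              "candidates:", candidates_for(found, WORDLIST))
```

Note that 'test.asp' is never a candidate for 'test~1.asp': a name that already fits 8.3 has no tilde short name, so the scanner cannot see it. Only names that needed shortening (here 'test.aspx', with its 4-character extension) show up, which is exactly why the reported '.asp' has to be treated as a 3-character prefix of the real extension.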

