Nmap Development mailing list archives

Re: http-iis-short-name-brute.nse BUG?


From: "Dev (nmap)" <dev.kyckel () gmail com>
Date: Thu, 27 Sep 2012 17:24:37 +0200

Hi Richard,

I've thought about adding some kind of procedure for detecting/brute-forcing the last part of the name, maybe by combining the found folders with "http-folders.txt", but I haven't come up with anything useful yet. But if I do, I'll add it to the script.

In regards to the web.config file, the only thing I can think of right now is the MS10-070 vulnerability.

- Jesper

Hi Jesper,

Thanks for pointing out the research paper. Based on it, I see the issue is not as important as I was expecting; my current understanding is that we can't access the files via short names, we need to guess the full name to access them.

If we can't find it by simply guessing the name, we can look at Google or the fuzzdb database for a similar name. In practice this approach will often fail, so I guess the only reliable way is to brute-force the discovered short names. Do you know any tool able to do it? Or maybe you could add it as a script for nmap? :)

Also, do you know any trick to obtain the contents of web.config? On my test machine it was obviously listed, but I can't download it since the web server (IIS) does not serve it. Is there any trick (maybe ADS related) to force a download of this file?

Thanks

On Tue, Sep 25, 2012 at 5:38 PM, Dev (nmap) <dev.kyckel () gmail com> wrote:

    Hi Richard,

    Thanks for testing the script.

    In regards to your first question, the script only finds the short
    name of the files, this means the first 6 letters in the
    file/folder name and the last 3 letters of the extension. This
    means that in the case of, say, 'test~1.asp', the full file name
    is known, since only 4 letters have been found, and it seems that
    the extension also has been found since '.asp' is a valid
    extension.  But since only 3 letters of the extension can be
    found, the real extension might be (and in this case, it is) '.aspx'.

    If you'd like to know more about the inner workings, the original
    POC author has written a more in-depth description of the method:
    http://code.google.com/p/iis-shortname-scanner-poc/ in the
    research file.

    The script requires that the service is identified as a 'http'
    service, so you could try to add the '-sV' option to your command.

    Hope this helps.

    Regards,


    Jesper

        I'm testing http-iis-short-name-brute.nse and I think that I
        found two bugs, or I don't know how to use it properly. I
        downloaded it from the archive
        http://seclists.org/nmap-dev/2012/q3/907

        1) I tried it against the vulnerable test page developed by the
        original scanner POC (http://www.sdl.me/challe~1)
        and I got these results:


        PORT   STATE SERVICE
        80/tcp open  http
        | http-iis-short-name-brute:
        |   Folders
        |     challe~1
        |   Files
        |     acsecr~1.htm
        |     test1~1.asp
        |     test2~1.asm
        |     test2~1.asp
        |     validf~1.htm
        |     validf~2.htm
        |_    welcom~1.htm

        This looks good, however, if I try to open any of them in my
        browser, all return 404 (PAGE NOT FOUND), examples:

        http://www.sdl.me/challe~1/
        http://www.sdl.me/challe~1/acsecr~1.htm
        http://www.sdl.me/acsecr~1.htm


        Is it a BUG on the script? Or am I doing something wrong?

        2) I tried it against an internal host that I know is
        vulnerable, but I can't make the script work since the
        application is not running on port 80; in practice it's
        running on port 8091 and the script does not scan it:

        PORT     STATE SERVICE
        8091/tcp open  unknown

        Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds

        I called it in the following way:

        nmap -PN -sT -sC -p8091 --script http-iis-short-name-brute
        10.10.2.9

        Is there a way to force it?

        Thanks.




_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
