Nmap Development mailing list archives
Re: http-iis-short-name-brute.nse BUG?
From: "Dev (nmap)" <dev.kyckel () gmail com>
Date: Thu, 27 Sep 2012 17:24:37 +0200
Hi Richard,

I've thought about adding some kind of procedure for detecting/brute-forcing the last part of the name, maybe by combining the found folders with "http-folders.txt", but I haven't come up with anything useful yet. But if I do, I'll add it to the script.
In regards to the web.config file, the only thing I can think of right now, is the MS10-070 vulnerability.
- Jesper
> Hi Jesper,
>
> Thanks for pointing out the research paper. Based on it I see the issue is not as important as I was expecting; my current understanding is that we can't access the files via short names, we need to guess the full name to access them. If we can't find it by simply guessing the name, we can look at Google or in the fuzzdb database for a similar name. Well, in practice this approach will often fail, so I guess the only reliable way is to brute-force the discovered short names. Do you know any tool able to do it? Or maybe could you add it as a script for nmap? :)
>
> Also, do you know any trick to obtain the contents of web.config? On my test machine it obviously listed it, but I can't download it since the webserver (IIS) does not serve it. Is there any trick (maybe ADS related) to force a download of this file?
>
> Thanks
>
> On Tue, Sep 25, 2012 at 5:38 PM, Dev (nmap) <dev.kyckel () gmail com> wrote:
>
>> Hi Richard,
>>
>> Thanks for testing the script. In regards to your first question, the script only finds the short name of the files, this means the first 6 letters in the file/folder name and the last 3 letters of the extension. This means that in the case of, say, 'test~1.asp', the full file name is known, since only 4 letters have been found, and it seems that the extension also has been found since '.asp' is a valid extension. But since only 3 letters of the extension can be found, the real extension might be (and in this case, it is) '.aspx'. If you'd like to know more about the inner workings, the original POC author has written a more in-depth description of the method: http://code.google.com/p/iis-shortname-scanner-poc/ in the research file.
>>
>> The script requires that the service is identified as a 'http' service, so you could try to add the '-sV' option to your command.
>>
>> Hope this helps.
>>
>> Regards,
>> Jesper
>>
>>> I'm testing http-iis-short-name-brute.nse and I think that I found two bugs, or I don't know how to use it properly.
>>>
>>> I downloaded it from archive http://seclists.org/nmap-dev/2012/q3/907
>>>
>>> 1) I tried against the vulnerable test page developed by the original scanner POC (http://www.sdl.me/challe~1) and I got these results:
>>>
>>>     PORT   STATE SERVICE
>>>     80/tcp open  http
>>>     | http-iis-short-name-brute:
>>>     |   Folders
>>>     |     challe~1
>>>     |   Files
>>>     |     acsecr~1.htm
>>>     |     test1~1.asp
>>>     |     test2~1.asm
>>>     |     test2~1.asp
>>>     |     validf~1.htm
>>>     |     validf~2.htm
>>>     |_    welcom~1.htm
>>>
>>> This looks good, however, if I try to open any of them in my browser all return 404 (PAGE NOT FOUND), examples:
>>>
>>>     http://www.sdl.me/challe~1/
>>>     http://www.sdl.me/challe~1/acsecr~1.htm
>>>     http://www.sdl.me/acsecr~1.htm
>>>
>>> Is it a BUG in the script? Or am I doing something wrong?
>>>
>>> 2) I tried against an internal host that I know is vulnerable, but I can't make the script work since the application is not running on port 80; in practice it's running on port 8091 and the script does not scan it:
>>>
>>>     PORT     STATE SERVICE
>>>     8091/tcp open  unknown
>>>
>>>     Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds
>>>
>>> I called it in the following way:
>>>
>>>     nmap -PN -sT -sC -p8091 --script http-iis-short-name-brute 10.10.2.9
>>>
>>> Is there a way to force it?
>>>
>>> Thanks.
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
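As an added illustration of the 8.3 short-name behaviour Jesper describes above (first 6 characters of the base name, a "~N" collision counter, first 3 characters of the extension), not code from the thread or from the Nmap script: a small Python model that derives the short name Windows would assign to a long file name, reports what a recovered short name does and does not reveal, and checks whether a wordlist candidate could map to it. The counter handling and character stripping are simplified assumptions; the file names are constructed from the thread's own scan output.

```python
import re

# Short name grammar from the thread: up to 6 base characters, "~N", and an
# optional extension of up to 3 characters (e.g. "validf~2.htm", "challe~1").
SHORT_RE = re.compile(r'^([^~.]{1,6})~(\d+)(?:\.([^.]{1,3}))?$')

def short_name(long_name, taken=()):
    """8.3 name Windows would give `long_name`, or None when the name already
    fits 8.3 (no short name is generated then). `taken` holds short names already
    present in the directory; they drive the ~N counter. Simplified model: the
    counter only increments (Windows switches to a hash scheme after ~4), and
    only spaces and extra dots are stripped from the base name."""
    name = long_name.lower()
    base, _, ext = name.rpartition('.') if '.' in name else (name, '', '')
    if not base:                      # ".htaccess" style: the whole thing is the base
        base, ext = ext, ''
    base = base.replace(' ', '').replace('.', '')
    ext = ext.replace(' ', '')
    if len(base) <= 8 and len(ext) <= 3 and name == (base + '.' + ext if ext else base):
        return None
    for n in range(1, 10):
        short = f"{base[:6]}~{n}" + (f".{ext[:3]}" if ext else '')
        if short not in taken:
            return short
    return None                       # ~10 and beyond not modelled

def reveals(short):
    """What a recovered short name tells a defender about the real file name."""
    m = SHORT_RE.match(short.lower())
    if not m:
        raise ValueError(f"not an 8.3 short name: {short}")
    base, _, ext = m.groups()
    base_complete = len(base) < 6     # fewer than 6 chars: nothing was cut off
    ext_complete = ext is None or len(ext) < 3
    return {
        "base_prefix": base, "base_complete": base_complete,
        "ext_prefix": ext, "ext_complete": ext_complete,
        # A short name only exists because the long name broke 8.3, so a complete
        # base with a 3-character extension means the real extension is longer
        # (as with test1~1.asp -> test1.aspx in the thread).
        "ext_longer_than_3": base_complete and ext is not None and len(ext) == 3,
    }

def could_be(short, candidate):
    """True if `candidate` (e.g. a wordlist entry) would map to `short`, ignoring
    the ~N counter, which depends on what else is in the directory."""
    s = short_name(candidate)
    a, b = (SHORT_RE.match(s) if s else None), SHORT_RE.match(short.lower())
    return bool(a and b) and (a.group(1), a.group(3)) == (b.group(1), b.group(3))
```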
Current thread:
- http-iis-short-name-brute.nse BUG? Richard Miles (Sep 25)
- Re: http-iis-short-name-brute.nse BUG? Dev (nmap) (Sep 25)
- Re: http-iis-short-name-brute.nse BUG? Patrik Karlsson (Sep 25)
- Re: http-iis-short-name-brute.nse BUG? Dev (nmap) (Sep 26)
- Re: http-iis-short-name-brute.nse BUG? Richard Miles (Sep 26)
- Re: http-iis-short-name-brute.nse BUG? Richard Miles (Sep 26)
- Re: http-iis-short-name-brute.nse BUG? Dev (nmap) (Sep 27)
- Re: http-iis-short-name-brute.nse BUG? Richard Miles (Sep 28)
- Re: http-iis-short-name-brute.nse BUG? Patrik Karlsson (Sep 25)
- Re: http-iis-short-name-brute.nse BUG? Dev (nmap) (Sep 25)