Re: http-iis-short-name-brute.nse BUG?

[Richard Miles <richard.k.miles () googlemail com>]

Hi Jesper,

If you end up doing such a script please let me know, I will love to test
it and I'm sure it will be helpful to others.

Unfortunately with MS10-070 we depend of another vuln and don't require the
tilde enumeration, also, I don't see it often with framework 4. With
version 2 it's not possible to download files.

Thanks.

On Thu, Sep 27, 2012 at 10:24 AM, Dev (nmap) <dev.kyckel () gmail com> wrote:

>  Hi Richard,
>
> I've thought about adding some kind of procedure for
> detecting/brute-forcing the last part of the name, maybe by combining the
> found folders with "http-folders.txt", but I haven't come up with anything
> useful yet. But if I do, I'll add it to the script.
>
> In regards to the web.config file, the only thing I can think of right
> now, is the MS10-070 vulnerability.
>
> - Jesper
>
>  Hi Jesper,
>
> Thanks for point the research paper, based on it I see the issue is not
> that important as I was expecting, my current understand is that we can't
> access the files via shortnames, we need to guess the full name to access
> it.
>
> If we can't find it by simple guessing name, looking at google and look
> for fuzzdb database for a similar name. Well, in practice many times this
> approach will fail, so I guess the only reliable way is to brute-force the
> discovered shortnames. Do you know any tool able to do it? Or maybe could
> you add it as a script for nmap? :)
>
> Also, do you know any trick to obtain contents of web.config? On my test
> machine obviously it listed it, but I can't download since the webserver
> (IIS) do not serves it. There is any trick (maybe ADS related) to force
> download of this file?
>
> Thanks
>
> On Tue, Sep 25, 2012 at 5:38 PM, Dev (nmap) <dev.kyckel () gmail com> wrote:
>
> > Hi Richard,
> >
> > Thanks for testing the script.
> >
> > In regards to your first question, the script only finds the short name
> > of the files, this means the first 6 letters in the file/folder name and
> > the last 3 letters of the extension. This means that in the case of, say,
> > 'test~1.asp', the full file name is known, since only 4 letters have been
> > found, and it seems that the extension also has been found since '.asp' is
> > a valid extension.  But since only 3 letters of the extension can be found,
> > the real extension might be (and in this case, it is) '.aspx'.
> >
> > If you'd like to know more about the inter-workings, the original POC
> > author has written a more in depth description of the method:
> > http://code.google.com/p/iis-shortname-scanner-poc/ in the research file.
> >
> > The script requires that the service is identified as a 'http' service,
> > so you could try to add the '-sV' option to your command.
> >
> > Hope this helps.
> >
> > Regards,
> >
> >
> > Jesper
> >
> >  I'm testing http-iis-short-name-brute.nse and I think that I found two
> > > bugs, or I don't know how to use it properly. I downloaded it from archive
> > > http://seclists.org/nmap-dev/2012/q3/907
> > >
> > >  1) I tried against the vulnerable test page developed by the original
> > > scanner POC (http://www.sdl.me/challe~1 <http://www.sdl.me/challe%7E1>)
> > > and I got this results:
> > >
> > >
> > > PORT   STATE SERVICE
> > > 80/tcp open  http
> > > | http-iis-short-name-brute:
> > > |   Folders
> > > |     challe~1
> > > |   Files
> > > |     acsecr~1.htm
> > > |     test1~1.asp
> > > |     test2~1.asm
> > > |     test2~1.asp
> > > |     validf~1.htm
> > > |     validf~2.htm
> > > |_    welcom~1.htm
> > >
> > > This looks good, however, if I try to open any of them on my browser all
> > > return 404 (PAGE NOT FOUND), examples:
> > >
> > >  http://www.sdl.me/challe~1/ <http://www.sdl.me/challe%7E1/>
> > > http://www.sdl.me/challe~1/acsecr~1.htm <
> > > http://www.sdl.me/challe%7E1/acsecr%7E1.htm>
> > > http://www.sdl.me/acsecr~1.htm <http://www.sdl.me/acsecr%7E1.htm>
> > >
> > >
> > > Is it a BUG on the script? Or am I doing something wrong?
> > >
> > > 2) I tried against a internal hosts that I know that is vulnerable, but
> > > I can't make the script work since the application is not running at port
> > > 80, in practice it's running at port 8091 and the script do not scan it:
> > >
> > > PORT     STATE SERVICE
> > > 8091/tcp open  unknown
> > >
> > > Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds
> > >
> > > I called it on the following way:
> > >
> > > nmap -PN -sT -sC -p8091 --script http-iis-short-name-brute 10.10.2.9
> > >
> > > There is a way to force it?
> > >
> > > Thanks.
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/