Nmap Development mailing list archives

Re: [NSE] http-iis-short-name-brute.nse


From: Martin Holst Swende <martin () swende se>
Date: Sun, 16 Sep 2012 19:26:32 +0200

Hi,

Cool, I wasn't aware of this until now!

I browsed through the script, and have a comment:
- When brute-forcing the extensions, you test each character
alphabetically (right?), which would take on average (26+10)/2 = 18
requests per character to get right. If the script instead first tried
the most common suffixes it would probably go way faster. (It could
probably be even more advanced, e.g. combining the approaches by guessing
one character at a time according to a tree-structure based on common
suffixes.)

Regards,
Martin Holst Swende

On 09/16/2012 05:12 PM, Dev (nmap) wrote:
Hi List,

Attached is an NSE implementation of "iis-shortname-scanner-poc" from
http://code.google.com/p/iis-shortname-scanner-poc/ .

The script searches for the short name of files and dirs, example output:

PORT   STATE SERVICE REASON
80/tcp open  http
| http-iis-short-name-brute:
|   Folders
|     aspnet~1
|   Files
|     sql~1.bak
|_    test~1.php

It still needs some testing, but currently I don't have access to an
affected IIS installation. Any chance someone here has access to an
IIS installation and can test it (or grant me permission to test on
the platform)?


- Jesper


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
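The cost estimate behind Martin's comment can be checked with a small model. The following is an added example written for this archive page, not code from the attached script or from the nmap project: it recovers a short-name extension one character at a time against a simulated oracle and counts queries under two guess orders, a fixed alphabetical order and the "tree" order Martin sketches, where each next character is ranked by the weight of the common suffixes that extend the current prefix. The frequency table COMMON, its weights and the helper names are constructed assumptions; the model also assumes the oracle reports a complete match at no extra cost, so only prefix queries are counted. It goes one step beyond the thread by showing the price of the ordered approach on an extension the table does not predict ("jsp" here), which costs slightly more than the alphabetical order.

```python
"""Expected number of oracle queries when recovering an 8.3 extension one
character at a time, comparing a fixed alphabetical guess order with an
order driven by a table of common suffixes (the "tree" idea in the thread).

Constructed model: the oracle answers "does the extension start with this
prefix?" and (assumption) reports a complete match at no extra cost, so
only prefix queries are counted."""

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"  # the 26 + 10 characters from the thread

# Constructed frequency table of short-name extensions (8.3 names keep at most
# three extension characters, so "aspx" collapses to "asp"). Weights are made up.
COMMON = {"asp": 40, "php": 20, "htm": 15, "bak": 10, "txt": 8, "xml": 6, "dll": 4}


def alphabetical(prefix):
    """Fixed order: try every character in alphabet order regardless of prefix."""
    return list(ALPHABET)


def frequency_first(prefix, table=COMMON):
    """Tree-ordered guessing: rank the next character by the total weight of
    known suffixes that extend `prefix`, then fall back to alphabetical order
    for characters that no known suffix predicts."""
    weight = {}
    for suffix, w in table.items():
        if suffix.startswith(prefix) and len(suffix) > len(prefix):
            c = suffix[len(prefix)]
            weight[c] = weight.get(c, 0) + w
    ranked = sorted(weight, key=lambda c: (-weight[c], c))
    return ranked + [c for c in ALPHABET if c not in weight]


def guess_extension(target, order_fn):
    """Recover `target` one character at a time with the given guess order and
    return how many prefix queries the simulated oracle had to answer."""
    queries = 0
    prefix = ""
    while prefix != target:
        for c in order_fn(prefix):
            queries += 1  # one request per guessed character
            if target.startswith(prefix + c):
                prefix += c
                break
        else:
            raise ValueError(f"{target!r} contains a character outside ALPHABET")
    return queries


def expected_queries(order_fn, distribution=COMMON):
    """Weighted average query count over a distribution of target extensions."""
    total = sum(distribution.values())
    return sum(w * guess_extension(s, order_fn) for s, w in distribution.items()) / total


if __name__ == "__main__":
    for name in ("php", "bak", "jsp"):
        print(f"{name}: alphabetical={guess_extension(name, alphabetical):3d}"
              f"  frequency-first={guess_extension(name, frequency_first):3d}")
    print(f"expected over COMMON: alphabetical={expected_queries(alphabetical):.1f}"
          f"  frequency-first={expected_queries(frequency_first):.1f}")
```

With the constructed table, "php" takes 40 prefix queries alphabetically but 4 with the suffix-ordered guesses, and the weighted average over COMMON drops from roughly 38 to under 5; the unlisted "jsp" goes from 45 to 48, which is the trade-off a frequency table imposes on anything it does not cover.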
