Nmap Development mailing list archives

Re: [NSE] http-iis-short-name-brute.nse


From: "Dev (nmap)" <dev.kyckel () gmail com>
Date: Sun, 16 Sep 2012 23:15:49 +0200

I just did a quick frequency analysis of http-folders.txt and came up with the following sequence:

"esatirocnplmdbguwhfvykxj2q01z4589367"

On second thought though, the ordering is irrelevant, since the script tries all chars anyways. If for example the first letter of a name has been determined, all other chars are tested in the second position of the name. So while the above sequence might initially detect names faster, the overall run-time should be the same.

- Jesper

Hi,

Cool, I wasn't aware of this until now!

I browsed through the script, and have a comment:
- When brute-forcing the extensions, you test each character alphabetically (right?), which would take on average (26+10)/2 = 18 requests per character to get right. If the script instead first tried the most common suffixes it would probably go way faster. (It could probably be even more advanced, e.g. combining the approaches by guessing one character at a time according to a tree-structure based on common suffixes.)

Regards,
Martin Holst Swende

On 09/16/2012 05:12 PM, Dev (nmap) wrote:
Hi List,

Attached is an NSE implementation of "iis-shortname-scanner-poc" from http://code.google.com/p/iis-shortname-scanner-poc/.

The script searches for the short name of files and dirs, example output:

PORT   STATE SERVICE REASON
80/tcp open  http
| http-iis-short-name-brute:
|   Folders
|     aspnet~1
|   Files
|     sql~1.bak
|_    test~1.php

It still needs some testing, but currently I don't have access to an affected IIS installation. Any chance someone here has access to an IIS installation and can test it (or grant me permission to test on the platform)?


- Jesper
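The two cost arguments in this thread (Jesper's point that the character ordering does not change the overall run-time because the script tries every character at every position, and Martin's estimate of (26+10)/2 = 18 requests per character, which only holds for a search that stops at the first hit) can be checked with a small model. The following is an added example, not code from the NSE script or from iis-shortname-scanner-poc: it reorders the character set by frequency over a wordlist the way Jesper describes, then counts probes for both search strategies against a constructed set of 8.3 stems. The stems, the `_exists` stand-in for a server probe, and the 6-character stem limit are assumptions for the model; the ordering string is the one Jesper posted above. No requests are sent anywhere.

```python
from collections import Counter

# Characters the thread assumes for one short-name position: 26 letters + 10 digits.
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"

# The ordering Jesper derived from http-folders.txt (quoted from the thread).
JESPER_ORDER = "esatirocnplmdbguwhfvykxj2q01z4589367"

# Constructed 8.3 stems standing in for names on a server; not taken from any real host.
SAMPLE_STEMS = ["aspnet", "images", "test"]


def frequency_order(names, charset=CHARSET):
    """Reorder charset by how often each character occurs in the wordlist.

    Characters with equal counts keep their charset order, since sorted() is stable.
    """
    counts = Counter(ch for name in names for ch in name.lower() if ch in charset)
    return "".join(sorted(charset, key=lambda c: -counts[c]))


def _exists(prefix, stems):
    """Assumed stand-in for one probe: does any stem begin with this prefix?"""
    return any(s.startswith(prefix) for s in stems)


def enumerate_all(stems, order, max_len=6):
    """Model of the script's search as Jesper describes it: every character is
    tried at every position and every hit is expanded, so all stems are found.

    Returns (sorted stems found, number of probes).
    """
    probes = 0
    found = []
    frontier = [""]
    while frontier:
        prefix = frontier.pop()
        for c in order:  # all 36 characters are probed, whatever the order
            probes += 1
            candidate = prefix + c
            if _exists(candidate, stems):
                if candidate in stems:
                    found.append(candidate)
                if len(candidate) < max_len:
                    frontier.append(candidate)
    return sorted(found), probes


def find_one(stems, order, max_len=6):
    """Model of a search that stops at the first hit in each position. This is
    the search Martin's '18 requests per character' estimate describes: it
    recovers a single stem, and its cost does depend on the order.
    """
    probes = 0
    prefix = ""
    while len(prefix) < max_len:
        for c in order:
            probes += 1
            if _exists(prefix + c, stems):
                prefix += c
                break
        else:
            break  # nothing extends the prefix: the stem is complete
    return prefix, probes


if __name__ == "__main__":
    for label, order in (("alphabetical", CHARSET), ("frequency", JESPER_ORDER)):
        print(label, "exhaustive:", enumerate_all(SAMPLE_STEMS, order))
        print(label, "first-hit: ", find_one(SAMPLE_STEMS, order))
```

With the constructed stems, `enumerate_all` costs 15 expanded prefixes times 36 probes = 540 probes under either ordering, which is Jesper's point; `find_one` drops from 75 probes alphabetically to 29 with the frequency ordering, which is the speed-up Martin had in mind but only for the single-name case. The probe count per expanded prefix (36) is fixed by the character set, so for a script that enumerates every name the ordering only changes when each hit appears, not how many requests reach the server in total.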


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
