Nmap Development mailing list archives
Re: [NSE] http-iis-short-name-brute.nse
From: Paulino Calderon Pale <paulino () calderonpale com>
Date: Fri, 16 Nov 2012 08:49:17 -0600
On 09/18/2012 04:18 PM, David Fifield wrote:
> On Sun, Sep 16, 2012 at 05:12:19PM +0200, Dev (nmap) wrote:
> > Hi List,
> >
> > Attached is a NSE implementation of "iis-shortname-scanner-poc" from
> > http://code.google.com/p/iis-shortname-scanner-poc/ .
> >
> > The script searches for the short name of files and dirs, example output:
> >
> > PORT   STATE SERVICE REASON
> > 80/tcp open  http
> > | http-iis-short-name-brute:
> > |   Folders
> > |     aspnet~1
> > |   Files
> > |     sql~1.bak
> > |_    test~1.php
> >
> > It still needs some testing, but currently I don't have access to an
> > affected IIS installation. Any chance someone here has access to an IIS
> > installation and can test it (or grant me permission to test on the
> > platform)?
>
> This script is fine with me, if you can get some testing results.
>
> David Fifield
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/

Hi,

I'm working on a pentest where I stumbled across a vulnerable IIS installation, but this NSE script does not work properly on ASP.NET 4.0.x. I used the original PoC scanner and I was able to get the shortnames, so I've confirmed the installation is vulnerable. Unfortunately I did not have enough time yesterday to look into the problem, but I will try today to at least get a copy of the script trace for further debugging. I will also be posting a script to exploit the denial of service condition after I clean it up.

Cheers.