Re: [NSE] http-iis-short-name-brute.nse

[Paulino Calderon Pale <paulino () calderonpale com>]

On 09/18/2012 04:18 PM, David Fifield wrote:
> On Sun, Sep 16, 2012 at 05:12:19PM +0200, Dev (nmap) wrote:
> > Hi List,
> >
> > Attached is a NSE implementation of "iis-shortname-scanner-poc" from
> > http://code.google.com/p/iis-shortname-scanner-poc/ .
> >
> > The script searches for the short name of files and dirs, example output:
> >
> > PORT   STATE SERVICE REASON
> > 80/tcp open  http
> > | http-iis-short-name-brute:
> > |   Folders
> > |     aspnet~1
> > |   Files
> > |     sql~1.bak
> > |_    test~1.php
> >
> > It still needs some testing, but currently I don't have access to an
> > affected IIS installation. Any chance someone  here has access to an
> > IIS installation and can test it (or grant me permission to test on
> > the platform) ?
> This script is fine with me, if you can get some testing results.
>
> David Fifield
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/
Hi,

I'm working on a pentest where I stumbled across a vulnerable IIS 
installation but this NSE script does not work properly on ASP.NET 
4.0.x. I used the original PoC scanner and I was able to get the 
shortnames so I've confirmed the installation is vulnerable. 
Unfortunately I did not have enough time yesterday to look into the 
problem but I will try today to at least get a copy of the script trace 
for further debugging. I will also be posting a script to exploit the 
denial of service condition after I clean it up.

Cheers.
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/