Nmap Development mailing list archives

Re: [NSE] http-iis-short-name-brute.nse


From: Juhani Toivonen <juhani.toivonen () cs helsinki fi>
Date: Mon, 21 Oct 2013 08:32:57 +0300

On Oct 21, 2013, at 5:13 AM, Paulino Calderon Pale <paulino () calderonpale com> wrote:
On 09/18/2012 04:18 PM, David Fifield wrote:
On Sun, Sep 16, 2012 at 05:12:19PM +0200, Dev (nmap) wrote:
Hi List,

Attached is an NSE implementation of "iis-shortname-scanner-poc" from
http://code.google.com/p/iis-shortname-scanner-poc/ .

The script searches for the short name of files and dirs, example output:

PORT   STATE SERVICE REASON
80/tcp open  http
| http-iis-short-name-brute:
|   Folders
|     aspnet~1
|   Files
|     sql~1.bak
|_    test~1.php

It still needs some testing, but currently I don't have access to an
affected IIS installation. Any chance someone here has access to an
IIS installation and can test it (or grant me permission to test on
the platform)?
This script is fine with me, if you can get some testing results.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Hi list,

This week at work I stumbled upon this vulnerability again, and the script worked flawlessly in one instance but it
returned false positive results against another server (all pages were returning 404 and the script was saving them
as valid directories). I'm attaching the updated version with my patch. This version worked as expected in my
environment, but I would appreciate some help testing it against different ASP.NET versions.

What do you guys think about including this script in the repository? None of the major commercial scanners detected
this vulnerability except for Nmap, and it has come in very handy during pentests...

Cheers!
Hi all,

The script seems fine, but I would suggest renaming the class from "scanner" to something like "IISShortNameScanner" to
avoid a mix-up with "Scanner" (from java.util).

Cheers,
Juhani Toivonen
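From the defender's side, the enumeration Dev's script performs shows up in IIS access logs as a burst of requests for tilde-style 8.3 names (the `aspnet~1` / `sql~1.bak` pattern in the output above), most of them answered with 404. The following is an added detection example, not code from the thread or from Nmap: it parses W3C-format IIS log lines and flags clients that issue more than a threshold of such requests. The log lines, field layout and threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample IIS W3C log lines (not from the thread). Assumed fields:
# date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2013-10-21 08:30:01 203.0.113.7 GET /index.aspx 200
2013-10-21 08:30:02 198.51.100.9 GET /aspnet~1/ 404
2013-10-21 08:30:02 198.51.100.9 GET /sql~1.bak 404
2013-10-21 08:30:03 198.51.100.9 GET /test~1.php 404
2013-10-21 08:30:03 198.51.100.9 GET /web~1.config 404
2013-10-21 08:30:04 198.51.100.9 GET /asp~1/ 404
2013-10-21 08:30:05 203.0.113.7 GET /images/logo.png 200
2013-10-21 08:30:06 203.0.113.7 GET /old~1.txt 404
"""

# An 8.3 short name carries a tilde followed by a digit somewhere in the path.
SHORT_NAME_RE = re.compile(r"~\d")


def parse_iis_log(text):
    """Return a list of (client_ip, uri_stem, status) tuples, skipping '#' directives."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 6:
            continue  # malformed line; ignore rather than crash the whole run
        rows.append((parts[2], parts[4], int(parts[5])))
    return rows


def find_short_name_probes(rows, threshold=3):
    """Map client_ip -> (tilde_requests, of_which_404) for clients at or over threshold.

    Counting is done on the request pattern, not the status code, so the
    catch-all-404 servers Paulino describes still produce a signal here.
    """
    tilde = defaultdict(int)
    notfound = defaultdict(int)
    for ip, uri, status in rows:
        if SHORT_NAME_RE.search(uri):
            tilde[ip] += 1
            if status == 404:
                notfound[ip] += 1
    return {ip: (n, notfound[ip]) for ip, n in tilde.items() if n >= threshold}


if __name__ == "__main__":
    for ip, (n, nf) in find_short_name_probes(parse_iis_log(SAMPLE_LOG)).items():
        print(f"{ip}: {n} short-name style requests, {nf} returned 404")
```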