IIS Tilde Enumeration Vulnerability
Upcoming SlideShare
Loading in...5
×
 

IIS Tilde Enumeration Vulnerability

on

  • 2,595 views

New IIS tilde enumeration vulnerability exploiting script.

New IIS tilde enumeration vulnerability exploiting script.

Statistics

Views

Total Views
2,595
Views on SlideShare
2,571
Embed Views
24

Actions

Likes
1
Downloads
20
Comments
0

1 Embed 24

http://www.slideee.com 24

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

CC Attribution-ShareAlike LicenseCC Attribution-ShareAlike License

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • Start with a storyAsk people to think about their daily lives…Pick something that at the time appeared so small…such a little thing but over time it grewSame thing happens in penetration testingYou sometimes get a whole bunch of small things. Sometimes they remain small But sometimes you can chain them together Or sometimes a small vuln is the mother-load

IIS Tilde Enumeration Vulnerability IIS Tilde Enumeration Vulnerability Presentation Transcript

  • IIS Tilde Enumeration (re)Exploited Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 1
  • Who am I? ◦ Pentester ◦ NoVA Hacker ◦ PwnWiki.io curator / czar ◦ Recon-ng module writer ◦ SANS Mentor (SEC542) ◦ Hiker / Backpacker Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 2
  • Sometimes it is the little things… Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 3 View slide
  • Low Risk Web Vulnerabilities Things not directly exploitable Information Leakage ◦ Directory Listings ◦ Detailed Errors ◦ Configuration Pages ◦ IIS Tilde Enumeration Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 4 View slide
  • What is this vuln? IIS Tilde Enumeration Vulnerability ◦ Use HTTP response codes (400 or 404) to determine if a certain file/dir is on the system http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability _feature.pdf Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 5
  • An example Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 6 When completed, 8.3 file names are revealed (ex., docume~1.htm) From the original PDF report…
  • Tilde Java POC Scanner Pros ◦ POC that there is a vuln ◦ Free on Google Code ◦ Fast Cons ◦ Java ◦ Not recursive ◦ Only gives 8.3 names ◦ Can’t surf to 8.3 files = Low Risk Vuln Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 7
  • How can I do it better? Make it in Python Guess the file and dir names using wordlists ◦ Get us real, full file and dir names Recursivenessitivity ◦ Go deep Verbosity ◦ Show me whatcha finding ◦ Gimme response sizes (reduce False Positives) Rate limiting for those ‘fragile’ systems Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 8
  • tilde_enum.py https://github.com/WebBreacher/tilde_enum Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 9 $ ./tilde_enum.py -h usage: tilde_enum.py [-h] [-b] [-d DIRWORDLIST] [-f] [-u URL] [-v] wordlist Exploits and expands the file names found from the tilde enumeration vuln positional arguments: wordlist the wordlist file optional arguments: -h, --help show this help message and exit -b brute force backup extension, extensions -d DIRWORDLIST an optional wordlist for directory name content -f force testing of the server even if the headers do not report it as an IIS system -u URL URL to scan -v verbose output
  • tilde_enum.py Example Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 10 $ ./tilde_enum.py -u http://iis /pentest/fuzzdb/discovery/predictableres/raft-small-words- lowercase.txt [-] Testing with dummy file request http://iis/lJP7ROxEoS.htm [-] URLNotThere -> HTTP Code: 404, Response Length: 1635 [-] Testing with user-submitted http://iis [-] URLUser -> HTTP Code: 200, Response Length: 1433 [+] The server is reporting that it is IIS (Microsoft- IIS/6.0). [+] The server is vulnerable to the tilde enumeration vulnerability (IIS/5|6.x).. [+] Found a new directory: docume [+] Found a new directory: javasc [+] Found file: parame . xml [+] Found file: 765432 . htm [+] Found file: _vti_i . htm [+] Found a new directory: _vti_s [-] Finished doing the 8.3 enumeration for /.
  • tilde_enum.py Example con’t Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 11 ---------- FINAL OUTPUT ------------------------------ [*] We found files for you to look at: [*] http://iis/_vti_inf.html - Size 1754 [*] http://iis/documentation/advertising.html - Size 227 [*] http://iis/documentation/default.aspx - Size 1433 [*] http://iis/javascript/321.xlsx - Size 227 [*] http://iis/parameter.xml - Size 1307 [*] Here are all the 8.3 names we found. [*] If any of these are 6 chars and look like they should work, try the file name with the first or second instead of all of them. [*] http://iis/documentation/advert~1.htm [*] http://iis/documentation/defaul~1.asp [*] http://iis/765432~1.htm [*] http://iis/_vti_i~1.htm [*] http://iis/parame~1.xml [*] http://iis/javascript/321~1.xls
  • Shortcomings…for now Doesn’t find all the files ◦ < 3 char file names ◦ ab.htm->abJHG7.htm ◦ Some other files are just missed ◦ Odd file names (test.htm.bak, Copy of micah.html) ◦ Words not in the word list Can DoS fragile servers Needs more ‘real-world’ testing No IIS7.x Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 12
  • Future Features Better file/dir detection Peek into authentication-required dirs Pull back file content and store locally IIS7 support Your suggestions Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 13
  • Conclusions Investigate the low risk vulns Challenge yourself to enhance your tools ◦ Don’t settle  Create! Share with the community Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 14
  • Questions https://github.com/WebBreacher/tilde_enum http://soroush.secproject.com/downloadable/microsoft_iis_ tilde_character_vulnerability_feature.pdf IIS TILDE ENUMERATION 15 Micah Hoffman @WebBreacher Novahackers.com Micah Hoffman @WebBreacher