IIS Tilde Enumeration Vulnerability


Published on

New IIS tilde enumeration vulnerability exploiting script.

Published in: Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Start with a storyAsk people to think about their daily lives…Pick something that at the time appeared so small…such a little thing but over time it grewSame thing happens in penetration testingYou sometimes get a whole bunch of small things. Sometimes they remain small But sometimes you can chain them together Or sometimes a small vuln is the mother-load
  • IIS Tilde Enumeration Vulnerability

    1. 1. IIS Tilde Enumeration (re)Exploited Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 1
    2. 2. Who am I? ◦ Pentester ◦ NoVA Hacker ◦ PwnWiki.io curator / czar ◦ Recon-ng module writer ◦ SANS Mentor (SEC542) ◦ Hiker / Backpacker Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 2
    3. 3. Sometimes it is the little things… Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 3
    4. 4. Low Risk Web Vulnerabilities Things not directly exploitable Information Leakage ◦ Directory Listings ◦ Detailed Errors ◦ Configuration Pages ◦ IIS Tilde Enumeration Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 4
    5. 5. What is this vuln? IIS Tilde Enumeration Vulnerability ◦ Use HTTP response codes (400 or 404) to determine if a certain file/dir is on the system http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability _feature.pdf Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 5
    6. 6. An example Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 6 When completed, 8.3 file names are revealed (ex., docume~1.htm) From the original PDF report…
    7. 7. Tilde Java POC Scanner Pros ◦ POC that there is a vuln ◦ Free on Google Code ◦ Fast Cons ◦ Java ◦ Not recursive ◦ Only gives 8.3 names ◦ Can’t surf to 8.3 files = Low Risk Vuln Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 7
    8. 8. How can I do it better? Make it in Python Guess the file and dir names using wordlists ◦ Get us real, full file and dir names Recursivenessitivity ◦ Go deep Verbosity ◦ Show me whatcha finding ◦ Gimme response sizes (reduce False Positives) Rate limiting for those ‘fragile’ systems Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 8
    9. 9. tilde_enum.py https://github.com/WebBreacher/tilde_enum Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 9 $ ./tilde_enum.py -h usage: tilde_enum.py [-h] [-b] [-d DIRWORDLIST] [-f] [-u URL] [-v] wordlist Exploits and expands the file names found from the tilde enumeration vuln positional arguments: wordlist the wordlist file optional arguments: -h, --help show this help message and exit -b brute force backup extension, extensions -d DIRWORDLIST an optional wordlist for directory name content -f force testing of the server even if the headers do not report it as an IIS system -u URL URL to scan -v verbose output
    10. 10. tilde_enum.py Example Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 10 $ ./tilde_enum.py -u http://iis /pentest/fuzzdb/discovery/predictableres/raft-small-words- lowercase.txt [-] Testing with dummy file request http://iis/lJP7ROxEoS.htm [-] URLNotThere -> HTTP Code: 404, Response Length: 1635 [-] Testing with user-submitted http://iis [-] URLUser -> HTTP Code: 200, Response Length: 1433 [+] The server is reporting that it is IIS (Microsoft- IIS/6.0). [+] The server is vulnerable to the tilde enumeration vulnerability (IIS/5|6.x).. [+] Found a new directory: docume [+] Found a new directory: javasc [+] Found file: parame . xml [+] Found file: 765432 . htm [+] Found file: _vti_i . htm [+] Found a new directory: _vti_s [-] Finished doing the 8.3 enumeration for /.
    11. 11. tilde_enum.py Example con’t Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 11 ---------- FINAL OUTPUT ------------------------------ [*] We found files for you to look at: [*] http://iis/_vti_inf.html - Size 1754 [*] http://iis/documentation/advertising.html - Size 227 [*] http://iis/documentation/default.aspx - Size 1433 [*] http://iis/javascript/321.xlsx - Size 227 [*] http://iis/parameter.xml - Size 1307 [*] Here are all the 8.3 names we found. [*] If any of these are 6 chars and look like they should work, try the file name with the first or second instead of all of them. [*] http://iis/documentation/advert~1.htm [*] http://iis/documentation/defaul~1.asp [*] http://iis/765432~1.htm [*] http://iis/_vti_i~1.htm [*] http://iis/parame~1.xml [*] http://iis/javascript/321~1.xls
    12. 12. Shortcomings…for now Doesn’t find all the files ◦ < 3 char file names ◦ ab.htm->abJHG7.htm ◦ Some other files are just missed ◦ Odd file names (test.htm.bak, Copy of micah.html) ◦ Words not in the word list Can DoS fragile servers Needs more ‘real-world’ testing No IIS7.x Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 12
    13. 13. Future Features Better file/dir detection Peek into authentication-required dirs Pull back file content and store locally IIS7 support Your suggestions Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 13
    14. 14. Conclusions Investigate the low risk vulns Challenge yourself to enhance your tools ◦ Don’t settle  Create! Share with the community Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 14
    15. 15. Questions https://github.com/WebBreacher/tilde_enum http://soroush.secproject.com/downloadable/microsoft_iis_ tilde_character_vulnerability_feature.pdf IIS TILDE ENUMERATION 15 Micah Hoffman @WebBreacher Novahackers.com Micah Hoffman @WebBreacher