IIS Tilde Enumeration Vulnerability
Upcoming SlideShare
Loading in...5

IIS Tilde Enumeration Vulnerability



New IIS tilde enumeration vulnerability exploiting script.

New IIS tilde enumeration vulnerability exploiting script.



Total Views
Views on SlideShare
Embed Views



1 Embed 24

http://www.slideee.com 24



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

CC Attribution-ShareAlike LicenseCC Attribution-ShareAlike License

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment
  • Start with a storyAsk people to think about their daily lives…Pick something that at the time appeared so small…such a little thing but over time it grewSame thing happens in penetration testingYou sometimes get a whole bunch of small things. Sometimes they remain small But sometimes you can chain them together Or sometimes a small vuln is the mother-load

IIS Tilde Enumeration Vulnerability IIS Tilde Enumeration Vulnerability Presentation Transcript

  • IIS Tilde Enumeration (re)Exploited Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 1
  • Who am I? ◦ Pentester ◦ NoVA Hacker ◦ PwnWiki.io curator / czar ◦ Recon-ng module writer ◦ SANS Mentor (SEC542) ◦ Hiker / Backpacker Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 2
  • Sometimes it is the little things… Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 3 View slide
  • Low Risk Web Vulnerabilities Things not directly exploitable Information Leakage ◦ Directory Listings ◦ Detailed Errors ◦ Configuration Pages ◦ IIS Tilde Enumeration Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 4 View slide
  • What is this vuln? IIS Tilde Enumeration Vulnerability ◦ Use HTTP response codes (400 or 404) to determine if a certain file/dir is on the system http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability _feature.pdf Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 5
  • An example Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 6 When completed, 8.3 file names are revealed (ex., docume~1.htm) From the original PDF report…
  • Tilde Java POC Scanner Pros ◦ POC that there is a vuln ◦ Free on Google Code ◦ Fast Cons ◦ Java ◦ Not recursive ◦ Only gives 8.3 names ◦ Can’t surf to 8.3 files = Low Risk Vuln Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 7
  • How can I do it better? Make it in Python Guess the file and dir names using wordlists ◦ Get us real, full file and dir names Recursivenessitivity ◦ Go deep Verbosity ◦ Show me whatcha finding ◦ Gimme response sizes (reduce False Positives) Rate limiting for those ‘fragile’ systems Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 8
  • tilde_enum.py https://github.com/WebBreacher/tilde_enum Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 9 $ ./tilde_enum.py -h usage: tilde_enum.py [-h] [-b] [-d DIRWORDLIST] [-f] [-u URL] [-v] wordlist Exploits and expands the file names found from the tilde enumeration vuln positional arguments: wordlist the wordlist file optional arguments: -h, --help show this help message and exit -b brute force backup extension, extensions -d DIRWORDLIST an optional wordlist for directory name content -f force testing of the server even if the headers do not report it as an IIS system -u URL URL to scan -v verbose output
  • tilde_enum.py Example Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 10 $ ./tilde_enum.py -u http://iis /pentest/fuzzdb/discovery/predictableres/raft-small-words- lowercase.txt [-] Testing with dummy file request http://iis/lJP7ROxEoS.htm [-] URLNotThere -> HTTP Code: 404, Response Length: 1635 [-] Testing with user-submitted http://iis [-] URLUser -> HTTP Code: 200, Response Length: 1433 [+] The server is reporting that it is IIS (Microsoft- IIS/6.0). [+] The server is vulnerable to the tilde enumeration vulnerability (IIS/5|6.x).. [+] Found a new directory: docume [+] Found a new directory: javasc [+] Found file: parame . xml [+] Found file: 765432 . htm [+] Found file: _vti_i . htm [+] Found a new directory: _vti_s [-] Finished doing the 8.3 enumeration for /.
  • tilde_enum.py Example con’t Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 11 ---------- FINAL OUTPUT ------------------------------ [*] We found files for you to look at: [*] http://iis/_vti_inf.html - Size 1754 [*] http://iis/documentation/advertising.html - Size 227 [*] http://iis/documentation/default.aspx - Size 1433 [*] http://iis/javascript/321.xlsx - Size 227 [*] http://iis/parameter.xml - Size 1307 [*] Here are all the 8.3 names we found. [*] If any of these are 6 chars and look like they should work, try the file name with the first or second instead of all of them. [*] http://iis/documentation/advert~1.htm [*] http://iis/documentation/defaul~1.asp [*] http://iis/765432~1.htm [*] http://iis/_vti_i~1.htm [*] http://iis/parame~1.xml [*] http://iis/javascript/321~1.xls
  • Shortcomings…for now Doesn’t find all the files ◦ < 3 char file names ◦ ab.htm->abJHG7.htm ◦ Some other files are just missed ◦ Odd file names (test.htm.bak, Copy of micah.html) ◦ Words not in the word list Can DoS fragile servers Needs more ‘real-world’ testing No IIS7.x Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 12
  • Future Features Better file/dir detection Peek into authentication-required dirs Pull back file content and store locally IIS7 support Your suggestions Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 13
  • Conclusions Investigate the low risk vulns Challenge yourself to enhance your tools ◦ Don’t settle  Create! Share with the community Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 14
  • Questions https://github.com/WebBreacher/tilde_enum http://soroush.secproject.com/downloadable/microsoft_iis_ tilde_character_vulnerability_feature.pdf IIS TILDE ENUMERATION 15 Micah Hoffman @WebBreacher Novahackers.com Micah Hoffman @WebBreacher