MH
Uploaded byMicah Hoffman
PPTX, PDF1,363 views

Everyone Matters In Infosec 2014

The document discusses the IIS tilde enumeration vulnerability, detailing its exploitation and mitigation methods, as presented by Micah Hoffman. It introduces a Python script for more effective directory and file name enumeration compared to existing tools, highlighting its potential and limitations. The author encourages contributions and further exploration in the field of information security.

Embed presentation

Download to read offline
Everyone matters in infosec IIS TILDE ENUMERATION (RE)EXPLOITED Micah Hoffman @WebBreacher EVERYONE MATTERS IN INFOSEC 1
Who am I? ◦ Infosec Engineer / Pentester ◦ NoVA Hacker ◦ PwnWiki.io Curator ◦ Recon-ng module Writer ◦ SANS Instructor (SEC542) ◦ Hiker / Backpacker Micah Hoffman @WebBreacher EVERYONE MATTERS IN INFOSEC 2 Novahackers.com
Sometimes it is the little things… Micah Hoffman @WebBreacher EVERYONE MATTERS IN INFOSEC 3
We can all contribute Micah Hoffman @WebBreacher EVERYONE MATTERS IN INFOSEC 4 System Admins Management Developers Testers Database Admins Students
Ask yourself…. Micah Hoffman @WebBreacher EVERYONE MATTERS IN INFOSEC 5
Low Risk Web Vulnerabilities Things not directly exploitable Information Leakage ◦ Directory Listings ◦ Detailed Errors ◦ Configuration Pages ◦ IIS Tilde Enumeration Micah Hoffman @WebBreacher EVERYONE MATTERS IN INFOSEC 6
What is this vuln? IIS Tilde Enumeration Vulnerability ◦ Use HTTP response codes (400 or 404) to determine if a certain file/dir is on the system http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability _feature.pdf Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 7
An example Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 8 When completed, 8.3 file names are revealed (ex., docume~1.htm) From the original PDF report…
Tilde Java POC Scanner Pros ◦ POC that there is a vuln ◦ Free on Google Code ◦ Fast Cons ◦ Java ◦ Not recursive ◦ Only gives 8.3 names ◦ Can’t surf to 8.3 files = Low Risk Vuln Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 9
How can we do it better? Make it in Python Guess the file and dir names using wordlists ◦ Get us real, full file and dir names Recursivenessitivity ◦ Go deep Verbosity ◦ Show me whatcha finding ◦ Gimme response sizes (reduce False Positives) Rate limiting for those ‘fragile’ systems Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 10
tilde_enum.py Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 11 $ ./tilde_enum.py -u http://iis /pentest/fuzzdb/discovery/predictableres/raft-small-words- lowercase.txt [-] Testing with dummy file request http://iis/lJP7ROxEoS.htm [-] URLNotThere -> HTTP Code: 404, Response Length: 1635 [-] Testing with user-submitted http://iis [-] URLUser -> HTTP Code: 200, Response Length: 1433 [+] The server is reporting that it is IIS (Microsoft- IIS/6.0). [+] The server is vulnerable to the tilde enumeration vulnerability (IIS/5|6.x).. [+] Found a new directory: docume [+] Found a new directory: javasc [+] Found file: parame . xml [+] Found file: 765432 . htm [+] Found file: _vti_i . htm [+] Found a new directory: _vti_s [-] Finished doing the 8.3 enumeration for /.
tilde_enum.py (con’t) Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 12 ---------- FINAL OUTPUT ------------------------------ [*] We found files for you to look at: [*] http://iis/_vti_inf.html - Size 1754 [*] http://iis/documentation/advertising.html - Size 227 [*] http://iis/documentation/default.aspx - Size 1433 [*] http://iis/javascript/321.xlsx - Size 227 [*] http://iis/parameter.xml - Size 1307 [*] Here are all the 8.3 names we found. [*] If any of these are 6 chars and look like they [snip] [*] http://iis/documentation/advert~1.htm [*] http://iis/documentation/defaul~1.asp [*] http://iis/765432~1.htm [*] http://iis/_vti_i~1.htm [*] http://iis/parame~1.xml [*] http://iis/javascript/321~1.xls
Demo 13Micah Hoffman @WebBreacher IIS TILDE ENUMERATION
Shortcomings…for now Doesn’t find all the files ◦ < 3 char file names ◦ ab.htm->abJHG7.htm ◦ Some other files are just missed ◦ Odd file names (test.htm.bak, Copy of micah.html) ◦ Words not in the word list Can DoS fragile servers Needs more ‘real-world’ testing No IIS7.x yet Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 14
Future Features Better file/dir detection Peek into authentication-required dirs Pull back file content and store locally IIS7 support Your suggestions Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 15
Continue to… Investigate the mysteries Ask questions ◦ What if? ◦ Reach out to others Share / Give back Challenge yourself ◦ Enhance your tools / processes / skills ◦ Don’t settle  Create! Micah Hoffman @WebBreacher EVERYONE MATTERS IN INFOSEC 16
Questions? https://github.com/WebBreacher/tilde_enum EVERYONE MATTERS IN INFOSEC 17Micah Hoffman @WebBreacher

More Related Content

PPTX
Kali kinux1
byMohammad Mafi
 
PPTX
IIS Tilde Enumeration Vulnerability
byMicah Hoffman
 
PPTX
SANS @Night Talk: SQL Injection Exploited
byMicah Hoffman
 
PDF
Anatomy of a Cloud Hack
byNotSoSecure Global Services
 
PPTX
Securing Hadoop with OSSEC
byVic Hargrave
 
PDF
20+ Ways To Bypass Your Macos Privacy Mechanisms
bySecuRing
 
PPTX
DEVNET-2003 Coding 203: Python - User Input, File I/O, Logging and REST API C...
byCisco DevNet
 
PDF
Nessus and Reporting Karma
byn|u - The Open Security Community
 
Kali kinux1
byMohammad Mafi
 
IIS Tilde Enumeration Vulnerability
byMicah Hoffman
 
SANS @Night Talk: SQL Injection Exploited
byMicah Hoffman
 
Anatomy of a Cloud Hack
byNotSoSecure Global Services
 
Securing Hadoop with OSSEC
byVic Hargrave
 
20+ Ways To Bypass Your Macos Privacy Mechanisms
bySecuRing
 
DEVNET-2003 Coding 203: Python - User Input, File I/O, Logging and REST API C...
byCisco DevNet
 
Nessus and Reporting Karma
byn|u - The Open Security Community
 

What's hot

PDF
Windows 8 fuzz
byOlav Tvedt
 
PPTX
Injection flaw teaser
byNotSoSecure Global Services
 
PDF
[Wroclaw #7] Why So Serial?
byOWASP
 
PDF
iThome CyberSec2021 Container Security
byJie Liau
 
PPTX
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
byDan Vasile
 
PPTX
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
byDan Vasile
 
PDF
Protecting Your Internet Route Integrity
byJie Liau
 
PDF
Null bhopal Sep 2016: What it Takes to Secure a Web Application
byAnant Shrivastava
 
PPTX
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
byDan Vasile
 
PDF
Présentation et démo ELK/SIEM/Wazuh
byclevernetsystemsgeneva
 
PDF
Are you ready to be hacked?
byDaniel Kanchev
 
PDF
Pentesting iOS Apps
byHerman Duarte
 
PPTX
Lateral Movement with PowerShell
bykieranjacobsen
 
PDF
Automated Infrastructure Security: Monitoring using FOSS
bySonatype
 
PPTX
Fatcat Automatic Web SQL Injector by Sandeep Kamble
byClubHack
 
PDF
My tryst with sourcecode review
byAnant Shrivastava
 
PPTX
Apache Struts2 CVE-2017-5638
byRiyaz Walikar
 
PPTX
Web Application firewall-Mod security
byRomansh Yadav
 
PDF
Prepare to defend thyself with Blue/Green
bySonatype
 
PPTX
Mod security
byShruthi Kamath
 
Windows 8 fuzz
byOlav Tvedt
 
Injection flaw teaser
byNotSoSecure Global Services
 
[Wroclaw #7] Why So Serial?
byOWASP
 
iThome CyberSec2021 Container Security
byJie Liau
 
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
byDan Vasile
 
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
byDan Vasile
 
Protecting Your Internet Route Integrity
byJie Liau
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
byAnant Shrivastava
 
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
byDan Vasile
 
Présentation et démo ELK/SIEM/Wazuh
byclevernetsystemsgeneva
 
Are you ready to be hacked?
byDaniel Kanchev
 
Pentesting iOS Apps
byHerman Duarte
 
Lateral Movement with PowerShell
bykieranjacobsen
 
Automated Infrastructure Security: Monitoring using FOSS
bySonatype
 
Fatcat Automatic Web SQL Injector by Sandeep Kamble
byClubHack
 
My tryst with sourcecode review
byAnant Shrivastava
 
Apache Struts2 CVE-2017-5638
byRiyaz Walikar
 
Web Application firewall-Mod security
byRomansh Yadav
 
Prepare to defend thyself with Blue/Green
bySonatype
 
Mod security
byShruthi Kamath
 

Viewers also liked

PPTX
Top 10 Mentor Tips
byMicah Hoffman
 
PDF
Audit
byMark Ellzey Thomas
 
PDF
Protecting confidential files using SE-Linux
byGiuseppe Paterno'
 
PDF
SHOWDOWN: Threat Stack vs. Red Hat AuditD
byThreat Stack
 
PDF
Linux audit framework
byTorstein Hansen
 
PDF
How To Train Your Python
byJordi Riera
 
PPT
Open Audit
byncspa
 
PDF
Bringing Infosec Into The Devops Tribe: Q&A With Gene Kim and Pete Cheslock
byThreat Stack
 
PDF
Dealing with Linux Malware
byMichael Boelen
 
PDF
Whitepaper: User Audit Options for Linux and Solaris
byObserveIT
 
PDF
Python build your security tools.pdf
byTECHNOLOGY CONTROL CO.
 
PDF
MySQL Day Paris 2016 - MySQL Enterprise Edition
byOlivier DASINI
 
PDF
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
byShawn Wells
 
PDF
Network Security and Analysis with Python
bypycontw
 
PDF
Linux Security Scanning with Lynis
byMichael Boelen
 
PDF
Handling of compromised Linux systems
byMichael Boelen
 
PDF
Linux Hardening
byMichael Boelen
 
PPTX
PowerShell for Penetration Testers
byNikhil Mittal
 
PDF
Linux Security for Developers
byMichael Boelen
 
PPTX
PowerUp - Automating Windows Privilege Escalation
byWill Schroeder
 
Top 10 Mentor Tips
byMicah Hoffman
 
Audit
byMark Ellzey Thomas
 
Protecting confidential files using SE-Linux
byGiuseppe Paterno'
 
SHOWDOWN: Threat Stack vs. Red Hat AuditD
byThreat Stack
 
Linux audit framework
byTorstein Hansen
 
How To Train Your Python
byJordi Riera
 
Open Audit
byncspa
 
Bringing Infosec Into The Devops Tribe: Q&A With Gene Kim and Pete Cheslock
byThreat Stack
 
Dealing with Linux Malware
byMichael Boelen
 
Whitepaper: User Audit Options for Linux and Solaris
byObserveIT
 
Python build your security tools.pdf
byTECHNOLOGY CONTROL CO.
 
MySQL Day Paris 2016 - MySQL Enterprise Edition
byOlivier DASINI
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
byShawn Wells
 
Network Security and Analysis with Python
bypycontw
 
Linux Security Scanning with Lynis
byMichael Boelen
 
Handling of compromised Linux systems
byMichael Boelen
 
Linux Hardening
byMichael Boelen
 
PowerShell for Penetration Testers
byNikhil Mittal
 
Linux Security for Developers
byMichael Boelen
 
PowerUp - Automating Windows Privilege Escalation
byWill Schroeder
 

Recently uploaded

PDF
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
PDF
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PDF
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
PDF
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
PDF
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
PDF
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PPTX
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PPTX
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
PDF
December Patch Tuesday
byIvanti
 
PPTX
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
PDF
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
PDF
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
PPTX
The Landscape of Computer Software Development Companies
byYash Singh
 
PDF
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
PDF
AI Technology important knowledge ......
byutkarshj2007
 
PDF
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
PDF
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
The year in review - MarvelClient in 2025
bypanagenda
 
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
December Patch Tuesday
byIvanti
 
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
The Landscape of Computer Software Development Companies
byYash Singh
 
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
AI Technology important knowledge ......
byutkarshj2007
 
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 

Everyone Matters In Infosec 2014

  • 1.
    Everyone matters in infosec IIS TILDEENUMERATION (RE)EXPLOITED Micah Hoffman @WebBreacher EVERYONE MATTERS IN INFOSEC 1
  • 2.
    Who am I? ◦Infosec Engineer / Pentester ◦ NoVA Hacker ◦ PwnWiki.io Curator ◦ Recon-ng module Writer ◦ SANS Instructor (SEC542) ◦ Hiker / Backpacker Micah Hoffman @WebBreacher EVERYONE MATTERS IN INFOSEC 2 Novahackers.com
  • 3.
    Sometimes it isthe little things… Micah Hoffman @WebBreacher EVERYONE MATTERS IN INFOSEC 3
  • 4.
    We can allcontribute Micah Hoffman @WebBreacher EVERYONE MATTERS IN INFOSEC 4 System Admins Management Developers Testers Database Admins Students
  • 5.
    Ask yourself…. Micah Hoffman@WebBreacher EVERYONE MATTERS IN INFOSEC 5
  • 6.
    Low Risk Web Vulnerabilities Thingsnot directly exploitable Information Leakage ◦ Directory Listings ◦ Detailed Errors ◦ Configuration Pages ◦ IIS Tilde Enumeration Micah Hoffman @WebBreacher EVERYONE MATTERS IN INFOSEC 6
  • 7.
    What is thisvuln? IIS Tilde Enumeration Vulnerability ◦ Use HTTP response codes (400 or 404) to determine if a certain file/dir is on the system http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability _feature.pdf Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 7
  • 8.
    An example Micah Hoffman@WebBreacher IIS TILDE ENUMERATION 8 When completed, 8.3 file names are revealed (ex., docume~1.htm) From the original PDF report…
  • 9.
    Tilde Java POCScanner Pros ◦ POC that there is a vuln ◦ Free on Google Code ◦ Fast Cons ◦ Java ◦ Not recursive ◦ Only gives 8.3 names ◦ Can’t surf to 8.3 files = Low Risk Vuln Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 9
  • 10.
    How can wedo it better? Make it in Python Guess the file and dir names using wordlists ◦ Get us real, full file and dir names Recursivenessitivity ◦ Go deep Verbosity ◦ Show me whatcha finding ◦ Gimme response sizes (reduce False Positives) Rate limiting for those ‘fragile’ systems Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 10
  • 11.
    tilde_enum.py Micah Hoffman @WebBreacherIIS TILDE ENUMERATION 11 $ ./tilde_enum.py -u http://iis /pentest/fuzzdb/discovery/predictableres/raft-small-words- lowercase.txt [-] Testing with dummy file request http://iis/lJP7ROxEoS.htm [-] URLNotThere -> HTTP Code: 404, Response Length: 1635 [-] Testing with user-submitted http://iis [-] URLUser -> HTTP Code: 200, Response Length: 1433 [+] The server is reporting that it is IIS (Microsoft- IIS/6.0). [+] The server is vulnerable to the tilde enumeration vulnerability (IIS/5|6.x).. [+] Found a new directory: docume [+] Found a new directory: javasc [+] Found file: parame . xml [+] Found file: 765432 . htm [+] Found file: _vti_i . htm [+] Found a new directory: _vti_s [-] Finished doing the 8.3 enumeration for /.
  • 12.
    tilde_enum.py (con’t) Micah Hoffman@WebBreacher IIS TILDE ENUMERATION 12 ---------- FINAL OUTPUT ------------------------------ [*] We found files for you to look at: [*] http://iis/_vti_inf.html - Size 1754 [*] http://iis/documentation/advertising.html - Size 227 [*] http://iis/documentation/default.aspx - Size 1433 [*] http://iis/javascript/321.xlsx - Size 227 [*] http://iis/parameter.xml - Size 1307 [*] Here are all the 8.3 names we found. [*] If any of these are 6 chars and look like they [snip] [*] http://iis/documentation/advert~1.htm [*] http://iis/documentation/defaul~1.asp [*] http://iis/765432~1.htm [*] http://iis/_vti_i~1.htm [*] http://iis/parame~1.xml [*] http://iis/javascript/321~1.xls
  • 13.
    Demo 13Micah Hoffman @WebBreacherIIS TILDE ENUMERATION
  • 14.
    Shortcomings…for now Doesn’t findall the files ◦ < 3 char file names ◦ ab.htm->abJHG7.htm ◦ Some other files are just missed ◦ Odd file names (test.htm.bak, Copy of micah.html) ◦ Words not in the word list Can DoS fragile servers Needs more ‘real-world’ testing No IIS7.x yet Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 14
  • 15.
    Future Features Better file/dirdetection Peek into authentication-required dirs Pull back file content and store locally IIS7 support Your suggestions Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 15
  • 16.
    Continue to… Investigate themysteries Ask questions ◦ What if? ◦ Reach out to others Share / Give back Challenge yourself ◦ Enhance your tools / processes / skills ◦ Don’t settle  Create! Micah Hoffman @WebBreacher EVERYONE MATTERS IN INFOSEC 16
  • 17.

Editor's Notes

  • #2 Every start something out that you thought was one thing and morphed to another? Yeah, that is this talk.
  • #3 As a senior infosec engineer, I mentor junior staff.They ask “How can I contribute?” “What can I do…I don’t have my [insert cert here]?”I tell them…
  • #4 This is so true!I’ve been backpacking and had that annoying buzzing in my tent. I didn’t sleep at all.Same is true for vulnerabilities. Sometimes the small ones matter the most. Don’t ignore them.