IIS Tilde Enumeration (re)Exploited
Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 1
Who am I?
◦ Pentester
◦ NoVA Hacker
◦ PwnWiki.io curator / czar
◦ Recon-ng module writer
◦ SANS Mentor (SEC542)
◦ Hiker / Backpacker
Sometimes it is the little things…
Low Risk Web Vulnerabilities
Things not directly exploitable
Information Leakage
◦ Directory Listings
◦ Detailed Errors
◦ Configuration Pages
◦ IIS Tilde Enumeration
What is this vuln?
IIS Tilde Enumeration Vulnerability
◦ Use HTTP response codes (400 or 404) to determine if a certain file/dir is on the system
http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf
An example
When completed, 8.3 file names are revealed
(ex., docume~1.htm)
From the original PDF report…
Tilde Java POC Scanner
Pros
◦ POC that there is a vuln
◦ Free on Google Code
◦ Fast
Cons
◦ Java
◦ Not recursive
◦ Only gives 8.3 names
◦ Can’t surf to 8.3 files = Low Risk Vuln
How can I do it better?
Make it in Python
Guess the file and dir names using wordlists
◦ Get us real, full file and dir names
Recursivenessitivity
◦ Go deep
Verbosity
◦ Show me whatcha finding
◦ Gimme response sizes (reduce False Positives)
Rate limiting for those ‘fragile’ systems
tilde_enum.py
https://github.com/WebBreacher/tilde_enum
$ ./tilde_enum.py -h
usage: tilde_enum.py [-h] [-b] [-d DIRWORDLIST] [-f] [-u URL] [-v] wordlist
Exploits and expands the file names found from the tilde enumeration vuln
positional arguments:
wordlist the wordlist file
optional arguments:
-h, --help show this help message and exit
-b brute force backup extension, extensions
-d DIRWORDLIST an optional wordlist for directory name content
-f force testing of the server even if the headers do not
report it as an IIS system
-u URL URL to scan
-v verbose output
tilde_enum.py Example
$ ./tilde_enum.py -u http://iis /pentest/fuzzdb/discovery/predictableres/raft-small-words-lowercase.txt
[-] Testing with dummy file request http://iis/lJP7ROxEoS.htm
[-] URLNotThere -> HTTP Code: 404, Response Length: 1635
[-] Testing with user-submitted http://iis
[-] URLUser -> HTTP Code: 200, Response Length: 1433
[+] The server is reporting that it is IIS (Microsoft-IIS/6.0).
[+] The server is vulnerable to the tilde enumeration vulnerability (IIS/5|6.x)..
[+] Found a new directory: docume
[+] Found a new directory: javasc
[+] Found file: parame . xml
[+] Found file: 765432 . htm
[+] Found file: _vti_i . htm
[+] Found a new directory: _vti_s
[-] Finished doing the 8.3 enumeration for /.
tilde_enum.py Example (cont’d)
---------- FINAL OUTPUT ------------------------------
[*] We found files for you to look at:
[*] http://iis/_vti_inf.html - Size 1754
[*] http://iis/documentation/advertising.html - Size 227
[*] http://iis/documentation/default.aspx - Size 1433
[*] http://iis/javascript/321.xlsx - Size 227
[*] http://iis/parameter.xml - Size 1307
[*] Here are all the 8.3 names we found.
[*] If any of these are 6 chars and look like they should work, try the file name with the first or second instead of all of them.
[*] http://iis/documentation/advert~1.htm
[*] http://iis/documentation/defaul~1.asp
[*] http://iis/765432~1.htm
[*] http://iis/_vti_i~1.htm
[*] http://iis/parame~1.xml
[*] http://iis/javascript/321~1.xls
Shortcomings…for now
Doesn’t find all the files
◦ < 3 char file names
◦ ab.htm->abJHG7.htm
◦ Some other files are just missed
◦ Odd file names (test.htm.bak, Copy of micah.html)
◦ Words not in the word list
Can DoS fragile servers
Needs more ‘real-world’ testing
No IIS7.x
Future Features
Better file/dir detection
Peek into authentication-required dirs
Pull back file content and store locally
IIS7 support
Your suggestions
Conclusions
Investigate the low risk vulns
Challenge yourself to enhance your tools
◦ Don’t settle -> Create!
Share with the community
Questions
https://github.com/WebBreacher/tilde_enum
http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf
Micah Hoffman
@WebBreacher
Novahackers.com
Editor's Notes

#4 Start with a story. Ask people to think about their daily lives… Pick something that at the time appeared so small… such a little thing, but over time it grew. The same thing happens in penetration testing. You sometimes get a whole bunch of small things. Sometimes they remain small. But sometimes you can chain them together. Or sometimes a small vuln is the mother lode.