![tilde_enum.py
https://github.com/WebBreacher/tilde_enum
Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 9
$ ./tilde_enum.py -h
usage: tilde_enum.py [-h] [-b] [-d DIRWORDLIST] [-f] [-u URL] [-v] wordlist
Exploits and expands the file names found from the tilde enumeration vuln
positional arguments:
wordlist the wordlist file
optional arguments:
-h, --help show this help message and exit
-b brute force backup extension, extensions
-d DIRWORDLIST an optional wordlist for directory name content
-f force testing of the server even if the headers do not
report it as an IIS system
-u URL URL to scan
-v verbose output](https://image.slidesharecdn.com/iistildeenum2014-140310215038-phpapp01/85/IIS-Tilde-Enumeration-Vulnerability-9-320.jpg)
![tilde_enum.py Example
Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 10
$ ./tilde_enum.py -u http://iis
/pentest/fuzzdb/discovery/predictableres/raft-small-words-
lowercase.txt
[-] Testing with dummy file request http://iis/lJP7ROxEoS.htm
[-] URLNotThere -> HTTP Code: 404, Response Length: 1635
[-] Testing with user-submitted http://iis
[-] URLUser -> HTTP Code: 200, Response Length: 1433
[+] The server is reporting that it is IIS (Microsoft-
IIS/6.0).
[+] The server is vulnerable to the tilde enumeration
vulnerability (IIS/5|6.x)..
[+] Found a new directory: docume
[+] Found a new directory: javasc
[+] Found file: parame . xml
[+] Found file: 765432 . htm
[+] Found file: _vti_i . htm
[+] Found a new directory: _vti_s
[-] Finished doing the 8.3 enumeration for /.](https://image.slidesharecdn.com/iistildeenum2014-140310215038-phpapp01/85/IIS-Tilde-Enumeration-Vulnerability-10-320.jpg)
![tilde_enum.py Example
con’t
Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 11
---------- FINAL OUTPUT ------------------------------
[*] We found files for you to look at:
[*] http://iis/_vti_inf.html - Size 1754
[*] http://iis/documentation/advertising.html - Size 227
[*] http://iis/documentation/default.aspx - Size 1433
[*] http://iis/javascript/321.xlsx - Size 227
[*] http://iis/parameter.xml - Size 1307
[*] Here are all the 8.3 names we found.
[*] If any of these are 6 chars and look like they should
work, try the file name with the first or second instead of
all of them.
[*] http://iis/documentation/advert~1.htm
[*] http://iis/documentation/defaul~1.asp
[*] http://iis/765432~1.htm
[*] http://iis/_vti_i~1.htm
[*] http://iis/parame~1.xml
[*] http://iis/javascript/321~1.xls](https://image.slidesharecdn.com/iistildeenum2014-140310215038-phpapp01/85/IIS-Tilde-Enumeration-Vulnerability-11-320.jpg)
IIS Tilde Enumeration Vulnerability
- 1. IIS Tilde Enumeration (re)Exploited Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 1
- 2. Who am I? ◦ Pentester ◦ NoVA Hacker ◦ PwnWiki.io curator / czar ◦ Recon-ng module writer ◦ SANS Mentor (SEC542) ◦ Hiker / Backpacker Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 2
- 3. Sometimes it is the little things… Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 3
- 4. Low Risk Web Vulnerabilities Things not directly exploitable Information Leakage ◦ Directory Listings ◦ Detailed Errors ◦ Configuration Pages ◦ IIS Tilde Enumeration Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 4
- 5. What is this vuln? IIS Tilde Enumeration Vulnerability ◦ Use HTTP response codes (400 or 404) to determine if a certain file/dir is on the system http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability _feature.pdf Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 5
- 6. An example Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 6 When completed, 8.3 file names are revealed (ex., docume~1.htm) From the original PDF report…
- 7. Tilde Java POC Scanner Pros ◦ POC that there is a vuln ◦ Free on Google Code ◦ Fast Cons ◦ Java ◦ Not recursive ◦ Only gives 8.3 names ◦ Can’t surf to 8.3 files = Low Risk Vuln Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 7
- 8. How can I do it better? Make it in Python Guess the file and dir names using wordlists ◦ Get us real, full file and dir names Recursivenessitivity ◦ Go deep Verbosity ◦ Show me whatcha finding ◦ Gimme response sizes (reduce False Positives) Rate limiting for those ‘fragile’ systems Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 8
- 9. tilde_enum.py https://github.com/WebBreacher/tilde_enum Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 9 $ ./tilde_enum.py -h usage: tilde_enum.py [-h] [-b] [-d DIRWORDLIST] [-f] [-u URL] [-v] wordlist Exploits and expands the file names found from the tilde enumeration vuln positional arguments: wordlist the wordlist file optional arguments: -h, --help show this help message and exit -b brute force backup extension, extensions -d DIRWORDLIST an optional wordlist for directory name content -f force testing of the server even if the headers do not report it as an IIS system -u URL URL to scan -v verbose output
- 10. tilde_enum.py Example Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 10 $ ./tilde_enum.py -u http://iis /pentest/fuzzdb/discovery/predictableres/raft-small-words- lowercase.txt [-] Testing with dummy file request http://iis/lJP7ROxEoS.htm [-] URLNotThere -> HTTP Code: 404, Response Length: 1635 [-] Testing with user-submitted http://iis [-] URLUser -> HTTP Code: 200, Response Length: 1433 [+] The server is reporting that it is IIS (Microsoft- IIS/6.0). [+] The server is vulnerable to the tilde enumeration vulnerability (IIS/5|6.x).. [+] Found a new directory: docume [+] Found a new directory: javasc [+] Found file: parame . xml [+] Found file: 765432 . htm [+] Found file: _vti_i . htm [+] Found a new directory: _vti_s [-] Finished doing the 8.3 enumeration for /.
- 11. tilde_enum.py Example con’t Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 11 ---------- FINAL OUTPUT ------------------------------ [*] We found files for you to look at: [*] http://iis/_vti_inf.html - Size 1754 [*] http://iis/documentation/advertising.html - Size 227 [*] http://iis/documentation/default.aspx - Size 1433 [*] http://iis/javascript/321.xlsx - Size 227 [*] http://iis/parameter.xml - Size 1307 [*] Here are all the 8.3 names we found. [*] If any of these are 6 chars and look like they should work, try the file name with the first or second instead of all of them. [*] http://iis/documentation/advert~1.htm [*] http://iis/documentation/defaul~1.asp [*] http://iis/765432~1.htm [*] http://iis/_vti_i~1.htm [*] http://iis/parame~1.xml [*] http://iis/javascript/321~1.xls
- 12. Shortcomings…for now Doesn’t find all the files ◦ < 3 char file names ◦ ab.htm->abJHG7.htm ◦ Some other files are just missed ◦ Odd file names (test.htm.bak, Copy of micah.html) ◦ Words not in the word list Can DoS fragile servers Needs more ‘real-world’ testing No IIS7.x Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 12
- 13. Future Features Better file/dir detection Peek into authentication-required dirs Pull back file content and store locally IIS7 support Your suggestions Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 13
- 14. Conclusions Investigate the low risk vulns Challenge yourself to enhance your tools ◦ Don’t settle Create! Share with the community Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 14
- 15. Questions https://github.com/WebBreacher/tilde_enum http://soroush.secproject.com/downloadable/microsoft_iis_ tilde_character_vulnerability_feature.pdf IIS TILDE ENUMERATION 15 Micah Hoffman @WebBreacher Novahackers.com Micah Hoffman @WebBreacher
Editor's Notes
- #4: Start with a storyAsk people to think about their daily lives…Pick something that at the time appeared so small…such a little thing but over time it grewSame thing happens in penetration testingYou sometimes get a whole bunch of small things. Sometimes they remain small But sometimes you can chain them together Or sometimes a small vuln is the mother-load