IIS Tilde Enumeration Vulnerability


Published on March 11, 2014

Author: webbreacher

Source: slideshare.net


New IIS tilde enumeration vulnerability exploiting script.

IIS Tilde Enumeration (re)Exploited Micah Hoffman @WebBreacher IIS TILDE ENUMERATION 1

Who am I?
◦ Pentester
◦ NoVA Hacker
◦ PwnWiki.io curator / czar
◦ Recon-ng module writer
◦ SANS Mentor (SEC542)
◦ Hiker / Backpacker

Sometimes it is the little things…

Low Risk Web Vulnerabilities
Things not directly exploitable
Information Leakage
◦ Directory Listings
◦ Detailed Errors
◦ Configuration Pages
◦ IIS Tilde Enumeration

What is this vuln?
IIS Tilde Enumeration Vulnerability
◦ Use HTTP response codes (400 or 404) to determine if a certain file/dir is on the system
http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf

An example
When completed, 8.3 file names are revealed (ex., docume~1.htm)
From the original PDF report…
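A defender's view of the technique above, as an added example that is not part of the original slides or of tilde_enum.py: because the enumeration compares 400 and 404 responses to requests carrying 8.3 short-name markers (a tilde followed by a digit), it stands out in IIS logs. The log lines, field subset, client addresses and threshold below are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# 8.3 short-name marker: a tilde followed by a digit, as in docume~1.htm.
# Paths such as /~user/ do not match.
SHORTNAME = re.compile(r"~\d")
PROBE_STATUSES = {"400", "404"}  # the two response codes the technique compares

# Constructed sample in IIS W3C extended log format (not from a real server).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2014-03-11 10:00:01 203.0.113.7 GET /docume~1 404
2014-03-11 10:00:01 203.0.113.7 GET /javasc~1 404
2014-03-11 10:00:02 203.0.113.7 GET /parame~1.xml 404
2014-03-11 10:00:02 203.0.113.7 GET /765432%7E1.htm 400
2014-03-11 10:00:03 203.0.113.7 GET /_vti_i~1.htm 400
2014-03-11 10:00:09 198.51.100.20 GET /~micah/index.html 200
2014-03-11 10:00:12 198.51.100.20 GET /report~1.pdf 404
2014-03-11 10:00:15 198.51.100.20 GET /default.aspx 200
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields: directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, parts))

def find_tilde_probing(text, threshold=5):
    """Return {client_ip: sorted distinct short-name paths} for clients that
    got 400/404 on at least `threshold` distinct paths (threshold is an
    assumed tuning value, not a figure from the slides)."""
    hits = defaultdict(set)
    for req in parse_w3c(text):
        path = unquote(req["cs-uri-stem"])  # also catch %7E-encoded tildes
        if SHORTNAME.search(path) and req["sc-status"] in PROBE_STATUSES:
            hits[req["c-ip"]].add(path)
    return {ip: sorted(p) for ip, p in hits.items() if len(p) >= threshold}

if __name__ == "__main__":
    for ip, paths in find_tilde_probing(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} short-name probes, first: {paths[0]}")
```

A single stray 404 on a short-name path (the second client in the sample) stays below the threshold, which keeps one-off broken links out of the alert.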

Tilde Java POC Scanner
Pros
◦ POC that there is a vuln
◦ Free on Google Code
◦ Fast
Cons
◦ Java
◦ Not recursive
◦ Only gives 8.3 names
◦ Can’t surf to 8.3 files = Low Risk Vuln

How can I do it better?
Make it in Python
Guess the file and dir names using wordlists
◦ Get us real, full file and dir names
Recursivenessitivity
◦ Go deep
Verbosity
◦ Show me whatcha finding
◦ Gimme response sizes (reduce False Positives)
Rate limiting for those ‘fragile’ systems

tilde_enum.py
https://github.com/WebBreacher/tilde_enum

    $ ./tilde_enum.py -h
    usage: tilde_enum.py [-h] [-b] [-d DIRWORDLIST] [-f] [-u URL] [-v] wordlist

    Exploits and expands the file names found from the tilde enumeration vuln

    positional arguments:
      wordlist        the wordlist file

    optional arguments:
      -h, --help      show this help message and exit
      -b              brute force backup extension, extensions
      -d DIRWORDLIST  an optional wordlist for directory name content
      -f              force testing of the server even if the headers do not
                      report it as an IIS system
      -u URL          URL to scan
      -v              verbose output

tilde_enum.py Example

    $ ./tilde_enum.py -u http://iis /pentest/fuzzdb/discovery/predictableres/raft-small-words-lowercase.txt
    [-] Testing with dummy file request http://iis/lJP7ROxEoS.htm
    [-] URLNotThere -> HTTP Code: 404, Response Length: 1635
    [-] Testing with user-submitted http://iis
    [-] URLUser -> HTTP Code: 200, Response Length: 1433
    [+] The server is reporting that it is IIS (Microsoft-IIS/6.0).
    [+] The server is vulnerable to the tilde enumeration vulnerability (IIS/5|6.x)..
    [+] Found a new directory: docume
    [+] Found a new directory: javasc
    [+] Found file: parame . xml
    [+] Found file: 765432 . htm
    [+] Found file: _vti_i . htm
    [+] Found a new directory: _vti_s
    [-] Finished doing the 8.3 enumeration for /.

tilde_enum.py Example con’t

    ---------- FINAL OUTPUT ------------------------------
    [*] We found files for you to look at:
    [*] http://iis/_vti_inf.html - Size 1754
    [*] http://iis/documentation/advertising.html - Size 227
    [*] http://iis/documentation/default.aspx - Size 1433
    [*] http://iis/javascript/321.xlsx - Size 227
    [*] http://iis/parameter.xml - Size 1307
    [*] Here are all the 8.3 names we found.
    [*] If any of these are 6 chars and look like they should work, try the file name with the first or second instead of all of them.
    [*] http://iis/documentation/advert~1.htm
    [*] http://iis/documentation/defaul~1.asp
    [*] http://iis/765432~1.htm
    [*] http://iis/_vti_i~1.htm
    [*] http://iis/parame~1.xml
    [*] http://iis/javascript/321~1.xls

Shortcomings…for now
Doesn’t find all the files
◦ < 3 char file names
◦ ab.htm->abJHG7.htm
◦ Some other files are just missed
◦ Odd file names (test.htm.bak, Copy of micah.html)
◦ Words not in the word list
Can DoS fragile servers
Needs more ‘real-world’ testing
No IIS7.x

Future Features
Better file/dir detection
Peek into authentication-required dirs
Pull back file content and store locally
IIS7 support
Your suggestions

Conclusions
Investigate the low risk vulns
Challenge yourself to enhance your tools
◦ Don’t settle → Create!
Share with the community

Questions
https://github.com/WebBreacher/tilde_enum
http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf
Novahackers.com
