Re: http-iis-short-name-brute.nse BUG?

["Dev (nmap)" <dev.kyckel () gmail com>]

On 2012-09-26 02:33, Patrik Karlsson wrote:
> On Wed, Sep 26, 2012 at 12:38 AM, Dev (nmap) <dev.kyckel () gmail com 
> <mailto:dev.kyckel () gmail com>> wrote:
>
>     Hi Richard,
>
>     Thanks for testing the script.
>
>     In regards to your first question, the script only finds the short
>     name of the files, this means the first 6 letters in the
>     file/folder name and the last 3 letters of the extension. This
>     means that in the case of, say, 'test~1.asp', the full file name
>     is known, since only 4 letters have been found, and it seems that
>     the extension also has been found since '.asp' is a valid
>     extension.  But since only 3 letters of the extension can be
>     found, the real extension might be (and in this case, it is) '.aspx'.
>
>     If you'd like to know more about the inter-workings, the original
>     POC author has written a more in depth description of the method:
>     http://code.google.com/p/iis-shortname-scanner-poc/ in the
>     research file.
>
>     The script requires that the service is identified as a 'http'
>     service, so you could try to add the '-sV' option to your command.
>
>     Hope this helps.
>
>     Regards,
>
>
>     Jesper
>
>
> You could also force script execution by prefixing the script with a 
> plus (+) which would execute it against any open port.
> Comparing to -sV it's a little faster as Nmap doesn't do any version 
> or application detection.
>
> //Patrik
>
> --
> Patrik Karlsson
> http://www.cqure.net
> http://twitter.com/nevdull77
Thanks for the tip! I didn't know that.
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/