Nmap Development mailing list archives
Re: [NSE] http-iis-short-name-brute.nse
From: "Dev (nmap)" <dev.kyckel () gmail com>
Date: Sun, 16 Sep 2012 19:43:00 +0200
Good point. I'll see if I can find some statistics on the most common files and folders (maybe nselib/data/http-folders can be used). Would you happen to have access to an IIS installation for testing purposes? :)
- Jesper

On 2012-09-16 19:26, Martin Holst Swende wrote:
> Hi,
>
> Cool, I wasn't aware of this until now! I browsed through the script, and have a comment :-
>
> When brute-forcing the extensions, you test each character alphabetically (right?), which would take on average (26+10)/2 = 18 requests per character to get right. If the script instead first tried the most common suffixes it would probably go way faster. (It could probably be even more advanced, e.g. combining the approaches by guessing one character at a time according to a tree-structure based on common suffixes.)
>
> Regards,
> Martin Holst Swende
>
> On 09/16/2012 05:12 PM, Dev (nmap) wrote:
>> Hi List,
>>
>> Attached is an NSE implementation of "iis-shortname-scanner-poc" from http://code.google.com/p/iis-shortname-scanner-poc/ .
>>
>> The script searches for the short name of files and dirs, example output:
>>
>> PORT STATE SERVICE REASON
>> 80/tcp open http
>> | http-iis-short-name-brute:
>> |   Folders
>> |     aspnet~1
>> |   Files
>> |     sql~1.bak
>> |_    test~1.php
>>
>> It still needs some testing, but currently I don't have access to an affected IIS installation. Any chance someone here has access to an IIS installation and can test it (or grant me permission to test on the platform)?
>>
>> - Jesper
>> _______________________________________________
>> Sent through the nmap-dev mailing list
>> http://cgi.insecure.org/mailman/listinfo/nmap-dev
>> Archived at http://seclists.org/nmap-dev/