Internet Information Server (IIS) is an extensible web server created by Microsoft for the Windows NT family (NT 3.1 through Windows Server 2016). Besides HTTP it supports further protocols such as NNTP (Network News Transfer Protocol). IIS also implements several authentication mechanisms (e.g. HTTP basic authentication).
Microsoft introduced a filename convention called SFN (short filename) so that legacy programs (e.g. MS-DOS) can access files that have a long filename. Whenever a file is created, a matching SFN entry is generated for it (list them with dir /x) according to the following rules:
example.txt => EXAMPLE.TXT (filename <= 8 chars: converted to uppercase)
if-filename-longer-than-8-chars.txt => IF-FIL~1.txt (filename > 8 chars: first 6 chars + "~" + an incrementing number)
This behaviour can be combined with the way IIS answers requests for an existent vs. a nonexistent file (HTTP status code 200/404/400) to enumerate files on the server, one character of the short name at a time. Example:
test.com/*~1*/.aspx => 404: valid (one or more files with an SFN exist)
test.com/a*~1*/.aspx => 404: valid (a short name starts with "A")
test.com/aa*~1*/.aspx => 400: invalid (the second letter is not "A")
test.com/ac*~1*/.aspx => 404: valid (the second letter is "C")
test.com/acsecr~1/.aspx => 400: invalid (it is not a folder and it has an extension)
test.com/acsecr~1.%3f%3f%3f/.aspx => 404: valid (the extension has 3 or more chars; %3f = "?" [URL-encoded])
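Because every probe in the sequence above carries a "~<digit>" token plus a wildcard ("*" or "?") and is answered with 400 or 404, the pattern is easy to spot in IIS W3C logs. The following detector is an added example (not code from the original page or from the tools listed below); the log lines are constructed, and the field layout is taken from the #Fields header, so it works with any W3C field selection that includes cs-uri-stem, c-ip and sc-status.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample IIS W3C log (not a real server log); one client runs the
# probe sequence from the text, another makes ordinary requests.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-01-01 10:00:00 10.0.0.5 GET /index.aspx - 80 - 198.51.100.7 Mozilla/5.0 200
2024-01-01 10:00:01 10.0.0.5 GET /*~1*/.aspx - 80 - 203.0.113.9 python-requests/2.31 404
2024-01-01 10:00:02 10.0.0.5 GET /a*~1*/.aspx - 80 - 203.0.113.9 python-requests/2.31 404
2024-01-01 10:00:03 10.0.0.5 GET /aa*~1*/.aspx - 80 - 203.0.113.9 python-requests/2.31 400
2024-01-01 10:00:04 10.0.0.5 GET /acsecr~1.%3f%3f%3f/.aspx - 80 - 203.0.113.9 python-requests/2.31 404
2024-01-01 10:00:05 10.0.0.5 GET /report~1.pdf - 80 - 198.51.100.7 Mozilla/5.0 200
"""

# A path segment that contains "~<digit>" together with a wildcard, in either order.
# A plain short name without wildcards (e.g. /report~1.pdf) is not treated as a probe.
TILDE_PROBE = re.compile(r"[^/]*~\d[^/]*[*?]|[*?][^/]*~\d")
PROBE_STATUSES = {"400", "404"}  # the two answers the enumeration relies on

def parse_w3c(log_text):
    """Yield one dict per data line, keyed by the names in the last #Fields header."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def is_tilde_probe(uri_stem):
    """True when the URL-decoded request path looks like a short-name wildcard probe."""
    return TILDE_PROBE.search(unquote(uri_stem)) is not None

def find_tilde_probes(log_text, min_hits=3):
    """Return {client_ip: {status: count}} for clients with at least min_hits probes."""
    hits = defaultdict(Counter)
    for rec in parse_w3c(log_text):
        if is_tilde_probe(rec["cs-uri-stem"]) and rec["sc-status"] in PROBE_STATUSES:
            hits[rec["c-ip"]][rec["sc-status"]] += 1
    return {ip: dict(c) for ip, c in hits.items() if sum(c.values()) >= min_hits}

if __name__ == "__main__":
    print(find_tilde_probes(SAMPLE_LOG))  # {'203.0.113.9': {'404': 3, '400': 1}}
```

The min_hits threshold suppresses single stray requests; a real enumeration run produces dozens of such probes from one client within seconds.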
Several tools automate this enumeration process:
Tool #1 (Java): https://github.com/irsdl/iis-shortname-scanner
Tool #2: https://github.com/WebBreacher/tilde_enum (this script tries to go further)