Presentation about how everyone, no matter what their role in securing an organization is, can make a difference. Sometimes it is about taking a little vulnerability like the IIS Tilde Directory Enumeration vulnerability and building a better exploitation tool for it. Or perhaps contributing in other ways.
6. Low Risk Web Vulnerabilities
Things not directly exploitable
Information Leakage
◦ Directory Listings
◦ Detailed Errors
◦ Configuration Pages
◦ IIS Tilde Enumeration
Micah Hoffman @WebBreacher EVERYONE MATTERS IN INFOSEC 6
7. What is this vuln?
IIS Tilde Enumeration Vulnerability
◦ Use HTTP response codes (400 or 404) to determine if a certain file/dir is on the system
http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf
8. An example
When completed, 8.3 file names are revealed (ex., docume~1.htm)
From the original PDF report…
9. Tilde Java POC Scanner
Pros
◦ POC that there is a vuln
◦ Free on Google Code
◦ Fast
Cons
◦ Java
◦ Not recursive
◦ Only gives 8.3 names
◦ Can’t surf to 8.3 files = Low Risk Vuln
10. How can we do it better?
Make it in Python
Guess the file and dir names using wordlists
◦ Get us real, full file and dir names
Recursivenessitivity
◦ Go deep
Verbosity
◦ Show me whatcha finding
◦ Gimme response sizes (reduce False Positives)
Rate limiting for those ‘fragile’ systems
11. tilde_enum.py
$ ./tilde_enum.py -u http://iis /pentest/fuzzdb/discovery/predictableres/raft-small-words-lowercase.txt
[-] Testing with dummy file request http://iis/lJP7ROxEoS.htm
[-] URLNotThere -> HTTP Code: 404, Response Length: 1635
[-] Testing with user-submitted http://iis
[-] URLUser -> HTTP Code: 200, Response Length: 1433
[+] The server is reporting that it is IIS (Microsoft-IIS/6.0).
[+] The server is vulnerable to the tilde enumeration vulnerability (IIS/5|6.x)..
[+] Found a new directory: docume
[+] Found a new directory: javasc
[+] Found file: parame . xml
[+] Found file: 765432 . htm
[+] Found file: _vti_i . htm
[+] Found a new directory: _vti_s
[-] Finished doing the 8.3 enumeration for /.
12. tilde_enum.py (con’t)
---------- FINAL OUTPUT ------------------------------
[*] We found files for you to look at:
[*] http://iis/_vti_inf.html - Size 1754
[*] http://iis/documentation/advertising.html - Size 227
[*] http://iis/documentation/default.aspx - Size 1433
[*] http://iis/javascript/321.xlsx - Size 227
[*] http://iis/parameter.xml - Size 1307
[*] Here are all the 8.3 names we found.
[*] If any of these are 6 chars and look like they [snip]
[*] http://iis/documentation/advert~1.htm
[*] http://iis/documentation/defaul~1.asp
[*] http://iis/765432~1.htm
[*] http://iis/_vti_i~1.htm
[*] http://iis/parame~1.xml
[*] http://iis/javascript/321~1.xls
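The tool output above is what a scan looks like from the attacker's side. From the server side the same activity leaves a distinctive trail in the IIS W3C log: a burst of requests from one client whose path contains a tilde-digit stem, answered with a mix of the 400 and 404 codes that slide 7 says the technique keys on. The detector below is an added example, not code from the presentation or from tilde_enum.py; the log lines are constructed for it, and the per-client threshold is an assumption to tune for your own traffic.

```python
"""Added example: spot tilde-enumeration activity in an IIS W3C extended log.
The log lines below are constructed for this example; the detector and its
threshold are an assumption, not something tilde_enum.py or the slides provide."""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status sc-bytes
2013-05-01 10:00:01 203.0.113.5 GET /lJP7ROxEoS.htm - 404 1635
2013-05-01 10:00:01 203.0.113.5 GET /a~1.htm - 404 1635
2013-05-01 10:00:01 203.0.113.5 GET /b~1.htm - 404 1635
2013-05-01 10:00:01 203.0.113.5 GET /c~1.htm - 404 1635
2013-05-01 10:00:02 203.0.113.5 GET /d~1.htm - 400 0
2013-05-01 10:00:02 203.0.113.5 GET /da~1.htm - 404 1635
2013-05-01 10:00:02 203.0.113.5 GET /do~1.htm - 400 0
2013-05-01 10:00:03 203.0.113.5 GET /doc~1.htm - 400 0
2013-05-01 10:00:03 203.0.113.5 GET /docu~1.htm - 400 0
2013-05-01 10:00:03 203.0.113.5 GET /docum~1.htm - 400 0
2013-05-01 10:00:04 203.0.113.5 GET /docume~1.htm - 400 0
2013-05-01 10:00:05 198.51.100.7 GET /documentation/default.aspx - 200 1433
2013-05-01 10:00:06 198.51.100.7 GET /parameter.xml - 200 1307
2013-05-01 10:00:07 198.51.100.7 GET /report~1.xls - 404 1635
"""

# A short-name probe carries a tilde followed by a digit somewhere in the path.
TILDE = re.compile(r"~\d")


def parse_w3c(text):
    """Yield one dict per record, using the #Fields: directive for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split()))


def tilde_counts(text):
    """Number of tilde-probe requests per client IP."""
    counts = Counter()
    for rec in parse_w3c(text):
        if TILDE.search(rec["cs-uri-stem"]):
            counts[rec["c-ip"]] += 1
    return counts


def suspicious_clients(text, threshold=8):
    """Clients at or above the probe threshold, with their status-code mix.
    The 400/404 split is what the technique relies on (slide 7), so a client
    that collects both in bulk is the signal; a lone stale ~1 link is not."""
    statuses = defaultdict(Counter)
    for rec in parse_w3c(text):
        if TILDE.search(rec["cs-uri-stem"]):
            statuses[rec["c-ip"]][rec["sc-status"]] += 1
    return [(ip, sum(c.values()), dict(c)) for ip, c in statuses.items()
            if sum(c.values()) >= threshold]


if __name__ == "__main__":
    for ip, total, mix in suspicious_clients(SAMPLE_LOG):
        print(f"{ip}: {total} tilde probes, status mix {mix}")
```

The threshold is on volume rather than on a particular status code because which code a probe draws varies with IIS version and handler; a single `~1` request from a client is usually a stale short-name link, a run of them is a scan. The usual countermeasures are a request-filtering rule that denies URL sequences containing `~` and disabling 8.3 name generation on the volume, so that there is nothing for the probes to distinguish.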
14. Shortcomings…for now
Doesn’t find all the files
◦ < 3 char file names
◦ ab.htm->abJHG7.htm
◦ Some other files are just missed
◦ Odd file names (test.htm.bak, Copy of micah.html)
◦ Words not in the word list
Can DoS fragile servers
Needs more ‘real-world’ testing
No IIS7.x yet
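Slide 10's wordlist idea and slide 14's list of misses are two sides of the same rule: Windows builds an 8.3 alias from the first six cleaned characters of the long name, so a leaked stem like "docume" can be matched back to "documentation", while a name that already fits 8.3 gets no alias at all and a name with spaces or extra dots ("Copy of micah.html", "test.htm.bak") maps to a stem no wordlist contains. The following is an added example, not code from the presentation or from tilde_enum.py; it is a simplified model of the NTFS short-name rules (the hashed form used after the fourth collision is not modelled) and works entirely offline on names you supply.

```python
"""Added example: how Windows 8.3 short names are derived from long names,
and how a leaked stem such as "docume" can be matched back to full names
from a wordlist. Assumption: this is a simplified model of the NTFS rule
set, not code from tilde_enum.py or the presentation."""
import re

# Characters NTFS substitutes with "_" in short names (common subset; assumption).
_ILLEGAL = re.compile(r"[+,;=\[\]]")


def _clean(part):
    """Strip spaces, replace illegal characters and upper-case a name part."""
    return _ILLEGAL.sub("_", part.replace(" ", "")).upper()


def short_name(long_name, seq=1):
    """Return the 8.3 alias Windows would create for long_name, or None when
    the name already fits 8.3 and therefore gets no tilde alias at all.
    Only the first collision form (~1..~4 with a 6-char stem) is modelled;
    the hashed form Windows uses after the fourth collision is not."""
    base, _, ext = long_name.rpartition(".")
    if not base:                             # "documentation" or ".htaccess"
        base, ext = long_name.lstrip("."), ""
    stem = _clean(base.replace(".", ""))     # extra dots vanish: test.htm.bak
    short_ext = _clean(ext)
    as_8dot3 = f"{stem}.{short_ext}" if short_ext else stem
    if long_name.upper() == as_8dot3 and len(stem) <= 8 and len(short_ext) <= 3:
        return None
    alias = f"{stem[:6]}~{seq}"
    return f"{alias}.{short_ext[:3]}" if short_ext else alias


def candidates(leaked_stem, leaked_ext, words,
               extensions=("html", "htm", "aspx", "xml", "xlsx")):
    """The wordlist-guessing step from slide 10: return every word/extension
    combination whose 8.3 alias equals the leaked one (e.g. stem "advert",
    extension "htm"). An empty leaked_ext means a directory name."""
    wanted = f"{leaked_stem.upper()}~1"
    if leaked_ext:
        wanted += f".{leaked_ext.upper()}"
        names = [f"{w}.{e}" for w in words for e in extensions
                 if e.upper().startswith(leaked_ext.upper())]
    else:
        names = list(words)
    return [n for n in names if short_name(n) == wanted]


if __name__ == "__main__":
    for name in ["documentation", "_vti_inf.html", "default.aspx",
                 "ab.htm", "test.htm.bak", "Copy of micah.html"]:
        print(f"{name!r:24} -> {short_name(name)}")
    print(candidates("advert", "htm", ["advertising", "advert", "adverts"], ("html", "htm")))
    # Slide 14's miss: nothing in a normal wordlist maps to "copyof~1.htm"
    print(candidates("copyof", "htm", ["copy", "micah", "documentation"]))
```

Run against the names in the slide 12 output, `short_name` reproduces every alias listed there ("_VTI_I~1.HTM", "DEFAUL~1.ASP", "321~1.XLS", and so on), and `candidates` shows why several full names can share one alias: the scanner still has to request each guess to settle which one exists. For a defender the same function answers the inverse question, which of your own file and directory names would leak a recognisable stem.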
15. Future Features
Better file/dir detection
Peek into authentication-required dirs
Pull back file content and store locally
IIS7 support
Your suggestions
16. Continue to…
Investigate the mysteries
Ask questions
◦ What if?
◦ Reach out to others
Share / Give back
Challenge yourself
◦ Enhance your tools / processes / skills
◦ Don’t settle. Create!
Ever start something out that you thought was one thing and it morphed into another? Yeah, that is this talk.
As a senior infosec engineer, I mentor junior staff. They ask “How can I contribute?” “What can I do…I don’t have my [insert cert here]?” I tell them…
This is so true! I’ve been backpacking and had that annoying buzzing in my tent. I didn’t sleep at all. Same is true for vulnerabilities. Sometimes the small ones matter the most. Don’t ignore them.