Microsoft IIS Server Shortnames & Tilde Magic 🪄

Firas Al-Koussa
May 30, 2024


Introduction

When diving into security testing for IIS (Internet Information Services) servers, my initial focus is often on identifying the tilde (~) vulnerability. This vulnerability can reveal the existence of files and directories based on their short names. While the information disclosed might seem minor, it can be a critical step towards more significant exploitation.

What is the Tilde Vulnerability?

The tilde vulnerability exploits the way IIS handles legacy 8.3 filenames. When a request path contains a tilde (~) character, the server may respond differently depending on whether a matching short name exists, revealing a truncated filename like “example~1.txt” instead of “examplefile.txt”. This allows attackers to infer the presence of files and directories without knowing their full names.

(Screenshot: Shortname Scanner Results)

Guessing the Full Names 🤔

Once we identify potential filenames or directories, the challenge is to guess the full names. This process can be a blend of:

  1. Experience and Common Sense: Leveraging knowledge of common naming conventions and patterns.
  2. Fuzzing: Using automated tools to systematically try different names.

A particularly effective method is to take the partial names discovered by a tool like ShortScan by BitQuark and search for them on GitHub. This technique came to my attention after it was presented by Godfather Orwa.

Because I tend to face a lot of IIS servers, I decided to semi-automate the process. To do so, I developed a script: I feed the partial names into it, and it fetches suggestions from GitHub based on the file and directory names that exist on the platform.

This script can automate the process, making it faster and more efficient to identify valid names.

Developing GSNW — GitHub Shortname Wordlist 🔧

Here’s a simple approach to do this:

  1. Run ShortScan to identify partial file and folder names.
  2. Use GSNW (Github Short Name Wordlist) to search GitHub for files that match these partial names, providing you with suggestions for the full names.
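Whatever the candidate source (GitHub hits, a wordlist, experience), only names whose 8.3 form actually collapses to the disclosed short name are worth trying. The filter below is an added example, not GSNW or ShortScan code; it uses a simplified model of the NTFS 8.3 rules (uppercase, drop spaces and disallowed characters, keep only the last dot, six-character stem plus ~N, three-character extension; the ~N index is an assumption since it depends on collision order on the real volume). The same function lets an administrator check which files in a deployment would even get a tilde name.

```python
import re

# Characters NTFS keeps verbatim in an 8.3 name (simplified set, an assumption
# of this example; the real rules also substitute some Unicode characters).
_CH = r"[A-Z0-9_!#$%&'()@^{}-]"
_FITS = re.compile(rf"^{_CH}{{1,8}}(?:\.{_CH}{{1,3}})?$")
_DROP = re.compile(rf"[^{_CH[1:-1]}]")
_SHORT = re.compile(rf"^({_CH}{{1,6}})~(\d*)(?:\.({_CH}{{0,3}}))?$")


def short_name(long_name: str, index: int = 1) -> str:
    """Approximate the 8.3 short name NTFS generates for long_name."""
    upper = long_name.upper()
    if _FITS.match(upper):          # already a valid 8.3 name: no tilde name exists
        return upper
    stem = upper.lstrip('.')        # leading dots are discarded (".htaccess" -> HTACCE~1)
    base, dot, ext = stem.rpartition('.')
    if not dot:
        base, ext = stem, ''
    base = _DROP.sub('', base.replace('.', ''))   # only the final dot survives
    ext = _DROP.sub('', ext)[:3]
    short = f"{base[:6]}~{index}"
    return f"{short}.{ext}" if ext else short


def matches(disclosed: str, candidate: str) -> bool:
    """True if candidate's 8.3 form is consistent with a disclosed short name.

    Scanners report names like "SAPMAI~1", "WHATTH~" or "PARTIA~1.ZIP"; the
    ~N index may be missing or differ, so only stem and extension are compared.
    """
    want = _SHORT.match(disclosed.upper())
    have = _SHORT.match(short_name(candidate))
    if not (want and have):
        return False
    return (want.group(1) == have.group(1)
            and (want.group(3) or '') == (have.group(3) or ''))


def filter_wordlist(disclosed: str, words) -> list:
    """Keep only the candidates that could have produced the disclosed name."""
    return [w for w in words if matches(disclosed, w)]


if __name__ == "__main__":
    # Constructed sample candidates for the SAPMAI~1 directory from the post.
    print(filter_wordlist("SAPMAI~1", ["sapmail", "sapmailer", "sapmain", "web.config"]))
```

Note that seven-character names such as "sapmail" are dropped: they already fit 8.3, so Windows never generates a tilde name for them and they cannot be the source of a "SAPMAI~1" disclosure.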

Real World Scenario — Bug Bounty 🐞

I encountered a subdomain that was running IIS/7.5 which was vulnerable to the Tilde vulnerability. Running shortname scanner on it revealed some directory names and file names.

One of the interesting directories was SAPMAI~1. Running the GSNW tool on the keyword quickly gave me ideas as to what the file or directory could be.

A quick search and boom! We get some hits to try. We can also add those words to the wordlist we usually use when running the shortname scanner.

(Screenshot: GSNW Generator on SAPMAI)

The Actual Finding 🐘

To deliver on my initial promise, here is how I hacked a multinational company using the same exact method.

  1. It’s crucial to have your hands on all assets the company runs. It’s not just subdomain enumeration, it’s asset discovery.
  2. Run the short name scanner on all the Microsoft assets.

```bash
# httpx -td prints "url [technology]"; keep only the URL column before handing each target to the scanner
cat assets.txt | httpx -silent -td | grep Microsoft | awk '{print $1}' | xargs -I {} shortscanner -w iis_wordlist.txt {}
```

  3. I got a partial directory name called WHATTH~, so I fed the keyword to GSNW and drum roll…🥁

Not surprised anymore…

  4. Inside this directory, I ran shortscan again and got a hit for partial_asset_name with a .zip extension.
  5. I obviously knew the full asset name, so I downloaded the zip file and was able to access a DLL file.
  6. I decompiled the DLL file using dotPeek.
  7. I got credentials for an exposed service.

*Actually me when I’ve reported a critical using this same exact method and decided to share it with everyone here :)* 👇

This method not only saves time but also increases the accuracy of identifying critical files and directories that could be misconfigured.

Releasing the GSNW tool Saturday 1st of June on my GitHub — Follow me on Twitter (X) to get notified when it’s up.

https://twitter.com/retkoussa

💡 Tip: Always ensure you have the necessary permissions and are operating within legal and ethical boundaries when performing security testing. Happy hunting.
