everyone matters in infosec 2014

1

Everyone matters in infosecIIS TILDE ENUMERATION (RE)EXPLOITED

Micah Hoffman @WebBreacher EVERYONE MATTERS IN INFOSEC

2

Who am I?◦ Infosec Engineer / Pentester◦ NoVA Hacker◦ PwnWiki.io Curator◦ Recon-ng module Writer◦ SANS Instructor (SEC542)◦ Hiker / Backpacker


Novahackers.com

3

Sometimes it is the little things…


4

We can all contribute


System Admins

Management

Developers

Testers

Database Admins

Students

5

Ask yourself….


6

Low Risk Web Vulnerabilities

Things not directly exploitable

Information Leakage◦ Directory Listings◦ Detailed Errors◦ Configuration Pages◦ IIS Tilde Enumeration


IIS TILDE ENUMERATION 7

What is this vuln? IIS Tilde Enumeration Vulnerability

◦ Use HTTP response codes (400 or 404) to determine if a certain file/dir is on the system

http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf

Micah Hoffman @WebBreacher


An example


When completed, 8.3 file names are revealed (ex., docume~1.htm)

From the original PDF report…


Tilde Java POC Scanner Pros

◦ POC that there is a vuln◦ Free on Google Code◦ Fast

Cons◦ Java◦ Not recursive◦ Only gives 8.3 names◦ Can’t surf to 8.3 files =

Low Risk Vuln



How can we do it better?

Make it in Python

Guess the file and dir names using wordlists◦ Get us real, full file and dir names

Recursivenessitivity◦ Go deep

Verbosity◦ Show me whatcha finding◦ Gimme response sizes (reduce False Positives)

Rate limiting for those ‘fragile’ systems



tilde_enum.py


$ ./tilde_enum.py -u http://iis /pentest/fuzzdb/discovery/predictableres/raft-small-words-lowercase.txt

[-] Testing with dummy file request http://iis/lJP7ROxEoS.htm[-] URLNotThere -> HTTP Code: 404, Response Length: 1635[-] Testing with user-submitted http://iis[-] URLUser -> HTTP Code: 200, Response Length: 1433[+] The server is reporting that it is IIS (Microsoft-IIS/6.0).[+] The server is vulnerable to the tilde enumeration vulnerability (IIS/5|6.x)..[+] Found a new directory: docume[+] Found a new directory: javasc[+] Found file: parame . xml[+] Found file: 765432 . htm[+] Found file: _vti_i . htm[+] Found a new directory: _vti_s[-] Finished doing the 8.3 enumeration for /.


tilde_enum.py (con’t)


---------- FINAL OUTPUT ------------------------------[*] We found files for you to look at:[*] http://iis/_vti_inf.html - Size 1754[*] http://iis/documentation/advertising.html - Size 227[*] http://iis/documentation/default.aspx - Size 1433[*] http://iis/javascript/321.xlsx - Size 227[*] http://iis/parameter.xml - Size 1307

[*] Here are all the 8.3 names we found.[*] If any of these are 6 chars and look like they [snip][*] http://iis/documentation/advert~1.htm[*] http://iis/documentation/defaul~1.asp[*] http://iis/765432~1.htm[*] http://iis/_vti_i~1.htm[*] http://iis/parame~1.xml[*] http://iis/javascript/321~1.xls

13IIS TILDE ENUMERATION

Demo



Shortcomings…for now Doesn’t find all the files

◦ < 3 char file names◦ ab.htm->abJHG7.htm

◦ Some other files are just missed◦ Odd file names (test.htm.bak,

Copy of micah.html)◦ Words not in the word list

Can DoS fragile servers Needs more ‘real-world’ testing No IIS7.x yet



Future Features Better file/dir detection

Peek into authentication-required dirs

Pull back file content and store locally

IIS7 support

Your suggestions


16

Continue to… Investigate the mysteries Ask questions

◦ What if?◦ Reach out to others

Share / Give back Challenge yourself

◦ Enhance your tools / processes / skills◦ Don’t settle Create!


17

Questions?https://github.com/WebBreacher/tilde_enum

EVERYONE MATTERS IN INFOSECMicah Hoffman @WebBreacher

everyone matters in infosec 2014

Technology

suggestions micah hoffman

example micah hoffman

cont micah hoffman

http code

system http

u http

fragile systems micah

little things micah