
irsdl / iis-shortname-scanner


latest version of scanners for IIS short filename (8.3) disclosure vulnerability

Java 97.94% Batchfile 0.03% Shell 1.59% Dockerfile 0.44%


iis-shortname-scanner's Issues

Option to minimise false-positives outputs

To reduce false positive results when every single letter in a file/directory name is detected as a new instance.
This may lead to missing some of the files when they use similar names but will reduce false positives dramatically.
Example:
|_ INDEX~1
  |_ Actual directory name = INDEX
|_ INDEX~2
  |_ Actual directory name = INDEX
|_ INDEX~3
  |_ Actual directory name = INDEX
|_ INDE~1
  |_ Actual directory name = INDE
|_ INDE~2
  |_ Actual directory name = INDE
|_ INDE~3
  |_ Actual directory name = INDE
|_ IND~1
  |_ Actual directory name = IND
|_ IND~2
  |_ Actual directory name = IND
|_ IND~3
  |_ Actual directory name = IND
|_ IN~1
  |_ Actual directory name = IN
|_ IN~2
  |_ Actual directory name = IN
|_ IN~3
  |_ Actual directory name = IN
|_ I~1
  |_ Actual directory name = I
|_ I~2
  |_ Actual directory name = I
|_ I~3
  |_ Actual directory name = I
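One way to implement the requested option, written here as an added example rather than the scanner's own code: it reads the scanner's "Dir: NAME~N" / "File: NAME~N.EXT" result lines, merges the ~1/~2/~3 copies of one stem, and drops any stem that is a strict prefix of a longer reported stem. The SAMPLE lines are constructed from the tree in the issue plus one file entry.

```python
"""Collapse cascaded 8.3 short-name hits (INDEX~1, INDEX~2, INDE~1, ...) into
one entry per real item. Added example, not the scanner's code."""
import re
from collections import defaultdict

# Matches the scanner's result lines: kind, stem before '~N', optional extension.
_HIT = re.compile(r"^(Dir|File):\s+(.+?)~(\d+)(\.[^.]*)?$")

# Constructed sample input, modelled on the tree in the issue above.
SAMPLE = """Dir: INDEX~1
Dir: INDEX~2
Dir: INDEX~3
Dir: INDE~1
Dir: INDE~2
Dir: IND~1
Dir: IN~1
Dir: I~1
File: WEB~1.CON
File: WEB~2.CON
""".splitlines()


def parse_hits(lines):
    """Yield (kind, stem, ext) for every line that looks like a scanner hit."""
    for line in lines:
        m = _HIT.match(line.strip())
        if m:
            kind, stem, _n, ext = m.groups()
            yield kind, stem, ext or ""


def collapse(lines):
    """Return surviving hits as 'Kind: STEM<ext>' strings.

    The ~N copies of one stem merge into a single entry, and a stem that is a
    strict prefix of another reported stem of the same kind is dropped. As the
    issue notes, this can hide genuinely distinct items with similar names.
    """
    stems = defaultdict(set)  # kind -> {(stem, ext)}
    for kind, stem, ext in parse_hits(lines):
        stems[kind].add((stem, ext))
    kept = []
    for kind, entries in stems.items():
        names = {stem for stem, _ in entries}
        for stem, ext in sorted(entries):
            if any(other != stem and other.startswith(stem) for other in names):
                continue  # shorter prefix of a longer hit: treated as the same item
            kept.append(f"{kind}: {stem}{ext}")
    return kept
```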

Number of threads should be reduced - can be too late but reduced to...

Hi there. I'm getting this message on a particular host that I'm scanning.

I triggered shortname scanner with:

java -jar iis_shortname_scanner.jar 2 1 https://host

The scanner just keeps adding seconds to the sleep:

Testing request method: "DEBUG" with magic part: "\a.aspx" ...
Number of threads should be reduced - can be too late but reduced to:1
Sleep for 3 seconds...
Number of threads should be reduced - can be too late but reduced to:1
Sleep for 4 seconds...
Number of threads should be reduced - can be too late but reduced to:1
Sleep for 5 seconds...
Number of threads should be reduced - can be too late but reduced to:1
Sleep for 6 seconds...
Number of threads should be reduced - can be too late but reduced to:1
Sleep for 7 seconds...
Number of threads should be reduced - can be too late but reduced to:1
Sleep for 8 seconds...

I am using the version 2.3.8.

Java 10 (& maybe 9) reflective access security policy errors

Hi Soroush

Using OpenJDK10 the following error is produced. This may be due to additional Java security restrictions. Am currently just using an older Java 8 JRE instead (as haven't got free time to triage) but thought it best to make you aware of the issue in case you want to take a look and fix it :)

Cheers

Stuart


Scanning...

Testing request method: "DEBUG" with magic part: "\a.aspx" ...
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by IISShortNameScanner.IIS_ShortName_Scanner (file:/root/IIS-ShortName-Scanner/iis_shortname_scanner.jar) to field java.net.HttpURLConnection.method
WARNING: Please consider reporting this to the maintainers of IISShortNameScanner.IIS_ShortName_Scanner
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

Cookie mistake > I don't use "&" character in cookie

Hello,

I don't use the "&" character in the cookie (config.xml; entry key=cookies).

Note 1: Edit config.xml file to change the scanner settings, for instance to add additional headers.
Note 2: Sometimes it does not work for the first time and you need to try again.

False positives with cisco web panel.

Hi there.

I detected a wrong behavior where shortname scanner reports the asset as vulnerable.

In this case it was a Cisco web panel with basic authentication. I did know it was a Cisco at that time. But this may cause false positives even when it is an IIS with basic authentication.

In the case of HTTP code 401 in all methods, I guess the scanner should mark the asset as not vulnerable and indicate that the URL is protected with authentication.

Reflection issue in jdk 17+ with DEBUG requests

Hello,

Thank you for the awesome tool, but is there any way of making DEBUG requests work on jdk17+? I have tried both iis_shortname_scanner_jdk7.jar and iis_shortname_scanner.jar but there is always the error

HTTPReqResponse() - Retry: 9
java.lang.reflect.InaccessibleObjectException: Unable to make field private final sun.net.www.protocol.https.DelegateHttpsURLConnection sun.net.www.protocol.https.HttpsURLConnectionImpl.delegate accessible: module java.base does not "opens sun.net.www.protocol.https" to unnamed module @763d9750
	at java.base/java.lang.reflect.AccessibleObject.checkCanSetAccessible(AccessibleObject.java:354)
	at java.base/java.lang.reflect.AccessibleObject.checkCanSetAccessible(AccessibleObject.java:297)
	at java.base/java.lang.reflect.Field.checkCanSetAccessible(Field.java:178)
	at java.base/java.lang.reflect.Field.setAccessible(Field.java:172)
	at IISShortNameScanner.IIS_ShortName_Scanner.setRequestMethodUsingWorkaroundForJREBug(IIS_ShortName_Scanner.java:1538)
	at IISShortNameScanner.IIS_ShortName_Scanner.HTTPReqResponse(IIS_ShortName_Scanner.java:1401)
	at IISShortNameScanner.IIS_ShortName_Scanner.HTTPReqResponse(IIS_ShortName_Scanner.java:1520)
	at IISShortNameScanner.IIS_ShortName_Scanner.HTTPReqResponse(IIS_ShortName_Scanner.java:1520)
	at IISShortNameScanner.IIS_ShortName_Scanner.HTTPReqResponse(IIS_ShortName_Scanner.java:1520)
	at IISShortNameScanner.IIS_ShortName_Scanner.HTTPReqResponse(IIS_ShortName_Scanner.java:1520)
	at IISShortNameScanner.IIS_ShortName_Scanner.HTTPReqResponse(IIS_ShortName_Scanner.java:1520)
	at IISShortNameScanner.IIS_ShortName_Scanner.HTTPReqResponse(IIS_ShortName_Scanner.java:1520)
	at IISShortNameScanner.IIS_ShortName_Scanner.HTTPReqResponse(IIS_ShortName_Scanner.java:1520)
	at IISShortNameScanner.IIS_ShortName_Scanner.HTTPReqResponse(IIS_ShortName_Scanner.java:1520)
	at IISShortNameScanner.IIS_ShortName_Scanner.HTTPReqResponse(IIS_ShortName_Scanner.java:1520)
	at IISShortNameScanner.IIS_ShortName_Scanner.isReliable(IIS_ShortName_Scanner.java:1202)
	at IISShortNameScanner.IIS_ShortName_Scanner.doScan(IIS_ShortName_Scanner.java:544)
	at IISShortNameScanner.IIS_ShortName_Scanner.main(IIS_ShortName_Scanner.java:269)

The host was confirmed to be vulnerable using DEBUG requests via the IIS Tilde Enum Scanner burp plugin, but because of this error this tool does not find anything.

False-negatives in IIS Short Name (8.3) Scanner 2023.1

Hi @irsdl,

I updated the IIS Short Name (8.3) scanner and I discovered that the current version may have false-negative results.

Latest Version

java -jar iis_shortname_scanner.jar 'https://target.remote/'
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/libproxychains4.so
Do you want to use proxy [Y=Yes, Anything Else=No]? 
# IIS Short Name (8.3) Scanner version 2023.1 - scan initiated 2023/04/25 23:02:38
Target: https://target.remote/
|_ Result: Not vulnerable or no item was found. It was not possible to get proper/different error messages from the server. Check the inputs and try again.
|_ Extra information:
  |_ Number of sent requests: 2
OPTIONS /*~1*/a.aspx HTTP/1.1
Accept-Encoding: gzip, deflate
Host: target.remote
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.5
Date: Wed, 26 Apr 2023 04:02:36 GMT
Connection: close
Content-Length: 75

The page cannot be displayed because an internal server error has occurred.
OPTIONS /1234567890*~1*/a.aspx HTTP/1.1
Accept-Encoding: gzip, deflate
Host: target.remote
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD, POST
Server: Microsoft-IIS/7.5
Public: OPTIONS, TRACE, GET, HEAD, POST
X-Powered-By: ASP.NET
Date: Wed, 26 Apr 2023 04:02:38 GMT
Connection: close
Content-Length: 0

Older Version

java -jar ./iis_shortname_scanner.jar 'https://target.remote/' 
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/libproxychains4.so
# IIS Short Name (8.3) Scanner version 2.4 - scan initiated 2023/04/25 23:09:03
Target: https://target.remote/
|_ Result: Vulnerable!
|_ Used HTTP method: OPTIONS
|_ Suffix (magic part): /a.aspx
|_ Extra information:
  |_ Number of sent requests: 9

The older version is able to enumerate the files. The server's responses for the older version are the same as above.
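The decision the reporter expects from the quoted exchange (500 for a wildcard that can match a short name, 200 for one that cannot, as version 2.4 concluded), combined with the 401 rule proposed in the Cisco web panel issue above, written as an added example that is not the scanner's code. The request function is injected so everything below replays recorded status codes offline; the three fetchers and the method list are constructed assumptions.

```python
"""Vulnerable / protected / not-vulnerable decision for the IIS 8.3 probe.
Added example modelled on the issues above, not the scanner's own code."""
from typing import Callable, Sequence

# The two probe paths from the transcript: the first wildcard can match any
# 8.3 short name, the second is too long to match anything.
EXISTING_PROBE = "/*~1*/a.aspx"
MISSING_PROBE = "/1234567890*~1*/a.aspx"

Fetch = Callable[[str, str], int]  # (method, path) -> HTTP status code


def classify(fetch: Fetch, method: str) -> str:
    """Classify one HTTP method: 'vulnerable', 'protected' or 'not vulnerable'."""
    existing = fetch(method, EXISTING_PROBE)
    missing = fetch(method, MISSING_PROBE)
    if existing == 401 and missing == 401:
        return "protected"      # authentication answers before IIS touches the path
    if existing != missing:
        return "vulnerable"     # status depends on whether a short name exists
    return "not vulnerable"     # identical answers: no usable oracle


def classify_all(fetch: Fetch, methods: Sequence[str] = ("OPTIONS", "DEBUG")) -> str:
    """Cisco-issue rule across methods: 'protected' only when every method
    returned 401; any leaking method otherwise wins."""
    results = {classify(fetch, m) for m in methods}
    if "vulnerable" in results:
        return "vulnerable"
    if results == {"protected"}:
        return "protected"
    return "not vulnerable"


# Constructed fetchers replaying recorded behaviour (no network access).
def iis75_transcript(method: str, path: str) -> int:
    """Status codes taken from the 2023.1 transcript in the issue above."""
    return 500 if path == EXISTING_PROBE else 200

def basic_auth_panel(method: str, path: str) -> int:
    """A host that answers 401 to everything, as in the Cisco issue."""
    return 401

def waf_blocks_tilde(method: str, path: str) -> int:
    """A host behind a filter that rejects any path containing '~'."""
    return 403 if "~" in path else 200

if __name__ == "__main__":
    for name, f in [("IIS 7.5 transcript", iis75_transcript),
                    ("basic-auth panel", basic_auth_panel), ("WAF on '~'", waf_blocks_tilde)]:
        print(f"{name}: {classify_all(f)}")
```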

How to disable ask?

"How much delay do you want after each request in milliseconds [default=0]?"
and
"Do you want to use proxy [Y=Yes, Anything Else=No]?"

The scanner shows that we're vulnerable if rebuilt or run using any Java version other than 7

As Java 7 is getting harder to install on newer Linux distributions, I was forced to try the scanner with Java 8 and later.
Even if I rebuild the jar file using Java other than 7 and then run the new jar file using Java other than 7, the scanner would report false positives.
In fact, it looks like every possible pattern is found somehow when run with Java 8 (for example). I have filtering rules in AWS WAF in front of the actual IIS server which block any HTTP request with tilde symbol in it, but somehow the scanner thinks it found the pattern.
The list of "found" 8dot3 patterns would go way beyond the scrollback of my terminal.
An example:

File: %$%%$%~3.Z
File: %$%$$~1.1W1
File: %$$S~2.4WZ
File: %S$%%~3.1
File: %$`~2.4Z1
Dir: %$%%$))~1
File: %$$%$~1.W4Z
File: %$$%$`~1.11
Dir: %$%%$%`~1
File: %$%%)~1.1W
Dir: %S$%%)~1W4
File: %$%%$)~3.7
File: %$`~2.4Z4
File: %S$%~2.7Z
Dir: %$%%$))~2
File: %$%%$)~1.Z
File: %$%%)~2.14
File: %$`~2.741

There are no files in wwwroot that would match these patterns, I am 100% sure of it.

The scanner works as expected when using Java 7, no vulnerabilities are found (I know that, I've applied all the recommendations for mitigation of this vulnerability). But my customer is using Java 8 and keeps telling me that I did a bad job because the scanner on his machine (using Java 8) shows that the server is still vulnerable.

Please advise.
Thank you.

Stuck in a loop?

I'm not sure what's happening here. I've used this tool quite a bit for several years and I've run it against a box that appears to have the tool stuck in some kind of loop and I'm unsure why/how to fix it.

[screenshot attached to the issue]
Seems to start with 1 then 2, then 3, then 4 etc characters. Doesn't seem to detect web.config there though and I'm not sure why.
Running the tool with default options.

Any suggestions would be welcome.

java configuration

Does this tool only work with Java 7, and is there anywhere this can be set up and run in a distro like Kali Linux
without Java problems which might conflict with tools like Burp Suite?

Testing multiple directories

Testing a number of directories in a website at the same time. This should be implemented via the config file to add new directories when it is needed.
If directories start with "/" (absolute paths), it should try them from the root of website; otherwise, it should try them on the current path.

Problem while compiling

Error while compiling scanner.java

C:\Program Files\Java\jdk1.7.0_45\bin>javac.exe "C:\Program Files\Java\jdk1.7.0_45\bin\java_scanner\scanner.java" -Xlint:unchecked
C:\Program Files\Java\jdk1.7.0_45\bin\java_scanner\scanner.java:1206: warning: [unchecked] unchecked call to add(E) as a member of the raw type LinkedList
taskQueue.add(task);
^
where E is a type-variable:
  E extends Object declared in class LinkedList
1 warning

Type in the QUIT message

Press ENTER to "quite" --> "quit" 👎

or maybe we want the app to be quite good or just quiet?!
