Microsoft IIS short file name enumeration is a technique used to discover the filenames and directories on a web server running IIS. This method exploits a feature in IIS related to how it handles file and directory names. This vulnerability is kind of the gift that keeps on giving. As of writing, it’s been around for well over a decade.
IIS supports the 8.3 filename format, a legacy from the old DOS days, where filenames were limited to 8 characters plus a 3 character extension. When a file or directory is created with a long name (more than 8 characters), IIS also creates an alias following the 8.3 convention. For example, a file named “exampledocument.txt” might also have a shortname like “EXAMPL~1.TXT”.
The enumeration technique involves sending specially crafted HTTP requests to the server and interpreting the responses to guess the shortnames of files and directories. This is typically done by trying different combinations of characters for the shortname and observing the server’s response. For instance, a request for “EXAMPL~1.TXT” might return a different HTTP status code than a request for a non-existent shortname.
The vulnerability arises because the responses can be used to infer the existence or absence of certain files or directories, even when directory listing is disabled. By iteratively guessing and refining these short names, an attacker can enumerate a list of files and directories on the server. This information can be used for various malicious purposes, such as identifying sensitive files or directories, crafting more targeted attacks, or gaining unauthorized access.
But don’t just take it from us, go read it directly from the discoverer here.
Well, for us penetration testers and bug bounties hunters, this vulnerability could lead to some significant findings. It can potentially discover files and directories that normal brute forcing would not have found. And I’m sure you know where this could go. Imagine you discover some sensitive PII disclosure in a file, or an admin panel using default credentials.
To mitigate this vulnerability, server administrators can disable 8.3 name creation on their NTFS file systems, or use URL rewrite rules to prevent this type of probing.
To disable the function, change the following registry value & reboot the system
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
NtfsDisable8dot3NameCreation
Set it to 1 (Default value is 2 for 2012 & up, earlier it was 0)
Yes! Even the latest versions of IIS are vulnerable, and thankfully, there are tools out there to help you. Check out Shortscan or Portswigger’s IIS Tilde Enumeration Scanner. It’s become something that you should default scan for whenever you come across IIS, and many large scale bug bounty automation setups include this in their numerous checks.
As always, reach out to Brackish if you want all your short file names enumerated!