Sep 18, 2020
Using IIS shortname scanner, gets you 50% of the way there, by giving you the short names of files and folders on the server. However, the problem of identifying the rest of the file or folder name is still sometimes a challenge. Here is what the output from IIS Shortname Scanner could look like:
Testing request method: "DEBUG" with magic part: "\a.aspx" ... File: WEB~1.CON File: GLOBAL~1.ASA File: PACKAG~1.CON File: LOG4NE~1.CON File: WEB-CO~1.CON File: SITEBA~1.ZIP Dir: PROPER~1COS [-] PROPER~1.S # IIS Short Name (8.3) Scanner version 2.3.9 (05 February 2017) Target: http://REDACTED/bidsservice/ |_ Result: Vulnerable! |_ Used HTTP method: DEBUG |_ Suffix (magic part): \a.aspx |_ Extra information: |_ Number of sent requests: 701 |_ Identified directories: 1 |_ PROPER~1 |_ Indentified files: 6 |_ GLOBAL~1.ASA |_ LOG4NE~1.CON |_ PACKAG~1.CON |_ SITEBA~1.ZIP |_ WEB-CO~1.CON |_ WEB~1.CON |_ Actual file name = WEB Finished in: 13 second(s)
There are two main approaches you can take:
At the end of the first video I made on hacking IIS, I mentioned that I found a zip file in the docroot on an IIS server, that contained all of the application source code and secrets. This led to roughly a $3000 finding:
This was done by first running IIS shortname scanner, and then by using Google BigQuery to generate a list of zip files that start with the shortnames. I have found this to be an effective method in many cases, and it certainly does help.
Now, before we go into the “how” section, I want to share an anecdote:
Accidentally just ran a query on BigQuery that cost me $120 US (27 TB processed), ouch— shubs (@infosec_au) September 13, 2020
Before we start scouring through GitHub’s dataset, I want to make sure you avoid what happened to me. Some people on twitter suggested setting a quota for BigQuery so you cannot overspend, and that is solid advice here.
The pricing for BiqQuery is not so bad. The first terabyte of processing is free every month, and every terabyte after costs $5. See here for more details.
Typically, a single query against the GitHub dataset can be 300-500 GB of processing. With further optimization, you can bring these costs down.
To do this, go to https://console.cloud.google.com/iam-admin/quotas and set a quota for “BigQuery API - Query usage per day”:
Also, grab this Chrome Extension so that you can see the estimated costs per query.
Using BigQuery is incredibly simple to use. Instead of going into depth around how to use BigQuery for offensive purposes, I would like to direct you to the following resources we have already written or presented about:
This guide will help you get setup for BigQuery.
If you go through the resources above, you will truly understand the power of BigQuery when it comes to application security.
So, let’s go back to the example output I provided for IIS shortname scanner at the top of this blog post.
Did you notice
SITEBA~1.ZIP in the output?
Here is how you would pull down all files starting with
siteba and end with
.zip using BigQuery:
SELECT * FROM `bigquery-public-data.github_repos.files` WHERE (REGEXP_CONTAINS(path, r'(\/(?i)siteba[a-z0-9A-Z]+\.zip|^siteba[a-z0-9A-Z]+\.zip)')) LIMIT 1000
This returns the following:
Nice. I hadn’t considered that the file name could be called
sitebase.zip. In my head, I thought it could be something like
This is how BigQuery helps you in your process for guessing the correct file or folder name. It may not directly lead to the results but it will get you closer.
Why not just try all of the zip files available on BigQuery as a standard process in my testing? Sure, that’s an option too.
After reading this blog post, if you’ve tried BigQuery, and are still looking for the rest of the file or folder name, I then suggest using crunch to generate an appropriate wordlist to bruteforce the rest of the path with.
I cover some more concepts about IIS hacking in the video embedded below:
Find out how Assetnote can help you lock down your external attack surface.
Use the lead form below, or alternatively contact us via email by clicking here.