tilde_enum's People

Contributors

darkmatter1505, h5a337230, pishgaman-org, vulp1n3, webbreacher, ztgrace

tilde_enum's Issues

Throttle guessing

Introduce a -w param that inserts a "wait" time for x msec between requests

[!] [Error] Can't read the wordlist file you entered.

Can't seem to get this tool to accept the wordlist I specified.

python2 tilde_enum.py -u 'https://www.sometarget.com' -d '/root/tools/fuzzdb/discovery/predictable-filepaths/filename-dirname-bruteforce/raft-small-words-lowercase.txt'
[-] Testing with dummy file request https://www.sometarget.com/whVrHG1NsM.htm
[-] URLNotThere -> HTTP Code: 404, Response Length: 725
[-] Testing with user-submitted https://www.sometarget.com
[-] URLUser -> HTTP Code: 200, Response Length: 18159
[!] [Error] Can't read the wordlist file you entered.

tilde_enum crash

tilde_enum.py --no-check-certificate -u https://sometarget -d ../fuzzdb/discovery/predictable-filepaths/filename-dirname-bruteforce/raft-large-directories.txt -w ../fuzzdb/discovery/predictable-filepaths/filename-dirname-bruteforce/raft-large-files.txt
[-]  Testing with dummy file request https://sometarget/B9s35gaJQh.htm
[-]    URLNotThere -> HTTP Code: 404, Response Length: 1245
[-]  Testing with user-submitted https://sometarget
[-]    URLUser -> HTTP Code: 200, Response Length: 4027
[+]  The server is reporting that it is IIS (Microsoft-IIS/7.0).
[+]  The server is vulnerable to the tilde enumeration vulnerability (IIS/5|6.x)..
[-]  Finished doing the 8.3 enumeration for /.
[-]  Now starting the word guessing using word list calls
Traceback (most recent call last):
  File "tilde_enum.py", line 669, in <module>
    if __name__ == "__main__": main()
  File "tilde_enum.py", line 522, in main
    performLookups(findings, url_good)
  File "tilde_enum.py", line 375, in performLookups
    test_response_length = url_response.headers['Content-Length']
  File "/usr/lib/python2.7/rfc822.py", line 393, in __getitem__
    return self.dict[name.lower()]
KeyError: 'content-length'

Allow users to ignore SSL issues

Currently the script just dies on us if the server cert can't be verified. You can fix this by creating a urllib2 context:

# Ignore SSL issues context
import ssl
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE

and in getWebServerResponse:

response = urllib2.urlopen(req, context=ctx)

Surprisingly, still finding this script useful from time to time, but need support for self-signed certs :)

Recursive

Have the script descend into subdirs instead of just doing root

Implement the IIS7 checks

Currently we only work on IIS5/6 servers. IIS7, according to the paper, uses response codes inside the body of the response instead of server header response codes.

try ~2 and ~3

For each file found in the 8.3 format, try a ~2 and ~3 in addition to the ~1 to see if there are multiple files there with the same root.

Will need to come up with a way of presenting this. Actually, does this matter since each of them would have the same "lookup" in the word list? So if we found 'parame1.htm' and 'parame2.htm' we'd look up in the word list PARAME and so both of the files could be found.

AttributeError: 'URLError' object has no attribute 'code'

Running the following command I get the error below. I have tried multiple wordlists and get the same results.

./tilde_enum.py -u https://iis -w /usr/share/dirb/wordlists/vulns/iis.txt
[-] Testing with dummy file request https://iis/cl3qBgsLMr.htm
[-] URLNotThere -> HTTP Code: 404, Response Length: 5199
[-] Testing with user-submitted https://iis
[-] URLUser -> HTTP Code: 200, Response Length: 0
[+] The server is reporting that it is IIS (Microsoft-IIS/7.5).
[+] The server is vulnerable to the tilde enumeration vulnerability (IIS/5|6.x)..
[+] Found file: ac_run . js
[+] Found a directory: afrore
[+] Found a directory: alanfl
Traceback (most recent call last):
  File "./tilde_enum.py", line 672, in <module>
    if __name__ == "__main__": main()
  File "./tilde_enum.py", line 515, in main
    findings = checkEightDotThreeEnum(url.scheme + '://' + url.netloc, check_string, url.path)
  File "./tilde_enum.py", line 317, in checkEightDotThreeEnum
    fileOrDir(files, url, stub)
  File "./tilde_enum.py", line 252, in fileOrDir
    checkForDirectory(url+stub)
  File "./tilde_enum.py", line 241, in checkForDirectory
    if resp.code == 404:
AttributeError: 'URLError' object has no attribute 'code'

Issues from darkmatter

@darkmatter1505 - Please put issues with the code/bugs in the issues tab and not as comments in the code. I've moved your question here.

When running the script with options -v -f -w /usr/share/golismero/wordlist/fuzzdb/Discovery/PredictableRes/raft-small-directories-lowercase.txt --no-check-certificate

I get the following:
[-] URLUser -> HTTP Code: 200, Response Length: 89616
[+] HTTP Response Codes: {'user_length': 89616, 'not_there_length': 46926, 'user_code': 200, 'not_there_code': 404}
[+] Opened wordlist /usr/share/golismero/wordlist/fuzzdb/Discovery/PredictableRes/raft-small-directories-lowercase.txt successfully
[+] The server is reporting that it is IIS (Microsoft-IIS/7.5).
[+] The server is vulnerable to the tilde enumeration vulnerability (IIS/5|6.x)..
[+] Found file: asp . a
[+] Found file: ind . a
[+] Found file: web . a
[-] Finished doing the 8.3 enumeration for /.
Files: {'/': ['asp.a', 'ind.a', 'web.a']}
Dirs: []
[-] Now starting the word guessing using word list calls
[-] File name (asp) too short to look up in word list. We will use it to bruteforce.
Traceback (most recent call last):
  File "./tilde_enum.py", line 668, in <module>
    if __name__ == "__main__": main()
  File "./tilde_enum.py", line 521, in main
    performLookups(findings, url_good)
  File "./tilde_enum.py", line 339, in performLookups
    filename_matches.append(filename)
UnboundLocalError: local variable 'filename_matches' referenced before assignment

Any assistance would be helpful.

Issues when making web requests with a space in the URL

Line 47 sets the chars variable to include the space character. However, the program does not URL encode the space before making a web request. As a result, the program issues invalid HTTP requests.

The space should be URL encoded before making the web request or removed from the list of characters to test.

check default files in each dir

Right now, when we find a new dir we check http://url/dirname/. If the web server is not configured to display some default page there, we'll get a 404 (dir listings forbidden), which gives us a false negative.

This enhancement is to cycle through a list of default file names (iisstart.ht, default.asp, index.htm...) when checking if the dir is there or not.

Add proxy support

Add the ability to send requests through a proxy (like Burp Suite Pro) for logging, inspection, tunneling, etc.

The following code is a quick way to add support for this feature:

import urllib2
parser.add_argument('-p', dest='proxy',default='', help='Use a proxy host:port')
if args.proxy:
    print bcolors.PURPLE + '[-]  Using proxy for requests: ' + args.proxy
    proxy = urllib2.ProxyHandler({'http': args.proxy, 'https': args.proxy})
    opener = urllib2.build_opener(proxy)
    urllib2.install_opener(opener)

Tilde_enum issues

Hi. I contacted you on Twitter, here are the issues I'm having with the scanner...

I ran this scan on 3 different websites and received 3 different errors, one for each scan...
(1)
File "C:\Users\Me\Desktop\Downloads\tilde_enum-master (1)\tilde_enum-master\tilde_enum.py", line 255, in checkEightDotThreeEnum
if resp1.code == 404: # Got the first valid char
AttributeError: 'int' object has no attribute 'code'

(2)
File "C:\Users\Me\Desktop\Downloads\tilde_enum-master (1)\tilde_enum-master\tilde_enum.py", line 231, in checkForDirectory
if resp.code == 404:
AttributeError: 'URLError' object has no attribute 'code'

(3)
[Error] Can't read the wordlist file you entered.

Details: The word list I am using is the one recommended in the tilde_enum instructions (the ones from fuzzdb). I downloaded fuzzdb-1.09.tgz, then copied the folders PredictableRes and FileNameBruteForce and placed them into my tilde_enum master file just to keep things organized.

The wordlists I used were: raft small-words.txt and raft medium-words.txt

I also ran the scan using the small-words and medium words text found in the original PredictableRes and FileNameBruteForce folders from the fuzzdb download directory to make sure the error wasn't a result of the files being screwed or something when I copied them to my tilde_enum folder... I received the same error.

My system: I am running Windows 8.1 (rolls eyes)

Thanks for your help!!

Error Scanning sites

I have been getting this error with the last couple of sites I have tried to scan.

Traceback (most recent call last):
  File "../../Tools/tilde_enum-master/tilde_enum.py", line 669, in <module>
    if __name__ == "__main__": main()
  File "../../Tools/tilde_enum-master/tilde_enum.py", line 512, in main
    findings = checkEightDotThreeEnum(url.scheme + '://' + url.netloc, check_string, url.path)
  File "../../Tools/tilde_enum-master/tilde_enum.py", line 314, in checkEightDotThreeEnum
    fileOrDir(files, url, stub)
  File "../../Tools/tilde_enum-master/tilde_enum.py", line 245, in fileOrDir
    filename = findExtension(url, stub)
  File "../../Tools/tilde_enum-master/tilde_enum.py", line 203, in findExtension
    if resp1a.code == 404: # Got the first valid char
AttributeError: 'int' object has no attribute 'code'
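
Added example (not tilde_enum's own code): one way to make a response helper survive the three crash classes reported in the issues above, namely the missing Content-Length header, a URLError that has no .code, and a bare value arriving where a response object was expected. It is written for Python 3's urllib.error rather than the tool's Python 2 urllib2, and the names summarize, fake_fetch and example.test are made up for the demonstration.

```python
import io
import urllib.error
import urllib.response
from email.message import Message


def summarize(fetch, url):
    """Return (status, length, error) for one request and never raise.

    fetch is any callable that behaves like urllib.request.urlopen; it is
    injected (an assumption of this example) so the demo runs offline.
    """
    try:
        resp = fetch(url)
    except urllib.error.HTTPError as exc:
        # 4xx/5xx: the exception is itself a response with .code and headers.
        # It must be caught before URLError, which is its parent class.
        resp = exc
    except urllib.error.URLError as exc:
        # DNS, TLS or socket failure: there is no HTTP status to read.
        return None, None, str(exc.reason)
    body = resp.read()
    # Chunked responses carry no Content-Length, so measure the body instead.
    declared = resp.headers.get("Content-Length", "")
    length = int(declared) if declared.isdigit() else len(body)
    return resp.code, length, None


def _headers(pairs):
    msg = Message()
    for name, value in pairs:
        msg[name] = value
    return msg


def fake_fetch(url):
    """Constructed stand-in for urlopen covering the three cases above."""
    if url.endswith("/missing"):
        raise urllib.error.HTTPError(
            url, 404, "Not Found", _headers([("Content-Length", "5")]),
            io.BytesIO(b"nope!"))
    if url.endswith("/down"):
        raise urllib.error.URLError("connection refused")
    return urllib.response.addinfourl(
        io.BytesIO(b"chunked body"), _headers([]), url, 200)


if __name__ == "__main__":
    for path in ("/", "/missing", "/down"):
        print(path, summarize(fake_fetch, "http://example.test" + path))
```

Because every path returns the same three-field tuple, callers compare the status field against 404 directly and check the error field first, instead of reading .code from whatever object came back.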
