Tilde Games: Exploiting 8.3 Shortnames on IIS Servers
Summary
IIS tilde enumeration (also called 8.3 short-name disclosure) is a weakness in Microsoft IIS (Internet Information Services) on Windows that lets an attacker confirm that files and directories exist in the web root, and recover part of their names, even when they are not linked from the site and not directly accessible.
It works by brute-forcing the MS-DOS era 8.3 aliases that NTFS still generates for long filenames: a name of at most eight characters (the first six characters of the long name, a tilde and a sequence number) plus an extension of at most three characters. For example, admin1.aspx is also reachable as ADMIN1~1.ASP and secretbackup.aspx as SECRET~1.ASP; a second file whose name starts with the same six characters gets SECRET~2.ASP. A name that already fits 8.3, such as secret1.txt, gets no alias at all.
The issue is less common than it used to be, but it is still exploitable wherever the volume has 8dot3 name creation enabled (historically the default) and the web server passes the tilde name through to the file system. Two caveats for defenders: turning the setting off does not remove aliases that already exist on disk, and aliases only exist for names that do not already fit 8.3. On the server, fsutil 8dot3name query shows the volume setting, dir /x lists the aliases in a directory, and fsutil 8dot3name strip removes existing ones.
Tools such as IIS-ShortName-Scanner exploit a difference in how IIS answers requests for names that contain a tilde and a wildcard. A request like /a*~1*/.aspx gets one response (for example 404 Not Found) when some short name begins with a, and a different one (for example 400 Bad Request) when none does. That yes/no signal is enough to recover every short name one character at a time, without ever reading a file.
Three things make the technique valuable to an attacker: it works on files that are not linked from anywhere; the recovered stems and extensions shrink the wordlist needed to brute-force the full long names; and even a partial name (BACKUP~1.ZIP, WEB~1.CON) tells you what is worth going after.
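To make the two halves of the technique concrete, the following is an added example (not code from the original post or from any scanner): a simplified model of how NTFS derives an 8.3 alias from a long name, and a scanner loop that recovers those aliases one character at a time. The `SimulatedIIS` class, its 404/400 status values and the `SAMPLE_WEBROOT` file list are all constructed for this example; the class is a stand-in for the real oracle, answering a glob pattern with 404 when some alias matches and 400 when none does, which is the one-bit signal the crafted requests give you in practice. The alias generator is deliberately simplified (real NTFS switches to a hash-based stem after ~4 and has extra character rules).

```python
"""Simulated IIS 8.3 short-name enumeration (added example, not from the post)."""
from fnmatch import fnmatchcase
import string

# Characters a scanner tries at each position (assumption: a typical charset).
ENUM_CHARSET = string.ascii_uppercase + string.digits + "_-"
VALID_83_CHARS = set(ENUM_CHARSET + "~!#$%&'()@^`{}")


def is_valid_83(name):
    """True if NAME (upper case) already fits 8.3, so NTFS makes no alias."""
    base, _, ext = name.partition(".")
    return (1 <= len(base) <= 8 and len(ext) <= 3 and "." not in ext
            and all(ch in VALID_83_CHARS for ch in base + ext))


def short_name(long_name, taken):
    """Return the 8.3 alias NTFS would generate for LONG_NAME, or None.

    Simplified model: stem = first six characters, '~N' bumped until the
    candidate is not in TAKEN, extension cut to three characters.
    """
    name = long_name.upper().replace(" ", "")
    if is_valid_83(name):
        return None
    base, dot, ext = name.rpartition(".")
    if not dot:                        # no extension at all
        base, ext = name, ""
    stem = base.replace(".", "")[:6]   # inner dots dropped, stem cut to 6
    ext = ext[:3]
    n = 1
    while True:
        cand = f"{stem}~{n}" + (f".{ext}" if ext else "")
        if cand not in taken:
            return cand
        n += 1


class SimulatedIIS:
    """Constructed target: a web root of long names and their aliases."""

    def __init__(self, long_names):
        self.short_names = []
        for name in long_names:
            alias = short_name(name, set(self.short_names))
            if alias:
                self.short_names.append(alias)
        self.requests = 0

    def probe(self, pattern):
        """Oracle: 404 if any alias matches glob PATTERN, else 400 (constructed)."""
        self.requests += 1
        hit = any(fnmatchcase(s, pattern) for s in self.short_names)
        return 404 if hit else 400


def _walk_ext(probe, stem, n, ext, found):
    """Recover the extension of STEM~N character by character."""
    name = f"{stem}~{n}" + (f".{ext}" if ext else "")
    if probe(name) == 404:             # exact pattern: this alias exists as-is
        found.append(name)
    if len(ext) == 3:
        return
    for c in ENUM_CHARSET:
        if probe(f"{stem}~{n}.{ext}{c}*") == 404:
            _walk_ext(probe, stem, n, ext + c, found)


def _walk_stem(probe, prefix, n, found):
    """Depth-first search over stems that share PREFIX and carry ~N."""
    if prefix and probe(f"{prefix}~{n}*") == 404:   # PREFIX is a complete stem
        _walk_ext(probe, prefix, n, "", found)
    if len(prefix) == 6:               # stems never exceed six characters
        return
    for c in ENUM_CHARSET:
        if probe(f"{prefix}{c}*~{n}*") == 404:
            _walk_stem(probe, prefix + c, n, found)


def enumerate_short_names(probe, max_tilde=4):
    """Recover every 8.3 alias the oracle PROBE will confirm, sorted."""
    found = []
    for n in range(1, max_tilde + 1):
        if probe(f"*~{n}*") != 404:   # sequence numbers are assigned in order
            break
        _walk_stem(probe, "", n, found)
    return sorted(found)


SAMPLE_WEBROOT = [                     # constructed sample directory listing
    "secretbackup.aspx", "secretnotes.aspx", "web.config",
    "administration-panel.aspx", "admin1-panel.aspx",
    "uploads_archive", "index.html", "readme.txt",
]


def demo():
    """Run the scanner against the constructed target; return (names, requests)."""
    target = SimulatedIIS(SAMPLE_WEBROOT)
    return enumerate_short_names(target.probe), target.requests


if __name__ == "__main__":
    names, reqs = demo()
    print(f"{len(names)} short names recovered in {reqs} requests")
    for name in names:
        print(" ", name)
```

Note what the result leaks: `WEB~1.CON` and `UPLOAD~1` are enough to guess `web.config` and an uploads directory, and `readme.txt` is invisible because it already fits 8.3 and so has no alias. Against a real server the `probe` function would issue the crafted HTTP requests and map the two distinguishable responses to the same yes/no answer.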