An IIS short filename enumeration tool.
Shortscan is designed to quickly determine which files with short filenames exist on an IIS webserver. Once a short filename has been identified the tool will try to automatically identify the full filename.
In addition to standard discovery methods Shortscan also uses a unique checksum matching approach to attempt to find the long filename where the short filename is based on Windows' propriatary shortname collision avoidance checksum algorithm (more on this research at a later date).
Using a recent version of go:
go install github.com/bitquark/shortscan/cmd/shortscan@latest To build (and optionally install) locally:
go get && go build go install Shortscan is easy to use with minimal configuration. Basic usage looks like:
$ shortscan http://example.org/ You can also specify a file containing a list of URLs to be scanned:
$ shortscan @urls.txt This example sets multiple custom headers by using --header/-H multiple times:
shortscan -H 'Host: gibson' -H 'Authorization: Basic ZGFkZTpsMzN0' To check whether a site is vulnerable without performing file enumeration use:
shortscan --isvuln The following options allow further tweaks:
🌀 Shortscan v0.9.2 · an IIS short filename enumeration tool by bitquark Usage: main [--wordlist FILE] [--header HEADER] [--concurrency CONCURRENCY] [--timeout SECONDS] [--output format] [--verbosity VERBOSITY] [--fullurl] [--norecurse] [--stabilise] [--patience LEVEL] [--characters CHARACTERS] [--autocomplete mode] [--isvuln] URL [URL ...] Positional arguments: URL url to scan (multiple URLs can be provided; a file containing URLs can be specified with an «at» prefix, for example: @urls.txt) Options: --wordlist FILE, -w FILE combined wordlist + rainbow table generated with shortutil --header HEADER, -H HEADER header to send with each request (use multiple times for multiple headers) --concurrency CONCURRENCY, -c CONCURRENCY number of requests to make at once [default: 20] --timeout SECONDS, -t SECONDS per-request timeout in seconds [default: 10] --output format, -o format output format (human = human readable; json = JSON) [default: human] --verbosity VERBOSITY, -v VERBOSITY how much noise to make (0 = quiet; 1 = debug; 2 = trace) [default: 0] --fullurl, -F display the full URL for confirmed files rather than just the filename [default: false] --norecurse, -n don't detect and recurse into subdirectories (disabled when autocomplete is disabled) [default: false] --stabilise, -s attempt to get coherent autocomplete results from an unstable server (generates more requests) [default: false] --patience LEVEL, -p LEVEL patience level when determining vulnerability (0 = patient; 1 = very patient) [default: 0] --characters CHARACTERS, -C CHARACTERS filename characters to enumerate [default: JFKGOTMYVHSPCANDXLRWEBQUIZ8549176320-_()&'!#$%@^{}~] --autocomplete mode, -a mode autocomplete detection mode (auto = autoselect; method = HTTP method magic; status = HTTP status; distance = Levenshtein distance; none = disable) [default: auto] --isvuln, -V bail after determining whether the service is vulnerable [default: false] --help, -h display this help and exit --version display version and exit The shortscan project includes a utility named shortutil which can be used to perform various short filename operations and to make custom rainbow tables for use with the tool.
You can create a rainbow table from an existing wordlist like this:
shortutil wordlist input.txt > output.rainbow To generate a one-off checksum for a file:
shortutil checksum index.html Run shortutil <command> --help for a definiteive list of options for each command.
Shortutil v0.3 · a short filename utility by bitquark Usage: main <command> [<args>] Options: --help, -h display this help and exit Commands: wordlist add hashes to a wordlist for use with, for example, shortscan checksum generate a one-off checksum for the given filename A custom wordlist was built for shortscan. For full details see pkg/shortscan/resources/README.md
Original IIS short filename research by Soroush Dalili.
Additional research and this project by bitquark.