Takes a URL and then exploits the IIS tilde 8.3 enumeration vuln (https://soroush.secproject.com/blog/tag/iis-tilde-vulnerability/, http://www.acunetix.com/vulnerabilities/microsoft-iis-tilde-direc/, http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf) and tries to get you full file and directory names.
This is an attempt to take the cool POC scanner at https://github.com/irsdl/iis-shortname-scanner/tree/master/ and get you the rest of the file/directory names so you can retrieve them.
Feed this script a URL and also a word list of potential file/dir names. The script will look up the roots in your word list and then try them with appropriate extensions.
For word lists, the fuzzdb word lists are pretty good. We sometimes use the https://code.google.com/p/fuzzdb/source/browse/trunk/discovery/PredictableRes/raft-small-words-lowercase.txt (or large or medium) for this work.
This is not a directory enumerator (i.e., a tool that tries every word in a list against a web server). It will only find directories that have names longer than 8 characters (since only then will they have 8.3 names and be recognized by the vulnerability). You should still enumerate directories separately using a word list and DirBuster, Burp Intruder, or a similar tool.
Just as a note: on Windows computers you can view 8.3 names in the command prompt window by using the `dir /x` command. One of the columns will be the 8.3 name (if there is one).
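To make that note concrete for anyone auditing which files in their own web root would show up as tilde names, here is an added Python helper (not part of tilde_enum) that implements a simplified form of the NTFS 8.3 name generation rule; it goes a little beyond the "longer than 8 characters" case above by also covering extensions longer than three characters, spaces and extra dots. The function names and the sample file list are assumptions made for this example.

```python
import re

# Characters allowed in an 8.3 name; anything else becomes '_' (simplified set).
_ILLEGAL = re.compile(r"[^A-Z0-9!#$%&'()\-@^_`{}~]")


def fits_8dot3(name):
    """True when the name is already a valid 8.3 name, so NTFS creates no tilde name."""
    if " " in name or name.count(".") > 1 or name.startswith("."):
        return False
    base, _, ext = name.partition(".")
    return (1 <= len(base) <= 8 and len(ext) <= 3
            and not _ILLEGAL.search(base.upper())
            and not _ILLEGAL.search(ext.upper()))


def short_name(name, seq=1):
    """Simplified NTFS rule: drop spaces and leading dots, keep only the last dot,
    take 6 legal chars of the base plus '~seq', and 3 chars of the extension."""
    if fits_8dot3(name):
        return None
    cleaned = name.replace(" ", "").lstrip(".")
    base, dot, ext = cleaned.rpartition(".")
    if not dot:
        base, ext = cleaned, ""
    base = _ILLEGAL.sub("_", base.replace(".", "").upper())[:6]
    ext = _ILLEGAL.sub("_", ext.upper())[:3]
    return f"{base}~{seq}" + (f".{ext}" if ext else "")


def short_names(names):
    """Map each long name in one directory to its tilde name (None when it has none),
    numbering collisions ~1, ~2, ... as Windows does for the first few clashes."""
    taken, result = set(), {}
    for n in names:
        cand, seq = short_name(n), 1
        while cand is not None and cand in taken:
            seq += 1
            cand = short_name(n, seq)
        if cand is not None:
            taken.add(cand)
        result[n] = cand
    return result


# Constructed sample web root for this example, not taken from any real server.
SAMPLE_WEBROOT = ["default.aspx", "web.config", "readme.txt", ".htaccess",
                  "secretfiles", "secretfolder", "My Documents"]

if __name__ == "__main__":
    for long_name, short in short_names(SAMPLE_WEBROOT).items():
        print(f"{short or '(no 8.3 name)':16} {long_name}")
```

After the fourth collision on the same six-character prefix Windows switches to a hash-based short name, which this simplified version does not model; compare its output against `dir /x` on the real directory when that matters.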
```
git clone https://github.com/WebBreacher/tilde_enum
```
Find wordlists to use at this GitHub repo. Or download some handy ones below.
```
tilde_enum.py [-h] [-c COOKIES] [-d DIRWORDLIST] [-f] [-p PROXY] [-s SNOOZE] [-u URL] [-v] [-w WORDLIST] [--no-check-certificate]

Exploits and expands the file names found from the tilde enumeration vuln

optional arguments:
  -h, --help              show this help message and exit
  -c COOKIES              cookies to be used in the request
  -d DIRWORDLIST          an optional wordlist for directory name content
  -f                      force testing of the server even if the headers do not report it as an IIS system
  -p PROXY                Use a proxy host:port
  -s SNOOZE               time in seconds to sleep/wait between requests
  -u URL                  URL to scan
  -v                      verbose output
  -w WORDLIST             the word list to be used for guessing files
  --no-check-certificate  don't verify the SSL certificate
```