Let's be clear, I'm all about the offensive side of information security. I'm a pentester and I enjoy popping, rooting, owning and pwning all the things. I am aware that what we do is there to assist and encourage better defensive countermeasures, but I just leave that to the experts. My colleague sitting nearby has the more unfortunate "defensive" job, consisting of writing detections for all the evil things I do.
Recently I was running a web application assessment for a client whose system was running IIS 6.0 on Windows Server 2003. Much foosball and coffee had already gone into this assessment, yet I still didn't have the "Oh shit, how did you find that?" discovery that makes developers curl up in a ball and rock themselves to sleep. These developers were smarter than most, and this was not their first assessment either. They had learned from previous tests to be vigilant about input sanitization and the usual bag of tricks.
I was pretty much ready to swap my Nerf gun for Microsoft Word and start typing up my findings when I saw this article by Soroush Dalili about using a 17-year-old technique to enumerate directories on IIS versions earlier than 7.0 using the good old "~1" from the 8dot3 days of Windows.
A bit of history for you kids and nostalgia for us old-timers about the 8dot3 days of Windows was that in older versions of …
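To make the "~1" point concrete, here is an added example (my own code, not from the post above and not from Soroush Dalili's tool) that derives the 8.3 short name Windows assigns to a long file or directory name. It is exactly this derivation that the enumeration relies on: the short name always carries the first six characters of the long name, so confirming that `SECRET~1` exists tells an attacker that something starting with "secret" lives in that directory even when the rest of the name is unguessable. The code models the documented basic rules only (spaces and all but the last dot dropped, a handful of characters replaced by "_", upper-casing, six-character base plus `~N`, three-character extension); the hash-based short names NTFS switches to after the fourth collision are an assumption it does not model and are reported as an error. The sample directory listing at the bottom is constructed, not taken from any real server.

```python
"""Derive Windows 8.3 short names, to show what the "~1" trick leaks.

Modelled rules (basic documented 8.3 behaviour):
  * spaces are removed, every dot except the last is removed
  * the characters  + , ; = [ ]  are replaced with "_"
  * everything is upper-cased
  * base name is cut to 6 characters and "~N" appended, N = 1..4
  * extension is cut to 3 characters
Assumption not modelled: after the fourth collision NTFS uses a
hash-based short name instead of ~5; that case raises ValueError here.
"""

_REPLACED = set("+,;=[]")
_MAX_TILDE = 4  # ~1..~4 are sequential on NTFS; beyond that a hash is used


def _clean(part):
    """Upper-case a name part and replace characters illegal in 8.3 names."""
    return "".join("_" if c in _REPLACED else c for c in part).upper()


def _is_valid_8dot3(name):
    """True if the name is already a legal 8.3 name and needs no mangling."""
    if " " in name or any(c in _REPLACED for c in name):
        return False
    if name.count(".") > 1 or name.startswith("."):
        return False
    base, _, ext = name.partition(".")
    return 1 <= len(base) <= 8 and len(ext) <= 3


def short_name(long_name, taken):
    """Return the 8.3 short name for long_name.

    `taken` is the set of short names already used in the same directory;
    a later name sharing the first six characters gets ~2, ~3, ... so the
    caller must reuse one set per directory.
    """
    if _is_valid_8dot3(long_name):
        return long_name.upper()  # NTFS stores no separate short name here
    base, dot, ext = long_name.rpartition(".")
    if not dot:          # no extension at all: rpartition put it all in ext
        base, ext = ext, ""
    if not base:         # leading-dot names such as ".htaccess": all base
        base, ext = ext, ""
    base = _clean(base.replace(" ", "").replace(".", ""))
    ext = _clean(ext.replace(" ", ""))[:3]
    for n in range(1, _MAX_TILDE + 1):
        candidate = "%s~%d" % (base[:6], n)
        if ext:
            candidate += "." + ext
        if candidate not in taken:
            taken.add(candidate)
            return candidate
    raise ValueError("more than %d collisions: NTFS would use a hashed "
                     "short name here, which this example does not model"
                     % _MAX_TILDE)


def leaked_prefixes(real_names):
    """Map each short name to the long name it reveals.

    This is the attacker's view: every key is a name that a "~1"-style
    probe can confirm, and its first six characters are the leaked prefix.
    """
    taken = set()
    return {short_name(name, taken): name for name in real_names}


if __name__ == "__main__":
    # Constructed sample directory listing, not from any real server.
    sample = ["Program Files", "Documents and Settings", "Documentation",
              "secret_admin_console", "web.config", "index.html", "bin"]
    for short, long_name in leaked_prefixes(sample).items():
        print("%-14s -> %s" % (short, long_name))
```

Running it prints, for example, `PROGRA~1 -> Program Files` and `SECRET~1 -> secret_admin_console`: an attacker who can confirm `SECRET~1` has learned the prefix "secret" without ever seeing the directory listing. The shared `taken` set matters: "Documents and Settings" and "Documentation" land on `DOCUME~1` and `DOCUME~2`, which is why the enumeration technique also walks `~2`, `~3` and so on once `~1` hits.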