Shortscan is a powerful tool designed for identifying short filenames on IIS web servers and attempting to resolve them into their full filenames. This guide provides an overview of its functionality, installation, usage, and advanced features.
Functionality
-
Purpose: Shortscan identifies files with short filenames (8.3 format) on IIS web servers.
-
Advanced Techniques: It uses Windows' proprietary shortname collision avoidance checksum algorithm to match short filenames with their long counterparts.
-
Flexibility: Supports both standard discovery methods and checksum-based matching for enhanced accuracy.
Installation
Quick Install
To install Shortscan using Go:
go install github.com/bitquark/shortscan/cmd/shortscan@latest
Manual Install
To build and install locally:
go get && go build
go install
Usage
Basic Usage
To scan a single URL:
shortscan http://example.org/
To scan multiple URLs from a file:
shortscan @urls.txt
Examples
-
Setting multiple custom headers:
shortscan -H 'Host: example' -H 'Authorization: Basic ZGFkZTpsMzN0'
-
Checking vulnerability without enumerating files:
shortscan --isvuln
Advanced Features
Shortscan offers various advanced options for customization:
|
Option |
Description |
Default Value |
|
--wordlist FILE |
Use a custom wordlist/rainbow table generated with shortutil. |
None |
|
--header HEADER |
Add custom headers to requests (can be used multiple times). |
None |
|
--concurrency CONCURRENCY |
Number of concurrent requests. |
20 |
|
--timeout SECONDS |
Timeout for each request in seconds. |
10 |
|
--output format |
Output format (human or json). |
human |
|
--verbosity VERBOSITY |
Set verbosity level (0: quiet, 1: debug, 2: trace). |
0 |
|
--fullurl |
Show full URLs for confirmed files instead of just filenames. |
False |
|
--norecurse |
Disable recursion into subdirectories. |
False |
|
--stabilise |
Stabilize results from unstable servers (increases requests). |
False |
|
--patience LEVEL |
Patience level for vulnerability detection (0: patient, 1: very patient). |
0 |
|
--characters CHARACTERS |
Characters to enumerate in filenames. |
Default character set |
|
--autocomplete mode |
Set autocomplete detection mode (auto, method, status, distance, or none). |
auto |
Utility: Shortutil
Shortutil is a companion utility for Shortscan that helps with filename operations and creating custom rainbow tables.
Examples:
-
Generate a rainbow table from a wordlist:
shortutil wordlist input.txt > output.rainbow
-
Compute a checksum for a specific file:
shortutil checksum index.html
For detailed usage of each command, run:
shortutil <command> --help
Wordlist Support
Shortscan supports custom wordlists, which can be created using the Shortutil tool. These wordlists enhance the tool's ability to identify filenames efficiently.
Conclusion
Shortscan is an essential tool for penetration testers and cybersecurity professionals working with IIS servers.
Its combination of speed, precision, and advanced techniques makes it highly effective for identifying vulnerabilities related to short filenames. You can learn more and Download Shortscan in GitHub.
Upgrade Your Cybersecurity Skills EHA: Learn 150+ Practical Cyber Security Courses Online With Life Time Access - Enroll Here
