Shortscan - Identifying and Resolving Short Filenames on IIS Web Servers

Shortscan is a powerful tool designed for identifying short filenames on IIS web servers and attempting to resolve them into their full filenames. This guide provides an overview of its functionality, installation, usage, and advanced features.

Functionality

  • Purpose: Shortscan identifies files with short filenames (8.3 format) on IIS web servers.

  • Advanced Techniques: It uses Windows' proprietary shortname collision avoidance checksum algorithm to match short filenames with their long counterparts.

  • Flexibility: Supports both standard discovery methods and checksum-based matching for enhanced accuracy.
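
An added example (not code from Shortscan or the original page) that an administrator could run over a webroot listing to see which long names receive an 8.3 alias and which names share one, the ambiguity that wordlist and checksum matching exist to resolve. `ShortAlias`, `Exposure` and the file list are hypothetical; the model assumes ASCII names and always uses the `~1` suffix.

```go
package main

import (
	"fmt"
	"strings"
)

// ShortAlias returns the first-choice 8.3 alias for a long name and whether one
// would be generated. Simplified model (assumption): ASCII names, cleaned base of
// 3+ characters, suffix always ~1; the checksum form is not modelled.
func ShortAlias(name string) (string, bool) {
	trimmed := strings.TrimLeft(name, ".")
	base, ext := trimmed, ""
	if i := strings.LastIndex(trimmed, "."); i >= 0 {
		base, ext = trimmed[:i], trimmed[i+1:]
	}
	// Drop spaces and extra dots; map characters illegal in 8.3 names to "_".
	clean := strings.NewReplacer(" ", "", ".", "", "+", "_", ",", "_", ";", "_",
		"=", "_", "[", "_", "]", "_")
	cb, ce := strings.ToUpper(clean.Replace(base)), strings.ToUpper(clean.Replace(ext))
	if trimmed == name && len(cb) <= 8 && len(ce) <= 3 &&
		strings.EqualFold(cb+"."+ce, base+"."+ext) {
		return strings.ToUpper(name), false // already a valid 8.3 name
	}
	alias := fmt.Sprintf("%.6s~1", cb) // first six characters plus ~1
	if ce != "" {
		alias += fmt.Sprintf(".%.3s", ce) // extension cut to three characters
	}
	return alias, true
}

// Exposure groups long names by the alias each would receive. Names sharing an
// alias get ~2, ~3, ... on a real volume, which this model does not number.
func Exposure(files []string) map[string][]string {
	out := map[string][]string{}
	for _, f := range files {
		if alias, ok := ShortAlias(f); ok {
			out[alias] = append(out[alias], f)
		}
	}
	return out
}

func main() {
	// Constructed webroot listing (sample data, not from the original page).
	files := []string{"index.html", "robots.txt", "web.config", "backup-2023.zip", "backup-2024.zip"}
	for alias, names := range Exposure(files) {
		fmt.Printf("%-13s <- %v\n", alias, names)
	}
}
```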

Installation

Quick Install

To install Shortscan using Go:

go install github.com/bitquark/shortscan/cmd/shortscan@latest

Manual Install

To build and install locally:

go get && go build

go install

Usage

Basic Usage

To scan a single URL:

shortscan http://example.org/

To scan multiple URLs from a file:

shortscan @urls.txt

Examples

  • Setting multiple custom headers:

shortscan -H 'Host: example' -H 'Authorization: Basic ZGFkZTpsMzN0' http://example.org/

  • Checking vulnerability without enumerating files:

shortscan --isvuln http://example.org/

Advanced Features

Shortscan offers various advanced options for customization:

| Option | Description | Default Value |
|---|---|---|
| --wordlist FILE | Use a custom wordlist/rainbow table generated with shortutil. | None |
| --header HEADER | Add custom headers to requests (can be used multiple times). | None |
| --concurrency CONCURRENCY | Number of concurrent requests. | 20 |
| --timeout SECONDS | Timeout for each request in seconds. | 10 |
| --output format | Output format (human or json). | human |
| --verbosity VERBOSITY | Set verbosity level (0: quiet, 1: debug, 2: trace). | 0 |
| --fullurl | Show full URLs for confirmed files instead of just filenames. | False |
| --norecurse | Disable recursion into subdirectories. | False |
| --stabilise | Stabilize results from unstable servers (increases requests). | False |
| --patience LEVEL | Patience level for vulnerability detection (0: patient, 1: very patient). | 0 |
| --characters CHARACTERS | Characters to enumerate in filenames. | Default character set |
| --autocomplete mode | Set autocomplete detection mode (auto, method, status, distance, or none). | auto |

Utility: Shortutil

Shortutil is a companion utility for Shortscan that helps with filename operations and creating custom rainbow tables.

Examples:

  • Generate a rainbow table from a wordlist:

shortutil wordlist input.txt > output.rainbow

  • Compute a checksum for a specific file:

shortutil checksum index.html

For detailed usage of each command, run:

shortutil <command> --help

Wordlist Support

Shortscan supports custom wordlists, which can be created using the Shortutil tool. These wordlists enhance the tool's ability to identify filenames efficiently.

Conclusion

Shortscan is an essential tool for penetration testers and cybersecurity professionals working with IIS servers.

Its combination of speed, precision, and advanced techniques makes it highly effective for identifying vulnerabilities related to short filenames. You can learn more and download Shortscan on GitHub.
