blacklanternsecurity / bbot

A recursive internet scanner for hackers.
https://www.blacklanternsecurity.com/bbot/
GNU General Public License v3.0

IIS Shortnames Results #1554

Closed Sh4d0wHunt3rX closed 4 months ago

Sh4d0wHunt3rX commented 4 months ago

I got many results from the IIS shortnames module. I'm new to this type of vulnerability; however, when I check the hostnames, I don't see anything specific, and it seems there is no IIS there.


For example: https://tti.varonis.io:631/


liquidsec commented 4 months ago

I am unable to replicate this. Can you run it on the CLI against a single host and share the output?

Sh4d0wHunt3rX commented 4 months ago

If I scan like this, there won't be any report of vulnerability:

bbot -t tti.varonis.io -m iis_shortnames portscan

But, this is from my original report:

{"type": "VULNERABILITY", "id": "VULNERABILITY:6977d04655ad436fd62ee270f32a531e21dc3423", "scope_description": "in-scope", "data": {"host": "tti.varonis.io", "severity": "LOW", "description": "IIS Shortname Vulnerability Detected. Potentially Vulnerable Method/Techniques: [GET (403/503 HTTP Code)]", "url": "https://tti.varonis.io:631/"}, "host": "tti.varonis.io", "resolved_hosts": [], "dns_children": {}, "web_spider_distance": 0, "scope_distance": 0, "scan": "SCAN:34c4984e740a3bc89ebd7ed259e0a96bedea70d4", "timestamp": 1720526295.838513, "parent": "URL:9f02566831647f5205e6c0f4b9162579bd3e27bf", "tags": ["low", "in-scope"], "module": "iis_shortnames", "module_sequence": "iis_shortnames", "discovery_context": "iis_shortnames detected low VULNERABILITY: IIS shortname enumeration", "discovery_path": ["Scan 2024-07-09_15-14-41 seeded with DNS_NAME: varonis.com", "internetdb queried Shodan's InternetDB API for \"varonis.com (45.60.150.169)\" and found OPEN_TCP_PORT: varonis.com:6000", "sslcert parsed SSL certificate at varonis.com:6000 and found DNS_NAME: api.app.varonis.io", "dnsbrute tried 4,989 subdomains against \"app.varonis.io\" and found DNS_NAME: docs.app.varonis.io", "certspotter searched certspotter API for \"varonis.io\" and found DNS_NAME: aue.messaging.api.varonis.io", "securitytrails searched securitytrails API for \"varonis.io\" and found DNS_NAME: tti.varonis.io", "portscan executed a TCP SYN scan against tti.varonis.io and found: OPEN_TCP_PORT: tti.varonis.io:631", "httpx visited tti.varonis.io:631 and got status code 503 at https://tti.varonis.io:631/", "iis_shortnames detected low VULNERABILITY: IIS shortname enumeration"]}

liquidsec commented 4 months ago

@amiremami, do you have the latest dev as of last night?

I think this might be caused by weird responses from a WAF. This would obviously be super unpredictable and nearly impossible to replicate. But, in this update that went into dev late last night, these now require 3 confirmations.

I'm hoping you say you weren't using this latest version when that was emitted, because I think this would be almost impossible with the new confirmation system.

Sh4d0wHunt3rX commented 4 months ago

This scan has been done with BBOT v2.0.0.4258rc. I'm doing another scan now with v2.0.0.4263rc and it seems the result is much better and more accurate.

liquidsec commented 4 months ago

Got it, well please reopen this if you encounter this again, but I am fairly confident that last update to iis_shortnames should prevent it going forward.
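
A triage sketch for findings like the one quoted in this thread, added here and not part of the original discussion or of BBOT's code: it reads BBOT JSON events (assumed to be one per line) and marks an iis_shortnames finding for a manual recheck when the baseline status httpx recorded for the URL is one of the codes the detection technique relies on. The heuristic, the function names and the example.com sample events are assumptions made for illustration.

```python
import json
import re

# Patterns follow the strings visible in the event quoted in the thread.
STATUS_RE = re.compile(r"httpx visited \S+ and got status code (\d{3}) at (\S+)")
CODES_RE = re.compile(r"\((\d{3}(?:/\d{3})*) HTTP Code\)")

def baseline_status(event):
    """Status code httpx recorded for the finding's URL, or None if absent."""
    url = event["data"]["url"]
    for step in event.get("discovery_path", []):
        m = STATUS_RE.search(step)
        if m and m.group(2) == url:
            return int(m.group(1))
    return None

def technique_codes(event):
    """HTTP codes named in the description, e.g. {403, 503}."""
    codes = set()
    for group in CODES_RE.findall(event["data"].get("description", "")):
        codes.update(int(c) for c in group.split("/"))
    return codes

def triage(ndjson_text):
    """Return (url, baseline, verdict) for each iis_shortnames finding."""
    rows = []
    for line in filter(str.strip, ndjson_text.splitlines()):
        ev = json.loads(line)
        if ev.get("type") != "VULNERABILITY" or ev.get("module") != "iis_shortnames":
            continue
        base = baseline_status(ev)
        # Assumed heuristic: a baseline that already equals a signal code is ambiguous.
        verdict = "recheck" if base in technique_codes(ev) else "review"
        rows.append((ev["data"]["url"], base, verdict))
    return rows

def _sample(host_port, status):
    """Build one constructed event in the shape of the quoted one (fields trimmed)."""
    url = f"https://{host_port}/"
    return json.dumps({
        "type": "VULNERABILITY", "module": "iis_shortnames",
        "data": {"url": url, "severity": "LOW", "description":
                 "IIS Shortname Vulnerability Detected. Potentially Vulnerable "
                 "Method/Techniques: [GET (403/503 HTTP Code)]"},
        "discovery_path": [
            f"httpx visited {host_port} and got status code {status} at {url}",
            "iis_shortnames detected low VULNERABILITY: IIS shortname enumeration"]})

# Constructed sample input: two findings plus one unrelated event.
SAMPLE = "\n".join([_sample("legacy.example.com:631", 503),
                    _sample("intranet.example.com", 200),
                    json.dumps({"type": "DNS_NAME", "module": "dnsbrute", "data": "x.example.com"})])

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row)
```

A "recheck" row is a prompt to rerun the module against that single host, as requested earlier in the thread, before reporting the finding.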