Attacking IIS

Criteria

Attacks

Description

Each time you create a new file on Windows, the operating system also generates an MS-DOS-compatible short file name in 8.3 format so that MS-DOS-based or 16-bit Windows-based programs can access files that have a long name. The 8.3 format allows a base name of up to 8 characters, followed by a period (.) and an extension of up to 3 characters.
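Added example (not part of the original page): a simplified Python model of the 8.3 name generation described above, so an administrator can see what the short name of a file in a web root reveals about its long name (the first six characters of the base name plus the first three of the extension). It assumes default NTFS behaviour and does not model the hashed tail Windows switches to after repeated collisions, nor names that begin with a period.

```python
import re
from typing import Optional

# Characters that are legal in a long file name but not in an 8.3 name.
_ILLEGAL_8DOT3 = re.compile(r'[+,;=\[\] ]')


def is_already_8dot3(name: str) -> bool:
    """True if the long name is itself a valid 8.3 name (case ignored),
    in which case Windows stores no separate short name for it."""
    if _ILLEGAL_8DOT3.search(name) or name.count('.') > 1:
        return False
    base, _, ext = name.partition('.')
    return 0 < len(base) <= 8 and len(ext) <= 3


def short_name(long_name: str, taken: Optional[set] = None) -> str:
    """Return the 8.3 short name Windows would generate for long_name.

    `taken` holds the short names already present in the same directory;
    it is used to model the ~1, ~2, ... numeric tail. Windows only tries
    ~1 to ~4 before switching to a hashed form, which is not modelled here
    (simplified assumption of this example)."""
    taken = set() if taken is None else taken
    if is_already_8dot3(long_name):
        return long_name
    cleaned = _ILLEGAL_8DOT3.sub('_', long_name).upper()
    base, dot, ext = cleaned.rpartition('.')
    if not dot:                      # no extension at all
        base, ext = cleaned, ''
    base = base.replace('.', '')     # only the last period survives
    ext = ext[:3]
    for n in range(1, 5):
        candidate = f"{base[:6]}~{n}" + (f".{ext}" if ext else '')
        if candidate not in taken:
            taken.add(candidate)
            return candidate
    raise ValueError("more than four collisions: Windows would use a hashed short name")


if __name__ == "__main__":
    # Constructed sample web root, to show which names have a separate short name.
    seen = set()
    for f in ["readme.txt", "secret_report.txt", "secret_notes.txt", "web.config.bak"]:
        print(f"{f:20} -> {short_name(f, seen)}")
```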

Step 1: Fingerprint an IIS Webserver
Step 2: Use the Shortname Scanner Tool

https://github.com/bitquark/shortscan.

Step 3: Fuzz for Full Name

Guessing manually is not efficient; instead we can use a `fuzzer` with a suitable wordlist to fuzz for the file `secret*.txt`. To build that wordlist we can use:

  1. Google `BigQuery` to create our fuzzing wordlist.
  2. ChatGPT to create our fuzzing wordlist.
  3. Grepping existing wordlists to create our fuzzing wordlist.

Google BigQuery

SELECT path FROM `bigquery-public-data.github_repos.files` WHERE (REGEXP_CONTAINS(path, r'(\/(?i)siteba[a-z0-9A-Z]+\.zip|^siteba[a-z0-9A-Z]+\.zip)')) LIMIT 100

ChatGPT

  give me 100 common files with the regex secret*.txt

  1. secretfile.txt
  2. secret1.txt
  3. secret2.txt
  4. secret_document.txt
  5. secret_report.txt
  6. secret_notes.txt
  7. secret_backup.txt
  8. secret_info.txt
  9. secret_final.txt
  10. secret_archive.txt
  ...

Existing Wordlists

cat SecLists/Discovery/Web-Content/* | grep -E '^secret'