caon.io

IIS

Shortscan

https://github.com/bitquark/shortscan

$ shortscan http://example.org/

Tips:

  1. Results from shortscan can be queried on GitHub using the path: qualifier

For example, if shortscan returns something like DSO_fi~..., one can query GitHub for path:/DSO_fi in order to find files whose names start the same way.

  2. Use AI!

Generate a large wordlist for filenames starting with DSO_fi
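Why a result such as DSO_fi~... narrows the search so much: the alias keeps the first six characters of the base name and the first three of the extension. The following is an added example, not code from this page or from shortscan. It applies a simplified 8.3 rule to a constructed web root listing to show which long names collapse onto the same reported pattern. Only ~N aliases are modelled (the hash-based aliases Windows generates after repeated collisions are not), and all function names and the sample listing are hypothetical.

```python
import re
from collections import defaultdict

# Legal in long names but not in 8.3 names; replaced by "_" in the alias.
ILLEGAL_83 = re.compile(r"[+,;=\[\]]")

def split_name(name):
    """Split on the last dot; a name without a dot has an empty extension."""
    base, dot, ext = name.rpartition(".")
    return (base, ext) if dot else (name, "")

def needs_alias(name):
    """True when the name does not fit 8.3 as-is, so an alias is generated."""
    base, ext = split_name(name)
    return (len(base) > 8 or len(ext) > 3 or "." in base or " " in name
            or ILLEGAL_83.search(name) is not None)

def _clean(part):
    """Drop spaces and extra dots, substitute illegal characters, uppercase."""
    return ILLEGAL_83.sub("_", part.replace(" ", "").replace(".", "")).upper()

def disclosed(name):
    """Return (base_prefix, ext_prefix) exposed by the alias, or None."""
    if not needs_alias(name):
        return None
    base, ext = split_name(name)
    return _clean(base)[:6], _clean(ext)[:3]

def audit(listing):
    """Group long names by the alias pattern a short-name scan would report."""
    groups = defaultdict(list)
    for name in listing:
        d = disclosed(name)
        if d:
            pattern = f"{d[0]}~*" + (f".{d[1]}" if d[1] else "")
            groups[pattern].append(name)
    return dict(groups)

# Constructed listing of a web root, for illustration only.
SAMPLE = ["DSO_final_report.pdf", "DSO_financials.pdf", "web.config",
          "global.asax", "index.htm", "backup 2023.zip"]

if __name__ == "__main__":
    for pattern, names in audit(SAMPLE).items():
        print(f"{pattern:14} <- {names}")
```

Names that already fit 8.3, such as index.htm, get no ~N alias and are absent from the result.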

Virtual directories

Once access to an IIS server is granted, it is possible to list vdirs with

%systemroot%\system32\inetsrv\AppCmd.exe list sites

Output will show all available virtual directories on the server. The following command retrieves more information about each:

%systemroot%\system32\inetsrv\AppCmd.exe list vdir /app.name:"<VDIR>/"

Leakage of objrefs