loading
loading
Fuzzing
An IIS short filename enumeration tool.
overview
shortscan exploits the 8.3 short filename behavior in Microsoft IIS to recover the names of files and directories the server never meant to expose. Older IIS configurations generate legacy short names like SECRET~1.TXT for long filenames, and the server's response to requests for those names leaks enough to rebuild the start of the real name one character at a time.
The tool drives that reconstruction efficiently. It walks a defined character set, recurses into discovered subdirectories, and reads the server's hints through several autocomplete-detection modes: HTTP method magic, status codes, and Levenshtein distance. A patience setting and a stabilise mode pull coherent results from servers that respond inconsistently under load, and a shortutil-built wordlist plus rainbow table turns the recovered 8.3 fragments back into full filenames.
On Trickest, shortscan is a Fuzzing node that takes a file of URLs and writes a file and a folder of recovered names. Reach for it against IIS targets to surface hidden admin pages, backup archives, and config files, then feed the names into a content-discovery or scanning stage.
use cases
Enumerate 8.3 short names to reconstruct files and directories the server exposes through legacy naming, including backups and config files.
Run with --isvuln to bail the moment shortscan decides whether the service leaks short names, when you only need a yes or no on a host.
Feed recovered short-name fragments into a directory-fuzzing stage to expand them into full paths worth requesting.
Raise --patience and enable --stabilise so the tool still produces coherent autocomplete results when a server responds inconsistently under load.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| urls | FILE | · | File of URLs to scan. |
| output | STRING | --output | Output format: human (readable) or json (default human). |
| is-vuln | BOOLEAN | --isvuln | Bail after determining whether the service is vulnerable. |
| wordlist | FILE | --wordlist | Combined wordlist and rainbow table generated with shortutil. |
| header | STRING | --header | Header to send with each request (repeat for multiple headers). |
| concurrency | STRING | --concurrency | Number of requests to make at once (default 20). |
| patience | STRING | --patience | Patience level when determining vulnerability (0 patient, 1 very patient). |
| autocomplete | STRING | --autocomplete | Autocomplete detection mode: auto, method, status, distance, or none. |
Showing key inputs. shortscan exposes 15 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| urls | FILE | · | urls to scan |
| header | STRING | --header | header to send with each request (use multiple times for multiple headers) |
| output | STRING | --output | output format (human = human readable; json = JSON) [default: human] |
| is-vuln | BOOLEAN | --isvuln | bail after determining whether the service is vulnerable [default: false] |
| timeout | STRING | --timeout | per-request timeout in seconds [default: 10] |
| full-url | BOOLEAN | --fullurl | display the full URL for confirmed files rather than just the filename [default: false] |
| patience | STRING | --patience | patience level when determining vulnerability (0 = patient; 1 = very patient) [default: 0] |
| wordlist | FILE | --wordlist | combined wordlist + rainbow table generated with shortutil |
| stabilise | BOOLEAN | --stabilise | attempt to get coherent autocomplete results from an unstable server (generates more requests) [default: false] |
| verbosity | STRING | --verbosity | how much noise to make (0 = quiet; 1 = debug; 2 = trace) [default: 0] |
| characters | STRING | --characters | filename characters to enumerate [default: JFKGOTMYVHSPCANDXLRWEBQUIZ8549176320-_()&'!#$%@^{}~] |
| no-recurse | BOOLEAN | --norecurse | don't detect and recurse into subdirectories (disabled when autocomplete is disabled) [default: false] |
| concurrency | STRING | --concurrency | number of requests to make at once [default: 20] |
| header-file | FILE | --header-file | headers to send with each request (one per line) |
| autocomplete | STRING | --autocomplete | autocomplete detection mode (auto = autoselect; method = HTTP method magic; status = HTTP status; distance = Levenshtein distance; none = disable) [default: auto] |
example
# confirm the host leaks 8.3 names, then enumerate with a wordlistshortscan --isvuln http://example.com/shortscan --wordlist resources/rainbow.txt --output json --fullurl --concurrency 40 http://example.com/Shortscan v0.9.1 · an IIS short filename enumeration tool by bitquark━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━URL: http://example.com/Running: Microsoft-IIS/10.0Vulnerable: Yes!━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ADMIN~1.ASP File Admin (Admin.asp, Admin.aspx)BACKUP~1.ZIP File Backup (Backup.zip)CONFIG~1.BAK File Config (Config.bak)UPLOAD~1 Dir Uploadsguidance
Use shortscan against Microsoft IIS targets to recover hidden file and directory names through 8.3 short-name leakage. It is IIS-specific. For general directory brute force, pair it with a content-discovery fuzzer that expands the recovered fragments.
Looks for exposed files on any web server. Broader server-agnostic checks, not IIS short-name specific.
Tests for request smuggling rather than filename leakage. A different IIS-and-proxy class of bug.
Subdomain resolution rather than path enumeration. Runs earlier in a recon pipeline.
faq
related
Website directory and file brute forcing at extreme scale.
A fast web fuzzer written in Go.
A fast web fuzzer written in Go, wired to run across a list of target URLs.
A fast web fuzzer written in Go, run across a URL list with folder output.
A fast web fuzzer written in Go.
A fast web fuzzer written in Go, packaged for virtual host discovery.
A file of IIS URLs feeds shortscan, which enumerates 8.3 short names and writes the recovered filenames as a queryable output.
Facts on this page come from the live Trickest tool library.