🌀 Shortscan Overview
Shortscan is a command-line tool designed to rapidly enumerate short filenames on Microsoft IIS web servers. When IIS is configured in a specific way, it can reveal the 8.3 format (or "short filename") of files and directories that exist on the server, even if their long filenames are not guessable.
This vulnerability can lead to the discovery of sensitive files, such as configuration files, source code backups, or unlisted endpoints.
Key Features
- Fast Enumeration: Leverages concurrency to quickly scan for existing short filenames.
- Full Filename Discovery: Once a short filename is identified, Shortscan attempts to automatically discover the corresponding full filename using several advanced techniques.
- Checksum Matching: Implements a unique checksum matching approach to find long filenames where the short filename is based on Windows' proprietary shortname collision avoidance checksum algorithm.
- Recursive Scanning: Automatically detects and scans subdirectories found during enumeration.
- Flexible Configuration: Offers a wide range of options to control concurrency, timeouts, headers, character sets, and more.
- Multiple Output Formats: Provides human-readable output for interactive use and JSON output for easy integration with other tools and scripts.
- Companion Utility: Includes shortutil, a tool for creating custom rainbow tables and performing short filename operations.
How It Works
Shortscan works in stages: it first determines whether a server is vulnerable and then enumerates its files. It sends specially crafted requests and analyzes the server's responses (differences in HTTP status codes, response bodies, or behavior with non-standard HTTP methods) to infer the existence of files.
For a deeper dive into the methodology, see the Core Concepts page.
Getting Started
Ready to find some files? Head over to the Installation page to get started, then follow the Quick Start guide to run your first scan.