Preventing Web-based Directory Enumeration Attacks Against IIS
I received an interesting tip from Munish about how to prevent directories from being easily identified in IIS. I’ve updated my original post about directory enumeration with the following info:
Setting the “Hidden” Attribute to Hide Files in IIS
Hiding directories in IIS seems to be as easy as setting the “hidden” attribute:
cd c:\Inetpub\wwwroot
attrib +h myprivatedirectory
Now when an attacker browses to http://yoursite/myprivatedirectory they will get a 404 “Not Found” message instead of a 403 “Directory Listing Denied”. However, files inside the directory are still accessible (e.g. http://yoursite/myprivatedirectory/somefile.htm). This is a simple way to defeat directory enumeration attacks from tools such as http-dir-enum and DirBuster.
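As an added example (not from the original post), the PowerShell script below applies the same Hidden attribute the attrib command sets and then checks, from the client side, the two responses described above: the directory URL and a file inside it. The web root, site URL and probe file name are assumptions and should be adjusted to the site being tested.

```powershell
# Added example, not from the original post. Hides a directory under the IIS web
# root and verifies what the post describes: the directory URL returns 404 while a
# file inside it is still served. All paths and URLs below are assumptions.
param(
    [string]$WebRoot   = 'C:\Inetpub\wwwroot',   # assumed IIS web root
    [string]$Directory = 'myprivatedirectory',   # directory name from the post
    [string]$BaseUrl   = 'http://yoursite',      # assumed site URL
    [string]$ProbeFile = 'somefile.htm'          # assumed existing file in the directory
)

$path = Join-Path $WebRoot $Directory

# Set the Hidden attribute without clearing attributes already present
# (same effect as: attrib +h <directory>).
$item = Get-Item -LiteralPath $path -Force
$item.Attributes = $item.Attributes -bor [System.IO.FileAttributes]::Hidden

function Get-StatusCode([string]$Url) {
    # Return the HTTP status code for a GET of $Url. Invoke-WebRequest throws on
    # 4xx/5xx, so the code is read from the exception's response object; this works
    # for both Windows PowerShell (WebException) and PowerShell 7 (HttpResponseException).
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        return [int]$r.StatusCode
    } catch {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

$dirUrl  = "$BaseUrl/$Directory/"
$fileUrl = "$BaseUrl/$Directory/$ProbeFile"

$dirStatus  = Get-StatusCode $dirUrl
$fileStatus = Get-StatusCode $fileUrl

"{0,-50} {1}" -f $dirUrl,  $dirStatus
"{0,-50} {1}" -f $fileUrl, $fileStatus

if ($dirStatus -eq 404 -and $fileStatus -eq 200) {
    'Directory is hidden from enumeration, but its files are still served:'
    'this conceals the directory name only and is not an access control.'
}
```

Run it from an elevated prompt on the web server (or point $BaseUrl at a remote server and skip the attribute step). The final check makes the post's caveat explicit: a 404 for the directory together with a 200 for the file shows that anything already linked or guessable inside the directory remains reachable, so the Hidden attribute should be treated as a way to frustrate enumeration, not as a substitute for authorization.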