I pulled an internal IP out of a Location header inside 30 seconds: curl -v --http1.0 http://example.com returned Location: https://192.168.5.237/owa/ straight from a publicly facing Exchange box. That single line told me the internal subnet and the server hostname. Most people stop at the IIS blue screen; that's where the real work starts.
Shodan, Google Dorks, and Active Fingerprinting
Before touching a target, let Shodan do the heavy lifting. A query like ssl:"target.com" http.title:"IIS" or org:"target" http.title:"IIS" surfaces staging servers and forgotten admin panels that nobody bothered to firewall. Google dorks catch ASP.NET artifacts: site:target.com ext:aspx, inurl:_vti_bin, or intext:"X-Powered-By: ASP.NET". Stack wildcards like site:*.*.target.com intitle:"IIS" to find nested subdomains that basic enumeration misses.
Active fingerprinting with a raw request confirms the server type. Hit port 80 with nc or 443 with openssl s_client and look for Server: Microsoft-IIS/10.0. At scale, pipe targets through httpx -td | grep IIS and you have a clean list for nuclei.
Internal IP Disclosure and the HTTPAPI 2.0 Dead End
Many IIS setups, especially Exchange or OWA front ends, hand over internal network details for free in response to an HTTP/1.0 request: with no Host header to copy, IIS builds the redirect's Location URL from its own binding address instead of the public name. The X-FEServer header leaks the internal hostname - file it away for pivot attacks.
You'll also hit servers that respond with a generic HTTPAPI 2.0 404. That's not a dead end. It means the IIS instance is bound to a specific virtual host, and your Host header doesn't match. Check the SSL certificate's SAN field for the correct hostname. If that fails, brute-force virtual hosts with ffuf: ffuf -u https://TARGET_IP/ -H "Host: FUZZ.target.com" -w vhosts.txt. Land on the right hostname and the server wakes up.
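The same leak is easy to catch on your own edge before anyone else does. The script below is an added example, not code from the original post: it parses a captured HTTP response (the constructed sample reuses the 192.168.5.237 Location from the post; the X-FEServer value EXCHFE01 is a made-up placeholder) and reports any header value carrying an RFC 1918, loopback or link-local address, plus the Exchange hostname headers whatever their value. Feed it the output of the curl --http1.0 request above, captured from a host you are responsible for.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample of what an HTTP/1.0 request with no Host header can draw
# out of an Exchange/OWA front end. 192.168.5.237 and /owa/ come from the post;
# "EXCHFE01" is an invented placeholder hostname.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Content-Length: 0\r\n"
    "Location: https://192.168.5.237/owa/\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "X-FEServer: EXCHFE01\r\n"
    "\r\n"
)

# Exchange headers that carry an internal server name in their value.
HOSTNAME_HEADERS = {"x-feserver", "x-beserver"}

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP response into (name, value) header pairs; the body is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def is_internal(ip_text: str) -> bool:
    """True for RFC 1918, loopback and link-local addresses, i.e. ones that
    should never appear in a response served to the internet."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


def find_leaks(raw: str) -> List[Tuple[str, str]]:
    """Return (header, value) findings: every internal IP found in any header
    value, and every hostname-bearing Exchange header regardless of value."""
    findings: List[Tuple[str, str]] = []
    for name, value in parse_headers(raw):
        for ip_text in IPV4_RE.findall(value):
            if is_internal(ip_text):
                findings.append((name, ip_text))
        if name.lower() in HOSTNAME_HEADERS:
            findings.append((name, value))
    return findings


if __name__ == "__main__":
    for header, value in find_leaks(SAMPLE_RESPONSE):
        print(f"LEAK  {header}: {value}")
```

On the IIS side, the classic fix is to give the server a public name to use in redirects (the serverRuntime section's alternateHostName attribute, set with appcmd) so a Host-less request never falls back to the binding address; Exchange front ends additionally need the X-FEServer/X-BEServer headers stripped at the reverse proxy.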
The Tilde Enumeration Gift
IIS inherited the DOS 8.3 filename convention. By sending requests that use the tilde short-name syntax, you can enumerate short names of files and directories even with directory listing disabled. The tool shortscan handles this: shortscan https://target.com/ -F -p 1. It spits out fragments like WEB~1.CON (web.config) or SITEBA~1.ZIP. That ZIP file is now a target. Burp's IIS Tilde Enumeration Scanner does the same thing.
Once you have short names, resolve them. The post suggests using LLMs, GitHub dorks, BigQuery, or brute-forcing the remaining characters with crunch. If you see ADMIN~1, you know there's a directory whose name starts with admin - go find its full name.
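For the defender the resolution problem runs the other way: given the fragments a scanner reported, which of the files you actually deployed produced them, and which fragment matches nothing in your manifest (a stray backup or leftover that should not be on the web root at all)? The block below is an added example, not code from the original post or from shortscan. It approximates NTFS short-name generation (the six-character prefix, the ~N counter and the three-character extension; the counter depends on creation order and Windows switches to a hash-based form after four collisions, which is not modelled) and matches scanner fragments against a constructed deployment inventory.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Characters NTFS refuses in a short name; they become '_' when one is generated.
_ILLEGAL_IN_83 = set("+,;=[]")
_VALID_CHARS = re.compile(r"^[A-Z0-9!#$%&'()\-@^_`{}~]+$")
_TILDE_RE = re.compile(r"~\d+")


def is_valid_83(name: str) -> bool:
    """True if NAME already fits 8.3, in which case NTFS stores no separate short name."""
    upper = name.upper()
    if " " in upper or upper.count(".") > 1:
        return False
    base, _, ext = upper.partition(".")
    if not base or len(base) > 8 or len(ext) > 3:
        return False
    return bool(_VALID_CHARS.match(base)) and (ext == "" or bool(_VALID_CHARS.match(ext)))


def short_name(long_name: str, index: int = 1) -> Optional[str]:
    """Approximate the 8.3 name NTFS generates for LONG_NAME, or None if none is needed.

    Simplification (assumption): INDEX is the ~N collision counter, which follows
    creation order we do not know, and the hash-based form used after four
    collisions is not modelled.
    """
    if is_valid_83(long_name):
        return None
    name = long_name.upper().replace(" ", "").lstrip(".")
    name = "".join("_" if c in _ILLEGAL_IN_83 else c for c in name)
    base, dot, ext = name.rpartition(".")
    if not dot:  # no extension at all
        base, ext = name, ""
    base = base.replace(".", "")[:6]  # inner dots are dropped, then truncated to 6
    ext = ext[:3]
    return f"{base}~{index}" + (f".{ext}" if ext else "")


def _key(short: str) -> str:
    """Strip the ~N counter so WEB~1.CON and WEB~2.CON compare equal."""
    return _TILDE_RE.sub("~", short.upper())


def resolve_fragments(fragments: List[str], inventory: List[str]) -> Dict[str, List[str]]:
    """Map each short-name fragment a scanner reported to the deployed long names in
    INVENTORY that would produce it. A fragment mapping to an empty list is the
    interesting case: something on disk that is not in your manifest."""
    by_key: Dict[str, List[str]] = defaultdict(list)
    for long in inventory:
        s = short_name(long)
        if s:
            by_key[_key(s)].append(long)
    return {frag: by_key.get(_key(frag), []) for frag in fragments}


if __name__ == "__main__":
    # Constructed inputs: fragments as a tilde scanner would print them, and a
    # made-up deployment manifest for the same web root.
    found = ["WEB~1.CON", "SITEBA~1.ZIP", "ADMINI~1"]
    manifest = ["web.config", "index.aspx", "admin", "sitebackup.zip"]
    for frag, matches in resolve_fragments(found, manifest).items():
        print(f"{frag:14} -> {matches or 'NOT IN MANIFEST'}")
```

The fix on the server is two steps, because disabling generation does not touch names that already exist: fsutil 8dot3name set 1 stops NTFS creating new short names, and fsutil 8dot3name strip on the web root removes the existing ones (run it against a volume you have backed up, since applications that stored short paths in the registry can break).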
Automation and Manual Depth
Run nuclei against your IIS target list with nuclei -l iis-targets.txt -tags microsoft,windows,asp,aspx,iis,azure,config,exposure. Let it run in the background while you manually probe for path traversal to web.config, bin directory DLL exposure via cookieless sessions, reverse proxy path confusion, and NTFS authentication bypass tricks. Each of those is a separate rabbit hole, but the tilde enumeration alone has surfaced dozens of hidden assets for bug hunters.
The blue screen isn't a wall. It's a door with a broken lock.
Source: Humiliating IIS servers for fun and jail time
Domain: mll.sh