shortscan
AI Summary: Shortscan is an IIS short filename enumeration tool that rapidly identifies files with short filenames on an IIS web server and attempts to discover their corresponding full filenames using a unique checksum matching method. Its notable features include support for custom headers, concurrency settings, and vulnerability checks without full file enumeration, as well as the ability to utilize custom wordlists and generate rainbow tables through an accompanying utility named shortutil.
README
🌀 Shortscan
An IIS short filename enumeration tool.
Functionality
Shortscan is designed to quickly determine which files with short filenames exist on an IIS webserver. Once a short filename has been identified, the tool will try to automatically identify the full filename.
In addition to standard discovery methods, Shortscan also uses a unique checksum matching approach to attempt to find the long filename where the short filename is based on Windows’ proprietary shortname collision avoidance checksum algorithm (more on this research at a later date).
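For the defending side of the discovery behaviour described above, the following Go example (added here; it is not part of the shortscan project) counts, per client IP, IIS W3C log entries whose URL path combines a wildcard with a tilde-digit marker. The log sample is constructed, and the probe shape and the field names read from the #Fields directive are assumptions to adjust for your own logs.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample of an IIS W3C log; addresses are documentation ranges.
const sampleLog = `#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-01-01 10:00:00 198.51.100.7 GET /index.html 200
2024-01-01 10:00:01 203.0.113.5 GET /*~1*/.aspx 404
2024-01-01 10:00:01 203.0.113.5 GET /A*~1*/.aspx 404
2024-01-01 10:00:03 198.51.100.7 GET /docs/REPORT~1.PDF 200
`

// probe: one path segment holding both a wildcard and a "~<digit>" marker
// (assumed probe shape; a plain 8.3 name without a wildcard does not match).
var probe = regexp.MustCompile(`[*?][^/]*~[0-9]|~[0-9][^/]*[*?]`)

// CountProbes returns probe-like request counts per client IP. Column
// positions are read from the "#Fields:" directive, since IIS layouts vary.
func CountProbes(log string) map[string]int {
	hits := map[string]int{}
	cols := map[string]int{} // field name -> column index
	for _, line := range strings.Split(log, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		if f[0] == "#Fields:" {
			cols = map[string]int{}
			for i, name := range f[1:] {
				cols[name] = i
			}
			continue
		}
		ip, okIP := cols["c-ip"]
		uri, okURI := cols["cs-uri-stem"]
		if f[0][0] != '#' && okIP && okURI && ip < len(f) && uri < len(f) && probe.MatchString(f[uri]) {
			hits[f[ip]]++
		}
	}
	return hits
}

func main() {
	fmt.Println(CountProbes(sampleLog))
}
```

A client with a high count over a short window is worth reviewing; a single request for a literal 8.3 name is not counted.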
Installation
Quick install
Using a recent version of Go:
go install github.com/bitquark/shortscan/cmd/shortscan@latest
Manual install
To build (and optionally install) locally:
go get && go build
go install
Usage
Basic usage
Shortscan is easy to use with minimal configuration. Basic usage looks like:
$ shortscan http://example.org/
You can also specify a file containing a list of URLs to be scanned:
$ shortscan @urls.txt
Examples
This example sets multiple custom headers by using --header/-H multiple times:
shortscan -H 'Host: gibson' -H 'Authorization: Basic ZGFkZTpsMzN0'
To check whether a site is vulnerable without performing file enumeration use:
shortscan --isvuln
Advanced features
The following options allow further tweaks:
🌀 Shortscan v0.9.2 · an IIS short filename enumeration tool by bitquark
Usage: main [--wordlist FILE] [--header HEADER] [--concurrency CONCURRENCY] [--timeout SECONDS] [--output format] [--verbosity VERBOSITY] [--fullurl] [--norecurse] [--stabilise] [--patience LEVEL] [--characters CHARACTERS] [--autocomplete mode] [--isvuln] URL [URL ...]
Positional arguments:
URL url to scan (multiple URLs can be provided; a file containing URLs can be specified with an «at» prefix, for example: @urls.txt)
Options:
--wordlist FILE, -w FILE
combined wordlist + rainbow table generated with shortutil
--header HEADER, -H HEADER
header to send with each request (use multiple times for multiple headers)
--concurrency CONCURRENCY, -c CONCURRENCY
number of requests to make at once [default: 20]
--timeout SECONDS, -t SECONDS
per-request timeout in seconds [default: 10]
--output format, -o format
output format (human = human readable; json = JSON) [default: human]
--verbosity VERBOSITY, -v VERBOSITY
how much noise to make (0 = quiet; 1 = debug; 2 = trace) [default: 0]
--fullurl, -F display the full URL for confirmed files rather than just the filename [default: false]
--norecurse, -n don't detect and recurse into subdirectories (disabled when autocomplete is disabled) [default: false]
--stabilise, -s attempt to get coherent autocomplete results from an unstable server (generates more requests) [default: false]
--patience LEVEL, -p LEVEL
patience level when determining vulnerability (0 = patient; 1 = very patient) [default: 0]
--characters CHARACTERS, -C CHARACTERS
filename characters to enumerate [default: JFKGOTMYVHSPCANDXLRWEBQUIZ8549176320-_()&'!#$%@^{}~]
--autocomplete mode, -a mode
autocomplete detection mode (auto = autoselect; method = HTTP method magic; status = HTTP status; distance = Levenshtein distance; none = disable) [default: auto]
--isvuln, -V bail after determining whether the service is vulnerable [default: false]
--help, -h display this help and exit
--version display version and exit
Utility
The shortscan project includes a utility named shortutil which can be used to perform various short filename operations and to make custom rainbow tables for use with the tool.
Examples
You can create a rainbow table from an existing wordlist like this:
shortutil wordlist input.txt > output.rainbow
To generate a one-off checksum for a file:
shortutil checksum index.html
Usage
Run shortutil <command> --help for a definitive list of options for each command.
Shortutil v0.3 · a short filename utility by bitquark
Usage: main <command> [<args>]
Options:
--help, -h display this help and exit
Commands:
wordlist add hashes to a wordlist for use with, for example, shortscan
checksum generate a one-off checksum for the given filename
Wordlist
A custom wordlist was built for shortscan. For full details see pkg/shortscan/resources/README.md
Credit
Original IIS short filename research by Soroush Dalili.
Additional research and this project by bitquark.