Windows creates a corresponding 8.3 abbreviated file name (short file name) for each long file or folder name, for compatibility with 16-bit MS-DOS programs. You can use the
dir /x command to view the abbreviated file names in Windows. As shown in the following figure, the abbreviated file name corresponding to
Because of this feature, a file can also be accessed indirectly through its abbreviated file name. Because an abbreviated file name has a fixed, short format (xxxxxx~xxxx), hackers can brute-force abbreviated file names directly and then access the corresponding files.
For example, assume that there is a database backup file named backup_www.abc.com_20150101.sql. Its abbreviated file name is backup~1.sql. Once hackers crack the name backup~1.sql, they can download the file without knowing the full file name.
Disable the abbreviated file name feature in Windows.
Run the regedit command to open the Windows Registry Editor, and go to the following directory
Modify the value of
After the modification, restart the system for the change to take effect.
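As an added example (not part of the original advisory), the following PowerShell script audits a web server for the setting described above and then lists files under the web root that still carry an 8.3 name; changing the setting only stops new short names from being created, so files that already exist keep theirs until they are stripped or recreated. The registry value NtfsDisable8dot3NameCreation is the standard Windows setting for this feature, $WebRoot is an assumed path, and reading short names through the Scripting.FileSystemObject COM object is this example's own approach.

```powershell
# Added example: audit 8.3 short-name exposure on a Windows web server.
# Assumptions: elevated PowerShell session; $WebRoot points at the site root.
param(
    [string]$WebRoot = 'C:\inetpub\wwwroot'   # assumption: adjust to your site
)

$regKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$regName = 'NtfsDisable8dot3NameCreation'

# Meaning of the value: 0 = create 8.3 names on all volumes, 1 = disabled on all
# volumes, 2 = per-volume setting, 3 = disabled on all but the system volume.
$setting = (Get-ItemProperty -Path $regKey -Name $regName).$regName
if ($setting -eq 1) {
    Write-Output "$regName = 1: 8.3 name creation is disabled on all volumes."
} else {
    Write-Warning "$regName = $setting: 8.3 names can still be created."
    Write-Warning "Set it to 1 (fsutil behavior set disable8dot3 1) and reboot."
}

# Existing files are not affected by the registry change. Read each file's
# short name via the FileSystemObject; ShortName returns the long name itself
# when no separate 8.3 name exists, so a difference means a short name is present.
$fso = New-Object -ComObject Scripting.FileSystemObject
$exposed = Get-ChildItem -LiteralPath $WebRoot -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $short = $fso.GetFile($_.FullName).ShortName
        if ($short -ne $_.Name) {
            [pscustomobject]@{ LongName = $_.Name; ShortName = $short; Path = $_.FullName }
        }
    }

if ($exposed) {
    Write-Warning ("{0} file(s) under {1} still have 8.3 names; first entries:" -f $exposed.Count, $WebRoot)
    $exposed | Select-Object -First 10 | Format-Table -AutoSize
    # Strip existing short names (check for registry references first with
    # "fsutil 8dot3name scan /s <dir>", and test on a copy before production).
    Write-Warning "Remove them with: fsutil 8dot3name strip /s /f `"$WebRoot`""
} else {
    Write-Output "No files under $WebRoot carry an 8.3 short name."
}
```

The fsutil commands in the comments require administrator rights and, for the registry setting, a reboot; stripping short names can break applications that reference them, which is why the scan step is mentioned first.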