We can use IIS Short names to enumerate protected files on an IIS app.

Example:

<http://example.com/secret~1/somefi~1.txt>

Tool https://github.com/irsdl/IIS-ShortName-Scanner (require Java)

Generate wordlist:

egrep -r ^transf /usr/share/wordlists/* | sed 's/^[^:]*://' > /tmp/list.txt

Then:

gobuster dir -u <http://10.129.204.231/> -w /tmp/list.txt -x .aspx,.asp