Hacking with wget

Hanno Böck
https://hboeck.de/
Twitter: @hanno

Let's talk about a mighty hacktool

Evidence presented during Private Manning’s court-martial for his role as the source for large archives of military and diplomatic files given to WikiLeaks revealed that he had used a program called “wget” to download the batches of files. (New York Times, 2014-02-09)

wget

Don't put secret information on your public web servers

HTTP GET attack

Downloading files from web servers
Drupal module backup_migrate creates database backups
They are protected via an .htaccess file, a feature of Apache HTTPD
Drupal also runs on other web servers such as Nginx, which ignore .htaccess, so this is insufficient protection

Magento

Magento stores its config in XML within the web root
It is protected via an .htaccess file
Well, guess what?
wget https://example.com/app/etc/local.xml

GIT

wget https://example.com/.git/config
https://github.com/internetwache/GitTools
Volksverschlüsselung
They used the very secure password "safran", which was stored in their publicly accessible git repository
Golem, 2017-05-17
According to a statement the password wasn't used in any production system

VIM

vim wp-config.php creates a temporary file .wp-config.php.swp
These get removed upon exit, but not if vim crashes or gets killed
wget https://example.com/.wp-config.php.swp
EMACS creates #filename#
wget https://example.com/%23wp-config.php%23
Many editors (including EMACS) automatically create backup files with appended ~
wget https://example.com/wp-config.php~

Database dumps

mysqldump (MySQL documentation: mysqldump)
wget https://example.com/dump.sql
Database with 200,000 addresses from German postal service (Deutsche Post).
Database with 600,000 addresses from Australian online pharmacy.
Zeit Online, 2017-07-05

Private Keys

wget https://example.com/example.com.key
Certificates with compromised keys should be revoked by the CA within 24 hours
How do you check whether a private key belongs to a certificate?

Let's talk about cryptography (don't be scared)

Keys are just large numbers

Public and Private Keys (RSA)

  • Public key: N, e
  • Private key: N, e, d, p, q, dP, dQ, qinv
RSA public key: two numbers called N and e.
RSA private key: the same N and e and some more numbers.
You're a Certificate Authority and someone reports a compromised key. What do you do?
Compare N, e of the private key with N, e of the certificate's public key?
Good idea?
Take RSA public key (N, e), add bogus private key values
Symantec
Hanno's blog, 2017-07-20

Don't trust the Internet

I googled for instructions on how to check whether certificates and keys match.

There were dozens of howtos - and almost all of them were wrong.
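A worked version of the key check, added here and not part of the talk: a toy-sized textbook RSA key (constructed primes, Python 3.8+ for pow(e, -1, m)) shows that comparing only N and e accepts a private key padded with bogus values, while demanding a test signature that verifies under the certificate's public key does not.

```python
from math import gcd

def lcm(a, b):
    return a * b // gcd(a, b)

def make_rsa_key(p, q, e=65537):
    """Textbook RSA key from two primes. Toy sizes are used below for the
    demo only; real keys have a 2048-bit or larger N."""
    n = p * q
    lam = lcm(p - 1, q - 1)          # Carmichael's lambda(N)
    d = pow(e, -1, lam)              # private exponent (Python 3.8+)
    return {"n": n, "e": e, "d": d, "p": p, "q": q}

def naive_match(cert_pub, priv):
    """The check the slides warn about: only N and e are compared.
    Anyone can copy those two numbers out of the public certificate."""
    return cert_pub["n"] == priv["n"] and cert_pub["e"] == priv["e"]

def proper_match(cert_pub, priv, challenge=2):
    """Demand proof of possession: the secret values must really belong
    to N. True only if p*q == N and a test signature made with d verifies
    under the certificate's (N, e). Any 1 < challenge < N works."""
    if not naive_match(cert_pub, priv):
        return False
    n, e = cert_pub["n"], cert_pub["e"]
    if priv["p"] <= 1 or priv["q"] <= 1 or priv["p"] * priv["q"] != n:
        return False
    if not 1 < challenge < n:
        raise ValueError("challenge must lie in (1, N)")
    sig = pow(challenge, priv["d"], n)   # "sign" with the claimed d
    return pow(sig, e, n) == challenge   # verify with the public e

def demo():
    """Constructed toy case: the real key, the certificate's public half,
    and a 'private key' that is just the public numbers plus junk."""
    real = make_rsa_key(61, 53)
    cert = {"n": real["n"], "e": real["e"]}
    bogus = dict(cert, d=12345, p=7, q=11)
    return (naive_match(cert, bogus),     # True: N and e match
            proper_match(cert, bogus),    # False: p*q != N
            proper_match(cert, real))     # True: signature verifies
```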

Apache server-status

wget https://example.com/server-status
Information about server load, IPs of current visitors, request URLs, ...
wget http://ask.com/server-status
Golem, 2017-04-07
ask.com
Often server-status access is restricted to localhost
Tor hidden services run on localhost...
wireflaw blog, 2016-02-29

nginx

nginx also has a status page, but it's boring

Core dumps

Linux creates core dump files when applications crash
By default they are named "core"
PHP crashes quite often
https://github.com/hannob/php-crashers
wget https://example.com/core
Hanno's blog, 2017-06-15

FTP config files

wget https://example.com/sftp-config.json
Sucuri blog, 2012-11-23
Configuration file from Sublime FTP
Gives you direct read/write access to the web page's files
Is there something special about Sublime FTP that people tend to upload config files?
No, people also upload FileZilla.xml or WS_FTP.ini

Abandoned Domain takeover

<script type="text/javascript" src="https://example.org/fancy.js"></script>
What if the service from which you include Javascript ceases to operate?
Scan web pages, check if domains from src references resolve
Yahoo Web Analytics
Yahoo Web Analytics was discontinued in 2012
Flickr still included their code in June 2017
Impact: Mostly harmless, domain still belongs to Yahoo
piwiklionshare
Nonexisting Azure subdomain
Azure free account
Code included by dozens of web pages, mostly local US newspapers.
Most removed code after contacting them.
The Saline Courier didn't answer. Tried to contact them via mail, no answer, code remained
Saline Courier
What if we look for domains that might expire soon?
Compete
How long will they keep their domain? And who will get it afterwards?
You should know whose code you execute on your web page and if you can trust it
Equifax’s Latest Security Foil: A Defunct Web Service

Wall Street Journal, 2017-10-13
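An added example of the scan described above (not from the talk or any tool of the author): it collects the hosts a page loads scripts from and flags those whose name no longer resolves. The sample HTML and the resolver used in the test are constructed; the default lookup uses socket.getaddrinfo.

```python
import socket
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one absolute, one scheme-relative, one local script
SAMPLE_HTML = """<html><head>
<script type="text/javascript" src="https://example.org/fancy.js"></script>
<script src="//cdn.example.net/lib.js"></script>
<script src="/local/app.js"></script>
</head></html>"""

class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a document."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)

def script_hosts(html, page_host):
    """Hostnames the page pulls script from, other than its own host.
    Scheme-relative (//cdn...) URLs are treated as https; relative paths
    load from page_host itself and are ignored."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    hosts = set()
    for src in collector.srcs:
        if src.startswith("//"):
            src = "https:" + src
        host = urlparse(src).hostname
        if host and host.lower() != page_host.lower():
            hosts.add(host.lower())
    return hosts

def resolves(host):
    """Default resolver: True if DNS returns any address for the host."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def dangling_script_hosts(html, page_host, resolver=resolves):
    """Third-party script hosts that no longer resolve. A lapsed name can
    be registered by somebody else, who then controls code your page runs;
    review these and drop or self-host the script."""
    return sorted(h for h in script_hosts(html, page_host) if not resolver(h))
```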

HTTP

HTTP uses "methods", a normal HTTP request is a GET, a form submission is usually a POST.
What other HTTP methods are there?

OPTIONS

Shows you which HTTP methods a server supports
Allow: ,GET,,,POST,OPTIONS,HEAD,,
Allow: POST,OPTIONS,,HEAD,:09:44 GMT
Allow: GET,HEAD,OPTIONS,,HEAD,,HEAD,,HEAD,, HEAD,,HEAD,,HEAD,,HEAD,POST,,HEAD,, HEAD,!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"
Allow: GET,HEAD,OPTIONS,=write HTTP/1.0,HEAD,,HEAD,POST,,HEAD,TRACE
Certain Apache configurations leaked arbitrary pieces of memory in the reply to OPTIONS requests.
Fuzzing Project, 2017-09-18
Support for Various HTTP Methods on the Web, Arxiv, 2014-05-08

Optionsbleed was already discovered in 2014, but nobody noticed that it was a security problem.
One month after Heartbleed!
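An added check (not from the talk or the Fuzzing Project) that reads an Allow header value and reports the elements that cannot be entries of an HTTP method list; the embedded inputs are the three shorter sample headers quoted above plus one constructed clean reply.

```python
import string

# RFC 7230 "tchar": the only characters an HTTP method token may contain
TCHAR = set(string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~")

# The shorter Allow values quoted on the slides, plus one constructed clean reply
SAMPLES = {
    "clean": "GET,HEAD,POST,OPTIONS",
    "leak1": ",GET,,,POST,OPTIONS,HEAD,,",
    "leak2": "POST,OPTIONS,,HEAD,:09:44 GMT",
    "leak3": "GET,HEAD,OPTIONS,=write HTTP/1.0,HEAD,,HEAD,POST,,HEAD,TRACE",
}

def parse_allow(value):
    """Split an Allow value on commas, keeping empty elements so that the
    ',,' pattern from the leaked replies stays visible."""
    return [elem.strip(" \t") for elem in value.split(",")]

def allow_anomalies(value):
    """Elements of an Allow value that cannot belong to a method list:
    empty elements, tokens with non-tchar characters, and repeated methods.
    A healthy server lists each supported method once ('clean' sample)."""
    bad, seen = [], set()
    for elem in parse_allow(value):
        if elem == "":
            bad.append("<empty>")
        elif any(ch not in TCHAR for ch in elem):
            bad.append(elem)           # e.g. a date fragment or HTML
        elif elem in seen:
            bad.append("dup:" + elem)  # memory garbage repeating a method
        seen.add(elem)
    return bad

def looks_like_optionsbleed(value):
    """Detection heuristic: any anomaly means the reply carried something
    other than a method list, which is what the Optionsbleed bug produced."""
    return bool(allow_anomalies(value))
```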

Abuse Handling

Dear Network Manager : 

This warning is from the Financial Security Institute(FSI) of Korea.

Our job is to protect Korean financial organizations from illegal intrusion attacks.
We have received a report of unauthorized access trial originating from your site as shown below. 

--------------------------------------------------------------------------------
Date/Time(GMT+9): 2017/03/11 06:54:53 ~ 2017/03/11 06:58:10
Source IP : [removed]
Destination IP : [removed],[removed]
Attack Type : F-SCN-WEB-170305-GitRepository_scan_attempt
--------------------------------------------------------------------------------

We are seriously considering notifying these illegal attempts to the related authorities of both your and our countries and requesting proper legal actions.

So, please take appropriate measures to identify and stop the attacker. And, please inform us of the results. ([removed])

Thank you for your cooperation. 

p.s. : If you are not the correct person to deal with this incident, please forward this to the proper person and inform us for future convenience
To whom it may concern,

I'm a security manager of CERT-WFG (Computer Emergency Response Team for Woori Financial Group) and this is an official warning message against unauthorized access trial from IP addresses you manage.

We perform 24/7 security monitoring, threat assessment, investigation and response for threats or attacks to protect information asset of Woori Financial Group.

We have received an unauthorized access trial report from our information security systems as shown below:

   Time of attack        Attacker        Victim                       Name of Attack

  2017-03-10 17:27       [removed]      [removed]                        UD_SVN1

The infrastructure of Woori Financial Group is classified as "National Security Objective Facility - class A" and unauthorized access to this facility is strictly prohibited by related laws and regulations. Therefore, this access trial will be regarded as an illegal attack against foreign nation's critical infrastructure. Please take the appropriate steps to identify the source of this trial and make sure this trial is stopped immediately and no more occurred again. In addition, please inform us of whole information about this. If you are not the correct person for this matter, please forward this e-mail to the person who is in charge of IT Security.

Sincerely Yours.

CERT-WFG Address : Woori Financial Group IT Center, 1585, Sangam-dong, Mapo-gu, Seoul, The Republic of Korea

Disclosure

Problem: Scan results in hundreds or thousands of vulnerable sites
Disclosure approach: Get abuse mail contacts of IP via Abusix
Inform national CERTs (IP-to-CERT API from cert.at)
In severe cases individual contact (e.g. large database leaks)

Summary

  • Don't put secret stuff on web servers
  • Sometimes simple attacks are the best
  • Have more ideas? Talk to me!
  • I'm gonna release a tool to scan for all these issues soon.

Thanks for listening!

https://hboeck.de/
Twitter: @hanno