Hacking with wget

Hanno Böck
Twitter: @hanno

Let's talk about a mighty hacktool

Evidence presented during Private Manning’s court-martial for his role as the source for large archives of military and diplomatic files given to WikiLeaks revealed that he had used a program called “wget” to download the batches of files. (New York Times, 2014-02-09)


Don't put secret information on your public web servers

HTTP GET attack

Downloading files from web servers
Drupal module backup_migrate creates Database backups
They are protected via an .htaccess file, a feature of Apache HTTPD
Drupal also runs on other web servers like Nginx, thus this is an insufficient protection


Magento stores its config in XML within the web root
It is protected via an .htaccess file
Well, guess what?
wget https://example.com/app/etc/local.xml


wget https://example.com/.git/config https://github.com/internetwache/GitTools
They used the very secure password "safran", which was stored in their publicly accessible git repository
Golem, 2017-05-17
According to a statement the password wasn't used in any production system


vim wp-config.php creates a temporary file .wp-config.php.swp
These get removed upon exit, but not if vim crashes or gets killed
wget https://example.com/.wp-config.php.swp
EMACS creates #filename#
wget https://example.com/%23wp-config.php%23
Many editors (including EMACS) automatically create backup files with appended ~
wget https://example.com/wp-config.php~

Database dumps

mysqldump MySQL documentation - mysqldump
wget https://example.com/dump.sql
Database with 200,000 addresses from German postal service (Deutsche Post).
Database with 600,000 addresses from Australian online pharmacy.
Zeit Online, 2017-07-05

Private Keys

wget https://example.com/example.com.key
Certificates with compromised keys should be revoked by the CA within 24 hours
How do you check whether a private key belongs to a certificate?

Let's talk about cryptography (don't be scared)

Keys are just large numbers

Public and Private Keys (RSA)

  • Public key: N, e
  • Private key: N, e, d, p, q, dP, dQ, qinv
RSA public key: two numbers called N and e.
RSA private key: the same N and e and some more numbers.
You're a Certificate Authority and someone reports a compromised key. What do you do?
Compare N, e of the private key with N, e of the certificate's public key?
Good idea?
Take RSA public key (N, e), add bogus private key values
Hanno's blog, 2017-07-20

Don't trust the Internet

I googled for instructions on how to check whether certificates and keys match.

There were dozends of howtos - and almost all of them were wrong.

Apache server-status

wget https://example.com/server-status
Information about server load, IPs of current visitors, request URLs, ...
wget http://ask.com/server-status Golem, 2017-04-07
Often server-status access is restricted to localhost
Tor hidden services run on localhost...
wireflaw blog, 2016-02-29


nginx also has a status page, but it's boring

Core dumps

Linux creates core dump files when applications crash
By default they are named "core"
PHP crashes quite often
wget https://example.com/core Hanno's blog, 2017-06-15

FTP config files

wget https://example.com/sftp-config.json
Sucuri blog, 2012-11-23
Configuration file from Sublime FTP
Gives you direct read/write access to web page
Is there something special about Sublime FTP that people tend to upload config files?
No, people also upload FileZilla.xml or WS_FTP.ini

Abandoned Domain takeover

<script type="text/javascript" src="https://example.org/fancy.js"></script>
What if the service from which you include Javascript ceases to operate?
Scan web pages, check if domains from src references resolve
Yahoo Web Analytics
Yahoo Web Analytics was discontinued in 2012
Flickr still included their code in June 2017
Impact: Mostly harmless, domain still belongs to Yahoo
Nonexisting Azure subdomain
Azure free account
Code included by dozens of web pages, mostly local US newspapers.
Most removed code after contacting them.
The Saline Courier didn't answer. Tried to contact them via mail, no answer, code remained
Saline Courier
Saline Courier
Saline Courier
Saline Courier
What if we look for domains that might expire soon?
How long will they keep their domain? And who will get it afterwards?
You should know whose code you execute on your web page and if you can trust it
Equifax’s Latest Security Foil: A Defunct Web Service

Wall Street Journal, 2017-10-13


HTTP uses "methods", a normal HTTP request is a GET, a form submission is usually a POST.
What other HTTP methods are there?


Shows you which HTTP methods a server supports
Allow: GET,HEAD,OPTIONS,,HEAD,,HEAD,,HEAD,, HEAD,,HEAD,,HEAD,,HEAD,POST,,HEAD,, HEAD,!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"
Certain Apache configurations leaked arbitrary pieces of memory in the reply to OPTIONS requests. Fuzzing Project, 2017-09-18
Support for Various HTTP Methods on the Web, Arxiv, 2014-05-08

Optionsbleed was already discovered in 2014, but nobody noticed it's a security problem.
One month after Heartbleed!

Abuse Handling

Dear Network Manager : 

This warning is from the Financial Security Institute(FSI) of Korea.

Our job is to protect Korean financial organizations from illegal intrusion attacks.
We have received a report of unauthorized access trial originating from your site as shown below. 

Date/Time(GMT+9): 2017/03/11 06:54:53 ~ 2017/03/11 06:58:10
Source IP : [removed]
Destination IP : [removed],[removed]
Attack Type : F-SCN-WEB-170305-GitRepository_scan_attempt

We are seriously considering notifying these illegal attempts to the related authorities of both your and our countries and requesting proper legal actions.

So, please take appropriate measures to identify and stop the attacker. And, please inform us of the results. ([removed])

Thank you for your cooperation. 

p.s. : If you are not the correct person to deal with this incident, please forward this to the proper person and inform us for future convenience
To whom it may concern,

I'm a security manager of CERT-WFG (Computer Emergency Response Team for Woori Financial Group) and this is an official warning message against unauthorized access trial from IP addresses you manage.

We perform 24/7 security monitoring, threat assessment, investigation and response for threats or attacks to protect information asset of Woori Financial Group.

We have received an unauthorized access trial report from our information security systems as shown below:

   Time of attack        Attacker        Victim                       Name of Attack

  2017-03-10 17:27       [removed]      [removed]                        UD_SVN1

The infrastructure of Woori Financial Group is classified as "National Security Objective Facility - class A" and unauthorized access to this facility is strictly prohibited by related laws and regulations. Therefore, this access trial will be regarded as an illegal attack against foreign nation's critical infrastructure. Please take the appropriate steps to identify the source of this trial and make sure this trial is stopped immediately and no more occurred again. In addition, please inform us of whole information about this. If you are not the correct person for this matter, please forward this e-mail to the person who is in charge of IT Security.

Sincerely Yours.

CERT-WFG Address : Woori Financial Group IT Center, 1585, Sangam-dong, Mapo-gu, Seoul, The Republic of Korea


Problem: Scan results in hundreds or thousands of vulnerable sites
Disclosure approach: Get abuse mail contacts of IP via Abusix
Inform national certs (IP-to-CERT API from cert.at)
In severe cases individual contact (e. g. large database leaks)


  • Don't put secret stuff on web servers
  • Sometimes simple attacks are the best
  • Have more ideas? Talk to me!
  • I'm gonna release a tool to scan for all these issues soon.

Thanks for listening!

Twitter: @hanno