The HTTP GET Attack

Finding stuff on web servers

Hanno Böck
https://hboeck.de/

Let's talk about a mighty hacktool

Evidence presented during Private Manning’s court-martial for his role as the source for large archives of military and diplomatic files given to WikiLeaks revealed that he had used a program called “wget” to download the batches of files. (New York Times, 2014-02-09)

Hacking with wget

If you put files into your web root then other people can download them with HTTP GET requests
If those files contain secret information then that's not good

HTTP GET attack

Downloading files from web servers

GIT

Some people use GIT to develop and deploy web pages
wget https://example.com/.git/config
https://github.com/internetwache/GitTools
Volksverschlüsselung
They used the very secure password "safran", which was stored in their publicly accessible git repository
Golem, 2017-05-17
According to a statement the password wasn't used in any production system

.svn, .hg, CVS

Attack works for most source code management systems

Apache server-status

wget https://example.com/server-status
Information about server load, IPs of current visitors, request URLs, ...
wget http://ask.com/server-status
Golem, 2017-04-07
ask.com
Often server-status access is restricted to localhost
Tor hidden services run on localhost...
wireflaw blog, 2016-02-29

nginx

nginx also has a status page, but it's boring

Core dumps

Linux creates core dump files when applications crash
By default they are named "core"
PHP crashes quite often
https://github.com/hannob/php-crashers
wget https://example.com/core
Hanno's blog, 2017-06-15

FTP config files

wget https://example.com/sftp-config.json
Sucuri blog, 2012-11-23
Configuration file from Sublime FTP
Gives you direct read/write access to web page
Is there something special about Sublime FTP that people tend to upload config files?
No, people also upload FileZilla.xml or WS_FTP.ini

VIM or EMACS?

VIM

vim test.txt creates a temporary file .test.txt.swp
vim wp-config.php creates a temporary file .wp-config.php.swp
These get removed upon exit, but not if vim crashes or gets killed
wget https://example.com/.wp-config.php.swp
Many editors (including EMACS) automatically create backup files with appended ~
wget https://example.com/wp-config.php~

Database dumps

mysqldump (MySQL documentation: mysqldump)
wget https://example.com/dump.sql
Database with 200,000 addresses from German postal service (Deutsche Post)
Zeit Online, 2017-07-05

split

wget https://example.com/xaa
600,000 addresses and order information from customers of the largest Australian online pharmacy

Magento

Magento stores its config in XML within the web root
It is protected via an .htaccess file
.htaccess is a feature of Apache HTTPD
Magento also runs on Nginx
wget https://example.com/app/etc/local.xml
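The slides above list the same family of leftovers over and over: VCS directories, vim swap files and editor backup copies, core dumps, FTP client configs, SQL dumps, split(1) chunks and Magento's local.xml. An added example, not part of the talk and not Hanno's scan tool: a small Python pre-deploy audit that walks a local web root and flags those names before anything is published. The name list, the patterns and the constructed sample tree in demo() are assumptions for the demonstration; extend them to match your own deployment.

```python
import os
import re
import tempfile
from pathlib import Path

# Leftovers named in the talk: directory names, exact file names, name
# patterns and one path relative to the web root (Magento's config).
RISKY_DIRS = {".git", ".svn", ".hg", "CVS"}
RISKY_NAMES = {"core", "sftp-config.json", "FileZilla.xml", "WS_FTP.ini", "dump.sql"}
RISKY_PATTERNS = [
    re.compile(r"^\..+\.swp$"),       # vim swap file, e.g. .wp-config.php.swp
    re.compile(r".+~$"),              # editor backup copy, e.g. wp-config.php~
    re.compile(r".+\.sql(\.gz)?$"),   # database dump
    re.compile(r"^xa[a-z]$"),         # default chunk names produced by split(1)
]
RISKY_PATHS = {"app/etc/local.xml"}   # Magento configuration


def audit_webroot(root):
    """Walk a local web root and return the sorted list of paths (relative to
    root, POSIX separators) that should never be reachable via HTTP GET."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        for d in list(dirnames):
            if d in RISKY_DIRS:
                findings.append((rel_dir / d).as_posix())
                dirnames.remove(d)   # the whole tree is one finding; do not descend
        for f in filenames:
            rel = (rel_dir / f).as_posix()
            if f in RISKY_NAMES or rel in RISKY_PATHS or any(p.match(f) for p in RISKY_PATTERNS):
                findings.append(rel)
    return sorted(findings)


def demo():
    """Build a constructed sample web root in a temporary directory (assumption:
    these files are typical leftovers, not taken from any real site) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".git").mkdir()
        (root / ".git" / "config").write_text("[core]\n")
        (root / "app" / "etc").mkdir(parents=True)
        (root / "app" / "etc" / "local.xml").write_text("<config/>\n")
        for name in ["index.php", "style.css", "wp-config.php",
                     ".wp-config.php.swp", "wp-config.php~", "core",
                     "sftp-config.json", "dump.sql", "xaa"]:
            (root / name).write_text("")
        return audit_webroot(root)


if __name__ == "__main__":
    for path in demo():
        print("should not be in web root:", path)
```

Run it against the directory your deployment step copies to the server, or wire it into the CI job that builds the release; a non-empty result should fail the deploy. Server-side deny rules for dotfiles and friends are still worth having as a second layer, because this check only sees what is in the tree at deploy time, not what a crashing PHP process or an editor session leaves behind later.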

Private Keys

wget https://example.com/example.com.key
Plenty of people put private keys of their certificates in web roots
Certificates with compromised keys should be revoked within 24 hours
Certificate Transparency helps to find the certificates corresponding to leaked private keys
https://crt.sh/
How do you check whether a private key belongs to a certificate?

Let's talk about cryptography (don't be scared)

Keys are just large numbers

Public and Private Keys (RSA)

  • Public key: N, e
  • Private key: N, e, d, p, q, dP, dQ, qinv
RSA public key: two numbers called N and e.
RSA private key: the same N and e and some more numbers.
You're a Certificate Authority and someone reports a compromised key. What do you do?
Compare N, e of the private key with N, e of the certificate's public key?
Good idea?

Frankenkey

Take RSA public key (N, e), add bogus private key values
Symantec
Hanno's blog, 2017-07-20
openssl pkey -in server.key -check
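The question from the "Private Keys" slide (how do you check whether a private key belongs to a certificate?) and the Frankenkey slide are two sides of the same check. An added example, not from the talk: Python code that performs the consistency checks openssl pkey -check does, on a constructed toy RSA key (p = 61, q = 53), and contrasts the naive "compare N and e" shortcut with a check that also validates the private components. The numbers and the Frankenkey are constructed for the demonstration; the relations are the standard RSA ones and apply unchanged to 2048-bit keys.

```python
from math import gcd


def lcm(a, b):
    return a * b // gcd(a, b)


def check_private_key(key):
    """Return a list of inconsistencies in an RSA private key given as a dict
    with N, e, d, p, q, dP, dQ, qinv. An empty list means every component
    agrees with the others (the same relations openssl pkey -check verifies)."""
    N, e, d, p, q = key["N"], key["e"], key["d"], key["p"], key["q"]
    problems = []
    if p * q != N:
        problems.append("p*q != N")
    if (e * d) % lcm(p - 1, q - 1) != 1:
        problems.append("d is not the inverse of e")
    if key["dP"] != d % (p - 1):
        problems.append("dP != d mod (p-1)")
    if key["dQ"] != d % (q - 1):
        problems.append("dQ != d mod (q-1)")
    if (q * key["qinv"]) % p != 1:
        problems.append("qinv is not the inverse of q mod p")
    # Functional check: encrypt with (N, e), decrypt with d, expect the message back.
    m = 42 % N
    if pow(pow(m, e, N), d, N) != m:
        problems.append("encrypt/decrypt round trip fails")
    return problems


def naive_match(key, cert_public_key):
    """The shortcut from the slide: only compare N and e. Accepts a Frankenkey."""
    return (key["N"], key["e"]) == (cert_public_key["N"], cert_public_key["e"])


def key_matches_certificate(key, cert_public_key):
    """What a CA should do with a reported key: confirm the public part matches
    the certificate AND that the private part is a real key, not bolted on."""
    return naive_match(key, cert_public_key) and not check_private_key(key)


# Constructed toy key; real keys use 1024-bit primes, the checks are identical.
GENUINE_KEY = {"N": 3233, "e": 17, "d": 413, "p": 61, "q": 53,
               "dP": 53, "dQ": 49, "qinv": 38}
CERT_PUBLIC_KEY = {"N": 3233, "e": 17}

# Frankenkey: the certificate's (N, e) with made-up private components.
FRANKENKEY = {"N": 3233, "e": 17, "d": 1, "p": 3, "q": 5,
              "dP": 1, "dQ": 1, "qinv": 2}


if __name__ == "__main__":
    print("genuine key problems:", check_private_key(GENUINE_KEY))
    print("frankenkey problems:", check_private_key(FRANKENKEY))
    print("naive match accepts frankenkey:", naive_match(FRANKENKEY, CERT_PUBLIC_KEY))
    print("full check accepts frankenkey:", key_matches_certificate(FRANKENKEY, CERT_PUBLIC_KEY))
```

The round-trip step matters on its own: a revocation process that only compares the public numbers can be fed any certificate's public key wrapped in a private-key file, so the reporter must demonstrate possession, either by a key file that passes these checks or by signing a challenge the CA chose.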

Abandoned domain takeover

wget https://example.com/
<script type="text/javascript" src="https://example.org/fancy.js"></script>
What if the service from which you include JavaScript ceases to operate?
Scan web pages, check if domains from src references resolve
Yahoo Web Analytics
Yahoo Web Analytics was discontinued in 2012
Flickr still included their code in June 2017
Impact: Mostly harmless, domain still belongs to Yahoo
piwiklionshare
Nonexistent Azure subdomain
Azure free account
Code included by dozens of web pages, mostly local US newspapers
Vast majority on two IP addresses by same company, contacted their abuse department
No answer, but code was removed within days
Biggest user of that script: Saline Courier
Tried to contact them via mail, no answer, code remained
Saline Courier
The Columbia Missourian still has the code included
(Click "Report an error" on any article)
Compete
How long will they keep their domain? And who will get it afterwards?
If you include other people's code on your web page then other people can execute code on your web page
Avoid including third party content if you don't have to
Remove unused or obsolete code
If you include third party code you should know whose code it is and whether you can trust them
You should at least know them well enough to notice when they end their business
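The scan described on the abandoned-domain slides (collect src references, check whether the domains still resolve) is simple enough to run against your own pages. An added example, not the talk's scanner: Python that parses a page for script src attributes, keeps the third-party hosts, and reports those that no longer resolve. The sample HTML is constructed; the stub resolver in demo() assumes example.org resolves and anything under the reserved .invalid TLD does not, so the demonstration runs offline.

```python
import socket
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def third_party_script_hosts(html, page_host):
    """Return the set of hostnames from which the page loads JavaScript,
    excluding relative URLs and the page's own host."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    hosts = set()
    for src in collector.srcs:
        host = urlparse(src, scheme="https").hostname   # handles https://..., //... and /path
        if host and host.lower() != page_host.lower():
            hosts.add(host.lower())
    return hosts


def dns_resolves(host):
    """Live check via the system resolver."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False


def find_dead_script_hosts(html, page_host, resolve=dns_resolves):
    """Hosts the page loads scripts from that no longer resolve: whoever
    registers such a name next gets to run code on the page."""
    return sorted(h for h in third_party_script_hosts(html, page_host) if not resolve(h))


# Constructed sample page; the .invalid name is reserved and never resolves.
SAMPLE_HTML = """<html><head>
<script type="text/javascript" src="https://example.org/fancy.js"></script>
<script src="/js/local.js"></script>
<script src="//stats.analytics-vendor-gone.invalid/tracker.js"></script>
</head><body><p>hello</p></body></html>"""


def demo():
    """Offline run with a stub resolver (assumption: example.org resolves,
    anything under .invalid does not)."""
    return find_dead_script_hosts(SAMPLE_HTML, "example.com",
                                  resolve=lambda h: not h.endswith(".invalid"))


if __name__ == "__main__":
    print("third-party script hosts:", sorted(third_party_script_hosts(SAMPLE_HTML, "example.com")))
    print("no longer resolving:", demo())
```

A host that fails to resolve is the strong signal; a host that still resolves may nonetheless have changed owners or be sitting on a subdomain nobody controls any more (the Yahoo and Azure cases above), so treat the resolving list as the inventory you have to keep reviewing, not as a clean bill of health. Subresource Integrity limits what a swapped script can do, but only for scripts whose content you expect never to change.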

Graduating from HTTP GET

GET is not the only HTTP method
I can't talk about details yet

Scan tool

Demo time

Scanning

  • Self-written scan tool
  • Alexa Top 1 Million
  • GNU parallel

Tool

  • Python 3 script
  • Goal: Easy to use, fast, only scan for common or high impact issues
  • Scans for all the issues mentioned in this talk and more
  • Will be released soon as free software

Abuse Handling

Dear Network Manager:

This warning is from the Financial Security Institute (FSI) of Korea.

Our job is to protect Korean financial organizations from illegal intrusion attacks.
We have received a report of unauthorized access trial originating from your site as shown below. 

--------------------------------------------------------------------------------
Date/Time(GMT+9): 2017/03/11 06:54:53 ~ 2017/03/11 06:58:10
Source IP : [removed]
Destination IP : [removed],[removed]
Attack Type : F-SCN-WEB-170305-GitRepository_scan_attempt
--------------------------------------------------------------------------------

We are seriously considering notifying these illegal attempts to the related authorities of both your and our countries and requesting proper legal actions.

So, please take appropriate measures to identify and stop the attacker. And, please inform us of the results. ([removed])

Thank you for your cooperation. 

p.s.: If you are not the correct person to deal with this incident, please forward this to the proper person and inform us for future convenience

To whom it may concern,

I'm a security manager of CERT-WFG (Computer Emergency Response Team for Woori Financial Group) and this is an official warning message against unauthorized access trial from IP addresses you manage.

We perform 24/7 security monitoring, threat assessment, investigation and response for threats or attacks to protect information asset of Woori Financial Group.

We have received an unauthorized access trial report from our information security systems as shown below:

  Time of attack      Attacker     Victim       Name of Attack
  2017-03-10 17:27    [removed]    [removed]    UD_SVN1

The infrastructure of Woori Financial Group is classified as "National Security Objective Facility - class A" and unauthorized access to this facility is strictly prohibited by related laws and regulations. Therefore, this access trial will be regarded as an illegal attack against foreign nation's critical infrastructure. Please take the appropriate steps to identify the source of this trial and make sure this trial is stopped immediately and no more occurred again. In addition, please inform us of whole information about this. If you are not the correct person for this matter, please forward this e-mail to the person who is in charge of IT Security.

Sincerely Yours.

CERT-WFG Address : Woori Financial Group IT Center, 1585, Sangam-dong, Mapo-gu, Seoul, The Republic of Korea

Disclosure

Problem: Scan results in hundreds or thousands of vulnerable sites
Disclosure approach: Get abuse mail contacts of IP via Abusix
Inform national CERTs (IP-to-CERT API from cert.at)
In severe cases individual contact (e.g. large database leaks)

Takeaways

Plenty of stuff ends up on web servers that shouldn't be there
Sometimes the simple attacks are the best
Have more ideas what to scan for? Talk to me!

Thanks for listening!

https://hboeck.de/