Let's talk about a mighty hacktool
Evidence presented during Private Manning’s court-martial for his role as the source for large archives of military and diplomatic files given to WikiLeaks revealed that he had used a program called “wget” to download the batches of files. (New York Times, 2014-02-09)
If you put files into your web root then other people can download them with HTTP GET requests
If those files contain secret information then that's not good
HTTP GET attack
Downloading files from web servers
Some people use GIT to develop and deploy web pages
They used the very secure password "safran", which was stored in their publicly accessible git repository
According to a statement the password wasn't used in any production system
.svn, .hg, CVS
Attack works for most source code management systems
Apache's server-status page exposes information about server load, IPs of current visitors, request URLs, ...
Often server-status access is restricted to localhost
nginx also has a status page, but it's boring
Linux creates core dump files when applications crash
By default they are named "core"
Configuration file from Sublime FTP
Gives you direct read/write access to web page
Is there something special about Sublime FTP that people tend to upload config files?
No, people also upload FileZilla.xml or WS_FTP.ini
vim test.txt creates a temporary swap file
vim wp-config.php creates a temporary swap file
These get removed upon exit, but not if vim crashes or gets killed
Many editors (including Emacs) automatically create backup files with an appended ~
600,000 addresses and order information from customers of the largest Australian online pharmacy
Magento stores its config in XML within the web root
It is protected via an .htaccess file
.htaccess is a feature of Apache HTTPD
Magento also runs on Nginx
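Added example (not from the talk): a small defender-side audit that walks a local web root and reports the artifacts discussed above, i.e. SCM metadata directories, core dumps, FTP client configs, vim swap files and editor backups. The file name sftp-config.json for the Sublime SFTP config and the sample directory contents are assumptions.

```python
import os
import tempfile

# SCM metadata directories that must never be served (git, svn, hg, CVS).
SCM_DIRS = {".git", ".svn", ".hg", "CVS"}
# Exact file names that indicate leaked credentials or crash data.
# Assumption: sftp-config.json is the Sublime SFTP config file name.
SECRET_FILES = {"core", "sftp-config.json", "FileZilla.xml", "WS_FTP.ini"}


def audit_webroot(root):
    """Walk a web root and return sorted relative paths of suspicious entries."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            if d in SCM_DIRS:
                findings.append(os.path.relpath(os.path.join(dirpath, d), root))
                dirnames.remove(d)  # the repository itself needs no further walk
        for f in filenames:
            suspicious = (
                f in SECRET_FILES
                or f.endswith("~")                              # editor backup (e.g. Emacs)
                or (f.startswith(".") and f.endswith(".swp"))   # vim swap file
            )
            if suspicious:
                findings.append(os.path.relpath(os.path.join(dirpath, f), root))
    return sorted(findings)


def build_sample_webroot():
    """Create a constructed web root mixing harmless files with leaks (test data)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, ".git", "objects"))
    os.makedirs(os.path.join(root, "shop", "CVS"))
    for name in ["index.html", "sftp-config.json", "wp-config.php~",
                 ".wp-config.php.swp", "core",
                 os.path.join("shop", "FileZilla.xml")]:
        with open(os.path.join(root, name), "w") as fh:
            fh.write("constructed sample content\n")
    return root


if __name__ == "__main__":
    for path in audit_webroot(build_sample_webroot()):
        print("exposed:", path)
```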
Plenty of people put private keys of their certificates in web roots
Certificates with compromised keys should be revoked within 24 hours
Certificate Transparency helps find the certificates corresponding to leaked private keys
How do you check whether a private key belongs to a certificate?
Let's talk about cryptography (don't be scared)
Keys are just large numbers
Public and Private Keys (RSA)
RSA public key: two numbers called N and e.
- Public key: N, e
- Private key: N, e, d, p, q, dP, dQ, qinv
RSA private key: the same N and e and some more numbers.
You're a Certificate Authority and someone reports a compromised key. What do you do?
Compare N, e of the private key with N, e of the certificate's public key?
Take RSA public key (N, e), add bogus private key values
openssl pkey -in server.key -check
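Added example (not from the talk): why a CA must not accept a compromise report by comparing only N and e. The toy key below uses tiny constructed primes; the consistency test is a simplified version of what openssl pkey -check does (it additionally validates the CRT values dP, dQ, qinv).

```python
from math import gcd

# Constructed toy RSA key with tiny primes (illustration only).
P, Q = 61, 53
N = P * Q                   # 3233
PHI = (P - 1) * (Q - 1)     # 3120
E = 17
D = pow(E, -1, PHI)         # 2753, since 17 * 2753 mod 3120 == 1

GENUINE_KEY = {"n": N, "e": E, "d": D, "p": P, "q": Q}
# A bogus "private key": correct public values, invented private values.
BOGUS_KEY = {"n": N, "e": E, "d": 1234, "p": 7, "q": 11}
CERT_PUBLIC_KEY = {"n": N, "e": E}


def naive_match(private_key, cert_public_key):
    """The check a CA must NOT rely on: only the public parts are compared."""
    return (private_key["n"], private_key["e"]) == (cert_public_key["n"], cert_public_key["e"])


def key_is_consistent(key):
    """Simplified consistency test in the spirit of 'openssl pkey -check'."""
    n, e, d, p, q = key["n"], key["e"], key["d"], key["p"], key["q"]
    if p * q != n:
        return False
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1 or (e * d) % phi != 1:
        return False
    # Round trip: a value raised to d and then to e must come back unchanged.
    m = 42
    return pow(pow(m, d, n), e, n) == m


def compromise_report_valid(private_key, cert_public_key):
    """Accept a compromise report only if the key is genuine AND matches the cert."""
    return naive_match(private_key, cert_public_key) and key_is_consistent(private_key)
```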
Abandoned Domain takeover
Scan web pages, check if domains from src references resolve
Yahoo Web Analytics was discontinued in 2012
Flickr still included their code in June 2017
Impact: Mostly harmless, domain still belongs to Yahoo
Nonexisting Azure subdomain
Code included by dozens of web pages, mostly local US newspapers
Vast majority on two IP addresses by same company, contacted their abuse department
No answer, but code was removed within days
Biggest user of that script: Saline Courier
Tried to contact them via mail, no answer, code remained
The Columbia Missourian still has the code included
(Click "Report an error" on any article)
How long will they keep their domain? And who will get it afterwards?
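Added example (not from the talk): auditing your own page for third-party includes whose domains no longer resolve, which is the condition that makes a takeover possible. The HTML page, hostnames and the offline stand-in resolver are constructed; with the default resolver the check uses real DNS.

```python
import socket
from html.parser import HTMLParser
from urllib.parse import urlparse


class IncludeCollector(HTMLParser):
    """Collect hostnames of external resources a page pulls in."""
    ATTRS = {("script", "src"), ("img", "src"), ("iframe", "src"), ("link", "href")}

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in self.ATTRS and value:
                host = urlparse(value).hostname   # None for relative URLs
                if host and host != self.own_host:
                    self.hosts.add(host)


def dns_resolves(host):
    """Real resolver: True if the name still has at least one address."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def dangling_includes(html, own_host, resolver=dns_resolves):
    """Return third-party hosts referenced by the page that no longer resolve."""
    collector = IncludeCollector(own_host)
    collector.feed(html)
    return sorted(h for h in collector.hosts if not resolver(h))


# Constructed sample page: one live CDN and two discontinued services.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="https://analytics.example-cdn.invalid/tracker.js"></script>
<script src="//static.example.com/app.js"></script>
</head><body>
<img src="https://feedback.gone-startup.invalid/report.gif">
<script src="/js/local.js"></script>
</body></html>"""


def fake_resolver(host):
    """Offline stand-in for DNS: '.invalid' names count as NXDOMAIN."""
    return not host.endswith(".invalid")
```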
If you include other people's code on your web page then other people can execute code on your web page
Avoid including third party content if you don't have to
Remove unused or obsolete code
If you include third party code you should know whose code it is and whether you can trust them
You should at least know them well enough to notice when they end their business
GET is not the only HTTP method
I can't talk about details yet
- Self-written scan tool
- Alexa Top 1 Million
- GNU parallel
- Python 3 script
- Goal: Easy to use, fast, only scan for common or high impact issues
- Scans for all the issues mentioned in this talk and more
- Will be released soon as free software
Dear Network Manager:
This warning is from the Financial Security Institute (FSI) of Korea.
Our job is to protect Korean financial organizations from illegal intrusion attacks.
We have received a report of unauthorized access trial originating from your site as shown below.
Date/Time(GMT+9): 2017/03/11 06:54:53 ~ 2017/03/11 06:58:10
Source IP: [removed]
Destination IP: [removed], [removed]
Attack Type : F-SCN-WEB-170305-GitRepository_scan_attempt
We are seriously considering notifying these illegal attempts to the related authorities of both your and our countries and requesting proper legal actions.
So, please take appropriate measures to identify and stop the attacker. And, please inform us of the results. ([removed])
Thank you for your cooperation.
P.S.: If you are not the correct person to deal with this incident, please forward this to the proper person and inform us for future convenience.
To whom it may concern,
I'm a security manager of CERT-WFG (Computer Emergency Response Team for Woori Financial Group) and this is an official warning message against unauthorized access trial from IP addresses you manage.
We perform 24/7 security monitoring, threat assessment, investigation and response for threats or attacks to protect information asset of Woori Financial Group.
We have received an unauthorized access trial report from our information security systems as shown below:
Time of attack     Attacker    Victim      Name of Attack
2017-03-10 17:27   [removed]   [removed]   UD_SVN1
The infrastructure of Woori Financial Group is classified as "National Security Objective Facility - class A" and unauthorized access to this facility is strictly prohibited by related laws and regulations. Therefore, this access trial will be regarded as an illegal attack against a foreign nation's critical infrastructure. Please take the appropriate steps to identify the source of this trial and make sure this trial is stopped immediately and does not occur again. In addition, please inform us of all information about this. If you are not the correct person for this matter, please forward this e-mail to the person who is in charge of IT Security.
CERT-WFG Address : Woori Financial Group IT Center, 1585, Sangam-dong, Mapo-gu, Seoul, The Republic of Korea
Problem: Scan results in hundreds or thousands of vulnerable sites
Disclosure approach: Get abuse mail contacts of IP via Abusix
In severe cases individual contact (e.g. large database leaks)
Plenty of stuff ends up on web servers that shouldn't be there
Sometimes the simple attacks are the best
Have more ideas what to scan for? Talk to me!