190 likes | 429 Views
Sergey Belov. NGinx Warhead. whoami. Pentester in Digital Security / ERPScan ; Writer (habrahabr.ru, “ Xakep ”); CTF Player; Bug bounty member (Google, Yandex ); bugscollector.com creator. intro. Very easy 0$ Not mentioned in the wild. Part 1/3. NGinx – reverse proxy.
E N D
Sergey Belov NGinx Warhead
whoami • Pentester in Digital Security / ERPScan; • Writer (habrahabr.ru, “Xakep”); • CTF Player; • Bug bounty member (Google, Yandex); • bugscollector.com creator.
intro • Very easy • 0$ • Not mentioned in the wild
Part 1/3 NGinx – reverse proxy
NGinx – reverse proxy php-fpm Client Nginx Apache
NGinx – reverse proxy php-fpm attacker.com Client Nginx Apache vuln.com ??? http server
NGinx – reverse proxy Step 1 location / { proxy_pass http://vuln.com; proxy_set_header X-Real-IP $remote_addr; } }
NGinx – reverse proxy Step 2 • proxy_set_header Host “vuln.com"; • sub_filter ‘vuln.com' ‘attacker.com'; • sub_filter_once off;
Part 2/3 Phishing
Phishing NGinx – tool for MitM/phishing? • + Identical design • + Fully functional working • + Logging all data (POST/GET) • + Add custom JS/HTML • - Another domain (DNS poising / router hacking, malware, evil apnconfige.t.c.)
Phishing Pentest • Random exploit’s? • Change response data (rights of social networks apps) • Change apps swf-> java (exploit) • ???
Part 3/3 DNS rebinding
DNS rebinding • -Another domain • - Very unstable • + Can attack internal resources
DNS rebinding Internal, not external!
DNS rebinding C:\Users\BeLove>ping www.ya.ru Обмен пакетами с ya.ru [87.250.250.203] с 32 байтами данных
DNS rebinding • Remove it from: • Pentester’sreports • Most famous security scanners
Thanks! demo: http://zn.sergeybelove.ru http://twitter.com/sergeybelove