Nginx warhead
ZeroNights 2013 talk about nginx

Comments

  • P.S. It's the server headers I'm talking about. Your MitM will stand out like a Rastafarian in front of the Mausoleum on Red Square.
  • sergeybelove in that case you might as well use dnat, string and mangle
  • The talk was not about a threat but about a trick: enough with PHP fakes with a ripped design and an embarrassing redirect after the login/password is entered, when you can proxy the whole resource once the user has already opened our link.
    And the second point: stop writing about DNS rebinding on sites with an external IP in scanner / pentester reports.

    P.S. Which headers are you talking about? We _fully_ emulate a legitimate user; all the headers match. As mentioned, the example is zn.sergeybelove.ru
  • @alexanderlyamin I didn't get it either
  • headers will be altered == easily detectable == what's the point?

Nginx warhead Presentation Transcript

  • 1. Sergey Belov
  • 2. • Pentester in Digital Security / ERPScan; • Writer (habrahabr.ru, “Xakep”); • CTF Player; • Bug bounty member (Google, Yandex); • bugscollector.com creator.
  • 3. • Very easy • 0$ • Not mentioned in the wild
  • 4. Nginx – reverse proxy
  • 5. php-fpm Client Nginx Apache
  • 6. attacker.com Client php-fpm Nginx Apache vuln.com ??? http server
  • 7. Step 1
    location / {
        proxy_pass http://vuln.com;
        proxy_set_header X-Real-IP $remote_addr;
    }
  • 8. Step 2
    proxy_set_header Host "vuln.com";
    sub_filter 'vuln.com' 'attacker.com';
    sub_filter_once off;
  • 9. Phishing
  • 10. Nginx – tool for MitM/phishing? • + Identical design • + Fully functional • + Logging all data (POST/GET) • + Add custom JS/HTML • - Another domain (DNS poisoning / router hacking, malware, evil APN config, etc.)
  • 11. Pentest • Random exploits? • Change response data (rights of social network apps) • Change apps swf -> java (exploit) • ???
  • 12. DNS rebinding
  • 13. • - Another domain • - Very unstable • + Can attack internal resources
  • 14. Internal, not external!
  • 15. C:\Users\BeLove>ping www.ya.ru
    Обмен пакетами с ya.ru [87.250.250.203] с 32 байтами данных
  • 16. Remove it from: • Pentester’s reports • Most famous security scanners
  • 17. Thanks! demo: http://zn.sergeybelove.ru http://twitter.com/sergeybelove