Nginx warhead

ZeroNights 2013 talk about nginx

Published in: Technology

Comments
  • P.S. I am talking about the server headers. Your MitM will get caught like a Rastafarian in front of the Mausoleum on Red Square.
  • sergeybelove, in that case dnat, string and mangle instead.
  • It was not about a threat but about a trick: enough with PHP fakes with a ripped design and a shameful redirect after the login/password is entered, when you can fully proxy the resource if the user has already opened our link.
    And the second point: stop writing about DNS rebinding on sites with an external IP in scanner / pentester reports.

    P.S. Which headers are you talking about? We _fully_ emulate a legitimate user; all headers match. As mentioned, example: zn.sergeybelove.ru
  • @alexanderlyamin I didn't get it either
  • headers will be altered == easily detectable == what's the point?


Transcript

  • 1. Sergey Belov
  • 2. Pentester in Digital Security / ERPScan; writer (habrahabr.ru, "Xakep"); CTF player; bug bounty member (Google, Yandex); bugscollector.com creator.
  • 3. Very easy; $0; not mentioned in the wild.
  • 4. Nginx – reverse proxy
  • 5. [diagram] Client -> Nginx -> Apache -> php-fpm
  • 6. [diagram] Client -> attacker.com (??? http server) -> vuln.com (Nginx -> Apache -> php-fpm)
  • 7. Step 1
        location / {
            proxy_pass http://vuln.com;
            proxy_set_header X-Real-IP $remote_addr;
        }
  • 8. Step 2
        proxy_set_header Host "vuln.com";
        sub_filter 'vuln.com' 'attacker.com';
        sub_filter_once off;
  • 9. Phishing
  • 10. Nginx – tool for MitM/phishing? + Identical design; + fully functional; + logs all data (POST/GET); + add custom JS/HTML; - another domain (DNS poisoning / router hacking, malware, evil APN config, etc.)
  • 11. Pentest: random exploits? Change response data (rights of social-network apps); change app's swf -> java (exploit); ???
  • 12. DNS rebinding
  • 13. - Another domain; - very unstable; + can attack internal resources.
  • 14. Internal, not external!
  • 15. C:\Users\BeLove>ping www.ya.ru
        Обмен пакетами с ya.ru [87.250.250.203] с 32 байтами данных
  • 16. Remove it from: pentester's reports; most famous security scanners.
  • 17. Thanks! demo: http://zn.sergeybelove.ru http://twitter.com/sergeybelove
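What an origin site can see of the two tricks above is worth making concrete. The following is an added example, not code from the talk or from nginx: a small analyzer run over constructed origin access-log lines that raises the indicators left behind by the slide 7-8 configuration (the proxy's `X-Real-IP` header, a `Referer` naming the proxy's domain after `sub_filter` rewrote the links, and many distinct logins arriving from one TCP source) and by DNS rebinding (a `Host` header naming something the origin never serves). The pipe-separated log format, the names in `EXPECTED_HOSTS` and `TRUSTED_PROXIES`, the `MANY_USERS` threshold and every log line are assumptions made for this example.

```python
"""Origin-side indicators for nginx-as-phishing-proxy (slides 7-10) and
DNS rebinding against internal hosts (slides 12-14).
Added example, not code from the talk.

Assumptions (all hypothetical): the origin's nginx access log uses a custom
log_format that records, pipe-separated, the TCP client IP, the Host header,
the authenticated user, the Referer and the X-Real-IP header. EXPECTED_HOSTS,
TRUSTED_PROXIES and MANY_USERS are placeholders; SAMPLE_LOG is constructed.
"""
from collections import defaultdict
from urllib.parse import urlsplit

EXPECTED_HOSTS = {"vuln.com", "www.vuln.com"}   # names this origin serves
TRUSTED_PROXIES = {"10.0.0.5"}                   # hypothetical own load balancer
MANY_USERS = 3                                   # hypothetical threshold

# Constructed log lines: client_ip|host|user|referer|x_real_ip
SAMPLE_LOG = """\
203.0.113.10|vuln.com|alice|https://vuln.com/login|-
203.0.113.10|vuln.com|alice|https://vuln.com/home|-
198.51.100.7|vuln.com|bob|http://attacker.example/login|198.51.100.20
198.51.100.7|vuln.com|carol|http://attacker.example/home|198.51.100.21
198.51.100.7|vuln.com|dave|http://attacker.example/home|198.51.100.22
192.0.2.9|internal.attacker.example|-|-|-
"""


def parse_line(line):
    """Split one constructed log line into a dict of its five fields."""
    client_ip, host, user, referer, x_real_ip = line.strip().split("|")
    return {"client_ip": client_ip, "host": host, "user": user,
            "referer": referer, "x_real_ip": x_real_ip}


def analyze(log_text):
    """Return a list of (indicator, client_ip, detail) tuples."""
    findings = []
    users_by_ip = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)

        # DNS rebinding: the victim's browser resolved the attacker's name to
        # our address, so the Host header carries a name we never serve.
        if rec["host"] not in EXPECTED_HOSTS:
            findings.append(("host_mismatch", rec["client_ip"], rec["host"]))

        # Proxied copy: sub_filter rewrote links in responses to the proxy's
        # domain, so the browser's Referer on the next request names that
        # domain; nginx forwards the client's Referer unchanged by default.
        if rec["referer"] != "-":
            ref_host = urlsplit(rec["referer"]).hostname or ""
            if ref_host not in EXPECTED_HOSTS:
                findings.append(("foreign_referer", rec["client_ip"], ref_host))

        # The slide-7 config adds X-Real-IP; a browser never sends it directly,
        # so its presence from a hop we do not own marks an intermediate proxy.
        if rec["x_real_ip"] != "-" and rec["client_ip"] not in TRUSTED_PROXIES:
            findings.append(("untrusted_x_real_ip", rec["client_ip"],
                             rec["x_real_ip"]))

        if rec["user"] != "-":
            users_by_ip[rec["client_ip"]].add(rec["user"])

    # One TCP source serving many distinct logins is the signal that header
    # emulation cannot remove: every victim reaches us through the proxy's IP.
    for ip, users in users_by_ip.items():
        if len(users) >= MANY_USERS:
            findings.append(("many_users_one_ip", ip, len(users)))
    return findings


if __name__ == "__main__":
    for indicator, ip, detail in analyze(SAMPLE_LOG):
        print(f"{indicator:22} client={ip:14} {detail}")
```

These are indicators, not proof: the comment thread points out that a proxy can be made to emulate the client's request headers as well, which would silence the `Referer` and `X-Real-IP` checks, whereas the many-logins-from-one-address signal does not depend on headers at all. For the rebinding case the `host_mismatch` indicator can be turned into a block rather than a log entry by giving nginx an explicit `server_name` and a catch-all default `server` that answers unknown `Host` values with `return 444;`.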
