Penetration Testing with Kali Linux OffSec
|
|
Figure 22: File Operator in GitHub Search
Our search only found one file - xampp.users. This is nevertheless interesting because XAMPP 227 is a web application development environment. Let’s check the contents of the file. 227 (Apache Friends, 2022), https://www.apachefriends.org/index.html Penetration Testing with Kali Linux PWK - Copyright © 2023 OffSec Services Limited. All rights reserved. 124 Figure 23: GitHub Search Results This file appears to contain a username and password hash, 228 which could be very useful when we begin our active attack phase. Let’s add it to our notes. 228 (Wikipedia, 2022) https://en.wikipedia.org/wiki/Cryptographic_hash_function#Password_verification Penetration Testing with Kali Linux PWK - Copyright © 2023 OffSec Services Limited. All rights reserved. 125 Figure 24: xampp.users File Content This manual approach will work best on small repos. For larger repos, we can use several tools to help automate some of the searching, such as Gitrob 229 and Gitleaks . 230 . Most of these tools require an access token 231 to use the source code-hosting provider’s API. The following screenshot shows an example of Gitleaks finding an AWS access key ID 232 in a file. 229 (Michael Henriksen, 2018), https://github.com/michenriksen/gitrob 230 (Zachary Rice, 2022), https://github.com/zricethezav/gitleaks 231 (GitHub, 2022), https://help.github.com/en/articles/creating-a-personal-access-token-for-the-command-line 232 (Amazon Web Services, 2022), https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret- access-keys Penetration Testing with Kali Linux PWK - Copyright © 2023 OffSec Services Limited. All rights reserved. 126 Figure 25: Example Gitleaks Output Obtaining these credentials allows us unlimited access to the same AWS account and could lead to a compromise of any cloud service managed by this identity. Tools that search through source code for secrets, like Gitrob or Gitleaks, generally rely on regular expressions or entropy 233 -based detections to identify potentially useful information. Entropy-based detection attempts to find strings that are randomly generated. The idea is that a long string of random characters and numbers is probably a password. No matter how a tool searches for secrets, no tool is perfect and they will miss things that a manual inspection might find. 6.2.5 Shodan As we gather information on our target, it is important to remember that traditional websites are just one part of the internet. Shodan 234 is a search engine that crawls devices connected to the internet, including the servers that run websites, but also devices like routers and IoT 235 devices. To put it another way, Google and other search engines search for web server content, while Shodan searches for internet-connected devices, interacts with them, and displays information about them. Although Shodan is not required to complete any material in this Module or the labs, it’s worth exploring a bit. Before using Shodan we must register a free account, which provides limited access. 233 (Wikipedia, 2022), https://en.wikipedia.org/wiki/Password_strength#Random_passwords 234 (Shodan, 2022), https://www.shodan.io/ 235 (Wikipedia, 2022) https://en.wikipedia.org/wiki/Internet_of_things Penetration Testing with Kali Linux PWK - Copyright © 2023 OffSec Services Limited. All rights reserved. 127 Let’s start by using Shodan to search for hostname:megacorpone.com. Yüklə Dostları ilə paylaş:
|