Figure 22: File Operator in GitHub Search
Our search only found one file, xampp.users. This is nevertheless interesting because XAMPP[227] is a web application development environment. Let's check the contents of the file.
[227] (Apache Friends, 2022), https://www.apachefriends.org/index.html
Penetration Testing with Kali Linux
PWK - Copyright © 2023 OffSec Services Limited. All rights reserved.
124
Figure 23: GitHub Search Results
This file appears to contain a username and password hash,[228] which could be very useful when we begin our active attack phase. Let's add it to our notes.
[228] (Wikipedia, 2022), https://en.wikipedia.org/wiki/Cryptographic_hash_function#Password_verification
Figure 24: xampp.users File Content
This manual approach will work best on small repos. For larger repos, we can use several tools to help automate some of the searching, such as Gitrob[229] and Gitleaks.[230] Most of these tools require an access token[231] to use the source-code hosting provider's API.
The following screenshot shows an example of Gitleaks finding an AWS access key ID[232] in a file.
[229] (Michael Henriksen, 2018), https://github.com/michenriksen/gitrob
[230] (Zachary Rice, 2022), https://github.com/zricethezav/gitleaks
[231] (GitHub, 2022), https://help.github.com/en/articles/creating-a-personal-access-token-for-the-command-line
[232] (Amazon Web Services, 2022), https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys
Figure 25: Example Gitleaks Output
Obtaining an access key ID together with its secret access key gives us the same access to the AWS account as the identity that owns the key, bounded only by that identity's IAM permissions, and could lead to a compromise of any cloud service managed by this identity.
Tools that search through source code for secrets, like Gitrob or Gitleaks, generally rely on regular expressions or entropy[233]-based detections to identify potentially useful information. A regular-expression rule matches the fixed format of a known credential type. Entropy-based detection attempts to find strings that are randomly generated: the idea is that a long string of random characters and numbers is probably a password or key. No matter how a tool searches for secrets, no tool is perfect, and each will miss things that a manual inspection might find.
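To make the two detection strategies concrete, here is an added example (written for this page, not code from Gitleaks or Gitrob) of a minimal scanner that applies a regex rule for AWS access key IDs alongside a Shannon-entropy rule over long base64-like tokens. The sample file, the candidate-token alphabet, the short prefix list and the 4.0 bits/char cutoff are assumptions made for illustration; the key pair in the sample is the placeholder pair AWS publishes in its own documentation, not a live credential.

```python
"""Regex plus entropy secret scanner (added example; not Gitleaks or Gitrob code).

Two detection strategies side by side:
  1. a pattern rule for a structured identifier (AWS access key ID);
  2. an entropy rule that flags long, random-looking tokens of any format.
The sample input, the candidate-token alphabet and the entropy cutoff are
constructed for illustration; tune the cutoff against your own corpus.
"""
import math
import re
from collections import Counter

# Rule 1: AWS access key ID. These are 20 characters: a prefix (AKIA for
# long-term IAM keys, ASIA for temporary STS keys) plus 16 uppercase
# alphanumerics. The prefix list is deliberately short (assumption).
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")

# Rule 2: any run of 20+ base64-alphabet characters is an entropy candidate.
CANDIDATE = re.compile(r"[A-Za-z0-9+/]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; constructed cutoff


def shannon_entropy(token: str) -> float:
    """Shannon entropy in bits per character: higher for random-looking
    tokens, lower for English identifiers that reuse a few letters."""
    if not token:
        return 0.0
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in Counter(token).values())


def scan_line(line: str, lineno: int) -> list:
    """Apply both rules to one line; returns a list of finding dicts."""
    findings = []
    # Specific rules first: they catch identifiers whose entropy is too low
    # for the generic rule (the sample key ID scores about 3.7 bits/char).
    matched = set()
    for m in AWS_ACCESS_KEY_ID.finditer(line):
        matched.add(m.group(0))
        findings.append({"rule": "aws-access-key-id", "line": lineno,
                         "match": m.group(0)})
    for m in CANDIDATE.finditer(line):
        tok = m.group(0)
        if tok in matched:
            continue  # already reported by a specific rule
        ent = shannon_entropy(tok)
        if ent >= ENTROPY_THRESHOLD:
            findings.append({"rule": "high-entropy", "line": lineno,
                             "match": tok, "entropy": round(ent, 2)})
    return findings


def scan_text(text: str) -> list:
    """Scan a whole file body, numbering lines from 1 like a grep hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        findings.extend(scan_line(line, lineno))
    return findings


# Constructed sample file. The key pair is the placeholder AWS uses in its
# own documentation, not a live credential.
SAMPLE = """\
# constructed sample config, not a real leak
connection_name = "DefaultConnectionString"
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
log_level = "debug"
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding)
```

Running it reports the access key ID through the pattern rule and the secret access key through the entropy rule. The key ID itself scores only about 3.7 bits per character, below the cutoff, so the entropy rule on its own would miss it, and the English identifier DefaultConnectionString also stays under the cutoff; this is why scanners pair generic entropy checks with format-specific patterns, and why neither replaces a manual read of the repository.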
6.2.5 Shodan
As we gather information on our target, it is important to remember that traditional websites are just one part of the internet. Shodan[234] is a search engine that crawls devices connected to the internet, including the servers that run websites, but also devices like routers and IoT[235] devices.
To put it another way, Google and other search engines search for web server content, while
Shodan searches for internet-connected devices, interacts with them, and displays information
about them.
Although Shodan is not required to complete any material in this Module or the labs, it’s worth
exploring a bit. Before using Shodan we must register a free account, which provides limited
access.
[233] (Wikipedia, 2022), https://en.wikipedia.org/wiki/Password_strength#Random_passwords
[234] (Shodan, 2022), https://www.shodan.io/
[235] (Wikipedia, 2022), https://en.wikipedia.org/wiki/Internet_of_things
Let’s start by using Shodan to search for hostname:megacorpone.com.