开源信息泄露小考

开源信息泄露小考

内容纲要

前言

刚刚过去的学期有在cncert外派,做了一点辅助工作,做的最多仔细想想还是开源信息的泄露收集。借这段时间的经历,就想稍微总结一下Github等平台的信息泄露收集。

工作中的信息泄露收集

因为cert那边需要的是全国政企的开源信息泄露,而且要最终拿到敏感数据(比如身份证号之类的),和平时渗透时候的还是有些区别(漏洞不是目的,数据才是QAQ 我怎么越想越觉得像黑产),先说下俺日常做的,找某一类组织的信息泄露的流程。

折腾了各种各样的抓信息方式之后,感觉现在的最方便的方式就还是直接用Github搜关键词,什么GISL,什么携程云安全,全都不适合收集信息用(当然他们本来就是给企业自查的233)。至于关键词,我这边单搜项目相关的中文有奇效。日常就是分解单位的属性作标签,组合,找敏感的repo。

经常能一个Tag或Tag组合找到好多信息泄露,像全国的政协站,一省不差,全都有敏感信息,外包政协网站建设的公司一点安全意识没有,全员无过滤上传Github。

定位到某个repo之后,弄下来本地搜搜http://.do之类的,其实比预想中要容易找到暴露在公网的接口、测试站等等,后面就是常规渗透了。

说起来其实这项工作实际内容并不多,找到一个有效的流程就能一直用下去,也没什么太大长进。下学期主力还是得做漏洞挖掘。

渗透向信息泄露收集

在丁牛实习时候,最大的收获大概是对渗透的认识,也就是李哥挂在嘴边的渗透测试的本质是信息收集。这学期的开源信息收集工作也算是漫漫信息收集路的一个小分支,感觉对个人成长也算有些帮助。

渗透向的话,github-dorks的list这种类型的就很好用

Dork Description
filename:.npmrc _auth npm registry authentication data
filename:.dockercfg auth docker registry authentication data
extension:pem private private keys
extension:ppk private puttygen private keys
filename:id_rsa or filename:id_dsa private ssh keys
extension:sql mysql dump mysql dump
extension:sql mysql dump password mysql dump look for password; you can try varieties
filename:credentials aws_access_key_id might return false negatives with dummy values
filename:.s3cfg might return false negatives with dummy values
filename:wp-config.php wordpress config files
filename:.htpasswd htpasswd files
filename:.env DB_USERNAME NOT homestead laravel .env (CI, various ruby based frameworks too)
filename:.env MAIL_HOST=smtp.gmail.com gmail smtp configuration (try different smtp services too)
filename:.git-credentials git credentials store, add NOT username for more valid results
PT_TOKEN language:bash pivotaltracker tokens
filename:.bashrc password search for passwords, etc. in .bashrc (try with .bash_profile too)
filename:.bashrc mailchimp variation of above (try more variations)
filename:.bash_profile aws aws access and secret keys
rds.amazonaws.com password Amazon RDS possible credentials
extension:json api.forecast.io try variations, find api keys/secrets
extension:json mongolab.com mongolab credentials in json configs
extension:yaml mongolab.com mongolab credentials in yaml configs (try with yml)
jsforce extension:js conn.login possible salesforce credentials in nodejs projects
SF_USERNAME salesforce possible salesforce credentials
filename:.tugboat NOT _tugboat Digital Ocean tugboat config
HEROKU_API_KEY language:shell Heroku api keys
HEROKU_API_KEY language:json Heroku api keys in json files
filename:.netrc password netrc that possibly holds sensitive credentials
filename:_netrc password netrc that possibly holds sensitive credentials
filename:hub oauth_token hub config that stores github tokens
filename:robomongo.json mongodb credentials file used by robomongo
filename:filezilla.xml Pass filezilla config file with possible user/pass to ftp
filename:recentservers.xml Pass filezilla config file with possible user/pass to ftp
filename:config.json auths docker registry authentication data
filename:idea14.key IntelliJ Idea 14 key, try variations for other versions
filename:config irc_pass possible IRC config
filename:connections.xml possible db connections configuration, try variations to be specific
filename:express.conf path:.openshift openshift config, only email and server thou
filename:.pgpass PostgreSQL file which can contain passwords
filename:proftpdpasswd Usernames and passwords of proftpd created by cpanel
filename:ventrilo_srv.ini Ventrilo configuration
[WFClient] Password= extension:ica WinFrame-Client infos needed by users to connect toCitrix Application Servers
filename:server.cfg rcon password Counter Strike RCON Passwords
JEKYLL_GITHUB_TOKEN Github tokens used for jekyll
filename:.bash_history Bash history file
filename:.cshrc RC file for csh shell
filename:.history history file (often used by many tools)
filename:.sh_history korn shell history
filename:sshd_config OpenSSH server config
filename:dhcpd.conf DHCP service config
filename:prod.exs NOT prod.secret.exs Phoenix prod configuration file
filename:prod.secret.exs Phoenix prod secret
filename:configuration.php JConfig password Joomla configuration file
filename:config.php dbpasswd PHP application database password (e.g., phpBB forum software)
path:sites databases password Drupal website database credentials
shodan_api_key language:python Shodan API keys (try other languages too)
filename:shadow path:etc Contains encrypted passwords and account information of new unix systems
filename:passwd path:etc Contains user account information including encrypted passwords of traditional unix systems
extension:avastlic "support.avast.com" Contains license keys for Avast! Antivirus
filename:dbeaver-data-sources.xml DBeaver config containing MySQL Credentials
filename:.esmtprc password esmtp configuration
extension:json googleusercontent client_secret OAuth credentials for accessing Google APIs
HOMEBREW_GITHUB_API_TOKEN language:shell Github token usually set by homebrew users
xoxp OR xoxb Slack bot and private tokens
.mlab.com password MLAB Hosted MongoDB Credentials
filename:logins.json Firefox saved password collection (key3.db usually in same repo)
filename:CCCam.cfg CCCam Server config file
msg nickserv identify filename:config Possible IRC login passwords
filename:settings.py SECRET_KEY Django secret keys (usually allows for session hijacking, RCE, etc)
filename:secrets.yml password Usernames/passwords, Rails applications
filename:master.key path:config Rails master key (used for decrypting credentials.yml.enc for Rails 5.2+)
filename:deployment-config.json Created by sftp-deployment for Atom, contains server details and credentials
filename:.ftpconfig Created by remote-ssh for Atom, contains SFTP/SSH server details and credentials
filename:.remote-sync.json Created by remote-sync for Atom, contains FTP and/or SCP/SFTP/SSH server details and credentials
filename:sftp.json path:.vscode Created by vscode-sftp for VSCode, contains SFTP/SSH server details and credentails
filename:sftp-config.json Created by SFTP for Sublime Text, contains FTP/FTPS or SFTP/SSH server details and credentials
filename:WebServers.xml Created by Jetbrains IDEs, contains webserver credentials with encoded passwords (not encrypted!)

遇见目标看看目标指纹,照猫画虎,弄几个关键字扫一波,说不定就有收获,像GitMiner这种就是更为简单粗暴的扫描器。

信息泄露这种东西,除了防不胜防的那类,只要安全意识好些就鲜有发生。更何况,各个组织的安全部门都会长期自查,像GISL、携程云安全的Github监控,全是自查向的工具,一旦有信息泄露直接处理掉了。当然,要是自己处理慢,被人先拿到数据就没办法了。

写到现在,也实在不能说开源信息泄露是信息收集多有效的部分,只能说是有用的一环。还是记着这些东西,说不定哪个场景就有奇效,像hz在黄鹤杯用git history解出3000分题的操作,啥操作还得看人使。

harmoc

发表评论

电子邮件地址不会被公开。 必填项已用*标注