Security notes
开源信息泄露小考
前言
刚刚过去的学期有在cncert外派,做了一点辅助工作,做的最多仔细想想还是开源信息的泄露收集。借这段时间的经历,就想稍微总结一下Github等平台的信息泄露收集。
工作中的信息泄露收集
因为cert那边需要的是全国政企的开源信息泄露,而且要最终拿到敏感数据(比如身份证号之类的),和平时渗透时候的还是有些区别(漏洞不是目的,数据才是QAQ 我怎么越想越觉得像黑产),先说下俺日常做的,找某一类组织的信息泄露的流程。
折腾了各种各样的抓信息方式之后,感觉现在的最方便的方式就还是直接用Github搜关键词,什么GISL,什么携程云安全,全都不适合收集信息用(当然他们本来就是给企业自查的233)。至于关键词,我这边单搜项目相关的中文有奇效。日常就是分解单位的属性作标签,组合,找敏感的repo。
经常能一个Tag或Tag组合找到好多信息泄露,像全国的政协站,一省不差,全都有敏感信息,外包政协网站建设的公司一点安全意识没有,全员无过滤上传Github。
定位到某个repo之后,弄下来本地搜搜http:// 、.do之类的,其实比预想中要容易找到暴露在公网的接口、测试站等等,后面就是常规渗透了。
说起来其实这项工作实际内容并不多,找到一个有效的流程就能一直用下去,也没什么太大长进。下学期主力还是得做漏洞挖掘。
渗透向信息泄露收集
在丁牛实习时候,最大的收获大概是对渗透的认识,也就是李哥挂在嘴边的渗透测试的本质是信息收集。这学期的开源信息收集工作也算是漫漫信息收集路的一个小分支,感觉对个人成长也算有些帮助。
渗透向的话,github-dorks的list这种类型的就很好用
| Dork | Description |
|---|---|
| filename:.npmrc _auth | npm registry authentication data |
| filename:.dockercfg auth | docker registry authentication data |
| extension:pem private | private keys |
| extension:ppk private | puttygen private keys |
| filename:id_rsa or filename:id_dsa | private ssh keys |
| extension:sql mysql dump | mysql dump |
| extension:sql mysql dump password | mysql dump look for password; you can try varieties |
| filename:credentials aws_access_key_id | might return false negatives with dummy values |
| filename:.s3cfg | might return false negatives with dummy values |
| filename:wp-config.php | wordpress config files |
| filename:.htpasswd | htpasswd files |
| filename:.env DB_USERNAME NOT homestead | laravel .env (CI, various ruby based frameworks too) |
| filename:.env MAIL_HOST=smtp.gmail.com | gmail smtp configuration (try different smtp services too) |
| filename:.git-credentials | git credentials store, add NOT username for more valid results |
| PT_TOKEN language:bash | pivotaltracker tokens |
| filename:.bashrc password | search for passwords, etc. in .bashrc (try with .bash_profile too) |
| filename:.bashrc mailchimp | variation of above (try more variations) |
| filename:.bash_profile aws | aws access and secret keys |
| rds.amazonaws.com password | Amazon RDS possible credentials |
| extension:json api.forecast.io | try variations, find api keys/secrets |
| extension:json mongolab.com | mongolab credentials in json configs |
| extension:yaml mongolab.com | mongolab credentials in yaml configs (try with yml) |
| jsforce extension:js conn.login | possible salesforce credentials in nodejs projects |
| SF_USERNAME salesforce | possible salesforce credentials |
| filename:.tugboat NOT _tugboat | Digital Ocean tugboat config |
| HEROKU_API_KEY language:shell | Heroku api keys |
| HEROKU_API_KEY language:json | Heroku api keys in json files |
| filename:.netrc password | netrc that possibly holds sensitive credentials |
| filename:_netrc password | netrc that possibly holds sensitive credentials |
| filename:hub oauth_token | hub config that stores github tokens |
| filename:robomongo.json | mongodb credentials file used by robomongo |
| filename:filezilla.xml Pass | filezilla config file with possible user/pass to ftp |
| filename:recentservers.xml Pass | filezilla config file with possible user/pass to ftp |
| filename:config.json auths | docker registry authentication data |
| filename:idea14.key | IntelliJ Idea 14 key, try variations for other versions |
| filename:config irc_pass | possible IRC config |
| filename:connections.xml | possible db connections configuration, try variations to be specific |
| filename:express.conf path:.openshift | openshift config, only email and server thou |
| filename:.pgpass | PostgreSQL file which can contain passwords |
| filename:proftpdpasswd | Usernames and passwords of proftpd created by cpanel |
| filename:ventrilo_srv.ini | Ventrilo configuration |
| [WFClient] Password= extension:ica | WinFrame-Client infos needed by users to connect toCitrix Application Servers |
| filename:server.cfg rcon password | Counter Strike RCON Passwords |
| JEKYLL_GITHUB_TOKEN | Github tokens used for jekyll |
| filename:.bash_history | Bash history file |
| filename:.cshrc | RC file for csh shell |
| filename:.history | history file (often used by many tools) |
| filename:.sh_history | korn shell history |
| filename:sshd_config | OpenSSH server config |
| filename:dhcpd.conf | DHCP service config |
| filename:prod.exs NOT prod.secret.exs | Phoenix prod configuration file |
| filename:prod.secret.exs | Phoenix prod secret |
| filename:configuration.php JConfig password | Joomla configuration file |
| filename:config.php dbpasswd | PHP application database password (e.g., phpBB forum software) |
| path:sites databases password | Drupal website database credentials |
| shodan_api_key language:python | Shodan API keys (try other languages too) |
| filename:shadow path:etc | Contains encrypted passwords and account information of new unix systems |
| filename:passwd path:etc | Contains user account information including encrypted passwords of traditional unix systems |
| extension:avastlic "support.avast.com" | Contains license keys for Avast! Antivirus |
| filename:dbeaver-data-sources.xml | DBeaver config containing MySQL Credentials |
| filename:.esmtprc password | esmtp configuration |
| extension:json googleusercontent client_secret | OAuth credentials for accessing Google APIs |
| HOMEBREW_GITHUB_API_TOKEN language:shell | Github token usually set by homebrew users |
| xoxp OR xoxb | Slack bot and private tokens |
| .mlab.com password | MLAB Hosted MongoDB Credentials |
| filename:logins.json | Firefox saved password collection (key3.db usually in same repo) |
| filename:CCCam.cfg | CCCam Server config file |
| msg nickserv identify filename:config | Possible IRC login passwords |
| filename:settings.py SECRET_KEY | Django secret keys (usually allows for session hijacking, RCE, etc) |
| filename:secrets.yml password | Usernames/passwords, Rails applications |
| filename:master.key path:config | Rails master key (used for decrypting credentials.yml.enc for Rails 5.2+) |
| filename:deployment-config.json | Created by sftp-deployment for Atom, contains server details and credentials |
| filename:.ftpconfig | Created by remote-ssh for Atom, contains SFTP/SSH server details and credentials |
| filename:.remote-sync.json | Created by remote-sync for Atom, contains FTP and/or SCP/SFTP/SSH server details and credentials |
| filename:sftp.json path:.vscode | Created by vscode-sftp for VSCode, contains SFTP/SSH server details and credentails |
| filename:sftp-config.json | Created by SFTP for Sublime Text, contains FTP/FTPS or SFTP/SSH server details and credentials |
| filename:WebServers.xml | Created by Jetbrains IDEs, contains webserver credentials with encoded passwords (not encrypted!) |
遇见目标看看目标指纹,照猫画虎,弄几个关键字扫一波,说不定就有收获,像GitMiner这种就是更为简单粗暴的扫描器。
信息泄露这种东西,除了防不胜防的那类,只要安全意识好些就鲜有发生。更何况,各个组织的安全部门都会长期自查,像GISL、携程云安全的Github监控,全是自查向的工具,一旦有信息泄露直接处理掉了。当然,要是自己处理慢,被人先拿到数据就没办法了。
写到现在,也实在不能说开源信息泄露是信息收集多有效的部分,只能说是有用的一环。还是记着这些东西,说不定哪个场景就有奇效,像hz在黄鹤杯用git history解出3000分题的操作,啥操作还得看人使。
