
How To Reveal Hidden Subdomains to Expose Internal Services With CT Exposer - Null Byte :: WonderHowTo



Most organizations have services such as employee login portals, internal subdomains, and test servers that they would rather keep private. Red teams and white-hat hackers can find these obscure and often vulnerable services by using a tool that was designed to protect users from fraudulent certificates.

What Is Certificate Transparency?

Certificates are issued by certificate authorities to companies that operate online services, in order to protect users from fraudulent websites. In 2011, the limits of what certificates can do to protect users were exposed by attacks against the certificate authorities Comodo and DigiNotar. Because detecting the fraudulent certificates took a long time, Certificate Transparency (CT) logs were created to give users better visibility into which certificates have been issued.

Facebook has used CT logs to detect mis-issued TLS certificates and prevent them from being used to intercept HTTPS traffic. This success led them to release a public CT monitoring tool with the ability to "subscribe" to a domain and quickly see newly logged certificates.

Ironically, releasing this tool directly resulted in several bug bounty reports about Facebook test servers that did not have the same authorization checks as production servers, potentially giving free access to all sorts of information. This perfectly illustrates how CT logs can expose an unintended amount of information about an organization while they identify domains with fraudulent certificates.

Hidden subdomains can reveal hidden pages such as employee logins, web applications in use, internal-only domains that are served by an internal DNS, and old or forgotten domains. While we could use Facebook's CT monitoring tool online to find hidden subdomains, we will use a local tool for more anonymity. It's called CT Exposer, a Python OSINT scanner that runs easily on any platform. It does not show as much data as the Facebook tool and does not return as many results, but the information is much easier to sift through.

What You Need

To get started with CT Exposer, you need to make sure that Python 3 is installed on your computer. If you do not have it, you can download it from the Python website. Once Python is installed, you can check that you have the correct version by typing python3 in a terminal window. If the output resembles the following, you should be fine. Type quit() after the >>> to exit.

    python3

    Python 3.6.4 (v3.6.4:d48ecebad5, Dec 18 2017, 21:07:28)
    [GCC 4.2.1 (Apple Inc. build 6996) (dot 3)] on darwin
    Type "help", "copyright", "credits" or "license" for more information.
    >>> quit()

If you are running Kali Linux, make sure you also update and upgrade your system with the following commands:

    apt update
    apt upgrade

Step 1: Download and Install the Requirements

Once Python is installed and your system is fully upgraded, navigate to the CT Exposer page on GitHub. Copy the URL under the "Clone or download" button and run git clone in a terminal window:

    git clone https://github.com/chris408/ct-exposer.git

Once the files have finished downloading, change directories (cd) into the ct-exposer folder and install the requirements as follows:

    cd ct-exposer
    sudo pip3 install -r requirements.txt

Once the requirements are installed, you should be ready!

Step 2: Select a Domain and Run the Scan

To find out what CT logs can reveal, test a domain and see what information is visible from an attacker's perspective. To get started, try priceline.com.

The main domain for this company is priceline.com, so run CT Exposer against it to see what you can find. Make sure you are in the ct-exposer folder. Once there, you can run the following command to scan the Certificate Transparency logs for the domain priceline.com.

    python3 ct-exposer.py -d priceline.com

Step 3: Break Down and Interpret the Scan

The output below shows the results of the priceline.com scan. Impressive! There are many results, but how could they be useful?

    sudo python3 ct-exposer.py -d priceline.com

    [+]: Downloading domain list...
    [+]: Download of domain list complete.
    [+]: Parsing 33 domain(s) from list.

    [+]: Domains found:
    23.23.126.26 admin.groupcommerce.com
    178.250.2.116 app-install.priceline.com
    35.241.46.146 appinstall.priceline.com
    64.6.22.95 bomgar.corp.priceline.com
    161.47.16.153 career.priceline.com
    209.202.133.98 cruises.priceline.com
    64.6.22.95 dealreveal.corp.priceline.com
    69.195.35.215 enet.qahotelportal.priceline.com
    151.101.196.65 g.ssl.fastly.net
    185.28.222.22 h.priceline.com
    185.28.222.21 hsecure.priceline.com
    64.6.22.100 mail.corp.priceline.com
    104.196.14.36 media.priceline.com
    64.6.22.95 phantom.corp.priceline.com
    104.131.82.197 picme.priceline.com
    151.101.196.204 priceline.map.fastly.net
    69.195.35.246 qahotelportal.priceline.com
    64.6.22.95 splunkes.corp.priceline.com
    64.6.22.95 ssh.corp.priceline.com
    69.195.35.226 travela.a1.qa.priceline.com
    64.6.21.26 travela.priceline.com
    69.195.35.166 www.a1.dev.priceline.com
    69.195.35.245 www.a1.qa.priceline.com
    64.6.23.56 www.a309.corp.priceline.com
    69.195.35.167 www.b1.dev.priceline.com
    151.101.130.186 www.priceline.com
    69.195.35.143 www.qaa.priceline.com

    [+]: Domains with no DNS entry:
    None en.hotelportal.priceline.com
    None fs.corp.priceline.com
    None pcln04.corp.priceline.com
    None rsecure.priceline.com
    None secure.priceline.com
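As an added example that is not part of the original article or of the CT Exposer project, the Python script below reproduces the two buckets the tool prints ("domains found" with an IP, and "no DNS entry") from CT records and additionally flags names with internal-looking labels, so a defender can audit what their own domain's certificate footprint reveals. It assumes the crt.sh JSON shape (one record per certificate, SANs newline-separated in `name_value`); the sample records, domain names and DNS answers are constructed, and the resolver is injectable so the sample runs offline.

```python
import json
import socket
# Constructed sample in the crt.sh JSON shape (SANs newline-separated in name_value); not real data.
SAMPLE_CT_JSON = json.dumps([
    {"name_value": "www.example.com\nexample.com"},
    {"name_value": "*.corp.example.com\nmail.corp.example.com"},
    {"name_value": "www.a1.qa.example.com\nMAIL.corp.example.com"},  # case variant, must dedupe
    {"name_value": "example.com.lookalike.invalid"},  # not under the domain, must be dropped
    {"name_value": "old.example.com"},
])
INTERNAL_LABELS = {"corp", "qa", "dev", "test", "staging", "internal"}

def subdomains_from_ct(ct_json, domain):
    """Unique, lower-cased hostnames under `domain` seen in the CT records."""
    domain = domain.lower()
    names = set()
    for record in json.loads(ct_json):
        for raw in record["name_value"].split("\n"):
            name = raw.strip().lower()
            if name.startswith("*."):  # wildcard cert: keep the base name it covers
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return sorted(names)

def public_resolve(name):
    """Public-DNS lookup, as CT Exposer does; returns an IP string or None."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def triage(ct_json, domain, resolve=public_resolve):
    """Bucket names like the tool's output and flag internal-looking labels for review."""
    report = {"resolved": {}, "no_dns": [], "internal_looking": []}
    for name in subdomains_from_ct(ct_json, domain):
        ip = resolve(name)
        if ip:
            report["resolved"][name] = ip
        else:
            report["no_dns"].append(name)
        if INTERNAL_LABELS & set(name.split(".")):
            report["internal_looking"].append(name)
    return report
# Constructed offline DNS answers (documentation IP ranges) so the sample needs no network.
FAKE_DNS = {"www.example.com": "203.0.113.10", "example.com": "203.0.113.10",
            "www.a1.qa.example.com": "198.51.100.7", "old.example.com": "198.51.100.9"}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_CT_JSON, "example.com", FAKE_DNS.get), indent=2))
```

Running it against a real domain means calling `triage(ct_json, domain)` with the default resolver and the JSON fetched from crt.sh for that domain.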

Example 1: Subdomains With DNS That Do Not Resolve

You can try navigating to the various subdomains that are displayed. If they do not resolve, this can mean one of several things:

One possibility is that you are trying to access an internal service that requires you to be connected to an internal DNS server. For example, when you try to navigate to mail.corp.priceline.com in your web browser, you may encounter the following:

This is different from what you see when the page you want does not exist. The host is there, you just cannot reach it from a public server. For a red team or an attacker, internal infrastructure has just been discovered. A simple Nmap scan shows a Microsoft IIS/8.5 server at this address.

Example 2: Subdomains With DNS That Resolve (1)

Some subdomains resolve and are not secret at all. For an attacker, however, they may offer an early foothold for exploring a possible attack path.

For an example, look at the careers subdomain at careers.priceline.com. As an attacker, I've just learned what kind of resume I need to copy and paste into these job postings to get the attention of an HR employee at Priceline. Maybe I can even get them to open a PDF resume with an exploit, but even if they use an outsourced hiring company, by reading the job requirements carefully I can learn the physical locations they work in and the types of systems they use.

Example 3: Subdomains With DNS That Resolve (2)

If you follow the subdomain breadcrumbs, you can discover still more subdomains that resolve. Another example is h.priceline.com, which leads to an insecure website with a very old copyright date. The site talks about a number of services that they may or may not still offer.

Example 4: Subdomains With DNS That Resolve (3)

Similarly, media.priceline.com resolves, this time to a secure website that uses HTTPS, intended for press like me, but it was also last updated in 2014. I'm sure nothing has changed since then.

Example 5: Subdomains With DNS That Resolve (4)

In some cases, TLS is broken and you receive a big warning like the following, for example when you resolve picme.priceline.com.

If you ignore it and continue, you can see that the whole server is broken, resulting in an error message with more information about it. (Gee, thanks for the unnecessary information.)

As you can see, there is an Apache 2.4.18 server on Ubuntu on port 443. Hmm, that seems old. Go ahead and google that exact version to see if something could be wrong. Surely the fortress of information that is priceline.com would not expose an old, vulnerable server to the internet.

Oh my god. There are 16 different vulnerabilities. In that case, you could just keep going, assuming it's so riddled with problems that it's probably a honeypot. Wouldn't you feel bad?

Example 6: Subdomains With DNS That Resolve (5)

Finally, there is the crown jewel of discovery: employee login and application endpoints! These tell you about your target's security posture and are the watering holes where an attacker would try to collect passwords. For example, if you resolve phantom.corp.priceline.com, the following page prompts you to log in.

So, does that mean that Priceline operates a Phantom Corporation? It may be so, but in fact these are just endpoints for things like email, hotel logins, and other services accessed by people outside the Priceline network.

Here are the two important things you can learn: Priceline uses okta.com for authentication and requires two-factor authentication through Duo Security.

If I'm an attacker, I now know that employees receive a push notification every time they log in to a corporate resource from a new device. This means that collecting usernames and passwords is useless unless this authentication layer is also accounted for.

Example 7: Subdomains Without a DNS Record

You may also find several domains without a DNS record. This means that you cannot navigate to them because no route to them is known on the public internet. What does that mean?

    [+]: Domains with no DNS entry:
    None en.hotelportal.priceline.com
    None fs.corp.priceline.com
    None pcln04.corp.priceline.com
    None rsecure.priceline.com
    None secure.priceline.com

It means that they are served by an internal DNS server, or that you need to be logged in to a VPN to reach them. This makes these subdomains some of the most interesting of all, because they are internal attack surfaces to which you do not yet have access. They also serve as targeting information for later attacks and as a way to convince employees that they are on a private network when they are actually on a public one.

If I were an attacker or a red team, I would quietly start buying phishing domains similar to those seen here, such as secure.priceline.com, to make employees believe they are logging into an internal service.

Abusing Certificate Transparency Logs Can Disclose Hidden Information

A short command lets an attacker take a look at the available attack surfaces and determine the best attack method. In our example, you were able to evaluate internal and external interfaces, assess the security of individual employees at the company, and identify various internal departments that may have lax security standards. You could also find old, internal, and directly vulnerable domains simply by navigating to the URLs found in the CT logs.

What a hacker can take from this is that recon is a critical skill that does not have to be an enormously time-consuming endeavor. While CT Exposer should be just one tool in your arsenal, it makes it relatively easy to learn the structure of a company's online presence before choosing the perfect target.

I hope you enjoyed this guide to using CT Exposer to collect OSINT data on a target domain! If you have questions about this CT Exposer tutorial or have a comment, feel free to reach me in the comments below or on Twitter @KodyKinzie.


Cover photo and screenshots by Kody / Null Byte



