Nginx warhead

•Download as PPTX, PDF•

0 likes•1,714 views

Sergey Belov

ZeroNights 2013 talk about nginx

Technology

•

Pentester in Digital Security / ERPScan;

•

Writer (habrahabr.ru, “Xakep”);

•

CTF Player;

•

Bug bounty member (Google, Yandex);

•

bugscollector.com creator.

•

Very easy

•

0$

•

Not mentioned in the wild

attacker.com

Client

php-fpm

Nginx
Apache
vuln.com

??? http server

$Step 1 location / { proxy_pass http://vuln.com; proxy_set_header X-Real-IP $remote_addr; } }$

Step 2





proxy_set_header Host “vuln.com";
sub_filter ‘vuln.com' ‘attacker.com';
sub_filter_once off;

NGinx – tool for MitM/phishing?






+ Identical design
+ Fully functional working
+ Logging all data (POST/GET)
+ Add custom JS/HTML
- Another domain (DNS poising / router
hacking, malware, evil apn config e.t.c.)

Pentest
 Random exploit’s?
 Change response data (rights of social
networks apps)
 Change apps swf -> java (exploit)
 ???

• -Another domain
• - Very unstable
• + Can attack internal resources

C:UsersBeLove>ping www.ya.ru
Обмен пакетами с ya.ru [87.250.250.203] с 32 байтами данных

Remove it from:
• Pentester’s reports
• Most famous security scanners

Thanks!
demo:
http://zn.sergeybelove.ru
http://twitter.com/sergeybelove

What's hot

TriplePlay-WebAppPenTestingToolsYury Chemerkin

Flash it baby!Soroush Dalili

Random numbersPositive Hack Days

Иван Новиков «Elastic search»Mail.ru Group

DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...Zoltan Balazs

Security in PHP - 那些在滲透測試的小技巧Orange Tsai

44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON

I can be apple and so can youShakacon

Web (dis)assemblyShakacon

MacdooredShakacon

44CON London 2015 - Is there an EFI monster inside your apple?44CON

[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik OpcodesCODE BLUE

DevOops & How I hacked you DevopsDays DC June 2015Chris Gates

44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON

DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates

A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...CODE BLUE

Экспресс-анализ вредоносов / Crowdsourced Malware TriagePositive Hack Days

Waf.js: How to Protect Web Applications using JavaScriptDenis Kolegov

Industroyer: biggest threat to industrial control systems since Stuxnet by An...CODE BLUE

Assume CompromiseZach Grace

What's hot (20)

TriplePlay-WebAppPenTestingTools

Flash it baby!

Random numbers

Иван Новиков «Elastic search»

DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...

Security in PHP - 那些在滲透測試的小技巧

44CON London 2015 - 15-Minute Linux Incident Response Live Analysis

I can be apple and so can you

Web (dis)assembly

Macdoored

44CON London 2015 - Is there an EFI monster inside your apple?

[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes

DevOops & How I hacked you DevopsDays DC June 2015

44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root

DevOOPS: Attacks and Defenses for DevOps Toolchains

A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...

Экспресс-анализ вредоносов / Crowdsourced Malware Triage

Waf.js: How to Protect Web Applications using JavaScript

Industroyer: biggest threat to industrial control systems since Stuxnet by An...

Assume Compromise

Similar to Nginx warhead

[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemyPROIDEA

Год в Github bugbounty, опыт участияdefcon_kz

Static Code Analysis PHP[tek] 2023Scott Keck-Warren

Orange@php confHash Lin

Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...grecsl

Legal and efficient web app testing without permissionAbraham Aranguren

How To Be A HackerPaul Tarjan

Automating & Integrating Pantheon with JIRA, Slack, Jenkins and MorePantheon

Taming botnetsf00d

Life Cycle And Detection Of Bot Infections Through Network Traffic AnalysisPositive Hack Days

Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014grecsl

Cracking Into Embedded Devices - HACK.LU 2K8guest441c58b71

Debugging webOS applicationsfpatton

Abraham aranguren. legal and efficient web app testing without permissionYury Chemerkin

Detecting headless browsersSergey Shekyan

Debugging Effectively in the Cloud - Felipe Fidelix - Presentation at eZ Con...eZ Systems

Ein Stall voller Trüffelschweine - (PHP-)Profiling-Tools im Überblickrenebruns

Unity Makes StrengthXavier Mertens

Columbus WordCamp 2015Jason Packer

Web-App Remote Code Execution Via Scripting Enginesc0c0n - International Cyber Security and Policing Conference

Similar to Nginx warhead (20)

[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy

Год в Github bugbounty, опыт участия

Static Code Analysis PHP[tek] 2023

Orange@php conf

Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...

Legal and efficient web app testing without permission

How To Be A Hacker

Automating & Integrating Pantheon with JIRA, Slack, Jenkins and More

Taming botnets

Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis

Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014

Cracking Into Embedded Devices - HACK.LU 2K8

Debugging webOS applications

Abraham aranguren. legal and efficient web app testing without permission

Detecting headless browsers

Debugging Effectively in the Cloud - Felipe Fidelix - Presentation at eZ Con...

Ein Stall voller Trüffelschweine - (PHP-)Profiling-Tools im Überblick

Unity Makes Strength

Columbus WordCamp 2015

Web-App Remote Code Execution Via Scripting Engines

Recently uploaded

Pigging Solutions in Pet Food ManufacturingPigging Solutions

Presentation on how to chat with PDF using ChatGPT code interpreternaman860154

#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada

Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik

Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely

Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar

Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes

CloudStudio User manual (basic edition):comworks

The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad

FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh

Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm

The transition to renewables in India.pdfCompetition Advisory Services (India) LLP

Vulnerability_Management_GRC_by Sohang Sengupta.pptxnull - The Open Security Community

How to convert PDF to text with Nanonetsnaman860154

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106

SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren

Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community

AI as an Interface for Commercial BuildingsMemoori

Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada

Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren

Recently uploaded (20)

Pigging Solutions in Pet Food Manufacturing

Presentation on how to chat with PDF using ChatGPT code interpreter

#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024

Injustice - Developers Among Us (SciFiDevCon 2024)

Unlocking the Potential of the Cloud for IBM Power Systems

Unleash Your Potential - Namagunga Girls Coding Club

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners

CloudStudio User manual (basic edition):

The Codex of Business Writing Software for Real-World Solutions 2.pptx

FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi

Streamlining Python Development: A Guide to a Modern Project Setup

The transition to renewables in India.pdf

Vulnerability_Management_GRC_by Sohang Sengupta.pptx

How to convert PDF to text with Nanonets

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics

SQL Database Design For Developers at php[tek] 2024

Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx

AI as an Interface for Commercial Buildings

Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024

Advanced Test Driven-Development @ php[tek] 2024

Nginx warhead

1. Sergey Belov

2. • Pentester in Digital Security / ERPScan; • Writer (habrahabr.ru, “Xakep”); • CTF Player; • Bug bounty member (Google, Yandex); • bugscollector.com creator.

3. • Very easy • 0$ • Not mentioned in the wild

4. NGinx – reverse proxy

5. php-fpm Client Nginx Apache

6. attacker.com Client php-fpm Nginx Apache vuln.com ??? http server

7. Step 1 location / { proxy_pass http://vuln.com; proxy_set_header X-Real-IP $remote_addr; } }

8. Step 2    proxy_set_header Host “vuln.com"; sub_filter ‘vuln.com' ‘attacker.com'; sub_filter_once off;

10. Phishing

11. NGinx – tool for MitM/phishing?      + Identical design + Fully functional working + Logging all data (POST/GET) + Add custom JS/HTML - Another domain (DNS poising / router hacking, malware, evil apn config e.t.c.)

12. Pentest  Random exploit’s?  Change response data (rights of social networks apps)  Change apps swf -> java (exploit)  ???

13. DNS rebinding

14. • -Another domain • - Very unstable • + Can attack internal resources

15. Internal, not external!

16. C:UsersBeLove>ping www.ya.ru Обмен пакетами с ya.ru [87.250.250.203] с 32 байтами данных

17. Remove it from: • Pentester’s reports • Most famous security scanners

18. Thanks! demo: http://zn.sergeybelove.ru http://twitter.com/sergeybelove

Nginx warhead

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Nginx warhead

Similar to Nginx warhead (20)

More from Sergey Belov

More from Sergey Belov (6)

Recently uploaded

Recently uploaded (20)

Nginx warhead