ZeroNights 2013 talk about nginx

1. Sergey Belov

2. •
Pentester in Digital Security / ERPScan;
•
Writer (habrahabr.ru, “Xakep”);
•
CTF Player;
•
Bug bounty member (Google, Yandex);
•
bugscollector.com creator.

3. •
Very easy
•
0$
•
Not mentioned in the wild

4. NGinx – reverse proxy

5. php-fpm
Client
Nginx
Apache

6. attacker.com
Client
php-fpm
Nginx
Apache
vuln.com
??? http server

7. Step 1
location / {
proxy_pass
http://vuln.com;
proxy_set_header X-Real-IP $remote_addr;
}
}

8. Step 2



proxy_set_header Host “vuln.com";
sub_filter ‘vuln.com' ‘attacker.com';
sub_filter_once off;

10. Phishing

11. NGinx – tool for MitM/phishing?





+ Identical design
+ Fully functional working
+ Logging all data (POST/GET)
+ Add custom JS/HTML
- Another domain (DNS poising / router
hacking, malware, evil apn config e.t.c.)

12. Pentest
 Random exploit’s?
 Change response data (rights of social
networks apps)
 Change apps swf -> java (exploit)
 ???

13. DNS rebinding

14. • -Another domain
• - Very unstable
• + Can attack internal resources

15. Internal, not external!

16. C:UsersBeLove>ping www.ya.ru
Обмен пакетами с ya.ru [87.250.250.203] с 32 байтами данных

17. Remove it from:
• Pentester’s reports
• Most famous security scanners

18. Thanks!
demo:
http://zn.sergeybelove.ru
http://twitter.com/sergeybelove