atxsec

1337 st. Austin Texas

Protected: Et tu, Hue?

AutoPwning cPanel shared servers

cPanel has had a very large impact on the hosting industry. This single company has enabled people to build their dreams overnight with $5 — the American dream. cPanel’s largest offering to the industry has been the cPanel/WHM web-server management software. It’s actually pretty stellar software, and it offers the systems administrator an abundance of tools to just get shit done on a large scale. The shared hosting market is huge — no, it’s colossal.

Shared hosting is essentially stuffing users onto one server and letting them share that server’s resources. I’ve seen cPanel servers with well over 1000 users. To an outside security researcher this looks like a rich opportunity: take one machine and collect a very large reward. With cPanel, each customer can host more than one website in their account (sharing the same IP), so if even a few accounts in the shared stack were compromised somehow, the amount of data at risk would be pretty scary.

So, how could someone compromise a shared cPanel server, or at least enumerate its users? Well, with science, of course!

Read the rest of this entry »

The dangers of incremental hostnames

Unfortunately it has become common practice to use incremental hostnames, for several different reasons. As I’ve written in other posts about enumerating subdomains, a lot of the results that come back contain an incremental naming structure. This is interesting, because one could use that incremented naming structure to map and locate a lot of information about a particular group of servers within a given infrastructure (a production distributed MySQL farm, for instance: db1, db2, db3). This can be used as a powerful reconnaissance tactic.

How does this happen? Why do we use a naming system for servers that exposes them to potential security issues? It’s pretty common for scalable systems to assign an incremented hostname to each instance as it is created by auto-scaling.

For example, let’s say that we know the hostname of a server that looks like it could be incremented.

dustin@atxsec ~ $ host server1.gamingservers.local
server1.gamingservers.local has address 10.2.3.4
dustin@atxsec ~ $ host server10.gamingservers.local
server10.gamingservers.local has address 10.2.3.13
dustin@atxsec ~ $ host server11.gamingservers.local
server11.gamingservers.local has address 10.2.3.14

Now… I wonder what would happen if…
Read the rest of this entry »
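
The naming pattern above is easy to audit from the other side as well. The following is an added example, not code from the original post: a small Python check that groups hostnames from a zone export into numeric families (server1/server10/server11 and the like), so the owner of a zone can see which tiers are guessable from a single known host. The hostnames are constructed sample input, and the `<N>` family-key format is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample of what an internal zone export or host inventory
# might contain; the .local names are made up for this example.
SAMPLE_HOSTNAMES = """
server1.gamingservers.local
server10.gamingservers.local
server11.gamingservers.local
db1.gamingservers.local
db2.gamingservers.local
db3.gamingservers.local
mail.gamingservers.local
k7x2q9.gamingservers.local
web-01.gamingservers.local
web-02.gamingservers.local
""".split()

# Leading label, a run of digits, then the rest of the name. The family key is
# the label with the number replaced by <N>, e.g. server<N>.gamingservers.local
_PATTERN = re.compile(r"^([a-z-]*?)(\d+)(\..+)$", re.IGNORECASE)

def find_incremental_families(hostnames, min_members=2):
    """Group hostnames that differ only by a numeric component.

    Returns {family_key: sorted list of numbers} for each family that has at
    least `min_members` members; these are the naming schemes that let an
    outsider infer the size and layout of a tier from one known host.
    """
    families = defaultdict(set)
    for name in hostnames:
        m = _PATTERN.match(name.strip())
        if not m:
            continue  # no numeric component (mail, k7x2q9): not countable
        label, number, rest = m.groups()
        families[f"{label}<N>{rest}"].add(int(number))
    return {k: sorted(v) for k, v in families.items() if len(v) >= min_members}

def predicted_gaps(numbers):
    """Numbers between the lowest and highest seen that are absent from the
    export. A large gap (server2..server9 above) is what makes the scheme
    worth flagging: the scheme reveals names the export itself never lists."""
    present = set(numbers)
    return [n for n in range(min(numbers), max(numbers) + 1) if n not in present]

if __name__ == "__main__":
    for family, nums in find_incremental_families(SAMPLE_HOSTNAMES).items():
        print(f"{family}: seen {nums}, unseen in range: {predicted_gaps(nums)}")
```

Run it against a real zone export (one hostname per line) to get the same report for your own infrastructure.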

Shoutkey.com is insecure by design

There are a ton of short-URL generating services out there, like TinyURL and even Google’s URL shortening service. One of my favorites among these services is a website called Shoutkey.com. What is so special about Shoutkey?

Well, Shoutkey by design uses words that can be found in a standard English dictionary. That means when you create a short link on the website, the end result isn’t some randomly generated URL — it’s based on a dictionary word. On the record: I’m a huge fan of Shoutkey. Let’s look at an example of these two types of services side by side and observe how their link structures vary.

A TinyURL example:
http://tinyurl.com/8kp

A Shoutkey example:
http://shoutkey.com/armchair

One might prefer Shoutkey over TinyURL because the word itself can be shared with a person instead of sending them the direct link; the short URL is easy to pass along by speech. Now, this is obviously flawed, since in theory someone could automate the creation of short links to build up Shoutkey’s dictionary and then test every word for valid links.

Nah, that’s too much time to dedicate, and it most likely wouldn’t even work… or would it?
Read the rest of this entry »

Windows XP End of Life — the fear

I was out the other night hanging out with a few fellow nerds when we all got talking about how Windows XP is reaching its end of life within 3 months. “This is great news!”, we all found ourselves exclaiming. But — is this really great news? That same night, when I went to settle my tab, I watched the woman at the checkout use the point-of-sale system, and what I saw next had me cringing in fear and anger all at once. I saw the notorious Windows XP deep blue taskbar — then she proceeded to swipe my debit card through the machine.

As it turns out, there are a lot of point-of-sale systems that are still running on Windows XP. Why? Well, one might say it’s cheaper to keep running that system than to pay an IT contractor to come out and perform upgrades that would cost the business several thousand dollars. Sure, that’s a lot, right? No wonder they don’t upgrade.

That is no excuse… Read the rest of this entry »