The dangers of incremental hostnames

by atxsec

Unfortunately, it’s become common practice to use incremental hostnames, for several different reasons. As I’ve written in other posts about enumerating subdomains, a lot of the results that come back follow an incremental naming structure. This is interesting, because one could use that structure to map and locate a lot of information about a particular group of servers within a given infrastructure (a production distributed MySQL farm, for instance: db1, db2, db3). This can be used as a powerful reconnaissance tactic.

How does this happen? Why do we use a naming system that exposes servers to potential security issues? It’s pretty common for scalable systems to assign an incremented hostname upon instance creation when being auto-scaled.

For example, let’s say that we know the hostname of a server that looks like it could be incremented.

dustin@atxsec ~ $ host server1.gamingservers.local
server1.gamingservers.local has address 10.2.3.4
dustin@atxsec ~ $ host server10.gamingservers.local
server10.gamingservers.local has address 10.2.3.13
dustin@atxsec ~ $ host server11.gamingservers.local
server11.gamingservers.local has address 10.2.3.14

Now..I wonder what would happen if..

one were to generate a list of these hostnames and check whether they are valid? This is easily accomplished with brace expansion in Bash. Note: for this example I will be using gamingservers.local as the domain name to test hostnames against, as this is for demonstration purposes only. Please be responsible with the information that you discover. The reason for this post is to highlight these issues. Many of the largest hosting companies in the world have server naming structures that can be incrementally guessed upwards into the thousands.

dustin@atxsec ~ $ echo server{1..20}.gamingservers.local
server1.gamingservers.local server2.gamingservers.local server3.gamingservers.local server4.gamingservers.local server5.gamingservers.local server6.gamingservers.local server7.gamingservers.local server8.gamingservers.local server9.gamingservers.local server10.gamingservers.local server11.gamingservers.local server12.gamingservers.local server13.gamingservers.local server14.gamingservers.local server15.gamingservers.local server16.gamingservers.local server17.gamingservers.local server18.gamingservers.local server19.gamingservers.local server20.gamingservers.local

Schweet! Now we have a working list of hostnames we can test against. Let’s automate the discovery of these hostnames to guess how many servers gamingservers.local actually could be running. In fact, we can do this with only one line of Bash.

for server in server{1..27}.gamingservers.local; do host "$server" | grep -v not || echo "$server does not exist"; done

Running the above command produces the below output.

server1.gamingservers.local has address 10.2.3.4
server2.gamingservers.local has address 10.2.3.5
server3.gamingservers.local has address 10.2.3.6
server4.gamingservers.local has address 10.2.3.7
server5.gamingservers.local has address 10.2.3.8
server6.gamingservers.local has address 10.2.3.9
server7.gamingservers.local has address 10.2.3.10
server8.gamingservers.local has address 10.2.3.11
server9.gamingservers.local has address 10.2.3.12
server10.gamingservers.local has address 10.2.3.13
server11.gamingservers.local has address 10.2.3.14
server12.gamingservers.local has address 10.2.3.15
server13.gamingservers.local has address 10.2.3.16
server14.gamingservers.local has address 10.2.3.17
server15.gamingservers.local has address 10.2.3.18
server16.gamingservers.local has address 10.2.3.19
server17.gamingservers.local has address 10.2.3.20
server18.gamingservers.local has address 10.2.3.30
server19.gamingservers.local has address 10.2.3.40
server20.gamingservers.local has address 10.2.3.50
server21.gamingservers.local has address 10.2.3.60
server22.gamingservers.local has address 10.2.3.70
server23.gamingservers.local has address 10.2.3.80
server24.gamingservers.local has address 10.2.3.90
server25.gamingservers.local does not exist
server26.gamingservers.local does not exist
server27.gamingservers.local does not exist

As simple as that, we discovered how many of these servers gamingservers.local could be operating. From here we can use this data to perform a wide recon sweep of the infrastructure. Most of the time these servers are all under some sort of image management, but there’s always that one machine or instance that’s been forgotten about and is running exploitable software. We saw a perfect example of this when the PlayStation Network hack happened. The attackers compromised the network via an outdated version of Apache.
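Seen from the DNS server's side, the sweep above is one client asking for a long run of numbers in a single name family and ending in NXDOMAIN answers. The script below is an added example, not part of the original post, that flags that pattern in a query log; the four-field log format, the client addresses and the threshold are assumptions made for the demonstration.

```sh
#!/bin/sh
# Added example, not from the original post.
# Assumed log format, one query per line: <epoch> <client-ip> <qname> <rcode>

# detect_enumeration MIN < log
# Prints "client family distinct nxdomain" for every client that asked for
# at least MIN different numbers of one numbered family in the log slice.
detect_enumeration() {
    awk -v min="$1" '
    NF >= 4 {
        client = $2; qname = tolower($3); rcode = $4
        dot = index(qname, ".")
        if (dot < 2) next
        label = substr(qname, 1, dot - 1)
        # keep only labels of the form <prefix><digits>
        if (!match(label, /[0-9]+$/) || RSTART == 1) next
        num = substr(label, RSTART) + 0
        fam = substr(label, 1, RSTART - 1) "<N>" substr(qname, dot)
        key = client " " fam
        if (!((key, num) in seen)) {      # count each number once per client
            seen[key, num] = 1
            distinct[key]++
        }
        if (rcode == "NXDOMAIN") nx[key]++
    }
    END {
        for (key in distinct)
            if (distinct[key] >= min)
                print key, distinct[key], nx[key] + 0
    }' | sort
}

# Constructed sample log: 10.9.9.9 walks server1..server27 (24 exist),
# 10.1.1.5 is ordinary traffic that touches a few names.
sample_log() {
    i=1
    while [ "$i" -le 27 ]; do
        if [ "$i" -le 24 ]; then rc=NOERROR; else rc=NXDOMAIN; fi
        echo "$((1700000000 + i)) 10.9.9.9 server$i.gamingservers.local $rc"
        i=$((i + 1))
    done
    echo "1700000100 10.1.1.5 server3.gamingservers.local NOERROR"
    echo "1700000101 10.1.1.5 db1.gamingservers.local NOERROR"
    echo "1700000102 10.1.1.5 mail.gamingservers.local NOERROR"
}

sample_log | detect_enumeration 10
```

The function counts over whatever log slice it is given, so feed it a bounded window (for example one rotation interval) and tune the threshold to how many numbered hosts a legitimate client normally touches.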

It would be safe to say that some sort of key->value system for hostnames used to identify servers could be of use. Either way we have learned a valuable lesson from this. Do not use incremental hostnames, or you’re going to have a bad time.
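One way to build the key->value system mentioned above, as an added example that is not from the original post: each server gets a random, non-sequential label, and the meaning of the name lives in a private map file instead of in the name itself. The map file path, the inventory keys and the "h" label prefix are assumptions made for the demonstration.

```sh
#!/bin/sh
# Added example, not from the original post.
# MAP_FILE is a hypothetical private inventory: <key><TAB><hostname> per line.
MAP_FILE="${MAP_FILE:-./hostmap.tsv}"

# random_label: 12 hex characters (48 random bits) read from /dev/urandom
random_label() {
    od -An -N6 -tx1 /dev/urandom | tr -dc '0-9a-f'
}

# lookup_hostname KEY: print the hostname recorded for KEY, or nothing
lookup_hostname() {
    [ -f "$MAP_FILE" ] || return 0
    awk -F '\t' -v k="$1" '$1 == k { print $2; exit }' "$MAP_FILE"
}

# name_taken NAME: succeed if NAME is already assigned to some key
name_taken() {
    [ -f "$MAP_FILE" ] &&
        awk -F '\t' -v n="$1" '$2 == n { hit = 1 } END { exit !hit }' "$MAP_FILE"
}

# assign_hostname KEY DOMAIN: return the existing name for KEY, or create one
assign_hostname() {
    key=$1; domain=$2
    existing=$(lookup_hostname "$key")
    if [ -n "$existing" ]; then
        echo "$existing"
        return 0
    fi
    while :; do
        name="h$(random_label).$domain"
        name_taken "$name" || break      # retry on the unlikely collision
    done
    printf '%s\t%s\n' "$key" "$name" >> "$MAP_FILE"
    echo "$name"
}

# Demo with a throwaway map file; the keys are constructed inventory IDs.
MAP_FILE=$(mktemp)
assign_hostname "mysql/prod/1" gamingservers.local
assign_hostname "mysql/prod/2" gamingservers.local
assign_hostname "mysql/prod/1" gamingservers.local   # same name as the first call
rm -f "$MAP_FILE"
```

Random labels only remove the guessable sequence; the names can still leak through zone transfers, reverse DNS or certificate transparency logs, so the forgotten machine still needs to be found and patched.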