Pillaging DVCS Repos For Fun And Profit

DEFCON 19 // Adam Baldwin

Pillaging DVCS Repos

...for fun and profit

$ whoami

Pillaging DVCS Repos // DEFCON 19 // @adam_baldwin

@adam_baldwinCo-Founder of nGenuity

Pentester of websevilpacket.net

WTF is DVCS


Objectives


Identify web accessible reposPillage as much info as possible???Profit

Alexa top million sites


GITHG

BZR

GIT: 1498 reposHG: 312 reposBZR: 235 repos

Repo Identification


GIT: .git/HEADHG: .hg/requiresBZR: .bzr/README

http://example.com/.git/HEAD



W3AF Plugin


Cloning


0. Check for dir browsing1. Get predictable files2. List repo files3. Download references to files4. Restore the repo (if possible)

Pillaging


Platform details (.php, .cgi, etc)Downloadable files (.old, .sql)Source CodeCredentials / Certs / API Keys

Pillaging Ideas


.sql / .sql.bz2 .pem config .bak

.sql.gz .xls / .xlsx .ini .cfg

.tar / .tar.gz .doc / .docx .sh export

htpasswd private .qbw / .mny backup

id_rsa .pst / .ost confidential dump / .dmp

id_dsa settings .csv .txt

Thanks to @flirzan & @quitlahok for some of these!


Montage of fail

<- Twitter API

<- Facebook API<- MySpace API

<- Google API

<- Auth Required?

Nope

Database Passwords

<- SSH Keys

htpasswd ->

Customer Invoices

Demo


The Tool


https://github.com/ngenuity/DVCS-Pillage

https://github.com/ngenuity/gitpillage

https://github.com/ngenuity/gitpillage

Questions?

[email protected] // @adam_baldwin

mailto:[email protected]

mailto:[email protected]


References

nGenuity: http://ngenuity-is.comhttp://ngenuity-is.com/blog/2011/mar/22/gotta-git-up-to-get-down/http://ngenuity-is.com/blog/2011/apr/30/git-pillaging-revisited/

Evilpacket: http://evilpacket.net

W3AF:http://w3af.sourceforge.net/

DVCS Pillage Toolkit:http://github.com/ngenuity/dvcs-pillage

http://ngenuity-is.com

http://ngenuity-is.com

http://ngenuity-is.com/blog/2011/mar/22/gotta-git-up-to-get-down/

http://ngenuity-is.com/blog/2011/mar/22/gotta-git-up-to-get-down/

http://ngenuity-is.com/blog/2011/apr/30/git-pillaging-revisited/

http://ngenuity-is.com/blog/2011/apr/30/git-pillaging-revisited/

http://evilpacket.net

http://evilpacket.net

https://www.owasp.org/images/0/0b/ESAPI4JS-Marcus.Niemietz.pdf

https://www.owasp.org/images/0/0b/ESAPI4JS-Marcus.Niemietz.pdf

http://github.com/ngenuity/dvcspillage

http://github.com/ngenuity/dvcspillage

Pillaging DVCS Repos For Fun And Profit

Documents

Transcript of Pillaging DVCS Repos For Fun And Profit