Pillaging DVCS Repos For Fun And Profit
Transcript of Pillaging DVCS Repos For Fun And Profit
DEFCON 19 // Adam Baldwin
Pillaging DVCS Repos
...for fun and profit
$ whoami
Pillaging DVCS Repos // DEFCON 19 // @adam_baldwin
@adam_baldwin
Co-Founder of nGenuity
Pentester of webs
evilpacket.net
WTF is DVCS
Objectives
Identify web accessible repos
Pillage as much info as possible
???
Profit
Alexa top million sites
GIT: 1498 repos
HG: 312 repos
BZR: 235 repos
Repo Identification
GIT: .git/HEAD
HG: .hg/requires
BZR: .bzr/README
http://example.com/.git/HEAD
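The same three identification files are what a defender should watch for in web server logs. The following is an added example, not the talk's tool and not part of the DVCS-Pillage repository: it parses constructed Common Log Format lines, flags any request into a .git/, .hg/ or .bzr/ directory (decoding percent-encoded dots first), marks the exact fingerprint files as probes, and treats a 200 response as proof the metadata is exposed. The log regex, the sample lines, the IP addresses and all function names are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Identification files from the talk, keyed by the DVCS they reveal.
DVCS_SIGNATURES = {"git": ".git/HEAD", "hg": ".hg/requires", "bzr": ".bzr/README"}
# Metadata directories; any request into them is worth flagging, not just the probe file.
DVCS_DIRS = {".git": "git", ".hg": "hg", ".bzr": "bzr"}

# Common Log Format (assumed layout; matches the constructed lines below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample access log: a probe that found a served .git/HEAD, a follow-up
# fetch of .git/config, a miss on .hg/requires, ordinary traffic, and a
# percent-encoded .bzr probe that the server refused.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Aug/2011:13:55:36 -0700] "GET /.git/HEAD HTTP/1.1" 200 23',
    '203.0.113.5 - - [10/Aug/2011:13:55:37 -0700] "GET /.git/config HTTP/1.1" 200 137',
    '203.0.113.5 - - [10/Aug/2011:13:55:38 -0700] "GET /.hg/requires HTTP/1.1" 404 169',
    '198.51.100.9 - - [10/Aug/2011:14:02:01 -0700] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.9 - - [10/Aug/2011:14:02:05 -0700] "GET /%2Ebzr/README HTTP/1.1" 403 210',
]


def request_path(target):
    """Decode the request target to a plain path so %2E-style encoding cannot hide the dot."""
    return unquote(urlsplit(target).path)


def dvcs_path_kind(target):
    """Return 'git', 'hg' or 'bzr' when any path segment is a DVCS metadata dir, else None."""
    for seg in request_path(target).split("/"):
        if seg in DVCS_DIRS:
            return DVCS_DIRS[seg]
    return None


def is_identification_probe(target):
    """True when the request is for one of the exact files used to fingerprint a repo."""
    path = request_path(target).lstrip("/")
    return any(path.endswith(sig) for sig in DVCS_SIGNATURES.values())


def scan_log(lines):
    """One record per DVCS-related request; a 200 status means the server actually served it."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = dvcs_path_kind(m["target"])
        if kind is None:
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"],
            "kind": kind,
            "target": m["target"],
            "status": status,
            "probe": is_identification_probe(m["target"]),
            "exposed": status == 200,
        })
    return hits


def probing_ips(hits):
    """Sorted list of client addresses that touched DVCS metadata paths."""
    return sorted({h["ip"] for h in hits})


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        flag = "EXPOSED" if h["exposed"] else "refused/missing"
        print(f'{h["ip"]:<14} {h["kind"]:<4} {h["status"]} {flag:<16} {h["target"]}')
    print("sources:", ", ".join(probing_ips(hits)))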
W3AF Plugin
Cloning
0. Check for dir browsing
1. Get predictable files
2. List repo files
3. Download references to files
4. Restore the repo (if possible)
Pillaging
Platform details (.php, .cgi, etc)
Downloadable files (.old, .sql)
Source Code
Credentials / Certs / API Keys
Pillaging Ideas
.sql / .sql.bz2     .pem            config          .bak
.sql.gz             .xls / .xlsx    .ini            .cfg
.tar / .tar.gz      .doc / .docx    .sh             export
htpasswd            private         .qbw / .mny     backup
id_rsa              .pst / .ost     confidential    dump / .dmp
id_dsa              settings        .csv            .txt
Thanks to @flirzan & @quitlahok for some of these!
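The pattern table above is just as useful turned around: run it over your own repository before that checkout ever sits under a web root. The following is an added example and not part of the DVCS-Pillage toolkit. It matches the slide's suffixes against the file name and its name fragments against the whole path (so a backup/ directory counts), rates a finding low when only the noisiest patterns hit, and can read the tracked-file list from a real checkout with git ls-files. The sample tree, the NOISY set and all function names are assumptions.

```python
import subprocess
from pathlib import PurePosixPath

# Patterns lifted from the slide: suffixes are matched against the file name,
# fragments against the whole lowercased path.
SENSITIVE_SUFFIXES = (
    ".sql", ".sql.bz2", ".sql.gz", ".tar", ".tar.gz", ".pem", ".xls", ".xlsx",
    ".doc", ".docx", ".ini", ".cfg", ".sh", ".qbw", ".mny", ".pst", ".ost",
    ".csv", ".txt", ".bak", ".dmp",
)
SENSITIVE_FRAGMENTS = (
    "htpasswd", "id_rsa", "id_dsa", "private", "settings", "config",
    "confidential", "export", "backup", "dump",
)
# Assumed: these match far too much ordinary content to rate above "low" on their own.
NOISY = {".sh", ".txt", ".csv"}

# Constructed file list standing in for `git ls-files` output of a web root.
SAMPLE_TREE = [
    "index.php",
    "includes/config.php",
    "backup/site-2011-03-22.sql.gz",
    "deploy/id_rsa",
    ".htpasswd",
    "docs/README.txt",
    "assets/app.js",
    "scripts/build.sh",
]


def classify(path):
    """Labels from the pattern table that apply to this path, in table order; [] if none."""
    lowered = path.lower()
    name = PurePosixPath(lowered).name
    labels = [suf for suf in SENSITIVE_SUFFIXES if name.endswith(suf)]
    labels += [frag for frag in SENSITIVE_FRAGMENTS if frag in lowered]
    return labels


def find_sensitive_paths(paths):
    """One finding per matching path, rated high unless only noisy labels matched."""
    findings = []
    for path in paths:
        labels = classify(path)
        if not labels:
            continue
        severity = "high" if any(label not in NOISY for label in labels) else "low"
        findings.append({"path": path, "labels": labels, "severity": severity})
    return findings


def summarize(findings):
    """Count findings per severity."""
    counts = {"high": 0, "low": 0}
    for finding in findings:
        counts[finding["severity"]] += 1
    return counts


def tracked_files(repo_dir):
    """Paths git currently tracks in repo_dir, i.e. what an exposed clone would hand out."""
    out = subprocess.run(
        ["git", "-C", repo_dir, "ls-files", "-z"],
        check=True, capture_output=True,
    ).stdout
    return [p.decode("utf-8", "surrogateescape") for p in out.split(b"\0") if p]


def audit_repo(repo_dir):
    """Run the scan over a real checkout."""
    return find_sensitive_paths(tracked_files(repo_dir))


if __name__ == "__main__":
    findings = find_sensitive_paths(SAMPLE_TREE)
    for f in findings:
        print(f'{f["severity"]:<5} {f["path"]:<32} {", ".join(f["labels"])}')
    print(summarize(findings))
```

audit_repo() only sees what HEAD tracks; a credential that was committed and later deleted is still in the object store and would still be recovered from an exposed .git/, so feed the same scanner the file names from `git log --all --name-only` as well when you audit a repository that has been sitting under a web root.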
Montage of fail
<- Twitter API
<- Facebook API
<- MySpace API
<- Google API
<- Auth Required?
Nope
Database Passwords
<- SSH Keys
htpasswd ->
Customer Invoices
Demo
The Tool
https://github.com/ngenuity/DVCS-Pillage
References
nGenuity: http://ngenuity-is.com
http://ngenuity-is.com/blog/2011/mar/22/gotta-git-up-to-get-down/
http://ngenuity-is.com/blog/2011/apr/30/git-pillaging-revisited/
Evilpacket: http://evilpacket.net
W3AF: http://w3af.sourceforge.net/
DVCS Pillage Toolkit: http://github.com/ngenuity/dvcs-pillage