I wrote this article for 2600; it was first published in 2600 Magazine (www.2600.com), Volume Thirty-Two, Number One, Spring 2015. As it has now been in physical circulation for some time, I am publishing it online.
Abusing the Past
DISCLAIMER: If you do evil shit with this information, I hope something really bad happens to you. Information is free, but people are human.
It has been quite a long time since my last article, so I’ll keep it short.
In this day and age, there are mass scanning tools and several easy-to-query databases that make it a simple thing to find sites with vulnerabilities. Hackers and other agents of all hat colors use them every day to do their jobs. Today I will present a very simple technique that, when certain special circumstances are met, allows you to scan the past for vulnerabilities.
When we want to have a website, we obtain a [sub]domain name, point it to some web hosting server’s IP, and configure it to serve that website. We also get DNS service somehow. I am sure you’ve done this before, so I’ll skip those details. So now, www.example.com is running on server A. Yay, we got a website! By the way, it is Joomla or some other CMS like WordPress, etc.
The days/months/years pass, and we find ourselves needing to move the website to another server, for whatever reason (luckily, because we have so many visits the old server can’t handle them). The new website is configured on the new server, the DNS is updated, and voilà, visits now arrive at the new server.
If we go to Netcraft and check some domain name using their tools, we MIGHT find the hosting history of a website. Yes, www.example.com used to run on server A, then server B, and now server C! And, wow, that’s weird: the old servers are still up and running.
So, www.example.com MIGHT still be configured on one of those servers. You know how hosting companies [don’t] do their homework sometimes 😉
So, an attacker could fire up a scanner and, by any means available, target www.example.com through the older IP addresses, and scan our OLD WEBSITE[s], which, of course, we no longer keep updated (maybe not even the server, for that matter…). And you know what outdated usually means: holes. Lots of them. And holes lead to lots of things: remote code execution, data exfiltration, resource control.
An Nmap NSE script could be written to scan some domain name’s hosting history and, essentially, abuse the past.
Go. Check your hosting history. Don’t say I did not warn you. 😛
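The self-audit the post asks for, as an added example written for this page (it is not the author’s WebLorean script, not an NSE script, and uses no Netcraft API): given a domain and the list of addresses it used to live on, ask each former address for the hostname via the HTTP Host header and report which ones still serve the retired copy of the site. The hosting history, the canned responses and the Server/X-Powered-By values are constructed (TEST-NET addresses) so the block runs offline; replacing `canned_fetch` with `fetch_head` turns it into a live check against your own domain’s history.

```python
"""Self-audit: do the servers www.example.com used to live on still answer for that name?

Added example for the post above; not the author's WebLorean tool and not a Netcraft API client.
The hosting history below is constructed (TEST-NET addresses), not a real lookup result.
"""
import http.client
from typing import Callable, Dict, List, Optional, Tuple

# (status, headers) from a HEAD request, or None when the host did not answer at all
FetchResult = Optional[Tuple[int, Dict[str, str]]]
Fetcher = Callable[[str, str], FetchResult]

# Constructed hosting history, oldest first. In practice you would transcribe this
# from a Netcraft site-report lookup for your own domain.
HOSTING_HISTORY: Dict[str, List[str]] = {
    "www.example.com": ["192.0.2.10", "192.0.2.20", "198.51.100.5"],
}
CURRENT_IP: Dict[str, str] = {"www.example.com": "198.51.100.5"}


def fetch_head(ip: str, hostname: str, timeout: float = 5.0) -> FetchResult:
    """HEAD / on `ip` with the Host header set to `hostname` (plain HTTP, port 80).

    Returns None if the TCP connection or the HTTP exchange fails.
    """
    try:
        conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
        conn.request("HEAD", "/", headers={"Host": hostname})
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        conn.close()
        return resp.status, headers
    except (OSError, http.client.HTTPException):
        return None


def classify(result: FetchResult) -> str:
    """Label what a former address does when asked for the hostname.

    'stale-vhost'  : it served content (2xx) or redirected (3xx) for the name, so the
                     retired copy of the site is still reachable by Host header
    'refused-name' : it answered, but with 4xx/5xx (default vhost, or no such site)
    'unreachable'  : nothing listening / connection failed
    """
    if result is None:
        return "unreachable"
    status, _headers = result
    if 200 <= status < 400:
        return "stale-vhost"
    return "refused-name"


def audit_history(hostname: str, history: List[str], current_ip: str,
                  fetcher: Fetcher = fetch_head) -> List[Dict[str, str]]:
    """Probe every *former* address for `hostname` and report what it still serves.

    The current address is skipped on purpose: the point is the copies nobody maintains.
    """
    findings: List[Dict[str, str]] = []
    for ip in history:
        if ip == current_ip:
            continue
        result = fetcher(ip, hostname)
        finding = {"ip": ip, "verdict": classify(result)}
        if result is not None:
            status, headers = result
            finding["status"] = str(status)
            # Server / X-Powered-By on a stale host are the quickest hint of how old it is
            finding["server"] = headers.get("server", "")
            finding["powered_by"] = headers.get("x-powered-by", "")
        findings.append(finding)
    return findings


def stale_hosts(findings: List[Dict[str, str]]) -> List[str]:
    """Addresses that still serve the retired site: remove the vhost or decommission the box."""
    return [f["ip"] for f in findings if f["verdict"] == "stale-vhost"]


# Constructed canned responses so the example runs offline; use fetch_head for a live check.
CANNED: Dict[str, FetchResult] = {
    "192.0.2.10": (200, {"server": "Apache/2.2.3 (CentOS)", "x-powered-by": "PHP/5.1.6"}),
    "192.0.2.20": (404, {"server": "nginx"}),
}


def canned_fetch(ip: str, hostname: str) -> FetchResult:
    """Stand-in fetcher returning the constructed responses above (None = no answer)."""
    return CANNED.get(ip)


if __name__ == "__main__":
    name = "www.example.com"
    report = audit_history(name, HOSTING_HISTORY[name], CURRENT_IP[name], fetcher=canned_fetch)
    for f in report:
        print(f)
    print("still serving the old site:", stale_hosts(report))
```

A 2xx or 3xx answer for the old name is the finding that matters: it means the retired vhost is still configured and reachable by anyone who sets the Host header, exactly the situation the post describes. The fix is on the hosting side (delete the vhost, or shut the old server down), not in DNS, since DNS no longer points there anyway.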
UPDATE 2015-11-19: WebLorean tool has been released: http://blogs.buanzo.com.ar/2015/11/weblorean-the-abusing-the-past-script.html