ztgrace / changeme

A default credential scanner.
GNU General Public License v3.0

Ability to send a POST request to a different domain after initial fingerprinting #53

Open anshumanbh opened 6 years ago

anshumanbh commented 6 years ago

Hi again,

I encountered one more use case today. Now, this might not make sense to you at all but I just thought of letting you know.

After the initial fingerprinting against a target, the POST request is being sent to a different domain altogether. Think about this as an authentication microservice that is used by a target.

So, even though the fingerprinting is successful, the next phase of trying the default creds will always fail because there is no way to change the domain to send the authentication request to. It tries it against the target only.

I noticed there is a HOST header but making that static to the authentication microservice didn't help either.

I am curious to know your thoughts on this.

Cheers!

ztgrace commented 6 years ago

Hi @anshumanbh

Does the diagram below match what you were describing?

[diagram image]

Are you able to describe this service a bit more? Is this a vendor product that acts funky or something custom your org has written? I want to be careful about feature bloat and this feels like it would very rarely occur yet introduces more complexity and changes to the core scanning modules.

Thanks, Zach

anshumanbh commented 6 years ago

The diagram above is exactly what I was describing.

I have seen such an authentication microservice in multiple places. It can be something custom written specific to an org or can be a generic one like OpenStack's Keystone.

It shouldn't really matter what that service is doing really, as long as it can take a request and give back a response. So, from my perspective, it is just a matter of taking in a specific IP/domain for authentication in the YML file after a successful fingerprinting, like the HOST header.

But, then again, I don't really understand all the nuances of Changeme yet so again, I will leave this up to you to decide if this is something that should go in as a new feature or not.

I could accomplish the same thing with curl/grep statements and not Changeme so not a big deal for me personally. I was interested in knowing how easy/difficult implementing this would be.