#BalCCon
Wonderful World of Distributed SCM: Opening closed source code
https://twitter.com/k0st
Vlatko Kosturjak
Agenda
● Not covered
● Philosophical issues
● Finding code
● Old school SCM
● New school SCM
● How to get the source when it's not open source
● Questions and Answers
75 minutes
Disclaimer
● This is a work of pure fiction
● Any resemblance to anyone, living or dead is purely
coincidental
● The characters are fictional and of my own creation
● The place, time and incidents are purely fictional
● I don't take any responsibility for your actions; consider the ethical and legal issues of your actions yourself!
● Look closer - I'm also virtual! :)
That source control management is really really great...
● Versioning
● Blame
● Undo
● Collaboration
● Code review
● Sign off
● Integration
● ...
But...
● ...Have you thought about the security implications?
First rule
● If it is sensitive:
● Don't put source code on internet
● Don't put SCM files on the internet
● Don't put sensitive parts in web root
● Don't...
● Don't...
● Don't...
Search for a specific phrase, file, function or class
● Just google for it! ;)
● Internet does not forget! ;)
● Instructions: run strings <binary>, then google the strings you find
@alexsotirov on 4th of Jul 2010: It's amazing what you can find on random Chinese sites if you start googling internal strings from closed-source applications
How about configs in repos?
● Software.conf vs Software.conf-dist
● Software.conf
● More dangerous
● Danger of accidentally committing sensitive info
● Software.conf-dist
● Less dangerous
● Still watch out for wildcards “*” when adding files
Search?
● Functions
● odbc_connect
● mysql_connect
● Search engines
● Google
● GitHub
● ...
“Old School” versioning systems
● RCS
● CVS
● Subversion (SVN)
● ...
CVS
● Concurrent Versions System
● CVS/ directory contains:
● Entries
● Entries.Log
● Repository
● Root
● Finding repository source
● Profit if it is Internet accessible
What can be extracted?
● Artifacts
● Repository location
● Name of hidden files
– If present in repository
● Repository user
● Just enough for password guessing if the repository is reachable online
DVCS-ripper
● Example
● rip-cvs.pl -v -u http://www.example.com
● Nmap
● nmap --script=cvs-brute www.example.com
● Profit!
Protection
● Make it open source ;)
● Remove SCM files if not needed
● Web server configuration
● Web deployment automation controls
● ...
SVN
● Subversion
● .svn directory contains:
● prop-base
● props
● text-base
● tmp
● entries
● Finding repository source
● Profit if it is Internet accessible
● Sensitive files
● Extraction of whole tree possible
.svn/entries content
● dir/
● 0
● svn://myprivatecode.com//repo/myweb
● svn://myprivatecode.com//repo/myweb
● (empty line)
● user
● (empty line)
SVN client 1.6+
● No more .svn directories all around
● Single .svn (just like git!)
● Different format
● Incompatible, of course ;)
● Different files
● wc.db – SQLite database
SVN client 1.6+ extraction
● Much easier
● Much faster
● Much more robust
● No more problems extracting interpreted files
– Like PHP
● Thank you SVN developers! ;)
Protection
● Make it open source ;)
● Remove SCM files if not needed
● Web server configuration
● Web deployment automation controls
● ...
Apache (main configuration file)
● 403 – Forbidden – Move along nothing to see
<DirectoryMatch \.svn>
# Apache 2.2 syntax; on 2.4 without mod_access_compat use "Require all denied" instead
Order allow,deny
Deny from all
</DirectoryMatch>
● 404 – Not found – Pick somewhere else
AliasMatch \.svn /non-existant-page
Apache (.htaccess)
● Using mod_rewrite
RewriteEngine On
# In .htaccess the pattern is matched against a path without a leading slash,
# so "/.svn" never matches a top-level .svn; anchor at the start or after a slash
RewriteRule (^|/)\.svn(/|$) /non-existant-404-page [L]
<IfModule autoindex_module>
IndexIgnore .svn
</IfModule>
“New School” (distributed) source code management systems
● Git
● Mercurial
● Bazaar
● ...
Git!?
Google Dorks
Want source?
● Get the repo:
mkdir git-test
cd git-test
wget --mirror --include-directories=/.git http://www.target.com/.git
● Get files
cd www.target.com
git reset --hard
● Profit!
http://www.skullsecurity.org/blog/2012/using-git-clone-to-get-pwn3d
Problem
Directory browsing disabled
Git: many ways...
● Find archive of SCM
● Bruteforce SHA1
● Bandwidth
● Time
● Partial SHA1 visible
● different files
● There must be a way...
Zombie mode on
I MUST GET THE SOURCE
I MUST GET THE SOURCE
I MUST GET THE SOURCE
…
DVCS-Pillage
● It will rip the .git files when directory browsing is disabled
● By Adam Baldwin
● Accessible from URL:
● https://github.com/evilpacket/DVCS-Pillage
● Has a few problems
● Hmm...
Problems...
● Current methods
● Incomplete tree download methods
– Packed refs
– git ls-files --stage method
● No support for branches
● No support for protocols other than http
● Slooow...
● Hmmm
● Want whole tree / files
● Branches
● Support for old protocols
● Bruteforcing not feasible
Zombie mode on
I MUST GET THE FULL SOURCE
I MUST GET THE FULL SOURCE
I MUST GET THE FULL SOURCE
...
Back to the drawing board!
RTFM
Solution is...
● RTFM
● git fsck
– it tells which SHA1 objects are missing
– No partial recovery
● Time to code my own tool
● Want whole tree
● Branches
● Support all protocols
● FAST!!
DVCS-rip
● It will rip the .git files when directory browsing is disabled
● It will rip ALL files and checkout repository for you
● Not partial
● git fsck trick
● Support for
● Branches
● Any protocol (http/https/...)
● Accessible from URL:
● https://github.com/kost/dvcs-ripper
DVCS-rip
● How to run?
● Example run:
● rip-git.pl -v -u http://www.example.com/.git/
● It will automatically do "git checkout -f"
● Profit!
Protection
● Make it open source ;)
● Remove SCM files if not needed
● Web server configuration
● Web deployment automation controls
● ...
Apache (main configuration file)
● 403 – Forbidden – Move along nothing to see
<DirectoryMatch \.git>
# Apache 2.2 syntax; on 2.4 without mod_access_compat use "Require all denied" instead
Order allow,deny
Deny from all
</DirectoryMatch>
● 404 – Not found – Pick somewhere else
AliasMatch \.git /non-existant-page
Apache (.htaccess)
● Using mod_rewrite
RewriteEngine On
# In .htaccess the pattern is matched against a path without a leading slash,
# so "/.git" never matches a top-level .git; anchor at the start or after a slash
RewriteRule (^|/)\.git(/|$) /non-existant-404-page [L]
<IfModule autoindex_module>
IndexIgnore .git
</IfModule>
How about others?
● Mercurial
● Bazaar
● Check out DVCS-Pillage
● It will handle git, hg and bzr
● Accessible from URL:
– https://github.com/evilpacket/DVCS-Pillage
No tool available to detect this
● Most web/network scanners will not find it
● No awareness
● Tools only look at this:
● .git/ => 403
● They should actually look at:
● .git/logs/HEAD => 200
● .git/config => 200
● .git/index => 200
● ...
Nmap NSE comes to the rescue
● Have to use the latest Nmap version
● Script is not in 6.01
● It was broken in some previous Nmap versions
● It looks at all relevant git files
● .git/logs/HEAD
● .git/config
● ...
● nmap -sS -PS80,81,443,8080,8081 -p80,81,443,8080,8081 --script=http-git <target>
PORT STATE SERVICE
80/tcp open http
| http-git:
| Potential Git repository found at XX.XX.XX.XX:XX/.git/ (found 5 of 6 expected files)
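The check the slide asks scanners to perform, as an added shell example (not the slides' code and not the Nmap http-git script): it requests the metadata files themselves instead of trusting a 403 on .git/, and keeps the verdict logic separate so it can be run on recorded responses. The use of curl, the base URL argument and the sample responses are assumptions; run probe_git_exposure against your own server to confirm that the blocking rules from the protection slides really work.

```shell
#!/bin/sh
# Added example (not from the talk and not the Nmap http-git script): check whether
# a web server serves git metadata files even when .git/ itself answers 403.
# The base URL, the use of curl and the sample responses are assumptions.

# The files the slide says scanners should request (a 403 on .git/ alone proves nothing).
GIT_PROBE_PATHS=".git/logs/HEAD .git/config .git/index"

# http_status BASEURL PATH: print the HTTP status code returned for BASEURL/PATH.
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "${1%/}/$2"
}

# judge_git_exposure: read "PATH STATUS" lines on stdin, print a verdict and
# return 0 (exposed) if any file came back 200, 1 (blocked) otherwise.
judge_git_exposure() {
    total=0
    readable=0
    while read -r path status; do
        [ -n "$path" ] || continue
        total=$((total + 1))
        # Only 200 means the body was served; 403, 404 and redirects count as blocked.
        if [ "$status" = "200" ]; then
            readable=$((readable + 1))
        fi
    done
    if [ "$readable" -gt 0 ]; then
        echo "EXPOSED: $readable of $total git metadata files readable"
        return 0
    fi
    echo "blocked: 0 of $total git metadata files readable"
    return 1
}

# probe_git_exposure BASEURL: request each probe path on a live server and judge.
probe_git_exposure() {
    for p in $GIT_PROBE_PATHS; do
        echo "$p $(http_status "$1" "$p")"
    done | judge_git_exposure
}

# Constructed sample (assumption: not real responses): listing forbidden, files served,
# which is exactly the case the slide says most scanners miss.
printf '%s\n' '.git/ 403' '.git/logs/HEAD 200' '.git/config 200' '.git/index 200' \
    | judge_git_exposure
```

The verdict deliberately treats anything other than 200 as blocked: a 403 or a 404 on the files (not only on the directory) is what the Apache rules on the protection slides should produce.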
Evolving
Good example of open source collaboration between
projects
WiK and Mubix: gitDigger (Defcon 21 / Bsides Vegas)
https://github.com/wick2o/gitDigger
Google dorks
● “.git” intitle:”index of”
● “.svn” intitle:”index of”
● “CVS” intitle:”index of”
● “.hg” intitle:”index of”
● “.bzr” intitle:”index of”
● … (I guess you got the idea already)...
Searching for standard interfaces
● Interfaces
● Redmine
● ViewCS
● ViewCVS
● Gitweb
● ...
● Google Dorks
● “Powered by ViewCS”
● Bing as well...
Recommendations for developers
● Do not store passwords and API keys in SCM
● Config.php vs config.php-dist
● Do not store sensitive info in SCM
● Separate test and production data
● Being paranoid is a good feeling
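One way to enforce the config.php vs config.php-dist rule from this slide and the earlier "configs in repos" slide, as an added shell example (not from the talk): a git pre-commit check that refuses deployed configuration files while allowing -dist templates, and greps the staged files for obvious hardcoded credentials. The file-name patterns, the credential regex and the constructed staged list are assumptions.

```shell
#!/bin/sh
# Added example (not from the talk): pre-commit check enforcing
# "config.php-dist may be committed, config.php may not".
# File-name patterns and the credential regex are assumptions.

# is_real_config PATH: 0 if PATH looks like a deployed config file (must stay out of SCM),
# 1 for -dist/example templates and ordinary source files.
is_real_config() {
    case "$1" in
        *-dist|*.dist|*.example|*.sample) return 1 ;;            # template: fine to commit
        *.conf|config.php|*/config.php|*.ini|*.env) return 0 ;;  # real config: refuse
        *) return 1 ;;
    esac
}

# reject_real_configs: read staged paths on stdin, report each offender on stderr,
# return 1 if any was found (so the hook aborts the commit).
reject_real_configs() {
    bad=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if is_real_config "$path"; then
            echo "refusing to commit real configuration file: $path" >&2
            bad=1
        fi
    done
    [ "$bad" -eq 0 ]
}

# has_hardcoded_secret FILE: 0 if a line assigns a quoted literal of 8+ characters
# to a password/api key/secret-like name (coarse, but catches the usual leak).
has_hardcoded_secret() {
    grep -qiE "(password|passwd|api_?key|secret)[[:space:]]*[:=][[:space:]]*['\"][^'\"]{8,}['\"]" "$1"
}

# pre_commit: hook body; call it from .git/hooks/pre-commit.
pre_commit() {
    git diff --cached --name-only --diff-filter=ACM | reject_real_configs || return 1
    git diff --cached --name-only --diff-filter=ACM | while IFS= read -r f; do
        if [ -f "$f" ] && has_hardcoded_secret "$f"; then
            echo "possible hardcoded credential in: $f" >&2
            exit 1   # the loop runs in the pipeline's subshell; exit fails the pipeline
        fi
    done
}

# Constructed demo of the staged-path rule (assumption: not a real repository).
printf 'src/app.php\nconfig.php-dist\nconfig.php\nsoftware.conf\n' | reject_real_configs \
    || echo "commit would be refused"
```

The path rule is the cheap, reliable part; the content grep is a safety net for secrets pasted into ordinary source files, and a real deployment would pair it with a dedicated secret scanner.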
Recommendations for system administrators
● Proactively forbid serving all SCM files on web servers
● Periodic checks for the standard SCM directories, e.g.:
● find /web -name .svn
● find /web -name .git
● wget http://www.site.com/svn/
● Is there any need to have source code available at all?
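The periodic check from this slide, extended to every SCM on the deck, as an added shell example (not from the talk): it finds .git, .svn, CVS, .hg and .bzr directories under a web root and, for .svn/entries and .git/config, prints the repository URL they would hand to anyone who can fetch them (the field shown on the .svn/entries slide). The demo tree, its paths and the URLs in it are constructed.

```shell
#!/bin/sh
# Added example (not from the talk): audit a web root for SCM metadata that must
# never be served, and show what an exposed .svn/entries or .git/config reveals.
# The demo tree below is constructed; directory and file names are assumptions.

SCM_MARKERS=".git .svn CVS .hg .bzr"

# find_scm_dirs ROOT: print every SCM marker directory found under ROOT, one per line.
find_scm_dirs() {
    for marker in $SCM_MARKERS; do
        # -prune: report the marker itself, do not descend into it
        find "$1" -name "$marker" -prune -print 2>/dev/null
    done
}

# count_scm_dirs ROOT: number of marker directories (0 means the web root is clean).
count_scm_dirs() {
    find_scm_dirs "$1" | wc -l | tr -d ' '
}

# svn_entries_url SVNDIR: repository URL leaked by an old-format .svn/entries file
# (the first line that looks like a URL, as in the svn:// example on the slides).
svn_entries_url() {
    grep -m1 -E '^[a-z+]+://' "$1/entries" 2>/dev/null
}

# git_remote_url GITDIR: first remote URL from .git/config ("url = ..." lines).
git_remote_url() {
    sed -n 's/^[[:space:]]*url[[:space:]]*=[[:space:]]*//p' "$1/config" 2>/dev/null | head -n 1
}

# report_leaks ROOT: one line per finding, "PATH: what it reveals".
report_leaks() {
    find_scm_dirs "$1" | while IFS= read -r dir; do
        case "$(basename "$dir")" in
            .svn) echo "$dir: svn repository $(svn_entries_url "$dir")" ;;
            .git) echo "$dir: git remote $(git_remote_url "$dir")" ;;
            *)    echo "$dir: $(basename "$dir") checkout metadata" ;;
        esac
    done
}

# --- constructed demo tree (assumption: nothing here is a real deployment) ---
demo="$(mktemp -d)"
mkdir -p "$demo/htdocs/.svn" "$demo/htdocs/app/.git" "$demo/htdocs/img"
printf 'dir\n0\nsvn://myprivatecode.com//repo/myweb\n' > "$demo/htdocs/.svn/entries"
printf '[remote "origin"]\n\turl = git@example.invalid:team/myweb.git\n' > "$demo/htdocs/app/.git/config"
report_leaks "$demo/htdocs"
echo "scm directories found: $(count_scm_dirs "$demo/htdocs")"
rm -rf "$demo"
```

Run report_leaks against the real document root from cron; a non-zero count_scm_dirs is a deployment bug regardless of whether the web server currently blocks the paths, because the blocking rule is one config change away from disappearing.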
Recommendations for management and auditors
● Ask how source code management is done
● Ask what security controls are there to protect source code
● What controls are there to protect against source code leaks?
● What controls are there to protect against password and key leaks?
● What controls are there to protect sensitive information in source code and configurations?
References
● https://github.com/evilpacket/DVCS-Pillage
● https://github.com/kost/DVCS-Pillage
● https://github.com/kost/dvcs-ripper
● https://github.com/anantshri/svn-extractor
● http://blog.anantshri.info/svn-extractor-for-web-pentesters/
● http://www.adamgotterer.com/post/28125474053/hacking-the-svn-directory-archive
● http://www.cirt.net/svnpristine
● http://pen-testing.sans.org/blog/2012/12/06/all-your-svn-are-belong-to-us/comment-page-1/
● http://nmap.org/nsedoc/scripts/cvs-brute-repository.html
● http://nmap.org/nsedoc/scripts/cvs-brute.html
● http://nmap.org/nsedoc/scripts/http-git.html
Questions? Comments? Feedback?
@k0st
This is zero
Acknowledgements:
Adam Baldwin,
Ron Bowes,
Alex Weber,
...

Más contenido relacionado

La actualidad más candente

Desarrollo web backend: Spring Boot, MongoDB y Azure
Desarrollo web backend: Spring Boot, MongoDB y AzureDesarrollo web backend: Spring Boot, MongoDB y Azure
Desarrollo web backend: Spring Boot, MongoDB y AzurePatxi Gortázar
 
Puppet Camp LA 2/19/2015
Puppet Camp LA 2/19/2015Puppet Camp LA 2/19/2015
Puppet Camp LA 2/19/2015ice799
 
Chef Conf 2015: Package Management & Chef
Chef Conf 2015: Package Management & ChefChef Conf 2015: Package Management & Chef
Chef Conf 2015: Package Management & Chefice799
 
Does Cowgirl Dream of Red Swirl?
Does Cowgirl Dream of Red Swirl?Does Cowgirl Dream of Red Swirl?
Does Cowgirl Dream of Red Swirl?Hideki Yamane
 
A Look at Command Line Swift
A Look at Command Line SwiftA Look at Command Line Swift
A Look at Command Line SwiftJoshuaKaplan22
 
SouthEast LinuxFest 2015 - intro to git
SouthEast LinuxFest 2015 -  intro to gitSouthEast LinuxFest 2015 -  intro to git
SouthEast LinuxFest 2015 - intro to gitedgester
 
CloudOpen North America 2013: Vagrant & CFEngine
CloudOpen North America 2013: Vagrant & CFEngineCloudOpen North America 2013: Vagrant & CFEngine
CloudOpen North America 2013: Vagrant & CFEngineNick Anderson
 
find & improve some bottleneck in Debian project (DebConf14 LT)
find & improve some bottleneck in Debian project (DebConf14 LT)find & improve some bottleneck in Debian project (DebConf14 LT)
find & improve some bottleneck in Debian project (DebConf14 LT)Hideki Yamane
 
Drupal Development : Tools, Tips, and Tricks
Drupal Development : Tools, Tips, and TricksDrupal Development : Tools, Tips, and Tricks
Drupal Development : Tools, Tips, and TricksGerald Villorente
 
8-9-10=Jessie,Stretch,Buster
8-9-10=Jessie,Stretch,Buster8-9-10=Jessie,Stretch,Buster
8-9-10=Jessie,Stretch,BusterHideki Yamane
 
Open source applications softwares
Open source applications softwaresOpen source applications softwares
Open source applications softwaresTushar B Kute
 
Chromium OS Introduction
Chromium OS IntroductionChromium OS Introduction
Chromium OS IntroductionWei-Ning Huang
 
OpenStack Swift on virtualbox
OpenStack Swift on virtualboxOpenStack Swift on virtualbox
OpenStack Swift on virtualboxAtul Jha
 
Null Xposed Framework internals and writing modules
Null Xposed Framework internals and writing modulesNull Xposed Framework internals and writing modules
Null Xposed Framework internals and writing modulesAbhinav Chourasia, GMOB
 
Openwrt startup
Openwrt startupOpenwrt startup
Openwrt startup晓东 杜
 
Docker & PHP - Practical use case
Docker & PHP - Practical use caseDocker & PHP - Practical use case
Docker & PHP - Practical use caserjsmelo
 
Docker on Windows
Docker on WindowsDocker on Windows
Docker on WindowsCarl Su
 
Cape Cod Web Technology Meetup - 3
Cape Cod Web Technology Meetup - 3Cape Cod Web Technology Meetup - 3
Cape Cod Web Technology Meetup - 3Asher Martin
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON
 

La actualidad más candente (20)

Desarrollo web backend: Spring Boot, MongoDB y Azure
Desarrollo web backend: Spring Boot, MongoDB y AzureDesarrollo web backend: Spring Boot, MongoDB y Azure
Desarrollo web backend: Spring Boot, MongoDB y Azure
 
Puppet Camp LA 2/19/2015
Puppet Camp LA 2/19/2015Puppet Camp LA 2/19/2015
Puppet Camp LA 2/19/2015
 
Chef Conf 2015: Package Management & Chef
Chef Conf 2015: Package Management & ChefChef Conf 2015: Package Management & Chef
Chef Conf 2015: Package Management & Chef
 
Does Cowgirl Dream of Red Swirl?
Does Cowgirl Dream of Red Swirl?Does Cowgirl Dream of Red Swirl?
Does Cowgirl Dream of Red Swirl?
 
A Look at Command Line Swift
A Look at Command Line SwiftA Look at Command Line Swift
A Look at Command Line Swift
 
SouthEast LinuxFest 2015 - intro to git
SouthEast LinuxFest 2015 -  intro to gitSouthEast LinuxFest 2015 -  intro to git
SouthEast LinuxFest 2015 - intro to git
 
CloudOpen North America 2013: Vagrant & CFEngine
CloudOpen North America 2013: Vagrant & CFEngineCloudOpen North America 2013: Vagrant & CFEngine
CloudOpen North America 2013: Vagrant & CFEngine
 
find & improve some bottleneck in Debian project (DebConf14 LT)
find & improve some bottleneck in Debian project (DebConf14 LT)find & improve some bottleneck in Debian project (DebConf14 LT)
find & improve some bottleneck in Debian project (DebConf14 LT)
 
Drupal Development : Tools, Tips, and Tricks
Drupal Development : Tools, Tips, and TricksDrupal Development : Tools, Tips, and Tricks
Drupal Development : Tools, Tips, and Tricks
 
8-9-10=Jessie,Stretch,Buster
8-9-10=Jessie,Stretch,Buster8-9-10=Jessie,Stretch,Buster
8-9-10=Jessie,Stretch,Buster
 
Open source applications softwares
Open source applications softwaresOpen source applications softwares
Open source applications softwares
 
Chromium OS Introduction
Chromium OS IntroductionChromium OS Introduction
Chromium OS Introduction
 
OpenStack Swift on virtualbox
OpenStack Swift on virtualboxOpenStack Swift on virtualbox
OpenStack Swift on virtualbox
 
WAF protections and bypass resources
WAF protections and bypass resourcesWAF protections and bypass resources
WAF protections and bypass resources
 
Null Xposed Framework internals and writing modules
Null Xposed Framework internals and writing modulesNull Xposed Framework internals and writing modules
Null Xposed Framework internals and writing modules
 
Openwrt startup
Openwrt startupOpenwrt startup
Openwrt startup
 
Docker & PHP - Practical use case
Docker & PHP - Practical use caseDocker & PHP - Practical use case
Docker & PHP - Practical use case
 
Docker on Windows
Docker on WindowsDocker on Windows
Docker on Windows
 
Cape Cod Web Technology Meetup - 3
Cape Cod Web Technology Meetup - 3Cape Cod Web Technology Meetup - 3
Cape Cod Web Technology Meetup - 3
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
 

Similar a Wonderful world of (distributed) SCM or VCS

Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Chris Gates
 
LasCon 2014 DevOoops
LasCon 2014 DevOoops LasCon 2014 DevOoops
LasCon 2014 DevOoops Chris Gates
 
Mp26 : Tachyon, sloppiness is bliss
Mp26 : Tachyon, sloppiness is blissMp26 : Tachyon, sloppiness is bliss
Mp26 : Tachyon, sloppiness is blissMontreal Python
 
HTML, CSS & Javascript Architecture (extended version) - Jan Kraus
HTML, CSS & Javascript Architecture (extended version) - Jan KrausHTML, CSS & Javascript Architecture (extended version) - Jan Kraus
HTML, CSS & Javascript Architecture (extended version) - Jan KrausWomen in Technology Poland
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015Chris Gates
 
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013Docker, Inc.
 
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013dotCloud
 
Don’t turn your logs into cuneiform
Don’t turn your logs into cuneiformDon’t turn your logs into cuneiform
Don’t turn your logs into cuneiformAndrey Rebrov
 
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo..."Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...Yandex
 
Optimizing Your Frontend Performance
Optimizing Your Frontend PerformanceOptimizing Your Frontend Performance
Optimizing Your Frontend PerformanceThomas Weinert
 
[HKDUG] #20180512 - Fix Hacked Drupal with GIT
[HKDUG] #20180512 - Fix Hacked Drupal with GIT[HKDUG] #20180512 - Fix Hacked Drupal with GIT
[HKDUG] #20180512 - Fix Hacked Drupal with GITWong Hoi Sing Edison
 
BloodHound Unleashed.pdf
BloodHound Unleashed.pdfBloodHound Unleashed.pdf
BloodHound Unleashed.pdfn00py1
 
Introduction to containers
Introduction to containersIntroduction to containers
Introduction to containersNitish Jadia
 
Pentester++
Pentester++Pentester++
Pentester++CTruncer
 
Puppet managed loadays
Puppet managed loadaysPuppet managed loadays
Puppet managed loadaysloadays
 
Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...
Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...
Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...Opersys inc.
 
Let's Containerize New York with Docker!
Let's Containerize New York with Docker!Let's Containerize New York with Docker!
Let's Containerize New York with Docker!Jérôme Petazzoni
 
My "Perfect" Toolchain Setup for Grails Projects
My "Perfect" Toolchain Setup for Grails ProjectsMy "Perfect" Toolchain Setup for Grails Projects
My "Perfect" Toolchain Setup for Grails ProjectsGR8Conf
 

Similar a Wonderful world of (distributed) SCM or VCS (20)

Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
 
LasCon 2014 DevOoops
LasCon 2014 DevOoops LasCon 2014 DevOoops
LasCon 2014 DevOoops
 
Mp26 : Tachyon, sloppiness is bliss
Mp26 : Tachyon, sloppiness is blissMp26 : Tachyon, sloppiness is bliss
Mp26 : Tachyon, sloppiness is bliss
 
HTML, CSS & Javascript Architecture (extended version) - Jan Kraus
HTML, CSS & Javascript Architecture (extended version) - Jan KrausHTML, CSS & Javascript Architecture (extended version) - Jan Kraus
HTML, CSS & Javascript Architecture (extended version) - Jan Kraus
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015
 
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
 
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
 
Don’t turn your logs into cuneiform
Don’t turn your logs into cuneiformDon’t turn your logs into cuneiform
Don’t turn your logs into cuneiform
 
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo..."Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
 
Go at Skroutz
Go at SkroutzGo at Skroutz
Go at Skroutz
 
Optimizing Your Frontend Performance
Optimizing Your Frontend PerformanceOptimizing Your Frontend Performance
Optimizing Your Frontend Performance
 
[HKDUG] #20180512 - Fix Hacked Drupal with GIT
[HKDUG] #20180512 - Fix Hacked Drupal with GIT[HKDUG] #20180512 - Fix Hacked Drupal with GIT
[HKDUG] #20180512 - Fix Hacked Drupal with GIT
 
BloodHound Unleashed.pdf
BloodHound Unleashed.pdfBloodHound Unleashed.pdf
BloodHound Unleashed.pdf
 
Introduction to containers
Introduction to containersIntroduction to containers
Introduction to containers
 
Pentester++
Pentester++Pentester++
Pentester++
 
Puppet managed loadays
Puppet managed loadaysPuppet managed loadays
Puppet managed loadays
 
Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...
Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...
Native Android Userspace part of the Embedded Android Workshop at Linaro Conn...
 
Let's Containerize New York with Docker!
Let's Containerize New York with Docker!Let's Containerize New York with Docker!
Let's Containerize New York with Docker!
 
Git Heaven with Wakanda
Git Heaven with WakandaGit Heaven with Wakanda
Git Heaven with Wakanda
 
My "Perfect" Toolchain Setup for Grails Projects
My "Perfect" Toolchain Setup for Grails ProjectsMy "Perfect" Toolchain Setup for Grails Projects
My "Perfect" Toolchain Setup for Grails Projects
 

Último

Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 

Último (20)

Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 

Wonderful world of (distributed) SCM or VCS

• 13. What can be extracted?
● Artifacts
● Repository location
● Name of hidden files
  – If present in repository
● Repository user
● Just enough for password guessing if online

• 14. DVCS-ripper
● Example
  – rip-cvs.pl -v -u http://www.example.com
● Nmap
  – nmap --script=cvs-brute www.example.com
● Profit!

• 15. Protection
● Make it open source ;)
● Remove SCM files if not needed
● Web server configuration
● Web deployment automation controls
● ...

• 16. SVN
● Subversion
● .svn
  – prop-base
  – props
  – text-base
  – tmp
  – entries
● Finding repository source
● Profit if it is Internet accessible
● Sensitive files
● Extraction of whole tree possible

• 17.

• 18. .svn/entries content
● dir/
● 0
● svn://myprivatecode.com//repo/myweb
● svn://myprivatecode.com//repo/myweb
●
● user
●

• 19. SVN client 1.6+
● No more .svn directories all around
● Single .svn (just like git!)
● Different format
● Incompatible, of course ;)
● Different files
  – wc.db – SQLite database

• 20. SVN client 1.6+ extraction
● Much easier
● Much faster
● Much more robust
● No more problems extracting interpreted files
  – Like PHP
● Thank you SVN developers! ;)

• 21. Protection
● Make it open source ;)
● Remove SCM files if not needed
● Web server configuration
● Web deployment automation controls
● ...
• 22. Apache (main configuration file)
● 403 – Forbidden – Move along, nothing to see
<DirectoryMatch "\.svn">
    # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead of the two lines below
    Order allow,deny
    Deny from all
</DirectoryMatch>
● 404 – Not found – Pick somewhere else
AliasMatch "\.svn" /non-existant-page

• 23. Apache (.htaccess)
● Using mod_rewrite
RewriteEngine On
# In .htaccess the pattern is matched against the path relative to this directory
# (no leading slash), so a pattern of "/.svn" would never match anything
RewriteRule (^|/)\.svn(/|$) /non-existant-404-page [L]
<IfModule autoindex_module>
    IndexIgnore .svn
</IfModule>
• 24. “New School” (distributed) source code management systems
● Git
● Mercurial
● Bazaar
● ...

• 25. Git!?

• 27. Want source?
● Get the repo:
mkdir git-test
cd git-test
wget --mirror --include-directories=/.git http://www.target.com/.git
● Get files:
cd www.target.com
git reset --hard
● Profit!
http://www.skullsecurity.org/blog/2012/using-git-clone-to-get-pwn3d

• 29. Git: many ways...
● Find archive of SCM
● Bruteforce SHA1
  – Bandwidth
  – Time
● Partial SHA1 visible
  – different files
● There must be a way...
  • 30. Zombie mode on I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE I MUST GET THE SOURCE …
• 31. DVCS-Pillage
● It will rip the .git files when directory browsing is disabled
● By Adam Baldwin
● Accessible from URL:
  – https://github.com/evilpacket/DVCS-Pillage
● Has a few problems
● Hmm...

• 32. Problems...
● Current methods
  – Not a complete tree download method (packed refs, git ls-files --stage method)
  – No support for branches
  – No support for anything other than http
  – Slooow...
● Hmmm
  – Want whole tree / files
  – Branches
  – Support old protocols
  – Bruteforcing not feasible
  • 33. Zombie mode on I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE I MUST GET THE FULL SOURCE ...
• 34. Back to the drawing board! RTFM

• 35. Solution is...
● RTFM
● git fsck
  – it will tell which SHA1s are missing
  – No partial recovery
● Time to code my own tool
  – Want whole tree
  – Branches
  – Support all protocols
  – FAST!!

• 36. DVCS-rip
● It will rip the .git files when directory browsing is disabled
● It will rip ALL files and check out the repository for you
  – Not partial
  – git fsck trick
● Support for
  – Branches
  – Any protocol (http/https/...)
● Accessible from URL:
  – https://github.com/kost/dvcs-ripper

• 37. DVCS-rip
● How to run?
● Example run:
  – rip-git.pl -v -u http://www.example.com/.git/
● It will automatically do "git checkout -f"
● Profit!

• 38. Protection
● Make it open source ;)
● Remove SCM files if not needed
● Web server configuration
● Web deployment automation controls
● ...
• 39. Apache (main configuration file)
● 403 – Forbidden – Move along, nothing to see
<DirectoryMatch "\.git">
    # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead of the two lines below
    Order allow,deny
    Deny from all
</DirectoryMatch>
● 404 – Not found – Pick somewhere else
AliasMatch "\.git" /non-existant-page

• 40. Apache (.htaccess)
● Using mod_rewrite
RewriteEngine On
# In .htaccess the pattern is matched against the path relative to this directory
# (no leading slash), so a pattern of "/.git" would never match anything
RewriteRule (^|/)\.git(/|$) /non-existant-404-page [L]
<IfModule autoindex_module>
    IndexIgnore .git
</IfModule>
• 41. How about others?
● Mercurial
● Bazaar
● Check out DVCS-Pillage
  – It will handle git, hg and bzr
● Accessible from URL:
  – https://github.com/evilpacket/DVCS-Pillage

• 42. No tool available to detect
● Most of the web/network scanners will not find this
● No awareness
● Tools look only at this:
  – .git/ => 403
● They should actually look at:
  – .git/logs/HEAD => 200
  – .git/config => 200
  – .git/index => 200
  – ...

• 43. Nmap NSE comes to the rescue
● Have to use the latest Nmap version
  – Script is not in 6.01
  – It was broken in some previous Nmap versions
● It looks at all relevant git files
  – .git/logs/HEAD
  – .git/config
  – ...
● nmap -sS -PS80,81,443,8080,8081 -p80,81,443,8080,8081 --script=http-git <target>
PORT   STATE SERVICE
80/tcp open  http
| http-git:
|   Potential Git repository found at XX.XX.XX.XX:XX/.git/ (found 5 of 6 expected files)
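The checks on slides 42 and 43 can be reproduced as a small defensive probe for your own hosts. The script below is an added example written for this page; it is not the talk's code and not the http-git NSE script. The marker-file lists and the content checks are my own selection, and the site responses in FAKE_SITE are constructed so the script runs offline. It makes the slide's point concrete: a 403 on the `.git/` directory proves nothing, so the probe requests the individual files and, unlike a naive scanner, sanity-checks their content so that a catch-all "200 OK" landing page is not reported as a repository.

```python
"""Probe a site for served VCS metadata (added example, see lead-in)."""
import re
import urllib.request
from urllib.error import HTTPError, URLError
from urllib.parse import urlsplit

# Marker files per VCS: my own selection, not the http-git NSE script's list.
# The deck's point: a 403 on ".git/" says nothing, the files behind it may still be served.
MARKERS = {
    "git": [".git/HEAD", ".git/config", ".git/index", ".git/logs/HEAD",
            ".git/description", ".git/info/exclude"],
    "svn": [".svn/entries", ".svn/wc.db"],
    "cvs": ["CVS/Root", "CVS/Entries", "CVS/Repository"],
    "hg":  [".hg/requires", ".hg/dirstate"],
    "bzr": [".bzr/branch-format", ".bzr/README"],
}

# Cheap content checks so a catch-all "200 OK" page is not reported as a repository.
HEX40 = re.compile(rb"^[0-9a-f]{40}\b")
VALIDATORS = {
    ".git/HEAD":   lambda b: b.startswith(b"ref: ") or bool(HEX40.match(b)),
    ".git/config": lambda b: b"[core]" in b,
    ".git/index":  lambda b: b.startswith(b"DIRC"),
    ".svn/wc.db":  lambda b: b.startswith(b"SQLite format 3\x00"),
}


def _looks_like_html(body):
    return body.lstrip()[:1] == b"<"


def http_fetch(url, timeout=5):
    """Real fetcher: (status, first 512 bytes); status None on connection failure."""
    req = urllib.request.Request(url, headers={"User-Agent": "vcs-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), resp.read(512)
    except HTTPError as err:
        return err.code, b""
    except URLError:
        return None, b""


def probe(base_url, fetch=http_fetch):
    """Return {vcs: (confirmed, expected, paths)} for every VCS with a confirmed file."""
    base = base_url.rstrip("/") + "/"
    report = {}
    for vcs, paths in MARKERS.items():
        confirmed = []
        for path in paths:
            status, body = fetch(base + path)
            if status != 200 or _looks_like_html(body):
                continue
            check = VALIDATORS.get(path)
            if check is None or check(body):
                confirmed.append(path)
        if confirmed:
            report[vcs] = (len(confirmed), len(paths), confirmed)
    return report


def is_exposed(report, vcs):
    """Same spirit as the NSE verdict ("found 5 of 6 expected files"): flag at half or more."""
    if vcs not in report:
        return False
    confirmed, expected, _ = report[vcs]
    return 2 * confirmed >= expected


# Constructed responses: directory listing blocked (403) but the files are still served.
FAKE_SITE = {
    "/.git/": (403, b"<html>Forbidden</html>"),
    "/.git/HEAD": (200, b"ref: refs/heads/master\n"),
    "/.git/config": (200, b"[core]\n\trepositoryformatversion = 0\n"),
    "/.git/index": (200, b"DIRC\x00\x00\x00\x02"),
    "/.git/logs/HEAD": (200, b"0" * 40 + b" " + b"a" * 40
                        + b" dev <dev@example.com> 1 +0000\tcommit (initial): x\n"),
    "/.git/info/exclude": (200, b"# git ls-files --others --exclude-from=.git/info/exclude\n"),
}


def fake_fetch(url):
    return FAKE_SITE.get(urlsplit(url).path, (404, b""))


def catch_all_fetch(url):
    """A site that answers 200 with a landing page for every URL (classic false positive)."""
    return 200, b"<!doctype html><h1>Welcome</h1>"


if __name__ == "__main__":
    for name, fetch in (("leaky site", fake_fetch), ("catch-all site", catch_all_fetch)):
        report = probe("http://www.example.com", fetch)
        for vcs, (n, total, paths) in report.items():
            print(f"{name}: {vcs} {n}/{total} files confirmed, exposed={is_exposed(report, vcs)}")
        if not report:
            print(f"{name}: no VCS metadata confirmed")
```

Against a real host, call `probe("https://host.example")` with the default `http_fetch`; the constructed fetchers exist only so the logic can be exercised without a network. The half-or-more threshold is deliberately loose, since a partially blocked `.git/` (say, `index` denied but `config` and `logs/HEAD` served) already leaks the remote URL and the committer names.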
• 44. Evolving: a good example of open source collaboration between projects

• 45. WiK and Mubix: gitDigger (Defcon 21 / BSides Vegas)
https://github.com/wick2o/gitDigger

• 46. Google dorks
● “.git” intitle:”index of”
● “.svn” intitle:”index of”
● “CVS” intitle:”index of”
● “.hg” intitle:”index of”
● “.bzr” intitle:”index of”
● … (I guess you got the idea already)...

• 47. Searching for standard interfaces
● Interfaces
  – Redmine
  – ViewCS
  – ViewCVS
  – Gitweb
  – ...
● Google dorks
  – “Powered by ViewCS”
● Bing as well...

• 48. Recommendations for developers
● Do not store passwords and API keys in SCM
  – Config.php vs config.php-dist
● Do not store sensitive info in SCM
● Separate test and production data
● Being paranoid is a good feeling
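The first two bullets of slide 48 (config.php vs config.php-dist; no passwords or API keys in SCM) are exactly what a pre-commit hook can enforce. The script below is an added example for this page, not code from the talk or from any tool it lists; the file-name rules, the credential regexes and the placeholder list are my own heuristics, and the staged files in SAMPLE are constructed so it runs without a repository. With `--staged` it reads the index through `git diff --cached` and `git show :path`, which is how it would be wired into `.git/hooks/pre-commit`.

```python
"""Pre-commit check for live configs and credentials (added example, see lead-in)."""
import re
import subprocess
import sys

# Files that should only ever be committed as a -dist / .example template
# (slide 8: Software.conf vs Software.conf-dist).
LIVE_CONFIG = re.compile(r"(^|/)(config\.php|[^/]+\.conf|\.env|settings\.py)$")
TEMPLATE_SUFFIX = re.compile(r"(-dist|\.example|\.sample|\.template)$")

# Heuristic credential patterns: my own choice, tune them for the code base.
SECRET_PATTERNS = {
    "password assignment": re.compile(r"(?i)(pass(word)?|pwd)\s*[=:]\s*['\"][^'\"]{4,}['\"]"),
    "api key / token assignment": re.compile(
        r"(?i)(api[_-]?key|secret[_-]?key|token)\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private key block": re.compile(r"-----BEGIN (RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "DSN with embedded password": re.compile(r"\b\w+://[^:/\s]+:[^@\s]+@"),
}
# Values that are obviously placeholders are fine in a template.
PLACEHOLDER = re.compile(r"(?i)(changeme|xxx+|your[_-]?\w*|example|<[^>]+>|\*{3,})")


def check_file(path, text):
    """Return (path, line, reason) findings for one file; line 0 means the file name itself."""
    findings = []
    if LIVE_CONFIG.search(path) and not TEMPLATE_SUFFIX.search(path):
        findings.append((path, 0, "live config file; commit a -dist template instead"))
    for lineno, line in enumerate(text.splitlines(), 1):
        for reason, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if match and not PLACEHOLDER.search(match.group(0)):
                findings.append((path, lineno, reason))
    return findings


def check_files(files):
    """files: iterable of (path, text) pairs."""
    findings = []
    for path, text in files:
        findings.extend(check_file(path, text))
    return findings


def staged_files():
    """Read staged content from the index, as a git pre-commit hook would (needs a repository)."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=AM"],
        capture_output=True, text=True, check=True).stdout.split()
    files = []
    for name in names:
        blob = subprocess.run(["git", "show", ":" + name], capture_output=True, check=True).stdout
        files.append((name, blob.decode("utf-8", "replace")))
    return files


# Constructed staged files for a stand-alone run.
SAMPLE = [
    ("config.php-dist", "<?php\n$db_pass = 'CHANGEME';\n"),
    ("config.php", "<?php\n$db_pass = 'hunter2secret';\n$api_key = 'sk_live_0123456789abcdef';\n"),
    ("README", "Connect with mysql://user:changeme@localhost/db and replace the password.\n"),
    ("deploy/id_rsa", "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n"),
]

if __name__ == "__main__":
    files = staged_files() if "--staged" in sys.argv else SAMPLE
    results = check_files(files)
    for path, lineno, reason in results:
        print(f"{path}:{lineno}: {reason}")
    sys.exit(1 if results else 0)
```

On the constructed sample the hook rejects the commit for four reasons: config.php is a live config, it carries a real-looking password and an API key, and a private key is being added under deploy/; config.php-dist with its CHANGEME value and the README's placeholder DSN pass. The exit status is what git uses to abort the commit.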
• 49. Recommendations for system administrators
● Proactively forbid serving all SCM files on web servers
● Periodically check for the standard directories of SCMs, e.g.:
  – find /web -name .svn
  – find /web -name .git
  – wget http://www.site.com/svn/
● Is there any need to have source code available at all?
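The `find /web -name .svn` checks on slide 49 can be turned into a small audit that also says what each hit leaks. This is an added example written for this page, not the talk's code; the descriptions it prints are my own summary of the deck's slides on CVS, `.svn/entries`, `text-base` and `wc.db`, and the sample web root is constructed with tempfile so the script runs stand-alone. It goes one step beyond `find -type d` by also catching the `.git` file that submodules and worktrees leave behind, which points at the real object store.

```python
"""Audit a web root for VCS metadata that should never be served (added example, see lead-in)."""
import os
import sys
import tempfile

# Directory names the talk lists, keyed to a short VCS label.
VCS_DIRS = {".git": "git", ".svn": "svn", "CVS": "cvs", ".hg": "hg", ".bzr": "bzr"}


def classify(parent, name):
    """Describe what the found entry leaks, judged from the files actually present."""
    path = os.path.join(parent, name)
    kind = VCS_DIRS[name]
    if kind == "git":
        # Submodules and worktrees use a ".git" *file* ("gitdir: ..."): find -type d misses it.
        if os.path.isfile(path):
            return "git pointer file (gitdir reference)"
        if os.path.isdir(os.path.join(path, "objects")):
            return "git objects (full history recoverable)"
        return "git metadata"
    if kind == "svn":
        if os.path.isfile(os.path.join(path, "wc.db")):
            return "svn single-.svn layout (wc.db plus pristine copies: whole tree)"
        if os.path.isdir(os.path.join(path, "text-base")):
            return "svn per-directory layout (text-base: file contents)"
        return "svn metadata (entries: repository URL and user)"
    if kind == "cvs":
        return "CVS metadata (Root/Repository: server, path and user)"
    return kind + " metadata"


def audit(webroot):
    """Return sorted (relative path, description) for every VCS entry under webroot."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        for name in list(dirnames) + filenames:
            if name in VCS_DIRS:
                rel = os.path.relpath(os.path.join(dirpath, name), webroot)
                hits.append((rel, classify(dirpath, name)))
        # Do not descend into the metadata directories themselves.
        dirnames[:] = [d for d in dirnames if d not in VCS_DIRS]
    return sorted(hits)


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    mode = "wb" if isinstance(data, bytes) else "w"
    with open(path, mode) as fh:
        fh.write(data)


def make_sample_webroot():
    """Constructed web root for a stand-alone run: one hit of each interesting shape."""
    root = tempfile.mkdtemp(prefix="webroot-")
    _write(os.path.join(root, ".git", "HEAD"), "ref: refs/heads/master\n")
    os.makedirs(os.path.join(root, ".git", "objects"))
    _write(os.path.join(root, "app", ".svn", "wc.db"), b"SQLite format 3\x00")
    _write(os.path.join(root, "legacy", "CVS", "Root"), ":pserver:user@cvs.example.com:/repo\n")
    _write(os.path.join(root, "vendor", "lib", ".git"), "gitdir: ../../.git/modules/lib\n")
    _write(os.path.join(root, "index.php"), "<?php echo 'hello';\n")
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_webroot()
    for rel, what in audit(target):
        print(f"{rel}: {what}")
```

Run it as `python audit.py /web` from cron and alert on any output; an empty result is the only acceptable one on a production document root, which is the slide's closing question about whether the source needs to be there at all.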
• 50. Recommendations for management and auditors
● Ask how source code management is done
● Ask what security controls are there to protect source code
● What controls are there to protect against source code leaks?
● What controls are there to protect against password and key leaks?
● What controls are there to protect sensitive information in source code and configurations?

• 51. References
● https://github.com/evilpacket/DVCS-Pillage
● https://github.com/kost/DVCS-Pillage
● https://github.com/kost/dvcs-ripper
● https://github.com/anantshri/svn-extractor
● http://blog.anantshri.info/svn-extractor-for-web-pentesters/
● http://www.adamgotterer.com/post/28125474053/hacking-the-svn-directory-archive
● http://www.cirt.net/svnpristine
● http://pen-testing.sans.org/blog/2012/12/06/all-your-svn-are-belong-to-us/comment-page-1/
● http://nmap.org/nsedoc/scripts/cvs-brute-repository.html
● http://nmap.org/nsedoc/scripts/cvs-brute.html
● http://nmap.org/nsedoc/scripts/http-git.html

• 52. Questions? Comments? Feedback?
@k0st (that is a zero)
Acknowledgements: Adam Baldwin, Ron Bowes, Alex Weber, ...