Hi. On 19th November 2015 I published the WebLorean tool, which implements the technique described in my 2600 Article entitled “Abusing the Past”, which you can read here: http://blogs.buanzo.com.ar/2015/05/abusing-the-past-a-2600-article-published-volume-32-number-one.html
The tool is useful for sysadmins, hostmasters, web designers (with linux knowledge), etc.
It is also useful for pentesters!
It might be immediately obvious if you read the Abusing the Past article (link up there ^^).
Basically, if you own or manage a website, or are hired to conduct a penetration test of a website, you probably know what to do. But many people fail to notice that websites have a history, and sometimes the past is definitely more vulnerable, as it is no longer maintained/updated.
Why would an old website still be configured in its old servers? Mismanagement? Bad security practices? Any combination of the above?
Truth be told, an old website (that is how I will be calling a website that is still configured on an old host, in the context of Abusing the Past) contains information and potential vulnerabilities which could provide access to the current (present-host) website, or simply be useful for abusing the old host itself, weakening a web service provider.
So, let’s define a target. www.example.com
First, you need to set up weblorean. That is quite easy with any current linux (osx too) distro with access to python3. And no, it does not currently work on Windows [TODO: remove the pyvirtualdisplay requirement, which is mostly needed if you intend to take screenshots using weblorean, which is very easy to do from selenium-python].
WebLorean is just three files. Two if we take the README out of the equation. The main script is timetravel.py and it takes only one argument: the target.
So, we would run ./timetravel.py www.example.com and get the output.
The script first checks Netcraft for the hosting history of www.example.com, which might or might not include the current IP. The second step involves getting the current IP addresses for www.example.com and removing them from the hosting history IP list. WebLorean then proceeds to make a simple check to determine the potential existence of www.example.com on the old servers. Of course, in many cases the past IP addresses might be down. WebLorean makes no assumptions.
If an old host seems to still have www.example.com configured on the server, weblorean will let you know. You should make a note, and start working.
Now, you would create a /etc/hosts entry for www.example.com for the first old-IP that weblorean reports as still configured, and run your web pentesting tools against it. Once finished, edit /etc/hosts, update for the next old-IP, and repeat until you run out.
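The three steps above (history minus current IPs, then a Host-header check of each old IP), as an added illustration in Python. This is not WebLorean's own code: the hosting history and addresses are constructed, the Netcraft lookup is not reproduced, and the comparison against a control Host header is an extra check not in the text, there to avoid mistaking a catch-all page for a site-specific vhost.

```python
"""Audit whether historical hosting IPs still serve a site's virtual host (added example)."""
import http.client
import socket

SITE = "www.example.com"                                      # constructed target
HISTORY_IPS = ["198.51.100.10", "203.0.113.7", "192.0.2.44"]  # constructed hosting history
CONTROL_HOST = "nosuchvhost-control.invalid"                  # a Host no real vhost should match

def stale_candidates(history, current):
    """Historical IPs the name no longer resolves to, order kept, duplicates dropped."""
    current, seen, out = set(current), set(), []
    for ip in history:
        if ip not in current and ip not in seen:
            seen.add(ip)
            out.append(ip)
    return out

def resolve_current(name):
    """IPv4 addresses the name currently resolves to (empty list if resolution fails)."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, 80, socket.AF_INET)})
    except socket.gaierror:
        return []

def http_probe(ip, host, timeout=5.0):
    """GET / from ip with the given Host header; returns (status, body length) or None if down."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host, "User-Agent": "vhost-audit"})
        resp = conn.getresponse()
        return resp.status, len(resp.read())
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()

def verdict(site_resp, control_resp):
    """Compare the site's answer with the control Host's answer before calling it configured."""
    if site_resp is None:
        return "down"
    if control_resp is not None and site_resp == control_resp:
        # Same answer for any Host: a placeholder page, or the site is the server's default vhost
        return "catch-all"
    return "still-configured" if site_resp[0] < 400 else "responds-%d" % site_resp[0]

def audit(history, current, probe=http_probe, site=SITE):
    """Map each stale IP to a verdict; probe is injectable so the logic can be tested offline."""
    return {ip: verdict(probe(ip, site), probe(ip, CONTROL_HOST))
            for ip in stale_candidates(history, current)}

if __name__ == "__main__":
    print(audit(HISTORY_IPS, resolve_current(SITE)))
```

A "catch-all" result still deserves a manual look, since a server that answers every Host with the same page may simply be serving the site as its default vhost.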
Of course, if you are just a manager or web designer or some other non-pentesting interested party, you might just want to contact someone and let them know about this situation, which could affect the old web host and the current web host, plus anyone involved with the website (owners, customers, employees, etc).
Believe it or not, this technique IS used, and not really discussed much. I mentioned the technique to a couple of colleagues during Ekoparty 2011 (the BEST security conference in Latin-America, www.ekoparty.org) and they all agreed on it.
NOTE: Some people might claim using selenium is overkill (and I agree), but I consider selenium a tool pentesters should use more, hence my using it in weblorean.