
Find out the invisible assets -- use hosts collision to break through the boundary

2022-06-24 16:08:00 Bypass

Sorting out assets from the attacker's perspective, with full port scanning plus subdomain collection, identifies most of an enterprise's exposed assets. Even so, misconfiguration or assets that were not decommissioned in time often leave some hidden assets behind.


01、Business scenario

In general, reaching a web site through a domain name takes two steps: DNS resolves the domain name to the server's IP address, and the server binds the domain name to that IP address. In most cases, direct access to the site by IP is forbidden, which blocks malicious resolution and IP-based scanning and ensures that users can only reach the business system through the correct domain name.

Take a typical enterprise deployment as an example: a high-availability web architecture built with LVS + Nginx. In this mode only one public IP needs to be bound, and every service port on the intranet can be mapped to the external network through a single port on the Nginx proxy.

Based on this deployment architecture, there are two typical vulnerability scenarios:

(1) A test or pre-production environment: the public DNS record is removed, but the Nginx configuration is not cleared in time, so the site can still be reached by binding the correct host.

(2) For security reasons, the external-network Nginx and the intranet Nginx must be strictly separated, but no such distinction is made: the same Nginx carries both the intranet and the Internet services, the public domain name resolves to the public address, and the intranet DNS resolves to the intranet address. In that case, binding the correct host gives access to the intranet system.

02、Hosts collision technique

In the scenarios above, the domain name appears in no DNS resolution record and the site cannot be reached through its IP and port; only by checking the Nginx configuration would the security problem caused by the improper configuration be discovered.

So, from the attacker's point of view, how are these invisible assets found?

The technique shared here is called hosts collision: domain names are bound to IP addresses in combination, and each pairing is tried. Once a pairing matches the domain-name binding configured on the back-end proxy server, the corresponding business system becomes accessible, and the hidden asset is discovered.

Of course, besides finding hidden assets, the same method can be used to find the real IP of a business system, bypassing the protection of a cloud WAF.
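The two scenarios in section 01 and the collision technique in section 02 come down to the same condition: Nginx still answers for a name that public DNS no longer advertises, or never did. The following is an added example, not code from the original post or from the tools linked in section 03. It is a defender-side audit: it parses an Nginx configuration into its server blocks and reconciles every server_name against what DNS advertises, flagging stale vhosts, intranet-only names bound on the public proxy, and the absence of a catch-all default_server. The configuration text, hostnames and DNS sets are constructed for the demo; the exposed configuration reproduces the weak deployment, and the hardened one shows the corrected settings (a default_server that returns 444 for unknown hosts, and only publicly advertised names bound).

```python
"""Audit an Nginx configuration for hidden virtual hosts.

Added example, not code from the original post or the linked tools.
Config text, hostnames and DNS sets are constructed for the demo.
"""
import re
from dataclasses import dataclass

# Constructed: the weak deployment from section 01. One public Nginx serves a
# live site, a leftover test vhost whose DNS record was cleared, and an
# intranet system whose name exists only on the internal DNS. No default_server.
EXPOSED_CONF = """
server {
    listen 80;
    server_name www.example.com;
    location / { proxy_pass http://10.0.0.10:8080; }
}
server {
    listen 80;
    server_name test.example.com;
    location / { proxy_pass http://10.0.0.11:8080; }
}
server {
    listen 80;
    server_name oa.example.com;
    location / { proxy_pass http://10.0.0.12:8080; }
}
"""

# Constructed: the corrected public Nginx. Unknown Host values hit a catch-all
# that closes the connection (444), and only publicly advertised names are
# bound; the intranet system is served by a separate internal Nginx.
HARDENED_CONF = """
server {
    listen 80 default_server;
    server_name _;
    return 444;
}
server {
    listen 80;
    server_name www.example.com;
    location / { proxy_pass http://10.0.0.10:8080; }
}
"""

PUBLIC_DNS = {"www.example.com"}    # constructed: names with a public record
INTRANET_DNS = {"oa.example.com"}   # constructed: names resolvable only inside


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str
    message: str


def _strip_nested(body: str) -> str:
    """Drop nested { } blocks (location, if ...) so only server-level directives remain."""
    out, depth = [], 0
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def parse_server_blocks(conf: str) -> list[dict]:
    """Return one dict per server block with its listen, server_name and return values."""
    blocks, pos = [], 0
    pattern = re.compile(r"\bserver\s*\{")
    while (m := pattern.search(conf, pos)):
        start, depth, i = m.end(), 1, m.end()
        while i < len(conf) and depth:            # find the matching closing brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        top = _strip_nested(conf[start:i - 1])
        blocks.append({
            "listen": re.findall(r"^\s*listen\s+([^;]+);", top, re.M),
            "names": [n for line in re.findall(r"^\s*server_name\s+([^;]+);", top, re.M)
                      for n in line.split()],
            "return": re.findall(r"^\s*return\s+(\d{3})", top, re.M),
        })
        pos = i
    return blocks


def audit(conf: str, public_dns: set[str], intranet_dns: set[str]) -> list[Finding]:
    """Reconcile what Nginx will answer for against what DNS advertises."""
    findings, catch_all = [], False
    for b in parse_server_blocks(conf):
        if b["names"] == ["_"] or any("default_server" in lst for lst in b["listen"]):
            catch_all = True
            if not any(code in ("444", "403", "404") for code in b["return"]):
                findings.append(Finding("_", "high",
                    "catch-all server proxies requests for unknown Host values instead of refusing them"))
            continue
        for name in b["names"]:
            if name in public_dns:
                continue                          # advertised and served: expected
            if name in intranet_dns:
                findings.append(Finding(name, "high",
                    "intranet-only name bound on the public Nginx; reachable with the right Host"))
            else:
                findings.append(Finding(name, "medium",
                    "no DNS record anywhere: stale vhost (old test/pre-prod); remove the server block"))
    if not catch_all:
        findings.append(Finding("*", "medium",
            "no default_server: Nginx answers any unknown Host with the first server block"))
    return sorted(findings, key=lambda f: f.host)


if __name__ == "__main__":
    for label, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for f in audit(conf, PUBLIC_DNS, INTRANET_DNS):
            print(f"[{f.severity}] {f.host}: {f.message}")
```

In a real environment the DNS sets would come from the authoritative zone (public) and the internal resolver rather than from literals, and the audit would run over every `server` block the proxy actually loads (`nginx -T` output) so that included files are not missed. The severity split reflects the two scenarios: a stale vhost exposes a forgotten environment, while an intranet-only name on the public proxy exposes a live internal system.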

03、Automated scanning tools

hostscan: an automated host collision tool

https://github.com/cckuailong/hostscan

Hosts_scan: a Python script for IP and domain-name collision matching

https://github.com/fofapro/Hosts_scan

Copyright notice
This article was written by [Bypass]; please include the original link when reposting. Thank you.
https://yzsam.com/2022/175/202206241545216700.html