Everyone in a company is responsible for the company’s data security. A company can spend billions of dollars on all kinds of security equipment, but it only takes one person for the company’s security to be compromised [1].
Among various techniques and methods used during Penetration Test sometimes we also do “Dumpster Diving”, which involves searching throughout the trash or garbage looking for something useful to gain access to the network or to get data that helps at next steps. Seemingly innocent information like organizational charts, calendar entries, or phone records can be used in a social engineering attack.
During one of the Penetration Test projects we found documents like:
- Invoices
- Contracts
- Names
- Addresses
- Identity Card information
- Birthday dates
- Other personal information
This happens, because companies/people are not paying enough attention to what is thrown into dumpsters outside the buildings. Afterwards, the security companies performing Penetration Tests only have to put puzzles together in order to prepare attack scenarios, and infiltration into the company’s internal network is highly possible. To prevent Dumpster Diving a company should establish a disposal policy for all print-outs, storage media, etc. Additionally, all employees should be educated as well and maybe trash should not be accessed without proper permissions.
CloudFlare provides services to protect and accelerate websites. Using their services also protects against DoS in DDoS attacks. I know a large number of clients that are using these services. By using this service the real IP address of the website is hidden and so there is a better chance to survive the DDoS attack. Just googling you can find some sites that can reveal the real IP address such as http://www.crimeflare.com/cfs.html.
Going back to the challenge, I checked different pages and googled even more. I found a page where CloudFlare suggests what to do in such cases. This page can be found at this address: https://support.cloudflare.com/hc/en-us/articles/200170196-I-am-under-DDoS-attack-what-do-I-do-.
After registering at the attacked page, I tried to see if there is some leakage in their web page, but there was nothing to find. After looking a little bit more, I went another way. Since the webpage was sending out emails when registering or doing some other changes, I noticed, that there was some IP address that belongs to some hosting provider. This IP address was found in the email headers of sent emails. I verified with my friends and after just a couple of minutes, they confirmed that this is the real IP address that is under attack. They were checking a lot of things, but they didn’t expect that leakage would be coming from email headers.
So what can we learn from such an issue? We need to check all kinds of sources that can reveal the real IP address behind CloudFlare services. Webpage is just one of the things we need to check and next time be sure to check also email headers.
After they changed the IP address and fixed IP leakage from email headers, DDoS attacks stopped, and also website is no longer under the attack.
Here are some interesting links I found during my Google search:
http://smartguysays.com/find-out-real-ip-behind-clouflare/
http://geekflare.com/find-real-ip-address-of-website-powered-by-cloudflare/
http://tipstrickshack.blogspot.si/2012/11/how-to-find-real-ip-protected-by-cloud.html
Reference
[1] http://www.sans.org/reading-room/whitepapers/engineering/social-engineering-manipulating-the-source-32914