
Foster Day at the Foreign Ministry

Good afternoon, ladies and gentlemen. The day is really good: today* the state has become a little bit closer to the people, and the country as a whole is closer to the ideal. After all, what is this, if not the glow of a brighter future, if writing to an official or even a minister is now no more difficult than sending an email to a friend?

What happened?


I was sitting there, bothering no one, fixing my Asterisk for compatibility with the operator's CommuniGate Pro. What I did not know, I googled, and unexpectedly googled up the login form of the corporate mail of the Ministry of Foreign Affairs. Um...



Good: it is not the FSB. Bad: disrespect for robots.txt. But that is a separate issue.
Outside the window: deep night, the moon and light snow. And on the screen: a login prompt and a blinking cursor. I don't know, for people in computer-related professions this is probably somewhere at the level of reflexes. But admit it, you would have done the same in my place:



What a pity. However, I am persistent:



What???

For those reading the article on a small screen: the password did not fit, but in the second picture, in the field after the admin username, the domain mid.ru suddenly appeared. You do not need to be a genius to understand the logic of the page and draw the appropriate conclusions. Not rosy conclusions, of course. To be sure, I checked the "postmaster" name, which is standard for CommuniGate, and got unequivocal evidence that such an account exists too.

For a large mail provider like Yandex, for example, a similar embarrassment is nothing, zilch. Roll alphabet dice, type the resulting word, and you cannot miss. But here we are dealing with a very specific organization with a small number of even more specific users. How "specific"? I don't know. I honestly and conscientiously tried s.lavrov, lavrov_sv, etc. The cherished mid did not appear.

There will be no brute force, move along**


I am a respectable person, and in general, going head-on is primitive and inelegant. Besides, a serious domain must be seriously protected. And indeed, there is some protection: the number of connections per second is unlimited, and the channel is quite wide, but after a dozen unsuccessful attempts the system will not let you in even with the correct password. That, however, does not prevent it from stubbornly exposing the notorious mid. Anyway, that would take spare time, and I do not have any. Generating a dictionary of first names and surnames, even less so. But still, I need at least one address for further experiments, where I can report the vulnerability I found. Let's start with three characters, for example, aaa. Of course, there are no such addresses, but it will at least be possible to evaluate the speed of the script. Stop the script after finding the first valid account. Ready? Buckle up. This is the fastest brute force in my practice, yours, and indeed, probably, the world's.



What happened? What a strange metamorphosis? Nooo... You're kidding! Yes, this is some kind of holiday! I mean, if I were an evil hacker, a spammer, or an engineer of human souls, a.k.a. otchet_za_fevral.exe... Damn, I even feel somehow awkward before the man. Sorry, AA Anikin, you saw everything yourself, I did not do it on purpose... Perhaps we need to stop the script. That's too much. It seems that such three-letter aliases, made of the first letters of the first name, patronymic and last name, and expanding themselves to the full form before the check, are set up for many key users of the system. Within a few minutes I found an employee of the Institute of Informatics and an expert at the embassy in Germany (and where does everyone get such a love for LinkedIn? A corporate standard?). I did not find Lavrov. Who knows, maybe it's for the best.
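Assuming the dozen-attempt lockout described above is counted per account, a source that tries each name only once never trips it. The sketch below is an added example, not code from the original post or from CommuniGate Pro: it compares that per-account counter with a per-source count of distinct usernames over constructed events. The event layout, the addresses, the sample names and the per-source threshold and window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

ACCOUNT_LOCKOUT = 12             # "a dozen" failures, as described in the post
MAX_DISTINCT_USERS = 10          # assumed per-source threshold
WINDOW = timedelta(seconds=60)   # assumed sliding window

def constructed_events():
    """Constructed sample events: (timestamp, source_ip, username, success)."""
    t0 = datetime(2015, 5, 22, 1, 0, 0)
    events = []
    # One source fails once against each of 15 different three-letter names.
    for i in range(15):
        name = "aa" + chr(ord("a") + i)
        events.append((t0 + timedelta(seconds=i), "203.0.113.7", name, False))
    # A legitimate user mistypes a password twice, then logs in.
    for i, ok in enumerate([False, False, True]):
        ts = t0 + timedelta(seconds=20 + 5 * i)
        events.append((ts, "198.51.100.4", "jdoe", ok))
    return sorted(events)

def locked_accounts(events, limit=ACCOUNT_LOCKOUT):
    """Per-account control: accounts whose failure count reaches the limit."""
    failures = defaultdict(int)
    for _, _, user, ok in events:
        if not ok:
            failures[user] += 1
    return {user for user, count in failures.items() if count >= limit}

def enumerating_sources(events, limit=MAX_DISTINCT_USERS, window=WINDOW):
    """Per-source control: sources that fail against more than `limit`
    distinct usernames inside one sliding window."""
    recent = defaultdict(deque)  # source -> (timestamp, username) in window
    flagged = set()
    for ts, src, user, ok in events:
        if ok:
            continue
        queue = recent[src]
        queue.append((ts, user))
        while ts - queue[0][0] > window:   # drop failures older than the window
            queue.popleft()
        if len({name for _, name in queue}) > limit:
            flagged.add(src)
    return flagged

if __name__ == "__main__":
    sample = constructed_events()
    print("locked accounts:    ", locked_accounts(sample))
    print("enumerating sources:", enumerating_sources(sample))
```

On the constructed sample no account is ever locked, while the source that walks through the name space is flagged. Throttling per source complements, but does not replace, making the login form respond identically for existing and non-existing names.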

What's next?


This article will have no conclusions or moralizing at the end. Jokes aside, the triumph of human laziness and all that. But I really do not know what to do with this find. And therefore I hand it over to the competent community, in other words, to the "Information Security" hub. If you are interested in employment at the Research Institute of Informatics, then now you know where to send your resume. But I still hope that someone has the courage to send a bug report, and as soon as possible. I myself do not dare to do this, and I do not strongly believe in success. Although, you never know.

* Actually May 22, 2015
** There will be!
*** Vitaly mid , weasel, I'm not on purpose :)

Source: https://habr.com/ru/post/276859/

