Exposure of Grafana and Prometheus metrics (/debug/pprof)
I have always had an interest in recon. Recon is the primary and essential step in pen testing, so please give Reconnaissance the importance it deserves.
What is Reconnaissance?
Reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Such information may include details of the victim's organization, infrastructure, or staff/personnel. This information can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using gathered information to plan and execute Initial Access, to scope and prioritize post-compromise objectives, or to drive and lead further Reconnaissance efforts. — MITRE Website
Reconnaissance is split up into 2 categories based on the type of interaction with the target:
- Active reconnaissance — Actively engaging/interacting with the target network, hosts, employees, etc. (Port scanning, vuln scans, web app scanning)
- Passive reconnaissance — Utilizing publicly available information. (whois, OSINT, DNS, search engine dorks)
A search engine dork refers to search engine syntax which allows users to filter the type of results they get.
What I did to find exposed /debug/pprof endpoints on Grafana or Prometheus instances:
First, recon the target's subdomains. I used https://subdomainfinder.c99.nl/; this website gives a decent number of subdomains for a domain. You can use many other tools as well, such as:
- Sublist3r
- httpx
- knock
- sub404
“Active Scanning”
- Port Scanning
- Vulnerability scanning
- Website Directory brute-force
After doing this I fed the subdomain list into a tool called nuclei, which started crawling all the endpoints. WOW, what a tool; it gave out good results.
The results showed that /debug/pprof endpoints were exposed on public ports. This is a very sensitive information exposure.
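Both Grafana and Prometheus are Go programs, and Go's net/http/pprof package is the usual source of a /debug/pprof endpoint: any import of that package registers the profiler handlers on http.DefaultServeMux, so a service that serves DefaultServeMux on its public port exposes heap, goroutine and CPU profiles to the internet. The example below is added here and is not code from Grafana, Prometheus, nuclei or this post's author; it assumes a hypothetical Go service with a single /api/health route. It shows the weak layout (pprof mounted on the public mux) beside the hardened one (pprof on a separate mux meant for a loopback listener), plus a PprofExposed check that keys on the same signal the recon tooling does, so a defender can run it in CI against their own staging URL. The local httptest servers are constructed stand-ins for a deployed instance so the example runs offline.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/pprof"
	"strings"
	"time"
)

// newPublicMux builds the router the service binds to its public port.
// With exposePprof=true it reproduces the misconfiguration found during
// recon: the profiler handlers are mounted next to the application routes.
func newPublicMux(exposePprof bool) *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/health", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	})
	if exposePprof {
		registerPprof(mux) // weak setting: profiling reachable from the internet
	}
	return mux
}

// newAdminMux is the hardened layout: pprof lives on its own mux, which the
// service binds only to a loopback address, never to the public listener.
func newAdminMux() *http.ServeMux {
	mux := http.NewServeMux()
	registerPprof(mux)
	return mux
}

// registerPprof mounts the net/http/pprof handlers explicitly on a mux we
// control. Importing the package at all also registers them on
// http.DefaultServeMux, so the public listener must never serve that mux.
func registerPprof(mux *http.ServeMux) {
	mux.HandleFunc("/debug/pprof/", pprof.Index)
	mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
	mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
	mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
	mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
}

// PprofExposed reports whether the pprof index is served at baseURL. A 200
// whose body carries the index markers (the page title and the goroutine
// profile link) means the profiler is reachable from wherever the check ran.
func PprofExposed(baseURL string) (bool, error) {
	client := &http.Client{Timeout: 5 * time.Second}
	resp, err := client.Get(strings.TrimRight(baseURL, "/") + "/debug/pprof/")
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 64<<10))
	if err != nil {
		return false, err
	}
	text := string(body)
	return resp.StatusCode == http.StatusOK &&
		strings.Contains(text, "/debug/pprof/") &&
		strings.Contains(text, "goroutine"), nil
}

func main() {
	// Constructed local servers stand in for a deployed instance.
	weak := httptest.NewServer(newPublicMux(true))
	defer weak.Close()
	fixed := httptest.NewServer(newPublicMux(false))
	defer fixed.Close()

	for name, srv := range map[string]*httptest.Server{"weak": weak, "fixed": fixed} {
		exposed, err := PprofExposed(srv.URL)
		fmt.Printf("%s public listener: pprof exposed=%v err=%v\n", name, exposed, err)
	}
	// In production the admin mux is served on loopback only, for example:
	//   go http.ListenAndServe("127.0.0.1:6060", newAdminMux())
}
```

The check deliberately requires both the 200 status and the index markers, so a catch-all handler that answers every path with 200 does not register as a false positive. Running PprofExposed against the public base URL of each deployment after every release is the cheapest way to catch this exposure before a scanner does.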
SEE MY PROFILE IF YOU WISH TO:
I’m just on LinkedIn, not on any other social media platform, sorry :(