{"id":41023,"date":"2021-08-30T16:25:11","date_gmt":"2021-08-30T14:25:11","guid":{"rendered":"https:\/\/www.pentestfactory.de\/automated-cyber-attacks-no-system-remains-untouched\/"},"modified":"2024-07-26T10:30:21","modified_gmt":"2024-07-26T08:30:21","slug":"automated-cyber-attacks-no-system-remains-untouched","status":"publish","type":"post","link":"https:\/\/www.pentestfactory.de\/en\/automated-cyber-attacks-no-system-remains-untouched\/","title":{"rendered":"Automated cyber attacks: no system remains untouched"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"41023\" class=\"elementor elementor-41023 elementor-40611\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-7872947 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-eae-slider=\"47779\" data-id=\"7872947\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;ekit_has_onepagescroll_dot&quot;:&quot;yes&quot;}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-7e35d15\" data-eae-slider=\"33815\" data-id=\"7e35d15\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-05c1885 elementor-widget elementor-widget-text-editor\" data-id=\"05c1885\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;ekit_we_effect_on&quot;:&quot;none&quot;}\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Regardless of the size of a company, everyone has to expect to become a target of cyber attacks. 
Many attacks are not aimed at a specific target but are random and automated. When we deployed a new server to host our own vulnerability database, we noticed that within the first 20 hours online, more than 700 requests (724 in total) had already been logged on the webserver. In this article we dissect where these requests originate and show that attackers target far more than well-known systems and companies these days. In addition, we give practical advice on how to protect your own systems against these attacks.<\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-f60558b elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-eae-slider=\"94955\" data-id=\"f60558b\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;ekit_has_onepagescroll_dot&quot;:&quot;yes&quot;}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-11fa5be\" data-eae-slider=\"68574\" data-id=\"11fa5be\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-44f8acf elementor-widget elementor-widget-text-editor\" data-id=\"44f8acf\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;ekit_we_effect_on&quot;:&quot;none&quot;}\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h4>Legitimate requests to the vulnerability database (37%)<\/h4>\n<p>In a first step we filter out all requests from our log file that constitute valid queries to our vulnerability 
database (most of which were issued by our own test cases). We do this by filtering out all requests from known source IP addresses as well as regular requests to the known API endpoints. The vulnerability database provides the following API endpoints for the retrieval of vulnerability data:<\/p>\n<ul type=\"disc\">\n<li>\/api\/status<\/li>\n<li>\/api\/import<\/li>\n<li>\/api\/query_cve<\/li>\n<li>\/api\/query_cpe<\/li>\n<li>\/api\/index_management<\/li>\n<\/ul>\n<p>After a first evaluation, we observed that 269 of 724 requests were legitimate requests to the vulnerability database:<\/p>\n<p><img fetchpriority=\"high\" decoding=\"async\" class=\"wp-image-40645 size-full\" src=\"https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_1_cut.png\" alt=\"Cyber attacks\" width=\"1269\" height=\"213\" title=\"\" srcset=\"https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_1_cut.png 1269w, https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_1_cut-300x50.png 300w, https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_1_cut-1024x172.png 1024w, https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_1_cut-768x129.png 768w\" sizes=\"(max-width: 1269px) 100vw, 1269px\" \/> <em style=\"text-align: center;\">Figure 1: Sample of legitimate requests to the webserver<\/em><\/p>\n<p>But where do the remaining 455 requests come from?<\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-2f7249b elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-eae-slider=\"27023\" data-id=\"2f7249b\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;ekit_has_onepagescroll_dot&quot;:&quot;yes&quot;}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column 
elementor-col-100 elementor-top-column elementor-element elementor-element-53cc6c5\" data-eae-slider=\"11028\" data-id=\"53cc6c5\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-9dcca2a elementor-widget elementor-widget-text-editor\" data-id=\"9dcca2a\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;ekit_we_effect_on&quot;:&quot;none&quot;}\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h4>Directory enumeration of administrative database backends (14%)<\/h4>\n<p>A single IP address was particularly persistent: with 101 requests, one attacker attempted to enumerate various database administration backends by guessing their directory names:<img decoding=\"async\" class=\"aligncenter wp-image-40647 size-full\" src=\"https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_2_cut.png\" alt=\"\" width=\"1112\" height=\"379\" title=\"\" srcset=\"https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_2_cut.png 1112w, https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_2_cut-300x102.png 300w, https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_2_cut-1024x349.png 1024w, https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_2_cut-768x262.png 768w\" sizes=\"(max-width: 1112px) 100vw, 1112px\" \/><\/p>\n<p style=\"text-align: center;\"><em>Figure 2: Directory scanning to find database backends<\/em><\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-61542ef elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-eae-slider=\"43455\" data-id=\"61542ef\" data-element_type=\"section\" data-e-type=\"section\" 
data-settings=\"{&quot;ekit_has_onepagescroll_dot&quot;:&quot;yes&quot;}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-0a283e6\" data-eae-slider=\"43925\" data-id=\"0a283e6\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-cb0ea4a elementor-widget elementor-widget-text-editor\" data-id=\"cb0ea4a\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;ekit_we_effect_on&quot;:&quot;none&quot;}\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h4>Vulnerability scans from unknown sources (14%)<\/h4>\n<p>Furthermore, we identified 102 requests for which our attempts to associate the source IPs with domains or specific organisations (e.g., via reverse DNS lookup with nslookup or via the user agent) were unsuccessful. The 102 requests originate from 5 different IP addresses or subnets. 
This means around 20 requests were executed per scan.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-40649 size-full\" src=\"https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_3_cut.png\" alt=\"\" width=\"716\" height=\"325\" title=\"\" srcset=\"https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_3_cut.png 716w, https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_3_cut-300x136.png 300w\" sizes=\"(max-width: 716px) 100vw, 716px\" \/><\/p>\n<p style=\"text-align: center;\"><em>Figure 3: Various vulnerability scans with unknown origin<\/em><\/p>\n<p>Enumerated components included:<\/p>\n<ul type=\"disc\">\n<li>boaform admin interface (8 requests)<\/li>\n<li>\/api\/jsonws\/invoke: Liferay CMS remote code execution and other exploits<\/li>\n<\/ul>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-910030d elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-eae-slider=\"43483\" data-id=\"910030d\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;ekit_has_onepagescroll_dot&quot;:&quot;yes&quot;}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-fc36f8f\" data-eae-slider=\"26984\" data-id=\"fc36f8f\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-03d96ab elementor-widget elementor-widget-text-editor\" data-id=\"03d96ab\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;ekit_we_effect_on&quot;:&quot;none&quot;}\" 
data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h4>Requests to \/ (11,5%)<\/h4>\n<p>Overall, we identified 83 requests for the index page of the webserver. Such a request reveals whether a webserver is online and which service or default page it returns.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-40620 size-full\" src=\"https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_4.png\" alt=\"\" width=\"1357\" height=\"295\" title=\"\" srcset=\"https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_4.png 1357w, https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_4-300x65.png 300w, https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_4-1024x223.png 1024w, https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_4-768x167.png 768w\" sizes=\"(max-width: 1357px) 100vw, 1357px\" \/><\/p>\n<p style=\"text-align: center;\"><em>Figure 4: Index requests from various sources<\/em><\/p>\n<p>We were able to identify various providers and tools that checked our webserver for availability:<\/p>\n<ul type=\"disc\">\n<li><a href=\"https:\/\/censys.io\" target=\"_blank\" rel=\"noopener nofollow\">censys.io<\/a><\/li>\n<li><a href=\"https:\/\/netsystemsresearch.com\" target=\"_blank\" rel=\"noopener nofollow\">netsystemsresearch.com<\/a><\/li>\n<li><a href=\"https:\/\/leakix.net\" target=\"_blank\" rel=\"noopener nofollow\">leakix.net<\/a><\/li>\n<li><a href=\"https:\/\/zmap.io\/\" target=\"_blank\" rel=\"noopener nofollow\">zmap\/zgrab<\/a> (scanner)<\/li>\n<li><a href=\"https:\/\/go-colly.org\/\" target=\"_blank\" rel=\"noopener nofollow\">colly<\/a> (scraping framework)<\/li>\n<\/ul>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-44b9b3b elementor-section-boxed 
elementor-section-height-default elementor-section-height-default\" data-eae-slider=\"86008\" data-id=\"44b9b3b\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;ekit_has_onepagescroll_dot&quot;:&quot;yes&quot;}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-b4f0711\" data-eae-slider=\"5838\" data-id=\"b4f0711\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-3bcb2c1 elementor-widget elementor-widget-text-editor\" data-id=\"3bcb2c1\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;ekit_we_effect_on&quot;:&quot;none&quot;}\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h4>Vulnerability scans from leakix.net (9%)<\/h4>\n<p>During our evaluation of the log file we identified a further 65 requests originating from two IP addresses that used a user agent containing &#8220;leakix.net&#8221;:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-40622 size-full\" src=\"https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_5.png\" alt=\"\" width=\"1404\" height=\"416\" title=\"\" srcset=\"https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_5.png 1404w, https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_5-300x89.png 300w, https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_5-1024x303.png 1024w, https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_5-768x228.png 768w\" sizes=\"(max-width: 1404px) 100vw, 1404px\" \/><\/p>\n<p style=\"text-align: center;\"><em>Figure 5: Vulnerability scan by leakix.net<\/em><\/p>\n<p>The site itself explains that the service scans the entire Internet randomly for known 
vulnerabilities:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-40624 size-full\" src=\"https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_6.png\" alt=\"\" width=\"1634\" height=\"454\" title=\"\" srcset=\"https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_6.png 1634w, https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_6-300x83.png 300w, https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_6-1024x285.png 1024w, https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_6-768x213.png 768w, https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_6-1536x427.png 1536w\" sizes=\"(max-width: 1634px) 100vw, 1634px\" \/><\/p>\n<p style=\"text-align: center;\"><em>Figure 6: leakix.net &#8211; About<\/em><\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-53dfed3 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-eae-slider=\"30150\" data-id=\"53dfed3\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;ekit_has_onepagescroll_dot&quot;:&quot;yes&quot;}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-af40386\" data-eae-slider=\"20876\" data-id=\"af40386\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-84db14e elementor-widget elementor-widget-text-editor\" data-id=\"84db14e\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;ekit_we_effect_on&quot;:&quot;none&quot;}\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h4>HAFNIUM Exchange Exploits (2,8%)<\/h4>\n<p>Furthermore, we identified 20 requests that attempted to detect or exploit parts of the Microsoft Exchange vulnerabilities (ProxyLogon) first exploited by the HAFNIUM group. (Common IOCs can be found under <a href=\"https:\/\/i.blackhat.com\/USA21\/Wednesday-Handouts\/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/i.blackhat.com\/USA21\/Wednesday-Handouts\/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf<\/a>):<\/p>\n<ul type=\"disc\">\n<li>autodiscover.xml: attempt to obtain the administrator account ID of the Exchange server, the first step of the ProxyLogon chain<\/li>\n<li>\/owa\/auth\/: folder into which web shells are uploaded post-compromise to establish a backdoor; requests to it probe for such shells<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-40626 size-full\" src=\"https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_7.png\" alt=\"\" width=\"1257\" height=\"378\" title=\"\" srcset=\"https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_7.png 1257w, https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_7-300x90.png 300w, https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_7-1024x308.png 1024w, https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_7-768x231.png 768w\" sizes=\"(max-width: 1257px) 100vw, 1257px\" \/><\/p>\n<p style=\"text-align: center;\"><em>Figure 7: Attempted exploitation of HAFNIUM\/ProxyLogon Exchange vulnerabilities<\/em><\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-a4c733e elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-eae-slider=\"75676\" data-id=\"a4c733e\" 
data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;ekit_has_onepagescroll_dot&quot;:&quot;yes&quot;}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-30179c0\" data-eae-slider=\"9703\" data-id=\"30179c0\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-55c7b77 elementor-widget elementor-widget-text-editor\" data-id=\"55c7b77\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;ekit_we_effect_on&quot;:&quot;none&quot;}\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h4>NGINX .env Sensitive Information Disclosure of Server Variables (1,5%)<\/h4>\n<p>11 requests attempted to read a .env file in the document root of the webserver. 
Should this file exist and be readable, it is likely to contain sensitive environment variables (such as database passwords or API keys), since many web frameworks load their configuration from it.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-40628 size-full\" src=\"https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_8.png\" alt=\"\" width=\"863\" height=\"216\" title=\"\" srcset=\"https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_8.png 863w, https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_8-300x75.png 300w, https:\/\/www.pentestfactory.de\/wp-content\/uploads\/logs_8-768x192.png 768w\" sizes=\"(max-width: 863px) 100vw, 863px\" \/><\/p>\n<p style=\"text-align: center;\"><em>Figure 8: Attempts to read a .env file<\/em><\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-6bd1fa2 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-eae-slider=\"19373\" data-id=\"6bd1fa2\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;ekit_has_onepagescroll_dot&quot;:&quot;yes&quot;}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-0701c3e\" data-eae-slider=\"16153\" data-id=\"0701c3e\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-9414e7f elementor-widget elementor-widget-text-editor\" data-id=\"9414e7f\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;ekit_we_effect_on&quot;:&quot;none&quot;}\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h4>Remaining Requests (10,2%)<\/h4>\n<p>A further 58 requests were not part of larger scanning activities and probed individual vulnerabilities:<\/p>\n<ul type=\"disc\">\n<li>Server-Side Request Forgery attempts: 12 requests<\/li>\n<li>CVE-2020-25078: D-Link IP camera admin password disclosure exploit: 9 requests<\/li>\n<li>Hex-encoded exploits\/payloads: 5 requests<\/li>\n<li>Spring Boot: Actuator endpoints for reading (sensitive) server information: 3 requests<\/li>\n<li>Netgear router DGN1000\/DGN2200: remote code execution exploit: 2 requests<\/li>\n<li>Open proxy CONNECT: 1 request<\/li>\n<li>Various single exploits or vulnerability checks: 27 requests<\/li>\n<\/ul>\n<p>Furthermore, the following harmless resources were requested:<\/p>\n<ul type=\"disc\">\n<li>favicon.ico &#8211; bookmark icon: 7 requests<\/li>\n<li>robots.txt &#8211; crawler instructions for search engines: 9 requests<\/li>\n<\/ul>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-b23076e elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-eae-slider=\"95198\" data-id=\"b23076e\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;ekit_has_onepagescroll_dot&quot;:&quot;yes&quot;}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-9fd1eed\" data-eae-slider=\"36093\" data-id=\"9fd1eed\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-77b2a9b elementor-widget elementor-widget-text-editor\" data-id=\"77b2a9b\" 
data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;ekit_we_effect_on&quot;:&quot;none&quot;}\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h4>Conclusion<\/h4>\n<p>Using tools like zmap, attackers are able to scan the entire IPv4 Internet on a single port in less than 5 minutes (see <a href=\"https:\/\/www.usenix.org\/system\/files\/conference\/woot14\/woot14-adrian.pdf\" rel=\"nofollow noopener\" target=\"_blank\">https:\/\/www.usenix.org\/system\/files\/conference\/woot14\/woot14-adrian.pdf<\/a>). The statistics above show that IT systems become the immediate target of automated attacks and vulnerability scans as soon as they are reachable on the Internet. <strong>The size of a company or how well-known it is are irrelevant<\/strong>, since attackers scan the entire Internet for vulnerable hosts and often cover the complete IPv4 address range. Even applications that are hidden behind specific hostnames on common infrastructure components like reverse proxies or load balancers can be targeted. A secret or unusual hostname is not hidden, as is often assumed, and does not protect against unauthorized access: as soon as you obtain an SSL\/TLS certificate for a service or application, its hostname is recorded in so-called Certificate Transparency logs, which are publicly available. This allows automated tools to find and attack such hosts as well, since the hostnames can be queried using services like <a href=\"https:\/\/crt.sh\" rel=\"nofollow noopener\" target=\"_blank\">crt.sh<\/a>. 
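<\/p>\n<p>To make the Certificate Transparency point concrete, the following Python script is an added example (not code from the original article): it parses a crt.sh JSON response, lists the hostnames it reveals and compares them with a host inventory, which also ties into the inventory recommendation in the next section. The query URL format is the real crt.sh one; the response body, the inventory and the domain example.com are constructed for this example, so the script runs offline on the embedded sample:<\/p>

```python
"""Hostnames leaked by Certificate Transparency logs, compared against an inventory.

Added example for this article, not code from the original post. The crt.sh
response, the inventory and the domain example.com are constructed test data."""
import json
from datetime import datetime
from urllib.parse import quote


def crtsh_query_url(domain):
    """crt.sh's JSON endpoint: '%' is the SQL wildcard, so %.example.com matches
    every certificate issued for any name under example.com."""
    return "https://crt.sh/?q=" + quote("%." + domain) + "&output=json"


# Constructed response in crt.sh's JSON shape: name_value carries the SAN
# entries of a certificate separated by newlines (assumption: three certs).
SAMPLE_RESPONSE = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_after": "2021-11-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "vulndb-staging.example.com",      # the "secret" host
     "name_value": "vulndb-staging.example.com",
     "not_after": "2021-10-15T00:00:00"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com",
     "not_after": "2022-03-01T00:00:00"},
])


def hostnames_from_crtsh(raw_json):
    """Map every hostname in the response to its latest certificate expiry
    and the set of issuers that certified it."""
    hosts = {}
    for entry in json.loads(raw_json):
        expiry = datetime.fromisoformat(entry["not_after"])
        names = {n.strip().lower() for n in entry["name_value"].split("\n")}
        names.add(entry["common_name"].strip().lower())
        for name in names:
            if not name:
                continue
            info = hosts.setdefault(name, {"latest_expiry": expiry, "issuers": set()})
            info["latest_expiry"] = max(info["latest_expiry"], expiry)
            info["issuers"].add(entry["issuer_name"])
    return hosts


def unknown_hosts(hosts, inventory):
    """Concrete (non-wildcard) hostnames that are public via CT logs but
    missing from the inventory: exactly the forgotten staging or test systems
    an attacker finds with a single crt.sh query."""
    return sorted(h for h in hosts if not h.startswith("*.") and h not in inventory)


def wildcard_names(hosts):
    """Wildcard entries keep concrete hostnames out of CT logs but expose
    every host under the domain to a single key compromise."""
    return sorted(h for h in hosts if h.startswith("*."))


def expired_hosts(hosts, today_iso):
    """Hosts whose newest logged certificate has already expired on the given
    ISO date: either forgotten systems or a renewal that did not happen."""
    today = datetime.fromisoformat(today_iso)
    return sorted(h for h, info in hosts.items() if info["latest_expiry"] < today)


if __name__ == "__main__":
    found = hostnames_from_crtsh(SAMPLE_RESPONSE)
    inventory = {"www.example.com", "example.com"}   # constructed inventory
    print("query:", crtsh_query_url("example.com"))
    print("not in inventory:", unknown_hosts(found, inventory))
    print("wildcards:", wildcard_names(found))
    print("expired:", expired_hosts(found, "2021-10-20"))
```

<p>For a real check, fetch the URL from <i>crtsh_query_url<\/i> for each of your domains, pass the body to <i>hostnames_from_crtsh<\/i> and treat every name in <i>unknown_hosts<\/i> as an exposed system that is missing from your inventory and patch process; <i>expired_hosts<\/i> catches forgotten renewals.<\/p>\n<p>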
Further information on this topic can be found in our article <a href=\"https:\/\/www.pentestfactory.com\/subdomains-under-the-hood-ssl-transparency-logs\/\" rel=\"nofollow noopener\" target=\"_blank\">Subdomains under the hood: SSL Transparency Logs<\/a>.<\/p>\n<p>Access controls and hardening measures therefore have to be in place before your services and applications are exposed to the Internet. <strong>As soon as an IT system is reachable on the Internet, you have to expect active attacks<\/strong>, which in the worst case may succeed.<\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-9ca5537 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-eae-slider=\"47185\" data-id=\"9ca5537\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;ekit_has_onepagescroll_dot&quot;:&quot;yes&quot;}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-e524965\" data-eae-slider=\"49340\" data-id=\"e524965\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-885f5c7 elementor-widget elementor-widget-text-editor\" data-id=\"885f5c7\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;ekit_we_effect_on&quot;:&quot;none&quot;}\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h4>Recommendation<\/h4>\n<p><span style=\"text-decoration: underline;\">Expose only required network services publicly<\/span><\/p>\n<p>When you publish IT systems on 
the public Internet, you should only expose the services that are required for the business purpose. For a web application or service based on HTTP(S), this usually means that only TCP port 443 is required.<\/p>\n<p>Refrain from exposing the entire host (all available network services) to the Internet.<\/p>\n<p><span style=\"text-decoration-line: underline;\">Network separation<\/span><\/p>\n<p>Implement a demilitarized zone (DMZ) using firewalls to achieve an additional layer of network separation between the public Internet and your internal IT infrastructure. Place all infrastructure components that you want to expose to the Internet in this DMZ. Further information can be found in the IT-Grundschutz compendium of the BSI.<\/p>\n<p><span style=\"text-decoration: underline;\">Patch management and inventory<\/span><\/p>\n<p>Keep all software components up to date and implement a patch management process. Create an inventory of all IT infrastructure components, listing all software versions in use, virtual hostnames, SSL\/TLS certificate expiration dates, configuration settings, etc.<\/p>\n<p>Further information can be found under: <a href=\"http:\/\/www.windowsecurity.com\/uplarticle\/Patch_Management\/ASG_Patch_Mgmt-Ch2-Best_Practices.pdf\" rel=\"nofollow noopener\" target=\"_blank\">http:\/\/www.windowsecurity.com\/uplarticle\/Patch_Management\/ASG_Patch_Mgmt-Ch2-Best_Practices.pdf<\/a><\/p>\n<p><span style=\"text-decoration: underline;\">Hardening measures<\/span><\/p>\n<p>Harden all exposed network services and IT systems according to the best practices of the vendor or the hardening benchmarks of the Center for Internet Security (CIS). Change all default passwords or simple login credentials that may remain from the development phase, and configure your systems for production use. This includes disabling debug features and test endpoints. 
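<\/p>\n<p>The web server part of these hardening measures, the recommended response headers and the cookie attributes, can be checked automatically. The following Python script is an added example (not code from the original article or from OWASP): it parses a raw HTTP response, reports missing or weak security headers, cookies without <i>Secure<\/i>, <i>HttpOnly<\/i> and <i>SameSite<\/i>, and version disclosure in <i>Server<\/i> or <i>X-Powered-By<\/i>. The two responses are constructed, and the list of required headers is an assumption that you should align with your own policy:<\/p>

```python
"""Audit HTTP response headers and Set-Cookie attributes against the hardening
recommendations above.

Added example, not code from the original article. The two raw responses are
constructed; the required-header list and the regexes follow the OWASP Secure
Headers project but are an assumption about what your policy demands."""
import re

# Header -> regex the value must match (None: presence is enough). Assumption.
REQUIRED_HEADERS = {
    "strict-transport-security": re.compile(r"max-age=\d{5,}", re.I),
    "content-security-policy": None,
    "x-content-type-options": re.compile(r"^nosniff$", re.I),
    "x-frame-options": re.compile(r"^(deny|sameorigin)$", re.I),
    "referrer-policy": None,
}
# Headers that commonly leak product versions (a version string contains a digit).
LEAKY_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_line, [(name, value), ...]).
    Names are lower-cased; repeated headers such as Set-Cookie are all kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, _, header_block = head.partition("\r\n")
    headers = []
    for line in header_block.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return status_line, headers


def cookie_findings(set_cookie):
    """Findings for one Set-Cookie value: Secure, HttpOnly and SameSite=Lax/Strict
    must all be present on a session cookie."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name}: missing Secure")
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: missing HttpOnly")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"cookie {name}: SameSite not Lax or Strict")
    return findings


def audit(raw):
    """Return a list of findings; an empty list means the response passes."""
    _, headers = parse_response(raw)
    present = {}
    findings = []
    for name, value in headers:
        if name == "set-cookie":
            findings.extend(cookie_findings(value))
        else:
            present[name] = value
    for name, pattern in REQUIRED_HEADERS.items():
        if name not in present:
            findings.append(f"missing header {name}")
        elif pattern and not pattern.search(present[name]):
            findings.append(f"weak {name}: {present[name]}")
    for name in LEAKY_HEADERS:
        if name in present and re.search(r"\d", present[name]):
            findings.append(f"version disclosure via {name}: {present[name]}")
    return findings


# Constructed responses: a default PHP-on-nginx setup and a hardened one.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "\r\n"
    "body"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "\r\n"
    "body"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(raw) or ["OK"])
```

<p>Run <i>audit<\/i> against a captured response (for example the output of <i>curl -si https:\/\/host\/<\/i>, which keeps the CRLF line endings); an empty result means the response meets the assumed policy.<\/p>\n<p>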
Implement all recommended&nbsp;<a href=\"https:\/\/owasp.org\/www-project-secure-headers\/\" target=\"_blank\" rel=\"nofollow noopener\">HTTP response headers<\/a>&nbsp;and harden the configuration of your webservers. Ensure that sensitive cookies have the <i>Secure<\/i>, <i>HttpOnly<\/i> and <i>SameSite<\/i> attributes set.<\/p>\n<p><span style=\"text-decoration: underline;\">Transport encryption<\/span><\/p>\n<p>Offer your network services exclusively over an encrypted channel (TLS). This ensures the confidentiality and integrity of your data and allows clients to verify the authenticity of the server. Refrain from using outdated algorithms like <i>RC4<\/i>, <i>DES<\/i>, <i>3DES<\/i>, <i>MD2<\/i>, <i>MD4<\/i>, <i>MD5<\/i> or <i>SHA1<\/i>, and disable the legacy protocol versions SSLv3, TLS 1.0 and TLS 1.1. Use certificates issued by a trusted certificate authority, e.g., <i>Let&#8217;s Encrypt<\/i>. Keep these certificates up to date and renew them in time. Use a separate certificate per application (service) and list the correct domain name in the <i>Subject Alternative Name<\/i> (SAN) extension of the certificate; modern clients ignore the <i>Common Name<\/i> field. Wildcard certificates are only necessary in rare cases and are not recommended, because a single compromised key then affects every host under that domain.<\/p>\n<p><span style=\"text-decoration: underline;\">Access controls and additional security solutions<\/span><\/p>\n<p>Restrict access to network services that do not need to be reachable by everyone on the Internet. It may make sense to implement IP allowlisting (whitelisting), which limits connections to a trusted pool of static IP addresses. Configure this either in your firewall or directly in the deployed network service, if possible. 
Alternatively, you can use TLS client certificates or&nbsp;<a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Authentication\" target=\"_blank\" rel=\"nofollow noopener\">HTTP Basic Authentication<\/a> (only over TLS, since the credentials are merely Base64-encoded).&nbsp;<\/p>\n<ul>\n<li>Nginx webserver: <a href=\"https:\/\/docs.nginx.com\/nginx\/admin-guide\/security-controls\/controlling-access-proxied-tcp\/\" rel=\"nofollow noopener\" target=\"_blank\">https:\/\/docs.nginx.com\/nginx\/admin-guide\/security-controls\/controlling-access-proxied-tcp\/<\/a><\/li>\n<li>Apache webserver: <a href=\"https:\/\/httpd.apache.org\/docs\/2.4\/howto\/access.html\" rel=\"nofollow noopener\" target=\"_blank\">https:\/\/httpd.apache.org\/docs\/2.4\/howto\/access.html<\/a><\/li>\n<li>SSH: <a href=\"https:\/\/unix.stackexchange.com\/a\/406264\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/unix.stackexchange.com\/a\/406264<\/a><\/li>\n<\/ul>\n<p>Implement additional security solutions for your network services, such as an <i>Intrusion Prevention System<\/i> (IPS) or a <i>Web Application Firewall<\/i> (WAF), for advanced protection against potential attacks. As an IPS we can recommend the open source solution <i>Fail2ban<\/i>. As a WAF, <i>ModSecurity<\/i> with the well-known <i>OWASP Core Rule Set<\/i> can be set up.<\/p>\n<p>Fail2ban is an IPS written in Python that identifies suspicious activity in log files using regular-expression filters and triggers automatic defensive actions. It can, for instance, recognize automated vulnerability scans, brute-force attacks or bot requests and block the offending IP addresses via iptables. Fail2ban is open source and can be used freely.<\/p>\n<ul>\n<li>Installation of Fail2ban\n<ul>\n<li>Fail2ban can usually be installed using the native package manager of your Linux distribution. 
The following command is usually sufficient:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<pre style=\"padding-left: 120px;\">sudo apt update &amp;&amp; sudo apt install fail2ban<\/pre>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Afterwards the Fail2ban service should have started automatically. Verify successful startup using the following command:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<pre style=\"padding-left: 120px;\">sudo systemctl status fail2ban<\/pre>\n<ul>\n<li>Configuration of Fail2ban\n<ul>\n<li>After the installation of Fail2ban, a new directory <i>\/etc\/fail2ban\/<\/i> is available, which holds all relevant configuration files. By default, two configuration files are provided: <i>\/etc\/fail2ban\/jail.conf<\/i> and <i>\/etc\/fail2ban\/jail.d\/defaults-debian.conf<\/i>. They should however not be edited, since they may be overwritten with the next package update.<\/li>\n<li>Instead you should create specific configuration files with the <i>.local<\/i> file extension. Configuration files with this extension override directives from the <i>.conf<\/i> files. The easiest configuration method for most users is copying the supplied <i>jail.conf<\/i> to <i>jail.local<\/i> and then editing the .local file for the desired changes. The .local file only needs to hold the entries that shall override the default configuration.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li>Fail2ban for SSH\n<ul>\n<li>After the installation of Fail2ban, a default guard is active for the SSH service on TCP port 22. Should you use a different port for your SSH service, you have to adapt the configuration setting <em>port<\/em> in your <em>jail.local<\/em> file. Here you can also adapt important directives like <em>findtime<\/em>, <em>bantime<\/em> and <em>maxretry<\/em>, should you require a more specific configuration. 
Should you not require this protection, you can disable it by setting the directive <i>enabled<\/i> to <i>false<\/i>.&nbsp;Further information can be found under: <a href=\"https:\/\/wiki.ubuntuusers.de\/fail2ban\/\" rel=\"nofollow noopener\" target=\"_blank\">https:\/\/wiki.ubuntuusers.de\/fail2ban\/<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li>Fail2ban for web services<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Furthermore, Fail2ban can be set up to protect against automated web attacks. You may, for instance, recognize attacks that try to enumerate web directories (Forceful Browsing) or known requests associated with vulnerability scans and block them.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>The community provides dedicated configuration files, which can be used freely:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><a href=\"https:\/\/github.com\/fail2ban\/fail2ban\/blob\/master\/config\/filter.d\/apache-botsearch.conf\" rel=\"nofollow noopener\" target=\"_blank\">https:\/\/github.com\/fail2ban\/fail2ban\/blob\/master\/config\/filter.d\/apache-botsearch.conf<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/fail2ban\/fail2ban\/blob\/master\/config\/filter.d\/apache-badbots.conf\" rel=\"nofollow noopener\" target=\"_blank\">https:\/\/github.com\/fail2ban\/fail2ban\/blob\/master\/config\/filter.d\/apache-badbots.conf<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/fail2ban\/fail2ban\/blob\/master\/config\/filter.d\/nginx-botsearch.conf\" rel=\"nofollow noopener\" target=\"_blank\">https:\/\/github.com\/fail2ban\/fail2ban\/blob\/master\/config\/filter.d\/nginx-botsearch.conf<\/a><\/li>\n<li><a href=\"https:\/\/gist.github.com\/dale3h\/660fe549df8232d1902f338e6d3b39ed#file-nginx-badbots-conf\" rel=\"nofollow noopener\" 
target=\"_blank\">https:\/\/gist.github.com\/dale3h\/660fe549df8232d1902f338e6d3b39ed#file-nginx-badbots-conf<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Store these exemplary filter configurations in the directory \/etc\/fail2ban\/filter.d\/ and configure a new jail in your jail.local file. In the following we provide an example.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li>Blocking search requests from bots\n<ul>\n<li>Automated bots and vulnerability scanners continuously crawl the entire Internet to identify vulnerable hosts and execute exploits. Oftentimes, known tools are used, whose signature can be identified in the <em>User-Agent<\/em> HTTP-Header. Using this header, many simple bot attacks can be detected and blocked. Attackers may change this header, which leaves more advanced attacks undetected. The Fail2ban filters <em>*badbots.conf<\/em> are mainly based on the &#8220;User-Agent&#8221; header.&nbsp;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Alternatively, it is also possible to block all requests that follow a typical attack pattern. This includes automated requests, which continuously attempt to identify files or directories on the web server. Since this type of attack requests several file and directory names at random, the probability of many requests resulting in a <em>404 Not Found<\/em> error message is relatively high. Analysing these error messages and the associated log files, Fail2ban is able to recognize attacks and ban attacker systems early on.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Example: Nginx web server:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p style=\"padding-left: 120px;\">1. 
Store the following file under <em>\/etc\/fail2ban\/filter.d\/nginx-botsearch.conf<\/em><\/p>\n<p style=\"padding-left: 160px;\"><a href=\"https:\/\/github.com\/fail2ban\/fail2ban\/blob\/master\/config\/filter.d\/nginx-botsearch.conf\" rel=\"nofollow noopener\" target=\"_blank\">https:\/\/github.com\/fail2ban\/fail2ban\/blob\/master\/config\/filter.d\/nginx-botsearch.conf<\/a><\/p>\n<p style=\"padding-left: 120px;\">2. Add the following configuration settings to your <em>\/etc\/fail2ban\/jail.local<\/em> (comments are placed on their own lines so that the parser does not read them as part of the values):<\/p>\n<pre style=\"padding-left: 160px;\">[nginx-botsearch]<br\/>ignoreip = 127.0.0.0\/8 10.0.0.0\/8 172.16.0.0\/12 192.168.0.0\/16<br\/>enabled = true<br\/>port = http,https<br\/>filter = nginx-botsearch<br\/>logpath = \/var\/log\/nginx\/access.log<br\/># ban for 1 week<br\/>bantime = 604800<br\/># ban after 10 error messages<br\/>maxretry = 10<br\/># reset the maxretry counter after 1 minute<br\/>findtime = 60<\/pre>\n<p style=\"padding-left: 120px;\">3. If necessary, include further trustworthy IP addresses of your company in the <em>ignoreip<\/em> field, which shall not be blocked by Fail2ban. If necessary, adapt other directives according to your needs and verify the specified port number of the web server, as well as correct read permissions for the <em>\/var\/log\/nginx\/access.log<\/em> log file.<\/p>\n<p style=\"padding-left: 120px;\">4. Restart the Fail2ban service<\/p>\n<pre style=\"padding-left: 160px;\">sudo systemctl restart fail2ban<\/pre>\n<p>Automated enumeration requests will now be banned if they generate more than ten 404 error messages within one minute. The IP address of the attacking system will be blocked for a week using iptables and enabled again afterwards. If desired, you can also be informed about IP bans via e-mail using additional configuration settings. 
A&nbsp;push notification to your smartphone using a&nbsp;<a href=\"https:\/\/deividsdocs.com\/2020\/04\/21\/sending-fail2ban-notifications-using-a-telegram-bot\/\" target=\"_blank\" rel=\"nofollow noopener\">Telegram-Messenger-Bot in Fail2ban<\/a>&nbsp;is also possible. Overall, Fail2ban is very flexible and allows unlimited&nbsp;<i>banactions<\/i>, like custom shell scripts, in case a filter matches.<\/p>\n<p>To view already banned IP addresses the following commands can be used:<\/p>\n<ul>\n<li>View available jails<\/li>\n<\/ul>\n<pre style=\"padding-left: 80px;\">sudo fail2ban-client status<\/pre>\n<ul>\n<li>View banned IP addresses in a jail (here the <em>nginx-botsearch<\/em> jail from the example above)<\/li>\n<\/ul>\n<pre style=\"padding-left: 80px;\">sudo fail2ban-client status nginx-botsearch<\/pre>\n<p>Fail2ban offers several ways to protect your services even better. Inform yourself about additional filters and start using them, if desired. Alternatively, you can also create your own filters using regex and&nbsp;<a href=\"https:\/\/www.the-art-of-web.com\/system\/fail2ban-filters\/\" target=\"_blank\" rel=\"nofollow noopener\">test them on log entries<\/a>.<\/p>\n<p>Premade Fail2ban filter lists can be found here:&nbsp;<a href=\"https:\/\/github.com\/fail2ban\/fail2ban\/tree\/master\/config\/filter.d\" style=\"background-color: rgb(255, 255, 255);\" rel=\"nofollow noopener\" target=\"_blank\">https:\/\/github.com\/fail2ban\/fail2ban\/tree\/master\/config\/filter.d<\/a><\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Independent of the size of a company or enterprise, everyone has to expect becoming a target of cyber attacks. Many attacks are not aimed at a specific target, but happen randomly and automated. 
Upon deploying a new server for the provisioning of our own vulnerability database, we noticed that already in the first 20 hours [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":40705,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[22],"tags":[35,34,36],"class_list":["post-41023","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-specialist-article","tag-cyber-attacks-en","tag-cyber-attacks","tag-vulnerabilities"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.pentestfactory.de\/en\/wp-json\/wp\/v2\/posts\/41023","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.pentestfactory.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.pentestfactory.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.pentestfactory.de\/en\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.pentestfactory.de\/en\/wp-json\/wp\/v2\/comments?post=41023"}],"version-history":[{"count":5,"href":"https:\/\/www.pentestfactory.de\/en\/wp-json\/wp\/v2\/posts\/41023\/revisions"}],"predecessor-version":[{"id":41028,"href":"https:\/\/www.pentestfactory.de\/en\/wp-json\/wp\/v2\/posts\/41023\/revisions\/41028"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.pentestfactory.de\/en\/wp-json\/wp\/v2\/media\/40705"}],"wp:attachment":[{"href":"https:\/\/www.pentestfactory.de\/en\/wp-json\/wp\/v2\/media?parent=41023"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.pentestfactory.de\/en\/wp-json\/wp\/v2\/categories?post=41023"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.pentestfactory.de\/en\/wp-json\/wp\/v2\/tags?post=41023"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}