
I am a website developer (mainly using MVC.NET). Recently, we have been contacted by a hacker. He claimed that he knows our admin URL. The problem is we do not publish or put the admin URL anywhere on our webpage. The only place where the URL is listed is in CloudFlare DNS as A record.

So I challenged the hacker and, like magic, he/she pasted my admin URL.

I have spent days on Google trying to find out how it is possible to find the admin URL (which is part of a subdomain, but I never publish the URL). For curiosity, here is our admin URL: xbda-www3345-hilo.mydomain.com. The question is, how is it possible that anyone could know the subdomain xbda-www3345-hilo?

The IP address that hit the domain is msnbot. How does msnbot (a search engine crawler) know my admin domain?

Every time I change the admin domain, he would find out my admin domain after a few weeks. How is it possible?

I host my website on an Azure VM (Windows 2016).

Sam
    A better question is why you attempt to keep a URL secret. It may leak through browsers submitting it to URL screening systems, leading to search engines visiting it... You should rely on authentication, not obfuscation of the URL. – vidarlo Aug 02 '22 at 06:36
    You can't rely on security by obscurity. Do you have HTTPS for your admin panel? If so, do you use a wildcard certificate or does the certificate mention the full domain? All trusted certs are listed in public certificate transparency logs. – amon Aug 02 '22 at 06:36
  • Hi vidarlo & amon, yes we have authentication and yes, all of our websites are using HTTPS. We obscure the admin page to prevent "brute force" login. I am very curious, how is it possible for the hacker to know my admin domain? – Sam Aug 02 '22 at 06:45
    Do you use Edge to connect to the admin portal? – schroeder Aug 02 '22 at 07:04
    Have you used `dig` or something similar to see if these subdomains are publicly discoverable using DNS? – schroeder Aug 02 '22 at 07:07
  • Hi schroeder, I did not use Edge, mostly we use chrome. But our customers might access the website using Edge. I did use dig and nslookup (in Windows) and my domain is clear. – Sam Aug 02 '22 at 12:12
  • Wait, so this isn't limited to you accessing this, but it is meant to be publicly accessible by clients? Then you can't know what's exposed. If just one person uses Edge, then that could do it. And this is clearly not a "hacker" as you stated. You, yourself, determined that it is a search crawler. So, the person contacting you is simply looking up public info. – schroeder Aug 04 '22 at 09:47
  • @schroeder, since it is admin access, only a limited number of people know the URL (right now only 4 people have access). None of them is using Edge. Furthermore, I log which browser was used each time the admin page is visited, including the IP address of the visitor. So I know that no one is using Edge. – Sam Aug 05 '22 at 11:56

1 Answer

Whilst it's not possible to know definitively, based on the comment from @amon and your response, one way in which an attacker could find your admin URL would be to use Certificate Transparency logs.

There are several good examples of exactly how these logs work (for example this one); however, the basics are that every TLS certificate issued by one of the Certificate Authorities trusted by the major browsers is placed in a public log, so that users can validate that the certificate of a site they visit is a valid one, and to help mitigate the risk of attackers tricking certificate authorities into issuing certificates for sites they don't own.

The flip side of this is that anyone can get a list of newly issued certificates, which include the DNS name of the host (unless you're using a wildcard certificate), allowing them to find the site.

With that said, knowledge of the URL shouldn't, on its own, allow an attacker to compromise your system.

Rory McCune
    Related: [WordPress sites getting hacked ‘within seconds’ of TLS certificates being issued](https://portswigger.net/daily-swig/wordpress-sites-getting-hacked-within-seconds-of-tls-certificates-being-issued) – Steffen Ullrich Aug 02 '22 at 08:38
  • +1 Thanks Rory, this is an interesting idea! And thanks Steffen for the interesting article about the WordPress sites being hacked. I am issuing the certificate via CloudFlare, so it is a wildcard certificate. I am still scratching my head. But +1 for an interesting article about Certificate Transparency logs. – Sam Aug 02 '22 at 12:18
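The following is an added example (not code from the original question, the answer, or any tool mentioned in the thread) that makes the Certificate Transparency point concrete from the defender's side. It models a CT-log query result as constructed records in the JSON shape crt.sh returns (a `name_value` field listing the certificate's DNS names, one per line), extracts the concrete hostnames such a log discloses, and then audits a certificate's SAN list against hostnames you would rather not publish. It goes slightly beyond the answer by encoding the standard wildcard matching rule: `*.mydomain.com` covers exactly one label, so it hides `xbda-www3345-hilo.mydomain.com` but covers neither the bare apex nor a two-level name like `deep.admin.mydomain.com`, which would then have to be listed literally (and therefore publicly). All hostnames, issuer names and dates in the sample are constructed.

```python
"""Added example (not from the original post): what a Certificate
Transparency (CT) log discloses about a domain, and which private hostnames
a certificate's SAN list would print into that public log.

The records below are constructed to mimic crt.sh JSON output; no real CT
log is queried and no network access is needed.
"""
import json
from typing import Iterable

# Constructed CT-log entries in crt.sh-like form. "name_value" holds every
# DNS name in the certificate, newline-separated, wildcards included.
SAMPLE_CT_LOG = json.dumps([
    {"issuer_name": "C=US, O=Example CA", "not_before": "2022-07-01T00:00:00",
     "name_value": "mydomain.com\nwww.mydomain.com"},
    {"issuer_name": "C=US, O=Example CA", "not_before": "2022-07-20T00:00:00",
     "name_value": "xbda-www3345-hilo.mydomain.com"},
    {"issuer_name": "C=US, O=Example CA", "not_before": "2022-07-25T00:00:00",
     "name_value": "*.mydomain.com\nmydomain.com"},
])


def disclosed_hostnames(ct_json: str, domain: str) -> set:
    """Return every concrete (non-wildcard) hostname under `domain` that the
    CT records expose. This is what anyone watching the log learns; a
    wildcard entry reveals only that a wildcard exists, not the labels it
    serves."""
    domain = domain.lower().rstrip(".")
    found = set()
    for record in json.loads(ct_json):
        for name in record["name_value"].splitlines():
            name = name.strip().lower().rstrip(".")
            if not name or name.startswith("*"):
                continue
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return found


def wildcard_covers(pattern: str, hostname: str) -> bool:
    """RFC 6125-style check: '*' may only be the whole leftmost label and
    matches exactly one label, so '*.mydomain.com' covers
    'admin.mydomain.com' but neither 'mydomain.com' nor 'a.b.mydomain.com'."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".mydomain.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[:-len(suffix)]
    return bool(leftmost) and "." not in leftmost


def san_leaks(san_names: Iterable[str], private_hosts: Iterable[str]) -> dict:
    """For each hostname you want to keep unpublished, report whether a
    certificate carrying these SAN entries would expose it in the log:
    'disclosed'  - listed verbatim in the SAN list,
    'hidden'     - served only via a wildcard entry,
    'uncovered'  - no SAN matches, so TLS fails until a name is added
                   (adding it literally would disclose it)."""
    san = [n.lower() for n in san_names]
    report = {}
    for host in private_hosts:
        host = host.lower()
        if host in san:
            report[host] = "disclosed"
        elif any(wildcard_covers(p, host) for p in san if p.startswith("*.")):
            report[host] = "hidden"
        else:
            report[host] = "uncovered"
    return report


if __name__ == "__main__":
    print(sorted(disclosed_hostnames(SAMPLE_CT_LOG, "mydomain.com")))
    print(san_leaks(["*.mydomain.com", "mydomain.com"],
                    ["xbda-www3345-hilo.mydomain.com", "deep.admin.mydomain.com"]))
```

The practical use is the second function: run it over the SAN list of the certificate you are about to request (or the one Cloudflare issues for you) and treat any `disclosed` result as a hostname that will be public minutes after issuance, regardless of whether it is linked anywhere. As the comments on the question note, the durable fix is authentication and rate limiting on the admin endpoint rather than an unguessable name.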