Skip to content

Sentinel monitors certificate transparency logs for various services that allow anonymous access

License

Notifications You must be signed in to change notification settings

BorisGerretzen/Sentinel

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

18 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Sentinel

Sentinel monitors certificate transparency logs and looks for services that have not configured authentication correctly.

I recommend using a vpn while running this service.

Currently, the following services are supported:

  • MongoDB
  • Mongo-Express
  • Elasticsearch
  • Mysql
  • It is possible to add more services/labels by registering them in SentinelLib.

Instructions

  1. Connect to a VPN, this is not required but recommended so your IP does not show up in any logs.
  2. Download and install MongoDB, make sure authentication is disabled and the server is listening on 127.0.0.1.
  3. Restore Nuget packages and build solution.
  4. Run built executable.
  5. Wait...

How it works

Sentinel uses certstream to get a live feed of certificates added to CT logs. It extracts the domain names from these certificates and checks the first label of these domain names. If the label is one of the recognized labels, a connection is attempted with a client of the corresponding service. For example, mongo.example.com will be treated as a MongoDB host and thus a MongoDB connection will be attempted.

If this connection is successful, a callback method is called where you can deal with the results. Sentinel by default stores them in a locally hosted MongoDB instance. Authentication is disabled, very nice.

Every service that requires a specific connection type will need its own scanner. An abstract class is provided for these scanners. Custom scanners can be implemented by extending this base class and registering them in ScannerProvider. If no custom scanners are required, ScannerProvider.DefaultProvider will suffice.

Why?

My BSc. thesis was about information leakage through certificate transparency. During my research I found that a considerable percentage of services that announce their presence through domain name labels do not have authentication enabled or allow guest access.

My thesis used an older dataset, specifically the Google Argon 2021 dataset. Because this is a relatively old dataset, a lot of the domains listed no longer exist or the owners had time to fix their mistakes. This got me curious what differences could be observed when using more recent, near realtime CT logs.

Future work

  • Increased result handling flexibility e.g. config for MongoDB instance.
  • More configuration options
  • Callback for open ports, regardless of scan result
  • CI/CD
  • Better logging
  • Nuget package of SentinelLib