• Stars
    star
    149
  • Rank 248,619 (Top 5 %)
  • Language
    Python
  • Created almost 5 years ago
  • Updated almost 5 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Created for my TryHackMe room

There are 5308 publically available Pi-Holes according to Shodan.io. This article will demonstrate how bad of an idea this is.

If you've spent any time over at r/pihole, you'll know they always talk about not having publically available Pi-Holes. But, why? What's the harm?

Out of the 5308 Pi-Holes publically available, I found 100 of them are vulnerable. Vulnerable means:

  1. You can access /admin/index.php?login. This is because not all Pi-Holes listed by Shodan work in the way we expect them to.

However, in my research I came across something interesting:

Passwordless Pi-Holes

I came across many passwordless Pi-Holes. 578 passwordless Pi-Holes to be correct. These aren't considered "vulnerable", because they are by default open. It's incredibly easy to find these, if you click around on Shodan enough you'll find them. You can also search the Shodan API (like I did below) and try to access a page, /admin/queries.php and see if it doesn't prompt for a password. Some of these Pi-Holes are meant to be public. You can tell because their domain name includes "public-pihole".

It's hard to differentiate between Pi-Holes meant to be publically accessible and those that aren't, so I haven't explored these much. Just know that these exist and to not make a publically facing Pi-Hole without a password for your personal use.

Finding these Pi-Holes

Shodan.io is a service that scans the web. It finds IoT or other devices like Pi-Hole. Using the Shodan API, we can programatically explore these Pi-Holes. Or, you can click here and explore them manually.

Finding these Pi-Holes took a minimal amount of code. I was surprised to find my Pi-Hole on this list. You need a Shodan membership. Also, don't attack Pi-Holes you don't own.

from shodan import Shodan
import requests
api = Shodan('API_KEY')

def url_ok(url):
    r = requests.head("http://" + url)
    return r.status_code == 200

def check_page(url):
    r = requests.get("http://" + url + "/admin/")
    return "Pi-hole" in r.text

def pruneIPS(vulnerableIPs):
    for i in vulnerableIPs:
        if not url_ok(i):
            if not check_page(i):
                vulnerableIPs.remove(i)
    return vulnerableIPs

result = api.search("pi-hole")

VulnerableIP = []
for service in result['matches']:
    VulnerableIP.append(service['ip_str'])

Hacking the Pi-Hole

Pi-Hole doesn't block bruteforcing. You can enter 200,000 incorrect passwords and Pi-Hole wouldn't care. How easy is it to create a brute-force attack? With Hydra - very easy. Hydra is a brute-forcing tool that uses a dictionary to attack a target. The payload for brute-forcing a Pi-Hole is:

hydra -l '' -P /usr/share/wordlists/rockyou.txt 192.168.0.1 http-post-form "/admin/index.php?login:pw=^PASS^:Forgot password"

Our wordlist is the infamous rockyou.txt. We use the http-post-form module and enter some information. The form to post, the name of the variable for the password ("pw"), and what will be on the page when a failed login attempt happens (the forgotten password box).

Since Pi-Hole doesn't block brute-force attacks, it makes it trivial to brute-force most of the Pi-Holes assuming password length is low (under 9 chars optimally, although 9 chars can be done in 19 hours https://howsecureismypassword.net/). It's worth mentioning that Pi-Hole's default password is very secure, but the lack of any timeouts sucks. Not to mention that most people change their password to something more human.

To recap, it is possible to get a list of all the vulnerable Pi-Holes and to brute-force their passwords with a dictionary attack.

I will not show code for this, because it is illegal. However, you can see the 2 separate parts in action above. Please test your own Pi-Hole. Do not test a Pi-Hole you do not own.

What can an attacker see?

Once the attacker has gained access to your Pi-Hole, they can see every website you visit. Your hosts' files, your clients and their IP addresses. Your top domains and your top blocked domains.

Now, they have a pretty good idea of who you are. They know all your devices. They know your password (which, most people would reuse on at least one of their devices). And they know you, pretty well actually. Considering your entire internet history is there. There is no point in using a Pi-Hole if all of your DNS information is as easily accessible as this.

DNS Amplification Attacks

An attacker could use your DNS server to perform a DDoS attack. This is very common and is called a DNS amplification attack. This is likely illegal for you to allow this, depending on the country. Another reason to not use a publically facing Pi-Hole.

How to protect yourself

Search your IP address on Shodan.io. Read the output. Shodan will tell you what ports are open, and will let you know whether it thinks a Pi-Hole service is running.

  1. Use a VPN to connect to your Pi-Hole: https://www.reddit.com/r/pihole/comments/bl4ka8/guide_pihole_on_the_go_with_wireguard/
  2. Don't have a publically facing Pi-Hole
  3. Choose a very strong password
  4. Turn your Pi-Hole into a no-logs Pi-Hole

Fun Facts

Statistically, most people with exploitable Pi-Holes used Deutsche Telekom AG. However, most publically accessible Pi-Holes are hosted on:

  1. Digital Ocean
  2. OVH SAS
  3. Google Cloud
  4. Deutsche Telekom AG

Shodan

Follow me on Twitter: https://twitter.com/BeeeSec

More Repositories

1

pyWhat

🐸 Identify anything. pyWhat easily lets you identify emails, IP addresses, and more. Feed it a .pcap file or some text and it'll tell you what it is! 🧙‍♀️
Python
6,558
star
2

Ares

Automated decoding of encrypted text without knowing the key or ciphers used
Rust
562
star
3

AlgorithmsBook

📚 My algorithmic design paradigms book! 📚
TeX
242
star
4

Employabiltiy-book

The repo for my book, How to get any job you want
HTML
61
star
5

tldr-News

🏖️ Generates a TL;DR of news using Natural Language Processing 🏖️
JavaScript
36
star
6

Python-Zero-to-Hero

For my book on Python https://beesec.gitbook.io/python-zero-to-hero/
25
star
7

Algorithms

Learn DS&A through leetcode problems
15
star
8

bee-san

6
star
9

awesome-accessible-hacking

Accessible hacking made awesome
6
star
10

DeepValueAnalysisBot

Discord bot for analysis of stocks
Python
5
star
11

awesome-a11y-pentesting

Awesome Accessible Pentesting Tools
5
star
12

skerritt.blog

JavaScript
4
star
13

youtube-videos

Code for my YouTube Videos
Python
4
star
14

diss

Python
4
star
15

Books

React app to show all the books I've read / want to read
JavaScript
4
star
16

Awesome-RSS-Feeds

An Awesome List of RSS Feeds
3
star
17

Dissertation

3
star
18

Everything

A program to do all the annoying little things
Python
3
star
19

newsLetterChecker

The code I use to check my newsletters
Python
3
star
20

LineBytes

.lines() for non-UTF8 files by reading bytes and breaking on 0x0A (linefeed)
Rust
2
star
21

ethereum_osint_tools

2
star
22

DiscordBot

Python
2
star
23

Kurcoder

A tool kit to assist with encoding, decoding, checksums, hex conversions, and IP calculation information.
Python
2
star
24

Musk_bot

Markov chain implementation
Python
2
star
25

Coding-Interview-Questions

My solutions for Hackerrank / Leetcode
Python
2
star
26

Peer2PeerBook

The repo for my book on peer 2 peer networking! :)
2
star
27

Polymath

HTML
2
star
28

HackNotts

Python
2
star
29

Subreddit_Lottery

Uses the blockchain to verifiably pick random winners in subreddit giveaways
Solidity
2
star
30

discord-bot

Discord bot for Ares & Lemmeknow in the http://discord.skerritt.blog discord server
Rust
1
star
31

Shell-Scripts

Shell scripts I use
Shell
1
star
32

Alice

All in one tool for editing blog posts
Python
1
star
33

gatsby-starter-ghost2

1
star
34

twitter_bot

Twitter bot
1
star
35

CS101

All blog posts from my CS101 series
1
star
36

SRE-Resources

Highest return on value resources to up your SRE game
1
star
37

karis

Kurome's Auto Ricing Installation Script for Kali 2020.3+ and will install my everyday tools, and dotfiles.
Shell
1
star
38

getting_started_with_SQL

SQL starting out
Python
1
star
39

TryRecipeMe

JavaScript
1
star
40

gatsby-starter-ghost

1
star
41

Blog-Conclusion-Summariser

Summaries a blog, TL;DR style.
JavaScript
1
star
42

skerrittblog

1
star
43

Algorithmic_Design_Paradigm_pdf

Repo for my book on Algorithmic Design Paradigms
1
star
44

Python-scripts

Short scripts I've made in my spare time
Python
1
star
45

ansible_scripts

This is for my personal K3s cluster
Dockerfile
1
star
46

portfolio

JavaScript
1
star
47

pipi

A discord personal assistant
Python
1
star
48

WUDS

Wi-Fi User Detection System
Python
1
star
49

Scripts

Python
1
star
50

hideme

hides me in my cave
Python
1
star
51

PyCat

Python3 implementation of CAT
Python
1
star
52

Recipes

A GitHub repo of my recipes
JavaScript
1
star
53

bank

Used for my banking
Python
1
star
54

3rd-year-university-notes

For my class
1
star