Hello,
I'm sorry, I don't speak Russian, but I hope English is fine here.
I'm working on a PostgreSQL target that's only accessible via port 443 (HTTPS). Port 5432 is not reachable directly.
I assumed there's a PostgreSQL instance behind a reverse proxy (nginx), so I attempted protocol smuggling / ALPACA-style tunneling.
Here's what I did step by step:
1. Verified TLS acceptance over 443:
Code:
printf '\x00\x00\x00\x08\x04\xd2\x16\x2f' | openssl s_client -connect <target_ip>:443 -quiet
→ Got expected response from server, handshake successful.
2. Sent PostgreSQL StartupMessage manually over TLS:
Code:
\x00\x00\x00\x29\x00\x03\x00\x00user\x00postgres\x00database\x00postgres\x00\x00
→ Received hex response:
520000002a0000000a534352414d2d5348412d3235362d504c555300534352414d2d5348412d3235360000
Breakdown:
- 0x52: Authentication request
- 0x0a: Auth type: SCRAM-SHA-256
- Server supports: SCRAM-SHA-256, SCRAM-SHA-256-PLUS
So we're inside PostgreSQL’s SCRAM auth handshake over TLS.
3. Used socat to forward traffic:
Code:
socat -v -d -d TCP-LISTEN:15432,reuseaddr,fork OPENSSL:<target_ip>:443,verify=0
→ This tunnels local 127.0.0.1:15432 to remote 443 using TLS
→ Verified with psql -h 127.0.0.1 -p 15432 -U postgres
→ PostgreSQL responds with SCRAM challenge
4. Tried SCRAM brute-force (custom script):
Wrote a Python script that:
- Initiates TLS
- Sends client-first SCRAM message
- Parses server nonce, salt, iteration count
- Crafts final message with HMAC base64 proof
Tried a small wordlist — all failed so far.
Now stuck at this point:
- Server responds with SCRAM challenge
- Proofs are always rejected
- Can't confirm if brute is failing due to:
  - bad proof generation
  - additional middleware / rate-limiting
  - broken SCRAM logic
If anyone has experience with:
- Crafting valid SCRAM-SHA-256 client proofs
- PostgreSQL + reverse proxy + TLS tunneling
- TLS proxy bypass (ALPACA-style)
I’d appreciate any insight.
I can share pcap, hex dumps, or my brute-force script if needed.
Thanks in advance.
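Added example (my own code, not the poster's script) of the SCRAM-SHA-256 exchange from both sides per RFC 5802/7677, checked against the RFC 7677 test vector: it shows exactly which bytes go into AuthMessage and how the server decides to reject a proof (it only holds StoredKey/ServerKey per role). Function names such as client_final and server_verify are this example's own; the server side is a model of the check, not PostgreSQL's code.

```python
import base64
import hashlib
import hmac
def _hmac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()
def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def salted_password(password, salt, iters):
    # PostgreSQL runs SASLprep on the password first; omitted here (ASCII passwords only).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)

def stored_keys(password, salt, iters):
    # What the server keeps per role: StoredKey and ServerKey, never the password itself.
    sp = salted_password(password, salt, iters)
    return hashlib.sha256(_hmac(sp, b"Client Key")).digest(), _hmac(sp, b"Server Key")

def parse_server_first(msg):
    f = dict(kv.split("=", 1) for kv in msg.split(","))
    return f["r"], base64.b64decode(f["s"]), int(f["i"])

def client_final(password, cf_bare, server_first):
    """Build client-final-message; also return the v= value the client must see back."""
    nonce, salt, iters = parse_server_first(server_first)
    sp = salted_password(password, salt, iters)
    client_key = _hmac(sp, b"Client Key")
    # c= carries the GS2 header "n,," (no channel binding) base64-encoded, i.e. "biws"
    without_proof = f"c={base64.b64encode(b'n,,').decode()},r={nonce}"
    # AuthMessage = client-first-bare (no "n,," prefix) + server-first + client-final-without-proof
    auth_message = f"{cf_bare},{server_first},{without_proof}".encode()
    client_sig = _hmac(hashlib.sha256(client_key).digest(), auth_message)
    proof = base64.b64encode(_xor(client_key, client_sig)).decode()
    server_sig = base64.b64encode(_hmac(_hmac(sp, b"Server Key"), auth_message)).decode()
    return f"{without_proof},p={proof}", server_sig

def server_verify(stored_key, server_key, cf_bare, server_first, client_final_msg):
    """Server side: ClientKey = proof XOR HMAC(StoredKey, AuthMessage); accept iff H(ClientKey) == StoredKey."""
    without_proof, proof_b64 = client_final_msg.rsplit(",p=", 1)
    auth_message = f"{cf_bare},{server_first},{without_proof}".encode()
    client_key = _xor(base64.b64decode(proof_b64), _hmac(stored_key, auth_message))
    if not hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key):
        return None  # rejected: wrong password or wrong AuthMessage bytes
    return base64.b64encode(_hmac(server_key, auth_message)).decode()

CF_BARE = "n=user,r=rOprNGfwEbeRWgbNEkqO"  # RFC 7677 s.3 vector: user "user", password "pencil"
SERVER_FIRST = "r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096"

if __name__ == "__main__":
    sk, svk = stored_keys("pencil", *parse_server_first(SERVER_FIRST)[1:])
    final, v = client_final("pencil", CF_BARE, SERVER_FIRST)
    print(final, server_verify(sk, svk, CF_BARE, SERVER_FIRST, final) == v)
```

With the RFC vector, client_final yields p=dHzbZapWIk4jUhN+Ute9ytag9zjfMHgsqmmiz7AndVQ= and v=6rriTRBi23WpRR/wtup+mMhUZUn/dB5nLTJRsjl95G4=; note that libpq sends an empty n= (PostgreSQL takes the user from the StartupMessage), so cf_bare must match what was actually sent.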