{"id":25107833,"url":"https://github.com/borisgerretzen/sentinel","last_synced_at":"2025-04-02T08:46:12.149Z","repository":{"id":44721442,"uuid":"512329038","full_name":"BorisGerretzen/Sentinel","owner":"BorisGerretzen","description":"Sentinel monitors certificate transparency logs for various services that allow anonymous access","archived":false,"fork":false,"pushed_at":"2023-03-06T02:07:25.000Z","size":72,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-02-07T23:49:18.582Z","etag":null,"topics":["certificate","certificate-transparency","certificate-transparency-abuse","certificate-transparency-logs","certificates","certstream","internet-scanning","scanning"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/BorisGerretzen.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-07-10T02:41:59.000Z","updated_at":"2022-07-12T01:28:12.000Z","dependencies_parsed_at":"2022-09-12T09:10:51.103Z","dependency_job_id":null,"html_url":"https://github.com/BorisGerretzen/Sentinel","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BorisGerretzen%2FSentinel","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BorisGerretzen%2FSentinel/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BorisGerretzen%2FSentinel/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BorisGerretzen%2FSentinel/manifests","
owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/BorisGerretzen","download_url":"https://codeload.github.com/BorisGerretzen/Sentinel/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246785428,"owners_count":20833471,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certificate","certificate-transparency","certificate-transparency-abuse","certificate-transparency-logs","certificates","certstream","internet-scanning","scanning"],"created_at":"2025-02-07T23:49:20.915Z","updated_at":"2025-04-02T08:46:12.118Z","avatar_url":"https://github.com/BorisGerretzen.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Sentinel\nSentinel monitors certificate transparency logs and looks for services that have not configured authentication correctly.\n\nI recommend using a VPN while running this service.\n\nCurrently, the following services are supported:\n- MongoDB\n- Mongo-Express\n- Elasticsearch\n- MySQL\n- It is possible to add more services/labels by registering them in SentinelLib.\n\n## Instructions\n1. Connect to a VPN; this is not required but recommended so your IP does not show up in any logs.\n2. Download and install MongoDB, make sure authentication is disabled and the server is listening on `127.0.0.1`.\n3. Restore NuGet packages and build the solution.\n4. Run the built executable.\n5. Wait...\n\n## How it works\nSentinel uses [certstream](https://certstream.calidog.io) to get a live feed of certificates added to CT logs. 
It extracts the domain names from these certificates and checks the first label of these domain names.\nIf the label is one of the recognized labels, a connection is attempted with a client of the corresponding service.\nFor example, `mongo.example.com` will be treated as a MongoDB host and thus a MongoDB connection will be attempted.\n\nIf this connection is successful, a callback method is called where you can deal with the results. \nSentinel by default stores them in a locally hosted MongoDB instance. Authentication is disabled, very nice.\n\nEvery service that requires a specific connection type will need its own scanner. \nAn abstract class is provided for these scanners. Custom scanners can be implemented by extending this base class and registering them in `ScannerProvider`. \nIf no custom scanners are required, `ScannerProvider.DefaultProvider` will suffice.\n\n## Why?\nMy BSc. thesis was about information leakage through certificate transparency. \nDuring my research I found that a considerable percentage of services that announce their presence through domain name labels do not have authentication enabled or allow guest access.\n\nMy thesis used an older dataset, specifically the Google Argon 2021 dataset. \nBecause this is a relatively old dataset, a lot of the domains listed no longer exist or the owners had time to fix their mistakes. \nThis got me curious what differences could be observed when using more recent, near realtime CT logs.\n\n## Future work\n- [x] Increased result handling flexibility e.g. 
config for MongoDB instance.\n- [x] More configuration options \n- [x] Callback for open ports, regardless of scan result\n- [ ] CI/CD\n- [ ] Better logging\n- [ ] NuGet package of SentinelLib","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fborisgerretzen%2Fsentinel","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fborisgerretzen%2Fsentinel","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fborisgerretzen%2Fsentinel/lists"}