NOTE: All the methods I have explained are at your own risk

Open Source Intelligence(OSINT) is one of the first techniques to gather information before the attack. There have been many hacking cases using OSINT in the past. Along with the developing IoT devices, we can collect lots of critical data on the public web. We will be gathering critical data for Cryptocurrency Miners (Bitcoin[Antminer] and Ethereum[Claymore]) in this article.

Many Cryptocurrency miners tools and software need the internet connection to send/receive data. So that, they have some vulnerability for attackers.

Reconnaissance the Antminer!

The best bitcoin ASIC miner is Antminer S9/S7. The miner’s hardware use “lighttpd/1.4.32” web server and some of these have open SSH Port. There is an exploit for “Lighttpd 1.4.31” version. However, you can not access the server with this exploit.

The webpage on the web server is protected by “Digest HTTP Authentication”. The critical point is that miners need username and password to log in.

antMiner configuration page uses “Digest Authentication”

It’s known that we need some information or keywords to collect data with OSINT techniques. That information is the keyword including “antMiner Configuration” in HTTP headers which appears each time I send a request to the server

I have searched on censys.io and shodan.io with some specific dorks and collected the IP addresses.

(antminer) AND protocols.raw: “80/http” AND 80.http.get.title: “401”

censys.io search dorks

The system can be accessed by a brute-force attack on the HTTP port or SSH port.

Firstly, I needed a user guide to learn default HTTP username and password. After, I have searched on Google with “antminer default password” and found a website that includes User Guide.

AntMiner User Manuel | We can obtain easily by searching

For this tutorial, I preferred to use hydra for brute-force attack (Bruteforcing HTTP Digest Authentication) with exposed most common 10.000 passwords. You can also use Burp Suite Intruder too.

hydra -l root -P commonPasswords.txt -vV {TARGET} http-get /

If you are lucky, you can access the configuration page.

antMiner configuration page.

Attackers can edit the page as desired.