You found that on Google? Gaining awareness about “Google Hackers” Johnny Long [email protected] CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 1 HUGE DISCLAIMER! •The print version of this presentation is much smaller than the live version! • The live version shows many more techniques and examples. CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 2 What this is about • We’ll be talking about how hackers can use Google to locate vulnerable targets and sensitive information • This process has been termed “Google hacking” • We will be blowing through the basics – After all, this is Blackhat! =) CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 3 Advanced Operators • Google advanced operators help refine searches • Advanced operators use a syntax such as the following: – operator:search_term • Notice that there's no space between the operator, the colon, and the search term CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 4 Advanced Operators • site: restrict a search to a specific web site or domain – The web site to search must be supplied after the colon. • filetype: search only within the text of a particular type of file • link: search within hyperlinks • cache: displays the version of a web page as it appeared when Google crawled the site • intitle: search for a term in the title of a document • inurl: search only within the URL (web address) of a document CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 5 Search Characters • Some characters: • • • • • ( + ) force inclusion of a search term ( - ) exclude a search term ( “ ) use quotes around search phrases ( . ) a single-character wildcard ( * ) any word CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 6 Site Crawling • To find every web page Google has crawled for a specific site, use the site: operator site: microsoft.com CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 7 Server Crawling • To locate additional servers, subtract common hostnames from the query site: microsoft.com -site:www.microsoft.com CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 8 Directory Listings • Directory listings can be a source of great information intitle:index.of/admin CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 9 Directory Listings • Directory listings can provide server version information intitle:index.of apache server.at CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 10 Default Server Pages • Web servers with default pages can serve as juicy targets intitle:test.page.for.apache “it worked” CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 11 Default Server Pages • Web servers with default pages can serve as juicy targets allintitle:Netscape FastTrack Server Home Page CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 12 Default Server Pages • Web servers with default pages can serve as juicy targets intitle:"Welcome to Windows 2000 Internet Services" CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 13 Default Server Pages • Web servers with default pages can serve as juicy targets intitle:welcome.to.IIS.4.0 CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 14 Default Server Pages • Web servers with default pages can serve as juicy targets allintitle:Welcome to Windows XP Server Internet Services CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 15 Default Server Pages • Web servers with default pages can serve as juicy targets allintitle:”Welcome to Internet Information Server” CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 16 Default Server Pages • Web servers with default pages can serve as juicy targets allintitle:Netscape Enterprise Server Home Page CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 17 Default Server Pages • Web servers with default pages can serve as juicy targets allintitle:Netscape FASTTRACK Server Home Page CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 18 Default Documents • Servers can also be profiled via default manuals and documentation intitle:"Apache HTTP Server" intitle:"documentation" CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 19 Error Messages • Server profiling is easy with some error messages intitle:"Error using Hypernews" "Server Software" CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 20 Error Messages • CGI environment vars provide a great deal of information • The generic way to find these pages is by focusing on the trail left by the googlebot crawler “HTTP_USER_AGENT=Googlebot” CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 21 Error Messages • after a generic search, we can narrow down to the fields we find more interesting “HTTP_USER_AGENT=Googlebot” TNS_ADMIN CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 22 Vulnerability Trolling • Many attackers find vulnerable targets via Google • A typical security advisory may look like this: CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 23 Vulnerability Trolling • A quick browse of the vendor’s website reveals a demo of the product CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 24 Vulnerability Trolling • The demo page suggests one method for finding targets CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 25 Vulnerability Trolling • A quick intitle: search suggests more vectors… CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 26 Vulnerability Trolling • This search finds the documentation included with the product • These sites are probably poorly configured CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 27 Vulnerability Trolling • Other searches are easy to discover as well… CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 28 Vulnerability Trolling • Other searches are easy to discover as well… CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 29 Vulnerability Trolling • Many times, a good search string is much simpler to come up with • Consider this advisory: CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 30 Vulnerability Trolling • A creative search finds vulnerable targets CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 31 CGI Scanning • In order to locate web vulnerabilities on a larger scale, many attacker will use a ‘CGI’ scanner • Most scanners read a data file and query target web servers looking for the vulnerable files CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 32 CGI Scanning • A CGI scanner’s vulnerability file… • can be converted to Google queries in a number of different ways: /iisadmpwd/ /iisadmpwd/achg.htr /iisadmpwd/aexp.htr /iisadmpwd/aexp2.htr /iisadmpwd/aexp2b.htr inurl;/iisadmpwd/ inurl;/iisadmpwd/achg.htr inurl;/iisadmpwd/aexp.htr inurl;/iisadmpwd/aexp2.htr inurl;/iisadmpwd/aexp2b.htr CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 33 Vulnerability Trolling • Regardless of the age of the vulerability, there are usually vulnerable targets CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 34 Port Scanning • Although port numbers are sometimes found in the url, there’s no easy way to scan just for a port number… the results are much too copious inurl:5800 CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 35 Port Scanning • We can use creative queries to sniff out services that may be listening on particular ports • VNC Desktop, port 5800 "VNC Desktop" inurl:5800 CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 36 Port Scanning • Webmin, port 10000 inurl:webmin inurl:10000 CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 37 Port Scanning • Google can be used to find sites to do the portscanning for you • Consider the Network Query Tool CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 38 Port Scanning • NQT allows web users to perform traceroutes, rdns lookups and port scans. • This is the NQT program checking port 80 on www.microsoft.com: CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 39 Port Scanning • Google can be used to locate servers running the NQT program, nqt.php • Once servers are harvested, they can be used to perform port scans (usually through a web proxy) • NQT also allows remote posts, so that more than one port can be checked at a time CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 40 Login Portals • The most generic of login portals CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 41 Login Portals • Another very generic portal CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 42 Login Portals • Microsoft Outlook Web Access CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 43 Login Portals • Coldfusion Admin Page CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 44 Login Portals • Windows Remote Desktop CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 45 Login Portals • Citrix Metaframe CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 46 SQL Information • Gathering SQL usernames is simple with this search CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 47 SQL Information • This is an SQL dump made by phpmyadmin CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 48 SQL Information • This is a complete database schema dump, essentially a complete database backup CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 49 SQL Information • This query will locate SQL schemas on the web CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 50 SQL Information • In addition, this query finds the words username and password inside the SQL dump CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 51 SQL Information • This potent query finds SQL dumps wither username, user, users or password as a table name CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 52 SQL Information • This graphical front-end to SQL is mis-configured to allow anyone admin access CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 53 SQL Information • This search can be used by hackers to find SQL injection targets CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 54 SQL Information • …another SQL injection target… CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 55 SQL Information • ..and another… CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 56 SQL Information • the mysql_connect function makes a database query with a supplied username and password • This file should not be on the web CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 57 SQL Information • In most cases, there’s nothing better for an SQL injector than a complete line of SQL source code… CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 58 SQL Information • …except for really long lines of SQL code… CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 59 Examples • *** LIVE EXAMPLES REMOVED FROM PRINT VERSION*** CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 60 Prevention • Do not put sensitive data on your web site, even temporarily • Proactively check your web presence with Google on a regular basis • Use sites like http://johnny.ihackstuff.com to keep up on the latest “Google Hacks” CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 61 Prevention • Use site: queries against each of your web hosts • Don’t forget about hosts that do not have DNS names • Scan each result page, ensuring that each and every page it supposed to be in Google’s database CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 62 Prevention • Automate your scans with tools like sitedigger by Foundstone CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 63 Presentation Materials • This is a condensed version of the actual presentation given at the event • For more information, please see: http://johnny.ihackstuff.com • Or contact: Johnny Long CSC Global Security Solutions e-mail: [email protected] • Private e-mail: [email protected] CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 64 Information About Johnny • Mr. Long has been involved in system security since a very early age, and has accentuated his natural aptitude for computer technology through involvement in major security efforts for the Department of Defense and corporate America. A System Engineer with 10 years experience in most areas of technical and functional support and system development, Mr. Long possesses a strong background in many elements of network and system operation as well as computer, network and physical security. Equally adept in most aspects of Windows NT and UNIX systems as well as many current technologies, Mr. Long has proven to be a very fast study in the face of the ever-changing computer industry. An exceptionally accomplished speaker and trainer, Mr. Long has the rare ability to present highly technical material in a way that is beneficial for both technical and non-technical audiences. Mr. Long is currently employed by Computer Sciences Corporation (CSC). CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 65 Thanks • • • • Thanks to God for the gift of life. Thanks to my wife for the gift of love. Thanks to my kids for the gift of laughter. Thanks to my friends for filling in the blanks. CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 66
© Copyright 2026 Paperzz