Company LOGO Search Engine Hacking Steve at SnakeOilLabs dot com.

Slides:



Advertisements
Similar presentations
WordPress Installation for Beginners Sheila Bergman
Advertisements

Getting Your Web Site Found. Meta Tags Description Tag This allows you to influence the description of your page with the web crawlers.
Customizing the MOSS 2007 Search Results November 2007 Rafael Perez.
Google Chrome & Search C Chapter 18. Objectives 1.Use Google Chrome to navigate the Word Wide Web. 2.Manage bookmarks for web pages. 3.Perform basic keyword.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 13: Administering Web Resources.
Turners SharePoint Web Site How we did it. 2 Page Anatomy Custom Search Web Part Custom Search Web Part Data Form Web Parts Content Query Web Part HTML.
Introduction The Basic Google Hacking Techniques How to Protect your Websites.
DT211/3 Internet Application Development Active Server Pages & IIS Web server.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 13: Administering Web Resources.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
Chapter Apache Installation in Linux- Mandrake. Acknowledgment The following information has been obtained directly from
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.
Introduction Web Development II 5 th February. Introduction to Web Development Search engines Discussion boards, bulletin boards, other online collaboration.
UWWD In our quest to eliminate bad websites, we present…. HALLELUJAH!!
Ch 13 - Adminstering Web Resources1 Ch. 13 – Administering Web Resources MIS 431 – Created Spring 2006.
Internet Research Search Engines & Subject Directories.
The easy way to a nice looking website design By a total non-designer (Me!)
Build a CMS Website. The topics this chapter covers are: What is CMS ? What you can do with CMS The benefits and disadvantages of using a content management.
Linux Operations and Administration
Yahoo! Proprietary. Not for re-distribution. 0  Trip Planner is a tool to help consumers envision, research, plan, and share their travel experience 
A Free sample background from © 2001 By Default!Slide 1 Web Design Fundamentals.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
GOOGLE HACKING FOR PENETRATION TESTERS Chris Chromiak SentryMetrics March 27 th, 2007.
Basics of Web Databases With the advent of Web database technology, Web pages are no longer static, but dynamic with connection to a back-end database.
SUSE Linux Enterprise Server Administration (Course 3037) Chapter 4 Manage Software for SUSE Linux Enterprise Server.
Tutorial 1: Getting Started with Adobe Dreamweaver CS4.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 13: Administering Web Resources.
Lesson 15 Client Side Vulnerabilities and you. Active Server Pages MS’s answer to the scripting world of PERL and CGI on Unix Usually Written In Visual.
5 Chapter Five Web Servers. 5 Chapter Objectives Learn about the Microsoft Personal Web Server Software Learn how to improve Web site performance Learn.
Microsoft Internet Information Services 5.0 (IIS) By: Edik Magardomyan Fozi Abdurhman Bassem Albaiady Vince Serobyan.
Installing and Configuring IIS. Reliable IIS 6.0 uses a new request-processing architecture and application-isolation environment that enables individual.
Course ILT Internet/intranet support Unit objectives Use the Internet Information Services snap-in to manage IIS, Web sites, virtual directories, and WebDAV.
Internet Information Server © N. Ganesan, Ph.D. All Rights Reserved.
IIS Security Sridurga Mavram. Contents -Introduction -Security Consideration -Creating a web page -Drawbacks -Security Tools -Conclusion -References.
Copyright ©2004 Foundstone, Inc. All Rights Reserved »Google Hacking Searching For Ways To Stop Hackers Copyright ©2004 Foundstone, Inc. All Rights Reserved.
FTP Presentation Using “CuteFTP” By IT the IT Support Team.
CIS 290 LINUX Security Basic Network Security “Chroot Jail”
SUSE Linux Enterprise Desktop Administration Chapter 6 Manage Software.
ARCSDE & ARCIMS Mr. David A. Perini. ARCIMS  Internet Mapping Server Distribute GIS information over the Internet Integrates with addition ESRI softwareESRI.
McLean HIGHER COMPUTER NETWORKING Lesson 7 Search engines Description of search engine methods.
1 After completing this lesson, you will be able to: Transfer your files to the Internet. Choose a method for posting your Web pages. Use Microsoft’s My.
Copyright Security-Assessment.com 2005 GoogleMonster Using The Google Search Engine For Underhand Purposes by Nick von Dadelszen.
Copyright © 2006 Pilothouse Consulting Inc. All rights reserved. Search Overview Search Features: WSS and Office Search Architecture Content Sources and.
Vulnerability Scanning Vulnerability scanners are automated tools that scan hosts and networks for known vulnerabilities and weaknesses Credentialed vs.
Module 8 : Configuration II Jong S. Bok
Web Access. Overview  Purpose  Prerequisites  Install Components  Enable Virtual Directories  IIS Configuration & Security  Troubleshooting.
The Web Wizard’s Guide to HTML Chapter One World Wide Web Basics.
Dean Anderson Polk County, Oregon GIS in Action 2014 Modifying Open Source Software (A Case Study)
WEB SERVER SOFTWARE FEATURE SETS
G046 Lecture 04 Task C Briefing Notes Mr C Johnston ICT Teacher
IIS Manager Details Delegated Administration Configuration System.
Institute for the Protection and Security of the Citizen HAZAS – Hazard Assessment ECCAIRS Technical Course Provided by the Joint Research Centre - Ispra.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Windows Administration How to protect your computer.
Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.
What Is Firefox? __________ is a Web ___________ that you use to search for and view Web pages, save pages for use in the future, and maintain a list.
NX Documentation Using Windows IIS (Internet Information Services) as a http server for NX documentation.
Search Engine and Optimization 1. Introduction to Web Search Engines 2.
 Hi friends now I am going to show you a next part of this article. This is the 3 rd part of the Centre Point of Magento development guide line. Pre-
How to use Drupal Awdhesh Kumar (Team Leader) Presentation Topic.
TOPSpro Special Topics
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 13: Administering Web Resources.
CompTIA Server+ Certification (Exam SK0-004)
Search Engines & Subject Directories
Configuring Internet-related services
Search Engines & Subject Directories
Search Engines & Subject Directories
Dongwhan Kim Annie Zhao Steven Lawrance
Presentation transcript:

Company LOGO Search Engine Hacking Steve at SnakeOilLabs dot com

Search Engine Hacking

1. What is SEH? 2. Tools Armoury 3. Exploiting SEH 4. Countermeasures

Search Engine Hacking

What is SEH? Definition: Search Engine Hacking (SEH) Function: noun SEH is the malicious use of indexing technologies in order to identify, fingerprint and exploit at-risk systems, data and people. In other words: Using Search Engines and other indexing facilities to find juicy information and 0wnable b0x3n/w4r3z/d00dz

What is SEH? How much data are we talking about?

Search Engine Hacking

What is SEH? Only now there’s much more to contend with IRC Search Engines Bit Torrent/P2P Search engines FTP Search engines Flickr.com Blogs Your.application.here/search/ Oh, and Google But there’s more… (Whaddya mean you only thought there was Google?)

What is SEH?

Tools Armoury SiteDigger Apollo Wikto Athena

Tools Armoury SiteDigger ( The ‘original’ Google Scanning tool (other than a web browser, of course) Requires a Google API Key Uses FSDB and GHDB Searches deliberately restricted The ‘Internet Scanner’ of SEH tools

Tools Armoury SiteDigger

Tools Armoury SiteDigger

Tools Armoury SiteDigger Pros Slick Reporting Well maintained FSDB sometimes outdated, but well categorized Cons Needs Google API Key Google-Specific Restricted searches means stuff gets missed Overall A good tool, ultimately crippled by restrictions

Tools Armoury Apollo ( Written by Mimi & Spark of the Good Cat Studio. No Google Key required, but still Google only No restrictions on Search Similar functionality to SiteDigger, minus the snazzy reporting

Tools Armoury

Apollo Pros No restrictions No Google API Key needed Auto update GHDB Cons Google-Specific Clunky interface No direct link in results Overall Better than SiteDigger, but needs better reporting interface

Tools Armoury Wikto ( Port of Nikto to Windows with bells and whistles Google Hacking functionality a la GooScan Needs Google API Key Site orientated Requires registration with Foundstone’s portal!!!!

Tools Armoury Wikto Uses a ‘Googler’ to identify directories worth investigating

Tools Armoury Wikto

Tools Armoury Wikto ‘BackEnd’ module imports data from Googler for use in data mining…

Tools Armoury Wikto

Tools Armoury Wikto ‘Wikto’ module functions as Nikto on other systems, with ability to import dirs from Googler and BackEnd

Tools Armoury Wikto

Tools Armoury Wikto ‘GoogleHacks’ Module provides an automated GoogleDork searching facility

Tools Armoury Wikto

Tools Armoury Wikto Pros Directory harvesting via Google Wikto port Cons Google Key required Complicated Google-Specific Overall Feels like several tools bundled into one

Tools Armoury Athena ( The ‘original’ Search Engine Hacking tool (other than a web browser, of course) No API Key required Features GHDB editor and extensive logging functionality Not Google Specific! Manual tool

Tools Armoury Athena

Tools Armoury Athena

Tools Armoury Athena

Tools Armoury Athena

Tools Armoury Athena

Tools Armoury Athena Pros Cool logging/note-taking functionality Can edit GHDB information within Athena Use datagrid or raw XML editing facilities Designed for non-techies as well as power users Suitable for Yahoo, Altavista, Cons No automation Tabbed browsing would be nice Overall Unique … so far.

Exploiting SEH It’s easy as Load the GHDB.xml into Athena Select your query type (and enter any filters) Hit Search

Exploiting SEH

Thinking of buying a digital camera? Load Digicams.xml into Athena Select your camera manufacturer (and enter any filters – e.g wedding, holiday, ‘amateur’) Hit Go!

Exploiting SEH

Exploiting non-Google SEH An example Create a Catalog in Indexing Server for file store Associate the Catalog with the default web site via the catalog properties Use the index server query object in ASP (ixsso.Query) Voila! Instant Search facility!

Exploiting non-Google SEH Indexing Service MMC Snap-in

Exploiting non-Google SEH Example query

Exploiting non-Google SEH What happens when you’re not sure what you’re indexing?

Exploiting non-Google SEH Things to try on your own app.htaccess/.htpasswd stuff GET POST Deny from all IIS Indexing REM (from autoexec.bat) SELECT (from backup.asp and.aspx files) Other stuff <?php #!/usr/bin/perl root:0:.inc,.htm,.txt,.bak (try other html tags)

Countermeasures Google-specific countermeasures Add the following to specific pages to be left out Remove ‘snippets’ but still index link Stop archiving Remove my page NOW!

Countermeasures HTTP Server configuration countermeasures Robots.txt Some indexing systems obey it Some don’t.htaccess/.htpasswd Make sure it’s configured properly! Indexing Services Make sure indexed files are held in a specific directory, not the web root! Figure out what you’re indexing – you’re only indexing files with specific extensions, right?

Countermeasures Procedural countermeasures Newsgroups/Mailing lists Use a hushmail/hotmail account Use X-No-Archive: Yes headers in Usenet postings Don’t post information about your systems, data or people (e.g: specify Solaris rather than specific Solaris patch levels) Check for information leakage periodically Don’t use site: restrictions – you want to find all occurrences that affect you, not just the ones on your site! Web sites Ensure that backups, test data etc. is held outside of the web root.

Countermeasures Further Info/Resources Info Google Hacking for Penetration Testers (Johnny Long) Johnny.ihackstuff.com Tools SiteDigger: Wikto: Apollo: Athena:

Company LOGO Questions?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.