Presentation is loading. Please wait.

Presentation is loading. Please wait.

Watching the Watchers Target Exploitation via Public Search Engines

Published byGervais Gilmore Modified over 6 years ago

Similar presentations

Presentation on theme: "Watching the Watchers Target Exploitation via Public Search Engines"— Presentation transcript:

1 Watching the Watchers Target Exploitation via Public Search Engines

2 what’s this about? using search engines to do interesting (sometimes unintended) stuff sp3ak l1ke l33to hax0rs act as transparent proxy servers sneak past security find development sites

3 what’s this about? using search engines to find exploitable targets on the web which run certain operating systems run certain web server software harbor specific vulnerabilities harbor sensitive data in public directories harbor sensitive data in public files automating the process: googlescan

4 pick your poison we have certain needs from a search engine:
advanced search options (not just AND’s and OR’s) browsing down or changed pages (caching) instant response (zero-wait) document and language translations web, news, image and ftp searches The obvious choice: Google Many of these techniques can be used with other search engines. Some of these techniques can not.

5 not new... Vincent GAILLOT posted this to BUGTRAQ nearly two years ago... the technique is old, but an old dog can learn new tricks... read on...

6 doing interesting stuff
hax0r, “Google hacks,” proxy, auth bypass, finding development sites

7 for those of us spending way too much time spe@king hax0r...

8 /misc: “Google Hacks” There is this book. And it’s an O’REILLY book.
But it’s not about hacking. It’s about searching. I didn’t write it. Because if I wrote it, it would really be about hacking using Google and that would get both Google and O’REILLY both really upset and then lawyers would get involved, which is never good unless of course the lawyer happens to be Jennifer Granick... =)                       

9 Google offers a very nice language translation service.
proxy Google offers a very nice language translation service.

10 for example, translating from english to spanish...
proxy for example, translating from english to spanish...

11 proxy Our english-to-spanish translated Google page is:
(main URL) ?u= (options) What happens if we play with the options a bit to provide an english-to-english translation, for example? ?u= (options)

12 proxy Because Google took our URL, and “translated” it for us, we appear to be surfing Google, not Defcon. Even images are fetched via Google! This is not foolproof, and should only be used as a transparant proxy, but it can effectively hide where we’re surfing from the casual observer... we’re surfing through Google, not to the evil DEFCON page. The boss will be sooo proud! 8P

13 proxy Google proxy bouncers

14 finding development sites
use unique phrases from an existing site to find mirrors or development servers hosting the same page. this is a copy of a production site found on a web development company’s server...

15 finding development sites
troll the development site with another search looking for more files on that server...

16 finding development sites
eventually, creative searching can lead to pay dirt: a source code dump dir!

17 auth bypass Let’s say an attacker is interested in what’s behind a password protected page:

18 auth bypass One search gives us insight into the structure of the site:

19 auth bypass Another search gives a cache link:

20 auth bypass Another click takes us to the cached version of the page (no password needed!)

21 auth bypass One more click to the really interesting stuff... site source code! How does this work? I don’t work at Google, and I don’t have their source code. My guess is that the Google bot caught the site when the authentication mechanism was down. My other guesses are much more insidious... *this site was notified and secured before making this public. sorry, kids ;-)

22 evil searching: the basics
tools of the trade

23 Google search syntax Tossing Google around requires a firm grasp of the basics. Many of the details can be found here:

24 simple word search A simple search...

25 simple word search ...can return amazing results. This is the contents of a live .bash_history file!

26 simple word search Crawling around on the same web site reveals a firewall configuration file complete with a username and password...

27 ...as well as an ssh known hosts file!
simple word search ...as well as an ssh known hosts file!

28 Creativity with search phrases (note the use of quotes)…
simple phrase search Creativity with search phrases (note the use of quotes)…

29 simple phrase search ...can reveal interesting tidbits like
this Cold Fusion error message.

30 (Error messages can be very revealing. )
simple phrase search (Error messages can be very revealing. )

31 simple phrase search II
Sometimes the most idiotic searches (“enter UNIX command”)...

32 simple phrase search II
...can be the most rewarding!

33 special characters symbol use + (plus) AND, force use - (dash)
NOT (when used outside quotes) . (period) any character space (when used in quotes) * (asterisk) wildcard word (when used in quotes)

34 site: site-specific search
site:gov boobs this search finds all .gov sites with the word “boobs” in the text... no politicians were listed in the returned results...

35 site: crawling site:defcon.org defcon
-use the site: keyword along with the site name for a quick list of potential servers and directories

36 site: crawling -use the site: keyword along with a common file extension to find accidental directory listings..

37 Date Searching Date Restricted Search
Star Wars daterange: If you want to limit your results to documents that were published within a specific date range, then you can use the “daterange: “ query term to accomplish this. The “daterange:” query term must be in the following format: daterange:<start_date>-<end date> where <start_date> = Julian date indicating the start of the date range <end_date> = Julian date indicating the end of the date range The Julian date is calculated by the number of days since January 1, 4713 BC. For example, the Julian date for August 1, 2001 is Site Restricted Search Example: admission site: If you know the specific web site you want to search but aren’t sure where the information is located within that site, you can use Google to search only within a specific web site.  Do this by entering your query followed by the string “site:” followed by the host name. Note: The exclusion operator (“-“) can be applied to this query term to remove a web site from consideration in the search. Note: Only one site: term per query is supported.

38 Title searching Starting a query with the term "allintitle:" restricts the results to those with all of the query words in the title. allintitle: Google search Title Search (all) If you prepend "intitle:" to a query term, Google search restricts the results to documents containing that word in the title. Note there can be no space between the "intitle:" and the following word. Note: Putting "intitle:" in front of every word in your query is equivalent to putting "allintitle:" at the front of your query. intitle:Google search Title Search (term)

39 INURL: URL Searches inurl: find the search term within the URL
inurl:admin inurl:admin users mbox inurl:admin users passwords If you prepend "inurl:" to a query term, Google search restricts the results to documents containing that word in the result URL. Note there can be no space between the "inurl:" and the following word. Note:  "inurl:" works only on words , not URL components. In particular, it ignores punctuation and uses only the first word following the "inurl:" operator. To find multiple words in a result URL, use the "inurl:" operator for each word. Note: Putting "inurl:" in front of every word in your query is equivalent to putting "allinurl:" at the front of your query.

40 filetype: filetype:xls “checking account” “credit card”
many more examples coming... patience...

41 finding interesting stuff
finding OS and web server versions

42 Windows-based default server
intitle:"Welcome to Windows 2000 Internet Services"

43 Windows-based default server
intitle:"Under construction" "does not currently have"

44 intitle:“Welcome to IIS 4.0"
Windows NT 4.0 intitle:“Welcome to IIS 4.0"

45 OpenBSD/Apache (scalp=)
“powered by Apache” “powered by openbsd"

46 Apache 1.2.6 Intitle:”Test Page for Apache” “It Worked!”

47 Apache – 1.3.9 Intitle:”Test Page for Apache” “It worked!” “this web site!”

48 "seeing this instead" intitle:"Test Page for Apache"

49 Intitle:”Simple page for Apache” “Apache Hook Functions”

50 Directory Info Gathering
Some servers, like Apache, generate a server version tag...

51 ...which we can harvest for some quick stats...
Apache Version Info Apache Version Number of Servers 1.3.6 119,000.00 1.3.3 151,000.00 1.3.14 159,000.00 1.3.24 171,000.00 1.3.9 203,000.00 2.0.39 256,000.00 1.3.23 259,000.00 1.3.19 260,000.00 1.3.12 300,000.00 1.3.20 353,000.00 1.3.22 495,000.00 1.3.26 896,000.00 The script is simple. Just do recursive Google searches for intitle:Index.of “Apache/[version] Server at” and grep out the “Results” line from the returned output. That line will look something like: “Results of about 15,700. Search took 0.72 seconds” when searching for intitle:index.of “Apache/ Server at” ...which we can harvest for some quick stats...

52 Weird Apache Versions

53 Common Apache Versions

54 vulnerability trolling
finding 0day targets...

55 vulnerability trolling
A new vulnerability hits the streets...

56 vulnerability trolling
The vulnerability lies in a cgi script called “normal_html.cgi”

57 vulnerability trolling
212 sites are found with the vulnerable CGI the day the exploit is released.

58 more interesting stuff...
finding sensitive data in directories and files

59 Directory Listings Directory listings are often misconfigurations in the web server. A directory listing shows a list of files in a directory as opposed to presenting a web page. Directory listings can provide very useful information.

60 reveals sites like this one.
Directory Example a query of intitle:”Index of” reveals sites like this one. lots of times when a directory listing is unintentional, the default title of the page begins with a generic “Index of “... The “intitle” keyword is one of the most powerful in the google master’s arsenal...

61 Directory Example notice that the directory listing shows the names of the files in the directory. lots of times when a directory listing is unintentional, the default title of the page begins with a generic “Index of “... we can combine our “intitle” search with another search to find specific files available on the web.

62 .htpasswd Intitle:”Index of” .htpasswd
Lots more examples coming. Stick around for the grand finale...

63 finding interesting stuff
automation: googlescan

64 Googlescan With a known set of file-based web vulnerabilities, a vulnerability scanner based on search engines is certainly a reality. Let’s take a look at a painfully simple example using nothing more than UNIX shell commands...

65 first, create a file (vuln_files) with the names of cgi programs...
Googlescan.sh first, create a file (vuln_files) with the names of cgi programs...

66 ...then, use this shell script...
Googlescan.sh ...then, use this shell script... rm temp awk -F"/" '{print $NF"| intitle%3A%22Index+of%22+"$NF}' vuln_files > queries for query in `cat queries` do echo -n $query"|" >> temp echo $query | awk -F"|" '{print $2}' lynx -source `echo $query | awk -F"|" '{print $2}'` | grep "of about" | awk -F "of about" '{print $2}' | awk -F"." '{print $1}' | tr -d "</b>[:cntrl:] " >> temp echo " " >> temp Done cat temp | awk -F"|" '{print "<A HREF=\"" $2 "\">" $1 " (" $3 "hits) </A><BR><BR>"}' | grep -v "(1,770,000" > report.html

67 Googlescan.sh output ...to output an html list of potentially vulnerable or interesting web servers according to Google. Mike Walker at CSC created a program like this (but better) to automate scans for his clients.

68

69 more interesting stuff
Rise of the Robots

70 Rise of the Robots “Rise of the Robots”, Phrack by Michal Zalewski: autonomous malicious robots powered by public search engines Search engine crawlers pick up malicious links and follow them, actively exploiting targets “Consider a remote exploit that is able to compromise a remote system without sending any attack code to his victim. Consider an exploit which simply creates local file to compromise thousands of computers, and which does not involve any local resources in the attack. Welcome to the world of zero-effort exploit techniques. Welcome to the world of automation, welcome to the world of anonymous, dramatically difficult to stop attacks resulting from increasing Internet complexity.” –Michal Zalewski

71 Rise of the Robots: Example
Michal presents the following example links on his indexed web page:

72 Rise of the Robots: Results
Within Michal’s study, the robots followed all the links as written, including connecting to non-http ports! The robots followed the “attack links,” performing the attack completely unawares. Moral: Search engines can attack for you, and store the results, all without an attacker sending a single packet directly to the target.

73 Prevention Locking it down

74 Google’s advice This isn’t Google’s fault.
Google is very happy to remove references. See Follow the webmaster advice found at

75 My advice Don’t be a dork. Keep it off the web! Scan yourself.
Be proactive. Watch googledorks (

76 Finally.... The Grand Finale!

77 intitle:index.of test-cgi

78 intitle:index.of page.cfm
exploitable by passing invalid ?page_id=

79 intitle:index.of dead.letter

80 intitle:index.of pwd.db passwd –pam.conf

81 intitle:index.of master.passwd

82 intitle:index.of..etc passwd

83 intitle:index.of passwd

84 intitle:"Index.of..etc" passwd

85 intitle:"Index.of..etc" passwd

86 intitle:"Index.of..etc" passwd
wah.... no encrypted passwords?

87 intitle:index.of auth_user_file.txt

88 intitle:index.of pwd.db passwd –pam.conf

89 intitle:index.of ws_ftp.ini

90 intitle:index.of administrators.pwd

91 intitle:index.of people.lst

92 intitle:index.of passlist

93 intitle:index.of .htpasswd

94 intitle:index.of “.htpasswd” htpasswd.bak

95 intitle:index.of “.htpasswd” htpasswd.bak

96 intitle:index.of “.htpasswd” htpasswd.bak

97 intitle:index.of secring.pgp

98 intitle:index.of..etc hosts
...but this one’s old....

99 intitle:index.of..etc hosts

100 intitle:Index.of etc shadow
<whine> “but encrypted passwords are tooo hard....” </whine>

101 intitle:index.of passlist

102 filetype:xls username password email

103 intitle:index.of config.php

104 social security numbers
how about a few names and SSN’s?

105 social security numbers II
How about a few thousand names and SSN’s?

106 social security numbers III
How about a few thousand more names and SSN’s?

107 Final words...

108 other google press.. “Mowse: Google Knowledge: Exposing Sensitive data with Google” “Autism: Using google to hack” “Google hacking”: (German) “Google: Net Hacker Tool du Jour” 

109 Special Thanks to j3n, m@c, tr3 and p3@nut! =)
EOF <plug> Watch googleDorks. </plug> Questions? Contact Me / Get stuff: Special Thanks to j3n, tr3 and =)

110

Download ppt "Watching the Watchers Target Exploitation via Public Search Engines"

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Getting Your Web Site Found. Meta Tags Description Tag This allows you to influence the description of your page with the web crawlers.

Getting Your Web Site Found. Meta Tags Description Tag This allows you to influence the description of your page with the web crawlers.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
Telnet and FTP. Telnet Lets you use the resources of some other computer on the Internet to access files, run programs, etc. Creates interactive connection.

Telnet and FTP. Telnet Lets you use the resources of some other computer on the Internet to access files, run programs, etc. Creates interactive connection.
Hacking Borhan Kazimi pour. Agenda How to hack How to hack using How to prevent hack using.

Hacking Borhan Kazimi pour. Agenda How to hack How to hack using How to prevent hack using.
Google Search Using internet search engine as a tool to find information related to creativity & innovation.

Google Search Using internet search engine as a tool to find information related to creativity & innovation.
Introduction The Basic Google Hacking Techniques How to Protect your Websites.

Introduction The Basic Google Hacking Techniques How to Protect your Websites.
Searching The Web Search Engines are computer programs (variously called robots, crawlers, spiders, worms) that automatically visit Web sites and, starting.

Searching The Web Search Engines are computer programs (variously called robots, crawlers, spiders, worms) that automatically visit Web sites and, starting.
Crawler-Based Search Engine By: Bryan Chapman, Ryan Caplet, Morris Wright.

Crawler-Based Search Engine By: Bryan Chapman, Ryan Caplet, Morris Wright.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Web Proxy Server Anagh Pathak Jesus Cervantes Henry Tjhen Luis Luna.

Web Proxy Server Anagh Pathak Jesus Cervantes Henry Tjhen Luis Luna.
Chapter 6: Hostile Code Guide to Computer Network Security.

Chapter 6: Hostile Code Guide to Computer Network Security.
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.
Chapter 9 Collecting Data with Forms. A form on a web page consists of form objects such as text boxes or radio buttons into which users type information.

Chapter 9 Collecting Data with Forms. A form on a web page consists of form objects such as text boxes or radio buttons into which users type information.
W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.

W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.
Www.TASK.to GOOGLE HACKING FOR PENETRATION TESTERS Chris Chromiak SentryMetrics March 27 th, 2007.

GOOGLE HACKING FOR PENETRATION TESTERS Chris Chromiak SentryMetrics March 27 th, 2007.
Demystifying Backdoor Shells and IRC Bots: The Risk … By : Jonathan.

Demystifying Backdoor Shells and IRC Bots: The Risk … By : Jonathan.
Wasim Rangoonwala ID# 00506259 CS-460 Computer Security “Privacy is the claim of individuals, groups or institutions to determine for themselves when,

Wasim Rangoonwala ID# CS-460 Computer Security “Privacy is the claim of individuals, groups or institutions to determine for themselves when,

Similar presentations

Ads by Google