You found that on Google?

CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 1

Gaining awareness about “Google Hackers”

Johnny Long

johnny@ihackstuff.com

HUGE DISCLAIMER!•The print version of thispresentation is muchsmaller than the liveversion!

• The live version shows many more techniquesand examples.

What this is about

• We’ll be talking about how hackers can use Google tolocate vulnerable targets and sensitive information

• This process has been termed “Google hacking”

• We will be blowing through the basics– After all, this is Blackhat! =)

Advanced Operators

• Google advanced operators help refine searches

• Advanced operators use a syntax such as the following:– operator:search_term

• Notice that there's no space between the operator, thecolon, and the search term

Advanced Operators

• site: restrict a search to a specific web site or domain– The web site to search must be supplied after the colon.

• filetype: search only within the text of a particular type of file

• link: search within hyperlinks

• cache: displays the version of a web page as it appearedwhen Google crawled the site

• intitle: search for a term in the title of a document

• inurl: search only within the URL (web address) of adocument

Search Characters

• Some characters:• ( + ) force inclusion of a search term

• ( - ) exclude a search term

• ( “ ) use quotes around search phrases

• ( . ) a single-character wildcard

• ( * ) any word

Site Crawling

• To find every web page Google has crawled for a specificsite, use the site: operator

site: microsoft.com

Server Crawling

• To locate additional servers, subtract common hostnamesfrom the query

site: microsoft.com-site:www.microsoft.com

Directory Listings

• Directory listings can be a source of great information

intitle:index.of/admin

Directory Listings

• Directory listings can provide server version information

intitle:index.of apache server.at

Default Server Pages

• Web servers with default pages can serve as juicy targets

intitle:test.page.for.apache “it worked”

allintitle:Netscape FastTrack ServerHome Page

intitle:"Welcome to Windows 2000Internet Services"

intitle:welcome.to.IIS.4.0

allintitle:Welcome to Windows XPServer Internet Services

allintitle:”Welcome to InternetInformation Server”

allintitle:Netscape Enterprise ServerHome Page

allintitle:Netscape FASTTRACKServer Home Page

Default Documents

• Servers can also be profiled via default manuals anddocumentation

intitle:"Apache HTTP Server"intitle:"documentation"

Error Messages

• Server profiling is easy with some error messages

intitle:"Error using Hypernews""Server Software"

Error Messages

• CGI environment vars provide a great deal of information

• The generic way to find these pages is by focusing on thetrail left by the googlebot crawler

“HTTP_USER_AGENT=Googlebot”

Error Messages

• after a generic search, we can narrow down to the fields wefind more interesting

“HTTP_USER_AGENT=Googlebot”TNS_ADMIN

Vulnerability Trolling

• Many attackers find vulnerable targets via Google

• A typical security advisory may look like this:

• A quick browse of the vendor’s website reveals a demo ofthe product

• The demo page suggests one method for finding targets

• A quick intitle: search suggests more vectors…

• This search finds the documentation included with the product

• These sites are probably poorly configured

• Other searches are easy to discover as well…

• Many times, a good search string is much simpler to come upwith

• Consider this advisory:

• A creative search finds vulnerable targets

CGI Scanning

• In order to locate web vulnerabilities on a larger scale,many attacker will use a ‘CGI’ scanner

• Most scanners read a data file and query target webservers looking for the vulnerable files

CGI Scanning

• A CGI scanner’svulnerability file…

• can be converted toGoogle queries in anumber of differentways:

/iisadmpwd/ /iisadmpwd/achg.htr /iisadmpwd/aexp.htr /iisadmpwd/aexp2.htr /iisadmpwd/aexp2b.htr

inurl;/iisadmpwd/ inurl;/iisadmpwd/achg.htr inurl;/iisadmpwd/aexp.htr inurl;/iisadmpwd/aexp2.htr inurl;/iisadmpwd/aexp2b.htr

• Regardless of the age of the vulerability, there areusually vulnerable targets

Port Scanning

• Although port numbers are sometimes found in the url, there’sno easy way to scan just for a port number… the results aremuch too copious

inurl:5800

Port Scanning

"VNC Desktop" inurl:5800

• We can use creative queries to sniff out services that may belistening on particular ports

• VNC Desktop, port 5800

Port Scanning

inurl:webmin inurl:10000

• Webmin, port 10000

Port Scanning

• Google can be used to find sites to do theportscanning for you

• Consider the Network Query Tool

Port Scanning

• NQT allows web users to perform traceroutes, rdnslookups and port scans.

• This is the NQT program checking port 80 onwww.microsoft.com:

Port Scanning

• Google can be used to locate servers running the NQT program,nqt.php

• Once servers are harvested, they can be used to perform port scans(usually through a web proxy)

• NQT also allows remote posts, so that more than one port can bechecked at a time

Login Portals

• The most generic of login portals

Login Portals

• Another very generic portal

Login Portals

• Microsoft Outlook Web Access

Login Portals

• Coldfusion Admin Page

Login Portals

• Windows Remote Desktop

Login Portals

• Citrix Metaframe

SQL Information

• Gathering SQL usernames is simple with this search

SQL Information

• This is an SQL dump made by phpmyadmin

SQL Information

• This is a complete database schema dump, essentially acomplete database backup

SQL Information

• This query will locate SQL schemas on the web

SQL Information

• In addition, this query finds the words username andpassword inside the SQL dump

SQL Information

• This potent query finds SQL dumps wither username, user,users or password as a table name

SQL Information

• This graphical front-end to SQL is mis-configured to allowanyone admin access

SQL Information

• This search can be used by hackers to find SQL injectiontargets

SQL Information

• …another SQL injection target…

SQL Information

• ..and another…

SQL Information

• the mysql_connect function makes a database query with asupplied username and password

• This file should not be on the web

SQL Information

• In most cases, there’s nothing better for an SQL injectorthan a complete line of SQL source code…

SQL Information

• …except for really long lines of SQL code…

Examples

• *** LIVE EXAMPLES REMOVED FROM PRINT VERSION***

Prevention

• Do not put sensitive data on your web site, even temporarily

• Proactively check your web presence with Google on aregular basis

• Use sites like http://johnny.ihackstuff.com to keep up on thelatest “Google Hacks”

Prevention

• Use site: queries against each of your web hosts

• Don’t forget about hosts that do not have DNS names

• Scan each result page, ensuring that each and every page itsupposed to be in Google’s database

Prevention

• Automate your scans with tools like sitedigger byFoundstone

Presentation Materials

• This is a condensed version of the actual presentation givenat the event

• For more information, please see:http://johnny.ihackstuff.com

• Or contact:Johnny LongCSC Global Security Solutionse-mail: securitysolutions@csc.com

• Private e-mail: johnny@ihackstuff.com

Information About Johnny

• Mr. Long has been involved in system security since a very early age, andhas accentuated his natural aptitude for computer technology throughinvolvement in major security efforts for the Department of Defense andcorporate America. A System Engineer with 10 years experience in mostareas of technical and functional support and system development, Mr.Long possesses a strong background in many elements of network andsystem operation as well as computer, network and physical security.

Equally adept in most aspects of Windows NT and UNIX systems as wellas many current technologies, Mr. Long has proven to be a very fast studyin the face of the ever-changing computer industry. An exceptionallyaccomplished speaker and trainer, Mr. Long has the rare ability to presenthighly technical material in a way that is beneficial for both technical andnon-technical audiences.

Mr. Long is currently employed by Computer Sciences Corporation (CSC).

Thanks

• Thanks to God for the gift of life.

• Thanks to my wife for the gift of love.

• Thanks to my kids for the gift of laughter.

• Thanks to my friends for filling in the blanks.

You found that on Google?

Documents

Transcript of You found that on Google?

Google & You

Anything but Google: you can say "NO" to Google

Get Found on Google: Search Engine Optimization (SEO ... · Get Found on Google: Search Engine Optimization (SEO) Basics & Technical Solutions Lindsay Wassell Keyphraseology March

Get Found On Google Search And Maps

Beginning SEO: How to Help Google Help You€¦ · Senior Vice President at Google and responsible for the development of Google Search, disclosed that Google's search engine found

Be found by customers across Google - Monnet Digital IndiaBrochure.pdf · Be found by customers across Google ENGAGE CUSTOMERS WITH 360 BUSINESS VIEW FOR LIFE TIME ! It’s simple,

Google: Help Customers Find You! .pdfGoogle: Make Sure Your Customers Can Find You! Your customers are searching for you ± will you be found? What are the benefits of an attractive

Retail Search Beyond Google: Get Found More, Sell More

Get Found on Google - Don't Be a Needle in a Haystack

GOOGLE EXPEDITION ACTIVITIES · In the Keyword Search box, type in Google or Google Expeditions. You have found the Google Expeditions activities. ASSIGN AN EXPEDITION Click on the

Grow Your Business Online - Amazon S3 You… · GROW YOUR BUSINESS ONLINE Agenda Be found by local customers Create a free Google My Business listing. Be found everywhere, on all

Get Found on Google Search and Maps with Google My Business

Ghost Partner: Getting found on Google (the basics)

How to Get Found On Google Using The HubSpot Software

Top 10 Ways to be Found on Google

Google & Getting Found: An SEO Challenge

Delivered by Mediaworks · google tag manager analytics fundamentals google analytics google analytics shows you how people found your site, how they explored it, and how you can

Where are you? Get found in Google by customers

Get Found Fast: Google AdWords Strategies for Growth

Get Found on Google: Search Engine Optimization …...Get Found on Google: Search Engine Optimization (SEO) Basics & Technical Solutions Lindsay Wassell Keyphraseology, LLC August