ECSAv4 Module 02 Advanced Googling_NoRestriction
Advanced Penetration Testing and Security Analysis
Module 2: Advanced Googling
Copyright © 2004 EC-Council. All rights reserved worldwide. Reproduction is strictly prohibited.
Module Objective
This module will familiarize you with:
• Site Operator
• intitle:index.of
• error | warning
• login | logon
• admin | administrator
• Google Advanced Search Form
• Categorization of the Operators
• Viewing Live Web Cams
• Locating Source Code with Common Strings
• Locating Vulnerable Targets
• Locating Targets Via Demonstration Pages
• Locating Targets Via Source Code
• Vulnerable Web Application Examples
• Locating Targets Via CGI Scanning
• A Single CGI Scan-Style Query
• Directory Listings
• Web Server Software Error Messages
• The Goolag Scanner
Site Operator
The site operator is absolutely invaluable during the information-gathering phase of an assessment.
A site search can be used to gather information about the servers and hosts that a target hosts.
Using simple reduction techniques, we can quickly get an idea about a target’s online presence.
Consider the following simple example: site:washingtonpost.com -site:www.washingtonpost.com
This query effectively locates pages on the washingtonpost.com domain other than www.washingtonpost.com.
Site Operator (cont’d)
intitle:index.of
intitle:index.of is the universal search for directory listings.
In most cases, this search applies only to Apache-based servers, but due to the overwhelming number of Apache-derived web servers on the Internet, there’s a good chance that the server you’re profiling will be Apache-based.
intitle:index.of
error | warning
Error messages can reveal a great deal of information about a target.
Often overlooked, error messages can provide insight into the application or operating system software a target is running, the architecture of the network the target is on, information about users on the system, and much more.
Not only are error messages informative, they are prolific.
A query of intitle:error results in over 55 million results.
error | warning (cont’d)
login | logon
Login portals can reveal the software and operating system of a target, and in many cases “self-help” documentation is linked from the main page of a login portal.
These documents are designed to assist users who run into problems during the login process.
Whether the user has forgotten his or her password or even username, these documents can provide clues that might help an attacker.
Documentation linked from login portals lists email addresses, phone numbers, or URLs of human assistants who can help a troubled user regain lost access.
These assistants, or help desk operators, are perfect targets for a social engineering attack.
login | logon (cont’d)
username | userid | employee.ID | “your username is”
There are many different ways to obtain a username from a target system.
Even though a username is the less important half of most authentication mechanisms, it should at least be marginally protected from outsiders.
password | passcode | “your password is”
The word “password” is so common on the Internet, there are over 73 million results for this one-word query.
During an assessment, it’s very likely that results for this query combined with a site operator will include pages that provide help to users who have forgotten their passwords.
In some cases, this query will locate pages that provide policy information about the creation of a password.
This type of information can be used in an intelligent-guessing, or even a brute-force, campaign against a password field.
password | passcode | “your password is” (cont’d)
admin | administrator
The word “administrator” is often used to describe the person in control of a network or system.
The word administrator can also be used to locate administrative login pages, or login portals.
The phrase “Contact your system administrator” is a fairly common phrase on the web, as are several basic derivations.
A query such as “please contact your * administrator” will return results that reference local, company, site, department, server, system, network, database, email, and even tennis administrators.
If a web user is told to contact an administrator, the odds are that there’s data of at least moderate importance to a security tester.
admin | administrator (cont’d)
admin login
admin login reveals administrative login pages.
-ext:html -ext:htm -ext:shtml -ext:asp -ext:php
The -ext:html -ext:htm -ext:shtml -ext:asp -ext:php query uses ext, a synonym for the filetype operator, and is a negative query.
It returns no results when used alone and should be combined with a site operator to work properly.
The idea behind this query is to exclude some of the most common Internet file types in an attempt to find files that might be more interesting.
-ext:html -ext:htm -ext:shtml -ext:asp -ext:php (cont’d)
inurl:temp | inurl:tmp | inurl:backup | inurl:bak
The inurl:temp | inurl:tmp | inurl:backup | inurl:bak query, combined with the site operator, searches for temporary or backup files or directories on a server.
Although there are many possible naming conventions for temporary or backup files, this search focuses on the most common terms.
Since this search uses the inurl operator, it will also locate files that contain these terms as file extensions, such as index.html.bak.
Google Advanced Search Form
Google’s advanced search form is easy to use and provides more options for the search.
It allows a user to select or prohibit pages with more accuracy.
It focuses on options, which results in a more targeted and accurate search.
One can categorize the search by giving all words, an exact phrase, or at least one word.
By following the procedure below, it is simple to perform an advanced search:
• Go to Google’s standard search text box.
• Click on “Advanced search” at the right side of the search box.
Google Advanced Search Form: Screenshot
Categorization of the Operators
Search Service | Search Operators
Web Search | allinanchor:, allintext:, allintitle:, allinurl:, cache:, define:, filetype:, id:, inanchor:, info:, intext:, intitle:, inurl:, phonebook:, related:, rphonebook:, site:, stocks:
Image Search | allintitle:, allinurl:, filetype:, inurl:, intitle:, site:
Groups | allintext:, allintitle:, author:, group:, insubject:, intext:, intitle:
Directory | allintext:, allintitle:, allinurl:, ext:, filetype:, intext:, intitle:, inurl:
News | allintext:, allintitle:, allinurl:, intext:, intitle:, inurl:, location:, source:
Froogle | allintext:, allintitle:, store:
allinanchor:
• The query with allinanchor restricts the results to the pages containing all the query terms in their inbound links.
• Avoid the use of any other search operators while using allinanchor.
• Example: “allinanchor: Longest river”
• It will return the results that contain ‘longest’ and ‘river’ in the anchor text of the pages.
Screenshot - allinanchor:
allintext:
• The query with allintext restricts the results to the pages containing all query terms only in the text (it does not check the URL or title).
• Example: “allintext: Best travel”
• It will return the results that contain ‘Best’ and ‘travel’ in the text of the page.
Screenshot - allintext:
allintitle:
• The query with allintitle restricts results to pages containing all query terms specified in the title.
• Avoid the use of any other search operators while using allintitle.
• Example: “allintitle: Vulnerability attacks”
• It will return the results which contain ‘vulnerability’ and ‘attacks’ in the title.
• In image search, allintitle returns images that contain the terms specified.
Screenshot - allintitle:
author:
• The query with author includes newsgroup articles by the author specified in the query.
• The author name can be a full name, partial name, or email ID.
• Example: “Hacking author: Linda Lee”
• It will return the articles that contain the word ‘Hacking’ written by ‘Linda Lee’.
Screenshot - author:
cache:
• The query cache:url displays Google’s cached version of a web page.
• Do not put a space between cache: and the URL.
• Example: “cache:www.eccouncil.org”
• It shows the cached version of “eccouncil”.
Screenshot - cache:
define:
• The query with define shows definitions from pages on the web for the term specified.
• It is useful for finding definitions of words, phrases, and acronyms.
• Example: “define: hacking”
• It shows the definitions for the term ‘Hacking’.
Screenshot - define:
filetype:
• The query with filetype:suffix shows the result pages whose names end in suffix.
• Example: “web attacks filetype:pdf”
• It returns Adobe Acrobat PDF files that match the terms ‘web’ and ‘attacks’.
Screenshot - filetype:
group:
• The query with group restricts results to newsgroup articles from certain groups or subareas.
• Example: “Sleep group:misc.kids”
• It returns articles in the subarea ‘misc.kids’ that contain the word “sleep”.
Screenshot - group:
inanchor:
• Searches for the text representation of the link.
• The query with inanchor restricts results to pages containing the query terms specified.
• Example: “restaurants inanchor: menu”
• It returns pages whose inbound links have anchor text containing the word “menu” and whose page text contains the word “restaurants”.
Screenshot - inanchor:
insubject:
• The query with insubject restricts Google Groups articles to those containing the query terms specified in the subject.
• Example: “insubject:“Security issue””
• It returns Google Groups articles that contain the phrase “Security issue” in the subject.
• It is equivalent to intitle:
Screenshot - insubject:
intext:
• The query with intext:term restricts results to documents containing the term in the text.
• There must be no space between the intext: and the following word.
• Example: “intext:poem”
Screenshot - intext:
link:
• The query with link:URL shows pages that point to that URL.
• Example: “link:www.googleguide.com”
Screenshot - link:
location:
• The query with location will show articles from Google News, and only from the location specified.
• Example: “Hackers location: China”
• It shows articles that match the term “Hackers” from sites in China.
Screenshot - location:
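The operator syntax described in the slides above can be checked mechanically before a query is run. The following Python linter is an added example, not code from the EC-Council module: it tokenizes a query into operators, quoted phrases, exclusions and OR connectors, and flags the mistakes the slides warn about (a space after an operator colon, an allin* operator mixed with other operators, an exclusion-only query with no site: scope); ext: is folded into filetype: because the module says they are synonyms. The operator list is the module's categorization table; the queries in the demo are taken from the slides, and everything else is constructed.

```python
"""Tokenizer and linter for Google search-operator queries.

Added example, not part of the EC-Council module: it models the operator
syntax the slides describe (site:, intitle:, inurl:, filetype:/ext:, the
allin* family, quoted phrases, '-' exclusion and '|' OR) so a query can be
sanity-checked before it is run. The rules are the ones the slides state.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Operators from the module's categorization table (plus ext: and link:).
KNOWN_OPERATORS = {
    "allinanchor", "allintext", "allintitle", "allinurl", "author", "cache",
    "define", "ext", "filetype", "group", "id", "inanchor", "info",
    "insubject", "intext", "intitle", "inurl", "link", "location",
    "phonebook", "related", "rphonebook", "site", "source", "stocks", "store",
}
# The slides say not to mix these with any other operator.
ALLIN_OPERATORS = {"allinanchor", "allintext", "allintitle", "allinurl"}
# ext: is a synonym for filetype: (the -ext:html slide).
SYNONYMS = {"ext": "filetype"}

# One token: optional '-', optional 'operator:' (capturing any stray space
# after the colon), then a double-quoted phrase or a run of non-space chars.
TOKEN_RE = re.compile(r'(-?)(?:([A-Za-z]+):(\s*))?("[^"]*"|\S+)')


@dataclass
class Term:
    operator: Optional[str]   # e.g. "site"; None for a plain keyword
    value: str                # phrase or word with surrounding quotes removed
    negated: bool = False     # prefixed with '-'
    phrase: bool = False      # was double-quoted


@dataclass
class ParsedQuery:
    terms: List[Term] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def parse_query(query: str) -> ParsedQuery:
    """Split a query into terms and collect syntax warnings."""
    parsed = ParsedQuery()
    for m in TOKEN_RE.finditer(query):
        neg, op, gap, raw = m.groups()
        if op is None and raw == "|":
            continue  # '|' is Google's OR: a connector, not a term
        phrase = len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"'
        value = raw[1:-1] if phrase else raw
        if op is not None:
            op = op.lower()
            if gap:  # "no space between intext: and the following word"
                parsed.warnings.append(
                    f"space after '{op}:' (the operator must touch its argument)")
            if op not in KNOWN_OPERATORS:
                parsed.warnings.append(f"unknown operator '{op}:'")
            op = SYNONYMS.get(op, op)
        parsed.terms.append(Term(op, value, neg == "-", phrase))

    used = {t.operator for t in parsed.terms if t.operator}
    if used & ALLIN_OPERATORS and len(used) > 1:
        parsed.warnings.append(
            "allin* operator combined with other operators; use it alone")
    if parsed.terms and all(t.negated for t in parsed.terms):
        parsed.warnings.append(
            "only exclusions: returns nothing alone, add e.g. site:<domain>")
    return parsed


def lint(query: str) -> List[str]:
    """Just the warnings for a query string."""
    return parse_query(query).warnings


def site_scope(query: str):
    """Return (included, excluded) site: values, e.g. for the
    site:washingtonpost.com -site:www.washingtonpost.com reduction."""
    terms = parse_query(query).terms
    inc = [t.value for t in terms if t.operator == "site" and not t.negated]
    exc = [t.value for t in terms if t.operator == "site" and t.negated]
    return inc, exc


if __name__ == "__main__":
    for q in ('site:washingtonpost.com -site:www.washingtonpost.com',
              '"#include <stdio.h>" "Usage" exploit',
              'allintitle: Vulnerability attacks intitle:report',
              '-ext:html -ext:htm -ext:shtml -ext:asp -ext:php'):
        print(q, "->", lint(q) or "ok")
```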
Viewing Live Web Cams
You can find live security cameras, traffic monitoring cameras and many more using simple Google search operators like inurl, intitle, and intext.
These cameras generally use known protocols, which makes it easy for anyone to access them.
Following are a few Google search links to find publicly accessible live streaming feeds:
Viewing Live Web Cams (cont’d)
inurl:/view.shtml
intitle:”Live View / - AXIS” | inurl:view/view.shtml^
inurl:ViewerFrame?Mode=
inurl:ViewerFrame?Mode=Refresh
inurl:axis-cgi/jpg
allintitle:”Network Camera NetworkCamera”
intitle:axis intitle:”video server”
intitle:liveapplet inurl:LvAppl
intitle:”EvoCam” inurl:”webcam.html”
Screenshot - Live Web Cams
At a Traffic Signal
Live Web Cams – Traffic Signals 1
Live Web Cams – Traffic Signals 2
Live Web Cams – Traffic Signals 3
Live Web Cams – Traffic Signals 4
Live Web Cams – Traffic Signals 5
Live Web Cams – Traffic Signals 6
Live Web Cams – Traffic Signals 7
Live Web Cams – Traffic Signals 8
Live Web Cams – Traffic Signals 9
Live Web Cams – Traffic Signals 10
intranet | help.desk
The term intranet, despite more specific technical meanings, has become a generic term that describes a network confined to a small group.
In most cases the term intranet describes a closed or private network, unavailable to the general public.
Many sites have configured portals that allow access to an intranet from the Internet, bringing this typically closed network one step closer to potential attackers.
Locating Public Exploit Sites
One way to locate exploit code is to focus on the file extension of the source code and then search for specific content within that code.
Since source code is the text-based representation of the difficult-to-read machine code, Google is well suited for this task.
For example, a large number of exploits are written in C, which generally uses source code ending in a .c extension.
A query for filetype:c exploit returns around 5,000 results, most of which are exactly the types of programs we’re looking for.
These are the most popular sites hosting C source code containing the word exploit; the returned list is a good start for a list of bookmarks.
Using page-scraping techniques, we can isolate these sites by running a UNIX command against the dumped Google results page (saved here as the file exp):
grep Cached exp | awk -F" -" '{print $1}' | sort -u
Locating Exploits via Common Code Strings
Another way to locate exploit code is to focus on common strings within the source code itself.
One way to do this is to focus on common inclusions or header file references.
For example, many C programs include the standard input/output library functions, which are referenced by an include statement such as #include <stdio.h> within the source code.
A query like the following would locate C source code that contained the word exploit, regardless of the file’s extension:
“#include <stdio.h>” “Usage” exploit
Searching for Exploit Code with Nonstandard Extensions
Locating Source Code with Common Strings
Locating Vulnerable Targets
Attackers are increasingly using Google to locate web-based targets that are vulnerable to specific exploits.
In fact, it’s not uncommon for public vulnerability announcements to contain Google links to potentially vulnerable targets.
Locating Targets via Demonstration Pages
Our goal is to develop a query string to locate vulnerable targets on the web; the vendor’s website is a good place to discover what exactly the product’s web pages look like.
For example, some administrators might modify the format of a vendor-supplied web page to fit the theme of the site.
These types of modifications can impact the effectiveness of a Google search that targets a vendor-supplied page format.
We can find that most sites look very similar and that nearly every site has a “powered by” message at the bottom of the main page.
“Powered by” Tags are Common Query Fodder for Finding Web Applications
Locating Targets via Source Code
Let’s take a look at how a hacker might use the source code of a program to discover ways to search for that software with Google.
To find the best search string to locate potentially vulnerable targets, we can visit the web page of the software vendor to find the source code of the offending software.
In cases where source code is not available, an attacker might opt to simply download the malicious software and run it on a machine he controls to get ideas for potential searches.
Vulnerable Web Application Examples
Vulnerable Web Application Examples (cont’d)
Locating Targets via CGI Scanning
One of the oldest and most familiar techniques for locating vulnerable web servers is through the use of a CGI scanner.
These programs parse a list of known “bad” or vulnerable web files and attempt to locate those files on a web server.
Based on various response codes, the scanner could detect the presence of these potentially vulnerable files.
A CGI scanner can list vulnerable files and directories in a data file, such as:
A Single CGI Scan-Style Query
Example: search for inurl:/cgi-bin/userreg.cgi
Directory Listings
The server tag at the bottom of a directory listing can provide explicit detail about the type of web server software that’s running.
If an attacker has an exploit for Apache 2.0.52 running on a UNIX server, a query such as server.at “Apache/2.0.52” will locate servers that host a directory listing with an Apache 2.0.52 server tag.
Finding IIS 5.0 Servers
Query for “Microsoft-IIS/5.0 server at”
Web Server Software Error Messages
Error messages contain a lot of useful information, but in the context of locating specific servers, we can use portions of various error messages to locate servers running specific software versions.
The absolute best way to find error messages is to figure out what messages the server is capable of generating.
You could gather these messages by examining the server source code or configuration files or by actually generating the errors on the server yourself.
The best way to get this information from IIS is by examining the source code of the error pages themselves.
IIS 5 and 6, by default, display static HTTP/1.1 error messages when the server encounters some sort of problem.
These error pages are stored by default in the %SYSTEMROOT%\help\iisHelp\common directory.
Web Server Software Error Messages (cont’d)
A query such as intitle:“The page cannot be found” “please following” “Internet * Services” can be used to search for IIS servers that present a 400 error.
IIS HTTP/1.1 Error Page Titles
IIS HTTP/1.1 Error Page Titles (cont’d)
“Object Not Found” Error Message Used to Find IIS 5.0
Apache Web Server
Apache web servers can also be located by focusing on server-generated error messages.
Some generic searches, such as “Apache/1.3.27 Server at” -intitle:index.of intitle:inf or “Apache/1.3.27 Server at” -intitle:index.of intitle:error, locate Apache error pages that carry the version string in the server footer while excluding directory listings.
Apache 2.0 Error Pages
Application Software Error Messages
Although this ASP message is fairly benign, some ASP error messages are much more revealing.
Consider the query “ASP.NET_SessionId” “data source=”, which locates unique strings found in ASP.NET application state dumps.
These dumps reveal all sorts of information about the running application and the web server that hosts that application.
An advanced attacker could use encrypted password data and variable information in these stack traces to subvert the security of the application and perhaps the web server itself.
ASP Dumps Provide Dangerous Details
Many Errors Reveal Pathnames and Filenames
CGI Environment Listings Reveal Lots of Information
Default Pages
Another way to locate specific types of servers or web software is to search for default web pages.
Most web software, including the web server software itself, ships with one or more default or test pages.
These pages make it easy for a site administrator to test the installation of a web server or application.
Google sometimes crawls a web server while it is in its earliest stages of installation, still displaying a set of default pages.
In these cases, there is generally a short window of time between the moment when Google crawls the site and when the intended content is actually placed on the server.
A Typical Apache Default Web Page
Locating Default Installations of IIS 4.0 on Windows NT 4.0/OP
Default Pages Query for Web Server
Many different types of web servers can be located by querying for default pages as well.
Outlook Web Access Default Portal
Query: allinurl:”exchange/logon.asp”
Searching for Passwords
Password data, one of the “Holy Grails” during a penetration test, should be protected.
Unfortunately, many Google queries can be used to locate passwords on the web.
Windows Registry Entries Can Reveal Passwords
A query such as filetype:reg intext:“internet account manager” could reveal interesting keys containing password data.
Usernames, Cleartext Passwords, and Hostnames
A search for password information, intext:(password | passcode | pass) intext:(username | userid | user), combines common words for passwords and user IDs into one query.
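As an added self-audit example that is not part of the module, the following Python checks pages you host for the same disclosure strings that the error-message, state-dump and password queries above key on, so a leak is caught before a search engine indexes it. The rule names, the helper functions and the sample responses are assumptions constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Hypothetical self-audit rules (not the module's own tooling). A rule fires
# only when every one of its patterns matches the page body; the strings
# mirror the query fragments discussed above, applied to your own pages.
RULES: List[Tuple[str, List[str]]] = [
    # Apache error/default pages leaking the version in the server footer
    ("apache-version-footer", [r"Apache/\d+\.\d+(\.\d+)?[^\n<]* Server at"]),
    # IIS 5/6 static HTTP/1.1 error pages with their default titles
    ("iis-static-error-page", [r"<title>\s*The page cannot be (found|displayed)\s*</title>",
                               r"Internet [\w ]*Services"]),
    # ASP.NET application state dumps / stack traces
    ("aspnet-state-dump", [r"ASP\.NET_SessionId", r"data source="]),
    # Credential-looking pairs: a password word and a user word on one page
    ("credential-pair", [r"\b(password|passcode|pass)\b", r"\b(username|userid|user)\b"]),
    # Exported registry data that may carry mail account secrets
    ("registry-export", [r"Windows Registry Editor|REGEDIT4", r"Internet Account Manager"]),
]


def find_disclosures(body: str) -> List[str]:
    """Return the names of all rules whose every pattern matches the body."""
    hits = []
    for name, patterns in RULES:
        if all(re.search(p, body, re.IGNORECASE) for p in patterns):
            hits.append(name)
    return hits


def audit_pages(pages: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each path to its findings, omitting pages with no findings."""
    report = {}
    for path, body in pages.items():
        hits = find_disclosures(body)
        if hits:
            report[path] = hits
    return report


# Constructed sample responses (not real captures).
SAMPLE_PAGES = {
    "/missing": "<html><head><title>404 Not Found</title></head><body>"
                "<h1>Not Found</h1><hr>Apache/1.3.27 Server at www.example.test Port 80</body></html>",
    "/trace.axd": "Session: ASP.NET_SessionId=abc\nConnectionString: data source=db1;user id=sa;password=REDACTED",
    "/index.html": "<html><body><h1>Welcome</h1></body></html>",
}

if __name__ == "__main__":
    for path, hits in audit_pages(SAMPLE_PAGES).items():
        print(f"{path}: {', '.join(hits)}")
```

Feed it the bodies of the pages a crawler can reach, error and default pages included; for the Apache footer, removing it with ServerSignature Off and ServerTokens Prod takes that fingerprint out of the index altogether.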
Goolag Scanner
“Goolag Scanner” is software published by the well-known hacker group “Cult of the Dead Cow (cDc)”.
This software turns Google’s search engine into a vulnerability scanner.
It allows you to scan websites or Internet domains for vulnerabilities.
It works on the “Dork” pattern:
• A dork is a search pattern used with Google's search engine.
• The results of a dork search expose possible security attacks.
Features of Goolag
Goolag Scanner uses simple and readable XML documents.
It simplifies the use of myriad dorks to a few mouse clicks.
Knowledge of cryptic command line options and Google hacking basics is not required to use this scanner.
It helps to check the website before criminals can attack weak points.
Goolag Scanner Screenshot
Summary
In this module, we have reviewed Google penetration testing.
We have discussed the advanced Google techniques:
• Overview of software error messages
• Overview of default pages
• Explanation of techniques to reveal passwords
• Locating targets
• Searching for passwords