You found that on Google?
Transcript of You found that on Google?
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 1
You found that on Google?
Gaining awareness about “Google Hackers”
Johnny Long
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 2
HUGE DISCLAIMER!•The print version of thispresentation is muchsmaller than the liveversion!
• The live version shows many more techniquesand examples.
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 3
What this is about
• We’ll be talking about how hackers can use Google tolocate vulnerable targets and sensitive information
• This process has been termed “Google hacking”
• We will be blowing through the basics– After all, this is Blackhat! =)
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 4
Advanced Operators
• Google advanced operators help refine searches
• Advanced operators use a syntax such as the following:– operator:search_term
• Notice that there's no space between the operator, thecolon, and the search term
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 5
Advanced Operators
• site: restrict a search to a specific web site or domain– The web site to search must be supplied after the colon.
• filetype: search only within the text of a particular type of file
• link: search within hyperlinks
• cache: displays the version of a web page as it appearedwhen Google crawled the site
• intitle: search for a term in the title of a document
• inurl: search only within the URL (web address) of adocument
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 6
Search Characters
• Some characters:• ( + ) force inclusion of a search term
• ( - ) exclude a search term
• ( “ ) use quotes around search phrases
• ( . ) a single-character wildcard
• ( * ) any word
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 7
Site Crawling
• To find every web page Google has crawled for a specificsite, use the site: operator
site: microsoft.com
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 8
Server Crawling
• To locate additional servers, subtract common hostnamesfrom the query
site: microsoft.com-site:www.microsoft.com
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 9
Directory Listings
• Directory listings can be a source of great information
intitle:index.of/admin
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 10
Directory Listings
• Directory listings can provide server version information
intitle:index.of apache server.at
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 11
Default Server Pages
• Web servers with default pages can serve as juicy targets
intitle:test.page.for.apache “it worked”
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 12
Default Server Pages
• Web servers with default pages can serve as juicy targets
allintitle:Netscape FastTrack ServerHome Page
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 13
Default Server Pages
• Web servers with default pages can serve as juicy targets
intitle:"Welcome to Windows 2000Internet Services"
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 14
Default Server Pages
• Web servers with default pages can serve as juicy targets
intitle:welcome.to.IIS.4.0
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 15
Default Server Pages
• Web servers with default pages can serve as juicy targets
allintitle:Welcome to Windows XPServer Internet Services
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 16
Default Server Pages
• Web servers with default pages can serve as juicy targets
allintitle:”Welcome to InternetInformation Server”
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 17
Default Server Pages
• Web servers with default pages can serve as juicy targets
allintitle:Netscape Enterprise ServerHome Page
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 18
Default Server Pages
• Web servers with default pages can serve as juicy targets
allintitle:Netscape FASTTRACKServer Home Page
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 19
Default Documents
• Servers can also be profiled via default manuals anddocumentation
intitle:"Apache HTTP Server"intitle:"documentation"
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 20
Error Messages
• Server profiling is easy with some error messages
intitle:"Error using Hypernews""Server Software"
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 21
Error Messages
• CGI environment vars provide a great deal of information
• The generic way to find these pages is by focusing on thetrail left by the googlebot crawler
“HTTP_USER_AGENT=Googlebot”
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 22
Error Messages
• after a generic search, we can narrow down to the fields wefind more interesting
“HTTP_USER_AGENT=Googlebot”TNS_ADMIN
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 23
Vulnerability Trolling
• Many attackers find vulnerable targets via Google
• A typical security advisory may look like this:
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 24
Vulnerability Trolling
• A quick browse of the vendor’s website reveals a demo ofthe product
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 25
Vulnerability Trolling
• The demo page suggests one method for finding targets
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 26
Vulnerability Trolling
• A quick intitle: search suggests more vectors…
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 27
Vulnerability Trolling
• This search finds the documentation included with the product
• These sites are probably poorly configured
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 28
Vulnerability Trolling
• Other searches are easy to discover as well…
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 29
Vulnerability Trolling
• Other searches are easy to discover as well…
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 30
Vulnerability Trolling
• Many times, a good search string is much simpler to come upwith
• Consider this advisory:
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 31
Vulnerability Trolling
• A creative search finds vulnerable targets
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 32
CGI Scanning
• In order to locate web vulnerabilities on a larger scale,many attacker will use a ‘CGI’ scanner
• Most scanners read a data file and query target webservers looking for the vulnerable files
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 33
CGI Scanning
• A CGI scanner’svulnerability file…
• can be converted toGoogle queries in anumber of differentways:
/iisadmpwd/ /iisadmpwd/achg.htr /iisadmpwd/aexp.htr /iisadmpwd/aexp2.htr /iisadmpwd/aexp2b.htr
inurl;/iisadmpwd/ inurl;/iisadmpwd/achg.htr inurl;/iisadmpwd/aexp.htr inurl;/iisadmpwd/aexp2.htr inurl;/iisadmpwd/aexp2b.htr
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 34
Vulnerability Trolling
• Regardless of the age of the vulerability, there areusually vulnerable targets
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 35
Port Scanning
• Although port numbers are sometimes found in the url, there’sno easy way to scan just for a port number… the results aremuch too copious
inurl:5800
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 36
Port Scanning
"VNC Desktop" inurl:5800
• We can use creative queries to sniff out services that may belistening on particular ports
• VNC Desktop, port 5800
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 37
Port Scanning
inurl:webmin inurl:10000
• Webmin, port 10000
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 38
Port Scanning
• Google can be used to find sites to do theportscanning for you
• Consider the Network Query Tool
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 39
Port Scanning
• NQT allows web users to perform traceroutes, rdnslookups and port scans.
• This is the NQT program checking port 80 onwww.microsoft.com:
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 40
Port Scanning
• Google can be used to locate servers running the NQT program,nqt.php
• Once servers are harvested, they can be used to perform port scans(usually through a web proxy)
• NQT also allows remote posts, so that more than one port can bechecked at a time
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 41
Login Portals
• The most generic of login portals
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 42
Login Portals
• Another very generic portal
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 43
Login Portals
• Microsoft Outlook Web Access
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 44
Login Portals
• Coldfusion Admin Page
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 45
Login Portals
• Windows Remote Desktop
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 46
Login Portals
• Citrix Metaframe
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 47
SQL Information
• Gathering SQL usernames is simple with this search
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 48
SQL Information
• This is an SQL dump made by phpmyadmin
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 49
SQL Information
• This is a complete database schema dump, essentially acomplete database backup
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 50
SQL Information
• This query will locate SQL schemas on the web
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 51
SQL Information
• In addition, this query finds the words username andpassword inside the SQL dump
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 52
SQL Information
• This potent query finds SQL dumps wither username, user,users or password as a table name
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 53
SQL Information
• This graphical front-end to SQL is mis-configured to allowanyone admin access
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 54
SQL Information
• This search can be used by hackers to find SQL injectiontargets
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 55
SQL Information
• …another SQL injection target…
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 56
SQL Information
• ..and another…
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 57
SQL Information
• the mysql_connect function makes a database query with asupplied username and password
• This file should not be on the web
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 58
SQL Information
• In most cases, there’s nothing better for an SQL injectorthan a complete line of SQL source code…
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 59
SQL Information
• …except for really long lines of SQL code…
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 60
Examples
• *** LIVE EXAMPLES REMOVED FROM PRINT VERSION***
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 61
Prevention
• Do not put sensitive data on your web site, even temporarily
• Proactively check your web presence with Google on aregular basis
• Use sites like http://johnny.ihackstuff.com to keep up on thelatest “Google Hacks”
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 62
Prevention
• Use site: queries against each of your web hosts
• Don’t forget about hosts that do not have DNS names
• Scan each result page, ensuring that each and every page itsupposed to be in Google’s database
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 63
Prevention
• Automate your scans with tools like sitedigger byFoundstone
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 64
Presentation Materials
• This is a condensed version of the actual presentation givenat the event
• For more information, please see:http://johnny.ihackstuff.com
• Or contact:Johnny LongCSC Global Security Solutionse-mail: [email protected]
• Private e-mail: [email protected]
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 65
Information About Johnny
• Mr. Long has been involved in system security since a very early age, andhas accentuated his natural aptitude for computer technology throughinvolvement in major security efforts for the Department of Defense andcorporate America. A System Engineer with 10 years experience in mostareas of technical and functional support and system development, Mr.Long possesses a strong background in many elements of network andsystem operation as well as computer, network and physical security.
Equally adept in most aspects of Windows NT and UNIX systems as wellas many current technologies, Mr. Long has proven to be a very fast studyin the face of the ever-changing computer industry. An exceptionallyaccomplished speaker and trainer, Mr. Long has the rare ability to presenthighly technical material in a way that is beneficial for both technical andnon-technical audiences.
Mr. Long is currently employed by Computer Sciences Corporation (CSC).
CSC Proprietary 7/9/04 2:45 PM 008_5864_WHT 66
Thanks
• Thanks to God for the gift of life.
• Thanks to my wife for the gift of love.
• Thanks to my kids for the gift of laughter.
• Thanks to my friends for filling in the blanks.