Ethical Hacking and Countermeasures Version 6
Module IV
Google Hacking
Module Objective
This module will familiarize you with:
• What is Google Hacking
• What a Hacker Can Do With a Vulnerable Site
• Google Hacking Basics
• Google Advanced Operators
• Pre-Assessment
• Locating Exploits and Finding Targets
• Tracking Down Web Servers, Login Portals, and Network Hardware
• Google Hacking Tools
EC-Council
Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
What is Google Hacking
Google hacking is a term that refers to the art of creating complex search engine queries in order to filter through large amounts of search results for information related to computer security. In its malicious form, it can be used to detect websites that are vulnerable to numerous exploits and vulnerabilities, as well as to locate private, sensitive information about others, such as credit card numbers, social security numbers, and passwords.
Google hacking involves using Google operators to locate specific strings of text within search results.
What a Hacker Can Do With a Vulnerable Site
Information that the Google Hacking Database identifies:
• Advisories and server vulnerabilities
• Error messages that contain too much information
• Sensitive directories
• Pages containing logon portals
• Pages containing network or vulnerability data such as firewall logs
Anonymity with Caches
Hackers can get a copy of sensitive data even if the plug on that pesky Web server is pulled, and they can crawl through an entire website without even sending a single packet to the server.
If the web server does not get so much as a packet, it cannot write anything to its log files.
Using Google as a Proxy Server
Google sometimes works as a proxy server, which requires a Google translation URL. A translation URL is generated through Google's translation feature.
If a URL is entered into the “Translate a web page” field, by selecting a language, Google translates the contents of the Web page and generates a translation URL.
Directory Listings
A directory listing is a type of Web page that lists files and directories that exist on a Web server.
It is designed to be navigated by clicking directory links; directory listings typically have a title that describes the current directory and a list of files and directories that can be clicked. Just like an FTP server, directory listings offer a no-frills, easy-install solution for granting access to files.
Problems faced by directory listings are:
• They do not prevent users from downloading certain files or accessing certain directories, hence they are not secure
• They can display information that helps an attacker learn specific technical details about the Web server
• They do not discriminate between files that are meant to be public and those that are meant to remain behind the scenes
• They are often displayed accidentally, since many Web servers display a directory listing if a top-level index file is missing or invalid
Locating Directory Listings
Since directory listings offer parent directory links and allow browsing through files and folders, an attacker can find sensitive data simply by locating listings and browsing through them.
Locating directory listings with Google is fairly straightforward, as they begin with the phrase “Index of,” which shows in the title.
An obvious query to find this type of page might be intitle:index.of, which can find pages with the term “index of” in the title of the document.
The intitle:index.of “parent directory” or intitle:index.of “name size” queries indeed provide directory listings by focusing not only on index.of in the title but also on keywords often found inside directory listings, such as parent directory, name, and size.
Finding Specific Directories
This is easily accomplished by adding the name of the directory to the search query.
To find directories such as “admin” that are accessible from directory listings, queries such as intitle:index.of.admin or intitle:index.of inurl:admin will work well, as shown in the following figure.
Finding Specific Files
As the directory listing is in tree style, it is also possible to find specific files in a directory listing. To find WS_FTP log files, try a search such as intitle:index.of ws_ftp.log, as shown in the figure below:
Server Versioning
The information an attacker can use to determine the best method for attacking a Web server is its software version.
An attacker can retrieve that information by connecting directly to the Web port of that server and issuing a request for the HTTP headers. Some typical directory listings provide the name of the server software as well as the version number at the bottom portion of the page. This information can be faked, but attacks on the web server are still planned from it.
The intitle:index.of “server at” query will locate all directory listings on the Web with index of in the title and server at anywhere in the text of the page.
In addition to identifying the Web server version, it is also possible to determine the operating system of the server as well as the modules and other software that are installed. The server versioning technique can be extended by including more details in the query.
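A checker for the two leaks just described, added here as an example (not code from the EC-Council module): it flags a page as an exposed directory listing and parses the server product, OS and modules out of the “Server at” footer that the intitle:index.of “server at” query relies on. The sample pages are constructed, and the fixes it names are the Apache directives that turn each leak off.

```python
"""Audit a fetched page for an exposed directory listing (title "Index of"
plus a "Parent Directory" link) and for the "Server at" footer that names
the server software, OS and modules.  Added example for checking one's own
web server, not code from the EC-Council module; sample pages constructed."""
import re

TITLE = re.compile(r"<title>\s*Index of\s+(?P<path>[^<\s]+)\s*</title>", re.I)
PARENT = re.compile(r">\s*Parent Directory\s*<", re.I)
# file links in the listing; skips "?C=N;O=D" sort links and the parent link
ENTRY = re.compile(r'<a href="(?P<name>[^"?/][^"]*)"', re.I)
# Apache ServerSignature footer: "Apache/1.3.27 (Unix) PHP/4.3.1 Server at host Port 80"
FOOTER = re.compile(
    r"<address>(?P<banner>.*?) Server at (?P<host>[^ <]+) Port (?P<port>\d+)",
    re.I | re.S)


def audit_page(html: str) -> dict:
    """Return what the page leaks and the Apache directives that stop it."""
    f = {"listing": False, "path": None, "entries": [], "banner": None,
         "server": None, "os": None, "modules": [], "host": None, "fixes": []}
    t = TITLE.search(html)
    if t and PARENT.search(html):      # require both signals, as the query does
        f["listing"] = True
        f["path"] = t.group("path")
        f["entries"] = [m.group("name") for m in ENTRY.finditer(html)]
        f["fixes"].append("Options -Indexes (or add an index file)")
    m = FOOTER.search(html)
    if m:
        banner = m.group("banner").strip()
        f["banner"], f["host"] = banner, m.group("host")
        paren = re.search(r"\(([^)]*)\)", banner)       # "(Unix)" is the OS token
        f["os"] = paren.group(1) if paren else None
        tokens = re.sub(r"\([^)]*\)", " ", banner).split()
        f["server"], f["modules"] = tokens[0], tokens[1:]
        f["fixes"].append("ServerSignature Off and ServerTokens Prod")
    return f


# constructed: a listing of a backup directory on a server that still has
# Indexes enabled and a full ServerSignature
EXPOSED = """<html><head><title>Index of /admin/backup</title></head><body>
<h1>Index of /admin/backup</h1>
<pre><a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a> <a href="?C=S;O=A">Size</a>
<hr><a href="/admin/">Parent Directory</a>   -
<a href="ws_ftp.log">ws_ftp.log</a>  12-Mar-2004 10:12  4.1K
<a href="index.php.bak">index.php.bak</a>  12-Mar-2004 10:12  2.0K
</pre><hr>
<address>Apache/1.3.27 (Unix) PHP/4.3.1 mod_ssl/2.8.12 Server at www.example.com Port 80</address>
</body></html>"""

# constructed: the same request after Options -Indexes and ServerSignature Off
HARDENED = """<html><head><title>403 Forbidden</title></head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /admin/backup/ on this server.</p>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit_page(page))
```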
Going Out on a Limb: Traversal
Attackers use traversal techniques to expand a small foothold into a larger compromise. The query intitle:index.of inurl:“/admin/*” helps with traversal, as shown in the figure:
Directory Traversal
By clicking on the parent directory link, the sub-links under it will open. This is basic directory traversal. Apart from walking through the directory tree, traversal can also be done directly against the target Web server.
Poorly coded third-party software products installed on the server accept directory names as arguments, which allows users to view files above the web server directory.
Incremental Substitution
Incremental substitution is used to find directories or files that are hidden, or unlinked from other pages.
By changing the numbers in the file names, the other files can be found.
In some examples, substitution is used to modify the numbers in the path:
• /docs/bulletin/1.xls could be modified to /docs/bulletin/2.xls
• /DigLib_thumbnail/spmg/hel/0001/H/ could be changed to /DigLib_thumbnail/spmg/hel/0002/H/
• /gallery/wel008-1.jpg could be modified to /gallery/wel008-2.jpg
Extension Walking
File extensions, and how the filetype operator can be used to locate files with specific file extensions.
HTM files can be easily searched with a query such as filetype:HTM HTM.
Filetype searches require a search parameter, and files ending in HTM always have HTM in the URL. After locating HTM files, the substitution technique is used to find files with the same file name and a different extension. The easiest way to determine the names of backup files on a server is to locate a directory listing using intitle:index.of, or to search for specific files with queries such as intitle:index.of index.php.bak or inurl:index.php.bak. If a system administrator or Web authoring program creates backup files with a .BAK extension in one directory, there is a good chance that BAK files will exist in other directories as well.
Site Operator
The site operator is absolutely invaluable during the information-gathering phase of an assessment.
Site search can be used to gather information about the servers and hosts that a target hosts.
Using simple reduction techniques, you can quickly get an idea about a target's online presence.
Consider the simple example of site:washingtonpost.com -site:www.washingtonpost.com, which returns pages on any washingtonpost.com host or domain other than www.washingtonpost.com.
intitle:index.of
intitle:index.of is the universal search for directory listings
In most cases, this search applies only to Apache-based servers, but due to the overwhelming number of Apache-derived Web servers on the Internet, there is a good chance that the server you are profiling will be Apache-based.
error | warning
Error messages can reveal a great deal of information about a target
Often overlooked, error messages can provide insight into the application or operating system software a target is running, the architecture of the network the target is on, information about users on the system, and much more.
Not only are error messages informative, they are prolific
A query of intitle:error returns over 55 million results.
login | logon
Login portals can reveal the software and operating system of a target, as can the “help” page of a login portal.
These documents are designed to assist users who run into problems during the login process.
Whether the user has forgotten his or her password or even username, this document can provide clues that might help an attacker.
Documentation linked from login portals lists e-mail addresses, phone numbers, or URLs of human assistants who can help a troubled user regain lost access, which can be used in a social engineering attack.
username | userid | employee.ID | “your username is”
There are many different ways to obtain a username from a target system. Even though a username is the less important half of most authentication mechanisms, it should at least be marginally protected from outsiders.
password | passcode | “your password is”
The word password is so common on the Internet that there are over 73 million results for this one-word query.
During an assessment, it is very likely that results for this query combined with a site operator will include pages that provide help to users who have forgotten their passwords.
In some cases, this query will locate pages that provide policy information about the creation of a password.
This type of information can be used in an intelligent-guessing or even a brute-force campaign against a password field.
admin | administrator
The word administrator is often used to describe the person in control of a network or system.
The word administrator can also be used to locate administrative login pages, or login portals.
The phrase Contact your system administrator is a fairly common phrase on the Web, as are several basic derivations. A query such as “please contact your * administrator” will return results that reference local, company, site, department, server, system, network, database, e-mail, and even tennis administrators. This contact information has at least moderate importance to a security tester.
-ext:html -ext:htm -ext:shtml -ext:asp -ext:php
The -ext:html -ext:htm -ext:shtml -ext:asp -ext:php query uses ext, a synonym for the filetype operator, and is a negative query. It returns no results when used alone and should be combined with a site operator to work properly. The idea behind this query is to exclude some of the most common Internet file types in an attempt to find files that might be more interesting.
inurl:temp | inurl:tmp | inurl:backup | inurl:bak
The inurl:temp | inurl:tmp | inurl:backup | inurl:bak query, combined with the site operator, searches for temporary or backup files or directories on a server.
Although there are many possible naming conventions for temporary or backup files, this search focuses on the most common terms.
Since this search uses the inurl operator, it will also locate files that contain these terms as file extensions, such as index.html.bak.
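The same names this query and the Extension Walking slide look for (temp, tmp, backup, bak, .bak copies such as index.php.bak, ws_ftp.log) can be hunted on one's own document root before a search engine indexes them; the following is an added example, not the module's code, and it also flags directories with no index file, which the Directory Listings slide notes many servers serve as a listing. The demo webroot, its file names and the list of index file names are constructed assumptions.

```python
"""Walk a document root for the leftovers the queries above find on live
servers: .bak/.tmp copies, WS_FTP logs, temp/tmp/backup/bak paths, and
directories with no index file (served as a listing when Indexes is on).
Added example for auditing one's own webroot; not code from the EC-Council
module.  The demo webroot is constructed in a temporary directory."""
import os
import re
import tempfile

TEMP_NAMES = {"temp", "tmp", "backup", "bak"}        # the inurl: terms above
BACKUP_EXT = re.compile(r"\.(bak|tmp)$", re.I)        # index.php.bak, index.html.bak
# assumed index file names; match these to the server's DirectoryIndex setting
INDEX_NAMES = {"index.html", "index.htm", "index.php", "index.asp", "default.htm"}


def audit_webroot(root: str) -> dict:
    """Return URL paths (relative to the webroot) for each class of finding."""
    found = {"backup_files": [], "ftp_logs": [], "temp_dirs": [], "no_index": []}
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        url = "/" if rel == "." else "/" + rel + "/"
        if url != "/" and os.path.basename(dirpath).lower() in TEMP_NAMES:
            found["temp_dirs"].append(url)
        if not any(n.lower() in INDEX_NAMES for n in files):
            found["no_index"].append(url)      # would be listed if Indexes is on
        for name in files:
            low = name.lower()
            if low == "ws_ftp.log":
                found["ftp_logs"].append(url + name)
            elif BACKUP_EXT.search(low) or TEMP_NAMES & set(low.split(".")):
                found["backup_files"].append(url + name)
    return {k: sorted(v) for k, v in found.items()}


# constructed layout: a mostly normal site with the kinds of leftovers the
# module describes
DEMO_FILES = [
    "index.html",
    "docs/index.html",
    "docs/report.pdf",
    "admin/index.php",
    "admin/index.php.bak",
    "admin/backup/site.tar",
    "images/logo.gif",
    "tmp/ws_ftp.log",
]


def build_demo_webroot(root: str) -> None:
    """Create the constructed files under root."""
    for path in DEMO_FILES:
        full = os.path.join(root, *path.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("constructed sample\n")


def demo() -> dict:
    """Build the sample webroot in a temp dir, audit it and return findings."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_webroot(root)
        return audit_webroot(root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```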
intranet | help.desk The term intranet, despite more specific technical meanings, has become a generic term that describes a network confined to a small group
In most cases, the term intranet describes a closed or private network unavailable to the general public
Many sites have configured portals that allow access to an intranet from the Internet, bringing this typically closed network one step closer to the potential attackers
Figure: Unavailable to public
Locating Public Exploit Sites
One way to locate exploit code is to focus on the file extension of the source code and then on its contents.
Since source code is the text-based representation of the difficult-to-read machine code, Google is well suited for this task. For example, a large number of exploits are written in C, which generally uses source code ending in a .c extension. A query for filetype:c exploit returns around 5,000 results, most of which are exactly the types of programs you are looking for.
These are the most popular sites hosting C source code containing the word exploit; the returned list is a good start for a list of bookmarks. Using page-scraping techniques, you can isolate these sites by running a UNIX command against the dumped Google results page:
grep Cached exp | awk -F" -" '{print $1}' | sort -u
Locating Exploits Via Common Code Strings
Another way to locate exploit code is to focus on common strings within the source code itself.
One way to do this is to focus on common inclusions or header references.
For example, many C programs include the standard input/output library functions, which are referenced by an include statement such as #include <stdio.h> within the source code. A query like this would locate C source code that contained the word exploit, regardless of the file's extension:
• “#include <stdio.h>” exploit
Locating Targets Via Demonstration
Develop a query string to locate vulnerable targets on the Web, starting from the vendor's Web site. For example, some administrators might modify the format of a vendor-supplied Web page to fit the theme of the site. These types of modifications can impact the effectiveness of a Google search that targets a vendor-supplied page format. You can find that most sites look very similar and that nearly every site has a “powered by” message at the bottom of the main page.
Locating Targets Via Source Code
A hacker might use the source code of a program to discover ways to search for that software with Google. To find the best search string to locate potentially vulnerable targets, you can visit the Web page of the software vendor to find the source code of the offending software. Alternatively, the hacker can simply download the offending software and run it on a machine he controls to get ideas for potential searches.
Locating Targets Via CGI Scanning
One of the oldest and most familiar techniques for locating vulnerable Web servers is through the use of a CGI scanner. These programs parse a list of known “bad” or vulnerable Web files and attempt to locate those files on a Web server. Based on various response codes, the scanner can detect the presence of these potentially vulnerable files. A CGI scanner can list vulnerable files and directories in a data file, such as:
Finding IIS 5.0 Servers
Query for “Microsoft-IIS/5.0 server at”
Web Server Software Error Messages
Error messages contain a lot of useful information, but in the context of locating specific servers, you can use portions of various error messages to locate servers running specific software versions.
The best way to find error messages is to figure out what messages the server is capable of generating. You could gather these messages by examining the server source code or configuration files, or by actually generating the errors on the server yourself.
The best way to get this information from IIS is by examining the source code of the error pages themselves. IIS 5 and 6, by default, display static HTTP/1.1 error messages when the server encounters some sort of problem. These error pages are stored by default in the %SYSTEMROOT%\help\iisHelp\common directory.
Apache Web Server
Apache Web servers can also be located by focusing on server-generated error messages. Generic searches such as “Apache/1.3.27 Server at” -intitle:index.of intitle:inf or “Apache/1.3.27 Server at” -intitle:index.of intitle:error can be used.
Application Software Error Messages
Application error messages are much more revealing.
Consider the query “ASP.NET_SessionId” “data source=”, which locates unique strings found in ASP.NET application state dumps.
These dumps reveal all sorts of information about the running application and the Web server that hosts that application. An advanced attacker can use encrypted password data and variable information in these stack traces to subvert the security of the application and perhaps the Web server itself.
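An added example (not the module's code) that inspects an error page for exactly what the “ASP.NET_SessionId” “data source=” query surfaces, masks the credential values it finds, and names the ASP.NET customErrors setting that keeps such dumps from being served to remote users; the sample dump is constructed.

```python
"""Check an error page for what the ASP.NET state dumps described above
reveal: the ASP.NET_SessionId cookie, a "data source=" connection string with
credentials, and a stack trace.  Added example for reviewing one's own error
output; not code from the EC-Council module.  The sample dump is constructed."""
import re

CONN_STR = re.compile(r"""data source=[^;<"']+(?:;[^;<"']+)*""", re.I)
CREDENTIAL = re.compile(r"(password|pwd|user id|uid)=([^;]*)", re.I)
STACK_FRAME = re.compile(r"^\s+at\s+\S+", re.M)      # "   at Ns.Class.Method()"
SESSION_COOKIE = re.compile(r"ASP\.NET_SessionId", re.I)


def audit_error_page(html: str) -> dict:
    """Return the leaked items (credential values masked) and, if anything
    leaked, the web.config setting that keeps dumps out of remote responses."""
    leak = {"session_cookie": bool(SESSION_COOKIE.search(html)),
            "connection_strings": [], "credentials": [],
            "stack_frames": len(STACK_FRAME.findall(html)), "fix": None}
    for m in CONN_STR.finditer(html):
        conn = m.group(0)
        leak["credentials"] += [k.lower() for k, _ in CREDENTIAL.findall(conn)]
        leak["connection_strings"].append(CREDENTIAL.sub(r"\1=***", conn))
    if leak["session_cookie"] or leak["connection_strings"] or leak["stack_frames"]:
        leak["fix"] = '<customErrors mode="On" defaultRedirect="error.htm" />'
    return leak


# constructed: the shape of an ASP.NET error page that dumps application state
DUMP = """<html><head><title>Server Error in '/shop' Application.</title></head>
<body><h2><i>Login failed for user 'shop_app'.</i></h2>
<b>Stack Trace:</b>
<pre>
[SqlException (0x80131904): Login failed for user 'shop_app'.]
   at System.Data.SqlClient.SqlConnection.Open()
   at Shop.Data.Orders.Load(Int32 id)
   at Shop.Orders.Page_Load(Object sender, EventArgs e)
</pre>
<b>Connection:</b> Data Source=db01.internal;Initial Catalog=shop;User ID=shop_app;Password=Winter2008!<br>
<b>Cookies:</b> ASP.NET_SessionId=abc123def456
</body></html>"""

# constructed: what a remote user should see instead
GENERIC = "<html><body><h1>Sorry, something went wrong.</h1></body></html>"

if __name__ == "__main__":
    print(audit_error_page(DUMP))
    print(audit_error_page(GENERIC))
```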
Default Pages
Another way to locate specific types of servers or Web software is to search for default pages.
Most Web software, including the Web server software itself, ships with one or more default or test pages.
These pages can make it easy for a site administrator to test the installation of a Web server or application.
Some sites are still in the middle of installation, still displaying a set of default pages.
In these cases there is generally a short window of time between the moment when Google crawls the site and when the intended content is actually placed on the server.
Searching for Passwords
Password data, one of the “Holy Grails” during a penetration test, should be protected.
Examples of Google queries can be used to locate passwords on the Web.
Google Hacking Database
The Google Hacking Database (GHDB) contains queries that identify sensitive data such as portal logon pages, logs with network security information, and so on. Visit http://johnny.ihackstuff.com
Summary
In this module, Google hacking techniques have been reviewed
The following Google hacking techniques have been reviewed:
• Software Error Messages
• Default pages
• Explanation of techniques to reveal passwords
• Locating targets
• Searching for passwords