Google Hacking: Objective

Google Hacking uses Google Search to find security holes in the configuration and code that websites use. Utilize searches to reveal sensitive information, such as usernames/passwords, internal documents, etc. The techniques are commonly used during penetration testing.

This is a skill-set development lab – no work needs to be turned in. Put in 30 minutes or more.

Caveats
• Look but don't exploit
• Activity shows up in web logs and some IPS tools
• Watch out for honeypots, SEO poisoning, and traps
• Look before you click
Google Hacking Lab
1
Requirements

The network security lab is isolated from the campus, so you will need a computer with Internet access. Make sure it is fully patched (OS, BHO, Adobe, players, etc.) and the firewall is on.

To get started:
• Open any internet browser
• Type www.google.com into the address bar
The site: operator

The site: search is invaluable in all directed Google searches. Combined with a host or domain name, the results are listed in page-ranked order.

Type site:pacific.edu into the Google search bar.
Further refining the search

After site:pacific.edu, type in login | logon and run the search. Note that the results show the main login page associated with Pacific (insidePacific), as well as the student and staff logins.

login | logon finds login pages associated with any particular website. The significance of this is that login pages are the "front door" and often reveal the nature of the operating system and software, and even offer clues for gaining access to the site.
There are several variations of basic Google searches like login | logon. All are self-explanatory and merely return web sites that contain the word(s) specified.

username | userid | employee.ID | "your username is"
admin | administrator
password | "your password is"
error | warning

These queries are good for checking servers to locate possible vulnerabilities and determining what software is being used. This allows attackers with a particular exploit to locate potential targets.
inurl:temp | inurl:tmp | inurl:backup | inurl:bak

The inurl: prefix will cause Google to find any file whose URL contains what was specified. inurl: can be used with any other search term.

intitle: – The intitle: prefix will cause Google to search for any terms within the title (the HTML title tag) of the document. As with inurl:, intitle: can be used with any other search term to produce useful results.

intitle:index.of.config – These directories can give information about a web server's configuration, such as ports, security permissions, etc.
intitle:index.of.etc – The /etc/ directory often contains password files, which are usually protected with an MD5 hash.
Examples of other uses of intitle:

intitle:index.of mp3 jackson – Brings up listings of files and directories that contain "mp3" and "jackson." Warning: malware sites may spoof intitle content.
intitle:index.of passwd passwd.bak – Similar to above, only with password files.
intitle:error / intitle:warning – Finds error and warning pages, often revealing server version numbers.

[Screenshot: results of the intitle:index.of mp3 jackson search]
Special operators in searches

While creating searches that look for exploits, there are several special operators that Google recognizes that are sometimes necessary for the desired results.

("") – Surrounding a search term in quotes causes Google to include all the terms specified, in the order they are specified.
(-) – Use before an operator to exclude the search term following it (e.g. -ext:html would exclude all html files from the results).
(.) – Use to represent a single-character wildcard (e.g. intitle:index.of searches cause the period to match the space between "index" and "of").
(*) – Use to represent a single-word wildcard (e.g. "growth demands a * * * *" returns the quote "Growth demands a temporary surrender of security.").
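The Caveats slide notes that this activity shows up in web logs. The following added Python example (not part of the lab deck) shows the defender's side of that: it scans Combined Log Format lines for a Google Referer whose q= parameter carries the operators described above, and for requests to the kinds of paths the inurl:/intitle: examples point at. It assumes the historical Google referer format that still carried the search string; on current logs only the path signal remains, and the sample log lines are constructed.

```python
"""Flag Google-hacking activity in web server access logs (added example,
not part of the lab deck; the sample log lines below are constructed)."""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Operators from the deck's queries; index.of covers the intitle:index.of variants.
DORK_OPERATORS = re.compile(
    r'(?:^|\s)(?:site|inurl|intitle|ext|filetype|phonebook):|index\.of|disallow:', re.I)
# Path fragments the deck's inurl:/intitle: examples point at.
SENSITIVE_PATHS = re.compile(
    r'/(?:backup|bak|tmp|temp|etc)(?:/|$)|\.(?:bak|pwd|sql)$|config\.php|passwd', re.I)
# Combined Log Format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def google_query(referer: str) -> Optional[str]:
    """Return the q= search string when the Referer is a Google results page."""
    parts = urlsplit(referer)
    if not parts.hostname or 'google.' not in parts.hostname:
        return None
    q = parse_qs(parts.query).get('q')  # parse_qs already percent-decodes
    return q[0] if q else None

def classify(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None if nothing looks like a dork."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    reasons = []
    query = google_query(m['referer'])
    if query and DORK_OPERATORS.search(query):
        reasons.append(f'dork referer: {query}')
    if SENSITIVE_PATHS.search(m['path']):
        reasons.append(f'sensitive path: {m["path"]}')
    return {'ip': m['ip'], 'path': m['path'], 'reasons': reasons} if reasons else None

def scan(lines):
    """Findings for every suspicious line, in log order."""
    return [f for f in map(classify, lines) if f]

SAMPLE_LOG = [  # constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
    '203.0.113.7 - - [10/Oct/2009:13:55:36 -0700] "GET /login.html HTTP/1.1" 200 512 '
    '"http://www.google.com/search?q=site%3Aexample.edu+login+%7C+logon" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2009:13:56:01 -0700] "GET /backup/ HTTP/1.1" 200 4096 '
    '"http://www.google.com/search?q=intitle%3Aindex.of.config" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Oct/2009:13:57:10 -0700] "GET /index.html HTTP/1.1" 200 1024 '
    '"http://www.google.com/search?q=example+university+admissions" "Mozilla/5.0"',
]
```

scan(SAMPLE_LOG) returns two findings, both for 203.0.113.7; the third line, an ordinary search referer to an ordinary page, produces none.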
Other useful searches

phonebook: – Gives the home phone and often the address of any name you put in.
ext:(doc | pdf | xls | txt | ps | rtf | odt | sxw | psw | ppt | pps | xml) – Limits Google to displaying only the file types specified, which may contain confidential information or other pertinent data not meant for outsiders to see.
"robots.txt" "disallow:" filetype:txt – Searches for the text file "robots," which specifies to the Google crawler what pages on a particular website the webmaster does not want searchable; using this search returns a list of all those locations.
Google countermeasures to protect the lame

Searches designed specifically to find credit card numbers (e.g. 300000000000000..399999999999999) or for probing for password/config directories may be "blocked" by Google using either:
• A page stating it cannot process your request due to its resemblance to a bot search
• A CAPTCHA prompt, which will still allow the search after user input
intitle:"Live View / – AXIS 206W"
WebcamXP – "powered by webcamXP" "Pro|Broadcast"
inurl:axis-cgi/mjpg
inurl:view/indexFrame.shtml
inurl:ViewerFrame?Mode=Refresh
inurl:"viewerframe?/mode=motion"
site:axiscam.net

Above are some searches for servers with network cameras, including traffic, weather, office, and pet-cams. Unsecured cameras allow the camera to be tilted, panned, zoomed, etc. Look for results that use an IP address; beware of malware sites.
Searches for printers are more useful when run inside a network. The printer below shows an error. Note the 'Properties' button.

intitle:Home "display printer status"
Examples of different searches:

intitle:"Welcome to Windows Small Business Server 2003"
inurl:ConnectComputer/precheck.htm
inurl:Remote/logon.aspx
intitle:"Welcome to 602LAN SUITE *"
intitle:"index of /backup"
"parent directory" DVDRip -xxx -html -php -shtml -opendivx
inurl:(company) filetype:iso
"#-FrontPage-" inurl:service.pwd
intitle:"Index of" config.php -Forum – username/password for the SQL database, w/ admin access
A search for SSHTerm and SSHVnc applets:

"loading the applet" "you will be asked to accept a certificate registered to 3SP LTD"
More examples of different searches:

"Powered by"
"This site is using"
"This site created by"
"This website powered by"
"This script created by"
"Thank you for using"
"Welcome to the"
enable password | secret "current configuration"
intitle:"TOPdesk ApplicationServer"

A search for the TOPdesk default logon found: admin/admin
More examples of different searches:

intitle:"Error Occurred While"
"not for public release" (url:*.edu | *.gov | *.mil)
"not for public release" -.edu -.gov -.mil
"not for distribution" confidential
"internal working draft"
"Thank you for your order" +receipt
"phone * * *" "address *" "e-mail" intitle:"curriculum vitae"
"phpMyAdmin" "running on" inurl:"main.php"
"Network Vulnerability Assessment Report"
intitle:"SHOUTcast Administrator" inurl:admin.cgi
The SHOUTcast admin page can be used to kick off users, ban their IP address, or ban their subnet. Changing printer settings can be a form of DoS.

Over time, many search patterns become less useful as users and vendors become aware (aka: gain clue). New search patterns tend not to be widely shared, in order to prolong their useful lifespan (and maybe to increase sales of books on the subject).

Good Google searching skills are part skill, part art!