Pulp Google Hacking: The Next Generation Search Engine Hacking Arsenal. 3 August 2011 – Black Hat 2011 – Las Vegas, NV

Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacking Arsenal


Last year's Lord of the Bing presentation stabbed Google Hacking in the heart with a syringe full of adrenaline and injected life back into a dying art form. New attack tools and modern defensive techniques redefined the way people thought about Google Hacking. Among these were the first ever Bing Hacking tool and the Google/Bing Hacking Alert RSS feeds, which have grown to become the world's single largest repository of live vulnerabilities on the web. And it was only the beginning…

This year, we once again tear down the basic assumptions about what Google/Bing Hacking is and the extent to which it can be exploited to target organizations and even governments. In our secret underground laboratory, we've been busy creating an entirely new arsenal of Diggity Hacking tools that we'll be unveiling for the first time and releasing for free at Black Hat USA 2011. Just a few highlights of new tools to be unveiled are:

BaiduDiggity: first ever Baidu hacking tool, which targets vulnerabilities disclosed by China's dominant search engine. DEMO: Live targeting of vulnerabilities in Chinese government websites exposed via Baidu.
DroidDiggity: fully functional GoogleDiggity and BingDiggity application for Android phones.
GoogleCodeSearchDiggity: identifying vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, and more. The tool comes with over 40 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more.
FlashDiggity: automated Google searching/downloading/decompiling/analysis of SWF files to identify Flash vulnerabilities and info disclosures.
SHODAN Hacking Alerts: new live vulnerability RSS feeds based on results from the popular SHODAN hacking search engine.
MalwareDiggity and MalwareDiggity Alerts: leveraging Bing API and the Google SafeBrowsing API together to provide an answer to a simple question, "Am I being used as a platform to distribute malware to people who visit my website?"
AlertDiggity: Windows systray application that filters the results of the various Google/Bing/Shodan Hacking Alerts RSS feeds and notifies the user if any new alerts match a domain belonging to them.
DiggityDLP: Data loss prevention tool that leverages Google/Bing to identify exposures of sensitive info (e.g. SSNs, credit card numbers, etc.) via common document formats such as .doc, .xls, and .pdf. Also utilizes Google APIs for searching across Google Docs/Spreadsheets for data leaks.
That is just a taste of the new tools that will be explored in this DEMO rich presentation. So come ready to engage us as we re-define Google Hacking once again.

http://www.stachliu.com/resources/tools/google-hacking-diggity-project/
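
The kind of self-audit the DiggityDLP description points at (finding SSNs and credit card numbers in text extracted from your own published documents) can be sketched as follows. This is an added example, not DiggityDLP's code: the regular expressions, function names and sample text are assumptions constructed here, and matches are validated (Luhn checksum, SSN structure rules) to cut false positives and masked before reporting.

```python
import re

# Assumed patterns for this example (not taken from DiggityDLP):
# 13-19 digits with optional single space/hyphen separators, and NNN-NN-NNNN.
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")

# Constructed sample of text pulled out of a .doc/.xls/.pdf on your own site.
SAMPLE = """Q3 payroll export (constructed sample)
Employee: J. Doe   SSN: 123-45-6789   card on file: 4111 1111 1111 1111
Employee: A. Roe   SSN: 000-12-3456   card on file: 1234 5678 9012 3456
Ticket ref 2011-08-03-0042, phone 555-0100
"""


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, sum mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def ssn_ok(area, group, serial):
    """Reject SSN shapes that are never issued (area 000/666/9xx, 00, 0000)."""
    return not (area in ("000", "666") or area[0] == "9"
                or group == "00" or serial == "0000")


def scan_text(text):
    """Return masked findings as (kind, masked_value); cards first, then SSNs."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        if ssn_ok(*m.groups()):
            findings.append(("ssn", "***-**-" + m.group(3)))
    return findings


if __name__ == "__main__":
    for kind, masked in scan_text(SAMPLE):
        print(f"{kind:5} {masked}")
```
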


Transcript of "Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacking Arsenal"

  1. Pulp Google Hacking: The Next Generation Search Engine Hacking Arsenal
     3 August 2011 – Black Hat 2011 – Las Vegas, NV
     Presented by: Francis Brown, Rob Ragan
     Stach & Liu, LLC
     www.stachliu.com
  2. Agenda - OVERVIEW
     • Introduction/Background
     • Advanced Attacks
         • Google/Bing Hacking - Core Tools
         • NEW Diggity Attack Tools
     • Advanced Defenses
         • Google/Bing Hacking Alert RSS Feeds
         • NEW Diggity Alert Feeds and Updates
         • NEW Diggity Alert RSS Feed Client Tools
     • Future Directions
  3. Introduction/Background - GETTING UP TO SPEED
  4. Open Source Intelligence - SEARCHING PUBLIC SOURCES
     OSINT – is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence.
  5. Google/Bing Hacking - SEARCH ENGINE ATTACKS
  6. Google/Bing Hacking - SEARCH ENGINE ATTACKS
     Bing's source leaked!
         class Bing {
             public static string Search(string query) {
                 return Google.Search(query);
             }
         }
  7. Attack Targets - GOOGLE HACKING DATABASE
     • Advisories and Vulnerabilities (215)
     • Error Messages (58)
     • Files containing juicy info (230)
     • Files containing passwords (135)
     • Files containing usernames (15)
     • Footholds (21)
     • Pages containing login portals (232)
     • Pages containing network or vulnerability data (59)
     • Sensitive Directories (61)
     • Sensitive Online Shopping Info (9)
     • Various Online Devices (201)
     • Vulnerable Files (57)
     • Vulnerable Servers (48)
     • Web Server Detection (72)
  8. Google Hacking = Lulz - REAL WORLD THREAT
     LulzSec and Anonymous believed to use Google Hacking as a primary means of identifying vulnerable targets.
     "Their releases have nothing to do with their goals or their lulz. It's purely based on whatever they find with their "google hacking" queries and then release it."
     -- A-Team, 28 June 2011
  9. Google Hacking = Lulz - REAL WORLD THREAT
     22:14 <@kayla> Sooooo...using the link above and the google hack string. !Host=*.* intext:enc_UserPassword=* ext:pcf Take your pick of VPNs you want access too. Ugghh.. Aaron Barr CEO HBGary Federal Inc.
     22:15 <@kayla> download the pcf file
     22:16 <@kayla> then use http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode?enc= to clear text it
     22:16 <@kayla> = free VPN
  10. Quick History - GOOGLE HACKING RECAP
      Dates | Event
      2004 | Google Hacking Database (GHDB) begins
      May 2004 | Foundstone SiteDigger v1 released
      Jan 2005 | Foundstone SiteDigger v2 released
      Feb 13, 2005 | Google Hack Honeypot first release
      Feb 20, 2005 | Google Hacking v1 released by Johnny Long
      Jan 10, 2006 | MSNPawn v1.0 released by NetSquare
      Dec 5, 2006 | Google stops issuing Google SOAP API keys
      Mar 2007 | Bing disables inurl: link: and linkdomain:
      Nov 2, 2007 | Google Hacking v2 released
  11. Quick History…cont. - GOOGLE HACKING RECAP
      Dates | Event
      Mar 2008 | cDc Goolag - gui tool released
      Sept 7, 2009 | Google shuts down SOAP Search API
      Nov 2009 | Binging tool released by Blueinfy
      Dec 1, 2009 | FoundStone SiteDigger v 3.0 released
      2010 | Goolag.org disappears
      April 21, 2010 | Google Hacking Diggity Project initial releases
      Nov 1, 2010 | Google AJAX API slated for retirement
      Nov 9, 2010 | GHDB Reborn Announced – Exploit-db.com
      July 2011 | Bing ceases ‘&format=rss’ support
  12. Advanced Attacks - WHAT YOU SHOULD KNOW
  13. Diggity Core Tools - STACH & LIU TOOLS
      Google Diggity
      • Uses Google JSON/ATOM API
          • Not blocked by Google bot detection
          • Does not violate Terms of Service
      • Required to use
      Bing Diggity
      • Uses Bing 2.0 SOAP API
      • Company/Webapp Profiling
          • Enumerate: URLs, IP-to-virtual hosts, etc.
      • Bing Hacking Database (BHDB)
          • Vulnerability search queries in Bing format
  14. New Features - DIGGITY CORE TOOLS
      Google Diggity - New API
      • Updated to use Google JSON/ATOM API
      • Due to deprecated Google AJAX API
      Misc. Feature Upgrades
      • Auto-update for dictionaries
      • Output export formats
          • Now also XLS and HTML
      • Help File – chm file added
  15. New Features - DOWNLOAD BUTTON
      Download Buttons for Google/Bing Diggity
      • Download actual files from Google/Bing search results
      • Downloads to default: C:DiggityDownloads
      • Used by other tools for file download/analysis:
          • FlashDiggity, DLP Diggity, MalwareDiggity,…
  16. New Features - AUTO-UPDATES
      SLDB Updates in Progress
      • Example: SharePoint Google Dictionary
          • http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/#SharePoint – GoogleDiggity Dictionary File
  17. Google Diggity - DIGGITY CORE TOOLS
  18. Bing Diggity - DIGGITY CORE TOOLS
  19. Bing Hacking Database - STACH & LIU TOOLS
      BHDB – Bing Hacking Data Base
      • First ever Bing hacking database
      • Bing hacking limitations
          • Disabled inurl:, link: and linkdomain: directives in March 2007
          • No support for ext:, allintitle:, allinurl:
          • Limited filetype: functionality
              • Only 12 extensions supported
      Example - Bing vulnerability search:
      • GHDB query
          • "allintitle:Netscape FastTrack Server Home Page"
      • BHDB version
          • intitle:"Netscape FastTrack Server Home Page"
  20. Hacking CSE’s - ALL TOP LEVEL DOMAINS
  21. NEW GOOGLE HACKING TOOLS - Code Search Diggity
  22. Google Code Search - VULNS IN OPEN SOURCE CODE
      • Regex search for vulnerabilities in indexed public code, including popular open source code repositories:
      • Example: SQL Injection in ASP querystring
          • select.*from.*request.QUERYSTRING
  23. CodeSearch Diggity - AMAZON CLOUD SECRET KEYS
  24. NEW GOOGLE HACKING TOOLS - Bing LinkFromDomainDiggity
  25. Bing LinkFromDomain - DIGGITY TOOLKIT
  26. Bing LinkFromDomain - FOOTPRINTING LARGE ORGANIZATIONS
  27. NEW GOOGLE HACKING TOOLS - Malware Diggity
  28. MalwareDiggity - DIGGITY TOOLKIT
      1. Leverages Bing’s linkfromdomain: search directive to find off-site links of target applications/domains
      2. Runs off-site links against Google’s Safe Browsing API to determine if any are malware distribution sites
      3. Return results that identify malware sites that your web applications are directly linking to
  29. Mass Injection Attacks - MALWARE GONE WILD
      Malware Distribution Woes – WSJ.com – June 2010
      • Popular websites victimized, become malware distribution sites to their own customers
  30. Mass Injection Attacks - MALWARE GONE WILD
      Malware Distribution Woes – LizaMoon – April 2011
      • Popular websites victimized, become malware distribution sites to their own customers
  31. Mass Injection Attacks - MALWARE GONE WILD
      Malware Distribution Woes – willysy.com - August 2011
      • Popular websites victimized, become malware distribution sites to their own customers
  32. Malware Diggity - DIGGITY TOOLKIT
  33. Malware Diggity - DIGGITY TOOLKIT
  34. Malware Diggity - DIAGNOSTICS IN RESULTS
  35. NEW GOOGLE HACKING TOOLS - DLP Diggity
  36. DLP Diggity - LOTS OF FILES TO DATA MINE
  37. DLP Diggity - MORE DATA SEARCHABLE EVERY YEAR
      [Chart: Google Results for Common Docs, by file type (PDF, DOC, XLS, TXT) for 2004, 2007 and 2011]
  38. DLP Diggity - DIGGITY TOOLKIT
  39. NEW GOOGLE HACKING TOOLS - FlashDiggity
  40. Flash Diggity - DIGGITY TOOLKIT
      • Google for SWF files on target domains
          • Example search: filetype:swf site:example.com
      • Download SWF files to C:DiggityDownloads
      • Disassemble SWF files and analyze for Flash vulnerabilities
  41. NEW GOOGLE HACKING TOOLS - DEMO
  42. GoogleScrape Diggity - DIGGITY TOOLKIT
      GoogleScrape Diggity
      • Uses Google mobile interface
          • Light-weight, no advertisements
          • Violates Terms of Service
      • Bot detection avoidance
          • Distributed via proxies
          • Spoofs User-agent and Referer headers
          • Random &userip= value
          • Across Google servers
  43. NEW GOOGLE HACKING TOOLS - Baidu Diggity
  44. BaiduDiggity - CHINA SEARCH ENGINE
      • Fighting back
  45. Advanced Defenses - PROTECT YO NECK
  46. Traditional Defenses - GOOGLE HACKING DEFENSES
      • “Google Hack yourself” organization
          • Employ tools and techniques used by hackers
          • Remove info leaks from Google cache
              • Using Google Webmaster Tools
      • Regularly update your robots.txt
          • Or robots meta tags for individual page exclusion
      • Data Loss Prevention/Extrusion Prevention Systems
          • Free Tools: OpenDLP, Senf
      • Policy and Legal Restrictions
  47. Existing Defenses - “HACK YOURSELF”
      • Tools exist
      • Convenient
      • Real-time updates
      • Multi-engine results
      • Historical archived data
      • Multi-domain searching
  48. Advanced Defenses - NEW HOT SIZZLE
      Stach & Liu now proudly presents:
      • Google and Bing Hacking Alerts
          • SharePoint Hacking Alerts – 118 dorks
          • SHODAN Hacking Alerts – 26 dorks
      • Diggity Alerts FUNdle Bundles
          • Consolidated alerts into 1 RSS feed
      • Alert Client Tools
          • Alert Diggity – Windows systray notifications
          • iDiggity Alerts – iPhone notification app
  49. Google Hacking Alerts - ADVANCED DEFENSES
      Google Hacking Alerts
      • All hacking database queries using
      • Real-time vuln updates to >2400 hack queries via RSS
      • Organized and available via importable file
  50. Google Hacking Alerts - ADVANCED DEFENSES
  51. Bing Hacking Alerts - ADVANCED DEFENSES
      Bing Hacking Alerts
      • Bing searches with regexs from BHDB
      • Leverages http://api.bing.com/rss.aspx
      • Real-time vuln updates to >900 Bing hack queries via RSS
  52. Bing/Google Alerts - LIVE VULNERABILITY FEEDS
      World’s Largest Live Vulnerability Repository
      • Daily updates of ~3000 new hits per day
  53. ADVANCED DEFENSE TOOLS - Diggity Alert Fundle Bundle
      Diggity Alerts: One Feed to Rule Them All
  54. FUNdle Bundle - ADVANCED DEFENSES
  55. FUNdle Bundle - ADVANCED DEFENSES
  56. FUNdle Bundle - MOBILE FRIENDLY
  57. ADVANCED DEFENSE TOOLS - SHODAN Alerts
  58. SHODAN Alerts - FINDING SCADA SYSTEMS
  59. SHODAN Alerts - SHODAN RSS FEEDS
  60. Bing/Google Alerts - THICK CLIENTS TOOLS
      Google/Bing Hacking Alert Thick Clients
      • Google/Bing Alerts RSS feeds as input
      • Allow user to set one or more filters
          • e.g. “yourcompany.com” in the URL
      • Several thick clients being released:
          • Windows Systray App
          • Droid app (coming soon)
          • iPhone app
  61. ADVANCED DEFENSE TOOLS - Alert Diggity
  62. Alerts Diggity - ADVANCED DEFENSES
  63. ADVANCED DEFENSE TOOLS - iDiggity Alerts
  64. iDiggity Alerts - ADVANCED DEFENSES
  65. iDiggity Alerts - ADVANCED DEFENSES
  66. New Defenses - “GOOGLE/BING HACK ALERTS”
      • Tools exist
      • Convenient
      • Real-time updates
      • Multi-engine results
      • Historical archived data
      • Multi-domain searching
  67. Future Direction - IS NOW
  68. Diggity Alert DB - DATA MINING VULNS
      Diggity Alerts Database
  69. Dictionary Updates - 3RD PARTY INTEGRATION
      New maintainers of the GHDB – 09 Nov 2010
      • http://www.exploit-db.com/google-hacking-database-reborn/
  70. Special Thanks
      Oscar “The Bull” Salazar
      Brad “BeSickWittIt” Sickles
      Nick “King Luscious” Harbin
      Prajakta “The Flasher” Jagdale
      Ruihai “Ninja” Fang
      Jason “Blk-majik” Lash
  71. Questions?
      Ask us something. We’ll try to answer it.
      For more info:
      Email: contact@stachliu.com
      Project: diggity@stachliu.com
      Stach & Liu, LLC
      www.stachliu.com
  72. Thank You
      Stach & Liu Google Hacking Diggity Project info:
      http://www.stachliu.com/index.php/resources/tools/google-hacking-diggity-project/
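
The alert thick clients on slide 60 take the hacking-alert RSS feeds as input and keep only the entries that match a filter such as “yourcompany.com” in the URL. The sketch below is an added example, not Alert Diggity's code: the feed is a constructed RSS 2.0 sample and the function names are hypothetical. It matches on the parsed hostname rather than on a substring of the URL, so look-alike hosts and query-string mentions do not raise alerts for a domain you do not own.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample feed; titles and links are made up for this example.
# For feeds you do not control, a hardened parser such as defusedxml is advisable.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>constructed alert feed</title>
<item><title>intitle:"index of" backup</title><link>http://files.yourcompany.com/backup/</link></item>
<item><title>filetype:sql password</title><link>http://example.org/?ref=yourcompany.com</link></item>
<item><title>inurl:admin login</title><link>http://yourcompany.com.example.net/admin</link></item>
<item><title>ext:log error</title><link>https://YOURCOMPANY.com:8443/logs/app.log</link></item>
<item><title>broken entry</title><link>not a url</link></item>
</channel></rss>"""


def host_in_scope(url, owned_domains):
    """True if the URL's host is one of owned_domains or a subdomain of one."""
    try:
        host = urlsplit(url.strip()).hostname  # lower-cased, port removed
    except ValueError:
        return False
    if not host:
        return False
    host = host.rstrip(".")
    return any(host == d or host.endswith("." + d) for d in owned_domains)


def matching_alerts(feed_xml, owned_domains):
    """Return (title, link) for every feed item that points at an owned host."""
    owned = {d.lower().strip(".") for d in owned_domains}
    hits = []
    for item in ET.fromstring(feed_xml).iter("item"):
        link = item.findtext("link", default="")
        if host_in_scope(link, owned):
            hits.append((item.findtext("title", default=""), link.strip()))
    return hits


def substring_matches(feed_xml, needle):
    """Naive filter (needle anywhere in the URL), kept only for comparison."""
    links = [i.findtext("link", default="")
             for i in ET.fromstring(feed_xml).iter("item")]
    return [link for link in links if needle in link.lower()]


if __name__ == "__main__":
    for title, link in matching_alerts(SAMPLE_FEED, ["yourcompany.com"]):
        print(f"ALERT  {title}  ->  {link}")
    print(len(substring_matches(SAMPLE_FEED, "yourcompany.com")),
          "entries match the naive substring filter")
```

On the constructed feed the host-based filter reports two entries, while the substring filter also flags the query-string mention and the look-alike host.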