Lord of the Bing - Black Hat USA 2010

During World War II the CIA created a special information intelligence unit to exploit information gathered from openly available sources. One classic example of the team’s resourcefulness was the ability to determine whether Allied forces had successfully bombed bridges leading into Paris based on increasing orange prices. Since then OSINT sources have surged in number and diversity, but none can compare to the wealth of information provided by the Internet. Attackers have been clever enough in the past to take advantage of search engines to filter this information to identify vulnerabilities. However, current search hacking techniques have been stymied by search provider efforts to curb this type of behavior. Not anymore - our demonstration-heavy presentation picks up the subtle art of search engine hacking at the current state and discusses why these techniques fail. We will then reveal several new search engine hacking techniques that have resulted in remarkable breakthroughs against both Google and Bing. Come ready to engage with us as we release two new tools, GoogleDiggity and BingDiggity, which take full advantage of the new hacking techniques. We’ll also be releasing the first ever “live vulnerability feed”, which will quickly become the new standard on how to detect and protect yourself against these types of attacks. This presentation will change the way you've previously thought about search engine hacking, so put on your helmets. We don't want a mess when we blow your minds.

Transcript

  • 1. Lord of the Bing: Taking Back Search Engine Hacking From Google and Bing. 29 July 2010. Presented by: Francis Brown and Rob Ragan, Stach & Liu, LLC, www.stachliu.com
  • 2. Goals: DESIRED OUTCOME • To improve Google Hacking • Attacks and defenses • Advanced tools and techniques • To think differently about exposures in publicly available sources • To blow your mind!
  • 3. Google/Bing Hacking: SEARCH ENGINE ATTACKS
  • 4. Attack Targets: GOOGLE HACKING DATABASE • Advisories and Vulnerabilities (215) • Error Messages (58) • Files containing juicy info (230) • Files containing passwords (135) • Files containing usernames (15) • Footholds (21) • Pages containing login portals (232) • Pages containing network or vulnerability data (59) • Sensitive Directories (61) • Sensitive Online Shopping Info (9) • Various Online Devices (201) • Vulnerable Files (57) • Vulnerable Servers (48) • Web Server Detection (72)
  • 5. Attack Targets: GOOGLE HACKING DATABASE. Old School Examples • Error Messages • filetype:asp + "[ODBC SQL" • "Warning: mysql_query()" "invalid query" • Files containing passwords • inurl:passlist.txt
  • 6. New Toolkit: STACH & LIU TOOLS. Google Diggity • Uses Google AJAX API • Not blocked by Google bot detection • Does not violate Terms of Service • Can leverage Bing Diggity • Uses Bing SOAP API • Company/Webapp Profiling • Enumerate: URLs, IP-to-virtual hosts, etc. • Bing Hacking Database (BHDB) • Vulnerability search queries in Bing format
  • 7. New Toolkit: STACH & LIU TOOLS. GoogleScrape Diggity • Uses Google mobile interface • Light-weight, no advertisements or extras • Violates Terms of Service • Automatically leverages valid open proxies • Spoofs User-agent and Referer headers • Random &userip= value
  • 8. New Hack Databases: ATTACK QUERIES. BHDB – Bing Hacking Data Base • First ever Bing Hacking database • Bing has limitations that make it difficult to create vuln search queries • Bing disabled the link: and linkdomain: directives to combat abuse in March 2007 • Does not support ext: or inurl: • The filetype: functionality is limited. Example - Bing vulnerability search: • GHDB query • "allintitle:Netscape FastTrack Server Home Page" • BHDB version • "intitle:Netscape FastTrack Server Home Page"
  • 9. New Hack Databases: ATTACK QUERIES. SLDB - Stach & Liu Data Base • New Google/Bing hacking searches in active development by the S&L team. SLDB Examples • ext:(doc | pdf | xls | txt | ps | rtf | odt | sxw | psw | ppt | pps | xml) (intext:confidential salary | intext:"budget approved") inurl:confidential • ( filetype:mail | filetype:eml | filetype:mbox | filetype:mbx ) intext:password|subject • filetype:sql "insert into" (pass|passwd|password) • !Host=*.* intext:enc_UserPassword=* ext:pcf • "your password is" filetype:log
  • 10. NEW GOOGLE HACKING TOOLS DEMO
  • 11. Traditional Defenses: GOOGLE HACKING DEFENSES • “Google Hack yourself” organization • Employ tools and techniques used by hackers • Remove info leaks from Google cache • Using Google Webmaster Tools • Regularly update your robots.txt. • Or robots meta tags for individual page exclusion • Data Loss Prevention/Extrusion Prevention Systems • Free Tools: OpenDLP, Senf • Policy and Legal Restrictions
  • 12. Traditional Defenses: GOOGLE HACKING DEFENSES • “Google Hack yourself” organization • Employ tools and techniques used by hackers • Remove info leaks from Google cache • Using Google Webmaster Tools • Regularly update your robots.txt. • Or robots meta tags for individual page exclusion • Data Loss Prevention/Extrusion Prevention Systems • Free Tools: OpenDLP, Senf • Policy and Legal Restrictions
  • 13. Advanced Defenses: PROTECT YO NECK
  • 14. Existing Defenses: “HACK YOURSELF” • Tools exist • Convenient • Real-time updates • Multi-engine results • Historical archived data • Multi-domain searching
  • 15. Advanced Defenses: NEW HOT SIZZLE. Stach & Liu now proudly presents: • Google Hacking Alerts • Bing Hacking Alerts
  • 16. Google Hacking Alerts: ADVANCED DEFENSES. Google Hacking Alerts • All hacking database queries using • Real-time vuln updates to >2400 hack queries via RSS • Organized and available via importable file
  • 17. Google Hacking Alerts: ADVANCED DEFENSES
  • 18. Bing Hacking Alerts: ADVANCED DEFENSES. Bing Hacking Alerts • Bing searches with regexs from BHDB • Leverage &format=rss directive to turn into update feeds
  • 19. Alert Client Tools: GOOGLE/BING ALERT CLIENTS. Google/Bing Hacking Alert Thick Clients • Take in Google/Bing Alert RSS feeds as input • Allow user to set one or more filters to generate alerts when one of the RSS alert entries matches something they are interested in (e.g. “yourcompany.com” in the URL) • Several thick clients being released by Stach & Liu: • Windows app • iPhone app (coming soon) • Droid app (coming soon)
  • 20. ADVANCED DEFENSE TOOLS DEMO
  • 21. New Defenses: “GOOGLE/BING HACK ALERTS” • Tools exist • Convenient • Real-time updates • Multi-engine results • Historical archived data • Multi-domain searching
  • 22. Google Apps Explosion: SO MANY APPLICATIONS TO ABUSE
  • 23. Google PhoneBook: SPEAR PHISHING
  • 24. Google Code Search: VULNS IN OPEN SOURCE CODE • Regex search for vulnerabilities in public code • Example: SQL Injection in ASP querystring • select.*from.*request.QUERYSTRING
  • 25. GOOGLE CODE SEARCH HACKING DEMO
  • 26. Google Code Search: VULNS IN OPEN SOURCE CODE
  • 27. Google Code Search: VULNS IN OPEN SOURCE CODE
  • 28. Black Hat SEO: SEARCH ENGINE OPTIMIZATION • Use popular search topics du jour • Pollute results with links to badware • Increase chances of a successful attack
  • 29. Google Trends: BLACK HAT SEO RECON
  • 30. Defenses: BLACKHAT SEO DEFENSES • Malware Warning Filters • Google Safe Browsing • Microsoft SmartScreen Filter • Yahoo Search Scan • Sandbox Software • Sandboxie (sandboxie.com) • Dell KACE - Secure Browser • Adobe Reader Sandbox (Protected Mode) • No-script and Ad-block browser plugins
  • 31. Mass Injection Attacks: MALWARE GONE WILD. Malware Distribution Woes • Popular websites victimized, become malware distribution sites to their own customers
  • 32. Malware Browser Filters: URL BLACK LIST. Protecting users from known threats • Joint effort to protect customers from known malware and phishing links
  • 33. Inconvenient Truth: DICKHEAD ALERTS. Malware Black List Woes • Average web administrator has no idea when their site gets black listed
  • 34. Advanced Defenses: PROTECT YO NECK
  • 35. Malware Diggity: ADVANCED DEFENSES. Malware Diggity • Uses Bing’s linkfromdomain: directive to identify off-site links of the domain(s) you wish to monitor • Compares to known malware sites/domains • Alerts if site is compromised and now distributing malware • Monitors new Google Trends links. Malware Diggity Alerts • Leverages the Bing ‘&format=rss’ directive, to actively monitor new off-site links of your site as they appear • Immediately lets you know if you have been compromised by one of these mass injection attacks or if your site has been black listed
  • 36. Malware Diggity: ADVANCED DEFENSES
  • 37. Malware Diggity: ADVANCED DEFENSES
  • 38.
  • 39. Malware Monitoring: INFECTION DETECTION. Diagram boxes: Identify External Links • Identify Incoming Links • Compare to Black List • Detect Infected Links • Alert
  • 40. Search Engine deOptimization: BLACK LIST YOUR FOES. Diagram boxes: Identify Malware Links • Mass Inject Competition • Competition PageRank is 0 • Competition Black Listed • Profit
  • 41. Future Direction: PREDICTIONS
  • 42. Predictions: FUTURE DIRECTIONS. Data Explosion • More data indexed, searchable • Real-time, streaming updates • Faster, more robust search interfaces. Google Involvement • Filtering of search results • Better GH detection and tool blocking. Renewed Tool Dev • Google Ajax API based • Bing/Yahoo/other engines • Search engine aggregators • Google Code and Other Open Source Repositories • MS CodePlex, SourceForge, … • More automation in tools • Real-time detection and exploitation • Google worms
  • 43. Real-time Updates: FUTURE DIRECTIONS
  • 44. Questions? Ask us something. We’ll try to answer it. For more info: Email: contact@stachliu.com Project: diggity@stachliu.com Stach & Liu, LLC www.stachliu.com
  • 45. Thank You. Stach & Liu. Project info: http://www.stachliu.com/index.php/resources/tools/google-hacking-diggity-project/
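
Added example, not from the Stach & Liu slides or tools: a minimal version of the alert-feed filter described on slide 19, which takes an RSS feed and reports only entries whose URL belongs to a domain you monitor. The feed contents, the example.com domains and the function names are constructed for illustration.

```python
# Added example: filter alert-feed entries for domains you own (slide 19).
# The feed below is constructed sample data; element names follow RSS 2.0.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>constructed alert feed</title>
<item><title>Index of /backup</title>
  <link>http://files.example.com/backup/</link></item>
<item><title>Login</title>
  <link>http://example.com.evil.test/login</link></item>
<item><title>mentions example.com in path only</title>
  <link>http://other.test/?ref=example.com</link></item>
<item><title>SQL error</title>
  <link>https://SHOP.Example.COM:8443/item.asp?id=1</link></item>
<item><title>broken entry</title><link>not a url</link></item>
</channel></rss>"""


def host_in_scope(host, monitored):
    """True if host equals a monitored domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in monitored)


def matching_alerts(feed_xml, monitored):
    """Return (title, link) for feed items whose URL host is in scope.

    Matching on the parsed hostname, not a substring of the URL, avoids
    false alerts for look-alike hosts and for query strings that merely
    mention the domain.
    """
    monitored = {d.lower().strip(".") for d in monitored}
    hits = []
    for item in ET.fromstring(feed_xml).iter("item"):
        link = (item.findtext("link") or "").strip()
        host = urlsplit(link).hostname  # None when there is no netloc
        if host and host_in_scope(host, monitored):
            hits.append(((item.findtext("title") or "").strip(), link))
    return hits


if __name__ == "__main__":
    for title, link in matching_alerts(SAMPLE_FEED, ["example.com"]):
        print(f"ALERT: {title} -> {link}")
```

For feeds fetched from the network, a hardened parser such as defusedxml is a safer choice than the standard-library ElementTree.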