
Using Google to Hack Your Site #Pubcon

Slides from my talk at Pubcon Las Vegas in October 2016 about using Google to find site security weaknesses.

Published in: Internet


  1. Using Google to Hack Your Site. Presented by: Barry Adams, Polemic Digital (#pubcon @badams)
  2. About Barry Adams
     • Dutchman in Northern Ireland
     • Founder of Polemic Digital
     • Co-Chief Editor for StateofDigital.com
     • Twitter ranter: @badams
     • Lecturer & educator
  3. Anatomy of a Hack
     1. Reconnaissance
     2. Scanning
     3. Gaining Access
     4. Maintaining Access
     5. Covering Tracks
  4. Prevention is the best cure
     • Security through obscurity
       – Enough to defeat script kiddies & automated tools, which pick targets by fingerprinting software and version numbers
     • Won’t stop dedicated hackers
       – But then, few things will… (obscurity reduces exposure; it is not a substitute for patching, so hide the version number and still update)
  5. Becoming invisible…
  6. Wappalyzer (browser extension that fingerprints the CMS, frameworks and versions a site exposes in its HTML and headers)
  7. Hide your version numbers, e.g. the tag WordPress emits by default: <meta name="generator" content="WordPress 4.6.1"/>
  8. Broadcasting your security in robots.txt
     • Don’t put your back-end login folder in your robots.txt: a Disallow line is public and tells attackers exactly where to look
       – Use meta robots noindex,nofollow on the page instead (Google only sees that tag if robots.txt lets it fetch the page, so don’t do both)
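Slides 6 to 8 come down to one check you can run against your own site: does a response leak the generator tag, version numbers in asset URLs or headers, or a robots.txt entry that points at the back end? The script below is an added example, not part of the talk; the HTML, headers and robots.txt it scans are constructed samples, and the list of "back-end hint" words is an assumption you should tune to your own stack.

```python
"""Audit a site's own responses for the fingerprints Wappalyzer-style tools
and Google dorks key on: generator meta tags, version strings in asset URLs
and HTTP headers, and robots.txt entries that advertise back-end paths.
All inputs below are constructed samples, not captures from any real site."""
import re
from html.parser import HTMLParser

# Assumed list of path fragments that, listed in robots.txt, advertise the back end.
BACKEND_HINTS = ("admin", "login", "backup", "config", "phpmyadmin", "cpanel")
VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)?")


class _FingerprintParser(HTMLParser):
    """Collects <meta name=generator> and asset URLs carrying a ?ver= parameter."""

    def __init__(self):
        super().__init__()
        self.generator = None
        self.versioned_assets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content") or ""
        src = None
        if tag == "script":
            src = a.get("src")
        elif tag == "link":
            src = a.get("href")
        if src and re.search(r"[?&]ver=", src):
            self.versioned_assets.append(src)


def audit_fingerprints(html, headers, robots_txt):
    """Return a list of (kind, detail) findings; an empty list means nothing leaked."""
    findings = []
    parser = _FingerprintParser()
    parser.feed(html)
    if parser.generator:
        findings.append(("meta-generator", parser.generator))
    for asset in parser.versioned_assets:
        findings.append(("asset-version", asset))
    for name in ("server", "x-powered-by"):
        value = next((v for k, v in headers.items() if k.lower() == name), None)
        if value and VERSION_RE.search(value):
            findings.append(("header-version", f"{name}: {value}"))
    for line in robots_txt.splitlines():
        key, _, path = line.partition(":")
        path = path.strip()
        if key.strip().lower() == "disallow" and any(h in path.lower() for h in BACKEND_HINTS):
            findings.append(("robots-disallow", path))
    return findings


# Constructed "before" sample: a stock WordPress front page and its headers.
LEAKY_HTML = """<html><head>
<meta name="generator" content="WordPress 4.6.1"/>
<link rel="stylesheet" href="/wp-content/themes/demo/style.css?ver=4.6.1">
<script src="/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
</head><body>hello</body></html>"""
LEAKY_HEADERS = {"Server": "Apache/2.4.18 (Ubuntu)", "X-Powered-By": "PHP/5.6.25"}
LEAKY_ROBOTS = "User-agent: *\nDisallow: /wp-admin/\nDisallow: /backup/\nDisallow: /tmp/\n"

# Constructed "after" sample: generator removed, ?ver= stripped, login page
# kept out of the index with meta robots instead of a robots.txt Disallow.
HARDENED_HTML = """<html><head>
<meta name="robots" content="noindex,nofollow">
<link rel="stylesheet" href="/wp-content/themes/demo/style.css">
</head><body>login</body></html>"""
HARDENED_HEADERS = {"Server": "Apache"}
HARDENED_ROBOTS = "User-agent: *\nDisallow: /tmp/\n"

if __name__ == "__main__":
    for kind, detail in audit_fingerprints(LEAKY_HTML, LEAKY_HEADERS, LEAKY_ROBOTS):
        print(f"{kind:16} {detail}")
    print("hardened:", audit_fingerprints(HARDENED_HTML, HARDENED_HEADERS, HARDENED_ROBOTS))
```

On WordPress the generator tag is removed by unhooking wp_generator from wp_head in the theme's functions.php (remove_action('wp_head', 'wp_generator')), and the Server / X-Powered-By version strings are web-server and PHP settings rather than anything the CMS controls. Feed the function a real page, its response headers and the live robots.txt and the finding list is what a scanner would see.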
  9. Using Google to find weaknesses
     • Google is a hungry beast
     • It will crawl & index all it can
     • Even stuff it really shouldn’t…
     Advanced search commands allow you to use Google’s insatiable hunger for your own benefit/protection
  10. Google Advanced Search Commands
     site:domain.com > only search within that domain (subdomains included)
     ext:xxx > only show files with that extension
     inurl:xyz > only show pages with ‘xyz’ in the URL
     -abc > exclude pages that match ‘abc’
     | > OR: match either of the terms joined by the pipe, e.g. ext:sql | ext:bak (the OR binds only the adjacent terms; everything else is ANDed)
  11. Login folders
  12. Database files
  13. Configuration files
  14. Log Files
  15. Backups
  16. Documents
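The operators on slide 10 can be evaluated offline against your own crawl or sitemap, so you can preview what the queries behind slides 11 to 16 would surface before Google indexes it. The evaluator below is an added example and not code from the talk; it implements only the five operators the slide lists (plus filetype: as an alias of ext:), treats a bare word as a match on the URL because there is no page text offline, and the dork catalogue's paths and extensions for each category are my assumptions, as is the list of crawled URLs.

```python
"""Offline evaluator for the Google operators site:, ext:, inurl:, -term and |,
run against URLs from your own crawl so a dork can be previewed before
Google finds the files. URL list and catalogue are constructed, not real."""
from urllib.parse import urlparse


def parse_dork(query):
    """Split a query into AND-ed groups of OR-ed terms.
    Google's | binds tighter than the implicit AND, so
    "site:x ext:sql | ext:bak" is site:x AND (ext:sql OR ext:bak)."""
    tokens = query.split()
    groups, i = [], 0
    while i < len(tokens):
        if tokens[i] == "|":          # stray pipe: ignore it
            i += 1
            continue
        group = [tokens[i]]
        i += 1
        while i + 1 < len(tokens) and tokens[i] == "|":
            group.append(tokens[i + 1])
            i += 2
        groups.append(group)
    return groups


def _extension(path):
    """Last extension of the path component; ".env" counts as extension "env"."""
    name = path.rsplit("/", 1)[-1]
    _, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def term_matches(term, url):
    negate = term.startswith("-")
    if negate:
        term = term[1:]
    op, sep, value = term.partition(":")
    if not sep:
        op, value = "text", op
    value = value.lower()
    parts = urlparse(url)
    host, full = parts.netloc.lower(), url.lower()
    if op == "site":
        hit = host == value or host.endswith("." + value)
    elif op in ("ext", "filetype"):
        hit = _extension(parts.path) == value
    else:  # inurl: and bare words both match against the URL offline
        hit = value in full
    return hit != negate


def dork_matches(query, url):
    return all(any(term_matches(t, url) for t in group) for group in parse_dork(query))


def dork_catalogue(domain):
    """One assumed query per slide category; tune the extensions to your stack."""
    return {
        "login folders": f"site:{domain} inurl:admin | inurl:login | inurl:administrator",
        "database files": f"site:{domain} ext:sql | ext:db | ext:sqlite",
        "configuration files": f"site:{domain} ext:env | ext:ini | ext:conf | ext:yml",
        "log files": f"site:{domain} ext:log",
        "backups": f"site:{domain} ext:bak | ext:old | ext:zip | ext:tgz",
        "documents": f"site:{domain} ext:pdf | ext:docx | ext:xlsx -inurl:brochures",
    }


def audit_urls(domain, urls):
    """Map each category to the crawled URLs its dork would return."""
    return {cat: [u for u in urls if dork_matches(q, u)] for cat, q in dork_catalogue(domain).items()}


# Constructed crawl of a fictional site, including one URL on another domain.
CRAWLED_URLS = [
    "https://www.example.com/",
    "https://www.example.com/about.html",
    "https://www.example.com/wp-login.php",
    "https://www.example.com/wp-content/uploads/2016/site-backup.sql",
    "https://www.example.com/wp-config.php.bak",
    "https://www.example.com/logs/error.log",
    "https://dev.example.com/.env",
    "https://www.example.com/reports/q3-results.pdf",
    "https://www.example.com/brochures/catalogue.pdf",
    "https://other.example.org/admin/",
]

if __name__ == "__main__":
    for category, hits in audit_urls("example.com", CRAWLED_URLS).items():
        print(f"{category}: {hits}")
```

The same strings in dork_catalogue can be pasted into Google as they are; what the offline pass adds is a list of your own URLs that would answer them, which is the list of files to remove or put behind authentication rather than merely hide.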
  17. Social Engineering
     • Be careful what you publish online!
       – Hackers can use personal information to gain confidence and extract more information.
     • Even passwords…
  18. Shared Hosting / Shared Sites: SpyOnWeb.com
  19. Subdomains: https://pentest-tools.com/
  20. To summarise
     • Minimise your online footprint;
       – Anything online can and will be used against you
     • Don’t give away any clues;
       – Make your website difficult to reconnoitre
     • Educate your staff;
       – People are your biggest weakness
  21. Thank You. Follow me on Twitter: @badams. Email me your questions: barry@polemicdigital.com
