Google Dorks: Analysis, Creation, and new Defenses
Flavio Toffalini, University of Verona, IT, flavio.toffalini@gmail.com
Maurizio Abbà, LastLine, UK, mabba@lastline.com
Damiano Carra, University of Verona, IT, damiano.carra@univr.it
Davide Balzarotti, Eurecom, FR, davide.balzarotti@eurecom.fr
GOOGLE DORKS
MOTIVATION
● Attackers use dorks to locate targets quickly.
● After a new vulnerability is disclosed, a single Google query is enough to identify a large number of vulnerable installations.
● Sysadmins have no time to apply patches before that query is run.
● If dorks could be prevented, attackers would have to fall back on Internet-wide scanning, which is several orders of magnitude slower.
GOALS
● Current practices
  ● Understand which information existing dorks rely on
  ● Design simple solutions to defeat those dorks
● Future threats
  ● Test whether attackers could move towards new styles of dorks
  ● Design simple solutions to prevent them
GOOGLE DORKS: TAXONOMY
● The Exploit-DB database contains 5143 dorks
● Classified by automated and manual analysis:
  ● URL Patterns (44%)
  ● File Extensions (6%)
  ● Content-Based (74%), split into:
    ● Banners (54%)
    ● Misconfigurations (8%)
    ● Error messages (1%)
    ● Common words (11%)
The top-level categories are not mutually exclusive (a dork can combine, for example, a URL pattern with a banner), which is why the percentages add up to more than 100%.
DORKS EVOLUTION BY CATEGORY
[Figure: number of dorks per category over time; series: URL Patterns, Banner, Common words, Misconfiguration]
KNOWN DEFENSES
Category              Known defense
URL Patterns          (none listed)
File Extensions       (none listed)
Content-Based
  Banners             remove banners
  Misconfigurations   improve system configuration
  Error messages      proper error handling
  Common words        (none listed)
CONTRIBUTION
The two rows marked "??" in the table above are the open questions this work addresses:
● URL Patterns ??   (a defense is proposed in the next section)
● Common words ??   (this work first shows that such dorks can be built, then proposes a defense)
File Extensions remain without a dedicated defense.
URL-DORKS
● Force search engines to index "randomized" URLs
● Let users navigate and share using cleartext URLs
Example (the directory segment is what gets obfuscated):
  cleartext:  http://www.web-site.com/wp-content/dimva.html
  obfuscated: http://www.web-site.com/HD12DAF35TR/dimva.html
URL-DORKS: MECHANISM
● XOR (part of) the URL with a random seed kept on the server
  a    = resource a
  O(a) = obfuscated resource a
● A 301 redirect tells the search engine that page a has moved to O(a)
● A canonical URL tag removes cleartext URLs from the results
● The site map is intercepted and its URLs replaced with obfuscated ones
OBFUSCATION PROTOCOL - CRAWLERS
1. Crawler -> URL Obfuscator: GET a (cleartext URL, e.g. followed from a link)
2. URL Obfuscator -> Web Site: GET a
3. Web Site -> URL Obfuscator: resp. of a
4. URL Obfuscator -> Crawler: Redirect 301 to O(a)
5. Crawler -> URL Obfuscator: GET O(a)
6. URL Obfuscator -> Crawler: resp. of a + canonical tag pointing at O(a) (the obfuscator fetches a from the site again, as in steps 2-3)

Only O(a) ends up in the index: the 301 marks a as moved, and the canonical tag consolidates any copy of a that is still indexed onto O(a).

OBFUSCATION PROTOCOL - BROWSER
1. Browser -> URL Obfuscator: GET O(a) (e.g. clicked in a search result)
2. URL Obfuscator -> Web Site: GET a
3. Web Site -> URL Obfuscator: resp. of a
4. URL Obfuscator -> Browser: resp. of a
5. Browser -> URL Obfuscator: GET b (a cleartext link on the page)
6. URL Obfuscator -> Web Site: GET b
7. Web Site -> URL Obfuscator: resp. of b
8. URL Obfuscator -> Browser: resp. of b

Browsers are never redirected, so users keep seeing and sharing cleartext URLs.
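The two protocol flows above, implemented as an added example in Python (this is an illustration written for this page, not the authors' implementation). Everything beyond the slides is an assumption: the seed is a per-site random value kept server-side; crawlers are recognised by User-Agent; only the directory part of the path is XORed (matching the /wp-content/ -> /HD12DAF35TR/ example); obfuscated segments carry the hypothetical marker "o-" so the proxy can tell them from cleartext directories; `origin_fetch` and `ORIGIN` stand in for the web site.

```python
"""URL-pattern dork defense as a reverse proxy: cleartext URLs for browsers,
obfuscated URLs for crawlers, so the directory names an inurl: dork matches
on never reach the search index. Added illustration, not the authors' code."""
import hashlib
import hmac
import re

SEED = b"per-site random seed, generated once, never published"  # assumption
CRAWLER_UA = re.compile(r"Googlebot|bingbot", re.I)                # assumption
MARK = "o-"                                                        # hypothetical marker

def _keystream(n):
    """n bytes derived from SEED (HMAC-SHA256 in counter mode). The same bytes
    come back on every call, so O(a) is stable, which 301 + canonical require."""
    blocks = (hmac.new(SEED, i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _xor(data):
    return bytes(b ^ k for b, k in zip(data, _keystream(len(data))))

def obfuscate(path):
    """O(a): XOR the directory part of /dir/file with the keystream, hex-encode it."""
    directory, _, filename = path.lstrip("/").rpartition("/")
    if not directory or directory.startswith(MARK):
        return path                      # nothing to hide, or already O(a)
    return f"/{MARK}{_xor(directory.encode()).hex().upper()}/{filename}"

def is_obfuscated(path):
    directory = path.lstrip("/").rpartition("/")[0]
    return (directory.startswith(MARK)
            and re.fullmatch(r"(?:[0-9A-F]{2})+", directory[len(MARK):]) is not None)

def deobfuscate(path):
    """Inverse of obfuscate(): XOR with the same keystream undoes the XOR."""
    directory, _, filename = path.lstrip("/").rpartition("/")
    return f"/{_xor(bytes.fromhex(directory[len(MARK):])).decode()}/{filename}"

def with_canonical(body, url):
    """Canonical tag so the engine keeps O(a), not a, as the indexed URL
    (use an absolute URL in a real deployment)."""
    return body.replace("<head>", f'<head><link rel="canonical" href="{url}">', 1)

def handle(user_agent, path, fetch):
    """Proxy one request. fetch(cleartext_path) -> (status, body) from the origin.
    Returns (status, headers, body) for the client."""
    crawler = CRAWLER_UA.search(user_agent) is not None
    if is_obfuscated(path):                          # O(a), e.g. from a search result
        status, body = fetch(deobfuscate(path))
        if crawler and status == 200:
            body = with_canonical(body, path)
        return status, {}, body
    status, body = fetch(path)                       # cleartext a (or b, from a link)
    if crawler and status == 200 and obfuscate(path) != path:
        # fetched first so that a missing resource is not redirected
        return 301, {"Location": obfuscate(path)}, ""
    return status, {}, body

def rewrite_sitemap(xml):
    """Replace every <loc> in a sitemap with its obfuscated URL."""
    return re.sub(r"<loc>(https?://[^/<]+)(/[^<]*)</loc>",
                  lambda m: f"<loc>{m.group(1)}{obfuscate(m.group(2))}</loc>", xml)

ORIGIN = {  # constructed sample site
    "/wp-content/dimva.html": "<html><head></head><body><a href='/wp-content/b.html'>b</a></body></html>",
    "/wp-content/b.html": "<html><head></head><body>b</body></html>",
}

def origin_fetch(path):
    return (200, ORIGIN[path]) if path in ORIGIN else (404, "not found")

if __name__ == "__main__":
    print(obfuscate("/wp-content/dimva.html"))
    print(handle("Googlebot/2.1", "/wp-content/dimva.html", origin_fetch)[:2])
```

Two points worth checking before deploying something like this: the XOR with a fixed keystream is reversible by anyone who knows one cleartext/obfuscated pair, but that only lets them forge URLs for this one site, and a dork has to work across many sites, which is what the per-site seed prevents; and the marker (here "o-") is itself a pattern an inurl: dork could match, so it reveals that an obfuscator is in use, not which CMS sits behind it.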
WORD-BASED DORKS
● Goal: use the words a CMS leaves in every page it generates to build a Google dork
● A greedy search algorithm maximizes two metrics:
  ● Hit rank: fraction of the returned web sites that are actually built with the target technology (the precision of the dork)
  ● Coverage: number of results returned by the dork
WORD-BASED DORKS: CREATION
Example CMS: Joomla!
1. Start from a vanilla installation and collect the words it shows on its pages, e.g. Categories, Submit, Register, Contact, Buy, Recent, Users, List, Registration
2. Combine words into a dork: "Category" + "Submit" + "...."
3. Compute hit rank and coverage for each candidate dork
WORD-BASED DORKS: CREATION
● Gradient-ascent (greedy) algorithm
● How is a new word added? At each step, among the candidate words whose coverage is above the median coverage of all candidate words, add the one that yields the highest hit rank (more details in the paper)
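The greedy step described above, as an added example in Python (an illustration written for this page, not the authors' code). The search engine is replaced by a constructed in-memory index of pages labelled with the CMS that really built them; hit rank and coverage of a candidate word are measured on the dork with that word added; words whose coverage ties with the median are kept (the slide says "above"); and the search stops when no eligible word raises the hit rank or when `max_words` is reached. The corpus, the candidate list and the stopping rule are all assumptions.

```python
"""Greedy construction of a common-word dork against a constructed index.
Added illustration, not the authors' code."""
import statistics
from collections import namedtuple

Stats = namedtuple("Stats", "hit_rank coverage")

CORPUS = [  # constructed sample index: (technology that built the page, words on it)
    ("Joomla", {"Categories", "Submit", "Register", "Contact", "Recent"}),
    ("Joomla", {"Categories", "Submit", "Register", "List"}),
    ("Joomla", {"Categories", "Submit", "Users", "Recent"}),
    ("Joomla", {"Categories", "Register", "Contact", "List"}),
    ("Joomla", {"Categories", "Submit", "Registration", "Contact"}),
    ("Joomla", {"Submit", "Register", "Recent", "Users"}),
    ("WordPress", {"Categories", "Contact", "Recent", "List"}),
    ("WordPress", {"Categories", "Recent", "Users"}),
    ("WordPress", {"Submit", "Contact", "List"}),
    ("WordPress", {"Recent", "Contact", "Buy"}),
    ("Magento", {"Buy", "Register", "Contact", "Submit"}),
    ("Magento", {"Buy", "Users", "Categories", "List"}),
]
CANDIDATES = ["Categories", "Submit", "Register", "Contact", "Buy",
              "Recent", "Users", "List", "Registration"]  # words of a vanilla install

def evaluate(corpus, words, target):
    """Run the dork against the index. Coverage = number of results; hit rank =
    fraction of the results actually built with the target technology."""
    results = [tech for tech, page in corpus if all(w in page for w in words)]
    coverage = len(results)
    hit_rank = results.count(target) / coverage if coverage else 0.0
    return Stats(hit_rank, coverage)

def build_dork(corpus, target, candidates, max_words=5):
    """One word per step: among the candidates whose coverage is at or above
    the median coverage of all candidates, take the highest hit rank."""
    dork = []
    best = evaluate(corpus, dork, target).hit_rank   # empty dork: base rate of target
    while len(dork) < max_words:
        trial = {w: evaluate(corpus, dork + [w], target)
                 for w in candidates if w not in dork}
        if not trial:
            break
        threshold = statistics.median([s.coverage for s in trial.values()])
        eligible = {w: s for w, s in trial.items() if s.coverage >= threshold}
        word = max(eligible, key=lambda w: (eligible[w].hit_rank, eligible[w].coverage))
        if eligible[word].hit_rank <= best:           # assumption: stop when stuck
            break
        dork.append(word)
        best = eligible[word].hit_rank
    return dork

def render(dork):
    """The query string as it would be typed into the search engine."""
    return " ".join(f'"{w}"' for w in dork)

if __name__ == "__main__":
    d = build_dork(CORPUS, "Joomla", CANDIDATES)
    print(render(d), evaluate(CORPUS, d, "Joomla"))
```

On this corpus the coverage filter is what keeps the search honest: "Registration" has a perfect hit rank on its own but appears on a single page, so it falls below the median coverage and is never picked, whereas "Register" is chosen first (4 of its 5 results are Joomla!) and "Categories" second, leaving a two-word dork with hit rank 1.0 and coverage 3.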
WORD-BASED DORKS: RESULTS
Hit rank (correct hits out of 1000 results checked) and coverage (number of results) of the common-word dork, compared with the ground-truth dork for the same CMS:

CMS          Hit rank                     Coverage
             common words   ground truth  common words   ground truth
WordPress    938/1000       967/1000      47.1 M         83.6 M
Joomla!      878/1000       887/1000      7.24 M         3.73 M
Drupal       827/1000       997/1000      7.87 M         3.27 M
Magento      871/1000       852/1000      0.39 M         0.68 M
OpenCart     891/1000       998/1000      0.59 M         1.42 M

Common-word dorks reach a hit rank close to the ground truth for every CMS, and for Joomla! and Drupal they return more results than the ground-truth dork.
WORD-BASED DORKS: DEFENSES
Idea: insert invisible characters into the words, so that the words the dork relies on are not indexed as whole tokens while the rendered text stays the same.
  as served:   Powered by WordPress
  with breaks: Power⁣ed b⁣y Wor⁣dPress
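The word-breaking idea above as an added example in Python (an illustration written for this page, not the authors' code), together with the check a practitioner would want: that the visible text is unchanged and that a tokenizer which does not normalise format characters no longer finds the dork's words. The slide does not name the invisible character it uses; this example assumes U+2063 INVISIBLE SEPARATOR (Unicode general category Cf). The banner and dork below are constructed.

```python
"""Break banner words with an invisible Cf character so a raw-text tokenizer
no longer sees "Powered" or "WordPress". Added illustration, not the authors' code."""
import re
import unicodedata

SEP = "\u2063"   # INVISIBLE SEPARATOR, general category Cf (assumption)

def break_words(text, min_len=2):
    """Insert SEP in the middle of every run of at least min_len letters."""
    def split(m):
        w = m.group(0)
        cut = len(w) // 2
        return w[:cut] + SEP + w[cut:]
    return re.sub(r"[A-Za-z]{%d,}" % min_len, split, text)

def strip_format_chars(text):
    """What a renderer displays, and what an indexer that normalises format
    characters would see: the text with every Cf character removed."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")

def tokens(text):
    """A tokenizer that does not normalise: word-character runs exclude Cf
    characters, so the separator splits one word into two tokens."""
    return set(re.findall(r"\w+", text))

def dork_matches(dork_words, page_text):
    """True when every quoted word of the dork is a token of the page."""
    return set(dork_words) <= tokens(page_text)

BANNER = "Powered by WordPress"        # constructed sample banner
DORK = ["Powered", "WordPress"]        # a common-word dork for that banner

if __name__ == "__main__":
    broken = break_words(BANNER)
    print(repr(broken), dork_matches(DORK, BANNER), dork_matches(DORK, broken))
```

The last assertion in the check below is the caveat: an indexer that strips format characters before tokenising sees the original banner again, so the defense only holds against engines that index the raw string. The slides do not say how any particular engine behaves; verify against the engine you care about, and weigh the cost, since find-in-page, copy/paste and screen readers also see the broken words.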
DORKS DEFENSES
Category              Defense
URL Patterns          URL obfuscation (this work)
File Extensions       (none listed)
Content-Based
  Banners             remove banners
  Misconfigurations   improve system configuration
  Error messages      proper error handling
  Common words        invisible characters inside words (this work)
CONCLUSION
1) A classification of existing dorks
2) A defense against URL-pattern dorks
3) A new type of dork built from common words
4) A defense against common-word dorks
