HaX0rz Toolkit
• Complicated 'sploits that need a Bachelor's degree to understand and use
• Scripts in various languages and syntaxes like C, Perl, GTK and bash
• Automated scanning tools like nmap and nessus
• A web browser
A Web Browser?
Web surfing:
• Is easy to do,
• Is operating system independent,
• Doesn't require intimate knowledge of "the system",
• Provides access to vast amounts of data and information,
• and is topped off with all kinds of data mining tools
Web Features
• Reverse phone number searches
• Detailed address topological maps
• Satellite photography of target area
• Resumes
• Phone and email lists
• Likely targets described in detail
• Exploit information easy to obtain
• Data aggregation makes it more serious
What We'll Learn
• Methods of reconnaissance
• The level of sensitive detail companies and organizations leave exposed to the Internet
• The level of detail about specific people on the Internet
• The effect of data aggregation on privacy
Where to start?
• Search engines are one of the first things people learn to use on the Internet
• Most use highly effective search algorithms to mine the Internet
• Most provide equally advanced search abilities to the user
Sometimes it works when broken
• From an allintitle:"Index of /admin" search
• The admin account had been patched
• But the error information was pretty interesting, too…
• Within the full page error report were full paths to libraries:
  /home/faraway/opt/cancat/lib
  /usr/local/share/perl/5.6.1/Apache/ASP.pm
  /usr/local/lib/perl/5.6.1/DBD/mysql.pm
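A verbose error page like the one on this slide is worth scraping rather than reading by hand. The following is an added example, not code from the original presentation: a small Python script that pulls absolute paths, software versions and home-directory usernames out of such a page. The three library paths are the ones the slide quotes; the surrounding error text is a constructed sample, and the regular expressions are assumptions about what a full-page error report contains.

```python
"""Extract leaked filesystem paths, software versions and usernames from a
verbose server error page.  Added example; the sample page is constructed."""
import re

# Constructed sample of a full-page Apache::ASP error report.  The three
# library paths are the ones quoted on the slide; everything else is made up.
SAMPLE_ERROR_PAGE = """<html><body>
<h2>Apache::ASP error</h2>
<pre>
Can't connect to local MySQL server
  at /usr/local/lib/perl/5.6.1/DBD/mysql.pm line 312
  at /usr/local/share/perl/5.6.1/Apache/ASP.pm line 1478
Application library path: /home/faraway/opt/cancat/lib
</pre>
</body></html>"""

# An absolute Unix path: a slash not preceded by a word character or another
# slash, then two or more slash-separated components of path-safe characters.
PATH_RE = re.compile(r"(?<![\w/])(/(?:[\w.\-]+/)+[\w.\-]+)")
# A "<name>/<version>/" path fragment such as perl/5.6.1/ reveals a version.
VERSION_RE = re.compile(r"/([A-Za-z][\w\-]*)/(\d+(?:\.\d+)+)/")


def leaked_paths(page: str) -> list[str]:
    """Distinct absolute paths in the page, in order of first appearance."""
    found: list[str] = []
    for match in PATH_RE.finditer(page):
        if match.group(1) not in found:
            found.append(match.group(1))
    return found


def leaked_versions(page: str) -> dict[str, str]:
    """Software name -> version for every name/version/ fragment in the page."""
    return {name: version for name, version in VERSION_RE.findall(page)}


def home_directories(paths: list[str]) -> list[str]:
    """Usernames implied by /home/<user>/... paths."""
    return sorted({p.split("/")[2] for p in paths if p.startswith("/home/")})


if __name__ == "__main__":
    paths = leaked_paths(SAMPLE_ERROR_PAGE)
    print("paths:      ", paths)
    print("versions:   ", leaked_versions(SAMPLE_ERROR_PAGE))
    print("home users: ", home_directories(paths))
```

Run against the sample, the script reports the three paths, that the site runs Perl 5.6.1, and that a local account named faraway exists: exactly the detail a patched admin directory was supposed to hide.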
Search Engines
• allintitle:"Index of /"
• site:gov  site:mil  site:ztarget.com
• filetype:doc  filetype:pdf  filetype:xls
• [cached]  [view as html]
• intitle:, inurl:, allinurl:
• Filetypes include: pdf, ps, wk, wki, wks, wku, lwp, mw, xls, ppt, doc, wps, wdb, wri, rtf, ans and txt
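The operators on this slide are easiest to use systematically when a script composes the queries. The following is an added example, not from the original presentation: a Python helper that assembles a single query (quoting phrases, normalising the filetype extension, using + to force a word) and expands a site × filetype matrix into a deduplicated list. The Google search URL prefix is an assumption for illustration.

```python
"""Compose search-engine queries from the operators on the slide.
Added example, not part of the original presentation."""
from itertools import product
from urllib.parse import quote_plus


def phrase(text: str) -> str:
    """Quote a term containing whitespace so the engine treats it as one phrase."""
    text = text.strip()
    return f'"{text}"' if any(c.isspace() for c in text) else text


def build_query(terms=(), required=(), site=None, filetype=None,
                intitle=None, allintitle=None, inurl=None, allinurl=None) -> str:
    """Assemble one query string.  Operators that take a phrase get it quoted;
    filetype is normalised to a bare lower-case extension."""
    parts = []
    for op, value in (("allintitle", allintitle), ("intitle", intitle),
                      ("allinurl", allinurl), ("inurl", inurl)):
        if value:
            parts.append(f"{op}:{phrase(value)}")
    parts += [phrase(t) for t in terms]
    parts += ["+" + phrase(t) for t in required]   # + forces the word to appear
    if site:
        parts.append(f"site:{site}")
    if filetype:
        parts.append(f"filetype:{filetype.lstrip('.').lower()}")
    return " ".join(parts)


def query_matrix(sites=(None,), filetypes=(None,), **fixed) -> list[str]:
    """Cross product of site and filetype values with the other operators fixed,
    with duplicates removed and order preserved."""
    queries: list[str] = []
    for site, ftype in product(sites, filetypes):
        q = build_query(site=site, filetype=ftype, **fixed)
        if q not in queries:
            queries.append(q)
    return queries


def search_url(query: str, base: str = "https://www.google.com/search?q=") -> str:
    """URL-encode the query for pasting into a browser (base is an assumption)."""
    return base + quote_plus(query)


if __name__ == "__main__":
    print(build_query(allintitle="Index of /", required=["confidential"], filetype="doc"))
    for q in query_matrix(sites=("gov", "mil"), filetypes=("doc", "xls", "pdf"),
                          terms=["password"]):
        print(q, "->", search_url(q))
```

The first print reproduces the allintitle:"Index of /" +confidential filetype:doc query used later in the deck; the matrix shows how quickly the site: and filetype: operators multiply into a full search list.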
Other Interesting Searches
• Far too many password files to bother counting anymore
• Access and error logs from a hotel chain
  • Included booking information and how long customers were staying
  • Some very well-known people had their full vacation schedules made available to the public
• Military "Procedures and Practices"
Other Interesting Searches
• allintitle:"Index of /" +confidential filetype:doc
  • A regulatory matters postal letter to an executive at a telecommunications commission, which contained competitor and specific revenue information, and made the following declaration: "The release of such information on the public record would allow current and potential competitors to develop more effective business and marketing strategies…"
Other Interesting Searches
• Searches for WS_FTP.LOG give a rather detailed list of files that are updated regularly, and often provide internal network IP information normally hidden from the Internet
• Name, job title, phone number, and email address of mailroom staff at major military sites
• Inter-department electronic funds transfers
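What a found WS_FTP.LOG gives away is clearer once it is parsed. The following is an added example, not from the original presentation: a Python script that reads a transfer log, reports which remote hosts sit on RFC 1918 (internal) ranges, and builds a per-host inventory of the files that were uploaded. The log is a constructed sample, and the column layout the parser assumes (date, time, A/B mode, local path, --> or <--, remote host, remote directory, remote file) is an assumption, not something stated on the slide.

```python
"""Inventory a WS_FTP.LOG transfer log: which hosts it names, which of them
are on private (RFC 1918) ranges, and which remote files get uploaded.
Added example; the log layout assumed below is not taken from the slides."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample.  Assumed layout of each line:
#   date time mode local_path direction remote_host remote_dir remote_file
# mode is A (ASCII) or B (binary); direction is --> (upload) or <-- (download).
SAMPLE_LOG = r"""
02.10.22 08:12 A C:\www\index.html --> 10.1.1.23 /htdocs index.html
02.10.22 08:12 B C:\www\images\logo.gif --> 10.1.1.23 /htdocs/images logo.gif
02.10.23 17:40 A C:\www\staff\phonelist.xls --> 10.1.1.23 /htdocs/staff phonelist.xls
02.10.24 09:05 A C:\backup\payroll.csv <-- 192.168.5.7 /export payroll.csv
02.10.24 09:06 A C:\backup\payroll.csv --> 203.0.113.9 /incoming payroll.csv
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<mode>[AB]) (?P<local>.+?) "
    r"(?P<direction>-->|<--) (?P<host>\S+) (?P<rdir>\S+) (?P<rfile>\S+)$"
)

# Checked explicitly rather than via ipaddress.is_private, which also
# flags documentation ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_log(text: str) -> list[dict]:
    """One dict per well-formed line; lines that do not fit the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def internal_hosts(entries) -> list[str]:
    """Remote hosts that are RFC 1918 addresses, i.e. internal network detail."""
    hosts = set()
    for e in entries:
        try:
            addr = ipaddress.ip_address(e["host"])
        except ValueError:          # a hostname rather than an IP literal
            continue
        if any(addr in net for net in RFC1918):
            hosts.add(e["host"])
    return sorted(hosts)


def upload_inventory(entries) -> dict:
    """host -> sorted remote paths that were uploaded (-->) to it."""
    inv = defaultdict(set)
    for e in entries:
        if e["direction"] == "-->":
            inv[e["host"]].add(e["rdir"].rstrip("/") + "/" + e["rfile"])
    return {host: sorted(paths) for host, paths in inv.items()}


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("internal hosts:", internal_hosts(entries))
    for host, paths in upload_inventory(entries).items():
        print(host)
        for p in paths:
            print("   ", p)
```

On the sample the script exposes two internal addresses and shows that a payroll file pulled from one internal host was then pushed to an external one, which is the kind of workflow detail the slide is warning about.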
Other Interesting Searches
• robots.txt files tell search engines "don't look here"
• World-readable and in a known location so the search engines will find it easily, and ignore confidential or private directories
• What do you find when you do look in those directories?
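Because robots.txt is a fixed, simple format, the list of "don't look here" directories can be extracted automatically. The following is an added example, not from the original presentation: a Python parser that splits a robots.txt into User-agent groups, keeps the Allow/Disallow rules in order, and resolves every Disallow path to a full URL. The robots.txt shown is a constructed sample on the reserved example.com domain.

```python
"""List the paths a site's robots.txt asks crawlers to stay out of.
Added example, not from the original slides; the sample file is constructed."""
from urllib.parse import urljoin

SAMPLE_ROBOTS = """\
# robots.txt for www.example.com (constructed sample)
User-agent: *
Disallow: /cgi-bin/
Disallow: /admin/
Disallow: /private/reports/
Allow: /private/reports/public-summary.html

User-agent: Googlebot
Disallow: /tmp/
Disallow: /old-site/
Crawl-delay: 10
"""


def parse_robots(text: str) -> list:
    """Return one (agents, rules) record per User-agent group.

    agents is the list of User-agent names that open the group; rules is a
    list of (directive, value) tuples in file order, directive being "allow",
    "disallow" or "other" (other directives are kept as "name=value").
    """
    groups = []
    agents, rules = [], []
    reading_agents = False   # True while consecutive User-agent lines are being read
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line or ":" not in line:
            continue
        field, value = (s.strip() for s in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if not reading_agents and agents:  # a new group starts here
                groups.append((agents, rules))
                agents, rules = [], []
            agents.append(value)
            reading_agents = True
        else:
            reading_agents = False
            if field in ("allow", "disallow"):
                if value:                      # an empty Disallow means "allow everything"
                    rules.append((field, value))
            else:
                rules.append(("other", f"{field}={value}"))
    if agents:
        groups.append((agents, rules))
    return groups


def hidden_paths(text: str, base_url: str = "http://www.example.com") -> list[str]:
    """Every Disallow path, resolved against base_url, deduplicated, in file order."""
    urls: list[str] = []
    for _agents, rules in parse_robots(text):
        for directive, path in rules:
            url = urljoin(base_url, path)
            if directive == "disallow" and url not in urls:
                urls.append(url)
    return urls


if __name__ == "__main__":
    for agents, rules in parse_robots(SAMPLE_ROBOTS):
        print("group for", agents)
        for rule in rules:
            print("   ", rule)
    print("worth a look:")
    for url in hidden_paths(SAMPLE_ROBOTS):
        print("   ", url)
```

The output is a ready-made list of directories the site owner considered sensitive enough to hide from crawlers, which is precisely where the slide suggests looking next.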
Other Interesting Searches
• Passive scanning for vulnerable targets
• Where to find targets:
  • Search for phrases commonly found on web-based application interfaces (and especially their error messages)
  • Sites like http://www.securityfocus.com provide information that can be used to create search criteria
Unreported Vulnerabilities
• Many vulnerabilities go unreported and unfixed, despite how obvious they are
• Example:
  • HAMWeather is a weather software package that allows websites to provide accurate weather information. Geared towards news sites.
  • Does not require authentication for any of its administrative processes
  • Let's search for that administrative program…
More Web Hacking
• Search engines are a treasure trove of information
• We've looked at general web search engines, but let's now look at more information-specific sites:
  • Administrative web servers
  • Reconnaissance from the sky
  • Proxies
Administrative Web Servers
• Many devices come with web servers enabled by default:
  • Printers
  • Routers and switches
  • Wireless access points
Printers on the Web?
• Netcraft provides an ongoing tally of web servers operating on the Internet.
• Can we find web-based administration?
Several sites seem to have leftthis particular printer wide open
Reconnaissance
• We've seen a glimpse of various back doors available to web browsers
• Let's turn the tables now, and talk much closer to home
• How much personal detail do we put online for all to see?
Reconnaissance
• Web surfing habits
• Cookies
• Resumes
• Web site histories (www.archive.org)
• News group posts
• Friends
• Relatives
• School archives
• Maps
Final Thoughts
• We have shown a few ways that a web browser can be used to gather huge amounts of target information, and a few ways the web browser can be used to exploit trivial vulnerabilities
• There are many more online services like the ones pointed out in this presentation
• It is easy to collect and analyze this information to produce thorough profiles
Thank You
Karsten Johansson
KSAJ Inc.
www.PENETRATIONTEST.com