Google as a Hacking Tool

77,857 views

Published on

Published in: Technology
  • Be the first to comment

Google as a Hacking Tool

  1. 1. First Improvised Security Testing ConferenceMadrid, 8th August 2003 Advanced Google Sear ching Google as a hacking tool Author: Johnny Long johnny@ihackstuff.com http://johnny.ihackstuff.com Speaker: Vicente Aceituno
  2. 2. Why Google? Google caches all crawled web pages Google provides instant response Google provides document translations Google provides language translation Google provides web, news, catalog and ftp searches Google is cool
  3. 3. Index Google Searching Default Web pages Directory listings Finding files Googlescan tools Rise of the Robots Prevention
  4. 4. Google Searching Google provides a great deal of information about using it’s search engine in it’s fullest capacity. The following tables are copied verbatim from Google’s usage documents
  5. 5. Basic Searching Special Query Example Query Description Capability If a common word is essential to getting the results you Include Query Star Wars Episode want, you can include it by putting a "+" sign in Term +I front of it. You can exclude a word from your search by putting a Exclude Query bass -music minus sign ("-") immediately in front of the term you Term want to exclude from the search results. Search for complete phrases by enclosing them in quotation marks or connecting them with hyphens. Words marked in this way will appear together in Phrase Search "yellow pages" all results exactly as entered. Note: You may need to use a "+" to force inclusion of common words in a phrase. Google search supports the Boolean "OR" operator. To Boolean OR vacation london OR retrieve pages that include either word A or word Search paris B, use an uppercase OR between terms.
  6. 6. Filtering/Exclusion The query prefix "filetype:" filters the results returned to include only documents with the extension specified immediately after. Note there can be no space Google filetype:doc OR File Type Filtering between "filetype:" and the specified filetype:pdf extension. Note: Multiple file types can be included in a filtered search by adding more "filetype:" terms to the search query. The query prefix "-filetype:" filters the results to exclude documents with the extension specified immediately after. Google -filetype:doc - Note there can be no space between "- File Type Exclusion filetype:pdf filetype:" and the specified extension. Note: Multiple file types can be excluded in a filtered search by adding more "- filetype:" terms to the search query.
  7. 7. Filtering site/date If you know the specific web site you want to search but aren’t sure where the information is located within that site, you can use Google to search only within a specific web site. Do this by entering your query followed by the Site Restricted admission site:www.stanford.edu string “site:” followed by the host name. Search Note: The exclusion operator (“-“) can be applied to this query term to remove a web site from consideration in the search. Note: Only one site: term per query is supported. If you want to limit your results to documents that were published within a specific date range, then you can use the “daterange: “ query term to accomplish this. The “daterange:” query term must be in the following format: daterange:<start_date>-<end date> where Date Restricted Star Wars daterange:2452122- <start_date> = Julian date indicating the start of Search 2452234 the date range <end_date> = Julian date indicating the end of the date range The Julian date is calculated by the number of days since January 1, 4713 BC. For example, the Julian date for August 1, 2001 is 2452122.
  8. 8. Title searching If you prepend "intitle:" to a query term, Google search restricts the results to documents containing that word in the title. Note there can be no space between Title Search (term) intitle:Google search the "intitle:" and the following word. Note: Putting "intitle:" in front of every word in your query is equivalent to putting "allintitle:" at the front of your query. Starting a query with the term "allintitle:" Title Search (all) allintitle: Google search restricts the results to those with all of the query words in the title.
  9. 9. URL Searches If you prepend "inurl:" to a query term, Google search restricts the results to documents containing that word in the result URL. Note there can be no space between the "inurl:" and the following word. Note: "inurl:" works only on words , not URL components. In particular, it ignoresURL Search (term) inurl:Google search punctuation and uses only the first word following the "inurl:" operator. To find multiple words in a result URL, use the "inurl:" operator for each word. Note: Putting "inurl:" in front of every word in your query is equivalent to putting "allinurl:" at the front of your query. Starting a query with the term "allinurl:" restricts the results to those with all of the query words in the result URL. Note: "allinurl:" works only on words, not URL components. In particular, it ignores punctuation. Thus, "allinurl: foo/bar" restrictsURL Search (all) allinurl: Google search the results to pages with the words "foo" and "bar" in the URL, but does not require that they be separated by a slash within that URL, that they be adjacent, or that they be in that particular word order. There is currently no way to enforce these constraints.
  10. 10. Text/Link Searching Starting a query with the term “allintext:” allintext: Google restricts the results to those with all of Text Only Search (all) search the query words in only the body text, ignoring link, URL, and title matches. Starting a query with the term “allinlinks:” allinlinks: Google restricts the results to those with all of Links Only Search (all) search the query words in the URL links on the page.
  11. 11. Link Searches The query prefix "link:" lists web pages that have links to the specified web page. Note there can be no space between Back Links link:www.google.com "link:" and the web page URL. Note: No other query terms can be specified when using this special query term. The query prefix "related:" lists web pages that are similar to the specified web related:www.google.co page. Note there can be no space Related Links m between "link:" and the web page URL. Note: No other query terms can be specified when using this special query term.
  12. 12. Translation service Google offers a very nice language translation service.
  13. 13. Tricks  When www.google.com is not available, try www2.google.com or www3.google.com.  Reading the google’s cache can prevent filters to know what page are you seeing.  You can get the same result we trick an english-to-english translation. http://translate.google.com/translate (main URL) ?u=http://www.defcon.org&langpair=en|en (options)
  14. 14. Intuitive GoogleSear chesDefault Web Pages
  15. 15. Windows-based defaultserver intitle:"Welcome to Windows 2000 Internet Services"
  16. 16. Windows-based defaultserver intitle:"Under construction" "does not currently have"
  17. 17. Windows NT 4.0 intitle:“Welcome to IIS 4.0"
  18. 18. OpenBSD/Apache(scalp=) “powered by Apache” “powered by openbsd"
  19. 19. Apache 1.2.6 Intitle:”Test Page for Apache” “It Worked!”
  20. 20. Apache 1.3.0 – 1.3.9 Intitle:”Test Page for Apache” “It worked!” “this web site!”
  21. 21. Apache 1.3.11 - 1.3.26 "seeing this instead" intitle:"Test Page for Apache"
  22. 22. Apache 2.0 Intitle:”Simple page for Apache” “Apache Hook Functions”
  23. 23. Apache Version Info Apache Number of Version Servers 1.3.6 119,000.00 1.3.3 151,000.00 1.3.14 159,000.00 1.3.24 171,000.00 Google told 1.3.9 203,000.00 us all this. 2.0.39 256,000.00 We’ll discuss 1.3.23 259,000.00 how in the next section. 1.3.19 260,000.00 1.3.12 300,000.00 1.3.20 353,000.00 1.3.22 495,000.00 1.3.26 896,000.00
  24. 24. IntuitiveSear chesDirectory Listings
  25. 25. Directory Listings  Directory listings are often misconfigurations in the web server.  A directory listing shows a list of files in a directory as opposed to presenting a web page.  Directory listings can provide very useful information.
  26. 26. Directory Example Intitle:”Index of” This query serves as the basis for all directory searches…
  27. 27. Directory InfoGathering Some servers, like Apache, generate a server version tag.
  28. 28. Esoteric ApacheVersioning Esoteric Apache Versions found on Google query: intitle:"Index of" "Apache/[ver] Server at"Number of Servers 80000 69,300 64,200 65,000 70000 60,500 62,900 60000 45,200 50000 40000 27,300 30000 20000 9,400 10000 33 30 245 310 5 207 93 74 61 3 9 20 2 1 30 474 ,1 1 20 ,1 739 0 1.3.26+interserver 1.3.xx 1.3.4-dev 1.3.7-dev 2.0.40-dev 1.3.15-dev 1.3.21-dev 1.3.23-dev 1.3.24-dev 2.0.37-dev 1.3.17-HOF 1.2.6 1.3.0 1.3.1 1.3.2 1.3.4 1.3.11 1.3.17 2.0.16 2.0.18 2.0.28 2.0.32 2.0.35 2.0.36 1.3b6 Ap a c h e V e r s io n
  29. 29. Common ApacheVersioning Common Apache Versions found on Google query: intitle:"Index of" "Apache/[ver] Server at" 1.000.000,00 896.000Number of Servers 800.000,00 600.000,00 495.000 353.000 400.000,00 300.000 260.000 259.000 256.000 159.000 171.000 151.000 203.000 200.000,00 119.000 0,00 1.3.12 1.3.14 1.3.19 1.3.20 1.3.22 1.3.23 1.3.24 1.3.26 2.0.39 1.3.3 1.3.6 1.3.9 Apache Server Version
  30. 30. Intuitive SearchesFinding Files
  31. 31. test-cgi Intitle:”Index of” test-cgi
  32. 32. ws_ftp.log Intitle:”Index of” ws_ftp.log
  33. 33. Secring.pgp Intitle:”Index of” secring.php
  34. 34. config.php Intitle:”Index of” config.php
  35. 35. administrators.pwd Intitle:”Index of” administrators.pwd
  36. 36. ws_ftp.ini Intitle:”Index of” ws_ftp.iniTip: Got to http://www.hispasec.com/directorio/laboratorio/Software/ws_ftp.html
  37. 37. .htpasswd Intitle:”Index of” .htpasswd
  38. 38. .htpasswd Intitle:”Index of” .htpasswd
  39. 39. /etc/shadow Intitle:”Index of” etc shadow
  40. 40. AdvancedTechniquesGooglescan
  41. 41. Googlescan With a known set of file-based web vulnerabilities, a vulnerability scanner based on search engines is certainly a reality.
  42. 42. Googlescan … /scancfg.cgi /cgi-bin/CrazyWWWBoard.cgi Armed with a list /cgi-bin/pals-cgi of cgi exploits /ROADS/cgi-bin/search.pl from any /way-board/way-board.cgi common CGI /cgi-bin/replicator/webpage.cgi scanner… /cgi-bin/auktion.pl /cgi-bin/webspirs.cgi /cgi-bin/ipf/etc/gfw/ui/pwd.dat /cgi-bin/hsx.cgi /cgi-bin/mailnews.cgi /cgi-bin/adcycle /cgi-bin/post-query /cgi-bin/ikonboard/help.cgi /cgi-bin/webspirs.cgi …
  43. 43. Googlescan.sh rm temp awk -F"/" {print $NF"|http://www.google.com/search?q= intitle%3A%22Index+of%22+"$NF} vuln_files > queries for query in `cat queries` do echo -n $query"|" >> temp echo $query | awk -F"|" {print $2} lynx -source `echo $query | awk -F"|" {print $2}` | grep "of about" | awk -F "of about" {print $2} | awk -F"." {print $1} | tr -d "</b>[:cntrl:] " >> temp echo " " >> temp Done cat temp | awk -F"|" {print "<A HREF="" $2 "">" $1 " (" $3 "hits) </A><BR><BR>"} | grep -v "(1,770,000" > report.html
  44. 44. Googlescan.sh A simple shell script presents an html- formatted list of potentially vulnerable or interesting web servers.
  45. 45. Googlescan.sh output
  46. 46. Niktoogle.exe output
  47. 47. http://johnny.ihackstuff.com/googledorks.shtml
  48. 48. AdvancedTechniquesRise of the Robots
  49. 49. Rise of the Robots  Michal Zalewski wrote a great article for Phrack (57/10) which presented the idea of the use of autonomous search robots in server exploitation
  50. 50. Rise of the Robots “Consider a remote exploit that is able to compromise a remote system without sending any attack code to his victim. Consider an exploit which simply creates local file to compromise thousands of computers, and which does not involve any local resources in the attack. Welcome to the world of zero-effort exploit techniques. Welcome to the world of automation, welcome to the world of anonymous, dramatically difficult to stop attacks resulting from increasing Internet complexity.” –Michal Zalewski
  51. 51. The Concept Web robots crawl a web page indexing files it is allowed to find. Any links that are found on the indexed pages are followed as well. Instead of standard web links, create a payload of “exploit” links for the crawlers to consume.
  52. 52. Simple ExampleMichal presents the following example links on his indexed web page: http://somehost/cgi-bin/script.pl?p1=../../../../attack http://somehost/cgi-bin/script.pl?p1=;attack http://somehost/cgi-bin/script.pl?p1=|attack http://somehost/cgi-bin/script.pl?p1=`attack` http://somehost/cgi-bin/script.pl?p1=$(attack) http://somehost:54321/attack?`id` http://somehost/AAAAAAAAAAAAAAAAAAAAA...
  53. 53. Simple Example The robots followed all the links as written, including connecting to non-http ports. The robots followed the “attack links,” performing the attack completely unaware.
  54. 54. Think Big  Michael goes on to postulate that randomly generated, massive lists would cause much more of a problem.  A simple PERL or CGI script randomly generating attack links in the thousands and teens of thousands would create a huge problem!  Who would be liable?
  55. 55. Google doesn’t stop  Tomorrow there will be even more sofisticated features…try this:  http://labs1.google.com/cgi-bin/gviewer.cgi?q= intitle%3Aindex.of.private&delay=8&start=0  http://labs.google.com/sets?hl=en&q1=password& passwd&q3=shadow&q4=etc&q5=&btn =Large+Set
  56. 56. Pr eventionLocking it down
  57. 57. Advice Google says it isn’t Google’s fault. Google is very happy to remove references. See http://www.google.com/remove.html. Follow the webmaster’s advice found at http://www.google.com/webmasters/ Get smarter.
  58. 58. /misc: “Google Hacks” There is this book. And it’s an O’REILLY book. But it’s not about hacking. It’s about searching.
  59. 59. Google Hotspots Google APIs: http://www.google.com/apis/ Google voice search: http://labs.google .com/gvs.html Google sets: http://labs.google.com/sets Google catalog search: http://catalogs. google.com/ Google news search: http://news.google .com Google weblog: http://google.blogspace .com/
  60. 60. EOF Watch googleDorks. Questions?

×