
Information Gathering With Google


c0c0n, previously known as Cyber Safe, is an annual event held as part of International Information Security Day. The Information Security Research Association, together with the Matriux Security Community, is organizing a two-day international security and hacking conference titled c0c0n 2010 as part of Information Security Day 2010. The event is supported by the Kochi City Police. Various technical, non-technical, legal and community events are organized as part of the programme. c0c0n 2010 is scheduled for 05-06 Aug 2010.

The number of digital security incidents and cyber crimes is increasing daily. The industry is demanding more and more security professionals and controls to curb this never-ending threat to information systems.

c0c0n aims to provide a platform to discuss, showcase, educate, understand and spread awareness of the latest trends in information, cyber and hi-tech crime. It also aims to be a meeting point for corporations, government organizations (including the investigation agencies), academia, research organizations and other industry leaders and players, for better coordination in making the cyber world a better and safer place.


  1. Information Gathering with Google
     Maximiliano Soler. e-Mail: Twitter: @maxisoler
  2. Presentation
  3. Who am I?
     Maximiliano Soler, Security Researcher & Enthusiast. Currently working as Security Administrator at an international bank. I have discovered vulnerabilities in different web applications and Microsoft products.
     Also working as a Security Consultant on some projects: OWASP, WASSEC, Security-Database and Zero Science Lab.
     Fan of open standards like CVE, CWE, OVAL and CCE.
  4. Objective of the Talk
     Demonstrate the variety of information that can be reached without any sophisticated mechanism, within anyone's reach.
     From the browser to our target: gathering the information needed to carry out the attack.
  5. General Information
  6. Why Google?
     » It only returns pages that contain the terms you entered.
     » It takes into account where on the page the search terms appear.
     » It offers a good summary (snippet) of each result.
     » It keeps a copy of web pages in its cache.
  7. Information Ga…what?
     A large part of the process of hacking or compromising systems consists of gathering information.
     Without proper investigation of which services, ports, applications or web servers are running, carrying out the attack or gaining access to the target system would take much longer.
     The technique is considered a passive activity: it involves no intrusion into or manipulation of the target, so it goes unnoticed (the target sees no traffic at all; only Google sees the queries).
  8. Information Ga…what?
     This information can be obtained through public resources, by running utilities like Whois, NSLookup, NetCraft and DNS Reports, or simply by searching the web manually.
  9. Stages of Information Gathering
     01 - Gathering information
     02 - Locating the network range
     03 - Identifying active machines
     04 - Finding open ports and applications
     05 - Detecting operating systems
     06 - Fingerprinting services
     07 - Mapping the network
     Source: Certified Ethical Hacker, EC-Council
  10. Stages of Information Gathering
     Information gathering about the target → identify vulnerabilities → exploit vulnerabilities → got r00t?
  11. Using Google
     Dorks / Search Operators
  12. Using Google
     Dorks / Search Operators
     What are they?
     Google search operators are query terms or symbols that carry out special actions. They let you find exactly what you are looking for quickly and precisely, offering more control than the Advanced Search page.
  13. Dorks / Search Operators
  14. Dorks / Search Operators
     How do they work?
     Quotation marks "": tell Google to search literally for an expression made up of two or more words, by writing the terms between quotation marks.
     Example: "c0c0n 2010".
     Asterisk "*": stands in for one or more words inside a phrase, widening the search.
     Example: "c0c0n *".
  15. Dorks / Search Operators
     AND: by default Google joins the words entered by the user with AND, so a search that specifies nothing gives the same result as one that uses the operator.
     Example: c0c0n AND security conference.
     Operator "-": excludes results from the search. It goes immediately before the term to exclude, with no space in between (with a space, Google treats it as a stray hyphen and ignores it).
     Example: c0c0n -Hacking.
  16. Dorks / Search Operators
     OR or the symbol "|": the OR condition means the two words need not both appear in each result; either one on its own is enough. Put the OR operator between the terms it should apply to.
     Example: c0c0n OR Security Conference.
     Operator "~": searches for synonyms of a term as well.
     Example: ~Security.
  17. Dorks / Search Operators
     Ranges "num1..num2": match any number within the range; if only one end of the range is known, the other can be left empty.
     Example: ..255.
     Several operators can be combined logically by grouping them in parentheses.
  18. Dorks / Search Operators
     inanchor: allinanchor: intext: allintext: intitle: allintitle: inurl: allinurl: link: cache: filetype: define: phonebook: related: info: site: id:
     Several of these have since been retired by Google, among them the synonym operator ~ and link:.
  19. Dorks / Search Operators
     intitle: site: inurl: filetype:
  20. Dorks / Search Operators
     inanchor: shows only pages where the keyword(s) appear in the text of the links that point to them (based on backlinks or external links).
     allinanchor: unlike the previous one, requires every term to match.
     intext: shows only pages with the keyword(s) in the body of the page.
     allintext: shows only pages where every keyword appears in the body text.
  21. Dorks / Search Operators
     intitle: shows only pages with the keyword(s) in the page title.
     allintitle: requires every search term to appear in the title.
     inurl: shows only pages with the keyword(s) in the URL.
     allinurl: requires every search term to appear in the URL.
  22. Dorks / Search Operators
     link: shows the pages that link to a given domain or page.
     cache: shows Google's cached copy of a page.
     define: shows definitions for a term.
     related: shows related web pages.
     phonebook: searches the public telephone listings by name, address or telephone number.
     info: or id: shows the information Google keeps about a site or web resource.
  23. Dorks / Search Operators
     filetype: filters results by file type (pdf, ppt, doc, txt, etc.).
     site: shows the pages Google has indexed for a domain or subdomain. site:example.com covers the domain and all of its subdomains; site:www.example.com restricts the results to that host.
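     The operator rules on slides 14 to 23 are mechanical enough to check by program. The Python below is an added example, not code from the talk or from any tool it mentions: it splits a dork into its operator terms (respecting quoted phrases), flags the mistakes that silently break a query (a detached "-", an allin* operator mixed with other operators, a URL given to site:), and applies the site: scoping rule from slide 23. The operator names are the ones on slide 18; the lint rules, the site_matches helper and the sample queries are my own assumptions about how the operators are used.

```python
import re

# Operators listed on slide 18 of the talk.
OPERATORS = {
    "inanchor", "allinanchor", "intext", "allintext", "intitle", "allintitle",
    "inurl", "allinurl", "link", "cache", "filetype", "define", "phonebook",
    "related", "info", "site", "id",
}

# One term: optional leading '-', optional 'operator:', then either a
# "quoted phrase" or a run of non-space characters ('*' and '..' included).
_TERM = re.compile(r'(-?)(?:([a-z]+):)?("[^"]*"|\S+)', re.I)


def parse_dork(query):
    """Split a query into (negated, operator, value) triples.

    Boolean words (AND, OR, |) come back as plain values; an unknown
    'word:' prefix such as 'http:' is kept as part of the value.
    """
    terms = []
    for neg, op, value in _TERM.findall(query):
        op = op.lower() or None
        if op and op not in OPERATORS:
            value, op = f"{op}:{value}", None
        terms.append((neg == "-", op, value.strip('"')))
    return terms


def lint_dork(query):
    """Return the problems that make Google ignore part of a query."""
    problems = []
    terms = parse_dork(query)
    # 'c0c0n - Hacking': a '-' followed by a space is just a stray hyphen.
    if any(op is None and value == "-" for _, op, value in terms):
        problems.append("detached '-': write -term with no space")
    # allin* operators apply to the whole query and cannot be combined.
    allin = [op for _, op, _ in terms if op and op.startswith("allin")]
    others = [op for _, op, _ in terms if op and not op.startswith("allin")]
    if allin and (others or len(allin) > 1):
        problems.append("allin* operators take the whole query; do not mix them")
    # site: expects a host or domain, not a URL.
    if any(op == "site" and "://" in value for _, op, value in terms):
        problems.append("site: takes a domain or host, not a URL")
    return problems


def site_matches(scope, host):
    """Does host fall under site:scope?

    site:example.com covers example.com and every subdomain;
    site:www.example.com covers only that host (and anything below it).
    """
    scope = scope.lower().rstrip(".")
    host = host.lower().rstrip(".")
    return host == scope or host.endswith("." + scope)


if __name__ == "__main__":
    print(parse_dork('intitle:"index of" inurl:backup -site:example.com'))
    print(lint_dork("c0c0n - Hacking"))
    print(site_matches("example.com", "mail.example.com"))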
  24. And now…
     What can we find?!
  25. What can we find?!
     » Vulnerable products.
     » Error messages.
     » Files that contain sensitive information.
     » Files that contain passwords.
     » Files that contain usernames.
     » Footholds and information that helps gain access.
     » Pages with login forms.
     » Pages that contain vulnerability-related data.
     » Sensitive directories.
     » Sensitive e-commerce and e-banking information.
     » Online hardware devices.
     » Vulnerable files.
     » Vulnerable servers.
     » Web server detection.
  26. What can we find?!
     Maybe this is your face after seeing all the information we can find.
  27. » Vulnerable products
     Using the published advisories for discovered vulnerabilities, we can identify vulnerable servers, generally by their version.
  28. » Vulnerable products
     + intext:phpinfo
  29. » Error messages
     Error messages often give valuable information about how the application or script is executed and which user it runs as.
  30. » Error messages
     intext:"access denied for user" "using password"
  31. » Files that contain sensitive information
     No usernames or passwords, but interesting and useful information. robots.txt, for instance, lists the paths the site owner does not want crawled, which is a map of what they consider sensitive.
  32. » Files that contain sensitive information
     inurl:robots.txt
  33. » Files that contain passwords
     And yes, passwords! As easy as searching for them. :-D
  34. » Files that contain passwords
     + inurl:config.xml
  35. » Files that contain usernames
     Files that contain usernames, without passwords.
  36. » Files that contain usernames
     inurl:admin inurl:userlist
  37. » Footholds and information that helps gain access
     A simple way to gain access: look for unprotected files.
  38. » Footholds and information that helps gain access
     intitle:"PHP Shell *" "Enable stderr" filetype:php
  39. » Pages with login forms
     The typical login pages of portals, blogs, or any system administered via the web.
  40. » Pages with login forms
     inurl:wp-login.php
  41. » Pages that contain vulnerability-related data
     Interesting information: firewall logs, vulnerability reports, running services and muuuch more.
  42. » Pages that contain vulnerability-related data
     intitle:"Nessus Scan Report" "This file was generated by Nessus"
  43. » Sensitive directories
     Depending on the case we will find more or less sensitive information. General-purpose search.
  44. » Sensitive directories
     inurl:backup intitle:index.of inurl:admin
  45. » Sensitive e-commerce and e-banking information
     Where do you buy and what do you buy? Information about customers, sellers and purchase orders, and exposed e-commerce back ends.
  46. » Sensitive e-commerce and e-banking information
     inurl:"shopadmin.asp" "Shop Administrators only"
     SecurityTracker Alert ID: 1004384
  47. » Online hardware devices
     The possibility of administering printers and video cameras, spying on others, etc.
  48. » Online hardware devices
     intitle:"EverFocus EDSR Applet"
     What is the default login?! YES, it works!
  49. » Vulnerable files
     Lots of vulnerable files, one click away.
  50. » Vulnerable files
     intext:"File Upload Manager v1.3" "rename to"
  51. » Vulnerable servers
     Different ways into servers: default installations, scripts left unconfigured.
  52. » Vulnerable servers
     intitle:"Remote Desktop Web Connection"
  53. » Web server detection
     Identify, through their versions, vulnerable servers, default access, help documents, logins, etc.
  54. » Web server detection
     intext:"Microsoft-IIS/5.0 server at" inurl:gov.*
  55. Looking for the Code
  56. » Looking for the Code
     Google provides a simple way of finding vulnerabilities in software: through Google Code Search we can search source code for vulnerable patterns. (Google shut Code Search down in 2012; the same regular expressions still work with grep or ripgrep over a local checkout.)
  57. » Looking for the Code
     JavaServer Pages (.jsp), Cross Site Scripting: <%=.*getParameter
  58. » Looking for the Code
     JavaServer Pages (.jsp), SQL Injection: executeQuery.*getParameter
  59. » Looking for the Code
     PHP, Cross Site Scripting: lang:php (print\(|echo)\s\$_(GET|REQUEST)
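     Since Code Search is gone, the three patterns from slides 57 to 59 are most useful as a local source scan. The Python below is an added example, not code from the talk: it runs those regexes line by line over two constructed sample files (not from any real project) and reports candidate sinks. The PHP pattern is the slide's regex loosened with an optional "(" and "\s*" so that both echo and print(...) forms are caught; that loosening is my assumption, as is the Encode.forHtml call in the JSP sample, which is there to show that a regex hit is a candidate to triage, not a confirmed bug.

```python
import re

# The three Code Search patterns from slides 57-59. The PHP one is the
# slide regex loosened (assumption) so that 'echo $_GET[...]' and
# 'print($_REQUEST[...])' are both caught.
PATTERNS = {
    "jsp-xss":  re.compile(r"<%=.*getParameter"),
    "jsp-sqli": re.compile(r"executeQuery.*getParameter"),
    "php-xss":  re.compile(r"(print\(?|echo)\s*\$_(GET|REQUEST)"),
}

# Constructed sample sources (not from any real project).
SAMPLES = {
    "search.jsp": (
        '<html><body>\n'
        '<p>Results for <%= request.getParameter("q") %></p>\n'
        '<% ResultSet rs = stmt.executeQuery("SELECT * FROM t WHERE id=" + request.getParameter("id")); %>\n'
        '<p><%= Encode.forHtml(request.getParameter("q")) %></p>\n'
        '</body></html>\n'
    ),
    "hello.php": (
        '<?php\n'
        "echo $_GET['name'];\n"
        "print($_REQUEST['msg']);\n"
        "echo htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8');\n"
    ),
}


def scan(sources, patterns=PATTERNS):
    """Return (file, line_no, pattern, line) for every regex hit.

    Hits are candidate sinks, not confirmed bugs: search.jsp line 4
    encodes the parameter before output and is a false positive that
    needs manual triage, while hello.php line 4 is not matched at all.
    """
    hits = []
    for name, text in sources.items():
        for no, line in enumerate(text.splitlines(), 1):
            for pname, rx in patterns.items():
                if rx.search(line):
                    hits.append((name, no, pname, line.strip()))
    return hits


if __name__ == "__main__":
    for name, no, pname, line in scan(SAMPLES):
        print(f"{name}:{no}: [{pname}] {line}")
```

     The regexes only see one line at a time, exactly as Code Search did; a parameter read on one line and echoed on the next is missed, which is the usual reason to move from grep-style patterns to a taint-tracking tool once the cheap hits are triaged.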
  60. Playing with the Google API
     What are the APIs?
     API stands for Application Programming Interface. In other words, they are the methods that the developer of an application offers to other developers so that they can make use of that application.
     Which programming languages can I use the Google APIs with?
     Developers can send requests to Google from several languages, such as Java, Perl, Visual Studio .NET and others.
  61. Playing with the Google API
     What applications can I build with the Google APIs?
     Many: web applications as well as classic desktop programs.
     How do the Google APIs work?
     The applications written by developers connect to Google's Web API service. The communication uses the protocol named SOAP (Simple Object Access Protocol), which is XML-based and is used to exchange information between applications. (Google deprecated the SOAP Search API in 2006 and shut it down in 2009; its successors, the AJAX Search API and later the Custom Search JSON API, speak JSON over HTTP instead.)
  62. Tools and Utilities
  63. Tools
     Gooscan v1.0
     Gooscan is a tool that automates queries to Google. Conceived as a CGI scanner, it never talks directly to the target: it is Google that answers.
     Features
     » Written in C.
     » Dorks can be added or removed.
     » Automated searches may violate Google's Terms of Service.
  64. Tools
     SiteDigger v3.0
     SiteDigger searches Google's cache to find vulnerabilities, errors, default configurations and other security-related information about a website.
     Features
     » Improved user interface, signature update and results page.
     » Does not require a Google API key.
     » Proxy and TOR support.
     » Real-time results.
     » Signature updates.
     » Signatures and configuration can be saved.
     » Requires: Microsoft .NET Framework v3.5
  65. SiteDigger v3.0
  66. Tools
     Athena v2.0
     It uses XML files for its searches, which can be customised. It works the same way as a web browser.
     Features
     » Compatible with SiteDigger.
     » XML files can be modified.
     » Does not use the Google API.
     » One search at a time.
     » Requires: Microsoft .NET Framework v1.1
  67. Tools
     Athena v2.0
  68. Tools
     ProminentDork v1.0
     Aimed at fuzzing and finding SQLi, XSS, LFI and RFI through Google.
     Features
     » Written in C#, GNU licence.
     » Multiple queries.
     » GHDB support.
     » Proxy support.
     » CAPTCHA recognition.
  69. Tools
     ProminentDork v1.0
  70. Tools
     Advanced Dork (Firefox Addon)
     A Firefox extension that makes it easy and quick to use more than 15 dorks from a context menu.
  71. Tools
     Advanced Dork (Firefox Addon)
  72. Social Engineering
     Raising the stakes
  73. Social Engineering… raising the stakes
     We can discover information about the administrators and the environment they work in:
     » Technologies used, via job postings.
     » Level of knowledge, via technical publications.
     » Hobbies.
     » Skills.
     » Friends, via social networks like Facebook, LinkedIn, Google/Yahoo! Groups.
     » Or also... a personal telephone number ;-) ----->
  74. Recommendations
  75. Recommendations
     » Secure the servers and the web applications in use.
     » Test and deploy the latest available updates through a security policy.
     » Disable directory browsing.
     » Do not publish sensitive information without authentication.
     » Analyse the searches that lead visitors to our websites; the query arrives in the Referer header and can be read from the HTTP logs.
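     The last recommendation, reading the search queries that brought visitors to the site out of the web server logs, is a small detection job. The Python below is an added example, not code from the talk: it parses Apache combined-format log lines, pulls the q= parameter out of Google search referers, and flags requests whose query used the targeting operators from slide 18 (inurl:, intitle:, filetype:, site: and so on), which is the signature of someone dorking the site rather than searching for it by name. The log lines are constructed for the example, and the choice of operators that count as "targeting" is mine. One caveat: Google has sent only the origin as Referer for years now, so on current logs the query is usually absent; the check still applies to older logs and to engines that still pass the query through.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Operators from slide 18 that mark a query as targeted rather than casual.
DORK_RE = re.compile(
    r'\b(?:(?:all)?in(?:url|title|text|anchor)|filetype|site|cache|link):', re.I
)
GOOGLE_HOST = re.compile(r'(?:^|\.)google\.[a-z.]+$')

# Constructed sample log lines (RFC 5737 test addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Aug/2010:10:12:31 +0530] "GET /backup/ HTTP/1.1" 200 5120 '
    '"http://www.google.com/search?q=inurl%3Abackup+intitle%3Aindex.of+site%3Aexample.org" "Mozilla/5.0"',
    '203.0.113.9 - - [05/Aug/2010:10:13:02 +0530] "GET /wp-login.php HTTP/1.1" 200 2048 '
    '"http://www.google.co.in/search?q=inurl%3Awp-login.php+site%3Aexample.org&hl=en" "Mozilla/5.0"',
    '198.51.100.4 - - [05/Aug/2010:10:14:10 +0530] "GET /about.html HTTP/1.1" 200 1024 '
    '"http://www.google.com/search?q=c0c0n+2010+conference" "Mozilla/5.0"',
    '198.51.100.5 - - [05/Aug/2010:10:15:00 +0530] "GET /index.html HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0"',
]


def search_query(referer):
    """Return the q= parameter of a Google search referer, else None."""
    if not referer or referer == "-":
        return None
    parts = urlsplit(referer)
    if not GOOGLE_HOST.search(parts.hostname or ""):
        return None
    return parse_qs(parts.query).get("q", [None])[0]


def find_dork_referers(lines):
    """Return one dict per request whose referer query used dork operators."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        query = search_query(m["referer"])
        if not query:
            continue
        ops = sorted({op.lower() for op in DORK_RE.findall(query)})
        if ops:
            hits.append({"ip": m["ip"], "path": m["path"], "query": query, "ops": ops})
    return hits


if __name__ == "__main__":
    for hit in find_dork_referers(SAMPLE_LOG):
        print(f"{hit['ip']} fetched {hit['path']} via dork: {hit['query']}")
```

     The useful output is the path column: every path that shows up here is something Google has already indexed and that someone has already found with an operator, so it is the shortlist for the "do not publish without authentication" recommendation above.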
  76. Recommendations
     What do we do if we discover that Google is indexing sensitive information?!
     We should report it to Google, who will then remove that information from their cache. Removing the cached copy only helps if the content has also been taken down, or put behind authentication, on the server itself; otherwise the next crawl brings it back.
  77. Conclusions
  78. Conclusions
     » Information gathering is a very useful technique. :-)
     » Files with sensitive information remain in Google's cache even after they are deleted from the web servers.
     » Use Google dorks to see what information about our own website can be found in Google.
     » Learn and understand the different techniques and tools mentioned.
     » Security through obscurity does not exist!
     Accepting our vulnerability instead of trying to hide it is the best way to adapt to reality.
  79. Recommended Websites
     Google Guide
     Dirson
     Official Google Blog (This Week in Search)
     Google Help: Cheat Sheet
     Google Hacking Database (Johnny)
  80. Recommended Websites
     Gooscan v1.0
     SiteDigger v3.0
     ProminentDork v1.0
     Athena 2.0
     Advanced Dork (Firefox Addon)
  81. Questions…
  82. Thank you!!
     Maximiliano Soler. e-Mail: Twitter: @maxisoler