Watching the Watchers
Target Exploitation via Public Search Engines
mail://[email protected]
http://johnny.ihackstuff.com
what’s this about?
using search engines to do interesting (sometimes unintended) stuff
sp3ak l1ke l33to hax0rs
act as transparent proxy servers
sneak past security
find development sites
what’s this about?
using search engines to find exploitable targets on the web which
run certain operating systems
run certain web server software
harbor specific vulnerabilities
harbor sensitive data in public directories
harbor sensitive data in public files
automating the process: googlescan
pick your poison
we have certain needs from a search engine:
advanced search options (not just AND’s and OR’s)
browsing down or changed pages (caching)
instant response (zero-wait)
document and language translations
web, news, image and ftp searches
The obvious choice: Google
not new... Vincent GAILLOT <[email protected] lyon.fr> posted this to BUGTRAQ nearly two years ago...
doing interesting stuff
hax0r, “Google hacks,” proxy, auth bypass, finding development sites
hax0r
for those of us spending way too much time spe@king hax0r...
/misc: “Google Hacks”
There is this book.
And it’s an O’REILLY book.
But it’s not about hacking.
It’s about searching.
I didn’t write it.
Because if I wrote it, it would really be about hacking using Google, and that would get both Google and O’REILLY really upset, and then lawyers would get involved, which is never good unless of course the lawyer happens to be Jennifer Granick... =)
proxy
Google offers a very nice language translation service.
proxy
for example, translating from english to spanish...
proxy
Our english-to-spanish translated Google page is:
http://translate.google.com/translate (main URL)
?u=http://www.defcon.org&langpair=en|es (options)
What happens if we play with the options a bit to provide an english-to-english translation, for example?
http://translate.google.com/translate (main URL)
?u=http://www.defcon.org&langpair=en|en (options)
proxy
we’re surfing through Google, not to the evil DEFCON page. The boss will be sooo proud! 8P
proxy
Google proxy bouncers
http://exploit.wox.org/tools/googleproxy.html
http://johnny.ihackstuff.com
finding development sites
use unique phrases from an existing site to find mirrors or development servers hosting the same page.
this is a copy of a production site found on a web development company’s server...
finding development sites
• troll the development site with another search looking for more files on that server...
finding development sites
• eventually, creative searching can lead to pay dirt: a source code dump
auth bypass
Let’s say an attacker is interested in what’s behind www.thin-ice.com, a password protected page:
auth bypass
One search gives us insight into the structure of the site:
auth bypass
Another search gives a cache link:
auth bypass
Another click takes us to the cached version of the page (no password needed!)
auth bypass
One more click to the really interesting stuff... site source code!
*this site was notified and secured before making this public. sorry, kids ;-)
evil searching: the basics
tools of the trade
Google search syntax
Tossing Google around requires a firm grasp of the basics.
Many of the details can be found here:
http://www.google.com/apis/reference.html
simple word search
A simple search...
simple word search
...can return amazing results. This is the contents of a live .bash_history file!
simple word search
Crawling around on the same web site reveals a firewall configuration file complete with a username and password...
simple word search
...as well as an ssh known hosts file!
simple phrase search
Creativity with search phrases (note the use of quotes)...
simple phrase search
...can reveal interesting tidbits like this ColdFusion error message.
simple phrase search
(Error messages can be very revealing.)
simple phrase search II
Sometimes the most idiotic searches (“enter UNIX command”)...
simple phrase search II
...can be the most rewarding!
special characters
symbol          use
+ (plus)        AND, force use
- (dash)        NOT (when used outside quotes)
. (period)      any character
- (dash)        space (when used in quotes)
* (asterisk)    wildcard word (when used in quotes)
site: site-specific search
site:gov boobs
site: crawling
site:defcon.org defcon
- use the site: keyword along with the site name for a quick list of potential servers and directories
site: crawling
- use the site: keyword along with a common file extension to find accidental directory listings...
Date Searching
• If you want to limit your results to documents that were published within a specific date range, then you can use the “daterange:” query term to accomplish this. The “daterange:” query term must be in the following format:
• daterange:<start_date>-<end_date> where
• <start_date> = Julian date indicating the start of the date range
• <end_date> = Julian date indicating the end of the date range
• The Julian date is calculated by the number of days since January 1, 4713 BC. For example, the Julian date for August 1, 2001 is 2452122.
• Date Restricted Search example: Star Wars daterange:2452122-2452234
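Worked example added here (not part of the original slides): computing the Julian date that daterange: expects for any calendar date, not only the slide's August 1, 2001, and assembling the query term. It assumes the slide's convention, whose value for August 1, 2001 (2452122) is one below the standard astronomical Julian Day Number for that date (2452123), so the helper subtracts one.

```python
# Added example (not from the original slides): Julian dates for the daterange: term.
from datetime import date  # used only to reject impossible calendar dates

def julian_day_number(year, month, day):
    """Astronomical Julian Day Number of a (proleptic Gregorian) calendar date."""
    date(year, month, day)  # raises ValueError on a date that does not exist
    a = (14 - month) // 12
    y = year + 4800 - a
    m = month + 12 * a - 3
    return (day + (153 * m + 2) // 5 + 365 * y
            + y // 4 - y // 100 + y // 400 - 32045)

def google_julian(year, month, day):
    """Value in the slide's convention. Its example (August 1, 2001 -> 2452122) is one
    below the astronomical JDN (2452123); the offset of -1 is an assumption taken
    from that single example."""
    return julian_day_number(year, month, day) - 1

def daterange_term(start, end):
    """Assemble daterange:<start>-<end> from two (year, month, day) tuples, oldest first."""
    if end < start:
        raise ValueError("end date precedes start date")
    return f"daterange:{google_julian(*start)}-{google_julian(*end)}"

if __name__ == "__main__":
    # The slide's "Star Wars daterange:2452122-2452234" covers Aug 1 to Nov 21, 2001.
    print("Star Wars " + daterange_term((2001, 8, 1), (2001, 11, 21)))
```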
Title searching
If you prepend "intitle:" to a query term, Google search restricts the results to documents containing that word in the title. Note there can be no space between the "intitle:" and the following word.
Title Search (term): intitle:Google search
Note: Putting "intitle:" in front of every word in your query is equivalent to putting "allintitle:" at the front of your query. Starting a query with the term "allintitle:" restricts the results to those with all of the query words in the title.
Title Search (all): allintitle: Google search
INURL: URL Searches
inurl: find the search term within the URL
inurl:admin
inurl:admin users mbox
inurl:admin users passwords
filetype:
filetype:xls “checking account” “credit card”
many more examples coming... patience...
finding interesting stuff
finding OS and web server versions
Windows-based default server
intitle:"Welcome to Windows 2000 Internet Services"
Windows-based default server
intitle:"Under construction" "does not currently have"
Windows NT 4.0
intitle:"Welcome to IIS 4.0"
OpenBSD/Apache (scalp=)
"powered by Apache" "powered by openbsd"
Apache 1.2.6
intitle:"Test Page for Apache" "It Worked!"
Apache 1.3.0 - 1.3.9
intitle:"Test Page for Apache" "It worked!" "this web site!"
Apache 1.3.11 - 1.3.26
"seeing this instead" intitle:"Test Page for Apache"
Apache 2.0
intitle:"Simple page for Apache" "Apache Hook Functions"
Directory Info Gathering
• Some servers, like Apache, generate a server version tag...
Apache Version Info
...which we can harvest for some quick stats...
Apache Version    Number of Servers
1.3.6             119,000
1.3.3             151,000
1.3.14            159,000
1.3.24            171,000
1.3.9             203,000
2.0.39            256,000
1.3.23            259,000
1.3.19            260,000
1.3.12            300,000
[version not recoverable from the extracted text]    353,000
Weird Apache Versions
Esoteric Apache Versions found on Google
query: intitle:"Index of" "Apache/[ver] Server at"
[bar chart: Number of Servers (y-axis, 0 to 80,000) by Apache Version (x-axis); versions shown: 1.3.26+interserver, 1.3.xx, 1.3.23-dev, 1.3.24-dev, 1.3.15-dev, 1.3.21-dev, 2.0.37-dev, 2.0.40-dev, 1.3.4-dev, 1.3.7-dev, 1.2.6, 1.3.17-HOF, 1.3.11, 2.0.28, 2.0.32, 2.0.35, 2.0.36, 1.3.17, 1.3b6, 1.3.0, 1.3.1, 1.3.2, 1.3.4, 2.0.16, 2.0.18; the per-version counts are not recoverable from the extracted text]
Common Apache Versions
Common Apache Versions found on Google
query: intitle:"Index of" "Apache/[ver] Server at"
[bar chart: Number of Servers (y-axis, 0 to 1,000,000) by Apache Server Version (x-axis): 1.3.6, 1.3.9, 1.3.12, 1.3.14, 1.3.20, 1.3.22, 1.3.23, 1.3.24, 1.3.3, 1.3.19, 1.3.26, 2.0.39; bar values range from 119,000 to 896,000]
vulnerability trolling
finding 0day targets...
vulnerability trolling
A new vulnerability hits the streets...
vulnerability trolling
The vulnerability lies in a cgi script called “normal_html.cgi”
vulnerability trolling
212 sites are found with the vulnerable CGI the day the exploit is released.
more interesting stuff...
finding sensitive data in directories and files
Directory Listings
Directory listings are often misconfigurations in the web server.
A directory listing shows a list of files in a directory as opposed to presenting a web page.
Directory listings can provide very useful information.
Directory Example
a query of intitle:”Index of” reveals sites like this one.
The “intitle” keyword is one of the most powerful in the google master’s arsenal...
Directory Example
notice that the directory listing shows the names of the files in the directory.
we can combine our “intitle” search with another search to find specific files available on the web.
intitle:”Index of” .htpasswd
Lots more examples coming. Stick around for the grand finale...
finding interesting stuff
automation: googlescan
Googlescan
With a known set of file-based web vulnerabilities, a vulnerability scanner based on search engines is certainly a reality.
Let’s take a look at a painfully simple example using nothing more than UNIX shell commands...
Googlescan.sh
first, create a file (vuln_files) with the names of cgi programs...
Googlescan.sh
...then, use this shell script...
#!/bin/sh
# start from a clean scratch file
rm -f temp
# one line per cgi name: "<name>|<Google URL searching directory listings for that name>"
awk -F"/" '{print $NF"|http://www.google.com/search?q=intitle%3A%22Index+of%22+"$NF}' vuln_files > queries
for query in `cat queries`
do
  # record name and URL, then fetch the results page and keep only the hit count
  echo -n $query"|" >> temp
  echo $query | awk -F"|" '{print $2}'
  lynx -source `echo $query | awk -F"|" '{print $2}'` |
    grep "of about" |
    awk -F "of about" '{print $2}' |
    awk -F"." '{print $1}' |
    tr -d "</b>[:cntrl:] " >> temp
  echo " " >> temp
done
# turn the "name|url|hits" lines into an html report; the grep -v drops the
# one hit count the author treated as noise
cat temp |
  awk -F"|" '{print "<A HREF=\"" $2 "\">" $1 " (" $3 "hits)</A><BR><BR>"}' |
  grep -v "(1,770,000" > report.html
Googlescan.sh output
...to output an html list of potentially vulnerable or interesting web servers according to Google.
http://johnny.ihackstuff.com/googledorks.shtml
more interesting stuff
Rise of the Robots
“Rise of the Robots”, Phrack 57-10 by Michal Zalewski: autonomous malicious robots powered by public search engines
Search engine crawlers pick up malicious links and follow them, actively exploiting targets
Rise of the Robots: Example
Michal presents the following example links on his
indexed web page:
http://somehost/cgi-bin/script.pl?p1=../../../../attack
http://somehost/cgi-bin/script.pl?p1=;attack
http://somehost/cgi-bin/script.pl?p1=|attack
http://somehost/cgi-bin/script.pl?p1=`attack`
http://somehost/cgi-bin/script.pl?p1=$(attack)
http://somehost:54321/attack?`id`
http://somehost/AAAAAAAAAAAAAAAAAAAAA...
Rise of the Robots: Results
Within Michal’s study, the robots followed all the links as written, including connecting to non-http ports!
The robots followed the “attack links,” performing the attack completely unawares.
Moral: Search engines can attack for you, and store the results, all without an attacker sending a single packet directly to the target.
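Detection example added here (not from the slides or the Phrack article): a pass over web server access log lines that flags requests carrying the traversal and shell metacharacter syntax of the example links above, and notes whether a search engine crawler delivered them, which is the trace a site sees when a robot replays an indexed "attack link". The log lines are constructed for this example and the hostnames are placeholders.

```python
# Added example: find crawler-relayed "attack link" requests in access log lines.
import re
from urllib.parse import unquote

# Combined log format: ip ident user [ts] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
CRAWLER_UA = re.compile(r"googlebot|slurp|msnbot", re.I)
# Traversal and shell metacharacters as they appear in the slide's example links.
ATTACK = re.compile(r"\.\./|[;|`]|\$\(")

def attack_requests(lines):
    """Return one dict per request whose URL-decoded target carries attack syntax,
    with via_crawler set when a crawler user agent made the request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparseable line: skip, do not abort the scan
        target = unquote(m["target"])     # decode %3B, %2E%2E%2F, ... before matching
        if ATTACK.search(target):
            hits.append({"ip": m["ip"], "target": target, "referer": m["referer"],
                         "via_crawler": bool(CRAWLER_UA.search(m["ua"]))})
    return hits

GOOGLEBOT = "Googlebot/2.1 (+http://www.google.com/bot.html)"
SAMPLE_LOG = [  # constructed sample lines; hosts are placeholders
    f'192.0.2.10 - - [10/Aug/2003:10:00:01 +0000] "GET /cgi-bin/script.pl?p1=../../../../attack HTTP/1.0" 404 210 "http://somehost.example/links.html" "{GOOGLEBOT}"',
    f'192.0.2.10 - - [10/Aug/2003:10:00:02 +0000] "GET /cgi-bin/script.pl?p1=%3Battack HTTP/1.0" 200 512 "http://somehost.example/links.html" "{GOOGLEBOT}"',
    f'192.0.2.10 - - [10/Aug/2003:10:00:03 +0000] "GET /cgi-bin/script.pl?p1=hello HTTP/1.0" 200 512 "-" "{GOOGLEBOT}"',
    '198.51.100.7 - - [10/Aug/2003:10:05:00 +0000] "GET /cgi-bin/script.pl?p1=$(attack) HTTP/1.0" 500 0 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for h in attack_requests(SAMPLE_LOG):
        origin = "crawler-relayed" if h["via_crawler"] else "direct"
        print(origin, h["target"], "referer:", h["referer"])
```

The referer on a crawler-relayed hit points at the page where the attack link was planted, which is what to report to the search engine and what to block.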
Prevention
Locking it down
Google’s advice
This isn’t Google’s fault.
Google is very happy to remove references. See http://www.google.com/remove.html.
Follow the webmaster advice found at http://www.google.com/webmasters/faq.html.
My advice
Don’t be a dork. Keep it off the web!
Scan yourself.
Be proactive.
Watch googledorks (http://johnny.ihackstuff.com/googledorks.shtml)
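One way to act on "Scan yourself" without waiting for a search engine to do it, as an added example that is not part of the original slides or of googlescan: walk a web document root and flag files whose names match the index.of queries listed in this deck. The sample tree it builds is constructed for the demonstration; the category names are the example's own.

```python
# Added example: self-scan a document root for the file names the googledork queries target.
import os
import re
import tempfile

# Filename patterns drawn from the queries in this deck, grouped by what they leak.
SENSITIVE = {
    "password file": re.compile(
        r"^(\.?htpasswd(\.bak)?|passwd|master\.passwd|pwd\.db|shadow|"
        r"administrators\.pwd|auth_user_file\.txt|passlist|people\.lst)$"),
    "shell or ssh artifact": re.compile(r"^(\.bash_history|known_hosts|dead\.letter)$"),
    "key material": re.compile(r"^secring\.pgp$"),
    "config likely to hold credentials": re.compile(r"^(ws_ftp\.ini|config\.php)$"),
}

def scan_docroot(docroot):
    """Return sorted (relative posix path, category) pairs for every flagged file."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            for category, pattern in SENSITIVE.items():
                if pattern.match(name):
                    rel = os.path.relpath(os.path.join(dirpath, name), docroot)
                    hits.append((rel.replace(os.sep, "/"), category))
    return sorted(hits)

def build_sample_docroot():
    """Create a constructed document root in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="docroot_")
    for rel in ("index.html", "images/logo.png", "backup/.htpasswd",
                "backup/htpasswd.bak", "etc/passwd", "dev/config.php",
                "admin/.bash_history"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root

if __name__ == "__main__":
    for rel, category in scan_docroot(build_sample_docroot()):
        print(f"{category}: {rel}")
```

Point it at the real document root of each server you operate; anything it lists is a candidate for removal or for an access control that a crawler cannot pass.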
Finally....
The Grand Finale!
intitle:index.of test-cgi
intitle:index.of page.cfm (exploitable by passing invalid ?page_id=)
intitle:index.of dead.letter
intitle:index.of pwd.db passwd -pam.conf
intitle:index.of master.passwd
intitle:index.of..etc passwd
intitle:index.of passwd
intitle:"Index.of..etc" passwd
intitle:index.of auth_user_file.txt
intitle:index.of ws_ftp.ini
intitle:index.of administrators.pwd
intitle:index.of people.lst
intitle:index.of passlist
intitle:index.of .htpasswd
intitle:index.of “.htpasswd” htpasswd.bak
intitle:index.of secring.pgp
intitle:index.of..etc hosts
intitle:Index.of etc shadow
filetype:xls username password email
intitle:index.of config.php
social security numbers
how about a few names and SSN’s?
social security numbers II
How about a few thousand names and SSN’s?
social security numbers III
How about a few thousand more names and SSN’s?
Final words...
other google press..
“Mowse: Google Knowledge: Exposing Sensitive data with Google”
http://www.digivill.net/~mowse/code/mowse-googleknowledge.pdf
“Autism: Using google to hack”
www.smart-dev.com/texts/google.txt
“Google hacking”:
https://www.securedome.de/?a=actually%20report (German)
“Google: Net Hacker Tool du Jour”
http://www.wired.com/news/infostructure/0,1377,57897,00.html
EOF
<plug> Watch googleDorks. </plug>
Questions?
Contact Me / Get stuff:
http://johnny.ihackstuff.com
[email protected]
Special Thanks to j3n, m@c, tr3 and p3@nut! =)