Google as a Hacking Tool
Download as PPT, PDF1 like78,604 views
The document describes an upcoming security conference titled "First Improvised Security Testing Conference" to be held on August 8th, 2003 in Madrid. It then provides details about a talk to be given by speaker Vicente Aceituno titled "Advanced Google Searching: Google as a hacking tool". The talk will cover various advanced search techniques using Google to find vulnerable servers, files, and other useful information for security testing purposes. These techniques include directory listings, common default pages, language translations, and the potential use of autonomous "robots" to identify targets.
![Esoteric Apache
Versioning
Esoteric Apache Versions found on Google
query: intitle:"Index of" "Apache/[ver] Server at"
Number of Servers
80000 69,300
64,200 65,000
70000 60,500 62,900
60000 45,200
50000
40000
27,300
30000
20000 9,400
10000 33 30 245 310 5 207 93 74 61 3 9 20 2 1 30 474
,1
1 20
,1
739
0
1.3.26+interserver
1.3.xx
1.3.4-dev
1.3.7-dev
2.0.40-dev
1.3.15-dev
1.3.21-dev
1.3.23-dev
1.3.24-dev
2.0.37-dev
1.3.17-HOF
1.2.6
1.3.0
1.3.1
1.3.2
1.3.4
1.3.11
1.3.17
2.0.16
2.0.18
2.0.28
2.0.32
2.0.35
2.0.36
1.3b6
Ap a c h e V e r s io n](https://image.slidesharecdn.com/googleasahackingtool-130215135518-phpapp01/85/Google-as-a-Hacking-Tool-28-320.jpg)
![Common Apache
Versioning
Common Apache Versions found on Google
query: intitle:"Index of" "Apache/[ver] Server at"
1.000.000,00 896.000
Number of Servers
800.000,00
600.000,00 495.000
353.000
400.000,00 300.000
260.000 259.000 256.000
159.000 171.000 151.000 203.000
200.000,00 119.000
0,00
1.3.12
1.3.14
1.3.19
1.3.20
1.3.22
1.3.23
1.3.24
1.3.26
2.0.39
1.3.3
1.3.6
1.3.9
Apache Server Version](https://image.slidesharecdn.com/googleasahackingtool-130215135518-phpapp01/85/Google-as-a-Hacking-Tool-29-320.jpg)
![Googlescan.sh
rm temp
awk -F"/"
'{print $NF"|http://www.google.com/search?q=
intitle%3A%22Index+of%22+"$NF}' vuln_files > queries
for query in `cat queries`
do
echo -n $query"|" >> temp
echo $query | awk -F"|" '{print $2}'
lynx -source `echo $query | awk -F"|" '{print $2}'` |
grep "of about" |
awk -F "of about" '{print $2}' |
awk -F"." '{print $1}' |
tr -d "</b>[:cntrl:] " >> temp
echo " " >> temp
Done
cat temp |
awk -F"|" '{print "<A HREF="" $2 "">" $1 " (" $3 "hits)
</A><BR><BR>"}' | grep -v "(1,770,000" > report.html](https://image.slidesharecdn.com/googleasahackingtool-130215135518-phpapp01/85/Google-as-a-Hacking-Tool-43-320.jpg)
Google as a Hacking Tool
- 1. First Improvised Security Testing Conference Madrid, 8th August 2003 Advanced Google Sear ching Google as a hacking tool Author: Johnny Long [email protected] http://johnny.ihackstuff.com Speaker: Vicente Aceituno
- 2. Why Google? Google caches all crawled web pages Google provides instant response Google provides document translations Google provides language translation Google provides web, news, catalog and ftp searches Google is cool
- 3. Index Google Searching Default Web pages Directory listings Finding files Googlescan tools Rise of the Robots Prevention
- 4. Google Searching Google provides a great deal of information about using it’s search engine in it’s fullest capacity. The following tables are copied verbatim from Google’s usage documents
- 5. Basic Searching Special Query Example Query Description Capability If a common word is essential to getting the results you Include Query Star Wars Episode want, you can include it by putting a "+" sign in Term +I front of it. You can exclude a word from your search by putting a Exclude Query bass -music minus sign ("-") immediately in front of the term you Term want to exclude from the search results. Search for complete phrases by enclosing them in quotation marks or connecting them with hyphens. Words marked in this way will appear together in Phrase Search "yellow pages" all results exactly as entered. Note: You may need to use a "+" to force inclusion of common words in a phrase. Google search supports the Boolean "OR" operator. To Boolean OR vacation london OR retrieve pages that include either word A or word Search paris B, use an uppercase OR between terms.
- 6. Filtering/Exclusion The query prefix "filetype:" filters the results returned to include only documents with the extension specified immediately after. Note there can be no space Google filetype:doc OR File Type Filtering between "filetype:" and the specified filetype:pdf extension. Note: Multiple file types can be included in a filtered search by adding more "filetype:" terms to the search query. The query prefix "-filetype:" filters the results to exclude documents with the extension specified immediately after. Google -filetype:doc - Note there can be no space between "- File Type Exclusion filetype:pdf filetype:" and the specified extension. Note: Multiple file types can be excluded in a filtered search by adding more "- filetype:" terms to the search query.
- 7. Filtering site/date If you know the specific web site you want to search but aren’t sure where the information is located within that site, you can use Google to search only within a specific web site. Do this by entering your query followed by the Site Restricted admission site:www.stanford.edu string “site:” followed by the host name. Search Note: The exclusion operator (“-“) can be applied to this query term to remove a web site from consideration in the search. Note: Only one site: term per query is supported. If you want to limit your results to documents that were published within a specific date range, then you can use the “daterange: “ query term to accomplish this. The “daterange:” query term must be in the following format: daterange:<start_date>-<end date> where Date Restricted Star Wars daterange:2452122- <start_date> = Julian date indicating the start of Search 2452234 the date range <end_date> = Julian date indicating the end of the date range The Julian date is calculated by the number of days since January 1, 4713 BC. For example, the Julian date for August 1, 2001 is 2452122.
- 8. Title searching If you prepend "intitle:" to a query term, Google search restricts the results to documents containing that word in the title. Note there can be no space between Title Search (term) intitle:Google search the "intitle:" and the following word. Note: Putting "intitle:" in front of every word in your query is equivalent to putting "allintitle:" at the front of your query. Starting a query with the term "allintitle:" Title Search (all) allintitle: Google search restricts the results to those with all of the query words in the title.
- 9. URL Searches If you prepend "inurl:" to a query term, Google search restricts the results to documents containing that word in the result URL. Note there can be no space between the "inurl:" and the following word. Note: "inurl:" works only on words , not URL components. In particular, it ignores URL Search (term) inurl:Google search punctuation and uses only the first word following the "inurl:" operator. To find multiple words in a result URL, use the "inurl:" operator for each word. Note: Putting "inurl:" in front of every word in your query is equivalent to putting "allinurl:" at the front of your query. Starting a query with the term "allinurl:" restricts the results to those with all of the query words in the result URL. Note: "allinurl:" works only on words, not URL components. In particular, it ignores punctuation. Thus, "allinurl: foo/bar" restricts URL Search (all) allinurl: Google search the results to pages with the words "foo" and "bar" in the URL, but does not require that they be separated by a slash within that URL, that they be adjacent, or that they be in that particular word order. There is currently no way to enforce these constraints.
- 10. Text/Link Searching Starting a query with the term “allintext:” allintext: Google restricts the results to those with all of Text Only Search (all) search the query words in only the body text, ignoring link, URL, and title matches. Starting a query with the term “allinlinks:” allinlinks: Google restricts the results to those with all of Links Only Search (all) search the query words in the URL links on the page.
- 11. Link Searches The query prefix "link:" lists web pages that have links to the specified web page. Note there can be no space between Back Links link:www.google.com "link:" and the web page URL. Note: No other query terms can be specified when using this special query term. The query prefix "related:" lists web pages that are similar to the specified web related:www.google.co page. Note there can be no space Related Links m between "link:" and the web page URL. Note: No other query terms can be specified when using this special query term.
- 12. Translation service Google offers a very nice language translation service.
- 13. Tricks When www.google.com is not available, try www2.google.com or www3.google.com. Reading the google’s cache can prevent filters to know what page are you seeing. You can get the same result we trick an english-to-english translation. http://translate.google.com/translate (main URL) ?u=http://www.defcon.org&langpair=en|en (options)
- 14. Intuitive Google Sear ches Default Web Pages
- 15. Windows-based default server intitle:"Welcome to Windows 2000 Internet Services"
- 16. Windows-based default server intitle:"Under construction" "does not currently have"
- 17. Windows NT 4.0 intitle:“Welcome to IIS 4.0"
- 18. OpenBSD/Apache (scalp=) “powered by Apache” “powered by openbsd"
- 19. Apache 1.2.6 Intitle:”Test Page for Apache” “It Worked!”
- 20. Apache 1.3.0 – 1.3.9 Intitle:”Test Page for Apache” “It worked!” “this web site!”
- 21. Apache 1.3.11 - 1.3.26 "seeing this instead" intitle:"Test Page for Apache"
- 22. Apache 2.0 Intitle:”Simple page for Apache” “Apache Hook Functions”
- 23. Apache Version Info Apache Number of Version Servers 1.3.6 119,000.00 1.3.3 151,000.00 1.3.14 159,000.00 1.3.24 171,000.00 Google told 1.3.9 203,000.00 us all this. 2.0.39 256,000.00 We’ll discuss 1.3.23 259,000.00 how in the next section. 1.3.19 260,000.00 1.3.12 300,000.00 1.3.20 353,000.00 1.3.22 495,000.00 1.3.26 896,000.00
- 25. Directory Listings Directory listings are often misconfigurations in the web server. A directory listing shows a list of files in a directory as opposed to presenting a web page. Directory listings can provide very useful information.
- 26. Directory Example Intitle:”Index of” This query serves as the basis for all directory searches…
- 27. Directory Info Gathering Some servers, like Apache, generate a server version tag.
- 28. Esoteric Apache Versioning Esoteric Apache Versions found on Google query: intitle:"Index of" "Apache/[ver] Server at" Number of Servers 80000 69,300 64,200 65,000 70000 60,500 62,900 60000 45,200 50000 40000 27,300 30000 20000 9,400 10000 33 30 245 310 5 207 93 74 61 3 9 20 2 1 30 474 ,1 1 20 ,1 739 0 1.3.26+interserver 1.3.xx 1.3.4-dev 1.3.7-dev 2.0.40-dev 1.3.15-dev 1.3.21-dev 1.3.23-dev 1.3.24-dev 2.0.37-dev 1.3.17-HOF 1.2.6 1.3.0 1.3.1 1.3.2 1.3.4 1.3.11 1.3.17 2.0.16 2.0.18 2.0.28 2.0.32 2.0.35 2.0.36 1.3b6 Ap a c h e V e r s io n
- 29. Common Apache Versioning Common Apache Versions found on Google query: intitle:"Index of" "Apache/[ver] Server at" 1.000.000,00 896.000 Number of Servers 800.000,00 600.000,00 495.000 353.000 400.000,00 300.000 260.000 259.000 256.000 159.000 171.000 151.000 203.000 200.000,00 119.000 0,00 1.3.12 1.3.14 1.3.19 1.3.20 1.3.22 1.3.23 1.3.24 1.3.26 2.0.39 1.3.3 1.3.6 1.3.9 Apache Server Version
- 31. test-cgi Intitle:”Index of” test-cgi
- 32. ws_ftp.log Intitle:”Index of” ws_ftp.log
- 33. Secring.pgp Intitle:”Index of” secring.php
- 34. config.php Intitle:”Index of” config.php
- 35. administrators.pwd Intitle:”Index of” administrators.pwd
- 36. ws_ftp.ini Intitle:”Index of” ws_ftp.ini Tip: Got to http://www.hispasec.com/directorio/laboratorio/Software/ws_ftp.html
- 37. .htpasswd Intitle:”Index of” .htpasswd
- 38. .htpasswd Intitle:”Index of” .htpasswd
- 39. /etc/shadow Intitle:”Index of” etc shadow
- 41. Googlescan With a known set of file-based web vulnerabilities, a vulnerability scanner based on search engines is certainly a reality.
- 42. Googlescan … /scancfg.cgi /cgi-bin/CrazyWWWBoard.cgi Armed with a list /cgi-bin/pals-cgi of cgi exploits /ROADS/cgi-bin/search.pl from any /way-board/way-board.cgi common CGI /cgi-bin/replicator/webpage.cgi scanner… /cgi-bin/auktion.pl /cgi-bin/webspirs.cgi /cgi-bin/ipf/etc/gfw/ui/pwd.dat /cgi-bin/hsx.cgi /cgi-bin/mailnews.cgi /cgi-bin/adcycle /cgi-bin/post-query /cgi-bin/ikonboard/help.cgi /cgi-bin/webspirs.cgi …
- 43. Googlescan.sh rm temp awk -F"/" '{print $NF"|http://www.google.com/search?q= intitle%3A%22Index+of%22+"$NF}' vuln_files > queries for query in `cat queries` do echo -n $query"|" >> temp echo $query | awk -F"|" '{print $2}' lynx -source `echo $query | awk -F"|" '{print $2}'` | grep "of about" | awk -F "of about" '{print $2}' | awk -F"." '{print $1}' | tr -d "</b>[:cntrl:] " >> temp echo " " >> temp Done cat temp | awk -F"|" '{print "<A HREF="" $2 "">" $1 " (" $3 "hits) </A><BR><BR>"}' | grep -v "(1,770,000" > report.html
- 44. Googlescan.sh A simple shell script presents an html- formatted list of potentially vulnerable or interesting web servers.
- 48. Advanced Techniques Rise of the Robots
- 49. Rise of the Robots Michal Zalewski wrote a great article for Phrack (57/10) which presented the idea of the use of autonomous search robots in server exploitation
- 50. Rise of the Robots “Consider a remote exploit that is able to compromise a remote system without sending any attack code to his victim. Consider an exploit which simply creates local file to compromise thousands of computers, and which does not involve any local resources in the attack. Welcome to the world of zero-effort exploit techniques. Welcome to the world of automation, welcome to the world of anonymous, dramatically difficult to stop attacks resulting from increasing Internet complexity.” –Michal Zalewski
- 51. The Concept Web robots crawl a web page indexing files it is allowed to find. Any links that are found on the indexed pages are followed as well. Instead of standard web links, create a payload of “exploit” links for the crawlers to consume.
- 52. Simple Example Michal presents the following example links on his indexed web page: http://somehost/cgi-bin/script.pl?p1=../../../../attack http://somehost/cgi-bin/script.pl?p1=;attack http://somehost/cgi-bin/script.pl?p1=|attack http://somehost/cgi-bin/script.pl?p1=`attack` http://somehost/cgi-bin/script.pl?p1=$(attack) http://somehost:54321/attack?`id` http://somehost/AAAAAAAAAAAAAAAAAAAAA...
- 53. Simple Example The robots followed all the links as written, including connecting to non-http ports. The robots followed the “attack links,” performing the attack completely unaware.
- 54. Think Big Michael goes on to postulate that randomly generated, massive lists would cause much more of a problem. A simple PERL or CGI script randomly generating attack links in the thousands and teens of thousands would create a huge problem! Who would be liable?
- 55. Google doesn’t stop Tomorrow there will be even more sofisticated features…try this: http://labs1.google.com/cgi-bin/gviewer.cgi?q= intitle%3Aindex.of.private&delay=8&start=0 http://labs.google.com/sets?hl=en&q1=password& passwd&q3=shadow&q4=etc&q5=&btn =Large+Set
- 56. Pr evention Locking it down
- 57. Advice Google says it isn’t Google’s fault. Google is very happy to remove references. See http://www.google.com/remove.html. Follow the webmaster’s advice found at http://www.google.com/webmasters/ Get smarter.
- 58. /misc: “Google Hacks” There is this book. And it’s an O’REILLY book. But it’s not about hacking. It’s about searching.
- 59. Google Hotspots Google APIs: http://www.google.com/apis/ Google voice search: http://labs.google .com/gvs.html Google sets: http://labs.google.com/sets Google catalog search: http://catalogs. google.com/ Google news search: http://news.google .com Google weblog: http://google.blogspace .com/
- 60. EOF Watch googleDorks. Questions?
Editor's Notes
- #47: Esta herramienta usa búsquedas de palabras individuales en un dominio determinado.