Information Gathering With Google
Maximiliano Soler | e-Mail: | Twitter: @maxisoler
c0c0n 2010 @ Kochi, India
Presentation
Who am I?
Maximiliano Soler, Security Researcher & Enthusiast. Currently working as
Security Administrator at an international bank. I have discovered
vulnerabilities in various web applications and Microsoft products.
Also working as a Security Consultant on several projects: OWASP,
WASSEC, Security-Database and Zero Science Lab.
Fan of open standards such as CVE, CWE, OVAL, CCE.
Objective of the Talk
Demonstrate the variety of information that can be reached without any
sophisticated mechanism, using tools available to anyone.
From the browser to our target: gathering the information needed to carry
out the attack.
General Information
Why Google?
» It only returns pages that contain all the terms you entered.
» It takes into account where on the page the search terms appear.
» It shows a useful snippet of each result.
» It keeps a cached copy of the web pages it indexes.
Information Ga…what?
A large part of the process of hacking or compromising systems consists of
gathering information.
Without proper research into which services, ports, applications or web
servers are running, carrying out the attack or gaining access to the
target system would take a great deal of time.
The technique is considered a passive activity: it does not involve
intruding on or manipulating the target, so the target does not see it.
(It stays passive only as long as you read Google's index and cache;
opening a result sends a request to the target's own server, with a Google
referrer in it.)
This information can be obtained from public resources, by running
utilities such as Whois, NSLookup, NetCraft or DNS Reports, or simply by
searching the web manually.
Stages of Information Gathering
01 - Gathering information
02 - Locating the network range
03 - Identifying active machines
04 - Finding open ports and applications
05 - Detecting operating systems
06 - Fingerprinting services
07 - Mapping the network
Source: Certified Ethical Hacker, EC Council
Stages of Information Gathering
Gather information about the target.
Identify vulnerabilities.
Exploit vulnerabilities.
got r00t?
Using Google
Dorks / Search Operators
What are they?
Google's search operators are query terms or symbols that perform special
actions. They let you narrow down what you are looking for quickly and
precisely, offering more control than the Advanced Search page does.
How do they work?
Quotation marks "": tell Google to search for an exact phrase of two or more words, by writing the terms between quotation marks.
Example: "c0c0n 2010".
Asterisk "*": acts as a wildcard for one or more words, broadening the search.
Example: "c0c0n *".
AND: by default Google combines all the words you enter with AND, so a search that specifies no operator gives the same result as one that uses AND explicitly.
Example: "c0c0n AND security conference".
Operator "-" (a plain hyphen): excludes results from the search. It goes immediately before the term to exclude, with no space.
Example: "c0c0n -Hacking".
OR or the symbol "|": the two terms do not both have to appear in each result; a page that contains either one matches. Write OR between the terms it should apply to.
Example: "c0c0n OR Security Conference".
Operator "~": also searches for synonyms of a term.
Example: "~Security".
Ranges "num1..num2": matches any number between the two values, so if the start of a range is known you can search up to a given number.
Example: "72.14.253.104..255".
Several operators can be combined logically by grouping them in parentheses.
inanchor:  allinanchor:
intext:    allintext:
intitle:   allintitle:
inurl:     allinurl:
link:      cache:
filetype:  define:
phonebook: related:
info:      site:
id:
Several of these have since been retired by Google (~, phonebook:, link:, info:/id: and, in 2024, cache:); the operators that carry the examples in this talk, site:, inurl:, intitle:, intext: and filetype:, still work.
The operators this talk relies on most: intitle:, site:, inurl:, filetype:
inanchor: only shows pages whose keyword(s) appear in the anchor text of links pointing to them (based on backlinks / external links).
allinanchor: like the previous one, but every search term must appear in the anchor text.
intext: only shows pages that have the keyword(s) in the body of the page.
allintext: only shows pages that have all of the keywords in the body of the page.
intitle: only shows pages that have the keyword(s) in the page title.
allintitle: every search term must appear in the title.
inurl: only shows pages that have the keyword(s) in the URL.
allinurl: every search term must appear in the URL.
link: shows pages that link to a given URL.
cache: shows Google's cached copy of a page.
define: shows definitions for a term.
related: shows web pages similar to a given one.
phonebook: searches public telephone listings: name, address, telephone numbers.
info: or id: shows the information Google holds about a site or web resource.
filetype: filters results by file type (pdf, ppt, doc, txt, etc.).
site: shows the pages Google has indexed for a domain or subdomain. Whether or not you write the "www" decides whether other subdomains are included: site:example.com covers every host under that domain, while site:www.example.com is restricted to that single host.
And now... what can we find?!
» Vulnerable products.
» Error messages.
» Files that contain sensitive information.
» Files that contain passwords.
» Files that contain usernames.
» Footholds and information that supports access.
» Pages with login forms.
» Pages that contain vulnerability-related data.
» Sensitive directories.
» Sensitive information on e-commerce and e-banking.
» Hardware devices online.
» Vulnerable files.
» Vulnerable servers.
» Detection of web servers.
Maybe this is your face after seeing all the information we can find.
» Vulnerable products
From published vulnerability advisories we can identify vulnerable
servers, generally by matching the version they expose.
inurl:gov.ar + intext:phpinfo
A phpinfo() page discloses the PHP version, loaded modules, file system paths and environment variables, which is exactly what is needed to match a host against an advisory.
» Error messages
Error messages often give valuable information about how the
applications/scripts are executed and which database user they run as.
intext:"access denied for user" "using password" inurl:gov.ar
This is MySQL's authentication error; it leaks the database username and the host it connects from, and says whether a password was supplied.
» Files that contain sensitive information
No usernames or passwords, but interesting and useful information all the same.
inurl:gov.ar inurl:robots.txt
robots.txt is not access control: it only asks crawlers to stay away, every path it lists is still public, and it usually reads as a map of exactly what the administrator did not want found.
» Files that contain passwords
And yes, passwords! As easy as searching for them. :-D
inurl:gov.ar + inurl:config.xml
» Files that contain usernames
Files that contain usernames, without passwords.
inurl:admin inurl:userlist
» Foot-holds and support information to the access
A simple way to gain access: looking for unprotected files.
intitle:"PHP Shell *" "Enable stderr" filetype:php
This finds web shells left behind on servers that were already compromised; a shell someone installed without any authentication is a foothold for whoever finds it next.
» Pages with access forms
The typical login pages: portals, blogs, or any system that is
administered via the web.
inurl:gov.ar inurl:wp-login.php
» Pages that contain relative data to vulnerabilities
Interesting information: firewall logs, vulnerability reports, running
services and much more.
intitle:"Nessus Scan Report" "This file was generated by Nessus"
» Sensitive directories
Depending on the case we will find more or less sensitive information.
A general-purpose search.
inurl:backup intitle:index.of inurl:admin
intitle:index.of matches the "Index of /" title that a web server's default directory listing produces (Google treats the period as a word separator), so the hits are directories with browsing left enabled.
» Sensitive information on e-commerce and e-banking
Where do you buy and what do you buy? Information about customers,
sellers and purchase orders, and exposed e-commerce back ends.
inurl:"shopadmin.asp" "Shop Administrators only"
SecurityTracker Alert ID: 1004384
» Hardware devices online
The possibility of administering printers and video cameras, spying on
others, etc.
intitle:"EverFocus EDSR Applet"
What is the default login?! YES, it works! Embedded devices ship with documented default credentials, and many are never changed.
» Vulnerable files
A lot of vulnerable files, within a click's reach.
intext:"File Upload Manager v1.3" "rename to"
» Vulnerable servers
Different ways into servers: default installations, scripts left
unconfigured.
intitle:"Remote Desktop Web Connection"
» Detection of Web Servers
Identify vulnerable servers by version, default access, help
documents, logins, etc.
intext:"Microsoft-IIS/5.0 server at" inurl:gov.*
Looking for the Code
Google provides a simple way of finding vulnerabilities in software:
with Google Code Search we can search source code for vulnerable
patterns, expressed as regular expressions.
http://www.google.com/codesearch
(Google Code Search was shut down in January 2012. The patterns below are
ordinary regular expressions, so the same searches can be run locally with
grep or any other code-search tool.)
JavaServer Pages (.jsp) Cross Site Scripting
<%=.*getParameter
JavaServer Pages (.jsp) SQL Injection
executeQuery.*getParameter
PHP - Cross Site Scripting
lang:php (print\(|echo)\s\$_(GET|REQUEST)
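The three patterns above are plain regular expressions, so they can be run without Google Code Search. The following is an added example (mine, not part of the slides) that applies them with Python's re module to two constructed source files; the JSP and PHP snippets are made up for the demonstration, not code from any project. Running it shows what these one-line dorks are and are not: line-oriented matches that flag an already-escaped `<%= escapeHtml(...) %>` exactly like the raw one, miss an `executeQuery()` whose `getParameter()` call sits on the previous line, and, because the PHP pattern demands whitespace after `print(`, skip `print($_REQUEST[...])` while catching `print( $_REQUEST[...])`.

```python
"""Run the talk's three Google Code Search patterns over local source files.

Added example, not part of the original slides: Google Code Search no longer
exists, so the same regular expressions are applied with Python's re module.
The JSP and PHP snippets below are constructed for the demo, not real code.
"""
import re

# The three patterns exactly as they appear on the slides.
PATTERNS = {
    "jsp-xss": re.compile(r"<%=.*getParameter"),
    "jsp-sqli": re.compile(r"executeQuery.*getParameter"),
    "php-xss": re.compile(r"(print\(|echo)\s\$_(GET|REQUEST)"),
}

# Constructed sample sources (an assumption for the demo, not from any project).
SAMPLES = {
    "search.jsp": (
        '<html>\n'
        '<%= request.getParameter("q") %>\n'                                   # reflected raw: true positive
        '<%= StringEscapeUtils.escapeHtml(request.getParameter("name")) %>\n'  # escaped: still matches (false positive)
        '<% String id = request.getParameter("id");\n'                         # tainted value assigned here...
        '   ResultSet rs = stmt.executeQuery("SELECT * FROM t WHERE id=" + id); %>\n'  # ...used here: missed (false negative)
        '<% ResultSet rs2 = stmt.executeQuery("SELECT 1 WHERE x=" + request.getParameter("x")); %>\n'  # same line: caught
    ),
    "view.php": (
        '<?php\n'
        "echo $_GET['page'];\n"                    # caught
        'print($_REQUEST["msg"]);\n'               # missed: the pattern demands whitespace after print(
        'print( $_REQUEST["msg"]);\n'              # caught
        "echo htmlspecialchars($_GET['safe']);\n"  # not matched: $_ does not follow the space
        "echo $_POST['comment'];\n"                # not matched: the pattern covers only GET and REQUEST
    ),
}


def scan(sources, patterns=PATTERNS):
    """Return (filename, line_no, pattern_name, line) for every line a pattern matches.

    Matching is per line, just as the one-line Code Search dorks were, which is
    what produces the false negative across search.jsp lines 4 and 5.
    """
    hits = []
    for name, text in sources.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for pat_name, pat in patterns.items():
                if pat.search(line):
                    hits.append((name, line_no, pat_name, line.strip()))
    return hits


def summarize(hits):
    """Count hits per pattern name."""
    counts = {}
    for _, _, pat_name, _ in hits:
        counts[pat_name] = counts.get(pat_name, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan(SAMPLES)
    for fname, line_no, pat_name, line in results:
        print(f"{fname}:{line_no} [{pat_name}] {line}")
    print(summarize(results))
```

Every hit is a triage lead, not a confirmed bug: the regexes know nothing about escaping, prepared statements or data flow between lines, so the results still need a human to look at the surrounding code.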
Playing with the API of Google
What are the APIs?
API stands for Application Programming Interface: the methods that the developer of an application exposes so that other developers can build on that application.
With which programming languages can I use Google's APIs?
Developers can send requests to Google from several languages, such as Java, Perl or Visual Studio .NET, among others.
What applications can I build with Google's APIs?
A great many: both web applications and classic desktop programs.
How do Google's APIs work?
The applications written by developers connect to Google's API web service. The communication uses SOAP (Simple Object Access Protocol), an XML-based protocol for exchanging information between applications. (Google's SOAP Search API was deprecated in 2006 and switched off in 2009, which is why the tools below make a point of not needing it.)
Tools and Utilities
Gooscan v1.0
Gooscan automates queries to Google. Conceived as a CGI scanner, it never talks to the target directly; it is Google that answers.
Features
» Developed in C.
» Dorks can be added or removed.
» Automated searches may violate Google's Terms of Use.
http://security-sh3ll.blogspot.com/2008/11/gooscan-automated-google-hacking-tool.html
SiteDigger v3.0
SiteDigger searches Google's cache for vulnerabilities, errors, default configurations and other security-related information about a website.
Features
» Improved user interface, signature updates and results page.
» Does not require the Google API.
» Proxy and Tor support.
» Real-time results.
» Signature updates.
» Signatures and configuration can be saved.
» Requires: Microsoft .NET Framework v3.5
http://www.foundstone.com/us/resources/proddesc/sitedigger.htm
Athena v2.0
Uses XML files that hold the searches and can be customized. It works the same way a web browser does.
Features
» Compatible with SiteDigger.
» XML files can be edited.
» Does not use the Google API.
» One search at a time.
» Requires: Microsoft .NET Framework v1.1
http://snakeoillabs.com/wordpress/2004/11/07/athena-20-is-go/
ProminentDork v1.0
Oriented to fuzzing and to finding SQLi, XSS, LFI and RFI through Google.
Features
» Developed in C#, GNU license.
» Multiple queries.
» GHDB support.
» Proxy support.
» Recognizes the CAPTCHA.
http://prominentsecurity.com
Advanced Dork (Firefox Addon)
A Firefox extension that makes more than 15 dorks available quickly and easily from a context menu.
https://addons.mozilla.org/en-US/firefox/addon/2144/
Social Engineering
Raising the game
We can discover information about the administrators and the environment they work in:
» Technologies in use, via job postings.
» Level of knowledge, via technical publications.
» Hobbies.
» Skills.
» Friends, via social networks such as Facebook, LinkedIn, Google/Yahoo! Groups.
» Or even... a personal telephone number ;-)
Recommendations
» Harden the servers and the web applications in use.
» Test and roll out the latest available updates under a security policy.
» Disable directory browsing (in Apache, Options -Indexes; in nginx, autoindex is off by default).
» Do not publish sensitive information without authentication. robots.txt is not a substitute: it is public, and the inurl:robots.txt example above shows it being read as a map.
» Analyze the searches that lead to our websites by reviewing the HTTP logs: the Referer header tells you which requests came from Google.
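The last recommendation is the one that can be automated. The following is an added example (mine, not from the slides) that parses Apache/nginx combined-format access log lines, pulls the Google query out of the Referer header where one is present, and flags two signals: a referrer query containing dork operators, and a Google-referred request landing on a path that should never have been indexed. The log lines, the operator list and the sensitive-path list are constructed for the demonstration and are assumptions; the paths are lifted from the dorks shown earlier in the talk. When the talk was given, Google's referrer carried the full query in q=; today it is usually a bare https://www.google.com/, so the second signal is the one that still fires on current logs.

```python
"""Find Google-driven reconnaissance in web server access logs.

Added example, not part of the original slides. It parses Apache/nginx
combined-format log lines, extracts the Google query from the Referer header
where one is present, and flags (a) referrer queries that contain dork
operators and (b) Google-referred requests for paths that should never have
been indexed. The log lines, the operator list and the sensitive-path list
are constructed for the demo and are assumptions, not data from the talk.
"""
import re
from urllib.parse import urlsplit, parse_qs

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
GOOGLE_HOST_RE = re.compile(r"(www\.)?google\.[a-z.]+")

# Operators from the talk that almost never appear in an ordinary visitor's query.
DORK_OPERATORS = ("inurl:", "intitle:", "intext:", "allinurl:", "allintitle:", "filetype:", "site:", "index.of")
# Path fragments taken from the dorks shown earlier in the talk (assumed list).
SENSITIVE_PATHS = ("robots.txt", "config.xml", "wp-login.php", "phpinfo", "/backup", "userlist", "shopadmin.asp")

# Constructed sample log (combined log format); addresses are from documentation ranges.
SAMPLE_LOG = [
    # Ordinary visitor from a normal search: not flagged.
    '203.0.113.5 - - [10/Aug/2010:10:12:01 +0530] "GET /index.php HTTP/1.1" 200 5120 '
    '"http://www.google.com/search?q=c0c0n+2010" "Mozilla/5.0"',
    # 2010-style referrer carrying the dork itself.
    '198.51.100.7 - - [10/Aug/2010:10:13:44 +0530] "GET /robots.txt HTTP/1.1" 200 230 '
    '"http://www.google.com/search?q=inurl%3Agov.ar+inurl%3Arobots.txt" "Mozilla/5.0"',
    # Present-day-style referrer with no query, landing straight on a file Google should never have indexed.
    '198.51.100.7 - - [10/Aug/2010:10:14:02 +0530] "GET /admin/config.xml HTTP/1.1" 200 1910 '
    '"https://www.google.com/" "Mozilla/5.0"',
    # Direct request with no referrer: out of scope for this check.
    '192.0.2.9 - - [10/Aug/2010:10:15:30 +0530] "GET /wp-login.php HTTP/1.1" 200 2300 "-" "curl/7.21.0"',
    # Country domain, dork in the query, login page as the target.
    '198.51.100.7 - - [10/Aug/2010:10:16:10 +0530] "GET /wp-login.php HTTP/1.1" 200 2300 '
    '"http://www.google.co.in/search?q=inurl%3Awp-login.php+site%3Aexample.gov.ar" "Mozilla/5.0"',
]


def google_query(referer):
    """Return the decoded q= parameter if the referer is a Google search page.

    Returns "" for a Google referrer that carries no query (the usual case
    today, since Google stopped passing the search terms) and None for
    anything that is not Google at all, so callers can tell the two apart.
    """
    if not referer or referer == "-":
        return None
    parts = urlsplit(referer)
    if not GOOGLE_HOST_RE.fullmatch(parts.hostname or ""):
        return None
    return parse_qs(parts.query).get("q", [""])[0]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines):
    """Return one finding per Google-referred request that trips a rule."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        query = google_query(rec["referer"])
        if query is None:
            continue  # not referred by Google
        reasons = []
        if any(op in query.lower() for op in DORK_OPERATORS):
            reasons.append("dork-operators-in-query")
        if any(frag in rec["path"].lower() for frag in SENSITIVE_PATHS):
            reasons.append("google-referred-sensitive-path")
        if reasons:
            findings.append({"ip": rec["ip"], "path": rec["path"], "query": query, "reasons": reasons})
    return findings


def top_sources(findings):
    """Count findings per client IP: one address hitting several dorked paths is the real signal."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f"{f['ip']} {f['path']} q={f['query']!r} {', '.join(f['reasons'])}")
    print(top_sources(found))
```

A Google referral to /admin/config.xml is useful twice over: it tells you an attacker found the file, and it tells you Google already has it indexed (and cached), so the fix is to remove or protect the file on the server and then request removal from Google's index, not just one of the two.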
What do we do if we discover that Google is indexing sensitive information?!
First remove or protect the content on our own server (otherwise it will simply be re-indexed), then notify Google so they remove it from their index and cache:
http://www.google.com/remove.html
Conclusions
» Information Gathering is a very useful technique. :-)
» Files with sensitive information stay in Google's cache even after they have been deleted from the web servers.
» Use Google dorks to see what information about our own websites can be found in Google.
» Learn and understand the techniques and tools discussed.
» Security through obscurity does not exist!
Accepting our vulnerability instead of trying to hide it is the best way to adapt to reality.
Recommended Websites
Google Guide - http://www.googleguide.com/
Dirson - http://google.dirson.com
Official Google Blog (This Week in Search) - http://googleblog.blogspot.com/
Google Help: Cheat Sheet - http://www.google.com/help/cheatsheet.html
Google Hacking Database (Johnny) - http://www.hackersforcharity.org/ghdb/
Gooscan v1.0 - http://security-sh3ll.blogspot.com/2008/11/gooscan-automated-google-hacking-tool.html
SiteDigger v3.0 - http://www.foundstone.com/us/resources/proddesc/sitedigger.htm
ProminentDork v1.0 - http://prominentsecurity.com/?p=91
Athena 2.0 - http://snakeoillabs.com/wordpress/2004/11/07/athena-20-is-go/
Advanced Dork (Firefox Addon) - https://addons.mozilla.org/en-US/firefox/addon/2144/
Questions…
Thank you!!
Maximiliano Soler | e-Mail: | Twitter: @maxisoler