Google as a hacking tool

Advanced Google Searching: Google as a hacking tool. Author: Johnny Long, johnny@ihackstuff.com, http://johnny.ihackstuff.com. Speaker: Vicente Aceituno. First Improvised Security Testing Conference, Madrid, 8th August 2003. 60 slides.


TRANSCRIPT

Page 1: Google as a Hacking Tool

Advanced Google Searching: Google as a hacking tool

Author: Johnny Long, johnny@ihackstuff.com

http://johnny.ihackstuff.com

Speaker: Vicente Aceituno

First Improvised Security Testing Conference

Madrid, 8th August 2003

Page 2: Google as a Hacking Tool

Why Google?

Google caches all crawled web pages
Google provides instant response
Google provides document translations
Google provides language translation
Google provides web, news, catalog and ftp searches
Google is cool

Page 3: Google as a Hacking Tool

Index

Google Searching
Default Web pages
Directory listings
Finding files
Googlescan tools
Rise of the Robots
Prevention

Page 4: Google as a Hacking Tool

Google Searching

Google provides a great deal of information about using its search engine to its fullest capacity.

The following tables are copied verbatim from Google's usage documents.

Page 5: Google as a Hacking Tool

Basic Searching

Special Query Capability | Example Query | Description

Include Query Term | Star Wars Episode +I | If a common word is essential to getting the results you want, you can include it by putting a "+" sign in front of it.

Exclude Query Term | bass -music | You can exclude a word from your search by putting a minus sign ("-") immediately in front of the term you want to exclude from the search results.

Phrase Search | "yellow pages" | Search for complete phrases by enclosing them in quotation marks or connecting them with hyphens. Words marked in this way will appear together in all results exactly as entered. Note: You may need to use a "+" to force inclusion of common words in a phrase.

Boolean OR Search | vacation london OR paris | Google search supports the Boolean "OR" operator. To retrieve pages that include either word A or word B, use an uppercase OR between terms.

Page 6: Google as a Hacking Tool

Filtering/Exclusion

File Type Filtering | Google filetype:doc OR filetype:pdf | The query prefix "filetype:" filters the results returned to include only documents with the extension specified immediately after. Note there can be no space between "filetype:" and the specified extension. Note: Multiple file types can be included in a filtered search by adding more "filetype:" terms to the search query.

File Type Exclusion | Google -filetype:doc -filetype:pdf | The query prefix "-filetype:" filters the results to exclude documents with the extension specified immediately after. Note there can be no space between "-filetype:" and the specified extension. Note: Multiple file types can be excluded in a filtered search by adding more "-filetype:" terms to the search query.

Page 7: Google as a Hacking Tool

Filtering site/date

Site Restricted Search | admission site:www.stanford.edu | If you know the specific web site you want to search but aren't sure where the information is located within that site, you can use Google to search only within a specific web site. Do this by entering your query followed by the string "site:" followed by the host name. Note: The exclusion operator ("-") can be applied to this query term to remove a web site from consideration in the search. Note: Only one site: term per query is supported.

Date Restricted Search | Star Wars daterange:2452122-2452234 | If you want to limit your results to documents that were published within a specific date range, then you can use the "daterange:" query term to accomplish this. The "daterange:" query term must be in the following format:

daterange:<start_date>-<end_date>
where <start_date> = Julian date indicating the start of the date range and <end_date> = Julian date indicating the end of the date range.

The Julian date is calculated by the number of days since January 1, 4713 BC. For example, the Julian date for August 1, 2001 is 2452122.

Page 8: Google as a Hacking Tool

Title searching

Title Search (term) | intitle:Google search | If you prepend "intitle:" to a query term, Google search restricts the results to documents containing that word in the title. Note there can be no space between the "intitle:" and the following word. Note: Putting "intitle:" in front of every word in your query is equivalent to putting "allintitle:" at the front of your query.

Title Search (all) | allintitle: Google search | Starting a query with the term "allintitle:" restricts the results to those with all of the query words in the title.

Page 9: Google as a Hacking Tool

URL Searches

URL Search (term) | inurl:Google search | If you prepend "inurl:" to a query term, Google search restricts the results to documents containing that word in the result URL. Note there can be no space between the "inurl:" and the following word.

Note: "inurl:" works only on words, not URL components. In particular, it ignores punctuation and uses only the first word following the "inurl:" operator. To find multiple words in a result URL, use the "inurl:" operator for each word.

Note: Putting "inurl:" in front of every word in your query is equivalent to putting "allinurl:" at the front of your query.

URL Search (all) | allinurl: Google search | Starting a query with the term "allinurl:" restricts the results to those with all of the query words in the result URL.

Note: "allinurl:" works only on words, not URL components. In particular, it ignores punctuation. Thus, "allinurl: foo/bar" restricts the results to pages with the words "foo" and "bar" in the URL, but does not require that they be separated by a slash within that URL, that they be adjacent, or that they be in that particular word order. There is currently no way to enforce these constraints.

Page 10: Google as a Hacking Tool

Text/Link Searching

Text Only Search (all) | allintext: Google search | Starting a query with the term "allintext:" restricts the results to those with all of the query words in only the body text, ignoring link, URL, and title matches.

Links Only Search (all) | allinlinks: Google search | Starting a query with the term "allinlinks:" restricts the results to those with all of the query words in the URL links on the page.

Page 11: Google as a Hacking Tool

Link Searches

Back Links | link:www.google.com | The query prefix "link:" lists web pages that have links to the specified web page. Note there can be no space between "link:" and the web page URL. Note: No other query terms can be specified when using this special query term.

Related Links | related:www.google.co | The query prefix "related:" lists web pages that are similar to the specified web page. Note there can be no space between "related:" and the web page URL. Note: No other query terms can be specified when using this special query term.

Page 12: Google as a Hacking Tool

Translation service

Google offers a very nice language translation service.

Page 13: Google as a Hacking Tool

Tricks

When www.google.com is not available, try www2.google.com or www3.google.com.

Reading a page from Google's cache keeps content filters from knowing which page you are actually viewing.

You can get the same result by tricking the translation service into an English-to-English translation:

http://translate.google.com/translate (main URL)

?u=http://www.defcon.org&langpair=en|en (options)

Page 14: Google as a Hacking Tool

Intuitive Google Searches

Default Web Pages

Page 15: Google as a Hacking Tool

Windows-based default server

intitle:"Welcome to Windows 2000 Internet Services"

Page 16: Google as a Hacking Tool

Windows-based default server

intitle:"Under construction" "does not currently have"

Page 17: Google as a Hacking Tool

Windows NT 4.0

intitle:"Welcome to IIS 4.0"

Page 18: Google as a Hacking Tool

OpenBSD/Apache (scalp=)

"powered by Apache" "powered by openbsd"

Page 19: Google as a Hacking Tool

Apache 1.2.6

intitle:"Test Page for Apache" "It Worked!"

Page 20: Google as a Hacking Tool

Apache 1.3.0 - 1.3.9

intitle:"Test Page for Apache" "It worked!" "this web site!"

Page 21: Google as a Hacking Tool

Apache 1.3.11 - 1.3.26

"seeing this instead" intitle:"Test Page for Apache"

Page 22: Google as a Hacking Tool

Apache 2.0

intitle:"Simple page for Apache" "Apache Hook Functions"

Page 23: Google as a Hacking Tool

Apache Version Info

Apache Version | Number of Servers

1.3.6 | 119,000
1.3.3 | 151,000
1.3.14 | 159,000
1.3.24 | 171,000
1.3.9 | 203,000
2.0.39 | 256,000
1.3.23 | 259,000
1.3.19 | 260,000
1.3.12 | 300,000
1.3.20 | 353,000
1.3.22 | 495,000
1.3.26 | 896,000

Google told us all this. We’ll discuss how in the next section.

Page 24: Google as a Hacking Tool

Intuitive Searches

Directory Listings

Page 25: Google as a Hacking Tool

Directory Listings

Directory listings are often misconfigurations in the web server.

A directory listing shows a list of files in a directory as opposed to presenting a web page.

Directory listings can provide very useful information.

Page 26: Google as a Hacking Tool

Directory Example

intitle:"Index of"

This query serves as the basis for all directory searches…

Page 27: Google as a Hacking Tool

Directory Info Gathering

Some servers, like Apache, generate a server version tag.
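What the intitle:"Index of" queries actually match is Apache's mod_autoindex page, and the "Apache/[ver] Server at" phrase is the ServerSignature footer that page carries. The following Python parser is an added example for this transcript, not code from the slides: it pulls the title, the listed names and the server, version, host and port out of a listing and flags names that the "Finding Files" slides later search for. The sample listing is constructed in the Apache 1.3 format; the host www.example.com, the /admin path and the function names are this example's assumptions.

```python
"""Parser for an Apache mod_autoindex ("Index of") page: title, listed names and
the "Apache/x.y.z Server at host Port n" signature line. Added example for this
transcript, not code from the slides; SAMPLE_LISTING is constructed."""
import re
from html.parser import HTMLParser

# Names the "Finding Files" slides search for with intitle:"Index of" <name>
SENSITIVE_NAMES = {"test-cgi", "ws_ftp.log", "secring.pgp", "config.php",
                   "administrators.pwd", "ws_ftp.ini", ".htpasswd", "shadow"}

SIGNATURE_RE = re.compile(
    r"(?P<server>[A-Za-z-]+)/(?P<version>[\w.+-]+) Server at (?P<host>\S+) Port (?P<port>\d+)")

# Constructed sample in the Apache 1.3 <PRE> listing format
SAMPLE_LISTING = """<HTML><HEAD><TITLE>Index of /admin</TITLE></HEAD><BODY>
<H1>Index of /admin</H1>
<PRE><IMG SRC="/icons/blank.gif" ALT="     "> Name                    Last modified       Size
<HR>
<IMG SRC="/icons/back.gif" ALT="[DIR]"> <A HREF="/">Parent Directory</A>        05-Aug-2003 10:12      -
<IMG SRC="/icons/text.gif" ALT="[TXT]"> <A HREF=".htpasswd">.htpasswd</A>          01-Aug-2003 09:30     1k
<IMG SRC="/icons/unknown.gif" ALT="[   ]"> <A HREF="config.php">config.php</A>     02-Aug-2003 11:02     2k
<IMG SRC="/icons/unknown.gif" ALT="[   ]"> <A HREF="ws_ftp.ini">ws_ftp.ini</A>     03-Aug-2003 14:45     1k
<IMG SRC="/icons/folder.gif" ALT="[DIR]"> <A HREF="backup/">backup/</A>            04-Aug-2003 08:00      -
</PRE><HR>
<ADDRESS>Apache/1.3.26 Server at www.example.com Port 80</ADDRESS>
</BODY></HTML>
"""


class AutoindexParser(HTMLParser):
    """Collects <title>, every <a href> except parent/sort links, and <address>."""

    def __init__(self):
        super().__init__()
        self.title, self.signature, self.entries = "", "", []
        self._inside = None

    def handle_starttag(self, tag, attrs):
        if tag in ("title", "address"):
            self._inside = tag
        elif tag == "a" and self._inside != "address":   # ServerSignature EMail wraps host in <a>
            href = dict(attrs).get("href") or ""
            # skip "Parent Directory" and the ?C=N;O=D column-sort links of newer Apache
            if href and href not in ("/", "../") and not href.startswith("?"):
                self.entries.append(href)

    def handle_endtag(self, tag):
        if tag == self._inside:
            self._inside = None

    def handle_data(self, data):
        if self._inside == "title":
            self.title += data
        elif self._inside == "address":
            self.signature += data


def parse_listing(html):
    """Return title, entries and the server/version/host/port from the signature."""
    p = AutoindexParser()
    p.feed(html)
    p.close()
    info = {"title": p.title.strip(), "entries": p.entries,
            "server": None, "version": None, "host": None, "port": None}
    m = SIGNATURE_RE.search(" ".join(p.signature.split()))
    if m:
        info.update(server=m["server"], version=m["version"],
                    host=m["host"], port=int(m["port"]))
    return info


def is_directory_listing(info):
    """True when the page is a mod_autoindex listing, i.e. what intitle:"Index of" finds."""
    return info["title"].startswith("Index of ")


def flag_sensitive(info):
    """Names in the listing that appear on the watchlist, sorted."""
    return sorted(e for e in info["entries"] if e.rstrip("/").split("/")[-1] in SENSITIVE_NAMES)


if __name__ == "__main__":
    listing = parse_listing(SAMPLE_LISTING)
    print(listing["title"], listing["server"], listing["version"], listing["host"], listing["port"])
    print("flagged:", flag_sensitive(listing))
```

Run against saved copies of Google's cached pages, this is all the version charts on the next slides need: count `version` per listing. The signature regex is deliberately loose on the version token so the "-dev" and "+interserver" builds in the esoteric chart still parse.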

Page 28: Google as a Hacking Tool

Esoteric Apache Versioning

Esoteric Apache Versions found on Google, query: intitle:"Index of" "Apache/[ver] Server at"

[Bar chart. X axis: Apache Version, with bars for 1.2.6, 1.3b6, 1.3.0, 1.3.1, 1.3.2, 1.3.4-dev, 1.3.4, 1.3.7-dev, 1.3.11, 1.3.15-dev, 1.3.17, 1.3.17-HOF, 1.3.21-dev, 1.3.23-dev, 1.3.24-dev, 1.3.26+interserver, 1.3.xx, 2.0.16, 2.0.18, 2.0.28, 2.0.32, 2.0.35, 2.0.36, 2.0.37-dev and 2.0.40-dev. Y axis: Number of Servers, 0 to 80,000. The bar values range from single digits to roughly 69,000 servers but cannot be matched to their versions from this extraction.]

Page 29: Google as a Hacking Tool

Common Apache Versioning

Common Apache Versions found on Google, query: intitle:"Index of" "Apache/[ver] Server at"

[Bar chart. X axis: Apache Server Version, with bars for 1.3.12, 1.3.14, 1.3.19, 1.3.20, 1.3.22, 1.3.23, 1.3.24, 1.3.26, 1.3.3, 1.3.6, 1.3.9 and 2.0.39. Y axis: Number of Servers, 0 to 1,000,000. The bar values are the figures in the Apache Version Info table on page 23; 1.3.26 at 896,000 is the tallest bar.]

Page 30: Google as a Hacking Tool

Intuitive Searches

Finding Files

Page 31: Google as a Hacking Tool

test-cgi

intitle:"Index of" test-cgi

Page 32: Google as a Hacking Tool

ws_ftp.log

intitle:"Index of" ws_ftp.log

Page 33: Google as a Hacking Tool

secring.pgp

intitle:"Index of" secring.pgp

Page 34: Google as a Hacking Tool

config.php

intitle:"Index of" config.php

Page 35: Google as a Hacking Tool

administrators.pwd

intitle:"Index of" administrators.pwd

Page 36: Google as a Hacking Tool

ws_ftp.ini

intitle:"Index of" ws_ftp.ini

Tip: Go to http://www.hispasec.com/directorio/laboratorio/Software/ws_ftp.html

Page 37: Google as a Hacking Tool

.htpasswd

intitle:"Index of" .htpasswd

Page 38: Google as a Hacking Tool

.htpasswd

intitle:"Index of" .htpasswd

Page 39: Google as a Hacking Tool

/etc/shadow

intitle:"Index of" etc shadow

Page 40: Google as a Hacking Tool

Advanced Techniques

Googlescan

Page 41: Google as a Hacking Tool

Googlescan

With a known set of file-based web vulnerabilities, a vulnerability scanner based on search engines is certainly a reality.

Page 42: Google as a Hacking Tool

Googlescan

…
/scancfg.cgi
/cgi-bin/CrazyWWWBoard.cgi
/cgi-bin/pals-cgi
/ROADS/cgi-bin/search.pl
/way-board/way-board.cgi
/cgi-bin/replicator/webpage.cgi
/cgi-bin/auktion.pl
/cgi-bin/webspirs.cgi
/cgi-bin/ipf/etc/gfw/ui/pwd.dat
/cgi-bin/hsx.cgi
/cgi-bin/mailnews.cgi
/cgi-bin/adcycle
/cgi-bin/post-query
/cgi-bin/ikonboard/help.cgi
/cgi-bin/webspirs.cgi
…

Armed with a list of cgi exploits from any common CGI scanner…

Page 43: Google as a Hacking Tool

Googlescan.sh

#!/bin/sh
# googlescan.sh: one Google query per file name in vuln_files, hit counts into
# report.html (reconstructed from the slide with the line breaks the extraction lost)
rm -f temp

# vuln_files holds one path per line; keep the file name ($NF) and build the
# query  intitle:"Index of" <filename>  as "name|url"
awk -F"/" '{print $NF"|http://www.google.com/search?q=intitle%3A%22Index+of%22+"$NF}' vuln_files > queries

for query in `cat queries`
do
  echo -n "$query|" >> temp
  url=`echo "$query" | awk -F"|" '{print $2}'`
  echo "$url"
  # fetch the result page and keep only the N from "of about <b>N</b>."
  lynx -source "$url" | grep "of about" | awk -F "of about" '{print $2}' \
    | awk -F"." '{print $1}' | tr -d "</b>[:cntrl:] " >> temp
  echo " " >> temp
done

# one link per query; grep -v drops rows whose count is apparently the hit count
# of the bare intitle:"Index of" query at the time, i.e. rows where the file name
# narrowed nothing
cat temp | awk -F"|" '{print "<A HREF=\"" $2 "\">" $1 " (" $3 "hits) </A><BR><BR>"}' \
  | grep -v "(1,770,000" > report.html

Page 44: Google as a Hacking Tool

Googlescan.sh

A simple shell script presents an HTML-formatted list of potentially vulnerable or interesting web servers.

Page 45: Google as a Hacking Tool

Googlescan.sh output

Page 46: Google as a Hacking Tool

Niktoogle.exe output

Page 47: Google as a Hacking Tool

http://johnny.ihackstuff.com/googledorks.shtml

Page 48: Google as a Hacking Tool

Advanced Techniques

Rise of the Robots

Page 49: Google as a Hacking Tool

Rise of the Robots

Michal Zalewski wrote a great article for Phrack (57/10) which presented the idea of using autonomous search robots in server exploitation.

Page 50: Google as a Hacking Tool

Rise of the RobotsRise of the Robots

“Consider a remote exploit that is able to compromise a remote system without sending any attack code to his victim. Consider an exploit which simply creates local file to compromise thousands of computers, and which does not involve any local resources in the attack. Welcome to the world of zero-effort exploit techniques. Welcome to the world of automation, welcome to the world of anonymous, dramatically difficult to stop attacks resulting from increasing Internet complexity.” –Michal Zalewski

Page 51: Google as a Hacking Tool

The Concept

Web robots crawl a web page, indexing the files they are allowed to find.

Any links found on the indexed pages are followed as well.

Instead of standard web links, create a payload of "exploit" links for the crawlers to consume.

Page 52: Google as a Hacking Tool

Simple Example

Michal presents the following example links on his indexed web page:

http://somehost/cgi-bin/script.pl?p1=../../../../attack
http://somehost/cgi-bin/script.pl?p1=;attack
http://somehost/cgi-bin/script.pl?p1=|attack
http://somehost/cgi-bin/script.pl?p1=`attack`
http://somehost/cgi-bin/script.pl?p1=$(attack)
http://somehost:54321/attack?`id`
http://somehost/AAAAAAAAAAAAAAAAAAAAA...

Page 53: Google as a Hacking Tool

Simple Example

The robots followed all the links as written, including connecting to non-HTTP ports.

The robots followed the "attack links," performing the attack completely unaware.

Page 54: Google as a Hacking Tool

Think Big

Michal goes on to postulate that randomly generated, massive lists would cause much more of a problem.

A simple Perl or CGI script randomly generating attack links in the thousands and tens of thousands would create a huge problem!

Who would be liable?
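Seen from the attacked server, each of those links arrives as an ordinary GET from a search engine's IP address and User-Agent, which is exactly why crawler User-Agents must not be exempted from input validation or from web-log review. The following Python is an added example for this transcript, not code from the slides or from Zalewski's article: it parses Apache combined-format log lines, URL-decodes the path and query, flags the payload shapes seen in the example links (directory traversal, shell metacharacters, long single-character runs) and records whether a known crawler delivered the request. The log lines are constructed, the IP addresses and pattern names are this example's own, and the crawler User-Agent list is a short illustrative one.

```python
"""Flag requests whose path or query carries the attack shapes Zalewski's example
links use, and note whether a search-engine crawler delivered them. Added example
for this transcript; SAMPLE_LOG_LINES are constructed in Apache combined format."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

COMBINED_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

PAYLOAD_PATTERNS = {
    "traversal": re.compile(r"(^|[\\/])\.\.([\\/]|$)"),   # ../../../../attack
    "shell-metachar": re.compile(r"[;|`]|\$\("),         # ;attack |attack `attack` $(attack)
    "long-run": re.compile(r"(.)\1{63,}"),               # /AAAAAAAA... length probes
}

CRAWLER_UA = re.compile(r"googlebot|slurp|msnbot|bingbot", re.I)   # illustrative, not complete

GOOGLEBOT = "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
SAMPLE_LOG_LINES = [  # constructed; the IPs are not real crawler addresses
    f'66.249.66.1 - - [08/Aug/2003:10:00:01 +0200] "GET /index.html HTTP/1.0" 200 1024 "-" "{GOOGLEBOT}"',
    f'66.249.66.1 - - [08/Aug/2003:10:00:02 +0200] "GET /cgi-bin/script.pl?p1=../../../../attack HTTP/1.0" 200 512 "-" "{GOOGLEBOT}"',
    f'66.249.66.1 - - [08/Aug/2003:10:00:03 +0200] "GET /cgi-bin/script.pl?p1=;attack HTTP/1.0" 500 0 "-" "{GOOGLEBOT}"',
    f'66.249.66.1 - - [08/Aug/2003:10:00:04 +0200] "GET /cgi-bin/script.pl?p1=$(attack) HTTP/1.0" 500 0 "-" "{GOOGLEBOT}"',
    '10.0.0.5 - - [08/Aug/2003:10:00:05 +0200] "GET /cgi-bin/script.pl?p1=hello HTTP/1.1" 200 300 "-" "Mozilla/4.0"',
    f'66.249.66.1 - - [08/Aug/2003:10:00:06 +0200] "GET /{"A" * 80} HTTP/1.0" 414 0 "-" "{GOOGLEBOT}"',
]


def classify_target(target):
    """Payload classes found in the decoded path, each decoded query value, and the
    raw query (parse_qsl drops a bare '?`id`' that has no '=', so check it too)."""
    parts = urlsplit(target)
    pieces = [unquote(parts.path), unquote(parts.query)]
    pieces += [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    hits = {name for piece in pieces
            for name, rx in PAYLOAD_PATTERNS.items() if rx.search(piece)}
    return sorted(hits)


def scan_log(lines):
    """One finding per request that carries a payload, with the crawler verdict."""
    findings = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue                      # not combined format; skip rather than guess
        classes = classify_target(m["target"])
        if classes:
            findings.append({"ip": m["ip"], "target": m["target"], "status": m["status"],
                             "classes": classes, "crawler": bool(CRAWLER_UA.search(m["ua"]))})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG_LINES):
        who = "crawler" if f["crawler"] else "client"
        print(f'{who:7} {f["ip"]} {f["status"]} {f["classes"]} {f["target"]}')
```

A ";" or "|" in a legitimate parameter will also trip shell-metachar, so treat the classes as triage hints to be read next to the response status: in the constructed sample, the 500 responses beside the payload requests are what would warrant a closer look at the script, and the crawler flag tells you the "attacker" IP belongs to a search engine and that the real source is whoever published the link.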

Page 55: Google as a Hacking Tool

Google doesn't stop

Tomorrow there will be even more sophisticated features. Try these:

http://labs1.google.com/cgi-bin/gviewer.cgi?q=intitle%3Aindex.of.private&delay=8&start=0

http://labs.google.com/sets?hl=en&q1=password&q2=passwd&q3=shadow&q4=etc&q5=&btn=Large+Set

Page 56: Google as a Hacking Tool

Prevention

Locking it down

Page 57: Google as a Hacking Tool

Advice

Google says it isn't Google's fault. Google is very happy to remove references. See http://www.google.com/remove.html.

Follow the webmaster's advice found at http://www.google.com/webmasters/

Get smarter.
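The slides leave "Get smarter" unspecified. As an added example, not from the slides, here is the Apache configuration behind most of the queries on this page: the weak settings the directory-listing and version dorks depend on, beside the hardened ones. The directory path /var/www/html is an assumption; the access-control syntax is Apache 1.3/2.0, the versions the deck's table covers.

```apache
# What the dorks on this page match (the weak settings):
#   Options Indexes        listings for directories without an index file  (intitle:"Index of")
#   ServerSignature On     "Apache/1.3.26 Server at host Port 80" under every listing
#   ServerTokens Full      full version string in the Server response header

# Hardened
ServerTokens Prod
ServerSignature Off

<Directory "/var/www/html">
    Options -Indexes
    AllowOverride None
</Directory>

# .htpasswd / .htaccess are never served, even when they sit in the web root
# (Apache 2.4 spells the same thing "Require all denied")
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
</FilesMatch>
```

A listing only appears where no index file exists, so Options -Indexes turns those URLs into 403 responses instead of file inventories. Removing a reference through the Google URL on the previous slide deletes the index entry and the cached copy, not the file: anything still on the server stays reachable by direct URL and will be re-indexed from any external link. robots.txt is a request, not a control: a well-behaved crawler will not fetch a disallowed path but may still list a URL it found elsewhere, and the file itself advertises the very paths you want hidden.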

Page 58: Google as a Hacking Tool

/misc: "Google Hacks"

There is this book. And it's an O'Reilly book. But it's not about hacking. It's about searching.

Page 59: Google as a Hacking Tool

Google Hotspots

Google APIs: http://www.google.com/apis/
Google voice search: http://labs.google.com/gvs.html
Google sets: http://labs.google.com/sets
Google catalog search: http://catalogs.google.com/
Google news search: http://news.google.com
Google weblog: http://google.blogspace.com/

Page 60: Google as a Hacking Tool

EOF

Watch googleDorks. Questions?