Part I: Casing the Establishment

Previous page
Table of content
Next page

CHAPTER LIST

Chapter 1: Footprinting
Chapter 2: Scanning
Chapter 3: Enumeration

CASE STUDY: GOOGLING YOUR WAY TO INSECURITY

By all accounts, Google is one of the rare companies that have created technology that revolutionized the Internet. From its early days of Spartan searches with no advertising, to an IPO that broke all conventional standards, Google is ubiquitous. Google technology powers many sites on the Internet, and its simple search portal is used by millions of people every second of every day. While the majority of people use Google to find everything from rare Linux kernel settings to cures for their aching backs, there are a few who have figured out Google's dirty little secret: It provides a treasure trove of information that attackers are using every day to target, assess, and compromise systems on the Internet.

It is often said that the very characteristic that makes you special can be your Achilles heel. Plain and simple, Google is too damn good at what it does. That is, it is deadly efficient at finding information on the Web. It's very common for organizations and users to leave sensitive informationincluding many sensitive tidbits that would make you shake your head in disbelief on their websites , and Google will find it, archive it, and display it to anyone who can craft the right search criteria.

The secret to meticulously combing billions of web pages with fatal efficiency is the Google Bots. Google Bots are not something out of a sci-fithriller, they are persistent web robots that scourer the Internet at a vociferous rate. Unless instructed otherwise , they will happily follow any link on their ownwhich can spell disaster for you!

Lock and Load with Google

As many administrators and security professionals are all too aware, there are literally dozens of new vulnerabilities that are discovered each day. It can be a daunting task to try to find the vulnerable systems, let alone keep them all patchedand that is exactly what attackers are counting on. They will use the art of footprinting to zero in on vulnerable systems, discovering juicy info that could be used to compromise the security of your site. One particular favorite is using Google as their targeting mechanism. Here is how it works.

Joe Hacker seems to have endless time on his hands. As you struggle to figure out if you are working yet another weekend to patch vulnerable systems, he doesn't have a care in the worldexcept finding systems that are ripe for attack and are more than willing to cough up the goods. Joe Hacker has been refining his Google Hackingthat is, using Google to target systems and sensitive information. He fancies himself a Windows hacker extraordinaire, but in reality he is a master at finding targets of opportunity. Let's peer into his world, examine his handiwork, and see what kind of searches he is performing straight from http://www.google.com.

His first search appears innocuous enough:

intitle:"Welcome to IIS 4.0"

Results 1 - 10 of about 63 for intitle:"Welcome to IIS 4.0" . ( 0.10 seconds)

What could he be looking for? A listing of Windows IIS 4.0 servers, which have had a plethora of security vulnerabilities, and are usually easy pickings for most attackers.

Joe Hacker tucks this info away as he searches for more victims. Next on his hit list are users running VNC Server via the Web.

"VNC Desktop" inurl:5800

Results 1 - 10 of about 112 for "VNC Desktop" inurl:5800 . ( 0.27 seconds)

VNC Server allows remote users to connect and control a user 's desktop. It is possible for this service to be configured without a password and allow direct access to the desktop. Yikes!

Last but not least in his targeting searches, includes the ever-popular and time- tested search for Microsoft FrontPage extensions that haven't been properly secured:

filetype:pwd service

Results 1 - 10 of about 173 for filetype:pwd service . ( 0.28 seconds)

A quick click on one of the links reveals several usernames and UNIX passwords: 

 # -FrontPage- ekendall:bYld1Sr73NLKo louisa:5zm94d7cdDFiQ

Joe Hacker loads up a copy of John the Ripper, a password-cracking tool, and instantly cracks Louisa's password" trumpet ". Joe is now sitting pretty with a FrontPage username and password.

Defacing websites via FrontPage insecurities was all the rage a few years back, and Joe figures that, for old time's sake, he'll make a few "enhancements" to some of the users' web pages.

After finding some good targets, Joe Hacker turns his attention to finding sensitive information on the Web, such as passwords and financial information. A quick search of

filetype:bak inurl:"htaccesspasswdshadowhtusers"

Results 1 - 10 of about 59 for filetype:bak inurl:"htaccesspasswdshadowhtusers" . ( 0.18 seconds)

reveals all kinds of information related to password files that store usernames and encrypted passwords (which can easily be cracked). In fact, Joe Hacker hit the jackpot as he pulled back an unshadowed UNIX password file with hundreds of users from one of the top universities in America. Not bad for a few seconds' worth of work.

How about a little database hacking now, Joe? Not a problem.

filetype:properties inurl:db intext:password

Results 1 - 10 of about 854 for filetype:properties inurl:db intext:password . ( 0.21 seconds)

A quick click on one of the results reveals database passwords in clear text! 

 drivers=sun.jdbc.odbc.JdbcOdbcDriver jdbc.idbDriver logfile=D:\user\src\java\DBConnectionManager\log.txt idb.url=jdbc:idb:c:\local\javawebserver1.1\db\db.prp idb.maxconn=2 access.url=jdbc:odbc:demo access.user=demo access.password=demopw

Unfortunately Joe isn't much for preserving your confidentiality. Then again, you many not be either if you leave sensitive information on the Web. He targets university sites (.edu), looking for confidential information.

"not for distribution" confidential site:edu

Results 1 - 10 of about 138 for "not for distribution" confidential site:edu . ( 0.21 seconds)

Yet again, Joe is rewarded for his searching prowess. Over 100 confidential documents are revealed at the click of a button. Too bad that university left their students' social security numbers in that PDF document.

As the anticipation in actually hacking these systems grows, Joe Hacker decides to go for the kill:

This file was generated by Nessus

Results 1 - 10 of about 75,300 for This file was generated by Nessus . ( 0.20 seconds)

Nessus is a very popular vulnerability scanner that many administrators use. Unfortunately for the unsuspecting victims, Joe Hacker has now located hundreds of Nessus reports that have inadvertently been left on users' systems. This is an amazing bounty of systems accessible via the Internet that provides a blueprint of all their vulnerabilities! What could be easier for Joe? He doesn't even have to run Nessus himselfhe just uses what the admin left for him.

As you will discover in the following chapters, footprinting, scanning, and enumeration are all valuable and necessary steps that an attacker will employ to find your soft underbelly. Google Hacking is just one of the many methods available to your adversaries, and you should heed our advice: Assess your own systems, because the bad guys will be sure to do it for you. And if you are feeling beleaguered, don't despairthere are hacking countermeasures. We will discuss these throughout the book.


Previous page
Table of content
Next page
Hacking Exposed
Hacking Exposed 5th Edition
ISBN: B0018SYWW0
EAN: N/A
Year: 2003
Pages: 127
Authors: Stuart McClure, Joel Scambray, George Kurtz
BUY ON AMAZON
Cisco IP Telephony (CIPT) (Authorized Self-Study) (2nd Edition)
Documenting Software Architectures: Views and Beyond
Microsoft Windows Server 2003(c) TCP/IP Protocols and Services (c) Technical Reference
Sap Bw: a Step By Step Guide for Bw 2.0
Web Systems Design and Online Consumer Behavior
MPLS Configuration on Cisco IOS Software
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy