Once again, we have used the popular Hacking Exposed format for the fifth edition; every attack technique is highlighted in the margin like this:


Making it easy to identify specific penetration tools and methodologies. Every attack is countered with practical, relevant, field- tested workarounds, which have their own special Countermeasure icon.


Get right to fixing the problem and keeping the attackers out.

  • Pay special attention to highlighted user input as bold text in the code listing.

  • Every attack is accompanied by an updated Risk Rating derived from three components based on the authors' combined experience:


    The frequency of use in the wild against live targets, with 1 being rarest, 10 being widely used


    The degree of skill necessary to execute the attack, with 1 being a seasoned security programmer, 10 being little or no skill


    The potential damage caused by successful execution of the attack, with 1 being revelation of trivial information about the target, 10 being superuser-account compromise or equivalent

    Risk Rating:

    The overall risk rating (average of the preceding three values)


Hacking Exposed has gone from a small skunks work project designed to help document hacking techniques and disseminate them to people who were passionate about security, to a book with a cult following that has been translated into over 20 languages. The success of Hacking Exposed and all its subsequent editions has been phenomenal and greatly exceeded every expectation we had. The authors routinely travel around the world, and it has been extremely rewarding to hear people say, "Yes, I have the Bible of Security Books Hacking Exposed. "

Since our first edition, there have been many books written in a style similar to Hacking Exposed. While you may have read other books on security, our formula is simple, tried, and true: Provide timely and relevant information about hacker techniques, tools, and associated countermeasures to empower readers to protect themselves . We have not deviated from our formula in this latest edition. If you are joining the Hacking Exposed family for the first time, welcome. If you are a longtime reader, we hope you enjoy this edition as much as prior editions. Remember what Sir Francis Bacon said, "Knowledge is power"power that should not be abused, but rather used to protect and defend. Fight the good fight and stay secure.

Part I: Casing the Establishment


Chapter 1: Footprinting
Chapter 2: Scanning
Chapter 3: Enumeration


By all accounts, Google is one of the rare companies that have created technology that revolutionized the Internet. From its early days of Spartan searches with no advertising, to an IPO that broke all conventional standards, Google is ubiquitous. Google technology powers many sites on the Internet, and its simple search portal is used by millions of people every second of every day. While the majority of people use Google to find everything from rare Linux kernel settings to cures for their aching backs, there are a few who have figured out Google's dirty little secret: It provides a treasure trove of information that attackers are using every day to target, assess, and compromise systems on the Internet.

It is often said that the very characteristic that makes you special can be your Achilles heel. Plain and simple, Google is too damn good at what it does. That is, it is deadly efficient at finding information on the Web. It's very common for organizations and users to leave sensitive informationincluding many sensitive tidbits that would make you shake your head in disbelief on their websites , and Google will find it, archive it, and display it to anyone who can craft the right search criteria.

The secret to meticulously combing billions of web pages with fatal efficiency is the Google Bots. Google Bots are not something out of a sci-fithriller, they are persistent web robots that scourer the Internet at a vociferous rate. Unless instructed otherwise , they will happily follow any link on their ownwhich can spell disaster for you!

Lock and Load with Google

As many administrators and security professionals are all too aware, there are literally dozens of new vulnerabilities that are discovered each day. It can be a daunting task to try to find the vulnerable systems, let alone keep them all patchedand that is exactly what attackers are counting on. They will use the art of footprinting to zero in on vulnerable systems, discovering juicy info that could be used to compromise the security of your site. One particular favorite is using Google as their targeting mechanism. Here is how it works.

Joe Hacker seems to have endless time on his hands. As you struggle to figure out if you are working yet another weekend to patch vulnerable systems, he doesn't have a care in the worldexcept finding systems that are ripe for attack and are more than willing to cough up the goods. Joe Hacker has been refining his Google Hackingthat is, using Google to target systems and sensitive information. He fancies himself a Windows hacker extraordinaire, but in reality he is a master at finding targets of opportunity. Let's peer into his world, examine his handiwork, and see what kind of searches he is performing straight from

His first search appears innocuous enough:

intitle:"Welcome to IIS 4.0"

Results 1 - 10 of about 63 for intitle:"Welcome to IIS 4.0" . ( 0.10 seconds)

What could he be looking for? A listing of Windows IIS 4.0 servers, which have had a plethora of security vulnerabilities, and are usually easy pickings for most attackers.

Joe Hacker tucks this info away as he searches for more victims. Next on his hit list are users running VNC Server via the Web.

"VNC Desktop" inurl:5800

Results 1 - 10 of about 112 for "VNC Desktop" inurl:5800 . ( 0.27 seconds)

VNC Server allows remote users to connect and control a user 's desktop. It is possible for this service to be configured without a password and allow direct access to the desktop. Yikes!

Last but not least in his targeting searches, includes the ever-popular and time- tested search for Microsoft FrontPage extensions that haven't been properly secured:

filetype:pwd service

Results 1 - 10 of about 173 for filetype:pwd service . ( 0.28 seconds)

A quick click on one of the links reveals several usernames and UNIX passwords:

 # -FrontPage-

Joe Hacker loads up a copy of John the Ripper, a password-cracking tool, and instantly cracks Louisa's password" trumpet ". Joe is now sitting pretty with a FrontPage username and password.

Defacing websites via FrontPage insecurities was all the rage a few years back, and Joe figures that, for old time's sake, he'll make a few "enhancements" to some of the users' web pages.

After finding some good targets, Joe Hacker turns his attention to finding sensitive information on the Web, such as passwords and financial information. A quick search of

filetype:bak inurl:"htaccesspasswdshadowhtusers"

Results 1 - 10 of about 59 for filetype:bak inurl:"htaccesspasswdshadowhtusers" . ( 0.18 seconds)

reveals all kinds of information related to password files that store usernames and encrypted passwords (which can easily be cracked). In fact, Joe Hacker hit the jackpot as he pulled back an unshadowed UNIX password file with hundreds of users from one of the top universities in America. Not bad for a few seconds' worth of work.

How about a little database hacking now, Joe? Not a problem.

filetype:properties inurl:db intext:password

Results 1 - 10 of about 854 for filetype:properties inurl:db intext:password . ( 0.21 seconds)

A quick click on one of the results reveals database passwords in clear text!

 drivers=sun.jdbc.odbc.JdbcOdbcDriver jdbc.idbDriver



Unfortunately Joe isn't much for preserving your confidentiality. Then again, you many not be either if you leave sensitive information on the Web. He targets university sites (.edu), looking for confidential information.

"not for distribution" confidential site:edu

Results 1 - 10 of about 138 for "not for distribution" confidential site:edu . ( 0.21 seconds)

Yet again, Joe is rewarded for his searching prowess. Over 100 confidential documents are revealed at the click of a button. Too bad that university left their students' social security numbers in that PDF document.

As the anticipation in actually hacking these systems grows, Joe Hacker decides to go for the kill:

This file was generated by Nessus

Results 1 - 10 of about 75,300 for This file was generated by Nessus . ( 0.20 seconds)

Nessus is a very popular vulnerability scanner that many administrators use. Unfortunately for the unsuspecting victims, Joe Hacker has now located hundreds of Nessus reports that have inadvertently been left on users' systems. This is an amazing bounty of systems accessible via the Internet that provides a blueprint of all their vulnerabilities! What could be easier for Joe? He doesn't even have to run Nessus himselfhe just uses what the admin left for him.

As you will discover in the following chapters, footprinting, scanning, and enumeration are all valuable and necessary steps that an attacker will employ to find your soft underbelly. Google Hacking is just one of the many methods available to your adversaries, and you should heed our advice: Assess your own systems, because the bad guys will be sure to do it for you. And if you are feeling beleaguered, don't despairthere are hacking countermeasures. We will discuss these throughout the book.