Chapter 4
Document Grinding and Database Digging

Solutions in this chapter:
■ Configuration Files
■ Log Files
■ Office Documents
■ Database Information
■ Automated Grinding
■ Google Desktop
■ Links to Sites

Summary
Solutions Fast Track
Frequently Asked Questions
There’s no shortage of documents on the Internet. Good guys and bad guys alike can use information found in documents to achieve their distinct purposes. In this chapter we take a look at ways you can use Google not only to locate these documents but to search within them to locate information. There are so many different types of documents that we can’t cover them all, but we’ll look at documents in distinct categories based on their function. Specifically, we’ll take a look at configuration files, log files, and office documents. Once we’ve looked at distinct file types, we’ll delve into the realm of database digging. We won’t examine the details of the Structured Query Language (SQL) or database architecture and interaction; rather, we’ll look at the many ways Google hackers can locate and abuse database systems armed with nothing more than a search engine.
One important thing to remember about document digging is that Google will only search the rendered, or visible, view of a document. For example, consider a Microsoft Word document. This type of document can contain metadata, as shown in Figure 4.1. These fields include such things as the subject, author, manager, company, and much more. Google will not search these fields. If you’re interested in getting to the metadata within a file, you’ll have to download the actual file and check the metadata yourself, as discussed in Chapter 5.
Figure 4.1 Microsoft Word Metadata
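As an added, constructed example that is not from the book, the following Python shows the gap the paragraph describes: it builds a minimal .docx in memory, extracts only the visible text that a search engine would index, reads the core-properties metadata (author, title, last editor) that never appears in that rendered view, and rewrites the package with those properties emptied before the file is published. The document contents, names and the strip_core_properties helper are assumptions made for the illustration.

```python
import io
import zipfile
from xml.etree import ElementTree as ET

# Namespaces used by docProps/core.xml inside a .docx (OOXML core properties).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
W_NS = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"


def build_sample_docx(title, creator, last_modified_by, body_text):
    """Construct a minimal .docx in memory (constructed test input, not a real document)."""
    core_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s">'
        '<dc:title>%s</dc:title><dc:creator>%s</dc:creator>'
        '<cp:lastModifiedBy>%s</cp:lastModifiedBy>'
        '</cp:coreProperties>'
        % (NS["cp"], NS["dc"], NS["dcterms"], title, creator, last_modified_by)
    )
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="%s"><w:body><w:p><w:r><w:t>%s</w:t></w:r></w:p>'
        '</w:body></w:document>' % (W_NS[1:-1], body_text)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core_xml)
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def read_core_properties(docx_bytes):
    """Return the core properties (author, title, last editor, ...) stored inside a .docx."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/core.xml"))
    props = {}
    for child in root:
        # ElementTree prefixes tag names with '{namespace}'; keep only the local name.
        props[child.tag.split("}", 1)[1]] = (child.text or "").strip()
    return props


def visible_text(docx_bytes):
    """Approximate the rendered view a search engine indexes: the w:t text runs only."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    return " ".join(t.text or "" for t in root.iter(W_NS + "t"))


def strip_core_properties(docx_bytes):
    """Rewrite the package with an empty core.xml so author/company fields do not ship."""
    empty = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
             '<cp:coreProperties xmlns:cp="%s"/>' % NS["cp"])
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            dst.writestr(name, empty if name == "docProps/core.xml" else src.read(name))
    return out.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx("Q3 budget", "jdoe", "Finance Dept", "Totals attached.")
    print("indexed text:", visible_text(doc))
    print("hidden metadata:", read_core_properties(doc))
    print("after stripping:", read_core_properties(strip_core_properties(doc)))
```

The point for a defender is that the metadata block and the indexed text live in different parts of the package: a search engine query will never surface the author or company fields, but anyone who downloads the file gets them, so the stripping step belongs in the publishing workflow rather than relying on what Google shows.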
Configuration Files
Configuration files store program settings. An attacker (or “security specialist”) can use these files to glean insight into the way a program is used and perhaps, by extension, into how the system or network it’s on is used or configured. As we’ve seen in previous chapters, even the smallest tidbit of information can be of interest to a skilled attacker.

Consider the file shown in Figure 4.2. This file, found with a query such as filetype:ini inurl:ws_ftp, is a configuration file used by the WS_FTP client program. When the WS_FTP program is downloaded and installed, the configuration file contains nothing more than a list of popular, public Internet FTP servers. However, over time, this configuration file can be automatically updated to include the name, directory, username, and password of FTP servers the user connects to. Although the password is encoded when it is stored, some free programs can crack these passwords with relative ease.
Figure 4.2 The WS_FTP.INI File Contains Hosts, Usernames, and Passwords
Underground Googling
Locating Files
To locate files, it’s best to try different types of queries. For example, intitle:index.of ws_ftp.ini will return results, but so will filetype:ini inurl:ws_ftp.ini. The inurl search, however, is often the better choice. First, the filetype search allows you to browse right to a cached version of the page. Second, the directory listings found by the index.of search might allow you to view a list of files but not allow you access to the actual file. Third, directory listings are not overly common. The filetype search will locate your file no matter how Google found it.
Regardless of the type of data in a configuration file, sometimes the mere existence of a configuration file is significant. If a configuration file is located on a server, there’s a chance that the accompanying program is installed somewhere on that server or on neighboring machines on the network. Although this might not seem like a big deal in the case of FTP client software, consider a search like filetype:conf inurl:firewall, which can locate generic firewall configuration files. This example demonstrates one of the most generic naming conventions for a configuration file, the use of the conf file extension. Other generic naming conventions can be combined to locate equally common variants. One of the most common base searches for locating configuration files is simply (inurl:conf OR inurl:config OR inurl:cfg), which incorporates the three most common configuration file prefixes. You may also opt to use the filetype operator.
If an attacker knows the name of a configuration file as it shipped from the software author or vendor, he can simply create a search targeting that filename using the filetype and inurl operators. However, most programs allow you to reference a configuration file of any name, making a Google search slightly more difficult. In these cases, it helps to get an idea of the contents of the configuration file, which could be used to extract unique strings for use in an effective base search. Sometimes, combining a generic base search with the name (or acronym) of a software product can have satisfactory results, as a search for (inurl:conf OR inurl:config OR inurl:cfg) MRTG shows in Figure 4.3.
Figure 4.3 Generic Configuration File Searching
Although this first search is not far off the mark, it’s fairly common for even the best config file search to return page after page of sample or example files, like the sample MRTG configuration file shown in Figure 4.4.
Figure 4.4 Sample Config Files Need Filtering
This brings us back, once again, to perhaps the most valuable weapon in a Google hacker’s arsenal: effective search reduction. Here’s a list of the most common points a Google hacker considers when trolling for configuration files:
■ Create a strong base search using unique words or phrases from live files.
■ Filter out the words sample, example, test, howto, and tutorial to narrow the obvious example files.
■ Filter out CVS repositories, which often house default config files, with -cvs.
■ Filter out manpage or Manual if you’re searching for a UNIX program’s configuration file.
■ Locate the one most commonly changed field in a sample configuration file and perform a negative search on that field, reducing potentially “lame” or sample files.
To illustrate these points, consider the search filetype:cfg mrtg "target[*]" -sample -cvs -example, which locates potentially live MRTG files. As shown in Figure 4.5, this query uses a unique string "target[*]" (which is a bit ubiquitous to Google, but still a decent place to start) and removes potential example and CVS files, returning decent results.
Figure 4.5 A Common Search Reduction Technique
Some of the results shown in Figure 4.5 might not be real, live MRTG configuration files, but they all have potential, with the exception of the first hit, located in “/Squid-Book.” There’s a good chance that this is a sample file, but because of the reduction techniques we’ve used, the other results are potentially live, production MRTG configuration files.
Table 4.1 lists a collection of searches that locate various configuration files. These entries were gathered by the many contributors to the GHDB. This list highlights the various methods that can be used to target configuration files. You’ll see examples of CVS reduction, sample reduction, unique word and phrase isolation, and more. Most of these queries took imagination on the part of the creator and in many cases took several rounds of reduction by several searchers to get to the query you see here. Learn from these queries, and try them out for yourself. It might be helpful to remove some of the qualifiers, such as -cvs or -sample, where applicable, to get an idea of what the “messy” version of the search might look like.
Table 4.1 Configuration File Search Examples

Description                                       Query
PHP configuration file                            intitle:index.of config.php
PHP configuration file                            inurl:config.php dbuname dbpass
CGIIRC configuration file                         intitle:index.of cgiirc.config
CGIIRC configuration file                         inurl:cgiirc.config
IPSEC configuration file                          inurl:ipsec.conf -intitle:manpage
ws_ftp configuration file                         intitle:index.of ws_ftp.ini
eggdrop configuration file                        eggdrop filetype:user user
samba configuration file                          inurl:"smb.conf" intext:"workgroup" filetype:conf
firewall configuration file                       filetype:conf inurl:firewall -intitle:cvs
vtunnelD configuration file                       inurl:vtund.conf intext:pass -cvs
OpenLDAP configuration file                       filetype:conf slapd.conf
PHP configuration file                            inurl:php.ini filetype:ini
FTP configuration file                            filetype:conf inurl:proftpd.conf -sample
WV Dial configuration file                        inurl:"wvdial.conf" intext:"password"
OpenLDAP configuration file                       inurl:"slapd.conf" intext:"credentials" -manpage -"Manual Page" -man: -sample
OpenLDAP configuration file                       inurl:"slapd.conf" intext:"rootpw" -manpage -"Manual Page" -man: -sample
WS_FTP configuration file                         filetype:ini ws_ftp pwd
MRTG configuration file                           filetype:cfg mrtg "target[*]" -sample -cvs -example
WRQ Reflection configuration file                 filetype:r2w r2w
Prestige router configuration file                "Welcome to the Prestige Web-Based Configurator"
GNU Zebra configuration file                      inurl:zebra.conf intext:password -sample -test -tutorial -download
GNU Zebra configuration file                      inurl:ospfd.conf intext:password -sample -test -tutorial -download
YAST configuration file                           filetype:cfg ks intext:rootpw -sample -test -howto
Netscape server configuration file                allinurl:".nsconfig" -sample -howto -tutorial
UnrealIRCd configuration file                     filetype:conf inurl:unrealircd.conf -cvs -gentoo
psyBNC configuration file                         filetype:conf inurl:psybnc.conf "USER.PASS="
SSL configuration file                            inurl:ssl.conf filetype:conf
LILO configuration file                           inurl:lilo.conf filetype:conf password -tatercounter2000 -bootpwd -man
MySQL configuration file                          filetype:cnf my.cnf -cvs -example
oracle client configuration file                  filetype:ora ora
Mandrake configuration file                       filetype:cfg auto_inst.cfg
Oekakibss configuration file                      filetype:conf oekakibbs
LeapFTP client configuration file                 LeapFTP intitle:"index.of./" sites.ini modified
.Net Web Application configuration file           filetype:config config intext:appSettings "User ID"
WS_FTP configuration file                         "index of/" "ws_ftp.ini" "parent directory"
ODBC client configuration files                   inurl:odbc.ini ext:ini -cvs
FlashFXP configuration file                       filetype:ini inurl:flashFXP.ini
Generic configuration file                        ext:ini intext:env.ini
Certificate Services configuration file           filetype:inf inurl:capolicy.inf
NoCatAuth configuration file                      ext:conf NoCatAuth -cvs
Putty saved session data                          inurl:"putty.reg"
Icecast configuration file                        "liveice configuration file" ext:cfg -site:sourceforge.net
SoftCart configuration file                       intitle:Configuration.File inurl:softcart.exe
Cisco configuration data                          intext:"enable secret 5 $"
IIS Web.config file                               filetype:config web.config -CVS
VMWare configuration files                        ext:vmx vmx
Radiator Radius configuration file                ext:cfg radius.cfg
Rsync configuration file                          ext:conf inurl:rsyncd.conf -cvs -man
Eudora configuration file                         ext:ini eudora.ini
emule configuration file                          inurl:preferences.ini "[emule]"
abyss webserver configuration file                intitle:index.of abyss.conf
Frontpage Extensions for Unix configuration file  filetype:cnf inurl:_vti_pvt access.cnf
Shoutcast configuration file                      intitle:"Index of" sc_serv.conf sc_serv content
HP Ethernet switch configuration file             intitle:"DEFAULT_CONFIG - HP"
Oracle configuration files                        filetype:ora tnsnames
Counterstrike configuration file                  inurl:server.cfg rcon password
Steam configuration file                          intext:"SteamUserPassphrase=" intext:"SteamAppUser=" -"username" -"user"
CGI Calendar configuration file                   inurl:cgi-bin inurl:calendar.cfg
Cisco configuration file                          intext:"enable password 7"
YABB Forum administration file                    inurl:/yabb/Members/Admin.dat
FlashFXP site data file                           inurl:"Sites.dat"+"PASS="
Ruby on Rails database connector file             ext:yml database inurl:config
Cisco configuration file                          enable password | secret "current configuration" -intext:the
Generic configuration file                        intitle:index.of.config
Log Files
Log files record information. Depending on the application, the information recorded in a log file can include anything from timestamps and IP addresses to usernames and passwords—even incredibly sensitive data such as credit card numbers!
Like configuration files, log files often have a default name that can be used as part of a base search. The most common file extension for a log file is simply log, making the simplest base search for log files simply filetype:log inurl:log or the even simpler ext:log log. Remember that the ext (filetype) operator requires at least one search argument. Log file searches seem to return fewer sample and example files than configuration file searches, but search reduction is still required in some cases. Refer to the rules for configuration file reduction listed previously.
Table 4.2 lists a collection of log file searches collected from the GHDB. These searches show the various techniques that are employed by Google hackers and serve as an excellent learning tool for constructing your own searches during a penetration test.
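As an added example that is not part of the book, the following Python turns the search material of this section around to the defender’s side: it walks a web root for the filenames and extensions that appear in the configuration-file searches of Table 4.1 and the log-file searches of Table 4.2, flags content that the same searches key on (password-style keys, the Cisco enable secret and password 7 strings, the “your password is” log phrase), and applies the sample-versus-live reduction heuristics from the configuration-file section (sample, example, test, howto, tutorial, manpage words and CVS directories) to each hit so that shipped examples can be separated from live files. The directory tree it scans is constructed inline; the file names, contents and the name lists are assumptions made for the illustration and are not exhaustive.

```python
import re
import tempfile
from pathlib import Path

# Filenames drawn from the search examples in Tables 4.1 and 4.2 (assumed list, not exhaustive).
SENSITIVE_NAMES = {
    "ws_ftp.ini", "config.php", "cgiirc.config", "ipsec.conf", "smb.conf",
    "vtund.conf", "slapd.conf", "php.ini", "proftpd.conf", "wvdial.conf",
    "zebra.conf", "ospfd.conf", "unrealircd.conf", "psybnc.conf", "ssl.conf",
    "lilo.conf", "my.cnf", "auto_inst.cfg", "sites.ini", "web.config",
    "odbc.ini", "flashfxp.ini", "env.ini", "capolicy.inf", "putty.reg",
    "radius.cfg", "rsyncd.conf", "eudora.ini", "preferences.ini", "abyss.conf",
    "access.cnf", "sc_serv.conf", "tnsnames.ora", "server.cfg", "calendar.cfg",
    "admin.dat", "sites.dat", "machttp.log", "logdb.dta",
}
SENSITIVE_EXTS = {".conf", ".config", ".cfg", ".ini", ".cnf", ".ora", ".log", ".yml", ".vmx"}

# Content markers taken from the same tables: credential keys and tell-tale log phrases.
CONTENT_PATTERNS = [
    re.compile(r"\b(password|pass|pwd|rootpw|dbpass|credentials)\b\s*[=:]", re.I),
    re.compile(r"enable (secret 5|password 7)", re.I),
    re.compile(r"PASS=|SteamUserPassphrase=", re.I),
    re.compile(r"your password is", re.I),
]

# Words the reduction list treats as markers of shipped examples rather than live files.
SAMPLE_MARKERS = ("sample", "example", "test", "howto", "tutorial", "manpage", "manual page")


def is_candidate(path):
    """A file is worth looking at if its name or extension matches the search tables."""
    return path.name.lower() in SENSITIVE_NAMES or path.suffix.lower() in SENSITIVE_EXTS


def looks_like_sample(rel_path, text):
    """Reduction heuristics: a CVS directory, or a sample marker in the path or content.

    Substring matching is deliberate (it mirrors a -sample style filter) and can
    over-match words such as 'latest'; treat the flag as triage, not a verdict.
    """
    if any(part.lower() == "cvs" for part in rel_path.parts):
        return True
    haystack = str(rel_path).lower() + "\n" + text.lower()
    return any(marker in haystack for marker in SAMPLE_MARKERS)


def audit_webroot(root):
    """Walk a directory tree and report files a search engine could index as 'document dirt'."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or not is_candidate(path):
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        rel = path.relative_to(root)
        findings.append({
            "path": rel.as_posix(),
            "credential_markers": [p.pattern for p in CONTENT_PATTERNS if p.search(text)],
            "likely_sample": looks_like_sample(rel, text),
        })
    return findings


def build_demo_webroot():
    """Constructed sample tree (not real data): live, sample, CVS and log files side by side."""
    root = tempfile.mkdtemp(prefix="webroot_")
    files = {
        "ftp/WS_FTP.ini": "[corp-ftp]\nHOST=ftp.corp.internal\nUID=jdoe\nPWD=VC4D3A5B\n",
        "mrtg/mrtg.cfg": "WorkDir: /var/www/mrtg\nTarget[router]: 2:public@10.0.0.1\n",
        "mrtg/sample/mrtg.cfg": "# Sample MRTG configuration\nTarget[*]: 1:public@router\n",
        "cvs/smb.conf": "[global]\nworkgroup = WORKGROUP\n",
        "logs/reset.log": "2006-01-01 user jdoe: your password is hunter2\n",
        "index.html": "<html>welcome</html>\n",
    }
    for rel, body in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root


if __name__ == "__main__":
    for finding in audit_webroot(build_demo_webroot()):
        print(finding)
```

Run against a real document root, the report gives the two lists a defender wants before a search engine builds them: files that should be removed or access-controlled outright (the live ones carrying credentials) and files that are merely noise (the shipped samples), which is the same sample-versus-live split the reduction list performs from the searcher’s side.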
Table 4.2 Log File Search Examples

Query                                                                       Description
"ZoneAlarm Logging Client"                                                  ZoneAlarm log files
"admin account info" filetype:log                                           Admin logs
"apricot - admin" 00h                                                       Apricot logs
"by Reimar Hoven All Rights Reserved Disclaimer" | inurl:"log/logdb.dta"    PHP Web Statistik logs
"generated by wwwstat"                                                      www statistics
"Index of" / "chat/logs"                                                    Chat logs
"MacHTTP" filetype:log inurl:machttp.log                                    MacHTTP
"Most Submitted Forms and Scripts" "this section"                           www statistics
"sets mode: +k"                                                             IRC logs, channel key set
"sets mode: +p"                                                             IRC chat logs
"sets mode: +s"                                                             IRC logs, secret channel set
"The statistics were last updated" "Daily" -microsoft.com                   Network activity logs
"This report was generated by WebLog"                                       weblog-generated statistics
"your password is" filetype:log                                             Password logs