
Google hacking for penetration tester - part 35 potx



Default pages, documentation, and programs speak volumes about the server that hosts them. They suggest that a server is not well maintained and is by extension vulnerable due to poor maintenance.

Locating Login Portals

Login portals can draw attackers who are searching for specific types of software. In addition, they can serve as a starting point for information-gathering attacks, since most login portals are designed to be user friendly, providing links to help documents and procedures to aid new users. Administrative login portals and remote administration tools are sometimes even more dangerous, especially if they are poorly configured.

Locating Network Hardware

All sorts of network devices can be located with Google queries. These devices are more than a passing technological curiosity for some attackers, since many devices linked from the Web are poorly configured, trusted devices often overlooked by typical security auditors. Web cameras are often overlooked devices that can provide insight for an attacker, even though an extremely small percentage of targets have Web cameras installed. Network printers, when compromised, can reveal a great deal of sensitive information, especially for an attacker capable of viewing print jobs and network information.

Using and Locating Various Web Utilities

Web-enabled network devices can be located with simple Google queries. The information from these devices can be used to help build a network map.

Locating Various Network Reports

Network statistic reports can be located with simple Google queries. The information from these reports can be used to help build a network map.


342 Chapter 8 • Tracking Down Web Servers, Login Portals, and Network Hardware

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.

Q: I run an IIS 6.0 server, and I don’t like the idea of those static HTTP 1.1 error pages hanging around my site, luring potential malicious interest in my server. How can I enable the customized error messages?

A: If you aren’t in the habit of just asking Google by now, you should be! Seriously, try a Google search for site:microsoft.com “Configuring Custom Error Messages” IIS 6.0. At the time of this writing, the article describing this procedure is the first hit. The procedure involves firing up the IIS Manager, double-clicking My Computer, right-clicking the Web Sites folder, and selecting Properties. See the Custom Errors tab.

Q: I run an Apache server, and I don’t like the idea of those server tags on error messages and directory listings. How can I turn these off?

A: To remove the tags, locate the section in your httpd.conf file (usually in /etc/httpd/conf/httpd.conf) that contains the following:

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (error documents, FTP directory listings,
# mod_status and mod_info output etc., but not CGI generated documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#
ServerSignature On

The ServerSignature setting can be changed to Off to remove the tag altogether or to EMail, which presents an e-mail link with the ServerAdmin e-mail address as it appears in the httpd.conf file.

Q: I’ve got an idea for a search that’s not listed here. If you’re so smart about Google, why isn’t my search listed in this book?

A: This book serves as more of a primer than a reference book. There are so many possible Google searches out there that it’s impossible to include them all in one book. Most searches listed in this book are the result of a community of people working together to come up with as many effective searches as possible. Fortunately, this community of individuals has created a unique and extensive database that is open to the public for the purposes of adequately defending against this unique threat. The Search Engine Hacking forum and the GHDB are both available at http://johnny.ihackstuff.com. If you’ve got a new search, first search the database to make sure it’s unique. If you think it is, submit it to the forums, and your search could be the newest addition to the database. But beware, Google searcher: Google hacking is fun and addictive. If you submit one search, I think you’ll find it’s hard to stop. Just ask any of the individuals on the Google Master’s list. Some of them found it hard to stop at 10 or 20 unique submitted searches! Check out the Acknowledgments page for a list of users who have made a significant contribution to the Google hacking community.

Q: The NQT tool can only scan one port at a time. Could this behavior be modified?

A: Without modifying the code on the remote NQT server, this task would require the coding of a PHP loop that feeds the requests one at a time to the NQT server. Remember, though, that even single ports can play a critical role when it comes time to perform an actual network port scan. For many different types of scans, it’s always advantageous to have a list of ports that are known to be open.

Q: Aren’t there any Web-based tools besides NQT with a larger port scan range?

A: If you’re interested in scanning lots of ports, you might be better off with a standard scanner like nmap. However, to flex those Google muscles, try a query like inurl:portscan.php (“from Port”|“Port Range”) suggested by Jimmy Neutron on the Google Hacking Forums. Although there aren’t many results, who knows what the future holds for this search!

Q: So Web interfaces on network devices are a bad idea?

A: They don’t have to be, but statistically they are for a few reasons. First, they are often excessive when you consider that the same task could be more securely accomplished via serial port connection or via a dedicated admin network connection. Second, small devices require small servers, so some exotic Web servers are used that are not as well tested as Apache, for example (consider the vulnerabilities on Axis cams at SecurityFocus). Third, as we’ve seen in this chapter, the pages can be found with (or submitted to) Google if the admins are not careful. This opens the floodgates for all the fledgling Google hackers out there.

Q: Our network devices (routers) can’t be accessed by anyone from the outside. Does that mean we are safe?

A: Even though it is not accessible from the wide area network (WAN), it may be accessible from a compromised host on your LAN. Posting information about it on Usenet or tech forums is a risk. For an example, try searching for intext:“enable secret 5 $” as suggested by hevnsnt on the Google Hacking Forums. Then try the same on Google Groups. It’s a good thing Cisco implemented strong encryption on those passwords, since these searches often reveal sensitive information about these devices.

Chapter 9

Usernames, Passwords, and Secret Stuff, Oh My!

Solutions in this chapter:

Searching for Usernames
Searching for Passwords
Searching for Credit Card Numbers, Social Security Numbers, and More
Searching for Other Juicy Info
List of Sites

Summary
Solutions Fast Track
Frequently Asked Questions

This chapter is not about finding sensitive data during an assessment as much as it is about what the “bad guys” might do to troll for the data. The examples presented in this chapter generally represent the lowest-hanging fruit on the security tree. Hackers target this information on a daily basis. To protect against this type of attacker, we need to be fairly candid about the worst-case possibilities. We won’t be overly candid, however. We don’t want to give the bad guys any ideas they don’t already have.

We start by looking at some queries that can be used to uncover usernames, the less important half of most authentication systems. The value of a username is often overlooked, but as we’ve already discussed, an entire multimillion-dollar security system can be shattered through skillful crafting of even the smallest, most innocuous bit of information.

Next, we will take a look at queries that are designed to uncover passwords. Some of the queries we look at reveal encrypted or encoded passwords, which will take a bit of work on the part of an attacker to use to his or her advantage. We also take a look at queries that can uncover cleartext passwords. These queries are some of the most dangerous in the hands of even the most novice attacker. What could make an attack easier than handing a username and cleartext password to an attacker?

We wrap up this chapter by discussing the very real possibility of uncovering highly sensitive data such as credit card information and information used to commit identity theft, such as Social Security numbers. Our goal here is to explore ways of protecting against this very real threat. To that end, we don’t go into details about uncovering financial information and the like. If you’re a “dark side” hacker, you’ll need to figure these things out on your own, or make the wise decision to turn to the light side of the force.

Searching for Usernames

Most authentication mechanisms use a username and password to protect information. To get through the “front door” of this type of protection, you’ll need to determine usernames as well as passwords. Usernames also can be used for social engineering efforts, as we discussed earlier.

Many methods can be used to determine usernames. In the “Database Digging” chapter, we explored ways of gathering usernames via database error messages. In the “Tracking Down Web Servers” chapter, we explored Web server and application error messages that can reveal various information, including usernames. These indirect methods of locating usernames are helpful, but an attacker could target a usernames directory with a simple query like “your username is”. This phrase can locate help pages that describe the username creation process, as shown in Figure 9.1.

346 Chapter 9 • Usernames, Passwords, and Secret Stuff, Oh My!


Figure 9.1 Help Documents Can Reveal Username Creation Processes

An attacker could use this information to postulate a username based on information gleaned from other sources, such as Google Groups posts or phone listings. The usernames could then be recycled into various other phases of the attack, such as a worm-based spam campaign or a social-engineering attempt. An attacker can gather usernames from a variety of sources, as shown in the sample queries listed in Table 9.1.

Table 9.1 Sample Queries That Locate Usernames

Query | Description
inurl:admin inurl:userlist | Generic userlist files
inurl:admin filetype:asp inurl:userlist | Generic userlist files
inurl:php inurl:hlstats intext: | Half-life statistics file, lists username and
filetype:ctl inurl:haccess.ctl | Basic Microsoft FrontPage equivalent (?) of htaccess; shows Web user credentials
filetype:reg reg intext:"internet | Microsoft Internet Account Manager
filetype:wab wab | Microsoft Outlook Express Mail address books
filetype:mdb inurl:profiles | Microsoft Access databases containing (user) profiles
index.of perform.ini | mIRC IRC ini file can list IRC usernames and other information
inurl:root.asp?acs=anon | Outlook Mail Web Access directory can be used to discover usernames
filetype:conf inurl:proftpd.conf -sample | PROFTP FTP server configuration file reveals username and server information
filetype:log username putty | PuTTY SSH client logs can reveal usernames and server information
filetype:rdp rdp | Remote Desktop Connection files reveal user credentials
intitle:index.of bash_history | UNIX bash shell history reveals commands typed at a bash command prompt; usernames are often typed as argument strings
intitle:index.of sh_history | UNIX shell history reveals commands typed at a shell command prompt; usernames are often typed as argument strings
"index of" lck | Various lock files list the user currently using a file
+intext:webalizer +intext:"Total Usernames" +intext:"Usage Statistics for" | Webalizer Web statistics page lists Web usernames and statistical information
filetype:reg reg HKEY_CURRENT_ | Windows Registry exports can reveal
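A defender can turn Table 9.1 around and audit a site's own document root for the kinds of files those queries hunt for, before a crawler indexes them. The script below is an added example, not code from the book: the filename regexes it derives from the table's filetype:/inurl: terms, the category labels, and the sample webroot it builds are all its own constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Filename patterns derived from the queries in Table 9.1: each query's
# filetype:/inurl: term becomes a filename regex. The mapping and the
# category labels are this example's own assumptions, not the book's.
EXPOSURE_PATTERNS = {
    "shell history": re.compile(r"^\.?(bash|sh)_history$"),
    "Windows registry export": re.compile(r"\.reg$", re.I),
    "Remote Desktop file": re.compile(r"\.rdp$", re.I),
    "Outlook Express address book": re.compile(r"\.wab$", re.I),
    "Access database with profiles": re.compile(r"profile.*\.mdb$", re.I),
    "ProFTPD configuration": re.compile(r"^proftpd\.conf$", re.I),
    "PuTTY log": re.compile(r"^putty.*\.log$", re.I),
    "userlist file": re.compile(r"userlist", re.I),
    "Webalizer report": re.compile(r"^usage_\d{6}\.html$", re.I),
}

def audit_webroot(root):
    """Sorted (relative path, category) pairs for matching files under root."""
    root = Path(root)
    findings = []
    for path in (p for p in root.rglob("*") if p.is_file()):
        for category, pattern in EXPOSURE_PATTERNS.items():
            if pattern.search(path.name):  # first matching category wins
                findings.append((path.relative_to(root).as_posix(), category))
                break
    return sorted(findings)

# Constructed sample webroot: harmless pages plus empty stand-ins for the
# kinds of files the Table 9.1 queries locate (created only for the demo).
SAMPLE_FILES = [
    "index.html", "css/site.css", "admin/userlist.asp", "backup/settings.reg",
    "home/.bash_history", "docs/remote.rdp", "data/user_profiles.mdb",
    "etc/proftpd.conf", "logs/putty_session.log", "stats/usage_200406.html",
]

def demo():
    """Create the sample webroot in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel in SAMPLE_FILES:
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.touch()
        return audit_webroot(tmp)

if __name__ == "__main__":
    for rel, category in demo():
        print(f"{category:30} {rel}")
```

Point audit_webroot at a real document root to get the same report for your own server; anything it lists is a candidate for removal or for an access rule that keeps it out of both the browser and the search index.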



Underground Googling

Searching for a Known Filename

Remember that there are several ways to search for a known filename. One way relies on locating the file in a directory listing, like intitle:index.of install.log. Another, often better, method relies on the filetype operator, as in filetype:log inurl:install.log. Directory listings are not all that common. Google will crawl a link to a file in a directory listing, meaning that the filetype method will find both directory listing entries as well as files crawled in other ways.

In some cases, usernames can be gathered from Web-based statistical programs that check Web activity. The Webalizer program shows all sorts of information about a Web server’s usage. Output files for the Webalizer program can be located with a query such as +intext:webalizer +intext:”Total Usernames” +intext:”Usage Statistics for”. Among the information displayed is the username that was used to connect to the Web server, as shown in Figure 9.2. In some cases, however, the usernames displayed are not valid or current, but the “Visits” column lists the number of times a user account was used during the capture period. This enables an attacker to easily determine which accounts are more likely to be valid.

Figure 9.2 The Webalizer Output Page Lists Web Usernames


The Windows registry holds all sorts of authentication information, including usernames and passwords. Though it is unlikely (and fairly uncommon) to locate live, exported Windows registry files on the Web, at the time of this writing there are nearly 200 hits on the query filetype:reg HKEY_CURRENT_USER username, which locates Windows registry files that contain the word username and in some cases passwords, as shown in Figure 9.3.

Figure 9.3 Generic Windows Registry Files Can Reveal Usernames and Passwords

As any talented attacker or security person will tell you, it’s rare to get information served to you on a silver platter. Most decent finds take a bit of persistence, creativity, intelligence, and just a bit of good luck. For example, consider the Microsoft Outlook Web Access portal, which can be located with a query like inurl:root.asp?acs=anon. There are few hits for this query, even though lots of sites run the Microsoft Web-based mail portal. Regardless of how you might locate a site running this e-mail gateway, it’s not uncommon for the site to host a public directory (denoted “Find Names,” by default), as shown in Figure 9.4.


Posted: 04/07/2014, 17:20
