Table 9.3 English Translations of the Word Password

Searching for Credit Card Numbers, Social Security Numbers, and More
Most people have heard news stories about Web hackers making off with customer credit card information. With so many fly-by-night retailers popping up on the Internet, it’s no wonder that credit card fraud is so prolific. These mom-and-pop retailers are not the only ones successfully compromised by hackers. Corporate giants by the hundreds have had financial database compromises over the years, victims of sometimes very technical, highly focused attackers. What might surprise you is that it doesn’t take a rocket scientist to uncover live credit card numbers on the Internet, thanks to search engines like Google. Everything from credit information to banking data or supersensitive classified government documents can be found on the Web. Consider the (highly edited) Web page shown in Figure 9.9.
Figure 9.9 Google Stores Piles and Piles of Previously Pilfered Personal Data
This document, found using Google, lists hundreds and hundreds of credit card numbers (including expiration date and card validation numbers) as well as the owners’ names, addresses, and phone numbers. This particular document also included phone card (calling card) numbers. Notice the scroll bar on the right-hand side of Figure 9.9, an indicator that the displayed page is only a small part of this huge document—like many other documents of its kind. In most cases, pages that contain these numbers are not “leaked” from online retailers or e-commerce sites but rather are most likely the fruits of a scam known as phishing, in which users are solicited via telephone or e-mail for personal information. Several Web sites, including MillerSmiles.co.uk, document these scams and hoaxes. Figure 9.10 shows a screen shot of a popular eBay phishing scam that encourages users to update their eBay profile information.
Figure 9.10 Screenshot of an eBay Phishing Scam
Once a user fills out this form, all the information is sent via e-mail to the attacker, who can use it for just about anything. Sometimes this data is stored on a Web server used by the attacker. In some cases I’ve seen online “phishing investigators” post reports which link to the phisher’s cache of pilfered personal data. When a search engine crawls those links, all that personal data is suddenly available to even the most amateur Google hacker.
Tools and Traps…
Catching Online Scammers
In some cases, you might be able to use Google to help nab the bad guys. Phishing scams are effective because the fake page looks like an official page. To create an official-looking page, the bad guys must have examples to work from, meaning that they must have visited a few legitimate companies’ Web sites. If the phishing scam was created using text from several companies’ existing pages, you can key in on specific phrases from the fake page, creating Google queries designed to round up the servers that hosted some of the original content. Once you’ve located the servers that contained the pilfered text, you can work with the companies involved to extract correlating connection data from their log files. If the scammer visited each company’s Web page, collecting bits of realistic text, his IP should appear in each of the log files.
Auditors at SensePost (www.sensepost.com) have successfully used this technique to nab online scam artists. Unfortunately, if the scammer uses an exact copy of a page from only one company, this task becomes much more difficult to accomplish.
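The log-correlation step described in this sidebar, as an added example that is not the book’s or SensePost’s code: it assumes each company has already pulled from its Web server logs the lines that requested the page whose text turned up in the fake page, in Apache/nginx Combined Log Format, and it returns the client IPs that appear at every company. The three log excerpts are constructed for the demonstration.

```python
"""
Correlating a scammer's visits across several companies' Web server logs.

Added example, not code from the book or from SensePost. It assumes
Combined Log Format lines and that each company has already extracted the
log lines for the page whose text was copied into the phishing page.
The sample logs below are constructed.
"""
import re
from collections import Counter

# Combined Log Format: ip ident user [timestamp] "request" status size "referer" "agent"
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

def client_ips(log_text):
    """Return the set of client IPs that made a successful (2xx) request in one log."""
    ips = set()
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if m and m.group("status").startswith("2"):
            ips.add(m.group("ip"))
    return ips

def common_visitors(logs, min_sites=None):
    """
    Given a mapping {company: log_text}, return (ip, number_of_companies) for
    every IP seen at at least `min_sites` companies (default: all of them),
    most widely shared first. Each company counts once per IP.
    """
    if min_sites is None:
        min_sites = len(logs)
    counts = Counter()
    for text in logs.values():
        for ip in client_ips(text):
            counts[ip] += 1
    return [(ip, n) for ip, n in counts.most_common() if n >= min_sites]

# Constructed sample logs: the lines each company matched for its copied page.
SAMPLE_LOGS = {
    "bank-a": """198.51.100.23 - - [10/Oct/2004:13:55:36 -0700] "GET /about/security.html HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
203.0.113.77 - - [10/Oct/2004:14:01:02 -0700] "GET /about/security.html HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
192.0.2.9 - - [10/Oct/2004:14:05:44 -0700] "GET /about/security.html HTTP/1.1" 404 312 "-" "curl/7.10"
""",
    "auction-site": """203.0.113.77 - - [11/Oct/2004:09:12:13 -0700] "GET /help/account-update.html HTTP/1.1" 200 8801 "-" "Mozilla/4.0"
198.51.100.23 - - [11/Oct/2004:09:30:00 -0700] "GET /help/account-update.html HTTP/1.1" 200 8801 "-" "Mozilla/4.0"
""",
    "payment-co": """203.0.113.77 - - [12/Oct/2004:22:40:10 -0700] "GET /legal/privacy.html HTTP/1.1" 200 4400 "-" "Mozilla/4.0"
192.0.2.9 - - [12/Oct/2004:22:41:00 -0700] "GET /legal/privacy.html HTTP/1.1" 200 4400 "-" "Mozilla/4.0"
""",
}

if __name__ == "__main__":
    for ip, n in common_visitors(SAMPLE_LOGS):
        print(f"{ip} fetched the copied pages at {n} of {len(SAMPLE_LOGS)} companies")
```

Only 2xx responses count, so a client that requested the page but never received it does not get a vote; lowering min_sites lets the investigator see near misses when one company’s logs have already rotated.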
Social Security Numbers
Attackers can use similar techniques to home in on Social Security numbers (SSNs) and other sensitive data. For a variety of reasons, SSNs might appear online—for example, educational facilities are notorious for using an SSN as a student ID, then posting grades to a public Web site with the “student ID” displayed next to the grade. A creative attacker can do quite a bit with just an SSN, but in many cases it helps to also have a name associated with that SSN. Again, educational facilities have been found exposing this information via Excel spreadsheets listing students’ names, grades, and SSNs, despite the fact that the student ID number is often used to help protect the privacy of the student! Although I’ve never revealed how to locate SSNs, several media outlets have done just that—irresponsibly posting the search details online. Although the blame lies with the sites that are leaking this information, in my opinion it’s still not right to draw attention to how exactly the information can be located.
Personal Financial Data
In some cases, phishing scams are responsible for publicizing personal information; in other cases, hackers attacking online retailers are to blame for this breach of privacy. Sadly, there are many instances where an individual is personally responsible for his own lack of privacy. Such is the case with personal financial information. With the explosion of personal computers in today’s society, users have literally hundreds of personal finance programs to choose from. Many of these programs create data files with specific file extensions that can be searched with Google. It’s hard to imagine why anyone would post personal financial information to a public Web site (which subsequently gets crawled by Google), but it must happen quite a bit, judging by the number of hits for program files generated by Quicken and Microsoft Money, for example. Although it would be somewhat irresponsible to provide queries here that would unearth personal financial data, it’s important to understand the types of data that could potentially be uncovered by an attacker. To that end, Table 9.4 shows file extensions for various financial, accounting, and tax return programs.
Table 9.4 File Extensions for Various Financial Programs
File Extension Description
afm Abassis Finance Manager
ab4 Accounting and Business File
Iqd AmeriCalc Mutual Fund Tax Report
et2 Electronic Tax Return Security File (Australia)
tax Intuit TurboTax Tax Return
t98-t04 Kiplinger Tax Cut File (extension based on two-digit return year)
mny Microsoft Money 2004 Money Data Files
mbf Microsoft Money Backup Files
inv MSN Money Investor File
ptdb Peachtree Accounting Database
qbb QuickBooks Backup Files reveal financial data
qdf Quicken personal finance data
soa Sage MAS 90 accounting software
tmd Time and Expense Tracking
tls Timeless Time & Expense
fec U.S. Federal Campaign Expense Submission
wow Wings Accounting File
Searching for Other Juicy Info
As we’ve seen, Google can be used to locate all sorts of sensitive information. In this section we take a look at some of the data that Google can find that’s harder to categorize. From address books to chat log files and network vulnerability reports, there’s no shortage of sensitive data online. Table 9.5 shows some queries that can be used to uncover various types of sensitive data.
Table 9.5 Queries That Locate Various Sensitive Information
(each query is followed by an indented description)
intext:"Session Start * * * *:*:* *" filetype:log
    AIM and IRC log files
filetype:blt blt +intext:screenname
    AIM buddy lists
intitle:index.of cgiirc.config
    CGIIRC (Web-based IRC client) config file, shows IRC servers and user credentials
inurl:cgiirc.config
    CGIIRC (Web-based IRC client) config file, shows IRC servers and user credentials
"Index of" / "chat/logs"
    Chat logs
intitle:"Index Of" cookies.txt "size"
    cookies.txt file reveals user information
"phone * * *" "address *" "e-mail" intitle:"curriculum vitae"
    Curriculum vitae (resumes) reveal names and address information
ext:ini intext:env.ini
    Generic environment data
intitle:index.of inbox
    Generic mailbox files
"Running in Child mode"
    Gnutella client data and statistics
":8080" ":3128" ":80" filetype:txt
    HTTP proxy lists
intitle:"Index of" dbconvert.exe chats
    ICQ chat logs
"Host Vulnerability Summary Report"
    ISS vulnerability scanner reports, reveal potential vulnerabilities on hosts and networks
"Network Vulnerability Assessment
    ISS vulnerability scanner reports, reveal potential vulnerabilities on hosts and networks
filetype:pot inurl:john.pot
    John the Ripper password cracker results
intitle:"Index Of" -inurl:maillog
    Maillog files reveal e-mail traffic
ext:mdb inurl:*.mdb inurl:fpdb shop.mdb
    Microsoft FrontPage database folders
filetype:xls inurl:contact
    Microsoft Excel sheets containing contact information
intitle:index.of haccess.ctl
    Microsoft FrontPage equivalent (?) of htaccess, shows Web authentication info
ext:log "Software: Microsoft Internet Information Services *.*"
    Microsoft Internet Information Services (IIS) log files
filetype:pst inurl:"outlook.pst"
    Microsoft Outlook e-mail and calendar backup files
intitle:index.of mt-db-pass.cgi
    Movable Type default file
filetype:ctt ctt messenger
    MSN Messenger contact lists
"This file was generated by Nessus"
    Nessus vulnerability scanner reports, reveal potential vulnerabilities on hosts and networks
inurl:"newsletter/admin/"
    Newsletter administration information
inurl:"newsletter/admin/" intitle:"newsletter admin"
    Newsletter administration information
filetype:eml eml intext:"Subject" +From
    Outlook Express e-mail files
intitle:index.of inbox dbx
    Outlook Express mailbox files
filetype:mbx mbx intext:Subject
    Outlook v1–v4 or Eudora mailbox files
inurl:/public/?Cmd=contents
    Outlook Web Access public folders or appointments
filetype:pdb pdb backup (Pilot | Pluckerdb)
    Palm Pilot Hotsync database files
"This is a Shareaza Node"
    Shareaza client data and statistics
inurl:/_layouts/settings
    SharePoint configuration information
inurl:ssl.conf filetype:conf
    SSL configuration files, reveal various configuration information
intitle:index.of mystuff.xml
    Trillian user Web links
inurl:forward filetype:forward -cvs
    UNIX mail forward files reveal e-mail addresses
intitle:index.of dead.letter
    UNIX unfinished e-mails
filetype:conf inurl:unrealircd.conf
    UnrealIRCd config file reveals
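An added example, not from the book, that serves both Table 9.4 and Table 9.5 from the site owner’s side: instead of searching Google for these files, it walks a local Web document root and flags any file whose final extension is one of the Table 9.4 finance formats, or whose name or extension appears in a Table 9.5 query, so the owner finds them before a crawler does. The extension and file-name lists are taken from the two tables as printed here; the directory tree it scans is constructed in a temporary directory.

```python
"""
Auditing a Web document root for the data files of Tables 9.4 and 9.5.

Added example, not code from the book. Walks a directory tree and reports
every file whose name or final extension matches the personal-finance
extensions of Table 9.4 or the mailbox, chat-log, password-cracker and
config-file names of Table 9.5. The sample tree is constructed.
"""
import os
import re
import tempfile

# Table 9.4 extensions, as printed there (lower-cased for comparison).
FINANCE_EXTENSIONS = {
    "afm", "ab4", "iqd", "et2", "tax", "mny", "mbf", "inv", "ptdb",
    "qbb", "qdf", "soa", "tmd", "tls", "fec", "wow",
}
TAXCUT_RE = re.compile(r"^t(9[89]|0[0-4])$")   # Kiplinger Tax Cut: t98 ... t04

# Extensions and exact file names drawn from the queries in Table 9.5.
SENSITIVE_EXTENSIONS = {"pst", "dbx", "mbx", "eml", "pdb", "ctt", "mdb", "pot", "blt", "log"}
SENSITIVE_NAMES = {
    "cookies.txt", "john.pot", "dead.letter", ".forward", "unrealircd.conf",
    "ssl.conf", "mt-db-pass.cgi", "haccess.ctl", "env.ini", "cgiirc.config",
    "shop.mdb", "mystuff.xml", "inbox",
}

def classify(name):
    """Return a reason string if `name` looks like a sensitive data file, else None."""
    lower = name.lower()
    if lower in SENSITIVE_NAMES:
        return "Table 9.5 file name"
    ext = os.path.splitext(lower)[1].lstrip(".")     # final extension only
    if ext in FINANCE_EXTENSIONS or TAXCUT_RE.match(ext):
        return "Table 9.4 finance data"
    if ext in SENSITIVE_EXTENSIONS:
        return f"Table 9.5 .{ext} file"
    return None

def audit(root):
    """Return sorted (relative_path, reason) pairs for every flagged file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            reason = classify(fn)
            if reason:
                rel = os.path.relpath(os.path.join(dirpath, fn), root)
                findings.append((rel, reason))
    return sorted(findings)

def build_sample_root():
    """Constructed sample document root for the demonstration."""
    root = tempfile.mkdtemp(prefix="wwwroot-")
    for rel in [
        "index.html", "about.php", "docs/report.pdf",
        "backups/household.QDF",      # Quicken data, upper-case extension
        "uploads/return2003.t03",     # Kiplinger Tax Cut, 2003 return year
        "mail/outlook.pst",
        "tools/john.pot",
        "uploads/ledger.qdf.txt",     # final extension is .txt, so not flagged
    ]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
    return root

if __name__ == "__main__":
    for rel, reason in audit(build_sample_root()):
        print(f"{rel}: {reason}")
```

Matching is on the final extension only, so ledger.qdf.txt is not flagged even though it may well be a renamed Quicken file; a stricter audit would also look at file contents, which is the document-grinding approach the next chapter covers.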
Some of this information is fairly benign—for example, MSN Messenger contact list files that can be found with a query like filetype:ctt messenger, or AOL Instant Messenger (AIM) buddy lists that can be located with a query such as filetype:blt blt +intext:screenname, as shown in Figure 9.11.
Figure 9.11 AIM Buddy Lists Reveal Personal Relationships
This screen shows a list of “buddies,” or acquaintances an individual has entered into his or her AIM client. An attacker often uses personal information like this in a social-engineering attack, attempting to convince the target that they are a friend or an acquaintance. This practice is akin to pilfering a Rolodex or address book from a target. For a seasoned attacker, information like this can lead to a successful compromise. However, in some cases, data found with a Google query reveals sensitive security-related information that even the most novice attacker could use to compromise a system.
For example, consider the output of the Nessus security scanner available from www.nessus.org. This excellent open-source tool conducts a series of security tests against a target, reporting on any potential vulnerability. The report generated by Nessus can then be used as a guide to help system administrators lock down any affected systems. An attacker could also use a report like this to uncover a target’s potential vulnerabilities. Using a Google query such as “This file was generated by Nessus”, an attacker could locate reports generated by the Nessus tool, as shown in Figure 9.12. This report lists the IP address of each tested machine as well as the ports opened and any vulnerabilities that were detected.
Figure 9.12 Nessus Vulnerability Reports Found Online
In most cases, reports found in this manner are samples, or test reports, but in a few cases, the reports are live and the tested systems are, in fact, exploitable as listed. One can only hope that the reported systems are honeypots—machines created for the sole purpose of luring and tracing the activities of hackers. In the next chapter, we’ll talk more about “document-grinding” techniques, which are also useful for digging up this type of information. This chapter focused on locating the information based on the name of the file, whereas the next chapter focuses on the actual content of a document rather than the name.
Make no mistake—there’s sensitive data on the Web, and Google can find it. There’s hardly any limit to the scope of information that can be located, if only you can figure out the right query. From usernames to passwords, credit card and Social Security numbers, and personal financial information, it’s all out there. As a purveyor of the “dark arts,” you can relish in the stupidity of others, but as a professional tasked with securing a customer’s site from this dangerous form of information leakage, you could be overwhelmed by the sheer scale of your defensive duties.

As droll as it might sound, a solid, enforced security policy is a great way to keep sensitive data from leaking to the Web. If users understand the risks associated with information leakage and understand the penalties that come with violating policy, they will be more willing to cooperate in what should be a security partnership.

In the meantime, it certainly doesn’t hurt to understand the tactics an adversary might employ in attacking a Web server. One thing that should become clear as you read this book is that any attacker has an overwhelming number of files to go after. One way to prevent dangerous Web information leakage is by denying requests for unknown file types. Whether your Web server normally serves up CFM, ASP, PHP, or HTML, it’s infinitely easier to manage what should be served by the Web server instead of focusing on what should not be served. Adjust your servers or your border protection devices to allow only specific content or file types.
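The allow-only-known-types policy just described, as an added example that is not the book’s code: a decision function that takes a request target, ignores the query string, resolves percent-encoding and dot segments, maps bare directory requests to an index page instead of a directory listing, and serves the file only if its final extension is on the site’s own allowlist. The allowlist, the helper names and the sample requests are this example’s assumptions.

```python
"""
A serve-only-what-you-know policy for a Web server front end.

Added example, not from the book. Rather than enumerating the file types
that must never be served, it allows the short list of extensions the site
actually uses and denies everything else, which covers .pst, .qdf, .log,
.txt, .bak and the rest without naming them. Sample requests are constructed.
"""
from urllib.parse import urlsplit, unquote

# What this (hypothetical) site legitimately serves; adjust to your own server.
ALLOWED_EXTENSIONS = {"html", "htm", "php", "asp", "cfm", "css", "js", "png", "jpg", "gif"}
DIRECTORY_INDEX = "index.html"   # bare directory requests resolve here, never to a listing

def normalize(path):
    """Resolve . and .. segments; return None if the path tries to climb above the root."""
    stack = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:
                return None
            stack.pop()
        else:
            stack.append(seg)
    return "/" + "/".join(stack)

def decide(request_target):
    """Return ("allow", path_to_serve) or ("deny", reason) for one request target."""
    raw = unquote(urlsplit(request_target).path)   # drop the query string, decode %2E etc.
    path = normalize(raw)
    if path is None:
        return ("deny", "path traversal")
    if raw.endswith("/") or path == "/":
        path = path.rstrip("/") + "/" + DIRECTORY_INDEX
    name = path.rsplit("/", 1)[1]
    if "." not in name:
        return ("deny", "no extension")
    ext = name.rsplit(".", 1)[1].lower()           # final extension only: about.html.bak -> bak
    if ext not in ALLOWED_EXTENSIONS:
        return ("deny", f"extension .{ext} not allowed")
    return ("allow", path)

SAMPLE_REQUESTS = [   # constructed
    "/index.html",
    "/shop/",
    "/scripts/CART.PHP?item=3",
    "/backup/cookies.txt",
    "/mail/outlook.pst",
    "/pages/about.html.bak",
    "/static/../../etc/passwd",
    "/uploads/report%2Epdf",
    "/README",
]

if __name__ == "__main__":
    for target in SAMPLE_REQUESTS:
        verdict, detail = decide(target)
        print(f"{verdict:5}  {target:28} {detail}")
```

The allowlist is checked after normalization so that case tricks, encoded dots and double extensions are judged on the name the server would actually open; anything that needs a new file type gets an explicit entry in ALLOWED_EXTENSIONS rather than a hole in a blocklist.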
Solutions Fast Track

Searching for Usernames
Usernames can be found in a variety of locations.
In some cases, digging through documents or e-mail directories might be required.
A simple query such as “your username is” can be very effective in locating usernames.

Searching for Passwords
Passwords can also be found in a variety of locations.
A query such as “Your password” forgot can locate pages that provide a forgotten-password recovery mechanism.
intext:(password | passcode | pass) intext:(username | userid | user) is another generic search for locating password information.

Searching for Credit Card Numbers, Social Security Numbers, and More
Documents containing credit card and Social Security number information do exist and are relatively prolific.
Some irresponsible news outlets have revealed functional queries that locate this information.
There are relatively few examples of personal financial data online, but there is a great deal of variety.
In most cases, specific file extensions can be searched for.

Searching for Other Juicy Info
From address books and chat log files to network vulnerability reports, there’s no shortage of sensitive data online.
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.

Q: I’m concerned about phishing schemes. Are there resources to help me understand the risks and learn some safeguards?
A: There’s an excellent Web site dedicated to the topic of phishing at www.antiphishing.org. You can also read a great white paper by Next Generation Security Software Ltd., The Phishing Guide: Understanding and Preventing Phishing Attacks, available from www.ngssoftware.com/papers/NISR-WP-Phishing.pdf.

Q: Why don’t you give more details about locating information such as credit card numbers and Social Security numbers?
A: To be honest, neither the authors nor the publisher is willing to take personal responsibility for encouraging potential illegal activity. Most individuals interested in this kind of information will use it for illegal purposes. If you are interested in scanning for your own personal information online, simply enter your information into Google. If you get some hits, you should be worried. Of course entering all of your personal information