Figure 10.12 reveals several scheduled telephone conferences. Notice that the conference phone number and access code are also listed. An attacker could easily join the telephone conference at the scheduled time and silently eavesdrop on it. Mission accomplished. There is a lot attackers can learn from such a conversation: corporate secrets, technical details about the systems in operation, and so on.
Of course we can try variations of the above queries and even spice them up with more keywords so we can get a better picture. For example, the query “username password” returns results about people who may have stored sensitive login information within their calendar, as shown in Figure 10.13.
Figure 10.13 Calendar Search for “username password”
This is just the beginning, though. How about looking for birthdays, pets' names, and so on? As you probably know, a lot of password reminder facilities have a secret question. The secret answer is usually something that we choose from our daily life, so there is no chance that we can forget it. However, the Calendar application may also contain our daily activities. When we mash both together, we might be able to break into the targeted user account simply by reading their calendar.
There are many different ways the Calendar service can be abused. The main and most important security consideration that we, as users, need to make is whether the information that is enclosed within Google's shiny event cells is sensitive and can be used to harm us.
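As an added example, not part of the original chapter, here is the check a user can run over their own calendar before deciding whether to share it: a small iCalendar parser that unfolds an export and flags events whose text carries the kinds of data searched for above (dial-in access codes, stored credentials, secret-question material such as birthdays and pets). The .ics text, the phone number, the code, the credential and the pattern list are all constructed for the example.

```python
import re

# Constructed sample iCalendar export, standing in for a calendar's
# "export" file; the phone number, access code and credential are made up.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
BEGIN:VEVENT
SUMMARY:Quarterly results call
DESCRIPTION:Dial-in 555-0100\\, access code 123456#
DTSTART;TZID=Europe/London:20070312T150000
END:VEVENT
BEGIN:VEVENT
SUMMARY:Dentist
DESCRIPTION:Bring insurance card
END:VEVENT
BEGIN:VEVENT
SUMMARY:VPN
DESCRIPTION:username jdoe pass
 word Winter2007
END:VEVENT
BEGIN:VEVENT
SUMMARY:Rex's birthday (first dog)
END:VEVENT
END:VCALENDAR
"""

# What an attacker would search a public calendar for, written as the
# checks a user can run over their own export (an illustrative list, not
# an exhaustive one).
PATTERNS = {
    'dial-in access code': re.compile(
        r'\b(access|passcode|pin)\b\s*(code)?\s*[:#]?\s*\d{4,}', re.I),
    'credential': re.compile(
        r'\b(username|login|password|passwd|pwd)\b', re.I),
    'secret-question hint': re.compile(
        r"\b(birthday|born|maiden|first (dog|cat|car|school)|pet)\b", re.I),
}


def unfold(ics_text):
    """Join RFC 5545 folded lines: a line starting with a space or tab
    continues the previous one (the break and one whitespace char go)."""
    lines = []
    for raw in ics_text.splitlines():
        if raw[:1] in (' ', '\t') and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def unescape(value):
    """Undo the iCalendar text escapes for comma, semicolon and newline."""
    return value.replace('\\,', ',').replace('\\;', ';').replace('\\n', '\n')


def parse_events(ics_text):
    """Return one dict per VEVENT, keyed by property name (parameters such
    as ;TZID=... are dropped from the name)."""
    events, current = [], None
    for line in unfold(ics_text):
        if line == 'BEGIN:VEVENT':
            current = {}
        elif line == 'END:VEVENT':
            events.append(current)
            current = None
        elif current is not None and ':' in line:
            name, value = line.split(':', 1)
            current[name.split(';')[0].upper()] = unescape(value)
    return events


def flag_sensitive(ics_text):
    """Return (summary, [labels]) for every event whose summary,
    description or location matches one of the PATTERNS."""
    findings = []
    for ev in parse_events(ics_text):
        text = ' '.join(ev.get(k, '') for k in ('SUMMARY', 'DESCRIPTION', 'LOCATION'))
        hits = sorted(label for label, rx in PATTERNS.items() if rx.search(text))
        if hits:
            findings.append((ev.get('SUMMARY', ''), hits))
    return findings


if __name__ == '__main__':
    for summary, labels in flag_sensitive(SAMPLE_ICS):
        print('%s: %s' % (summary, ', '.join(labels)))
```

Run it against a real export by reading the .ics file into `flag_sensitive`; anything it flags is exactly what the queries in this section would surface once the calendar is public.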
Blogger and Google's Blog Search
Blogger is Google's blogging software, hosted at blogger.com and blogspot.com. Blogger is one of the most widely used blogging platforms. It allows almost instant creation of multiple blogs and has some great features for collaborating with others and for preventing comment and trackback spam.
When speaking about blogs, there are several points that we need to take into consideration. The first and most important one is that blogs are public and are meant to be read by the Internet community. That said, it is important that you do not publish information about yourself which may later have serious consequences for your life. What is born on the Web stays on the Web. Blog feeds are aggregated by numerous online services, and it is almost impossible to remove what you once have said. The information on your blog will most probably be used by your future employer as part of the standard background checks when you apply for a job (see Figure 10.14). We have already shown that a few simple queries can reveal a lot of interesting information, and Google simplifies to a great extent the process of looking for interesting information in blogs. Meet Google's Blog Search (see Figure 10.14).
Figure 10.14 Google Blog Search
Despite the fact that Google's Blogger service effectively blocks comment and trackback spam, there's one loophole: what happens when the spam originates from the blog posts themselves?
Enter the splog. Splogs, or spam blogs, are normal blogs that reflect content consumed or aggregated from external entities but also carry additional information that serves their owner's purpose.
There are a number of reasons why splogs are interesting to malicious minds. The first reason is that attackers do not have to write the blog, a task that is very time consuming, and yet can make people subscribe to or read their content. As a splog's search engine ranking increases, it attracts more visitors. If an attacker stands up an exploit on the splog's page targeted at popular web browsers, he may be able to take over hundreds of machines in mere moments.
In addition, splogs may contain ads which generate income for the owner. The more popular the splog is, the more money it will make. If a single splog can make $20 a day, multiple splogs can make much more. Splogging is a 24/7 business that earns big money.
No matter whether malicious minds use splogging techniques to attract victims or to make money, it is interesting to see what's behind the scenes. In the following section we are going to take a detailed look at how splogging works. We will examine a splog generation script which makes use of Google's Blogger service.
Google Splogger
Google has excellent application programming interfaces (APIs). One of the most famous Google services is known as GData, from Google Data. GData allows developers to perform programmatic operations on Google's services. For example, GData can be used to programmatically update Google Calendar instances. GData can also be used to create, delete and manage Blogger entries, and to manage our submissions to Google Base. The stage then seems to be set for Google's blogging service to be used as a base for splogging. In this section we'll show how this could be accomplished, but please note that we're not in the business of educating criminals. If you intend to use this information for malicious purposes, be advised that Google has every right to block your access to their service. They may even have the right to pursue legal action if you persist in performing malicious actions using their services.
In the following example we are going to make use of GData's Blogger interface. The following script allows us to programmatically log in to Blogger and submit a new post. Effectively, we can use a similar approach to automatically harvest RSS feeds and then upload them to a particular Blogger account, which could then be used for splogging purposes.
# GoogleSplogger
# Copyright (C) 2007 Petko D Petkov (GNUCITIZEN)
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA

version = '1.0'
author = 'Petko D Petkov; pdp (architect)'
doc = """
GoogleSplogger (GNUCITIZEN) http://www.gnucitizen.org
by Petko D Petkov; pdp (architect)
"""

# gdata-python-client (ClientLogin era) only runs under Python 2.
import atom
import gdata
import gdata.service


class GoogleSplogger:
    """
    GoogleSplogger
    The power of Blogger in a single object
    """

    def __init__(self, email, password):
        # ClientLogin against the Blogger service; the source string
        # identifies this program to Google.
        self.client = gdata.service.GDataService(email, password)
        self.client.source = 'Splogger ' + version
        self.client.service = 'blogger'
        self.client.server = 'www.blogger.com'
        self.client.ProgrammaticLogin()
        self.available_blogs = self.get_blogs()

    def get_blogs(self):
        """
        get_blogs() -> dict
        Get a dictionary of available blogs, mapping blog title to blog id.
        """
        blogs = {}
        feed = self.client.Get('/feeds/default/blogs')
        for i in feed.entry:
            title = i.title.text
            for a in i.link:
                if a.rel == 'self':
                    # the blog id is the last path segment of the self link
                    blogs[title] = a.href.split('/')[-1]
        return blogs

    def post(self, blog_name, title, content, author_name):
        """
        post(blog_name, title, content, author_name) -> GDataEntry
        Post a new entry to the named blog and return the created entry.
        """
        if blog_name not in self.available_blogs:
            raise ValueError('blog name not found')
        entry = gdata.GDataEntry()
        entry.author.append(atom.Author(atom.Name(text=author_name)))
        entry.title = atom.Title('xhtml', title)
        entry.content = atom.Content('html', '', content)
        return self.client.Post(entry, '/feeds/'
                                + self.available_blogs[blog_name]
                                + '/posts/default')


if __name__ == '__main__':
    import sys
    import argparse
    import getpass

    # -p and -c take an optional value: "-p" alone prompts for the
    # password, "-c" alone reads the post body from standard input.
    parser = argparse.ArgumentParser(
        description='List the Blogger blogs of an account, or post to one.')
    parser.add_argument('-u', dest='username', required=True,
                        help='username for the login')
    parser.add_argument('-p', dest='password', nargs='?', const='',
                        help='password for the login (prompted if omitted)')
    parser.add_argument('-l', dest='action', action='store_const',
                        const='list', help='list available blogs')
    parser.add_argument('-P', dest='post_blog', help='blog to post to')
    parser.add_argument('-t', dest='post_title', help='title for the new post')
    parser.add_argument('-c', dest='post_content', nargs='?', const='',
                        help='content for the new post (stdin if empty)')
    parser.add_argument('-a', dest='post_author', help='author for the new post')
    args = parser.parse_args()

    if args.action != 'list':
        if not (args.post_blog and args.post_title and args.post_author):
            parser.error('-P, -t and -a are required when posting')
        args.action = 'post'

    password = args.password
    if not password:
        password = getpass.getpass('password: ')

    try:
        gs = GoogleSplogger(args.username, password)
    except Exception as e:
        print(e)
        sys.exit(1)

    if args.action == 'list':
        for i in gs.available_blogs:
            print(i)
    else:
        if args.post_blog not in gs.available_blogs:
            print('blog not found within the user profile')
            sys.exit(1)
        content = args.post_content
        if not content:
            content = sys.stdin.read()
        gs.post(args.post_blog, args.post_title, content, args.post_author)
NOTE
GoogleSplogger.py requires the presence of Google's GData API library for Python. The library can be obtained from the following URL: http://code.google.com/p/gdata-python-client/. Once the library is downloaded, extract the content of the archive and enter that folder via the command line. Make sure that you have the permissions required to install a Python module and type: python setup.py install
The setup.py script should install the rest of the API without any problems.
There are several ways you can run the script that we've listed here. For example, in order to list the names of the blogs that are currently registered under our profile, type the following command:
python GoogleSplogger.py -l -u username -p password
Keep in mind that if you do not provide a value for the -p (password) flag, you will be asked to enter it at run time. This method is preferred, since you may not want to leave traces of your password in the shell history and system log files. Sample output from the command is shown in Figure 10.15.
Figure 10.15 Enumerating Current Blogs
Once we have the blog names, we can post to them. For example:
python GoogleSplogger.py -u username -p -P blog_name_here -t title_for_the_post -a author -c
After executing the command you will be asked to enter your password, followed by the post content. When you are done entering the post, simply terminate the input by pressing CTRL+Z within Windows or CTRL+D from within Unix. See Figure 10.16.
Figure 10.16 Command line Posting to Blogger
Figure 10.17 Result
This is simple enough, but the process can be streamlined further. Here's another way to post a new blog entry, this time with the password inline:
python GoogleSplogger.py -u username -p password -P blog_name_here -t title_for_the_post -a author -c << EOF
Once you are done writing the post, type EOF on a new line. A post can also be submitted from a file:
python GoogleSplogger.py -u username -p password -P blog_name_here -t title_for_the_post -a author -c < file.txt
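The harvest-and-repost pipeline described at the start of this section, as an added example that is not the GNUCITIZEN script: it pulls the items out of an RSS 2.0 feed with the standard library (not FeedParser), builds the Atom entry shape that a Blogger post request carries (what GoogleSplogger.post assembles with the gdata/atom objects), and, for the defender, shows how a reformatted copy can be matched back to its source by fingerprinting the body text. Both feeds, their domains and their posts are constructed, and the example never talks to Blogger.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

ATOM_NS = 'http://www.w3.org/2005/Atom'

# Constructed RSS 2.0 feed standing in for the blog being harvested; the
# domain and the posts are made up.
SOURCE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel>
  <title>Victim Blog</title>
  <item>
    <title>Patch Tuesday notes</title>
    <link>http://victim.example/2007/03/patch-tuesday</link>
    <description>&lt;p&gt;Three fixes this month.&lt;/p&gt;</description>
  </item>
  <item>
    <title>Conference recap</title>
    <link>http://victim.example/2007/03/recap</link>
    <description>Slides are up.</description>
  </item>
</channel></rss>
"""

# Constructed feed of a suspected splog: the first post is the first item
# above, re-titled and re-wrapped; the second is its own.
SPLOG_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel>
  <title>Best Security News</title>
  <item>
    <title>PATCH TUESDAY NOTES!!!</title>
    <link>http://splog.example/1</link>
    <description>&lt;div&gt;Three   fixes
this month.&lt;/div&gt;</description>
  </item>
  <item>
    <title>Buy cheap hosting</title>
    <link>http://splog.example/2</link>
    <description>Nothing copied here.</description>
  </item>
</channel></rss>
"""


def harvest_rss(rss_text):
    """Return (title, link, html) for every <item> of an RSS 2.0 feed."""
    root = ET.fromstring(rss_text)
    return [(item.findtext('title', ''), item.findtext('link', ''),
             item.findtext('description', ''))
            for item in root.iter('item')]


def build_atom_entry(title, html, author_name, source_link=None):
    """Serialise an Atom entry of the shape a Blogger post request carries,
    i.e. what GoogleSplogger.post assembles with gdata/atom objects."""
    ET.register_namespace('', ATOM_NS)
    entry = ET.Element('{%s}entry' % ATOM_NS)
    ET.SubElement(entry, '{%s}title' % ATOM_NS, type='text').text = title
    author = ET.SubElement(entry, '{%s}author' % ATOM_NS)
    ET.SubElement(author, '{%s}name' % ATOM_NS).text = author_name
    ET.SubElement(entry, '{%s}content' % ATOM_NS, type='html').text = html
    if source_link:
        # a pointer back to the origin; a splog is exactly the case that drops it
        ET.SubElement(entry, '{%s}link' % ATOM_NS, rel='related', href=source_link)
    return ET.tostring(entry, encoding='unicode')


def fingerprint(html):
    """Hash of the body with tags stripped, whitespace collapsed and case
    folded, so a reformatted copy hashes the same as its source."""
    text = re.sub(r'<[^>]+>', ' ', html)
    text = ' '.join(text.lower().split())
    return hashlib.sha256(text.encode('utf-8')).hexdigest()


def reposted_items(source_items, suspect_items):
    """(suspect title, source title) for every suspect item that is a copy
    of a source item."""
    by_fp = {fingerprint(html): title for title, _, html in source_items}
    hits = []
    for title, _, html in suspect_items:
        fp = fingerprint(html)
        if fp in by_fp:
            hits.append((title, by_fp[fp]))
    return hits


if __name__ == '__main__':
    victim = harvest_rss(SOURCE_RSS)
    for title, link, html in victim:
        print(build_atom_entry(title, html, 'splogger', link))
    print(reposted_items(victim, harvest_rss(SPLOG_RSS)))
```

The fingerprint deliberately ignores markup, case and whitespace, because those are the cheap changes a splog makes; it will not catch a copy that has been rewritten, which is where a real duplicate-content check would move on to shingling or similarity scores rather than exact hashes.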
Programmatically inserting new posts into Blogger is not that useful on its own. But the following example shows how easy it is to grab someone else's blog data and inject it into our blog. For that purpose, we are going to need another Python utility which is based on a library called FeedParser, from http://cheeseshop.python.org/pypi/FeedParser/4.1. The installation procedure for this package is the one used for all Python packages.
Start Python from the command line and make sure that the GoogleSplogger.py script is within your current working directory. Type the following commands:
import feedparser