Geek Stuff
This section is about computer stuff. It's about technical stuff, the stuff of geeks. We will take
a look at some of the more interesting technical finds uncovered by Google hackers. We'll
begin by looking at various utilities that really have no business being online, unless of
course your goal is to aid hackers. Then we'll look at open network devices and open
applications, neither of which requires any real hacking to gain access to.
Utilities
Any self-respecting hacker has a war chest of tools at his disposal, but the thing that's
interesting about the tools in this section is that they are online—they run on a web server and
allow an attacker to effectively bounce his reconnaissance efforts off of that hosting web
server. To make matters worse, these application-hosting servers were each located with
clever Google queries. We'll begin with the handy PHP script shown in Figure 11.1, which
allows a web visitor to ping any target on the Internet. A ping isn't necessarily a bad thing,
but why offer the service to anonymous visitors?
Figure 11.1 Php-ping.cgi Provides Free Ping Bounces
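The scripts in this section hand a "target" parameter from any web visitor to a ping on the server's behalf, so the server becomes a reconnaissance bounce, and scripts of this kind usually splice that parameter straight into a shell command line as well. The following handler is an added example, not the book's php-ping.cgi or any other script from the page, showing the checks a careful implementation of such a feature would make: authentication, strict target validation, refusal to probe the host's own network, and argv-style process execution. Function names, parameter names and the example address are assumptions made for this illustration.

```python
"""Hardened web-ping handler (added example; not the page's php-ping.cgi)."""
from __future__ import annotations

import ipaddress
import re
import socket
import subprocess

# One RFC 1123 hostname label: letters, digits, hyphens, no leading/trailing hyphen.
# Shell metacharacters, spaces and option-like "-h" never match.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))


def classify_target(target: str) -> str:
    """Return 'ip' for an address literal, 'host' for a valid hostname, else 'reject'."""
    try:
        ipaddress.ip_address(target)
        return "ip"
    except ValueError:
        pass
    return "host" if is_valid_hostname(target) else "reject"


def resolve_target(target: str, resolver=socket.getaddrinfo) -> list:
    """Resolve once, here, so the address we check is the address we ping."""
    if classify_target(target) == "ip":
        return [ipaddress.ip_address(target)]
    try:
        infos = resolver(target, None)
    except OSError:
        return []
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def build_ping_command(address: str) -> list:
    """argv list, never a shell string: the target cannot smuggle in a second command."""
    return ["ping", "-c", "1", address]


def run_ping(argv: list) -> str:
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return proc.stdout


def handle_ping_request(params: dict, authenticated: bool,
                        resolver=socket.getaddrinfo, runner=run_ping) -> tuple:
    """Gatekeeper for a web ping endpoint. Returns (http_status, body).
    Each check is one the scripts in this section do not make."""
    if not authenticated:                      # no service for anonymous visitors
        return 401, "authentication required"
    target = params.get("target", "")
    if classify_target(target) == "reject":    # only hostnames or IP literals reach ping
        return 400, "invalid target"
    addrs = resolve_target(target, resolver)
    if not addrs:
        return 400, "unresolvable target"
    # Refuse loopback, RFC 1918, link-local, multicast and reserved space so the
    # server cannot be used to probe the network it sits on.
    if any(not a.is_global for a in addrs):
        return 403, "target not allowed"
    try:
        # Ping the resolved address, not the name, so a second lookup cannot
        # rebind the name to an internal host after our check.
        return 200, runner(build_ping_command(str(addrs[0])))
    except (OSError, subprocess.TimeoutExpired):
        return 502, "ping failed"


if __name__ == "__main__":
    print(handle_ping_request({"target": "93.184.216.34"}, authenticated=False))
    print(handle_ping_request({"target": "example.com;id"}, authenticated=True))
    print(handle_ping_request({"target": "10.0.0.5"}, authenticated=True))
```

The resolver and runner are injectable only so the gate can be exercised without network access; in a deployment the defaults (socket.getaddrinfo and a subprocess ping) are what run.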
Unlike the ping tool, the finger tool has been out of commission for quite a long time.
This annoying service allowed attackers to query users on a UNIX machine, allowing
enumeration of all sorts of information such as user connect times, home directory, full name
and more. Enter the finger CGI script, an awkward attempt to "webify" this irritating service.
As shown in Figure 11.2, a well-placed Google query locates installations of this script,
providing web visitors with a finger client that allows them to query the service on remote
machines.
Figure 11.2 Finger CGI Script Allows Remote Fingering
Pings and finger lookups are relatively benign; most system administrators won't even
notice them traversing their networks. Port scans, on the other hand, are hardly ever
considered benign, and a paranoid administrator (or piece of defense software) will take note of the source of a port scan. Although most modern port scanners provide options which allow for covert operation, a little Google hacking can go a long way. Figure 11.3 reveals a Google search submitted by Jimmy Neutron which locates sites that will allow a web visitor to portscan a target.
Remember, scans performed in this way will originate from the web server, not from the attacker. Even the most paranoid administrator of the target will struggle to trace a scan launched in this way, although the hosting server's own access log still records the visitor who requested it. Of course, most attackers won't stop at a portscan. They will most likely opt to continue probing the target with any number of network utilities which could reveal their true location. However, if an attacker locates a web page like the one shown in Figure 11.4 (submitted by Jimmy Neutron), he can channel various network probes through
the WebUtil Perl script hosted on that remote server. Once again, the probes will appear to
come from the web server, not from the attacker.
Figure 11.3 PHPPort Scanner - A Nifty Web-Based Portscanner
Figure 11.4 WebUtil Lets An Attacker Do Just About Anything
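Bounced scans hide the attacker from the target, but the web server that hosts the ping, finger, portscan or WebUtil script still logs the visitor's address together with the request that named the target. The following detector is an added example, not code from the book or from any of the tools shown in the figures: it reads combined-format access log lines, flags requests to web-hosted reconnaissance utilities, and pulls out who asked and what they probed. The script-path fragments and parameter names are assumptions modelled on the tools named in this section, and the log lines are constructed for the example.

```python
"""Spotting bounced reconnaissance in the hosting server's access log (added example)."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache/nginx combined log format: client, ident, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Path fragments that identify web-hosted recon utilities (assumed names,
# modelled on the tools shown in the figures of this section).
RECON_TOOLS = {
    "php-ping": "ping",
    "finger": "finger",
    "portscan": "portscan",
    "webutil": "webutil",
}

# Query parameters such scripts commonly use to name their target (assumption).
TARGET_PARAMS = ("host", "target", "query", "ip", "addr")


def identify_tool(request_path: str):
    """Map a request path to a recon tool name, or None for ordinary traffic."""
    base = urlsplit(request_path).path.lower()
    for fragment, tool in RECON_TOOLS.items():
        if fragment in base:
            return tool
    return None


def extract_target(request_path: str):
    """Pull the probed host out of the query string; None if it was not in the URL."""
    qs = parse_qs(urlsplit(request_path).query)
    for name in TARGET_PARAMS:
        if name in qs and qs[name]:
            # finger-style user@host: the host part is the machine being probed
            return qs[name][0].rsplit("@", 1)[-1]
    return None


def find_recon_bounces(lines):
    """Return one finding per request that used a hosted recon utility."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # not a combined-format line; skip
        tool = identify_tool(m["path"])
        if tool is None:
            continue
        findings.append({
            "source": m["ip"],             # the real visitor, not the web server
            "time": m["ts"],
            "tool": tool,
            "target": extract_target(m["path"]),
            "status": int(m["status"]),
        })
    return findings


def sources_by_count(findings):
    """Visitors ranked by how many bounced probes they requested."""
    return Counter(f["source"] for f in findings)


# Constructed sample log: one visitor bouncing several probes, one innocent request.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi-bin/php-ping.cgi?host=198.51.100.20 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /cgi-bin/finger.cgi?query=root@198.51.100.20 HTTP/1.1" 200 340 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:14:01:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2023:14:02:11 +0000] "GET /tools/portscan.php?target=198.51.100.20&ports=1-1024 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:14:03:00 +0000] "POST /cgi-bin/webutil.pl HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = find_recon_bounces(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(sources_by_count(hits))
```

For the WebUtil request the target travels in the POST body, which the access log does not keep; catching that case needs the application's own logging or a request-body capture in front of the script.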
The web page listed in Figure 11.5 (submitted by Golfo) lists the name, address and device information for a school's "student enrollment" systems. Clicking through the interface reveals more information about the architecture of the network, and the devices connected to it. Consolidated into one easy-to-read interface and located with a Google search, this page makes short work of an attacker's reconnaissance run.
Figure 11.5 WhatsUp Status Screen Provides Guests with a Wealth of Information
Open Network Devices
Why hack into a network server or device when you can just point and click your way into
an open network device? Management devices, like the one submitted by Jimmy Neutron in
Figure 11.6, often list all sorts of information about a variety of devices.
Figure 11.6 Open APC Management Device
When m00d submitted the query shown in Figure 11.7, I honestly didn't think much of it. The SpeedStream router is a decidedly lightweight device installed by home users, but I
was startled to find them sitting wide open on the Internet. I personally like the button in
the point-to-point summary listing. Who do you want to disconnect today?
Figure 11.7 Open SpeedStream DSL Router Allows Remote Disconnects
Belkin is a household name in home network gear. With their easy-to-use web-based administrative interfaces, it makes sense that eventually pages like the one in Figure 11.8 would get crawled by Google. Even without login credentials, this page reveals a ton of information that could be interesting to a potential attacker. I got a real laugh out of the
Features section of the page. The firewall is enabled, but the wireless interface is wide open
and unencrypted. As a hacker with a social conscience, my first instinct is to enable encryption on this access point—in an attempt to protect this poor home user from themselves.
Figure 11.8 Belkin Router Needs Hacker Help
Milkman brings us the query shown in Figure 11.9, which digs up the configuration interface for Smoothwall personal firewalls. There's something just wrong about Google hacking someone's firewall.
Figure 11.9 Smoothwall Firewall Needs Updating
As Jimmy Neutron reveals in the next two figures, even big-name gear like Cisco shows
up in the recesses of Google's cache every now and again. Although it's not much to look at, the switch interface shown in Figure 11.10 leaves little to the imagination—all the
configuration and diagnostic tools are listed right on the main page.
Figure 11.10 Open Cisco Switch
This second Cisco screenshot should look familiar to Cisco geeks. I don't know why, but the Cisco nomenclature reminds me of a bad Hollywood flick. I can almost hear the grating voice of an over-synthesized computer beckoning, "Welcome to Level 15." (Level 15 is the highest IOS privilege level; a visitor who lands there has full administrative control of the device.)
Figure 11.11 Welcome to Cisco Level 15
The search shown in Figure 11.12 (submitted by Murfie) locates interfaces for an Axis network print server. Most printer interfaces are really boring, but this one in particular
piqued my interest. First, there's the button named configuration wizard, which I'm pretty sure launches a configuration wizard. Then there's the handy link labeled Print Jobs, which lists
the print jobs. In case you haven't already guessed, Google hacking sometimes leaves little to the imagination.
Printers aren't entirely boring things. Consider the Web Image Monitor shown in Figure 11.13. I particularly like the document on Recent Religion Work. That's quite an honorable pursuit, except when combined with the document about Aphrodisiacs. I really hope the two
documents are unrelated. Then again, nothing surprises me these days.
Figure 11.12 Axis Print Server with Obscure Buttonage
Figure 11.13 Ricoh Print Server Mixes Religion and Aphrodisiacs
CP has a way of finding Google hacks that make me laugh, and Figure 11.14 is no exception. Yes, this is the web-based interface to a municipal water fountain.
Figure 11.14 Hacking Water Fountains For Fun and Profit
After watching the water temperature fluctuate for a few intensely boring seconds, it's
only logical to click on the Control link to see if it's possible to actually control the
municipal water fountain. As Figure 11.15 reveals, yes, it is possible to remotely control the municipal water fountain.
One bit of advice though—if you happen to bump into one of these, be nice. Don't go rerouting the power into the water storage system. I think that would definitely constitute
an act of terrorism.