included with Athena will load a nice array of digital photo searches. Simply select a query from the list and click the Search button. For example, selecting 1st photo with a PENTAX cam and clicking Search will deliver the Google results for that search, as shown in Figure 12.15.
Figure 12.15 Basic Search Results
Athena also allows you to add modifiers to the query using the Refine Search box. Using the previous query, entering inurl:"buddylist.blt" into the Refine Search box and clicking the Search button provides a much cleaner search (see Figure 12.16).
Figure 12.16 Athena’s Refine Query Feature in Action
The results show that the image does not exist on the http://johnny.ihackstuff.com website. At this point, Athena might seem rather pointless. It functions just like a Web browser, submitting queries into Google and displaying the results. However, Athena’s most powerful functionality lies in its XML-based configuration files.
Using Athena’s Config Files
Two of these files are included with Athena: Athena.xml and digicams.xml. These files contain custom queries and descriptions of those queries. The digicams file contains sample queries for finding images, and the Athena.xml file contains the queries found in the GHDB.
To load the GHDB, simply select File | Open Config and select the Athena.XML file.
Figure 12.17 Athena Loaded with Athena.XML
Just as with the digicams image search, queries found in the GHDB can be modified and resubmitted through the Refine Search field.
Constructing Athena Config Files
Athena’s XML-based config files can be modified or even completely overhauled based on your needs. There are two main sections to the XML file: a searchEngine section and the signature section. The searchEngine section describes how a particular search engine’s queries are constructed. A typical searchEngine section is shown in the following code example.
<searchEngine>
<searchEngineName>Google (UK)</searchEngineName>
<searchEnginePrefixUrl>http://www.google.co.uk/search?q=
</searchEnginePrefixUrl>
<searchEnginePostfixUrl>%26ie=UTF-8%26hl=en%26meta=
</searchEnginePostfixUrl>
</searchEngine>
This section is responsible for describing how the various search engines handle search requests. The searchEngineName field is simply a text-based field that describes the name of the search engine. This name will appear in Athena’s drop-down box, allowing you to select from among different search engines. The searchEnginePrefixUrl field represents the first part of the search URL that is sent to the search engine. It is assumed that the query part of the search will be filled in after this prefix. The searchEnginePostfixUrl field describes the part of the URL that will come after the prefix and the query. This usually describes various options such as output format (UTF-8). Note that Athena uses the <searchEngine> section, and SiteDigger does not. This section could be reworked to search the U.S.-based Google engine with the following searchEngine section:
<searchEngine>
<searchEngineName>Google (US)</searchEngineName>
<searchEnginePrefixUrl>http://www.google.com/search?q=
</searchEnginePrefixUrl>
<searchEnginePostfixUrl>%26ie=UTF-8%26hl=en%26meta=
</searchEnginePostfixUrl>
</searchEngine>
The signature section describes the individual searches that are to be performed. A typical signature section is shown in the following code example:
<signature>
<signatureReferenceNumber>22
</signatureReferenceNumber>
<categoryref>T1</categoryref>
<category>TECHNOLOGY PROFILE</category>
<querytype>DON</querytype>
<querystring>intitle:"Index of" secring.bak
</querystring>
<shortDescription>PGP Secret KeyRing Backup
</shortDescription>
<textualDescription>This query looked for a backup of the PGP secret key ring. With this keyring an attacker could decrypt messages encrypted by the user.</textualDescription>
<cveNumber>1000</cveNumber>
<cveLocation>http://johnny.ihackstuff.com</cveLocation>
</signature>
The signatureReferenceNumber is a unique number assigned to each signature. The categoryref is a unique number that describes the signature in the context of its category, which is described in full by category. The querystring is the Google query that is to be performed. It is made HTML-friendly and inserted between the searchEnginePrefixUrl and the searchEnginePostfixUrl in the URL sent to Google. shortDescription and textualDescription are short and long descriptions of the search, respectively. The cveNumber and cveLocation refer to the www.cve.mitre.org Common Vulnerabilities and Exposures list.
The header of the XML file should contain these lines:
<?xml version="1.0" encoding="utf-8"?>
<searchEngineSignature>
and the file should be closed out with a </searchEngineSignature> line as well.
Using this format, it’s fairly simple to create a file of custom queries. The file must conform to the UTF-8 character set and be strictly XML compliant. This means that HTML tags such as <A HREF> and <BR> must not only be matched with closing tags but that each HTML tag is case sensitive. Microsoft’s XML scanner will complain about an opening <BR> tag followed by a closing <br> tag, since the case of the tags is different. The less-than and greater-than symbols (< and >) can also cause problems when used improperly. If your data contains the Internet shorthand for “grin,” which is <G>, the MS XML scanner will complain.
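The following is an added example, not part of Athena, that reads a config file in the format just described (one searchEngine section plus one signature, constructed inline from the element names above), checks that it is strictly well-formed XML as the MS XML scanner requires, and rebuilds the URL Athena would send by inserting the URL-encoded querystring between the prefix and postfix. Python’s ElementTree stands in for Microsoft’s parser, which is an assumption: both reject mismatched tag case and a stray <G>.

```python
import urllib.parse
import xml.etree.ElementTree as ET

# Constructed sample config (not shipped with Athena), using the element names above.
ATHENA_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<searchEngineSignature>
<searchEngine>
<searchEngineName>Google (US)</searchEngineName>
<searchEnginePrefixUrl>http://www.google.com/search?q=</searchEnginePrefixUrl>
<searchEnginePostfixUrl>%26ie=UTF-8%26hl=en%26meta=</searchEnginePostfixUrl>
</searchEngine>
<signature>
<signatureReferenceNumber>22</signatureReferenceNumber>
<categoryref>T1</categoryref>
<category>TECHNOLOGY PROFILE</category>
<querytype>DON</querytype>
<querystring>intitle:"Index of" secring.bak</querystring>
<shortDescription>PGP Secret KeyRing Backup</shortDescription>
<cveNumber>1000</cveNumber>
</signature>
</searchEngineSignature>
"""

def is_well_formed(xml_text):
    """True only if the text is strict XML: case-matched open/close tags and
    no stray <G>-style tokens, the same things the MS XML scanner rejects."""
    try:
        ET.fromstring(xml_text.encode("utf-8"))  # the file must be UTF-8
        return True
    except ET.ParseError:
        return False

def load_config(xml_text):
    """Return (engines, signatures): lists of dicts keyed by child tag name."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "searchEngineSignature":
        raise ValueError("root element must be <searchEngineSignature>")
    as_dict = lambda elem: {c.tag: (c.text or "").strip() for c in elem}
    engines = [as_dict(e) for e in root.findall("searchEngine")]
    sigs = [as_dict(s) for s in root.findall("signature")]
    return engines, sigs

def build_url(engine, signature, refine=""):
    """Reproduce what Athena sends: prefix + URL-encoded querystring (plus any
    Refine Search text) + postfix, in that order."""
    query = signature["querystring"] + (" " + refine if refine else "")
    return (engine["searchEnginePrefixUrl"] + urllib.parse.quote_plus(query)
            + engine["searchEnginePostfixUrl"])
```

Running is_well_formed over a hand-edited config before loading it into Athena catches the <BR>/<br> and <G> mistakes described above without waiting for the MS XML scanner to complain.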
Tools and Traps…
Current Config Files
The maintainers of the GHDB make available current config files for use with Athena.
This file can be downloaded from http://johnny.ihackstuff.com.
Wikto
Wikto is an amazing web scanning tool written by Roelof Temmingh while he was with Sensepost (www.sensepost.com). Wikto does many different things, but since this book focuses on Google hacking, we’ll take a look at the Google scanning portions of the tool. By default, Wikto launches a wizard interface as shown in Figure 12.18.
Figure 12.18 Wikto’s Target Selection Panel
Wikto will first prompt for the target you wish to scan, as well as details about the target server. Clicking the Next button loads the Configuration panel as shown in Figure 12.19.
Figure 12.19 Wikto’s Configuration Panel
This panel prompts for proxy information and asks for your Google API key. The API issue is tricky, as Google is no longer giving out SOAP API keys. If you already have a SOAP API key (lucky you), enter it into the field and continue to the next panel. Otherwise, consider using Sensepost’s Aura (www.sensepost.com/research/aura) tool to simulate Google SOAP API calls. Download and install Aura from the SensePost website, then click Start SensePost Aura to point Wikto at the Aura proxy. After entering an API key (or bypassing it with Aura), click through the rest of the wizard’s confirmation screens. The main Wikto screen will be displayed. We will first concentrate on the Googler tab. Clicking Start will launch a Google scan against the target site, searching for the specific file types listed in the File Types field. Figure 12.20 shows the result of a scan against http://johnny.ihackstuff.com.
Figure 12.20 Wikto’s Googler function
Notice that the output fields list files and directories that were located on the target site. All of this information was gathered through Google queries, meaning the transactions are transparent to the target. Wikto will use this directory and file information in later scanning stages.
Next, we’ll take a look at the GoogleHacks tab, shown in Figure 12.21.
This scanning phase relies on the Google Hacking Database from http://johnny.ihackstuff.com. Clicking Load Google Hacks Database will load the most current version of the GHDB, providing Wikto with thousands of potentially malicious Google queries. Once the GHDB is loaded, pressing the Start button will begin the Google scan of the target site. What’s basically happening here is that Wikto is firing off tons of Google queries, each with a site operator that points to the target website. The GHDB is shown in the upper panel, and any results are presented in the lower panel. Clicking on a result in the lower panel will show the detailed information about that query (from the GHDB) in the middle panel. In this case, many results are returned, since the target website (http://johnny.ihackstuff.com) mentions each of these queries in great detail.
Figure 12.21 Wikto’s GoogleHacks function
In addition to this automated scanning process, Wikto allows you to perform manual Google queries against the target through the use of the Manual Query button and the associated input field.
Wikto is an amazing tool with loads of features. Combined with GHDB compatibility, Wikto is definitely the best Google hacking tool currently available.
Google Rower
Google Rower is a Firefox extension (and also a stand-alone Windows program) that uses brute force lookup techniques to expand a search. Google Rower is a great tool to bypass the one thousand query lookup restriction. It accomplishes this by adding “padding digits” to a base query. It then harvests the results, removes duplicates, and displays the results. For example, Google Rower can obtain more results for the query Jeffball55 by searching for Jeffball55 a, Jeffball55 b, Jeffball55 c, etc.
Google Rower can be downloaded from http://www.tankedgenius.com. Installation is a simple, straightforward Firefox xpi file installation. After installing Google Rower, open Firefox, select Tools->Google Rower and enter a query as shown in Figure 12.22.
Figure 12.22 GoogleRower Option Screen
Entering a query of ihackstuff with the default options will query for the base term ihackstuff followed by a series of characters, in this case the numbers one through nine. The results are sorted and displayed, as shown in Figure 12.23.
Figure 12.23 Google Rower Results
Alternatively, you can right-click within Firefox and select Google Rower. In this case, Google Rower will launch with the query filled in based on the selected text.
Google Rower has several options to select from, as shown in Table 12.1.
Table 12.1 Google Rower Options

Duplicates/Separation: Google Rower provides several different options for separating the links via query and removing the duplicate links. The different options affect the speed and memory that the extension will use.

(option name missing): ...the results returned by Google. Selecting this option allows the titles of the pages as reported by Google to be output.

No Headings in Output: By default Google Rower outputs some headings to show which links came from which query. Selecting this option turns off those headings. This option is useful when the results will be piped into another program.
Google Site Indexer
Google Site Indexer (GSI) was written by Jeffball55 (Jeff Stewart) and CP. GSI uses some of Google’s Advanced Operators, specifically site and inurl, in order to create a file and directory map of a target web site. By sending Google queries such as site:tankedgenius.com, GSI can incrementally index all files Google has indexed. However, since Google only retrieves a maximum of a thousand results, GSI can mix the advanced operators (like site:tankedgenius.com inurl:cp) in order to get a better mix of unique results. GSI can be downloaded from www.tankedgenius.com.
Installation is a simple affair: clicking on the xpi file from within Firefox will initiate the installation process. To run Google Site Indexer, open Firefox and select Tools -> GSI. The GSI interface will be displayed as shown in Figure 12.24.