We're on a time schedule, so I'm going to be taking you through this whirlwind style. So hold on to your butts. I've got about 30 seconds for each of these slides up until I get to the examples, which are the fun part, so I really want to get to the fun part. Louder? That better? All right.

Okay, so anyway, my name is Johnny Long, and basically the subtitle of this is really about hacking using search engines: going into a search engine and finding information about a site that's exploitable, or interesting, or otherwise amusing. So let's go ahead and get started.

Just some idea of what we're going to be talking about here. Some of the things that we're going to learn to do with Google: to speak like l33t hax0rs, because everybody has to know how to do that. We're going to use Google as a transparent proxy server. We're going to use Google to sneak past site security. I'm going to use Google to find development sites. And we're also going to use Google to find exploitable files on systems, or directories on systems, that fall into certain categories. These categories are somewhat arbitrary, but based on the stuff that I found, they fall into operating system vulnerabilities, web server vulnerabilities, sensitive data in files, and sensitive data in directories. We're going to see examples of all that, and we'll talk briefly about automating the process.

The reason I chose Google is pretty straightforward: Google gives us a lot of options that some search engines don't. As an aside, Yahoo offers the same options, because Yahoo is Google for all intents and purposes; they use the same search engine. But basically we need some advanced search options. We need some ways to narrow down our hits, because as you're going to see, some of the hits are going to give us too many results to be useful. We need to have a caching feature that shows us down pages. We need an instant response: we need to get a response quickly for our automated tools to work. We need some translation features, translating documents back into HTML that you might not be able to read natively, like PDFs or Excel files, that sort of thing. And also web, news, image and FTP searches. Google offers all that and more.

This is not a new thing. This isn't something that I came up with. This is a Bugtraq post from about two years ago by a guy named Vincent G. However you say that; I'm not French. But he came up with this very interesting idea of using Google to find cool stuff, and his post looked like this: put in "index of /admin" to find sites that have admin directory listings out on the web. Pretty straightforward stuff. The only thing he specifically launched against Google was down there on the fourth example, where he uses filetype, which is actually going out against Excel files. And basically what I've done is I've taken this and sort of run with it.

So first of all, this is very important for any self-respecting hacker: use Google in hacker speak. Okay, so if you want to use Google in your native language, you have to go here and do your search. Sort of stupid, but I can't resist.

There is this book that talks about Google hacking. Even though I somewhat disagree with the title, and you know, if I had written the book it wouldn't necessarily be the way it was. It'd be about real hacking, and well, then I'd be in trouble and I'd need a lawyer like Jennifer Granick. Is she here? Okay.

Google as a proxy. This is kind of cool. Google offers a translation service, so you can go from English to French, French to English, Spanish, and all that stuff. But what happens if you actually take that translation service and turn it back on itself?
For example, here's how the normal translation looks. Translating the DEF CON page from English into Spanish gives us a page that looks like this; you can see everything is sort of in Spanish. Well, the URL that that gives you looks a little bit like this, and the part that I'm going to bring your attention to is right at the bottom of the URL there, where we see langpair=en|es. This is translating from English to Spanish. What happens if we turn the translation back on itself and translate from English to English? Well, an interesting thing happens: Google does nothing with the page. It assumes you made some sort of mistake and just feeds the page back to you. The beauty is you just proxied that hit off of Google. So you use Google as a proxy server. Google grabbed the page for you. Kind of neat.

Okay, there's a couple of places that you can go to get a nice little form to do this in an automated fashion, on walks.org and also on my site. I've got a little box there so you can bounce off of a Google proxy to browse a site. It is transparent. Okay, keep that in mind, for all you proxy freaks out there: it's not going to anonymize you, but it's another step in the chain that could help anonymize you.

Finding development sites. Okay, this is pretty straightforward. The idea is you want to find corporate web pages, or interesting web pages, that aren't where they're supposed to be. For example, an anonymous telephone company... oops, never mind, Verizon. Okay, basically this site right here is not on Verizon's web servers. It's on the developer's web servers. The web developers put this page together in order to sell it to Verizon and go, "Here's what your web page is going to look like." All the code is in there. And as we can tell, not only do we find it from Google, we can crawl around that page where we actually found the development code. I actually used Photoshop on this one, so sorry. Crawl around with Google on the site where we actually found the development site. Poke around long enough and eventually you'll find pay dirt. In most cases, in this case, pay dirt is the actual source code of the web page: the HTML, the JSP scripts. And the developers were kind enough to include it all in a tarball. So you download the tarball, open up all the source, and basically you've got Verizon's web page.

Bypassing authentication. Okay, there's another cool Google trick. The idea is pretty straightforward. We've got this company, thinice.com. I hope they're not actually here, because it got fixed by itself, and I really meant to call, but I sort of forgot. But stuff sort of happens that way. Anyway, thinice.com has this nice little authentication that comes up when you try to browse their web page. All right. Using Google to actually search for information about thinice.com, we find some interesting links. This gives us an idea of what some of the hierarchy looks like on the page: we see a search PHP script and a member PHP script. Searching around a little more, we eventually get to a cached link of thinice.com. If we click on the cached link, it gives us what the web page looks like without authentication. Okay, Google actually got past the authentication mechanism. Well, it's not really magic. Google doesn't put values in there and, you know, just try something randomly. The authentication mechanism was broken when Google crawled the site and cached it for us, and what we're seeing is the results of that. Bottom line is we're actually past the authentication, and now we're seeing not only directories but, again, source code for the site. And again, this was another example where they were kind enough to include it all in a tarball we could download. And this one is fixed.
So those of you on the wireless network, be good. All right.

Now, some ideas about finding some files using Google. There are some things that we need to talk about: basically, some search terms that are unique to Google, and you can get information about those at this link, google.com/apis. But to give you an idea of sort of how this works, a very simple search like cd ls bash_history ssh. Okay, it seems like disjointed terms, but anybody that's looked at bash history files knows cd, ls, ssh are commands that will show up in those history files. So let's do an interesting search. And the end result of one of those searches is a live bash history file. This is the file that records commands when somebody's sitting at a command prompt. Why is it on the web? I have no clue, but that's not our problem. It's there, because we're being good and we're not surfing there right now, right? But basically, here we go. We've got this guy. He's actually SSHing out to a few sites and telnetting out to a few sites; how's that for security? Running traceroutes. To take this a little bit farther: don't just stick with the search results. Dig a little bit farther with the web server. You can find some more interesting stuff, like for example this WS_FTP.ini file, which lists the firewall username and password that his FTP program uses to get out to the net. In addition, we've got his SSH known_hosts file, again all found through Google. All right, this shouldn't be on the web. We will talk more about that site.

That was a simple search using disjointed words. A little more complex is using phrases. The beauty is in using phrases that are unique, that are going to get us interesting results, like this one: "Error Occurred While Processing Request". Okay, it sounds pretty benign, but it's actually a ColdFusion error message that generates instead of the pretty HTML that you're used to seeing on a site. And the ColdFusion error message itself actually has interesting information, like the real host, the full path where the web server's sitting. Any idea what the operating system is of this particular web server? Yes, you all laugh. That was correct.

All right. Now, here's just a hacker's dream, and this one's just too good to be true. But let's do a search for "enter unix command" in quotes. Well, I know you think I'm kidding, right? I'm not. Notice I typed uname into "enter unix command" and it gave me the result. Somebody actually put on the web a CGI interface that lets you type in Unix commands and get results. How convenient is this? This could come in handy.

All right, some special characters that you should probably be aware of. Plus and minus: pretty straightforward, AND and NOT, just like other search engines. A period is a wildcard of sorts. I haven't completely figured it out, but most of the time you can use a period like you'd use an asterisk, or I should say a question mark in Unix, meaning any character. The dash, when it's in quotes, doesn't necessarily mean NOT like in other search engines; what it can mean when it's in quotes is a space. This is all very confusing. I think they did this to confuse us.
So we wouldn't figure this out. But we did.

To give you an example, here's a simple example of a specific Google search using specific Google keywords. The keyword here is site. This says only search sites that end in .gov and contain the word boobs. Okay, get your mind out of the gutter. I was talking about politicians. Okay, but check out the results. Here we have a .gov site, ncwg.cap.gov, talking about "inside for access only natural boobs". Those aren't politicians, folks.

Or, for example, if you want to use site to do crawling. This doesn't mean DEF CON's vulnerable; it's just an example. Use the site keyword. So we're going to look at defcon.org, and we're going to search defcon.org for the word defcon. The results that we get back give us an idea of how defcon.org is mapped out. It gives us an idea of the directories where some of the files are. Can be pretty handy. Another thing to do is use the site keyword with a common file extension. In this case we went after a gif, so site:.gov gif will give you sites that actually have directory listings where there are gif files. And when you get directory listings, those are good things, because you can sort of crawl around.

Date searching I'm going to skip, because we're short on time.

intitle, however, is another Google-specific search which is very important. This says look for the following word in the title of the web page. Okay, so this says don't look for the word actually down in the text. This is very important.

For example, inurl is basically the same thing, but it's in the URL: search for a specific word inside the URL. For example, inurl:admin gives us one of many hits. This one shows an actual IP map of a very prominent university and how all their workstations are laid out. The second one, inurl:admin, says find the word admin in the URL, but also find the words users and mbox on that page in addition to the URL. Here we actually have a mailbox file for an administrator on a site. And the third one, inurl:admin with users and passwords. Okay, that one's pretty killer there. We actually have usernames and encrypted passwords. We're going to have a lot more examples, so that's why I'm hurrying to get to the good stuff.

Here's an interesting one: filetype:xls. Let's find Excel spreadsheets that have the words "checking account" and "credit card" in them. I mean, this isn't rocket science, folks, but here we go: credit card balance information, deposits, withdrawals. And actually the numbers were in there, but you know, I had to do some editing.

Okay, an interesting side effect to all of this is not just looking for stuff that's dropped dead, "oh, look what I found on this page," but it's sort of harvesting some of the data and using it creatively. For example, we can find operating system and web server versions about our targets using Google. Here's a search: intitle:"Welcome to Windows 2000 Internet Services". Okay, Windows 2000 puts that for you in the title of the default web page. So if you search for that, you're going to find sites that are actually running a default web page on a Windows 2000 box. Yes, they are out there.

Or "under construction". Whatever you do, don't type "under construction" into Google just the way it is, because you'll just get dumped on. It's just going to be ugly. But if you look for "under construction" in the title and the phrase "does not currently have", okay, see the phrase in there, "it does not currently have a default page", what you're getting is another Windows-based default server. Okay, it looks like a normal under construction page, but Microsoft, in their infinite wisdom, changed the text a little bit. Maybe it was a copyright thing or something. We can actually find servers this way.

Or how about this: intitle:"Welcome to IIS 4.0". Where's that zone-h guy? I talked to him, because this is even easier than defacing. IIS 4.0. Scary. At least they installed the Option Pack, right?
Okay, generally OpenBSD and Apache is a good combination. Scalp, forgot about that one, but it was vulnerable for a little while. Well, let's say you went out there and you actually found Apache OpenBSD servers when the Scalp exploit was released. Okay, not necessarily a good thing to make public if there's a vulnerability. And everybody loves these little "powered by" things that they put at the bottom of their site, so we use them.

All right, getting a little more into the weeds, since there's so many flavors of different types of web servers, especially Apache. Here's a way that you can search for Apache by specific versions, which is very important if you're looking to exploit the site. For example, Apache 1.2.6: look for intitle:"Test Page for Apache" and "It worked!" Okay, they put that little thing there that says "It worked!" That's their default page. You find that page, you've found an Apache 1.2.6 server. How about Apache 1.3.0 to 1.3.9? They changed the page a little bit: "It worked! The Apache web server is installed." It was very creative. Helps us narrow down the version number. Okay, 1.3.0 to 1.3.9. How about 1.3.11 to 1.3.26? "Seeing this instead of the web page you expected." Again, default Apache install boxes. Okay, these people were smart enough to install Apache, but weren't smart enough to change the default page. What are the odds that they weren't smart enough to lock it down? Apache 2.0: we get a little more towards the top of the iceberg here as far as security, but again, the default web page makes it easier to search for.

And another way that we can actually get this information is at the bottom of directory listings. I'm sure you've run into, in your surfing web pages, that the default page is missing and, you know, you get this, or the index file's missing, you get a directory listing. Well, at the bottom of the directory listing the server throws out its tag. Let's use Google to search for that tag. There it is in black and white: "Apache/1.3.11 Server" gives us the version number.

According to Google, here's some statistics on how many servers are actually running these specific versions of Apache and have open directory listings for you to browse. And sorry, I formatted it as a number, because it looks more impressive with more zeros. But sorry: 119,000 people running Apache 1.3.6; 151,000 servers running Apache 1.3.3. Not only are they running it, but they're running it with a directory listing open. Okay, good stats. Excel is my friend sometimes.

Here's some really esoteric versions of Apache that Google helps me find on the web, like 1.3.26 plus InterServer. Many people are running that one. That's got to have some problems. A lot of these are development; most of these were beta. Okay, but we've got 64,000, 69,000, lots of targets to choose from. And using the same techniques, here's some more common Apache versions, again, that Google helped us find. You don't have to send a single packet to the target to figure out the web server that they're running, or to do statistical information about it. You just pull it off of Google and use Google's cache. Google's cache gives it to you. You never touch the site.

Okay, another way to use Google: finding targets for vulnerabilities that are released, finding zero-day targets. It's one thing to have a zero-day exploit, but you have to have something to use it against. For example, here's a vulnerability that hit the street. Thank you, Packet Storm, and thank you out there. Here we have unhappy CGI .txt, and this little guy works against the normal_html.cgi script. So basically what we do is we know that this exploit works against that CGI script. Now we just have to find that script on the web. How about a Google search: inurl:normal_html.cgi?
212 sites found running this CGI script the day the exploit's released, that Google finds for us. It doesn't get any easier than that. Script kiddies everywhere, rejoice.

Okay. The other thing that's definitely worth talking about is, you know, we've seen some interesting pages, we've seen some interesting examples, but the bottom line is Google just gives us this way of finding interesting files inside sensitive directories, and finding sensitive data inside interesting files. And the easiest way to do this is with the directory listings that we just talked about. If you have a directory listing, you get a list of files. If you're looking for a specific file, where better to look than a directory listing? Okay, so this technique actually uses the directory listing itself as a way to search for vulnerable files. Look at the syntax here: intitle:index.of. Remember, the dot was a space or any character. What we're looking for is web pages that come back to us and have the words "index of" in the title. "Index of" in the title means it's a directory listing. Still with me? Throw another word after the index.of, like backup. Here's an example of one thing that we get. Here's a site that actually made backup files, put them in a web-accessible directory named backup, and Google crawled them. So now all we have to do is ask Google for that file. You know, we look for the directory listing, here's a backup directory, and there's the file. See all the names listed down the left-hand side there?

How about another interesting one: intitle:index.of .htpasswd. Okay, these are people that have directory listings out there. That means their main web page is missing; the file for their main web page is missing. They got a directory listing when Google browsed them, and this file is sitting in that directory. You'll have more of these to come.

The obvious approach to all this is sort of automating the process. You know, it's one thing to sit there at Google and just type your stuff in. Automation for this is just mindless; I mean, it's just incredibly easy. What you do is you take a CGI scanner, any CGI scanner that's got a list of vulnerabilities, CGI-based vulnerabilities, and you steal their list. Okay, grab out all the interesting files, all the CGI scripts that are vulnerable, and you use that in an automated fashion, something like this. We have a list of CGI scripts. Little shell, okay, smoke and mirrors, okay, run some shell. That shell script actually works, so fear my coding skills. You get a nice little output that looks something like this. It's basically just a web page that you can browse that lists sites that actually had the vulnerable files in that list. Again, this is from Google. This isn't you sitting down and running a CGI scanner against your target. This is you going out to Google, automating queries that come back with long lists of vulnerable servers that have vulnerable CGI scripts. And of course, when you click on each of these, it takes you to the Google results page, and you just take your pick.

Enter Google dorks, my name for it: idiotic people, inept or foolish people, as revealed by Google. These are people that just don't know any better. I don't really want to call them stupid. You know, they're just dorks. Okay, they didn't know any better. But what I did is I just put a collection of these together and sort of gave a running commentary, you know, why this is a bad thing, you know, why it's bad that sites running Microsoft Personal Web Services shouldn't be accessible through Google and be discovered.
So I put up a little page to categorize that stuff.

Taking the automation thing one step further, Michal Zalewski came out with this very interesting article in Phrack 57, #10, called "Rise of the Robots". And his theory was, okay, there are search engines that are going out there every single day. They're crawling sites. They pick up links on the sites that they crawl and they follow those links. When they follow those links, they grab more links, and they follow those links to more and more sites. That's basically how robots work. Well, what happens if you put malicious links on your web page, for example, links that are designed to attack other sites? CGI scripts are a good example of this. So, you know, watering these down a little bit just to give you an idea of how it works: you know, somehost/cgi-bin/script.pl, and then, you know, we have our little ../ security problem, which breaks out of the web directory. What happens when a web server comes to your page and sees that link? The default behavior is it's going to follow that link. If it follows that link, it exploited the target, if it was vulnerable. Okay, so all you did was stand up a web page with vulnerable links. Spiders came along, they crawled it, they picked up a malicious link, they launched it against the target. They did the work for you. That was Zalewski's idea. He tested it, and it worked. Not only did it work, but a lot of web browsers would happily follow links to non-HTTP ports. For example, they would follow links to telnet ports. They would follow links to SSH ports. So this wasn't strictly a web problem. Web bots would pick up whatever you gave them, in whatever format you gave them, and would follow them. So this method could be used to attack non-web-based services.

Okay, so anyway, the idea there is, you know, if you can do all this through Google, why not automate the process? Upload malicious bots to web servers every time you attack one that changes their web page. Instead of defacing it, you drop attack links to your next targets. You go back to Google after Google's done all this and you harvest the results from the search engine. Bottom line is Google did all the work for you and brought the results back.

Okay, the question is, well, what can you do? Nothing. Thanks for coming. Just kidding. There is some stuff you can do. This really isn't Google's fault. Google's king of the world as far as search engines, and they can really do no wrong. So, you know, this isn't really a Google problem. And countless people have called them and said, "You can't crawl us anymore. We have a robots.txt file." Well, Google doesn't care about those. Okay.

The bottom line is you have to be proactive with your own sites. You've got a site that you want to lock down, a site that you control, that you care about: you need to figure out what Google knows about that site. You need to use these sorts of techniques against your own page to see if you're vulnerable. If you're vulnerable, fix it. Who cares if there's a Google cache? In some cases, just fix your site. And the best thing you can do is to watch my web page, because that would make me happy. All right, just kidding.

All right, the grand finale. I think I'm okay on time. I'm aiming to be five minutes early here. So basically what I'm going to do is I'm going to show you some examples of this technique in action and show you how it works. That was a bad example. All right.

intitle:index.of page.cfm. What, technical difficulties? Okay, if you put this Google search in, basically what you get is web servers that have page.cfm, which is exploitable. Okay, you can basically throw an invalid page ID into any of these sites that have this problem and you can exploit them. Okay, so one example of an exploitable site.

This one's funny: index.of dead.letter.
This is what happens when your mail program dies: it creates dead.letter. And you can see here that we're reading somebody's mailbox, and it says "thank you very much", and I can read Chinese. Well, thank you very much, I can read your email. Simple. It's very easy.

Here's a bad one: intitle:index.of master.passwd. Somebody that's got a directory listing and has a master.passwd file sitting in that directory. Translation: that's bad. Bad thing.

Let's get a little more complex: intitle:index.of, so we're looking for directory listings again, but we want to look for pwd.db, passwd, and we don't want to look for pam.conf. The reason I threw that in there is we don't want to find source dumps for passwd. Okay, if you put this search in without the -pam.conf, you find all the sites that have the passwd program source, which we're not interested in. But for example, this particular search found us some sites, and one of the files that we could actually find was a group file, a live group file, from a government site. Sorry, the throat's getting dry.

Trivia question, not to steal the thunder from Hacker Jeopardy: what's the Unix password file called? An easy one: passwd. Okay, /etc/passwd. Let's actually find some live examples: intitle:index.of..etc passwd. The two dots leave room for a space and a slash, so we're finding directory listings of /etc directories that contain passwd files. Here's one example, Heck is dot cl. Okay, here's another example, index of passwd, from MIT. Sorry, I'm jealous. I don't have a degree. Call me bitter. All right, intitle:index.of..etc passwd yet again. Okay, another active passwd file, this time on an .org site, and again another .com site. Okay, and again, this one done a little bit differently. Again, we did the -pam.conf, but this one's actually a .gov site. Not only did we get passwd, we got pwd.db, another password format, a group file, and an FTP message of the day file, from .gov.

Okay, how about another interesting file: index.of etc hosts. /etc/hosts files are always filled with interesting stuff. Okay, so here's another, here's an /etc/hosts file from some site on the Internet, in... was it the Netherlands? All right, I hear you all whining: but they don't have passwords, they're all shadowed. All right. Well, let's look for passwd files that have passwords in them, just to make you happy. Look for index.of etc hosts, and look at other files in that directory. Here's a passwd file that's actually got the encrypted passwords in it. Run it through a password cracker. It's on the Internet. Google found it. It shouldn't be on the Internet first of all, but it is.

There's another one: intitle:index.of auth_user_file.txt. Not only do we have passwords and usernames, but we've got email addresses on this one. Again, live files. This is actually from a shopping cart program. How about WS_FTP.ini files: host names, user IDs and encoded passwords. Some poor schmuck's entire list of everywhere he FTPs to, including his usernames and his encoded passwords, which can be broken. How about administrators.pwd: user IDs and encrypted passwords. I'm not really picking on the UK, but it seems like I got a lot of examples from there. people.lst files: usernames, encrypted passwords. Here's a couple of examples of passlist files that are actually found on the Internet, again usernames and encrypted passwords. These can all be cracked. They shouldn't be available to web servers.

Okay, another trivia question: most common Unix file used for web-based authentication? .htpasswd. Very good.
I know it's easy. How about .htpasswd files that you can get from Google? These things are supposed to authenticate users that come to your site. Users are not supposed to be able to look at this file. Why? Because the usernames and passwords are in there. The web server's supposed to block this crap. Okay, but this shows us some sites, like Harvard, actually have problems and can't seem to keep that under control. Other sites have problems too. Here's another one: user ID, encrypted password; more user IDs and encrypted passwords. Again, these are all web-based authentication files. You use these usernames and these passwords to access these websites. Google found them for us. More. Lots of stuff.

Another trivia question: what is the one file in PGP that you want to keep secret? One file. Secret key ring. secring.pgp. Here's a way to keep it secret: let's put it on the web. God bless America. Another one from MIT. God.

All right, another trivia question: what is the most sensitive file on a Unix system? Shadow, I hear it out there. The /etc/shadow file. How about putting some /etc/shadow files out on the Internet? Okay, and yes, this one is live. Okay.

Some more stuff. I hear y'all whining and complaining: but they're encrypted passwords. Okay, how about unencrypted, clear-text passwords? Would that be good enough for you? Okay, usernames and unencrypted passwords: index.of passlist. This will give it to you. Okay, how about Excel files with username, password and email? Okay, clear text, folks. Don't have to run John the Ripper, any of that garbage. Yeah.

config.php. That's a great one: username, database host and clear-text password. config.php files should never come out on the web. It should be blocked at the web server. It should just not be out there. Database clear-text passwords, bad news. It's not just one example; there's quite a few of them. And more, and more, and more. Okay, this is not an isolated thing. Okay, these things are everywhere: usernames, hosts, unencrypted passwords.

Last trivia question: the most sensitive and personal nine-digit number in your life? Social Security number. Very good. I'm not going to give you the actual Google phrases that caught these, but I'm just going to give them to you as examples: Excel spreadsheets with a couple of names and Social Security numbers. Okay, I used Photoshop to make them a little bit unreadable. So, you know, there are a couple of these, you know, out there, very isolated. Or maybe not. How about a couple thousand names and Social Security numbers? All right, let's make it worse. How about a few thousand more names, Social Security numbers and phone numbers? Okay, this one actually came from a university. It's a student list. Usernames, I mean, if we've got usernames in here, we've got socials, phone numbers, names. Okay, sky's the limit.

Some links to check out. There are other people that are doing work in this arena. I try to have a little more fun with it than, you know, the standard white paper people. And keep an eye on my site. I like to taunt people that have these difficulties on a fairly regular basis and post the results of them on my web page, so feel free to check that out.

I'm going to actually not do Q&A. I'm going to do the same thing as the previous speaker and go out by the pool, if it's not flooding, to save some time. But a special thanks to a few people: Jen, Mac, Trampina. That's my family. Isn't that nice? Told them I'd do that. Thanks, guys.
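As an added worked example (editor's code, not part of Johnny Long's talk and not the shell script he showed), the following Python puts two of the talk's techniques into a form you can run against your own site: building inurl: queries from a CGI scanner's list of vulnerable script names, the way the automation slide describes, and taking an Apache "Index of" directory listing (the kind Google caches) to pull out the file names and the "Apache/x.y.z Server at host Port n" tag printed at the bottom, then flagging the file names the talk shows exposed (passwd, shadow, master.passwd, pwd.db, .htpasswd, administrators.pwd, passlist, people.lst, auth_user_file.txt, .bash_history, WS_FTP.ini, dead.letter, config.php, hosts, known_hosts, secring.pgp, tarballs). The HTML listing, the host name www.example.org and the category names are all constructed for the example.

```python
"""Added example, not from the talk: turn a CGI scanner's script list into
Google inurl: queries, and audit an Apache "Index of" listing for the
sensitive files the talk finds plus the server version tag at the bottom.
The listing below is constructed sample HTML, not a real site."""
import re
from html.parser import HTMLParser


def build_queries(cgi_names):
    """One inurl: query per vulnerable CGI script name (blank entries skipped)."""
    return [f"inurl:{name.strip()}" for name in cgi_names if name.strip()]


# File names the talk shows exposed through directory listings, grouped into
# categories chosen for this example (the talk's own categories are broader).
SENSITIVE = {
    "unix credentials": r"^(passwd|shadow|master\.passwd|pwd\.db|group)$",
    "web auth file": r"^(\.htpasswd|administrators\.pwd|users\.pwd|passlist|"
                     r"pass\.list|people\.lst|auth_user_file\.txt)$",
    "shell history / client config": r"^(\.bash_history|ws_ftp\.ini|dead\.letter|config\.php)$",
    "host / key material": r"^(hosts|known_hosts|secring\.(pgp|skr))$",
    "archive / backup": r"^.*\.(tar|tgz|tar\.gz|zip|bak)$",
}
SENSITIVE = {cat: re.compile(pat, re.I) for cat, pat in SENSITIVE.items()}

# The tag mod_autoindex prints under a listing, e.g. "Apache/1.3.11 Server at host Port 80".
SERVER_TAG = re.compile(r"(Apache/[\d.]+[\w.+-]*)\s+Server at\s+(\S+)\s+Port\s+(\d+)")


class _ListingParser(HTMLParser):
    """Collect every href and every text run from the listing page."""
    def __init__(self):
        super().__init__()
        self.links, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for key, value in attrs:
                if key == "href" and value:
                    self.links.append(value)

    def handle_data(self, data):
        self.text.append(data)


def parse_index_of(html):
    """Return (files, server): plain file entries and the parsed server tag (None if absent).
    Sort links (?C=N;O=D), the parent link and subdirectories (trailing /) are dropped."""
    parser = _ListingParser()
    parser.feed(html)
    files = [h for h in parser.links
             if not h.startswith("?") and not h.startswith("/") and not h.endswith("/")]
    match = SERVER_TAG.search(" ".join(parser.text))
    server = None
    if match:
        server = {"software": match.group(1), "host": match.group(2), "port": int(match.group(3))}
    return files, server


def flag_sensitive(files):
    """Map each listed file name to its category; harmless names are left out."""
    hits = {}
    for path in files:
        name = path.rsplit("/", 1)[-1]
        for category, pattern in SENSITIVE.items():
            if pattern.match(name):
                hits[name] = category
                break
    return hits


# Constructed sample: what Google would cache for an exposed /etc listing.
SAMPLE_LISTING = """<html><head><title>Index of /etc</title></head><body>
<h1>Index of /etc</h1><pre>
<a href="?C=N;O=D">Name</a>
<a href="/">Parent Directory</a>
<a href="hosts">hosts</a>
<a href="passwd">passwd</a>
<a href="shadow">shadow</a>
<a href="motd">motd</a>
<a href="site-backup.tar.gz">site-backup.tar.gz</a>
<a href="ssl/">ssl/</a>
</pre><hr>
<address>Apache/1.3.11 Server at www.example.org Port 80</address>
</body></html>"""

if __name__ == "__main__":
    for query in build_queries(["normal_html.cgi", "page.cfm"]):
        print(query)
    listed, server_tag = parse_index_of(SAMPLE_LISTING)
    print(server_tag)
    for name, category in flag_sensitive(listed).items():
        print(f"{name}: {category}")
```

The point of the listing parser is the one the talk makes about statistics: everything here comes from the cached page, so a site owner can run it over Google's copy of their own listings without touching their servers, and an attacker can do the same against anyone else's. The `?C=N;O=D` sort links and the parent directory entry are Apache's own furniture and are skipped so only real file names are checked.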