Hi, my name is Fran Brown. I'm a managing partner at Stach & Liu. With me I have Rob Ragan. I'm a senior security associate at Stach & Liu, and we're a company that helps IT organizations secure their businesses. And this is Tenacious Diggity. If you guys are looking for FX, we pull the switch with him. We're looking to get all of his fans and make some new fans and sales. So this is Tenacious Diggity, ready to rock your socks off. How hard it rocks on a scale of 1 to 10. Quick question: how many people here have seen some of the talks that we've given before on previous versions? Cool. Thanks for coming back. We've got a lot of new stuff. Cool. So with that I'm going to jump right into a demo, just to let you guys know, kind of set the pace for what we're looking to do here. Now it seems like a handful of people have seen some of our talks before, but it seems like most people are newcomers. Basically these Diggity tools, the arsenal of tools that we've released, are a number of search engine hacking tools that use Google, Bing and various other search engines in interesting ways for search engine hacking, as we're going to see. So we have Google Diggity, which is what you would think of as a traditional Google hacking type tool but upgraded to all the latest APIs and things like that. And we have Bing Diggity, which is what you would think of as the Bing equivalent of a Google hacking tool. That's really not what we're going to focus on today. We're going to focus on all the new attack tools that we have. And what we've continued to do, besides just Google and Bing hacking, is ask what other ways we can utilize different search engines, or existing search engines and weird features of them, in new and interesting ways to find vulnerability information or, you know, find sensitive information disclosures.
So this first talk, or this first video, is going to be of Code Search Diggity, which is in the new version of SearchDiggity. SearchDiggity, which is the tool we see up here right now, is the main attack tool which contains all the other tools that we have for our Diggity attack tools. Right. These are all categorized under open source intelligence gathering, and that's finding information using freely available sources and producing actionable intelligence from it. So we're looking not just at the general search engines that are available but also specialized search engines, one of those being Google Code Search. So we're just going to show an example of what we can do with a specialized search engine like Google Code Search. It'll just give you a better understanding of what our tools are used for. And those of you who are familiar with Google Code Search in general know that it went away a few months ago, but as of the latest release we found some workarounds and it's back in 3.0, which is available for download on our website now. Google Code Search reborn. Reborn, back from the dead. So for those of you who are not familiar with Google Code Search, Google Code Search is another Google product, just like Gmail or something along those lines, that originally was designed to allow people to have full regular expression search capability over every open source code project. Things like GitHub, CodePlex, SourceForge and Google's own freely available Subversion repositories. And we found that developers often put sensitive information in their code. Maybe they're an independent contractor and they're using those free resources to manage their code for their clients. Or we can also utilize regular expressions against a search engine like that to find vulnerabilities, like simplistic examples of SQL injection or cross-site scripting or other web application vulnerabilities.
So this first demo that I'm about to play right now is what we like to call taking over someone's Amazon cloud in 30 seconds or less. So what we're going to be doing here, you see I have the Code Search interface up. I'm just going to go ahead and check a number of regular expressions that we have set up to find Amazon EC2 keys embedded in people's open source code projects. And for those of you that don't know, EC2 keys are like the keys to the castle of an elastic cloud service provided by Amazon. This can be things like S3 storage for storing large amounts of data or files, or it can also be the actual admin keys to manage that elastic cloud. That means that's the interface where you can put up new servers or take down servers. And of course if an attacker were able to get access to these keys they could put up new servers on someone else's dime, or they could find sensitive information potentially exposed in their S3 storage. So we see here in this Google Code project, EC2 sample, in the file state test.java, someone has gone ahead and embedded their Amazon EC2 keys: their access key and their secret key. So, as Rob said, it's pretty much the equivalent of your username and password to be able to access someone's Amazon cloud. So we're just going to take that and, using a Firefox plug-in called S3Fox Organizer, we're just going to plug in this access key and secret key that we got out of somebody's state test.java, some random test file. And now we have access to their Amazon S3 cloud storage. To verify that we actually had it we downloaded a single file, EC2 server.txt. Literally the first file we downloaded. Open that up, and we see a text file by the developer of administrator credentials, database administrator credentials, VPN administrator credentials. Literally, you know, you would think this is too good of an example, that I probably combed through them for days. This was literally the first file I ever downloaded in this manner, and it just worked out that way.
Developers don't think people are going to have access to their source code. They hard code all kinds of secret keys and secret data in there. And that also goes for developers that are putting things out on these freely available code repositories, not thinking that they're being indexed by search engines and easily searchable. So in this video we're going to see another thing. Again, similar searches. A few keys embedded here. But this time we're going to use another free tool called ElasticFox. Open that up, create a new instance with this, again, Amazon access key and secret key. But this time, instead of just their file storage, we're actually going to take over their entire EC2 instance. Quick, go. And then we pull up, and we see that we're now connected. And we see that they actually have one virtual server running that we can administer at this point, and a number of images up that are available to run. And at this point we're just, because one developer embedded their Amazon keys in some random open source code project, in some random file that they thought no one would ever look at, we can now take full control of their Amazon EC2 instance and fire up our own virtual servers, take over theirs, do whatever we want at this point. A large organization probably isn't going to notice a few more servers added to their cloud. And there you go: hackers' free computing power. That's something that we've seen in our clients' source code as well where we've done code reviews. And really the protection against this is that a lot of these public cloud providers now do allow you to lock down those keys to have a minimal set of permissions. And so that's really the recommendation to developers: only purpose this key for one server. Only purpose it for one use. And don't hard code those keys that have complete admin control over the cloud or over the storage in your code. Those need to be really closely guarded secrets. Yep.
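The defensive counterpart to the demo above is to scan your own source tree for embedded cloud credentials before it is ever pushed to a public repository. The following is an added example, not code from the talk or from the Diggity tools: a small Python scanner that flags AWS access key IDs (the documented `AKIA` + 16 character format) and secret access keys (40 characters of base64-style alphabet next to a `secret`-named assignment), with a Shannon entropy check so that obvious placeholders are not reported. The sample Java file it scans is constructed for the example, and the key values in it are the public example credentials from Amazon's documentation, not real keys.

```python
import math
import re
from dataclasses import dataclass

# Documented format of an AWS access key ID: "AKIA" followed by 16 uppercase
# alphanumerics. The secret key is 40 characters from the base64 alphabet; since
# that alone matches lots of text, we anchor it to a "secret..." assignment.
ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(
    r"""(?i)secret[_a-z]*\s*[:=]\s*["']?([A-Za-z0-9/+=]{40})["']?"""
)


@dataclass
class Finding:
    line_no: int
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; placeholders like all zeros score ~0."""
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_aws_credentials(text: str, min_entropy: float = 3.0) -> list[Finding]:
    """Return every suspected AWS credential in `text`, with its 1-based line."""
    findings: list[Finding] = []
    for idx, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(idx, "access_key_id", m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            candidate = m.group(1)
            # Low-entropy strings are almost always dummy values, not secrets.
            if shannon_entropy(candidate) >= min_entropy:
                findings.append(Finding(idx, "secret_access_key", candidate))
    return findings


# Constructed test input modelled on the "state test" file from the talk. The
# key values are the public example credentials from AWS documentation.
SAMPLE_JAVA = """\
// constructed sample, not a real project file
public class StateTest {
    static final String ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE";
    static final String SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
    static final String PLACEHOLDER_SECRET = "0000000000000000000000000000000000000000";
}
"""

if __name__ == "__main__":
    for f in find_aws_credentials(SAMPLE_JAVA):
        print(f"line {f.line_no}: {f.kind} = {f.value}")
```

Run as a pre-commit hook over the files being committed, this catches exactly the mistake the demo exploits; the all-zero placeholder on the last line is deliberately not reported, which is the false-positive case the entropy threshold exists for.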
So we just like to start out with that because it kind of gives you an idea of, besides just a slightly updated, better version of Google or Bing hacking tools, some of the new directions that we're trying to take things in, in terms of other search interfaces out there that we can leverage in interesting ways for hacking. Yeah, we think that search engine innovation is only going to continue to explode over the coming years. There's going to be more and more competition out there. There's going to be more and more highly purposed search engines. And we want to utilize those for attack purposes and defense purposes. So we're really quickly just going to go through and show you a list of some of the tools we've done in the past, but then move right on to the entirely new tools that are in the 3.0 version that was uploaded to our website about an hour ago. For those of you who want to read about the old tools, check out the videos from last year. Yeah, just to reiterate that, everything we're showing is for free on our website, stachliu.com. So for those of you not familiar with our project, it's the Google Hacking Diggity project. It's a project where we release a number of open source, not open source, free anyway, free search engine hacking tools, kind of broken up into attack tools and defensive tools. Our defensive tools, which we're not going to spend too much time on today, primarily rely on Google Alerts and other alerting and RSS capabilities to feed us real-time updates from Google and Bing and Shodan and other search engines. As Google finds a new website that would have matched some Google dork, we're getting real-time RSS updates about it, and we created a sort of intrusion detection system for Google hacking, if you will. And we'll show you some updates we've made to that. Some of the old tools, I mentioned earlier, Google Diggity and Bing Diggity, are traditional Google and Bing hacking tools.
We have FlashDiggity, which is an Adobe Flash security scanning tool, which leverages Google and Bing to find SWF files out there, bulk download them, bulk decompile them back to their ActionScript and then bulk look through them for Adobe Flash vulnerabilities. So we're penetration testers and we tried to design these tools with penetration testers in mind. We wanted to be able to target multiple sites at once. We wanted to be able to download and export the results to CSV files. We wanted to be able to gather all the information that we need as part of the footprinting phase, and really it's step one of any penetration test. Our DLP Diggity tool, which I really encourage people to try: I went out and took every data loss prevention tool that I could find and I stole all the regexes for social security numbers and credit cards and things like that, and compiled a master list of regular expressions that'll look through files for interesting data. This allows you to bulk go out and find thousands of documents, download all of them and then look through them for credit cards and passwords and social security numbers. We'll see what that looks like. But that's all the old tools. I want to get right into some of the new tools that I want to show you today that we just released, and with that we're going to go right into the first one. Well, even before we get into that, one thing to note: until this version we had hooked up the Bing API for Bing Diggity and the Google Custom Search API for Google. But now that Bing is moving to a pay model, and just to get the number of results that we really want, we've implemented across all of the attack tools scraping of Google, which was no easy task. I spent quite a bit of time trying to make it so that you can do thousands and thousands of queries against Google by scraping, effectively. And we built that into the actual engine for all the tools now, so it's all completely free. You don't have to sign up for the APIs.
We found that API key to not be adequate, and now across all the tools we can scrape Google effectively and get tens of thousands of results in a few hours, which makes it the only search engine hacking tool that can do that right now. And we've done it for Bing as well. Previously you'd have to sign up for a Google API key and you'd get a max of like 70-something results per search. We wanted it for free and we wanted to get a thousand results. And one of the interesting things as well is that we actually have the ability to scrape the custom search engine interface, so you can actually get a thousand results from a custom search engine of Google that you built, so all the benefits and none of the drawbacks. And this is just kind of giving you an overview of some of the things we're doing in terms of taking your queries, spreading them across dozens of Google servers in different settings, and dropping cookies and things like that to try to avoid bot detection. So we did all the legwork and the research on what query string parameters you need to send and how to best make your scraping look like a human, so as to prevent Google detecting you as a bot, and put that in the suite across all the attack tools. So you can manually import proxies and things like that, or we tried to make it as simple as possible. You can just open up this Options, Proxies, do Auto Find, we go out and scrape a bunch of proxy sites for you, and click Test and it'll test if they're fast and not giving you garbage or inline ads or messing with the responses. It takes care of all that for you, and it's all seamless in terms of being able to spread all of your queries across tons of proxies. Real quick, I was asked to mention that track one and four were switched, in case you didn't know, depending on which one you're looking for. You can also manually specify the proxies here. So it just seems like some options and configurations, but I can't tell you.
I mean, this has really opened it up where you can now do Google hacking for free and, instead of getting dozens of results, you can get hundreds of thousands of results very easily doing this. If you need a list of valid open HTTP proxies, I'd recommend going out; there's tons of services like this where you can pay like $25 for a lifetime subscription to something like hidemyass.com and get 1,500 known-good open HTTP proxies emailed to you every day. They email you text files every day, once a day, of all the latest proxies. And you just import them into this tool and now you're effectively scraping Google and Bing. So that being said, right into our first new attack tool, PortScan Diggity. So PortScan Diggity is a really interesting tool that works on a feature of Google that is not documented and technically shouldn't even work as far as I know. But what we're doing here is we're actually finding websites that are listening on non-standard TCP ports that Google has basically gone out there and indexed, you know, all 65,000-some ports. And I don't know exactly how or why they're doing this; we have a few theories. But you can effectively do passive port scanning instantly through Google. So, you know, with the advantages of being passive, you're only talking with Google, you're not actually talking to your targets. I use this during scoping of engagements actually, to try to see what other web servers are available out there, because I haven't actually touched the client's sites yet, but I'm able to see these HTTP services that exist. The other big thing is you can do it by domains as well as by IP address ranges, and we see here on the right side, we pretty much go through an entire B-class instantly, at least as far as what Google knows about in terms of what IPs and what open ports there are. And you see port, you know, 998. That would take a lot longer if you're trying to use Nmap.
Yeah, months, depending on if you're trying not to get detected, to scan an entire B-class for a full port range. So this is kind of, I'll show you the tool in a second, but this is to give you a background of how it's actually working. Not only can we just do this star side, it's listening on random ports. You can even specify exact port ranges. You see 8,000 and 9,000 here and 5,000 to 6,000. Being able to just get a complete list. And one other thing, besides just being a port scan: when you think about this, every single one of these results, you see 216,400,000 results, almost every single one of these is some web administrative interface of some kind. So, especially combined with the scraping that we have now, it's an effective way to get millions of web administrative interfaces listening on random ports out there instantly. The reason they're not on standard ports is they're not really meant to be found, right? Like, in five minutes of playing with this tool I found the admin interface to a strip mall that accepts PayPal payments to buy products, and they had exposed on that admin interface the ability to add yourself as an admin user and then get in and review orders and shipping addresses and things like that. These are things that are not meant to be seen, and they really have a lack of security around them. And it can be used for, I don't know if any of you guys saw in the news two weeks ago, I think it was, where somebody was selling a 0day for the Plesk Panel web administrative interface that was out there. So we see there on the left, just doing a quick search for port 8443 and getting 66,000 sites that are running some version of the Parallels Plesk Panel management web interface. This 0day was literally like: point it at the admin interface and then, through a vulnerability in the admin interface, get me the password to log in as full admin.
So in an age where we're seeing mass SQL injection attacks and massive-scale attacks compromising hundreds of thousands and millions of sites and using them as malware distribution platforms, this is a really easy way to go about that in terms of mass exploitation. But just to give you an idea of, so that's kind of how it works in theory, and to show you how the tool actually works to take advantage of it: we actually just created an interface here in our main attack tool. I just put in com in the top right, click Go, and it finds for me every result that it can in terms of web interfaces listening on non-standard ports. And now I specify 8443 just to target our Plesk Panel, which I mentioned earlier, and now we can see, so we have the view of the actual raw results, the URLs and things like that, and you can even switch over to more of a port scan kind of result view and see a list of hosts that we found and a list of ports that were open on those hosts. Effectively giving you, how would you use this on your own? Let's say you were Wellington at Florida.gov. I would plug in Wellington, Florida.gov, and let me check port 8000 and 9000, and we see it found two hosts, one with a website listening on 8080, one with one listening on 8443. So we can effectively cut through and do port scanning via Google now, and then export the results out to CSV and load that up into Burp or whatever. Maybe you want to run some active web scanning on it, but this was step one: you've identified all these admin interfaces that you can then manually go take a closer look at. Any questions on that so far, or anything we went over so far?
I've only got 50 minutes and there's a lot I want to show you guys. So just getting back into it. So we see again a list of ports open for each host. So now one of the more interesting new attack tools I want to go over, and something that really evolved out of a need that just kept coming up and coming up again, is Not In My Backyard Diggity. It's one of our new attack tools. Just looking at the Verizon Data Breach Investigations Report from this past year, they kind of jokingly put out there that perhaps we should create a new breach discovery classification of YouTube and Pastebin and Twitter, given all the raw amount of data dumps from compromises out there on Pastebin and things of that nature, noting that for a large percentage of people, finding out that they've had an incident only comes once people brag about it on Twitter or dump all the emails and passwords on Pastebin or something of that nature. That was partially the inspiration for Not In My Backyard, but also we saw the need from one of our clients that has hundreds of domains that they're responsible for, and they were being targeted by LulzSec and Anonymous, and they said a lot of the stuff that we're seeing isn't necessarily an issue on our site; it's data that's being stolen and put on another site. How can we use search engines to find that? And that was really what brought about Not In My Backyard.
We really wanted to make it as easy as possible for you to plug in your domain or your email, or even your name as an individual, check a bunch of boxes and click Go, and find your sensitive information all over the internet on third-party sites, from cloud storage to Pastebin, to see if your personal information has been exposed on a third-party site you don't control, that is not in your backyard. So we see here a number of Pastebin leaks, just usernames and passwords being dumped on Pastebin. Also, some of the more interesting ones: people are really starting to, individuals are starting to move over to use Dropbox and Google Drive and Microsoft SkyDrive and a number of other cloud-based storage services, especially as people get iPads and iPhones and want to be able to easily hook that up with their cloud-based storage. And employees are throwing confidential financial information and spreadsheets up on their Dropbox and then not realizing that Google may be indexing that. Or I see more and more people using Google Docs for managing sensitive information, not realizing that that's in Google's index. And we just see a couple of examples here of finding, in Dropbox, a completed tax form with people's personal information, to, on SkyDrive, people's Cisco configuration files hosted in Google Docs, not realizing that these public folders are being indexed by Google and are easily searchable. But one other interesting thing that we found, and this is kind of important, is that robots.txt is dead. Google is not abiding by robots.txt anymore. And if any of you guys, how many people here use Dropbox anyway? A decent amount of people. How many people have clicked the setting for the newer "I want to share all my photos via Dropbox that I take with my phone"? You plug in your phone and it says upload all my photos that I've taken and sync them with my Dropbox. Recently, especially for Apple devices, it's just a setting, and most people are turning it on by default now, so as you take pictures with your phone it's
automatically syncing to these galleries in Dropbox. And we see here in Dropbox's robots.txt that they're saying disallow /gallery, which is where all those things are hosted, but just a quick look on Google and we see 164,000 people's personal photo galleries have been indexed and are easily searchable. Actually some really interesting personal photos out there. Probably spent a lot more time browsing through the photos than was really necessary. Yeah, it's research, honey. Yeah, so this is just yet again another place out there that people aren't realizing, and in this case they're thinking that, Dropbox thinks they're safe in terms of people aren't indexing this, and Google's just doing it anyway. So it's definitely a good recipe for being able to find the latest celebrities' new photos that they want to send out from their phone all the time, if you want to get a picture, or your photos. And this is kind of part of just the data loss prevention side of it, just looking for your information again out there. This was in the news last year, and there's been a million incidents since then; it seems like two a week now. But just some Yale alumnus, just googling for his own name, stumbled across an Excel spreadsheet with 43,000 Yale alumni's data, just in one Excel spreadsheet that was just hanging out there in the wind. Just googling for his own name he stumbled across it. So that's one of the beauties of Not In My Backyard: it can be used by an organization or by an individual for finding sensitive information disclosure. Yeah, it would have been helpful for the Yale alumni to run this tool. So I'm going to pull up and show you guys this in a second, but just some of the default locations that we're looking for. We basically made it easy to plug in free-form text of your name, your email, the domain you're interested in, whatever you want to look for, select from a list of locations, which we see up here, and then select from a list of certain files if you want to drill down on
file types, as well as select a number of keyword groups that narrow down and find more interesting information like data dumps. But some of the places that we're looking at in terms of locations: we're looking at files across, really, if it's unchecked it's just looking for your name and stuff across the whole internet and whatever other filters you specify, but it allows you to easily narrow down and start looking in cloud-based storage, social networking, document sharing sites like Scribd, Pastebin and every Pastebin-type site. And again we've made this with the pentester in mind, or with the hacker in mind, so this is completely extensible and you can actually just go to where this application's files are, and these are all in text files, carriage return line feed delimited text files, and you can add your own sites in there, you can add more locations, you can add your own queries that you want to run by default, and then just restart the application and that information will be loaded into the interface.
Some of these are things you would never even think of. Like, well, some people know RateMyNetworkDiagram is a funny one, but even in Gliffy we're seeing people hosting extremely detailed internal network diagrams on Gliffy and sharing them out. These are like online Visio applications, and people are just putting their confidential or proprietary business workflows or their network diagram on there just to show off. It's kind of funny that a lot of IT administrators may be uploading their whole internal architecture to RateMyNetworkDiagram.com and showing an attacker exactly what they would need to know and where to go once they get inside. So what we see here is the tool, and you would plug in up in the targets your name, things like that, whatever you want to do. Then we have the locations tab. In this particular example I'm just going to look on Pastebin only, but it'd be easy for you to just check all those boxes. In this case, since it's Pastebin, I'm not going to specify any file type, but you could now easily put, like, let me just look in Excel spreadsheets or database backup files or things like that. And then we're going to select the keywords that are good for finding data dumps of personal information and click Go. So we see that it comes back with some results from Pastebin. I'm just looking at this one here, we see Osiris owns MaxProtek, and we see a few passwords and some headers here for Pastebin. So we go ahead and click that and you see some data dump from some hacker that has hacked MaxProtek.com. If any of you guys use MaxProtek.com you might want to go check that out. And we see here anyone who's bought anything off them: their names, their personal addresses, the email that they registered with, and the password that they used. So just as an example of how an individual would use this, besides just searching for everything, let's say that I was Chuck.hsu at Wiley.com. Is Chuck in the room by any chance? So sorry. Bing energy drink is almost as terrible as his password,
yeah, ying 318. So in this case I would actually plug in, let me use quotes. So this is going to, you can, it'll use quotes for both Google and Bing, or allow you to do intext:, which works better for Google, or inbody:, which works better for Bing, depending, and you could check all of them. So in this case I'm going to use quotes, so it's just going to look for Chuck.hsu at Wiley's email, and it's going to look across Pastebin for information disclosures, right? So we tried to make it as easy as possible for anyone to build these advanced queries to go out and retrieve this information, and really prepackage a lot of the types of information that you want to look for and where you want to look for it, so you can get those results to the top of your results, which is an issue when you're dealing with so much data in these search engine indexes. So you can see now, if I was good old Chuck, I would have just plugged in my name and clicked all the checkboxes, and when it came back saying, hey Chuck, some random site on Pastebin, because you bought equipment at MaxProtek, there is a link, and you can see actually in the snippet of the results his email address and his password and personal information there. That's kind of, as an individual, how you would use it. But you can plug in an email address, your name, a domain, whatever you want to look for, and it makes it very easy. If you don't select any location it looks across the whole internet; you could narrow it down to just Pastebin or cloud storage, whatever you're interested in, or certain file types, just Excel spreadsheets or CSVs. And then we have keywords to find patient records, personal information, data dumps, things like that. Basically it's just combining every permutation of all these different features and searching Google and Bing for them for you, making it easy to find all of your personal information. And we see that here, kind of pointed out: we've got where to look, what kind of files to look in, keywords to help
narrow down false positives, and you put your name or email or whatever up there. And we'll be putting up videos to demonstrate how to use these tools, so just check back on our website. One other example just to show, besides kind of an easy example, that I just thought was great: this time in the screenshots you see we're looking in cloud storage. We're going to look for people who are throwing files up on their Amazon S3 cloud storage. We're going to be specifically looking at Excel spreadsheets, and I added the query appender, just the word password, and clicked Go. We see a copy of user.xls it found, and just to see what it would have looked like on their face, what it's kind of simulating, we see just a password extension Excel spreadsheet, and in the other worksheets there, this guy had basically all of his bank accounts, all of his bills, all of his other services, his tax information, accounts and his investments, his FAFSA, healthcare, you name it, all in one, his PIN for his ATM card. I mean, this guy had everything in one Excel spreadsheet, and this is just one guy. If you are also in the room, I apologize. I did black out the information. But this is just yet another, this is just like the Yale Excel spreadsheet with all their personal information: people just googling for their own name, or just stumbling across hundreds of thousands of personal records and credit cards, you know, without even trying, by accident. And we're seeing this in the news like twice a week now, it seems like, where some major person has been compromised or is just throwing an Excel spreadsheet out there somewhere with hundreds of thousands of emails and passwords, where you almost become numb to even looking at the news headlines. If it doesn't even say 100,000 records or more, I don't even bookmark the news story; there's just so many. Yeah. So, any questions so far? So the question was, for the Google Docs and the Amazon S3 one, were they public documents where the permissions were set? In this case yes, they were. They weren't
blocked. But as we've seen, especially with Dropbox, they have changed some of the rules in how they do things and share public folders, and these things are changing quickly. People by accident are sharing things out, not realizing that they are public or that they can be public, and as we saw in the one case, some things that even are supposed to not be indexed are getting indexed anyway. So it's one of those quickly changing things for a normal user, or an employee at an organization, that may not know any better, may not know how to configure those settings to make some of the stuff in these cloud document services private. Yeah, and where they want to share it out with someone to begin with, you have to throw it in the public folder anyway to be able to share a link out to somebody, and then not realizing, who would ever guess this huge link, not thinking that the Google index made it easy to find. So one other thing, and this is not so much a tool as an update to our main Bing hacking dictionary. One thing I want to note is that due to some recent updates in Bing's API, as well as some undocumented or poorly documented features, we have released an updated version, the Bing Hacking Database version 2.0. Before we released our first Bing Hacking Database, Bing, or MSN before that, was primarily used for footprinting: finding host names, finding applications or URLs and things like that. It was primarily for footprinting purposes, and that was because Bing had specifically disabled a handful of features, most notable of which was inurl:, which broke like 95% of the Google Hacking Database, and they specifically did it to try to prevent Bing hacking in the sense of Google hacking. They did that back in 2007. We released a few more workarounds for that and were able to release a thousand or so queries for the first Bing Hacking Database. But now we're proud to say in the latest version, due to two major updates, we are now for the first time able to make Bing hacking just as effective
as a tool as Google hacking and that's because one Bing decided to enable the EXT colon operator to allow you to search by file extension from the last year one and two and this was the big one like 95% of the Google hacking database used this in URL colon operator which will allow you to specify you know random text that has to be found in the URL of the results by using this and we see it in the screenshot here in stream set colon URL colon in Bing you effectively get in URL and you can do in stream set body in stream set title or other parts of a typical HTML page but we found that using that in stream set URL which is kind of a footnote in their documentation that we came across we can revive Bing hacking and make it just as viable as Google hacking and we see in the screenshot this in stream set URL and WP config and you see out there a number of results of people with their WordPress configurations with their database passwords right there in the configuration file this is the type of query that we would not have been able to do with Bing before now so with the new version that we released in Bing Diggity we went from like a thousand or some odd mildly effective queries to I think like four to five thousand queries that are now pulling vulnerability information so kind of exciting Bing binary Bing binary malware search this is the one I just want to go over quickly but any of you guys familiar with HDMores tool MW search from a few years back search engines were indexing PE header info of executable files basically HD had a tool that used Google a few years back that allowed you to use Google to find people hosting malware based on searching for the PE header information Google disabled that feature so it kind of broke its tool and has been dead ever since but people didn't realize that Bing does have the ability to do that as well so in using we see here a picture of HD's old signature file and just throwing that up being able to find instances of malware 
via Bing we wanted to give something back to all of the malware researchers in the room and so this is something that can be effectively used to identify malware that's indexed by Bing although in our tests we found that it changes very rapidly because Bing doesn't want to distribute malware they don't want malware in their results so as soon as they're identifying them they're removing them but it's kind of like a first notice of okay if I search this I got this executable file back in the results and I can identify that as malware based on those that met information like size of code, entry point number of segments and another PE or portable executable meta information so the results are somewhat limited in being able to find tons of malware at this point one due to them removing it but two just looking at this we found some numbers on it's estimated from these researchers that Google's indexed about 50 billion pages and Bing has indexed about 3 billion so in just in terms of role you know size does matter in terms of role set of what you're looking for there's just not as many results in Bing as there is in Google for finding things anyway although you see in that graph in the last month it claims that Bing jumped up from 3 billion to about 16 billion but they're probably lying I don't know they lie all the time I mean if you ever clicked on it and it says a few hundred thousand results and you go to page 2 page 3 of results and it's like okay maybe there was like 20 you know you got us you know page 3 is the end of it so who knows how reliable these numbers really are but this was actually done by a group that goes out and they do like zip's law of statistical analysis and they go out and search a lot of keywords and basically count the results that come back to those keywords and then try to determine how much is in the index but kind of using them combined is what we think it works best Google and Bing cool so we got 10 minutes of speed along code search 
Diggity. This is what we showed in the intro: it was dead, it's now back. We give the ability to search across... the version that's hooked up on the website right now is just for Google Code projects, but we'll shortly have everything back up and running very soon. But you're going to, at the very least, search all Google Code projects, which is quite a bit, for SQL injection. We see here they're putting a Request.QueryString parameter right into a SELECT statement. So what we do with this is, this is some forum software; we can go out there and find SQL injection in some popular blog software, forum software, shopping cart software, and then go to regular Google and do "powered by" that shopping cart software or something like that, and it's a quick way of doing it. Some blogging software we found SQL injection in: like 11,000 sites in China using the blogging software that was vulnerable to SQL injection. Yeah, so now we can just find the targets, and we would go to the post.asp page and we would tamper with the reply_d parameter, and we know exactly where to go for that, for open source code.

And the way we're bringing this back is really by utilizing some freely available cloud services to go out and crawl the data. There's one thing to note before we get into that: just with that example with the Amazon cloud hacking that we showed earlier, if you look at it, if any of you guys remember the CIA triad, confidentiality, integrity, availability, basically Amazon cloud and most cloud services promise you nothing. In fact they distinctly tell you that we are not guaranteeing you in any way, shape or form the confidentiality, the integrity or the availability of your data; take it or leave it kind of thing. So we have to broker a better deal going forward, as you know every employee out there and every corporation is just throwing stuff up in the cloud now. Leave that to the legal department.

So, as we're saying, we're bringing back code search by utilizing some of these cloud crawling based services, and one in particular that I liked, where we found it, is 80legs. This is a service that you can go and utilize to do your crawling for you. Even with a free account they'll do 10,000 pages, and the for-pay accounts are just dollars: for 20 bucks you get like 10 million pages indexed, or something, in a matter of like an hour. We can actually program into this, as seed values of where to start crawling, and say go out to GitHub, search for all PHP code and use that as my seed page, and then I can put in a regular expression to say find all the links to the next page on that result for all the PHP code and go crawl those pages. So basically it's going to then download all the PHP code from GitHub, and then I can put in some regular expressions to do analysis on that and say, now find me all the uses of include that are also taking in a query string parameter, and now I'm effectively identifying like remote file includes in these open source PHP projects and getting those results back. And so, as part of our efforts to make this available through our tool, we're pulling those results into a cloud database that we can expose as a web service that anyone could make calls to, to effectively query vulnerability information in these open source code projects, and then we're going to have our client be able to call that service so that you can use it in the same old user interface that we always have. So Google wants to shut it down in favor of making Google+ or things like that; we decided to just do it ourselves and, you know, make it searchable.
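The crawl-and-regex step described above, "find me all the uses of include that are also taking in a query string parameter", is the same check a project can run over its own tree before the code is published. The following is an added example written for this page, not the speakers' tool or an 80legs job; the PHP file it scans is constructed for the example, and it uses only the regex-over-source approach the talk describes, so it inherits that approach's limits (see the note after the code).

```python
import re
from typing import Dict, List

# Constructed sample PHP file (not from any real project): two unsafe includes,
# one constant include, and one include that goes through an allowlist.
SAMPLE_PHP = r'''<?php
// unsafe: page name comes straight from the query string
include($_GET['page'] . '.php');

// unsafe: a fixed prefix does not constrain what follows it
require_once "modules/" . $_REQUEST["mod"] . ".inc.php";

// safe: constant path
include 'config.php';

// safe: the request value only selects a key from a fixed allowlist
$pages = array('home' => 'home.php', 'about' => 'about.php');
$key = isset($_GET['p']) ? $_GET['p'] : 'home';
if (array_key_exists($key, $pages)) {
    include $pages[$key];
}
'''

# One include/require statement: the keyword, then everything up to the ';'.
INCLUDE_RE = re.compile(
    r'\b(?P<stmt>include|include_once|require|require_once)\b'
    r'\s*(?P<arg>[^;]*?);'
)
# A request-controlled superglobal being indexed inside that argument.
SUPERGLOBAL_RE = re.compile(r'\$_(?P<name>GET|POST|REQUEST|COOKIE)\s*\[')


def find_unsafe_includes(php_source: str) -> List[Dict]:
    """Return one finding per include/require whose argument reads a request superglobal."""
    findings = []
    for m in INCLUDE_RE.finditer(php_source):
        sg = SUPERGLOBAL_RE.search(m.group('arg'))
        if sg is None:
            continue  # argument never names $_GET/$_POST/$_REQUEST/$_COOKIE
        findings.append({
            'line': php_source.count('\n', 0, m.start()) + 1,
            'statement': m.group('stmt'),
            'source': '$_' + sg.group('name'),
            # collapse whitespace so multi-line statements report on one line
            'code': ' '.join(m.group(0).split()),
        })
    return findings


if __name__ == '__main__':
    for f in find_unsafe_includes(SAMPLE_PHP):
        print(f"line {f['line']}: {f['statement']} reads {f['source']}: {f['code']}")
```

Two things a practitioner should keep in mind. First, this is a pattern match, not taint tracking: a value copied into `$page` and included on a later line is missed, and the word "include" inside a comment or string would produce a false hit, so treat the output as a triage list. Second, the last snippet in the sample shows the fix that actually holds: the request value selects a key from a fixed map, so the include argument never contains attacker-controlled text; prefixing a directory (the second unsafe case) does not achieve that.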
And this is really just a proof of concept. This is something that's really powerful that we identified as penetration testers: like, you know, I rely on certain tools and I rely on some things to go out and find certain types of information, but if I have a really large scope I'm going to start turning to services like this to say go crawl these 10 million pages and do this analysis on them and give me the information back, and now I know I have some really good starting points of where I may want to start probing an entire large organization.

Okay, we got five minutes left, so we'll speed through these last couple. Shodan Diggity. How many of you guys are familiar with Shodan, the search engine? Good amount of people. It indexes the actual headers that come back from a query to various services, HTTP and things like Telnet, SSH, and actually records those and makes them searchable via an index. Yeah, it's like a search engine for network service banners, more or less, but it's really got some headlines in the last couple... the last six months, due to SCADA hacking, critical infrastructure type things. But basically what we're seeing is finding SCADA systems that are out there for the first time ever, and this is something I really want to stress: we have SCADA systems which are controlling everything from the air conditioning in buildings to manufacturing plant floors to the electric grid to water pumps, and these things have been around for a long time and are very easy to hack, and in the last six months we've seen two major things happen.
One, we're seeing point-and-click exploits for the first time ever in Metasploit, where people are making it so you point it at a SCADA system and it's there to control, so you have the ability to exploit easily. As well as, two, the ability for mass identification: just one Cambridge student putting out a PhD paper, you know, half messing around, found, you see that map at the middle bottom there, found 10,000 SCADA systems with a handful of Shodan queries connected to the internet. All the red dots, as opposed to greens, are ones that a public exploit just came out for. So you have tens of thousands of systems that control water pumps to electric grids all connected to the internet, easily findable by Shodan and now easily exploitable in Metasploit. I'd be surprised if in the next year we didn't see some kind of major disaster of a physical nature. So we've wired it up into our user interface and pre-packaged it with a lot of useful queries so that you can start targeting networks that you're looking at using the Shodan search engine and get the results back in a nice malleable format. And I'll skip the demo for that, but this, you can just plug in your Shodan API key, have a bunch of pre-built queries already there for you, and a nice easy interface to use Shodan, because we wanted to have one, so we decided to make one.

Last, and I only have like two minutes, and I showed this before: we have this Alert Diggity DB. This is what's coming up next, where we have these hundreds of thousands of results we're getting from scraping. Now we have three years of Google Alert feeds and Bing feeds that have been feeding into millions of entries, things like 4 million records of vulnerabilities and sensitive information. Every single RSS entry that you see there corresponds to some website on the internet that is vulnerable to something that some Google or Bing dork found, and we put that up in Amazon RDS as a cloud-based database that we're going to be making available as soon as I work out the pricing model. But you should see in the next few weeks this available to be able to query this massive repository, so in the future you won't actually have to go to Google and do Google hacking anymore, because we've already done it for you. We've Google hacked, we've Bing hacked, we have several years of results that is all in one big table, so that instead of going out and doing a Google hacking search, you pull all the results from several years of Google hacking and come to us instead of Google. We've actually done this for some of our clients; it's kind of a custom consulting project, and just focused on what was available in search engines we've gotten back a lot of really detailed information on what their exposure was, and they appreciated that and were able to take that actionable intelligence and then go do some remediation. And we're going to be hooking this up again to some charts in mobile business intelligence apps on your iPhone or iPad: I want to monitor these domains and get a filtered view of this huge massive repository of vulnerabilities on the internet, which is probably the world's largest single repository of live vulnerabilities on the internet, that I'm aware of anyway, unless most of you guys know of a bigger one, and get a nice little view of that.

And this is, as Rob just mentioned, just looking at how you guys can start to analyze some of this information. This is from DLP, from the tool we did, but basically pulling down, using some of our tools, this was on 54 domains for one of our clients, and they couldn't even wrap their head around, like, okay, we have 13,000 documents on these domains, what do we even do to start to analyze this? But we were able to use our DLP tool to start identifying sensitive information in those documents. So that's kind of the very, very quick view. I think we're probably out of time now, but if you guys are interested in some of those other tools that we talked about, check out the videos, or follow me on Twitter if you want to keep up to date on what we're releasing. The project page is at the bottom right there. All these tools are free for download; the new version is 3.0, it's up on the website right now. There'll probably be some bug fixes and stuff, but that's a pretty fully functional version, and all the new tools are free for download, free for use, on the website.
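The closing slide describes running a DLP pass over thousands of documents pulled down from a client's domains to find sensitive information. As an added illustration for this page, not the speakers' DLP tool, here is a minimal scanner of that kind in Python. It shows the two decisions that separate a useful DLP pass from a noisy one: a digit run is reported as a payment card only if it passes the Luhn check, an SSN-shaped value only if it fits the issuing rules, and every finding is reported masked so the report itself does not become a second copy of the data. The document text and all numbers in it are constructed test values.

```python
import re
from typing import Dict, List

# Constructed sample document, standing in for one file from a public web crawl.
# The card numbers are standard test values and the SSN is from a non-issued block.
SAMPLE_DOCUMENT = """Quarterly vendor summary (internal draft)
Card on file for the travel account: 4111 1111 1111 1111 (exp 09/27)
Backup card: 5500-0000-0000-0004
Employee record: SSN 219-09-9999, badge 778812
Order reference 1234567890123 must not be treated as a card number.
Invalid SSN-looking value 000-12-3456 should be ignored.
Contact: payroll@example.com
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')
SSN_RE = re.compile(r'(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)')
EMAIL_RE = re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}')


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; rejects most random digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural rules of the SSA scheme: these ranges are never issued."""
    if area in ('000', '666') or area.startswith('9'):
        return False
    return group != '00' and serial != '0000'


def _line_of(text: str, offset: int) -> int:
    return text.count('\n', 0, offset) + 1


def scan_document(text: str) -> List[Dict]:
    """Return masked findings (type, line, masked value) in document order."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r'[ -]', '', m.group(0))
        if luhn_ok(digits):
            findings.append({'type': 'card', 'line': _line_of(text, m.start()),
                             'masked': '*' * (len(digits) - 4) + digits[-4:]})
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if ssn_plausible(area, group, serial):
            findings.append({'type': 'ssn', 'line': _line_of(text, m.start()),
                             'masked': '***-**-' + serial})
    for m in EMAIL_RE.finditer(text):
        local, domain = m.group(0).split('@', 1)
        findings.append({'type': 'email', 'line': _line_of(text, m.start()),
                         'masked': local[0] + '***@' + domain})
    findings.sort(key=lambda f: (f['line'], f['type']))
    return findings


if __name__ == '__main__':
    for f in scan_document(SAMPLE_DOCUMENT):
        print(f"line {f['line']}: {f['type']} {f['masked']}")
```

On 13,000 documents the validity checks are what keep the list reviewable: order numbers, badge numbers and phone numbers all produce card-length digit runs, and without Luhn every one of them would be a finding. The masking matters for the same reason the talk gives for putting results in a database: whatever collects the findings becomes the new place the sensitive values live.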