Casing the Establishment
CASE STUDY: GOOGLING YOUR WAY TO INSECURITY
By all accounts, Google is one of the rare companies that have created technology that revolutionized the Internet. From its early days of Spartan searches with no advertising, to an IPO that broke all conventional standards, Google is ubiquitous. Google technology powers many sites on the Internet, and its simple search portal is used by millions of people every second of every day. While the majority of people use Google to find everything from rare Linux kernel settings to cures for their aching backs, there are a few who have figured out Google's dirty little secret: It provides a treasure trove of information that attackers are using every day to target, assess, and compromise systems on the Internet.
It is often said that the very characteristic that makes you special can be your Achilles heel. Plain and simple, Google is too damn good at what it does. That is, it is deadly efficient at finding information on the Web. It's very common for organizations and users to leave sensitive information—including many sensitive tidbits that would make you shake your head in disbelief— on their websites, and Google will find it, archive it, and display it to anyone who can craft the right search criteria.
The secret to meticulously combing billions of web pages with fatal efficiency is the Google Bots. Google Bots are not something out of a sci-fi thriller; they are persistent web robots that scour the Internet at a voracious rate. Unless instructed otherwise, they will happily follow any link on their own—which can spell disaster for you!
Lock and Load with Google
As many administrators and security professionals are all too aware, there are literally dozens of new vulnerabilities that are discovered each day. It can be a daunting task to try to find the vulnerable systems, let alone keep them all patched—and that is exactly what attackers are counting on. They will use the art of footprinting to zero in on vulnerable systems, discovering juicy info that could be used to compromise the security of your site. One particular favorite is using Google as their targeting mechanism. Here is how it works.
Joe Hacker seems to have endless time on his hands. As you struggle to figure out if you are working yet another weekend to patch vulnerable systems, he doesn't have a care in the world—except finding systems that are ripe for attack and are more than willing to cough up the goods. Joe Hacker has been refining his Google Hacking—that is, using Google to target systems and sensitive information. He fancies himself a Windows hacker extraordinaire, but in reality he is a master at finding targets of opportunity. Let's peer into his world, examine his handiwork, and see what kind of searches he is performing straight from http://www.google.com.
His first search appears innocuous enough:
intitle:"Welcome to IIS 4.0"
Results 1 - 10 of about 63 for intitle:"Welcome to IIS 4.0". (0.10 seconds)
What could he be looking for? A listing of Windows IIS 4.0 servers, which have had a plethora of security vulnerabilities, and are usually easy pickings for most attackers.
Joe Hacker tucks this info away as he searches for more victims. Next on his hit list are users running VNC Server via the Web.
"VNC Desktop" inurl:5800
Results 1 - 10 of about 112 for "VNC Desktop" inurl:5800. (0.27 seconds)
VNC Server allows remote users to connect and control a user's desktop. It is possible for this service to be configured without a password and allow direct access to the desktop. Yikes!
Last but not least among his targeting searches is the ever-popular and time-tested search for Microsoft FrontPage extensions that haven't been properly secured:
filetype:pwd service
Results 1 - 10 of about 173 for filetype:pwd service. (0.28 seconds)
A quick click on one of the links reveals several usernames and UNIX passwords:
# -FrontPage-
ekendall:bYld1Sr73NLKo
louisa:5zm94d7cdDFiQ
Joe Hacker loads up a copy of John the Ripper, a password-cracking tool, and instantly cracks Louisa's password—"trumpet". Joe is now sitting pretty with a FrontPage username and password.
Defacing websites via FrontPage insecurities was all the rage a few years back, and Joe figures that, for old time's sake, he'll make a few "enhancements" to some of the users' web pages.
After finding some good targets, Joe Hacker turns his attention to finding sensitive information on the Web, such as passwords and financial information. A quick search of
filetype:bak inurl:"htaccess|passwd|shadow|htusers"
Results 1 - 10 of about 59 for filetype:bak inurl:"htaccess|passwd|shadow|htusers". (0.18 seconds)
reveals all kinds of information related to password files that store usernames and encrypted passwords (which can easily be cracked). In fact, Joe Hacker hit the jackpot as he pulled back an unshadowed UNIX password file with hundreds of users from one of the top universities in America. Not bad for a few seconds' worth of work.
How about a little database hacking now, Joe? Not a problem.
filetype:properties inurl:db intext:password
Results 1 - 10 of about 854 for filetype:properties inurl:db intext:password. (0.21 seconds)
A quick click on one of the results reveals database passwords in clear text!
drivers=sun.jdbc.odbc.JdbcOdbcDriver jdbc.idbDriver
logfile=D:\\user\\src\\java\\DBConnectionManager\\log.txt
idb.url=jdbc:idb:c:\\local\\javawebserver1.1\\db\\db.prp
idb.maxconn=2
access.url=jdbc:odbc:demo
access.user=demo
access.password=demopw
Unfortunately, Joe isn't much for preserving your confidentiality. Then again, you may not be either if you leave sensitive information on the Web. He targets university sites (.edu), looking for confidential information.
"not for distribution" confidential site:edu
Results 1 - 10 of about 138 for "not for distribution" confidential site:edu. (0.21 seconds)
Yet again, Joe is rewarded for his searching prowess. Over 100 confidential documents are revealed at the click of a button. Too bad that university left their students' social security numbers in that PDF document.
As the anticipation in actually hacking these systems grows, Joe Hacker decides to go for the kill:
This file was generated by Nessus
Results 1 - 10 of about 75,300 for This file was generated by Nessus. (0.20 seconds)
Nessus is a very popular vulnerability scanner that many administrators use. Unfortunately for the unsuspecting victims, Joe Hacker has now located hundreds of Nessus reports that have inadvertently been left on users' systems. This is an amazing bounty of systems accessible via the Internet that provides a blueprint of all their vulnerabilities! What could be easier for Joe? He doesn't even have to run Nessus himself—he just uses what the admin left for him.
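From the defender's side, the exposures Joe's searches surface can be caught before the Google Bots index them by auditing your own document root for the same file patterns. This is an added example, not from the book; the rule set, the labels and the sample tree it builds are assumptions modelled on the searches above.

```python
import os
import re
import tempfile
# Rules modelled on the case study's searches: filetype:pwd, filetype:bak of
# htaccess/passwd/shadow/htusers, filetype:properties intext:password, Nessus.
AUTH_BACKUP = re.compile(r"htaccess|passwd|shadow|htusers", re.I)
PASSWORD_KEY = re.compile(r"^\s*[\w.-]*password\s*=", re.I | re.M)
NESSUS_BANNER = "This file was generated by Nessus"

def classify(name, text):
    """Labels that apply to one file, given its name and leading text."""
    low, labels = name.lower(), []
    if low.endswith(".pwd"):
        labels.append("frontpage-pwd")
    if low.endswith(".bak") and AUTH_BACKUP.search(low):
        labels.append("auth-file-backup")
    if low.endswith(".properties") and PASSWORD_KEY.search(text):
        labels.append("properties-with-password")
    if NESSUS_BANNER in text:
        labels.append("nessus-report")
    return labels

def audit_webroot(root):
    """Walk a local document root; return sorted (relative path, label) pairs."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    head = fh.read(65536)  # banners and keys sit near the top
            except OSError:
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings.extend((rel, label) for label in classify(name, head))
    return sorted(findings)

# Constructed sample web root mirroring the exposures in the case study.
SAMPLE_FILES = {
    "index.html": "<html><body>Welcome</body></html>\n",
    "_vti_pvt/service.pwd": "# -FrontPage-\nlouisa:HASH_PLACEHOLDER\n",
    "old/.htaccess.bak": "AuthUserFile /var/www/.htusers\n",
    "conf/db.properties": "access.user=demo\naccess.password=demopw\n",
    "reports/scan.html": "<title>This file was generated by Nessus</title>\n",
}

def demo():
    """Build the sample tree in a temp dir, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        return audit_webroot(root)
```

Run `audit_webroot` against a staging copy of the site (or the live document root) and treat every finding as something to remove or move behind authentication, since anything Google can fetch it will also archive.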