The Google Hacking Database: A Key Resource to Exposing Vulnerabilities - StickyMinds

Transcription

T23 Concurrent Class, 10/3/2013 3:00:00 PM
"The Google Hacking Database: A Key Resource to Exposing Vulnerabilities"
Presented by: Kiran Karnad, Mimos Berhad
Brought to you by: 340 Corporate Way, Suite 300, Orange Park, FL 32073
888-268-8770 904-278-0524 sqeinfo@sqe.com www.sqe.com

Kiran Karnad, MIMOS Berhad
After more than sixteen years in software testing and implementation, Kiran Karnad found his true calling in penetration testing. Proudly calling himself a hands-on lead for information security, Kiran has worked with several Fortune 500 companies and mentored software test teams in multiple geographies. Currently leading the functional and security efforts at MIMOS, Kiran strives to identify process improvement opportunities throughout the organization and to implement them effectively.

9/19/2013
The Google Hacking Database: A Key Resource to Exposing Vulnerabilities
Product Quality and Reliability Engineering Team – Kiran Karnad, MIMOS Bhd

Disclaimer

What's This All About?
Google & Bing basics: OSINT
Basic, phrase and advanced search
What's Google hacking all about?
Sample hacks
Script for OSINT
In the recent past
If you are not hacked, you are not important!

What All Can Be Hacked
Network
Hardware hacking
Wireless
Social engineering
Mobile
Lock picking
Web hacking
OSINT
What you don't know might hurt

OSINT – Let's Define
OSINT is intelligence collected from public sources: Google, social search engines (details on the next slide).
OSINT communities:
Government – FBI, CBI etc.
Military – Defence Intelligence Agency, Homeland Security
Business – commercial, competitor intelligence, BI
Anonymous & LulzSec – Shodan, GHDB
OSINT – some methods

Google Hacking
It's what you expose
How Google works

Search Types Supported
Basic search
Advanced operators
Phrase search
Basic search: the most used type of search

So InSenSItiVe
Search is not case sensitive, and the 5W 1H words (who, what, when, where, why, how) are stop words: Google doesn't mind.

Mark My Ten Words, That's It
The keyword limit is the reason for the previous results.

* Avoiding * the 10-word limitation *
The * wildcard is not counted against the limit, and it's always there.

Now, try this: the * *
Search Types
General search:
Not cAsE seNSitiVE
No more than 10 keywords in a search (the classic limit; Google later raised it to 32, but terms beyond the limit are still dropped silently)
Google ignores "a", the 5W 1H words, this, to, we
AND is always implied
Example: date of birth of Hugh Jackman
Phrase search:
"Use quotes"
Use + to force a term and - to exclude one (newer Google versions no longer honour +; quoting the single word does the same job)
No space follows these signs
Compare the SERPs with and without quotes

Phrase Search
"More shrewd searches"
"Is there a difference?"

Force the Plus, Exclude the Minus
OR vs. AND

OR or
A Quick Recap: Operators
Logical OR is case sensitive: write it in upper case, a lower-case "or" is treated as an ordinary stop word
Mathematical + (must have) and - (must not have) carry special meaning
No stemming through the wildcard
OK: "It's the end of the * as we know it"
KO: "American Psycho*" won't give psychology or psychophysics
* represents a whole word, not the completion of a word
A period is a single-character wildcard (which is why intitle:index.of matches "Index of")
Let's try some

Advanced Operators
Stop no more! Know thy web page

intitle:
inurl:
intext:
inanchor:

filetype:
numrange:
Let's try one query: http://www.google.com/#q=100000000..999999999 filetype:sql
Advanced operators, advanced queries
List of the most used advanced operators
Syntax: operator:search term, with no space before or after the colon
intitle: inurl: intext: inanchor: filetype: (continued)

Advanced Operators (contd.)
More advanced operators: numrange: daterange: site: related: cache: link:
Try a space between the operator and the term and compare the result counts
T1ll n0w, w3 534Rch3d: B451c, Phr453, 0p3r4t0r5. Fr0m n0w, w3 H4ck (till now we searched: basic, phrase, operators; from now, we hack)
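An added example, not from the slides or the presenter: a small Python helper that applies the operator rules recapped above (lower-case operator names, no whitespace around the colon, upper-case OR, no space after a - exclusion, quoted phrases left intact) and appends a site: restriction so a dork only hits a domain you own or are authorised to test. The function and variable names are the author's choice; nothing here talks to Google.

```python
"""Normalise Google-dork syntax and scope a dork to one domain.

Added example, not part of the original slides. Encodes the syntax rules from
the operator recap: operator names are folded to lower case, whitespace around
the colon is removed, a bare "or" is promoted to the OR that Google requires in
upper case, implied AND is dropped, quoted phrases are preserved untouched,
and a site: restriction is appended unless the dork already carries one.
"""
import re

# Advanced operators named in the slides, plus their allin* forms.
OPERATORS = (
    "allintitle", "allinurl", "allintext", "allinanchor",
    "intitle", "inurl", "intext", "inanchor", "filetype",
    "numrange", "daterange", "site", "related", "cache", "link",
)
_OPS = "|".join(OPERATORS)

# "Intitle: index.of" or "intitle :index.of" -> "intitle:index.of"
_OP_SPACING = re.compile(r"\b(%s)\s*:\s*" % _OPS, re.IGNORECASE)

# A token is either a double-quoted phrase or a run of non-space characters.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def normalize_dork(query: str) -> str:
    """Return the dork with canonical operator spelling and spacing."""
    fixed = _OP_SPACING.sub(lambda m: m.group(1).lower() + ":", query)
    tokens = []
    for tok in _TOKEN.findall(fixed):
        if tok.startswith('"'):
            tokens.append(tok)          # phrase searches are left exactly as typed
        elif tok.lower() == "or":
            tokens.append("OR")         # lower-case "or" is a stop word, not a boolean
        elif tok.lower() == "and":
            continue                    # AND is implied between terms
        else:
            tokens.append(tok)
    return " ".join(tokens)


def lint_dork(query: str) -> list:
    """Report the mistakes the recap warns about; an empty list means none found."""
    problems = []
    if re.search(r"\b(%s)(?:\s+:|:\s+)" % _OPS, query, re.IGNORECASE):
        problems.append("whitespace next to an operator colon")
    if re.search(r"(^|\s)-\s+\S", query):
        problems.append("space after a - exclusion sign")
    if re.search(r"\bor\b", query):
        problems.append('lower-case "or" (Google treats it as a word, not OR)')
    if query.count('"') % 2:
        problems.append("unbalanced double quote")
    return problems


def scope_to_site(query: str, domain: str) -> str:
    """Append site:<domain> unless the dork already restricts the site."""
    q = normalize_dork(query)
    if re.search(r"(^|\s)-?site:", q):
        return q
    return f"{q} site:{domain}"
```

Run lint_dork on a dork copied from a slide before pasting it into the search box; the result count differences the slide asks you to observe come from exactly the mistakes it flags.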

intitle:index.of server.at
So what? What can a hacker do with this info?
– Go to http://www.cvedetails.com
– Check vulnerabilities for Apache 2.2.16 (the version the listing's footer reveals)
– Trigger Metasploit

intitle:index.of server.at site:aol.com
Linux server installer files are obtained: files on an AOL server, files on an MIT server.
Hyped Music
Query is: intitle:index.of name size
Check out the site hypem.com in the SERPs. Walk up the directory listing from any page and you can download tons of music. Their business is selling music online!
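An added example, not from the slides: a Python parser for the Apache autoindex pages that the index.of dorks return. It confirms a page really is a directory listing, extracts the server banner from the footer (the "Apache/2.2.16" that the slide feeds into the CVE lookup) and lists the exposed files. The sample page is constructed for the example; its hostname and file names are made up, and 2.2.22 in the test is just a placeholder for whatever version you consider patched.

```python
"""Parse an Apache directory-listing page as returned by an index.of dork.

Added example, not part of the original slides. The sample HTML is
constructed; the hostname and file names in it are invented.
"""
import re
from html.parser import HTMLParser

SAMPLE_LISTING = """<html><head><title>Index of /install</title></head><body>
<h1>Index of /install</h1>
<table>
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th>Size</th></tr>
<tr><td><a href="/">Parent Directory</a></td><td>&nbsp;</td><td>-</td></tr>
<tr><td><a href="server.iso">server.iso</a></td><td>2012-09-01 10:00</td><td>3.2G</td></tr>
<tr><td><a href="setup.sh">setup.sh</a></td><td>2012-09-01 10:02</td><td>1.1K</td></tr>
</table>
<address>Apache/2.2.16 (Debian) Server at files.example.com Port 80</address>
</body></html>"""

# Matches the autoindex footer, e.g.
# "Apache/2.2.16 (Debian) Server at files.example.com Port 80"
_BANNER = re.compile(
    r"(?P<server>[A-Za-z][\w-]*)/(?P<version>\d+(?:\.\d+)*)"
    r".*?Server at (?P<host>\S+) Port (?P<port>\d+)"
)


class _AutoindexParser(HTMLParser):
    """Collect the <title>, the <address> footer and every href on the page."""

    def __init__(self):
        super().__init__()
        self.title, self.address, self.hrefs = "", "", []
        self._in = None

    def handle_starttag(self, tag, attrs):
        if tag in ("title", "address"):
            self._in = tag
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)

    def handle_endtag(self, tag):
        if tag == self._in:
            self._in = None

    def handle_data(self, data):
        if self._in == "title":
            self.title += data
        elif self._in == "address":
            self.address += data


def parse_autoindex(html: str) -> dict:
    """Return listing status, exposed entries and the server banner fields."""
    p = _AutoindexParser()
    p.feed(html)
    p.close()
    title = p.title.strip()
    is_listing = title.startswith("Index of")
    # Column-sort links (?C=...) and the parent link are not exposed files.
    entries = [h for h in p.hrefs if not h.startswith("?") and h not in ("/", "../")]
    info = {
        "is_listing": is_listing,
        "path": title[len("Index of"):].strip() if is_listing else None,
        "entries": entries,
        "server": None, "version": None, "host": None, "port": None,
    }
    m = _BANNER.search(p.address)
    if m:
        info.update(server=m["server"], version=m["version"],
                    host=m["host"], port=int(m["port"]))
    return info


def version_older(found: str, minimum: str) -> bool:
    """True if a dotted version string is older than the minimum you treat as patched."""
    def key(v):
        return tuple(int(x) for x in v.split("."))
    return key(found) < key(minimum)
```

On the defensive side the same parser, pointed at your own hostnames, tells you which directories are serving listings and which footer banner they leak; turning the banner off (ServerTokens/ServerSignature in Apache) removes the version that makes the CVE lookup trivial.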

Our Learning Till Now
Directory listings show server version information, useful for an attacker:
intitle:index.of server.at
intitle:index.of server.at "parent directory"
intitle:index.of name size
Piracy – MP3s: intitle:index.of mp3 jackson, intitle:index.of iso kaspersky. Remember, Google stems!

Piracy – MP3s
intitle:index.of mp3 jackson
– Yields 20 pages of songs in mp3 format
– No need to wait for website instructions!
– Remember, Google stems!
intitle:index.of iso kaspersky
– Gets the AV installers from various websites
– Most of them with professional key or cracks
– Even beta versions are available
More Piracy – ISO
inurl:microsoft intitle:index.of filetype:iso
– Get MS ISO files from everywhere!

Johnny's Disclaimer
Listing all the index pages: each of these pages is a candidate target, since the hacker now knows the version and type of the app server, database and web server.

Listing All the Subdomains
inurl:intranet intitle:intranet intext:"human resources"
HR intranet with details. Some details a hacker gets from here:
HR forms and policies
New staff info
Consultation
Health benefits
Salary packaging
Contact person
Office and meeting room layout
Emails and phones
Training
Pay calculation

PuTTY SSH Logs with Juicy Info
Usernames and passwords
Results here: d:\official\white papers\starwest2013\uname-pwd.xls and uname-pwd2.xls

SQL Injectable Websites
The first query brought 38K results. Just by reordering the terms, we got 3.3 million in less time! Each of these is a candidate for SQLi, and all of these are just PHP!
Our Learning Till Now: combining operators does the magic
inurl:microsoft.com -inurl:www.microsoft.com
inurl:intranet intitle:intranet intext:"human resource"
filetype:log username putty
inurl:admin intext:username AND email AND password OR pass filetype:xls
intitle:index.of inurl:admin
filetype:php inurl:id

Database Querying
Query to get MySQL connection details. This also enumerates all the tables via the SQL, so you know the connection details, IP and the tables!
Login, Password, Website – All in One!
The query: filetype:xls "username password"
One of the results on the page: hers%20passwords.xls
Number of results: 46,500

A Quick Q
What do you think this query does?
inurl:"passes" OR inurl:"passwords" OR inurl:"credentials" -search -download -techsupt -git -games -gz -bypass -exe filetype:txt @yahoo.com OR @gmail OR @hotmail OR @rediff

Our Learning Till Now
"filetype:phps mysql connect"
filetype:xls "username password"
inurl:"passes" OR inurl:"passwords" OR inurl:"credentials" -search -download -techsupt -git -games -gz -bypass -exe filetype:txt @yahoo.com OR @gmail OR @hotmail OR @rediff
Not bored yet? Let's dig in some more!

Which Sites Have Been Hacked?
Defaced sites commonly carry a web shell named r00t.php: inurl:"r00t.php"
The logs might help. Checking hacked website logs for more info: allintext:"fs-admin.php"

Must Tries
Hacked websites: inurl:"r00t.php"
Hacked logs: allintext:"fs-admin.php"
Finding login for portals: intitle:admin intitle:login
SSH usernames: filetype:log username putty
Getting user list: inurl:admin inurl:userlist
Passwords!: filetype:pass pass intext:userid
SQL passwords: filetype:sql password
Usernames: inurl:admin filetype:xls
Passwords: inurl:password filetype:xls
More!!: inurl:passwd filetype:xls (pdf, doc, mdb)
More stuff!
intitle:"Index of" passwords modified
allinurl:auth_user_file.txt
"access denied for user" "using password"
"A syntax error has occurred" filetype:ihtml
allinurl: admin mdb
"ORA-00921: unexpected end of SQL command"
inurl:passlist.txt
"Index of /backup"
"Chatologica MetaSearch" "stack tracking:"

Listings of What You Want
Change the word after "parent directory" to what you want:
"parent directory " DVDRip -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
"parent directory " Xvid -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
"parent directory " Gamez -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
"parent directory " MP3 -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
"parent directory " "Name of Singer or album" -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
CGI Scanner
Google can be used as a CGI scanner. The index.of or inurl searches are good tools to find vulnerable targets. For example, a Google search for this:
allinurl:/random_banner/index.cgi
Hurray! There are only four (two now). The broken random_banner program will cough up any file on that web server, including the password file.

Passwords
"# -FrontPage-" inurl:service.pwd
FrontPage passwords. Very nice clean search results listing!
"AutoCreate=TRUE password=*"
This searches the password for "Website Access Analyzer", a Japanese software that creates web statistics. For those who can read Japanese, check out the author's site at: http://www.coara.or.jp/~passy/
"http://*:*@www" domainname
This is a query to get inline passwords from search engines (not just Google). You must type in the query followed with the domain name without the .com or .net. Another way is by just typing "http://*:*@www" gamespy or "http://*:*@www"gamespy.
"http://bob:bob@www"
More Passwords – IRC and Access
"sets mode: +k"
This search reveals channel keys (passwords) on IRC as revealed from IRC chat logs.
eggdrop filetype:user user
These are eggdrop config files. Avoiding a full-blown discussion about eggdrops and IRC bots, suffice it to say that this file contains usernames and passwords for IRC users.
allinurl: admin mdb
Not all of these pages are administrators' Access databases containing usernames, passwords and other sensitive information, but many are!

MySQL Passwords & the etc Directory
intitle:"Index of" config.php
This search brings up sites with config.php files. To skip the technical discussion, this configuration file contains both a username and a password for an SQL database. Most sites with forums run a PHP message base. This file gives you the keys to that forum, including FULL ADMIN access to the database.
intitle:index.of.etc
This search gets you access to the etc directory, where many, many, many types of password files can be found. This link is not as reliable, but crawling etc directories can be really fun!
Passwords in backup files
filetype:bak inurl:"htaccess|passwd|shadow|htusers"
This will search for backup files (*.bak) created by some editors or even by the administrator himself (before activating a new version). Every attacker knows that changing the extension of a file on a web server can have ugly consequences: a .php or .htaccess file renamed to .bak is no longer handled by the interpreter or the access rules and is served as plain text.

Serial Numbers
Let's pretend you need a serial number for Windows XP Pro. In the Google search bar type in just like this: "Windows XP Professional" 94FBR. The key is the 94FBR code. It was included with many MS Office registration codes, so this will help you dramatically reduce the amount of 'fake' sites (usually pornography) that trick you. Or if you want to find the serial for WinZip 8.1: "WinZip 8.1" 94FBR
Credit Cards!!
Number ranges to find credit card, SSN and account numbers:
Amex (15 digits): 300000000000000..399999999999999
MC (16 digits): 5178000000000000..5178999999999999
Visa (16 digits): 4356000000000000..4356999999999999
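An added example, not from the slides: the numrange values above are only prefix ranges, so a search on them also returns order numbers, phone numbers and any other 15- or 16-digit value. The Python below takes the slide's three ranges and runs every candidate through the Luhn checksum, which is what a DLP scanner or a triage script over search-result snippets would do to drop that noise; hits are masked to the first six and last four digits before they are reported. The sample text is constructed and every number in it is made up (they pass or fail Luhn by design).

```python
"""Find card-like numbers in text and keep only those that pass the Luhn check.

Added example, not part of the original slides. The ranges are the ones the
slide gives for numrange searches; SAMPLE_TEXT is constructed and its numbers
are invented.
"""
import re

# Numeric ranges as given on the slide (numrange lo..hi). Amex is 15 digits,
# the MasterCard and Visa ranges are 16 digits.
RANGES = {
    "Amex": (300000000000000, 399999999999999),
    "MasterCard": (5178000000000000, 5178999999999999),
    "Visa": (4356000000000000, 4356999999999999),
}

# 15 or 16 digits, optionally separated by single spaces or hyphens,
# not glued to further digits on either side.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){14,15}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) checksum used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_for(digits: str):
    """Brand whose slide range contains the number, or None."""
    n = int(digits)
    for brand, (lo, hi) in RANGES.items():
        if lo <= n <= hi:
            return brand
    return None


def mask(digits: str) -> str:
    """Keep the first six and last four digits, the usual PCI truncation."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_card_numbers(text: str) -> list:
    """Return (brand, masked number) for each Luhn-valid hit inside the ranges."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        brand = brand_for(digits)
        if brand and luhn_ok(digits):
            hits.append((brand, mask(digits)))
    return hits


# Constructed input: two valid-looking PANs, one Amex, one Visa-range number
# with a bad check digit, and one 16-digit id outside every range.
SAMPLE_TEXT = """card 4356 0000 0000 0002 exp 12/14
mc 5178000000000005
amex 3700-000000-00002
order ref 4356000000000001
id 9999888877776666"""
```

The Luhn filter is also why a numrange dork alone is a poor measure of exposure: only the subset that passes is worth escalating, and that subset is what should never appear in a crawlable file in the first place.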

Working Samples!
Credit-Cards-Pastebin.txt
Some more working samples

CCTV Control
The first query produced 3000 results! Let's click on one of the SERPs: pan, scan, tilt & zoom. You can control the camera.
Many more queries possible for CCTV:
inurl:LvAppl intitle:liveapplet
inurl:"viewerframe?mode=motion"
intitle:"Live View / - AXIS"
intitle:"snc-rz30 home"
inurl:indexFrame.shtml "Axis Video Server"
So where is the database? http://www.exploit-db.com/google-dorks/

OK, I'm Convinced
So, how do I secure myself?
Securing ourselves from Google hackers

Some Additional Info
To inspire you to be a security tester
BHDB

How Vulnerability Scanners Work
Scanner limitations:
If the DB doesn't have it, it won't detect it – purely signature based
Authentication by a scanner is not trustworthy
Lacks IDS detection bypass
No realistic fuzzing possible
Can't replace manual SQL injection
No intelligence in detecting attack vectors and surfaces
Working with custom apps is a limitation
Can identify points of weakness but can't anticipate complex attack schemes
Can't handle asynchronous & offline attack vectors
Can't detect logic flaws, weak cryptographic functions, information leakage etc.
Limitations should be clearly understood

Where Do Actual Hacks Come From?
So, who are these hackers?
Real-life hacker categories

The Take-Away
Top simple security searches that work!
Queries: combine searches with the "site:" operator
intitle:index.of (leads to a direct hack)
intitle:intranet help.desk
filetype:xls username OR password
inurl:admin inurl:userlist

More Queries
inurl:admin OR inurl:password filetype:xls (csv)
inurl:lvappl "Live Applet" site:*.*
inurl:intranet intitle:intranet intext:"human resources"
filetype:log username putty
So where is the GH "database"? Top Ten Searches PDF
Automating the Google searches

Search API OS Script
The Google Web Search API (WSDL) is deprecated; now the Custom Search APIs are used.
Google controls the use: https://developers.google.com/web-search/terms
Open source script: http://pastebin.com/uE5wJWMy
1. Download the script
2. Rename it as .JS
3. Create the data file
4. Call it in any HTML page
http://www.exploit-db.com/google-dorks/
Tools within OS Systems
Open source penetration testing platforms such as BackTrack and Kali support tools for Google hacking. They are:
Exploit-DB Searchsploit
Goodork
Websploit
Social Engineering Toolkit
Burp Suite (decoder)
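An added example, not the pastebin script the slide links and not the presenter's code: a Python driver for the Custom Search JSON API that the slide says replaced the deprecated Web Search API. It builds the request URL (the API's key, cx, q, start and num parameters), scopes each dork to one domain with site:, and turns the JSON response into (title, link) pairs. The API key and search-engine id are placeholders, the response is constructed to match the API's shape so the code runs offline, and the fetch function is injectable so a real run simply passes fetch_json. The free tier of this API is quota-limited (100 queries a day at the time of writing), so batch your dorks accordingly.

```python
"""Run a list of dorks through the Google Custom Search JSON API.

Added example, not part of the original slides. API_KEY / CX_ID below are
placeholders and SAMPLE_RESPONSE is constructed; replace the stub fetch with
fetch_json to query the real endpoint.
"""
import json
import urllib.parse
import urllib.request

API_ENDPOINT = "https://www.googleapis.com/customsearch/v1"


def build_search_url(api_key: str, cx: str, query: str, start: int = 1, num: int = 10) -> str:
    """Request URL for one page of results (start is 1-based, num at most 10)."""
    params = {"key": api_key, "cx": cx, "q": query, "start": start, "num": num}
    return API_ENDPOINT + "?" + urllib.parse.urlencode(params)


def fetch_json(url: str, timeout: float = 10.0) -> str:
    """Real network fetch; not used by the offline demo below."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_results(body: str) -> dict:
    """Reduce an API response to the total count and (title, link) pairs."""
    data = json.loads(body)
    items = [(it.get("title", ""), it.get("link", "")) for it in data.get("items", [])]
    total = int(data.get("searchInformation", {}).get("totalResults", "0"))
    return {"total": total, "items": items}


def run_dorks(dorks, domain, api_key, cx, fetch=fetch_json) -> dict:
    """Scope every dork to `domain` with site: and return the hits per query."""
    report = {}
    for dork in dorks:
        query = f"{dork} site:{domain}"
        url = build_search_url(api_key, cx, query)
        report[query] = parse_results(fetch(url))
    return report


# Constructed response in the shape the API returns (only the fields used here).
SAMPLE_RESPONSE = json.dumps({
    "searchInformation": {"totalResults": "2"},
    "items": [
        {"title": "Index of /backup", "link": "http://files.example.com/backup/"},
        {"title": "Index of /install", "link": "http://files.example.com/install/"},
    ],
})


def demo() -> dict:
    """Offline run: every query is answered with SAMPLE_RESPONSE."""
    return run_dorks(["intitle:index.of", "filetype:xls username"], "example.com",
                     "API_KEY", "CX_ID", fetch=lambda url: SAMPLE_RESPONSE)
```

Keeping the fetch injectable is what makes the driver testable and also what lets you swap in a rate-limited or cached fetch when the dork list is long.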

So, About the Presenter
