by Debasis Mohanty (Orissa, India) www.hackingspirits.com



Similar documents
Evaluation of Google Hacking

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

WEBSITE PENETRATION VIA SEARCH

Web Application Security

Thick Client Application Security

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Data Breaches and Web Servers: The Giant Sucking Sound

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

Passing PCI Compliance How to Address the Application Security Mandates

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Penetration: from Application down to OS

Why Should You Care About Security Issues? SySmox WEB security Top seven ColdFusion Security Issues

JOOMLA SECURITY. ireland website design. by Oliver Hummel. ADDRESS Unit 12D, Six Cross Roads Business Park, Waterford City

External Network & Web Application Assessment. For The XXX Group LLC October 2012

Web application security

Cloud Security:Threats & Mitgations

Criteria for web application security check. Version

What is Web Security? Motivation

5 Simple Steps to Secure Database Development

THE OPEN UNIVERSITY OF TANZANIA

White Paper BMC Remedy Action Request System Security

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

RACK911 Labs. Year in Review. May 6, 2014

Where every interaction matters.

Attack and Penetration Testing 101

OWASP AND APPLICATION SECURITY

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.

Payment Card Industry (PCI) Executive Report. Pukka Software

Magento Security and Vulnerabilities. Roman Stepanov

STABLE & SECURE BANK lab writeup. Page 1 of 21

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

Pentests: Exposing real world attacks

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION

APT Advanced Persistent Threat Time to rethink?

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Web Vulnerability Scanner by Using HTTP Method

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Columbia University Web Security Standards and Practices. Objective and Scope

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

Essential IT Security Testing

SB 1386 / AB 1298 California State Senate Bill 1386 / Assembly Bill 1298

Application Security Testing. Generic Test Strategy

Bank Hacking Live! Ofer Maor CTO, Hacktics Ltd. ATC-4, 12 Jun 2006, 4:30PM

gathering Dave van Stein 9 april 2009

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Security Assessment through Google Tools -Focusing on the Korea University Website

Common Security Vulnerabilities in Online Payment Systems

The Top Web Application Attacks: Are you vulnerable?

Threat Modelling for Web Application Deployment. Ivan Ristic (Thinking Stone)

Cloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Penetration Testing Report Client: Business Solutions June 15 th 2015

SQL Injection January 23, 2013

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

SECURITY TRENDS & VULNERABILITIES REVIEW 2015

RSA Security Anatomy of an Attack Lessons learned

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

05.0 Application Development

Advanced Operators. Chapter 6

Penetration Test Report

Simple Steps to Securing Your SSL VPN

Web Application Security Considerations

Web Application Report

Working Practices for Protecting Electronic Information

Post Exploitation. n00bpentesting.com

Hack Your SQL Server Database Before the Hackers Do

Presentation for : The New England Board of Higher Education. Hot Topics in IT Security and Data Privacy

Penetration Testing Scope Factors

April 11, (Revision 2)

Lab 7 - Exploitation 1. NCS 430 Penetration Testing Lab 7 Sunday, March 29, 2015 John Salamy

Secure Web Applications. The front line defense

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

Attack Vector Detail Report Atlassian

Copyright

Security Awareness For Server Administrators. State of Illinois Central Management Services Security and Compliance Solutions

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

Ethical Hacking & Cyber Security Workshop

Privileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery

Five Steps to Improve Internal Network Security. Chattanooga ISSA

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

Web Application Attacks And WAF Evasion

Network Security. 1 Pass the course => Pass Written exam week 11 Pass Labs

Securing SharePoint 101. Rob Rachwald Imperva

Top Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia

Basic Search Engine Handbook for Recruiters Use Search Engines to identify candidates on the Internet

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER

MatriXay WEB Application Vulnerability Scanner V Overview. (DAS- WEBScan ) The best WEB application assessment tool

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Transcription:

by Debasis Mohanty (Orissa, India) www.hackingspirits.com

Introduction I have been thinking of publishing this paper since long but due to lack of time I was not able to complete it. I use to add and keep this paper updated when I get tired of my daily research work. Google is world s most popular and powerful search engine which has the ability to accept pre-defined commands as inputs and produce unbelievable results. This enables malicious users like hackers, crackers, and script kiddies etc to use Google search engine extensively to gather confidential or sensitive information which are not visible through common searches. In this paper I shall cover the below given points that an administrators or security professionals must take into account to prevent such information disclosures: - Google s Advance Search Query Syntaxes - Querying for vulnerable sites or servers using Google s advance syntaxes - Securing servers or sites from Google s invasion

Google s Advance Search Query Syntaxes Below discussed are various Google s special commands and I shall be explaining each command in brief and will show how it can be used for critical information digging. [ intitle: ] The intitle: syntax helps Google restrict the search results to pages containing that word in the title. For example, intitle: login password (without quotes) will return links to those pages that has the word "login" in their title, and the word "password" anywhere in the page. Similarly, if one has to query for more than one word in the page title then in that case allintitle: can be used instead of intitle to get the list of pages containing all those words in its title. For example using intitle: login intitle: password is same as querying allintitle: login password. [ inurl: ] The inurl: syntax restricts the search results to those URLs containing the search keyword. For example: inurl: passwd (without quotes) will return only links to those pages that have "passwd" in the URL. Similarly, if one has to query for more than one word in an URL then in that case allinurl: can be used instead of inurl to get the list of URLs containing all those search keywords in it. For example: allinurl: etc/passwd will look for the URLs containing etc and passwd. The slash ( / ) between the words will be ignored by Google. [ site: ] The site: syntax restricts Google to query for certain keywords in a particular site or domain. For example: exploits site:hackingspirits.com (without quotes) will look for the keyword exploits in those pages present in all the links of the domain hackingspirits.com. There should not be any space between site: and the domain name. [ filetype: ] This filetype: syntax restricts Google search for files on internet with particular extensions (i.e. doc, pdf or ppt etc). For example: filetype:doc site:gov confidential (without quotes) will look for files with.doc extension in all government domains with.gov extension and containing the word confidential either in the pages or in the.doc file. i.e. the result will contain the links to all confidential word document files on the government sites. [ link: ] link: syntax will list down webpages that have links to the specified webpage. For Example: link:www.securityfocus.com will list webpages that have links pointing to the SecurityFocus homepage. Note there can be no space between the "link:" and the web page url.

[ related: ] The related: will list web pages that are "similar" to a specified web page. For Example: related:www.securityfocus.com will list web pages that are similar to the Securityfocus homepage. Note there can be no space between the "related:" and the web page url. [ cache: ] The query cache: will show the version of the web page that Google has in its cache. For Example: cache:www.hackingspirits.com will show Google's cache of the Google homepage. Note there can be no space between the "cache:" and the web page url. If you include other words in the query, Google will highlight those words within the cached document. For Example: cache:www.hackingspirits.com guest will show the cached content with the word "guest" highlighted. [ intext: ] The intext: syntax searches for words in a particular website. It ignores links or URLs and page titles. For example: intext:exploits (without quotes) will return only links to those web pages that has the search keyword "exploits" in its webpage. [ phonebook: ] phonebook searches for U.S. street address and phone number information. For Example: phonebook:lisa+ca will list down all names of person having Lisa in their names and located in California (CA). This can be used as a great tool for hackers incase someone want to do dig personal information for social engineering.

Querying for vulnerable sites or servers using Google s advance syntaxes Well, the Google s query syntaxes discussed above can really help people to precise their search and get what they are exactly looking for. Now Google being so intelligent search engine, malicious users don t mind exploiting its ability to dig confidential and secret information from internet which has got restricted access. Now I shall discuss those techniques in details how malicious user dig information from internet using Google as a tool. Using Index of syntax to find sites enabled with Index browsing A webserver with Index browsing enabled means anyone can browse the webserver directories like ordinary local directories. Here I shall discuss how one can use index of syntax to get a list links to webserver which has got directory browsing enabled. This becomes an easy source for information gathering for a hacker. Imagine if the get hold of password files or others sensitive files which are not normally visible to the internet. Below given are few examples using which one can get access to many sensitive information much easily. Index of /admin Index of /passwd Index of /password Index of /mail "Index of /" +passwd "Index of /" +password.txt "Index of /" +.htaccess "Index of /secret" "Index of /confidential" "Index of /root" "Index of /cgi-bin" "Index of /credit-card" "Index of /logs" "Index of /config"

Looking for vulnerable sites or servers using inurl: or allinurl: a. Using allinurl:winnt/system32/ (without quotes) will list down all the links to the server which gives access to restricted directories like system32 through web. If you are lucky enough then you might get access to the cmd.exe in the system32 directory. Once you have the access to cmd.exe and are able to execute it then you can go ahead in further escalating your privileges over the server and compromise it. b. Using allinurl:wwwboard/passwd.txt (without quotes) in the Google search will list down all the links to the server which are vulnerable to WWWBoard Password vulnerability. To know more about this vulnerability you can have a look at the following link: http://www.securiteam.com/exploits/2buq4s0saw.html c. Using inurl:.bash_history (without quotes) will list down all the links to the server which gives access to.bash_history file through web. This is a command history file. This file includes the list of command executed by the administrator, and sometimes includes sensitive information such as password typed in by the administrator. If this file is compromised and if contains the encrypted unix (or *nix) password then it can be easily cracked using John The Ripper. d. Using inurl:config.txt (without quotes) will list down all the links to the servers which gives access to config.txt file through web. This file contains sensitive information, including the hash value of the administrative password and database authentication credentials. For Example: Ingenium Learning Management System is a Web-based application for Windows based systems developed by Click2learn, Inc. Ingenium Learning Management System versions 5.1 and 6.1 stores sensitive information insecurely in the config.txt file. For more information refer the following links: http://www.securiteam.com/securitynews/6m00h2k5pg.html

Other similar search using inurl: or allinurl: combined with other syntaxs inurl:admin filetype:txt inurl:admin filetype:db inurl:admin filetype:cfg inurl:mysql filetype:cfg inurl:passwd filetype:txt inurl:iisadmin inurl:auth_user_file.txt inurl:orders.txt inurl:"wwwroot/*." inurl:adpassword.txt inurl:webeditor.php inurl:file_upload.php inurl:gov filetype:xls "restricted" index of ftp +.mdb allinurl:/cgi-bin/ +mailto

Looking for vulnerable sites or servers using intitle: or allintitle: a. Using [allintitle: "index of /root ] (without brackets) will list down the links to the web server which gives access to restricted directories like root through web. This directory sometimes contains sensitive information which can be easily retrieved through simple web requests. b. Using [allintitle: "index of /admin ] (without brackets) will list down the links to the websites which has got index browsing enabled for restricted directories like admin through web. Most of the web application sometimes uses names like admin to store admin credentials in it. This directory sometimes contains sensitive information which can be easily retrieved through simple web requests. Other similar search using intitle: or allintitle: combined with other syntaxs intitle:"index of".sh_history intitle:"index of".bash_history intitle:"index of" passwd intitle:"index of" people.lst intitle:"index of" pwd.db intitle:"index of" etc/shadow intitle:"index of" spwd intitle:"index of" master.passwd intitle:"index of" htpasswd intitle:"index of" members OR accounts intitle:"index of" user_carts OR user_cart allintitle: sensitive filetype:doc allintitle: restricted filetype :mail allintitle: restricted filetype:doc site:gov

Other interesting Search Queries To search for sites vulnerable to Cross-Sites Scripting (XSS) attacks: allinurl:/scripts/cart32.exe allinurl:/cutenews/show_archives.php allinurl:/phpinfo.php To search for sites vulnerable to SQL Injection attacks: allinurl:/privmsg.php allinurl:/privmsg.php

Securing servers or sites from Google s invasion Below given are the security measures which system administrators and security professionals must take into account to secure critical information available online, falling into wrong hands: - Install latest security patches available till date for the applications and as well as the operating system running on the servers. - Don t put critical and sensitive information on servers without any proper authentication system which can be directly accessible to anyone on internet. - Disable directory browsing on the webserver. Directory browsing should be enabled for those web-folders for which you want to give access to anyone on internet. - If you find any links to your restricted server or sites in Google search result then it should be removed. Visit the following link for more details: http://www.google.com/remove.html - Disable anonymous access in the webserver through internet to restricted systems directory. - Install filtering tools like URLScan for servers running IIS as webserver. Conclusion Sometimes increase in sophistication in the systems creates new problems. Google being so sophisticated can be used by any Tom, Dick & Harry on internet to dig sensitive information which is normally neither visible nor reachable to anyone. Well, one can t stop anyone making something sophisticated then the only options left for the security professionals and systems administrators is to secure and harden their systems from such un-authorized invasion.

About Me There is nothing much that I can tell about myself. Well to brief in, I spent most of my time doing vulnerability research, a cup of coffee and internet. That s all about me. To know more about me visit www.hackingspirits.com Debasis Mohanty www.hackingspirits.com Email: debasis_mty@yahoo.com I can also be found at: http://groups.yahoo.com/group/ring-of-fire Comments and suggestion are invited in debasis_mty@yahoo.com.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information