Hacking With The Google Search Engine
Original URL (The Web version of the article)
------------
http://www.defendingthenet.com/newsletters/HackingWithGoogl
e.htm
Title
------------
Hacking With The Google Search Engine
Google: Yes, You Can Find Just About Anything
------------
Hackers and security experts use various custom and open source
tools to complete their tasks. In fact, one of the tools they
use you probably use every time you browse the web, the Google
Search Engine.
I remember the first time I used the Google Search Engine years
ago. I was amazed at how quickly it fulfilled my search request.
Google's huge index of systems / information and it's ability to
perform complex searches have evolved over the years. When we
performed security assessments and penetration test, we
regularly use Google to locate information that organizations
typically want to keep private and confidential.
The reason for me writing this article is to give you several
examples of basic and complex Google search terms and queries.
As a disclaimer, it is not my intention that you use this
information to invade the privacy of someone else or access data
and files on systems that do not belong to you. It is strictly
educational information and a way to make people more aware of
what kind of information they may be exposing to the rest of the
world.
Using Google To Locate Password Files
------------
One of the most common remote web authoring tools is Microsoft's
Front Page. Front page extensions and WebDav, the services on
the web server that allow you to remotely connect and author web
pages, can be configured with a certain degree of security.
However, in certain configurations, the userID and password are
stored in local files on the server. Using a Google query, you
can easily locate thousands of these files and dump the
contents.
The query form is quite simple: "inurl:(filename).pwd", where
(filename) is the name of the .pwd file. This query can be
expanded to be very specific and target a specific site by using
a command to search for a specific site or domain. The results
of a specific search like this would list hundreds if not
thousands of these files that would contain something like "#
-FrontPage- dmiller:I1KEaH1TZqxEw". Basically dumping the userID
and password.
This type of basic query can be used to find all kinds of
interesting information such as using the "intitle:"index of"
(name of directory you want to locate)" which not only reveals
many web directory structures of "index of/", it also reveals
how many web servers on the Internet do not have even the most
basic forms of permissions and directory security. You will find
that once you access a particular directory, that you can then
move up the directory tree and you never know what you may find.
More Complex Search Queries
------------
The Google Search Engine supports very complex query types. For
instance, if you were to construct a query like ""parent
directory " Gamez -xxx -html -htm -php -shtml -opendivx -md5
-md5sums", the query would result in lists upon list of systems
that have a /Gamez directory off the root of the "parent
directory" of the web server. Or, to locate music files of type
mp3 you could issue a query like "intitle:index.of mp3 (name of
band/song)".
The bottom line here is that it is possible to locate very
specific types of files. It is also possible to perform queries
for inline passwords from various search engines by performing a
query similar to "http://*:*@www".
What Else Can Be Found With Google Search Queries
------------
One of the things we do when we are performing a security
assessment is perform a quick review of the various web servers
to determine what types of scripting is being used. For
instance, a lot of people use PHP code to create dynamic
content. Many people install PHP example code and administrative
tools to help them manage their site. Unfortunately, most of the
time these files are not secured and contain login ID's and
passwords. We then use Google search queries to locate these
specific files on the servers in question. I'd say we are
successful in finding files like these that help us gain access
to systems approximately 60% of the time.
We recently learned of a financial institution that was taking
credit card information from one of their partners using a web
based upload service on their primary web server. The problem
was this file was being indexed by the Microsoft Index Service,
the information was being spidered by search engines, and the
file itself did not have effective security permissions on it.
The result, the file was indexed by Google and someone
performing a Google query found it and was able to open it in
the browser, revealing hundreds of credit card numbers, names,
and other personal information. This happens all the time.
Conclusion
------------
The Google Search Engine is a powerful tool that can be used by
people with ill intentions just as it can be used for basic web
searching. If you are setting up a web server at home or the
office, you need to understand that you may be publishing
information on the web that no one but you should see. This
could include financial files, credit card information, and
other private / personal information. There is a lot more to
setting up a "secure" site than just following the Microsoft
setup wizards.
About the author:
About The Author
------------
Darren Miller is an Information Security Consultant with over
sixteen years experience. He has written many technology &
security articles, some of which have been published in
nationally circulated magazines & periodicals. If you would like
to contact Darren you can e-mail him at
Darren.Miller@ParaLogic.Net. If you would like to know more
about computer security please visit us at http://www.defe