Google Hacking W4 - Using Google to Find Vulnerabilities in Your IT Environment 14 April 2013 InfoSec World 2013 Orlando, FL Presented by: Francis Brown & Rob Ragan Stach & Liu, LLC www.stachliu.com
Agenda O V E R V I E W Introduction/Background Advanced Attacks NEW Diggity Attack Tools Malware and Search Engines Non-Diggity Tools Advanced Defenses NEW AlertDiggity Cloud Database Future Directions 2
Introduction/Background GETTING UP TO SPEED 3
Open Source Intelligence S E A R C H I N G P U B L I C S O U R C E S OSINT is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. 4
Google/Bing Hacking S E A R C H E N G I N E A T T A C K S 5
Google vs Bing Size M O R E B A N G F O R Y O U R S E A R C H 6
Attack Targets G O O G L E H A C K I N G D A T A B A S E Advisories and Vulnerabilities (215) Error Messages (58) Files containing juicy info (230) Files containing passwords (135) Files containing usernames (15) Footholds (21) Pages containing login portals (232) Pages containing network or vulnerability data (59) Sensitive Directories (61) Sensitive Online Shopping Info (9) Various Online Devices (201) Vulnerable Files (57) Vulnerable Servers (48) Web Server Detection (72) 7
Google Hacking = Lulz R E A L W O R L D T H R E A T LulzSec and Anonymous believed to use Google Hacking as a primary means of identifying vulnerable targets. Their releases have nothing to do with their goals or their lulz. It's purely based on whatever they find with their "google hacking" queries and then release it. -- A-Team, 28 June 2011 8
Google Hacking = Lulz R E A L W O R L D T H R E A T 22:14 <@kayla> Sooooo...using the link above and the google hack string.!host=*.* intext:enc_userpassword=* ext:pcf Take your pick of VPNs you want access too. Ugghh.. Aaron Barr CEO HBGary Federal Inc. 22:15 <@kayla> download the pcf file 22:16 <@kayla> then use http://www.unix-ag.unikl.de/~massar/bin/cisco-decode?enc= to clear text it 22:16 <@kayla> = free VPN 9
Diggity Tools P R O J E C T O V E R V I E W 10
Diggity Tools A T T A C K T O O L S Tool GoogleDiggity BingDiggity FlashDiggity DLPDiggity LinkFromDomain CodeSearch Diggity MalwareDiggity Description Traditional Google hacking tool Bing equivalent of traditional Google hacking tool Adobe Flash security scanning tool Data loss prevention scanning tool Bing footprinting tool based on off-site links Open-source code vulnerability scanning tool Malware link detection tool for off-site links 11
Diggity Tools N E W A T T A C K T O O L S Tool PortScan Diggity NotInMyBackYard BHDB 2.0 Bing BinaryMalware CodeSearch REBORN SHODAN Diggity Description Passive port scanning via Google Easily find your info in third-party sites New Bing Hacking DB now as effective as Google Find malware via Bing s indexing of executables Brought back from the dead Easy interface to SHODAN search engine 12
Diggity Scraping N E W A C R O S S A L L A T T A C K T O O L S 13
Diggity Scraping P R O X I E S S P E C I F I C A T I O N 14
Diggity Scraping M A N U A L P R O X I E S S P E C I F I C A T I O N 15
Advanced Attacks W H A T Y O U S H O U L D K N O W 16
Diggity Core Tools S T A C H & L I U T O O L S Google Diggity Uses Google JSON/ATOM API Not blocked by Google bot detection Does not violate Terms of Service Max 100 results per query Max 10k queries per day. $5 per 1000 queries Required to use Bing Diggity Uses Bing Search API (Azure Marketplace) 5,000 queries per month for free Max 50 results per query Company/Webapp Profiling Enumerate: URLs, IP-to-virtual hosts, etc. Bing Hacking Database (BHDBv2) Vulnerability search queries in Bing format 17
New Features D I G G I T Y C O R E T O O L S Google Diggity - New API Updated to use Google JSON/ATOM API Due to deprecated Google AJAX API Misc. Feature Uprades Auto-update for dictionaries Output export formats Now also XLS and HTML Help File chm file added 18
New Features D O W N L O A D B U T T O N Download Buttons for Google/Bing Diggity Download actual files from Google/Bing search results Downloads to default: C:\DiggityDownloads\ Used by other tools for file download/analysis: FlashDiggity, DLP Diggity, MalwareDiggity, 19
New Features A U T O - U P D A T E S SLDB Updates in Progress Example: SharePoint Google Dictionary http://www.stachliu.com/resources/tools/sharepoint-hacking-diggityproject/#sharepoint GoogleDiggity Dictionary File 20
New Features I P A D D R E S S R A N G E S GoogleDiggity can now search for IP Address Ranges 21
New Features T A R G E T I N G H T T P A D M I N C O N S O L E S Searching for web admin interfaces on non-standard HTTP ports 22
Dictionary Updates T H I R D - P A R T Y I N T E G R A T I O N New maintainers of the GHDB 09 Nov 2010 http://www.exploit-db.com/google-hacking-database-reborn/ 23 tht
Google Diggity D I G G I T Y C O R E T O O L S 24
Hacking CSE s A L L T O P L E V E L D O M A I N S 25
Bypass Google CSE s F U L L W E B S E A R C H R E S U L T S 26
Bing Diggity D I G G I T Y C O R E T O O L S 27
N E W G O O G L E H A C K I N G T O O L S Bing Hacking Database v2.0 28
Bing Hacking Database v2.0 S T A C H & L I U T O O L S BHDB v2.0 Updates Bing hacking database Bing hacking limitations Disabled inurl:, link: and linkdomain: directives in March 2007 No support for ext:, allintitle:, allinurl: Limited filetype: functionality Only 12 extensions supported UPDATES (2012) ext: functionality now added inurl: work around by using instreamset:url: New BHDB 2.0 Several thousand more Bing dorks! 29
N E W G O O G L E H A C K I N G T O O L S NotInMyBackYard 30
Data Leaks on Third-Party Sites S E N S I T I V E I N F O E V E R Y W H E R E Verizon - 2012 Data Breach Investigation Report 31
PasteBin Twitter Leaks P A S S W O R D S I N P A S T E B I N. C O M P O S T S Twitter feed tracking passwords leaked via PasteBin 32
Cloud Docs Exposures P U B L I C C L O U D S E A R C H I N G Public cloud storage document exposures 33
Cloud Docs Exposures R O B O T S. T X T I S D E A D Personal photo galleries exposed 34
Data Loss In The News M A J O R D A T A L E A K S Yale Alumni 43,000 SSNs Exposed in Excel Spreadsheet 35
Data Loss In The News M A J O R D A T A L E A K S Lifeline170,000 SSNs Exposed in Customer Applications 36
NotInMyBackYard L O C A T I O N, L O C A T I O N, L O C A T I O N Cloud storage: Google Docs, DropBox, Microsoft SkyDrive, Amazon S3 Social networking sites: Facebook, Twitter, LinkedIn Public document sharing sites: scribd.com, 4shared.com, issuu.com, docstoc.com, PasteBin and text sharing sites: pastebin.com, pastie.org, Public presentations sharing sites: slideshare.net, prezi.com, present.me, authorstream.com Public charts and graphs sharing sites: ratemynetworkdiagram.com, gliffy.com, ManyEyes, lucidchart.com Video sharing sites: vimeo.com, dailymotion.com, metacafe.com, youtube.com 37
NotInMyBackYard P A S T E B I N E X A M P L E 38
NotInMyBackYard X L S I N C L O U D E X A M P L E 39
Cloud Docs Exposures P U B L I C C L O U D S E A R C H I N G Public cloud storage document exposures 40
NotInMyBackYard P E R S O N A L U S E 41
N E W G O O G L E H A C K I N G T O O L S PortScan Diggity 42
PortScanning T A R G E T I N G H T T P A D M I N C O N S O L E S Searching for web admin interfaces on non-standard HTTP ports 43
PortScanning T A R G E T I N G P O R T R A N G E S Searching for specific port ranges 44
PortScanning T A R G E T I N G V U L N E R A B I L I T Y Targeting specific HTTP ports example 45
PortScan Diggity T A R G E T I N G H T T P A D M I N C O N S O L E S 46
N E W G O O G L E H A C K I N G T O O L S CodeSearch Diggity 47
Google Code Search V U L N S I N O P E N S O U R C E C O D E Regex search for vulnerabilities in indexed public code, including popular open source code repositories: Example: SQL Injection in ASP querystring select.*from.*request\.querystring 48
CodeSearch Diggity A M A Z O N C L O U D S E C R E T K E Y S 49
Cloud Security N O P R O M I S E S...N O N E Amazon AWS Customer Agreement http://aws.amazon.com/agreement/#10 50
Cloud Crawling C R E A T E Y O U R O W N S E A R C H E N G I N E S 51
Google Code Search V U L N S I N O P E N S O U R C E C O D E 52
Google Code Search V U L N S I N O P E N S O U R C E C O D E 53
N E W G O O G L E H A C K I N G T O O L S SHODAN Diggity 54
SHODAN H A C K E R S E A R C H E N G I N E Indexed service banners for whole Internet for HTTP (Port 80), as well as some FTP (23), SSH (22) and Telnet (21) services 55
SHODAN F I N D I N G S C A D A S Y S T E M S 56
SHODAN F I N D I N G S C A D A S Y S T E M S 57
SHODAN Diggity F I N D I N G S C A D A S Y S T E M S 58
N E W G O O G L E H A C K I N G T O O L S Bing LinkFromDomainDiggity 59
Bing LinkFromDomain D I G G I T Y T O O L K I T 60
Bing LinkFromDomain F O O T P R I N T I N G L A R G E O R G A N I Z A T I O N S 61
N E W G O O G L E H A C K I N G T O O L S DLP Diggity 62
DLP Diggity L O T S O F F I L E S T O D A T A M I N E 63
DLP Diggity M O R E D A T A S E A R C H A B L E E V E R Y Y E A R Google Results for Common Docs 1,200,000,000 1,030,000,000 1,000,000,000 800,000,000 513,000,000 2004 2007 600,000,000 400,000,000 260,000,000 182,000,000 84,500,000 29,200,000 173,000,000 2011 2012 200,000,000 0 10,900,000 PDF 17,300,000 46,400,000 2012 42,000,000 16,100,000 30,100,000 2011 2,100,000 969,000 2007 1,720,000 DOC 2004 XLS TXT 64
Data Loss In The News M A J O R D A T A L E A K S Groupon.com Leaks 300,000 users emails and passwords filetype:sql hotmail gmail password 65
Data Loss In The News M A J O R D A T A L E A K S Yale Alumni 43,000 SSNs Exposed in Excel Spreadsheet 66
DLP Diggity D I G G I T Y T O O L K I T 67
DLP Reporting P R A C T I C A L E X A M P L E S 68
DLP Reporting P R A C T I C A L E X A M P L E S 69
N E W G O O G L E H A C K I N G T O O L S FlashDiggity 70
FlashDiggity D I G G I T Y T O O L K I T Google/Bing for SWF files on target domains Example search: filetype:swf site:example.com Download SWF files to C:\DiggityDownloads\ Disassemble SWF files and analyze for Flash vulnerabilities 71
Flash Non-SWF Hacking O T H E R F L A S H H A C K I N G Google/Bing for Non-SWF files on target domains, but related to Flash. Example queries: inurl:crossdomain.xml ext:xml intext:"secure" intext:"false intext:"swf" intext:"param name" intext:"allownetworking * all Download Non-SWF files to C:\DiggityDownloads\ Use DLPDiggity to analyze for non-swf Flash vulnerabilities, such as: Crossdomain.xml Insecure Settings Secure flag set to false Open * wildcard used Unsafe Flash HTML Embed Settings: AllowScriptAccess always AllowNetworking all AllowFullScreen true 72
N E W G O O G L E H A C K I N G T O O L S Baidu Diggity 73
BaiduDiggity C H I N A S E A R C H E N G I N E Fighting back 74
Malware and Search Engines UNHOLY UNION 75
Rise of Malware N O S I T E S A R E S A F E SOPHOS - Security Threat Report 2012 Popular websites victimized, become malware distribution sites to their own customers 76
Mass Injection Attacks M A L W A R E G O N E W I L D Malware Distribution Woes WSJ.com June2010 Popular websites victimized, become malware distribution sites to their own customers 77
Mass Injection Attacks M A L W A R E G O N E W I L D Malware Distribution Woes LizaMoon April2011 Popular websites victimized, become malware distribution sites to their own customers 78
Mass Injection Attacks M A L W A R E G O N E W I L D Malware Distribution Woes willysy.com - August2011 Popular websites victimized, become malware distribution sites to their own customers 79
Watering Hole Attacks M A L W A R E G O N E W I L D Malware Distribution Woes mysql.com - Sept2011 Popular websites victimized, become malware distribution sites to their own customers 80
Watering Hole Attacks M A L W A R E G O N E W I L D Malware Distribution Woes LATimes.com - Feb2013 Popular websites victimized, become malware distribution sites to their own customers 81
Watering Hole Attacks M A L W A R E G O N E W I L D Malware Distribution Woes iphonedevsdk.com - Feb2013 Popular websites victimized, become malware distribution sites to their own customers 82
Inconvenient Truth D * * * H E A D A L E R T S Y S T E M Malware Black List Woes Average web administrator has no idea when their site gets black listed 83
Malware SaaS Services C R I M I N A L T H I R D - P A R T Y S O L U T I O N S 84
N E W G O O G L E H A C K I N G T O O L S Malware Diggity 85
MalwareDiggity D I G G I T Y T O O L K I T 1. Leverages Bing s linkfromdomain: search operator to find off-site links of target applications/domains 2. Runs off-site links against Google s Safe Browsing API to determine if any are malware distribution sites 3. Return results that identify malware sites that your web applications are directly linking to 86
Malware Diggity D I G G I T Y T O O L K I T 87
Malware Diggity D I G G I T Y T O O L K I T 88
Malware Diggity D I A G N O S T I C S I N R E S U L T S 89
N E W G O O G L E H A C K I N G T O O L S BingBinaryMalwareSearch (BBMS) 90
Bing Malware Search T A R G E T I N G M A L W A R E Targeting known malware signatures 91
Black Hat SEO S E A R C H E N G I N E O P T I M I Z A T I O N Use popular search topics du jour Pollute results with links to badware Increase chances of a successful attack 92
Google Trends B L A C K H A T S E O R E C O N 93
Google Trends P R E D I C T I N G E L E C T I O N S 94
Malvertisements M A L W A R E A D S I N S E A R C H E N G I N E S 95
Google Vanity Alerts S P E A R P H I S H I N G V I A G O O G L E Malcious web sites created hosting some browser exploit Blackhat SEO to target Google Alerts of executives names Delivered right to targets email by Google Alerts service 96
Search Engine deoptimization B L A C K L I S T Y O U R F O E S Identify Malware Links Profit Mass Inject Competition Competition PageRank is 0 Competition Black Listed 97
Malware Defenses PROTECT YO NECK 98
Anti-virus is Dead M A L W A R E D E F E N S E S AntiVirus Wouldn t Play Those Odds Only 3 of 46 anti-virus vendors would have helped 99
Malware Defenses B L A C K H A T S E O D E F E N S E S Malware Warning Filters Google Safe Browsing Microsoft SmartScreen Filter Yahoo Search Scan Sandbox Software Sandboxie (sandboxie.com) Dell KACE - Secure Browser Office 2010 (Protected Mode) SharePoint 2010 (Sandboxed Solutions) Adobe Reader Sandbox (Protected Mode) Adobe Flash Sandbox (Protected Mode) NEW May2012 No-script and Ad-block browser plugins 100
Browser Filters M A L W A R E D E F E N S E S Protecting users from known threats Joint effort to protect customers from known malware and phishing links 101
MalwareDiggity Alerts M O N I T O R I N G F O R I N F E C T I O N S Identify External Links Alert Identify Incoming Links Detect Infections Compare to Black List 102
Monitoring Malware M A L W A R E D E F E N S E S Google Safe Browsing Alerts for Network Administrators Google s new service which greatly resembles MalwareDiggity Imitation is the sincerest form of flattery 103
Monitoring Malware M A L W A R E D E F E N S E S 104
Disable Java D O M I N A N T T H R E A T In the Cisco 2013 Annual Security Report, Java accounted for 87% of exploits reported in the survey, dwarfing the number of PDF, Flash and ActiveX attacks. If at all possible, disable Java in your browsers 87% 105
Disable Java M A L W A R E D E F E N S E S 106
Help from Google M A L W A R E D E F E N S E S Google releases Help for Hacked Sites 12Mar2013 107
N O N D I G G I T Y A T T A C K T O O L S Other Search Hacking Tools 108
Maltego I N F O R M A T I O N G A T H E R I N G T O O L 109
Maltego I N F O R M A T I O N G A T H E R I N G T O O L 110
Maltego I N F O R M A T I O N G A T H E R I N G T O O L 111
theharvester F O O T P R I N T I N G T O O L Gathers e-mail accounts, user names and hostnames, and subdomains 112
theharvester F O O T P R I N T I N G E X A M P L E 113
Metagoofil F O O T P R I N T I N G T O O L 114
SpiderFoot 2.0 F O O T P R I N T I N G T O O L 115
FOCA I N F O G A T H E R I N G A N D M E T A D A T A 116
SHODAN H A C K E R S E A R C H E N G I N E Indexed service banners for whole Internet for HTTP (Port 80), as well as some FTP (23), SSH (22) and Telnet (21) services 117
DeepMagic DNS F O O T P R I N T I N G D N S S E A R C H E N G I N E DNS/IP Addr records hacker search engine 118
PasteBin Leaks P A S S W O R D S I N P A S T E B I N. C O M P O S T S Twitter feed tracking passwords leaked via PasteBin 119
Internet Census 2012 N M A P O F E N T I R E I N T E R N E T ~420k botnet used to perform NMAP against entire IPv4 addr space! ICMP sweeps, SYN scans, Reverse DNS, and Service probes of 662 ports Free torrent of 568GB of NMAP results (9TB decompressed NMAP results) 120
Advanced Defenses P R O T E C T Y O N E C K 121
Traditional Defenses G O O G L E H A C K I N G D E F E N S E S Google Hack yourself organization Employ tools and techniques used by hackers Remove info leaks from Google cache http://www.google.com/remove.html Regularly update your robots.txt. Or robots meta tags for individual page exclusion Data Loss Prevention/Extrusion Prevention Systems Free Tools: OpenDLP, Senf Policy and Legal Restrictions 122
Existing Defenses H A C K Y O U R S E L F Tools exist Convenient Real-time updates Multi-engine results Historical archived data Multi-domain searching 123
Advanced Defenses N E W H O T S I Z Z L E Stach & Liu now proudly presents: Google and Bing Hacking Alerts SharePoint Hacking Alerts 118 dorks SHODAN Hacking Alerts 26 dorks Diggity Alerts FUNdle Bundles Consolidated alerts into 1 RSS feed Alert Client Tools Alert Diggity Windows systray notifications idiggity Alerts iphone notification app 124
Google Hacking Alerts A D V A N C E D D E F E N S E S Google Hacking Alerts All hacking database queries using Real-time vuln updates to >2400 hack queries via RSS Organized and available via importable file 125
Google Hacking Alerts A D V A N C E D D E F E N S E S 126
Bing Hacking Alerts A D V A N C E D D E F E N S E S Bing Hacking Alerts Bing searches with regexs from BHDB Leverages http://api.bing.com/rss.aspx Real-time vuln updates to >900 Bing hack queries via RSS 127
Bing/Google Alerts L I V E V U L N E R A B I L I T Y F E E D S World s Largest Live Vulnerability Repository Daily updates of ~3000 new hits per day 128
Diggity Alerts One Feed to Rule Them All A D V A N C E D D E F E N S E T O O L S Diggity Alert Fundle Bundle 129
FUNdle Bundle A D V A N C E D D E F E N S E S 130
FUNdle Bundle A D V A N C E D D E F E N S E S 131
FUNdle Bundle M O B I L E F R I E N D L Y 132
A D V A N C E D D E F E N S E T O O L S SHODAN Alerts 133
SHODAN Alerts F I N D I N G S C A D A S Y S T E M S 134
SHODAN Alerts F I N D I N G S C A D A S Y S T E M S 135
SHODAN Alerts S H O D A N R S S F E E D S 136
Bing/Google Alerts T H I C K C L I E N T S T O O L S Google/Bing Hacking Alert Thick Clients Google/Bing Alerts RSS feeds as input Allow user to set one or more filters e.g. yourcompany.com in the URL Several thick clients being released: Windows Systray App Droid app (coming soon) iphone app 137
A D V A N C E D D E F E N S E T O O L S Alert Diggity 138
Alerts Diggity A D V A N C E D D E F E N S E S 139
idiggity Alerts A D V A N C E D D E F E N S E T O O L S idiggity Alerts 140
idiggity Alerts A D V A N C E D D E F E N S E S 141
idiggity Alerts A D V A N C E D D E F E N S E S 142
New Defenses G O O G L E / B I N G H A C K A L E R T S Tools exist Convenient Real-time updates Multi-engine results Historical archived data Multi-domain searching 143
Diggity Alert DB D A T A M I N I N G V U L N S Diggity Alerts Database 144
Future Direction I S N O W 145
Diggity Dashboards C O M I N G S O O N Google Charts Mobile BI Apps 146
Questions? Ask us something We ll try to answer it. For more info: Fran Brown Rob Ragan (@sweepthatleg) Email: contact@stachliu.com Project: diggity@stachliu.com Stach & Liu, LLC www.stachliu.com
Thank You Stach & Liu Google Hacking Diggity Project info: http://www.stachliu.com/index.php/resources/tools/google-hacking-diggity-project/ 148