Google: Yes, You Can Find Just About Anything
Hackers and security experts use various custom and
open source tools to complete their tasks. In fact, you probably use
one of their tools every time you browse the web: the Google
Search Engine.
I remember the first time I used the Google Search
Engine years ago. I was amazed at how quickly it fulfilled my search
request. Google's huge index of systems / information and its
ability to perform complex searches have evolved over the years. When
we perform security assessments and penetration tests, we regularly
use Google to locate information that organizations typically want to
keep private and confidential.
The reason for me writing this article is to give you
several examples of basic and complex Google search terms and queries.
As a disclaimer, it is not my intention that you use this information
to invade the privacy of someone else or access data and files on systems
that do not belong to you. It is strictly educational information and
a way to make people more aware of what kind of information they may
be exposing to the rest of the world.
Using Google To Locate Password Files
One of the most common remote web authoring tools is
Microsoft's FrontPage. FrontPage extensions and WebDAV, the services
on the web server that allow you to remotely connect and author web
pages, can be configured with a certain degree of security. However,
in certain configurations, the userID and password are stored in local
files on the server. Using a Google query, you can easily locate thousands
of these files and dump the contents.
The query form is quite simple: "inurl:(filename).pwd",
where (filename) is the name of the .pwd file. The query can be made
more specific by adding an operator that restricts the search to a
particular site or domain. The results of a search
like this would list hundreds if not thousands of these files, each
containing something like "# -FrontPage- dmiller:I1KEaH1TZqxEw", which
in effect dumps the userID and password.
This type of basic query can be used to find all kinds
of interesting information. For example, a query of the form
"intitle:"index of" (name of directory you want to locate)" not only
reveals many web directory structures under "index of/", it also reveals
how many web servers on the Internet do not have even the most basic
forms of permissions and directory security. You will find that once
you access a particular directory, you can then move up the directory
tree, and you never know what you may find.
More Complex Search Queries
The Google Search Engine supports very complex query
types. For instance, if you were to construct a query like ""parent
directory " Gamez -xxx -html -htm -php -shtml -opendivx -md5 -md5sums",
the query would result in lists upon lists of systems that have a /Gamez
directory off the root of the "parent directory" of the web server.
Or, to locate music files of type mp3 you could issue a query like "intitle:index.of
mp3 (name of band/song)".
The bottom line here is that it is possible to locate
very specific types of files. It is also possible to perform queries
for inline passwords from various search engines by performing a query
similar to "http://*:*@www".
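The three exposures described above (FrontPage .pwd files, directories served as "index of" listings, and URLs with inline passwords) can be checked for on your own web server before a search engine finds them. This is an added example, not part of the original article; the function names, the list of index documents and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed index-document names; match these to your server's configuration.
INDEX_NAMES = {"index.html", "index.htm", "index.php", "default.htm"}
FRONTPAGE_MARK = b"# -FrontPage-"
# URL carrying inline credentials, e.g. scheme://user:secret@host
INLINE_CRED = re.compile(rb"(?:https?|ftp)://[^\s/:@\"']+:[^\s/@\"']+@[\w.-]+")

def audit_docroot(root):
    """Return sorted (finding, relative_path) pairs for a web document root."""
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        # With no index document, a server with auto-indexing enabled
        # answers requests for this directory with an "Index of" listing.
        if not INDEX_NAMES & {f.lower() for f in files}:
            findings.add(("no-index-document", rel_dir))
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read(65536)  # only the first 64 KiB is inspected
            if name.lower().endswith(".pwd") or FRONTPAGE_MARK in data:
                findings.add(("frontpage-password-file", rel))
            if INLINE_CRED.search(data):
                findings.add(("inline-url-credentials", rel))
    return sorted(findings)

def demo():
    """Audit a constructed sample tree (all names and values are made up)."""
    samples = {
        "index.html": b"<html>home</html>",
        "private/example.pwd": b"# -FrontPage-\nexampleuser:CONSTRUCTEDHASH\n",
        "backup/notes.txt": b"pull ftp://exampleuser:examplepass@files.example.com/x",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        return audit_docroot(root)

if __name__ == "__main__":
    for finding, path in demo():
        print(f"{finding:26} {path}")
```

Point audit_docroot at the real document root; each finding is a file to move out of the web tree or a directory that needs an index document or listing disabled.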
What Else Can Be Found With Google Search Queries
One of the things we do when we are performing a security
assessment is perform a quick review of the various web servers to determine
what type of scripting is being used. For instance, a lot of people
use PHP code to create dynamic content. Many people install PHP example
code and administrative tools to help them manage their site. Unfortunately,
most of the time these files are not secured and contain login IDs
and passwords. We then use Google search queries to locate these specific
files on the servers in question. I'd say we are successful in finding
files like these that help us gain access to systems approximately 60%
of the time.
We recently learned of a financial institution that
was taking credit card information from one of their partners using
a web based upload service on their primary web server. The problem
was this file was being indexed by the Microsoft Index Service, the
information was being spidered by search engines, and the file itself
did not have effective security permissions on it. The result: the file
was indexed by Google and someone performing a Google query found it
and was able to open it in the browser, revealing hundreds of credit
card numbers, names, and other personal information. This happens all
the time.
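A server's own access log shows whether a crawler has already retrieved a file like this one. The check below is an added example, not part of the original article; the log lines are constructed, and the pattern of sensitive paths is an assumption to replace with your site's own.

```python
import re

# Combined Log Format:
# host ident user [time] "METHOD path proto" status size "referer" "agent"
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
CRAWLER = re.compile(r"bot|spider|crawl", re.IGNORECASE)
# Assumption: paths this site treats as private.
SENSITIVE = re.compile(r"\.pwd$|^/uploads/|\.(?:csv|xls|bak)$", re.IGNORECASE)

def crawler_exposures(lines):
    """Return (path, agent) for sensitive paths a crawler fetched with a 200."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than guessing at fields
        path = m["path"].split("?", 1)[0]
        if (m["status"] == "200" and CRAWLER.search(m["agent"])
                and SENSITIVE.search(path)):
            hits.append((path, m["agent"]))
    return hits

GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
# Constructed sample log lines (documentation IP range, made-up paths).
SAMPLE_LOG = [
    f'192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "{GOOGLEBOT}"',
    f'192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /uploads/partner_batch.csv HTTP/1.1" 200 48213 "-" "{GOOGLEBOT}"',
    '192.0.2.44 - - [01/Jan/2024:10:02:00 +0000] "GET /uploads/partner_batch.csv HTTP/1.1" 200 48213 "-" "Mozilla/5.0 (Windows NT 10.0)"',
    '192.0.2.77 - - [01/Jan/2024:10:03:00 +0000] "GET /private/example.pwd HTTP/1.1" 403 199 "-" "ExampleSpider/1.0"',
    "not a log line",
]

if __name__ == "__main__":
    for path, agent in crawler_exposures(SAMPLE_LOG):
        print(f"crawler retrieved {path}  ({agent})")
```

A hit means the file was served to a crawler and may already be indexed: restrict access to it, then request removal from the search engine's index.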
Conclusion
The Google Search Engine is a powerful tool that can
be used by people with ill intentions just as it can be used for basic
web searching. If you are setting up a web server at home or the office,
you need to understand that you may be publishing information on the
web that no one but you should see. This could include financial files,
credit card information, and other private / personal information. There
is a lot more to setting up a "secure" site than just following the
Microsoft setup wizards.