
Advanced Penetration Testing and Security Analysis

Module 2: Advanced Googling

Copyright 2004 EC-Council. All rights reserved worldwide. Reproduction is Strictly Prohibited
Module Objective

This module will familiarize you with:

Site Operator
intitle:index.of
error | warning
login | logon
admin | administrator
Google Advanced Search Form
Categorization of the Operators
Viewing Live Web Cams
Locating Source Code with Common Strings
Locating Vulnerable Targets
Locating Targets Via Demonstration Pages
Locating Targets Via Source Code
Vulnerable Web Application Examples
Locating Targets Via CGI Scanning
A Single CGI Scan-Style Query
Directory Listings
Web Server Software Error Messages
The Goolag Scanner
Site Operator

The site operator is absolutely invaluable during the information-gathering phase of an assessment.

A site search can be used to gather information about the servers and hosts that a target hosts.

Using simple reduction techniques, we can quickly get an idea about a target's online presence.

Consider the following simple example:

site:washingtonpost.com -site:www.washingtonpost.com

This query effectively locates pages on the washingtonpost.com domain other than www.washingtonpost.com.

Site Operator (cont'd)
intitle:index.of

intitle:index.of is the universal search for directory listings.

In most cases, this search applies only to Apache-based servers, but due to the overwhelming number of Apache-derived web servers on the Internet, there's a good chance that the server you're profiling will be Apache-based.

intitle:index.of (cont'd)
error | warning

Error messages can reveal a great deal of information about a target.

Often overlooked, error messages can provide insight into the application or operating system software a target is running, the architecture of the network the target is on, information about users on the system, and much more.

Not only are error messages informative, they are prolific.

A query of intitle:error results in over 55 million results.

error | warning (cont'd)
login | logon

Login portals can reveal the software and operating system of a target, and in many cases self-help documentation is linked from the main page of a login portal.

These documents are designed to assist users who run into problems during the login process.

Whether the user has forgotten his or her password or even username, these documents can provide clues that might help an attacker.

Documentation linked from login portals lists email addresses, phone numbers, or URLs of human assistants who can help a troubled user regain lost access.

These assistants, or help desk operators, are perfect targets for a social engineering attack.

login | logon (cont'd)
username | userid | employee.ID | your username is

There are many different ways to obtain a username from a target system.

Even though a username is the less important half of most authentication mechanisms, it should at least be marginally protected from outsiders.
password | passcode | your password is

The word password is so common on the Internet, there are over 73 million results for this one-word query.

During an assessment, it's very likely that results for this query combined with a site operator will include pages that provide help to users who have forgotten their passwords.

In some cases, this query will locate pages that provide policy information about the creation of a password.

This type of information can be used in an intelligent-guessing, or even a brute-force, campaign against a password field.

password | passcode | your password is (cont'd)
admin | administrator

The word administrator is often used to describe the person in control of a network or system.

The word administrator can also be used to locate administrative login pages, or login portals.

The phrase "Contact your system administrator" is a fairly common phrase on the web, as are several basic derivations.

A query such as "please contact your * administrator" will return results that reference local, company, site, department, server, system, network, database, email, and even tennis administrators.

If a web user is told to contact an administrator, the odds are that there's data of at least moderate importance to a security tester.

admin | administrator (cont'd)

admin login

admin login reveals administrative login pages.
-ext:html -ext:htm -ext:shtml -ext:asp -ext:php

The -ext:html -ext:htm -ext:shtml -ext:asp -ext:php query uses ext, a synonym for the filetype operator, and is a negative query.

It returns no results when used alone and should be combined with a site operator to work properly.

The idea behind this query is to exclude some of the most common Internet file types in an attempt to find files that might be more interesting.

-ext:html -ext:htm -ext:shtml -ext:asp -ext:php (cont'd)
inurl:temp | inurl:tmp | inurl:backup | inurl:bak

The inurl:temp | inurl:tmp | inurl:backup | inurl:bak query, combined with the site operator, searches for temporary or backup files or directories on a server.

Although there are many possible naming conventions for temporary or backup files, this search focuses on the most common terms.

Since this search uses the inurl operator, it will also locate files that contain these terms as file extensions, such as index.html.bak.
Google Advanced Search Form

Google's advanced search form is easy to use and provides more options for the search.

It allows a user to select or prohibit pages with more accuracy.

It focuses on options, which results in a more targeted and accurate search.

One can categorize the search by giving all the words, an exact phrase, or at least one of the words.

By following the procedure below, it is simple to perform an advanced search:

Go to Google's standard search text box.

Click on "Advanced search" at the right side of the search box.

Google Advanced Search Form: Screenshot
Categorization of the Operators

Search Service: Search Operators

Web Search: allinanchor:, allintext:, allintitle:, allinurl:, cache:, define:, filetype:, id:, inanchor:, info:, intext:, intitle:, inurl:, phonebook:, related:, rphonebook:, site:, stocks:

Image Search: allintitle:, allinurl:, filetype:, inurl:, intitle:, site:

Groups: allintext:, allintitle:, author:, group:, insubject:, intext:, intitle:

Directory: allintext:, allintitle:, allinurl:, ext:, filetype:, intext:, intitle:, inurl:

News: allintext:, allintitle:, allinurl:, intext:, intitle:, inurl:, location:, source:

Froogle: allintext:, allintitle:, store:
allinanchor:

The query with allinanchor restricts the results to pages containing all the query terms in their inbound links.

Avoid the use of any other search operators while using allinanchor.

Example: allinanchor: Longest river

It will return the results that contain "longest" and "river" in the anchor text of the pages.

Screenshot - allinanchor:
allintext:

The query with allintext restricts the results to pages containing all query terms only in the text (it does not check the URL or title).

Example: allintext: Best travel

It will return the results that contain "Best" and "travel" in the text of the page.

Screenshot - allintext:
allintitle:

The query with allintitle restricts results to pages containing all query terms specified in the title.

Avoid the use of any other search operators while using allintitle.

Example: allintitle: Vulnerability attacks

It will return the results which contain "vulnerability" and "attacks" in the title.

In image search, allintitle returns images that contain the terms specified.

Screenshot - allintitle:
author:

The query with author includes newsgroup articles by the author specified in the query.

The author name can be a full name, partial name, or email ID.

Example: Hacking author: Linda Lee

It will return the articles that contain the word "Hacking" written by Linda Lee.

Screenshot - author:
cache:

The query cache:url displays Google's cached version of a web page.

Do not put a space between cache: and the URL.

Example: cache:www.eccouncil.org

It shows the cached version of eccouncil.

Screenshot - cache:
define:

The query with define shows definitions from pages on the web for the term specified.

It is useful for finding definitions of words, phrases, and acronyms.

Example: define: hacking

It shows the definitions for the term "Hacking".

Screenshot - define:
filetype:

The query with filetype:suffix shows the result pages whose names end in suffix.

Example: web attacks filetype:pdf

It returns Adobe Acrobat PDF files that match the terms "web" and "attacks".

Screenshot - filetype:
group:

The query with group restricts results to newsgroup articles from certain groups or subareas.

Example: Sleep group:misc.kids

It returns articles in the subarea misc.kids that contain the word "sleep".

Screenshot - group:
inanchor:

Searches for the text representation of the link.

The query with inanchor restricts results to pages containing the query terms specified.

Example: restaurants inanchor: menu

It returns pages with anchor text in the links to the pages containing the word "menu", and the page contains the word "restaurants".

Screenshot - inanchor:
insubject:

The query with insubject restricts articles in Google Groups to pages containing the query terms specified.

Example: insubject:Security issue

It returns Google Groups articles that contain the phrase "Security issue" in the subject.

It is equivalent to intitle:.

Screenshot - insubject:
intext:

The query with intext:term restricts results to documents containing the term in the text.

There must be no space between intext: and the following word.

Example: intext:poem

Screenshot - intext:
link:

The query with link:URL shows pages that point to that URL.

Example: link:www.googleguide.com

Screenshot - link:
location:

The query with location will show articles from Google News, and only from the location specified.

Example: Hackers location: China

It shows articles that match the term "Hackers" from sites in China.

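A linter for the operator rules stated on the slides above (allinanchor: and allintitle: used without other operators, no space after cache: or intext:, ext: as a synonym for filetype:, a negative-only query needing a positive site: term), added here as an example and not part of the EC-Council material; the operator list comes from the categorization table, and the own_domain check is an assumed policy for keeping self-assessment queries scoped to one's own domain.

```python
"""Tokenise and lint Google search queries against the operator rules this
module states, so self-assessment dorks are checked before they are run.
Added example (not EC-Council material); the own_domain policy is assumed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Operators from the categorization table, plus link: from the operator slides.
KNOWN_OPERATORS = {
    "allinanchor", "allintext", "allintitle", "allinurl", "cache", "define",
    "filetype", "ext", "id", "inanchor", "info", "intext", "intitle", "inurl",
    "phonebook", "related", "rphonebook", "site", "stocks", "author", "group",
    "insubject", "location", "source", "store", "link",
}
EXCLUSIVE = {"allinanchor", "allintitle"}   # use alone, per the slides
NO_SPACE = {"cache", "intext"}              # argument follows the colon directly
SYNONYMS = {"ext": "filetype"}              # ext: is a synonym for filetype:

# A token is an optional "-" (exclude), an optional "operator:", then either a
# quoted phrase or a run of non-space characters.
_TOKEN = re.compile(r'-?(?:[A-Za-z]+:)?(?:"[^"]*"|[^\s"]+)')
_PARTS = re.compile(r'(-?)([A-Za-z]+:)?(.*)', re.S)


@dataclass
class Token:
    negated: bool
    operator: Optional[str]   # normalised operator name, None for a bare term
    value: str                # operator argument, or the term itself


def _parse(raw: str) -> Token:
    neg, op, value = _PARTS.fullmatch(raw).groups()
    if op:
        name = op[:-1].lower()
        if name in KNOWN_OPERATORS:
            return Token(neg == "-", SYNONYMS.get(name, name), value)
    # "http://..." or "foo:bar" with an unknown prefix is just a term.
    return Token(neg == "-", None, raw[1:] if neg else raw)


def tokenize(query: str) -> List[Token]:
    return [_parse(raw) for raw in _TOKEN.findall(query)]


def lint(query: str, own_domain: Optional[str] = None) -> List[str]:
    """Return the problems found; an empty list means the query is well formed."""
    tokens = tokenize(query)
    ops = [t.operator for t in tokens if t.operator]
    problems: List[str] = []

    # allinanchor:/allintitle: must be the only operator in the query.
    for ex in sorted(EXCLUSIVE & set(ops)):
        others = sorted(set(ops) - {ex})
        if others:
            problems.append(
                f"{ex}: must not be combined with {', '.join(o + ':' for o in others)}")

    # cache:/intext: take their argument with no intervening space.
    for t in tokens:
        if t.operator in NO_SPACE and t.value == "":
            problems.append(f"{t.operator}: needs its argument immediately after the colon")

    # A purely negative query (e.g. -ext:html -ext:htm ...) returns nothing on
    # its own and has to be combined with a positive term such as site:.
    if tokens and all(t.negated for t in tokens):
        problems.append("negative-only query: add a positive term such as site:")

    # Assumed self-assessment policy: every query is scoped to our own domain
    # with a positive site: operator.
    if own_domain is not None:
        scoped = any(t.operator == "site" and not t.negated
                     and t.value.lower().endswith(own_domain.lower())
                     for t in tokens)
        if not scoped:
            problems.append(f"not scoped to site:{own_domain}")
    return problems


if __name__ == "__main__":
    for q in ("site:washingtonpost.com -site:www.washingtonpost.com",
              "-ext:html -ext:htm -ext:shtml -ext:asp -ext:php",
              "cache: www.eccouncil.org"):
        print(q, "->", lint(q) or "ok")
```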
Screenshot - location:
Viewing Live Web Cams

You can find live security cameras, traffic monitoring cameras, and many more using simple Google search operators like inurl, intitle, and intext.

These cameras generally use known protocols, which makes it easy for anyone to access them.

Following are a few Google search links to find publicly accessible live streaming feeds:
Viewing Live Web Cams (cont'd)

inurl:/view.shtml
intitle:Live View / - AXIS | inurl:view/view.shtml^
inurl:ViewerFrame?Mode=
inurl:ViewerFrame?Mode=Refresh
inurl:axis-cgi/jpg
allintitle:Network Camera NetworkCamera
intitle:axis intitle:video server
intitle:liveapplet inurl:LvAppl
intitle:EvoCam inurl:webcam.html
Screenshots: Live Web Cams; At a Traffic Signal; Live Web Cams Traffic Signals 1 to 10
intranet | help.desk

The term intranet, despite more specific technical meanings, has become a generic term that describes a network confined to a small group.

In most cases the term intranet describes a closed or private network, unavailable to the general public.

Many sites have configured portals that allow access to an intranet from the Internet, bringing this typically closed network one step closer to potential attackers.
Locating Public Exploit Sites

One way to locate exploit code is to focus on the file extension of the source code and then search for specific content within that code.

Since source code is the text-based representation of the difficult-to-read machine code, Google is well suited for this task.

For example, a large number of exploits are written in C, which generally uses source code ending in a .c extension.

A query for filetype:c exploit returns around 5,000 results, most of which are exactly the types of programs we're looking for.

These are the most popular sites hosting C source code containing the word exploit; the returned list is a good start for a list of bookmarks.

Using page-scraping techniques, we can isolate these sites by running a UNIX command against the dumped Google results page (saved as the file exp):

grep Cached exp | awk -F" " '{print $1}' | sort -u
Locating Exploits via Common Code Strings

Another way to locate exploit code is to focus on common strings within the source code itself.

One way to do this is to focus on common inclusions or header file references.

For example, many C programs include the standard input/output library functions, which are referenced by an include statement such as #include <stdio.h> within the source code.

A query like this would locate C source code that contained the word exploit, regardless of the file's extension:

"#include <stdio.h>" Usage exploit

Searching for Exploit Code with Nonstandard Extensions

Locating Source Code with Common Strings
Locating Vulnerable Targets

Attackers are increasingly using Google to locate web-based targets that are vulnerable to specific exploits.

In fact, it's not uncommon for public vulnerability announcements to contain Google links to potentially vulnerable targets.
Locating Targets via Demonstration Pages

Our goal is to develop a query string to locate vulnerable targets on the web; the vendor's website is a good place to discover what exactly the product's web pages look like.

For example, some administrators might modify the format of a vendor-supplied web page to fit the theme of the site.

These types of modifications can impact the effectiveness of a Google search that targets a vendor-supplied page format.

We can find that most sites look very similar and that nearly every site has a "powered by" message at the bottom of the main page.

Powered by Tags are Common Query Fodder for Finding Web Applications
Locating Targets via Source Code

Let's take a look at how a hacker might use the source code of a program to discover ways to search for that software with Google.

To find the best search string to locate potentially vulnerable targets, we can visit the web page of the software vendor to find the source code of the offending software.

In cases where source code is not available, an attacker might opt to simply download the malicious software and run it on a machine he controls to get ideas for potential searches.

Vulnerable Web Application Examples

Vulnerable Web Application Examples (cont'd)
Locating Targets via CGI Scanning

One of the oldest and most familiar techniques for locating vulnerable web servers is through the use of a CGI scanner.

These programs parse a list of known bad or vulnerable web files and attempt to locate those files on a web server.

Based on various response codes, the scanner could detect the presence of these potentially vulnerable files.

A CGI scanner can list vulnerable files and directories in a data file, such as:

A Single CGI Scan-Style Query

Example: search for inurl:/cgi-bin/userreg.cgi
Directory Listings

The server tag at the bottom of a directory listing can provide explicit detail about the type of web server software that's running.

If an attacker has an exploit for Apache 2.0.52 running on a UNIX server, a query such as "server.at" "Apache/2.0.52" will locate servers that host a directory listing with an Apache 2.0.52 server tag.

Finding IIS 5.0 Servers

Query for "Microsoft-IIS/5.0 server at"
Web Server Software Error Messages

Error messages contain a lot of useful information, but in the context of locating specific servers, we can use portions of various error messages to locate servers running specific software versions.

The absolute best way to find error messages is to figure out what messages the server is capable of generating.

You could gather these messages by examining the server source code or configuration files, or by actually generating the errors on the server yourself.

The best way to get this information from IIS is by examining the source code of the error pages themselves.

IIS 5 and 6, by default, display static HTTP/1.1 error messages when the server encounters some sort of problem.

These error pages are stored by default in the %SYSTEMROOT%\help\iisHelp\common directory.

Web Server Software Error Messages (cont'd)

A query such as intitle:"The page cannot be found" "please following" "Internet * Services" can be used to search for IIS servers that present a 400 error.

IIS HTTP/1.1 Error Page Titles

IIS HTTP/1.1 Error Page Titles (cont'd)

Object Not Found Error Message Used to Find IIS 5.0
Apache Web Server

Apache web servers can also be located by focusing on server-generated error messages.

Some generic searches such as "Apache/1.3.27 Server at" -intitle:index.of intitle:inf or "Apache/1.3.27 Server at" -intitle:index.of intitle:error

Apache 2.0 Error Pages
Application Software Error Messages

Although this ASP message is fairly benign, some ASP error messages are much more revealing.

Consider the query "ASP.NET_SessionId" "data source=", which locates unique strings found in ASP.NET application state dumps.

These dumps reveal all sorts of information about the running application and the web server that hosts that application.

An advanced attacker could use encrypted password data and variable information in these stack traces to subvert the security of the application and perhaps the web server itself.

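For the defender's side of the intitle:index.of, Directory Listings, Web Server Software Error Messages and Application Software Error Messages slides, an added example (not EC-Council code) that flags those same fingerprints in HTML responses before a crawler indexes them; the regexes and the sample responses are constructed for the example.

```python
"""Pre-publication scan for the page fingerprints this module shows Google
indexing: "Index of" listings, server version tags, IIS/Apache error pages,
ASP.NET state dumps and "powered by" footers.  Added example, not EC-Council
code; the regexes and sample responses are constructed for illustration."""
import re
from html.parser import HTMLParser
from typing import Dict, List


class _PageText(HTMLParser):
    """Collect the <title> text and the visible body text of an HTML page."""

    def __init__(self) -> None:
        super().__init__()
        self.title, self.body, self._in_title = "", "", False

    def handle_starttag(self, tag, attrs):
        self._in_title = tag == "title"

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        else:
            self.body += " " + data


# "Apache/2.0.52 Server at ..." or "Microsoft-IIS/5.0 Server at ..." footers.
SERVER_TAG = re.compile(r"\b(Apache|Microsoft-IIS)/(\d[\w.]*)\s+Server at\b", re.I)
# "Powered by <product>" lines that name the web application.
POWERED_BY = re.compile(r"powered by\s+([\w.-]+)", re.I)


def scan_html(html: str) -> List[str]:
    """Return the fingerprints found in one page, in a fixed order."""
    page = _PageText()
    page.feed(html)
    title, body = page.title.strip().lower(), page.body
    findings: List[str] = []
    listing = title.startswith("index of")
    if listing:                                  # intitle:index.of
        findings.append("directory_listing")
    m = SERVER_TAG.search(body)                  # exact server version
    if m:
        findings.append(f"server_version:{m.group(1)}/{m.group(2)}")
    if ("the page cannot be found" in title      # static IIS HTTP/1.1 error page
            and "internet information services" in body.lower()):
        findings.append("iis_error_page")
    if m and m.group(1).lower() == "apache" and "error" in title and not listing:
        findings.append("apache_error_page")     # Apache error page with server tag
    if "ASP.NET_SessionId" in body and "data source=" in body.lower():
        findings.append("aspnet_state_dump")     # ASP.NET application state dump
    p = POWERED_BY.search(body)
    if p:
        findings.append(f"powered_by:{p.group(1)}")
    return findings


def scan_pages(pages: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan several captured responses, keyed by URL or label."""
    return {name: scan_html(html) for name, html in pages.items()}


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "listing": "<html><head><title>Index of /backup</title></head><body>"
               "<h1>Index of /backup</h1><pre>index.html.bak  config.tmp</pre>"
               "<address>Apache/2.0.52 Server at intranet.example.test Port 80"
               "</address></body></html>",
    "iis404": "<html><head><title>The page cannot be found</title></head><body>"
              "<h1>The page cannot be found</h1><p>HTTP Error 404 - File or "
              "directory not found.<br>Internet Information Services (IIS)</p>"
              "</body></html>",
    "aspdump": "<html><head><title>Server Error</title></head><body><pre>"
               "ASP.NET_SessionId=CONSTRUCTED; Data Source=db01;User ID=app;"
               "Password=PLACEHOLDER</pre></body></html>",
    "clean": "<html><head><title>Welcome</title></head><body>"
             "<p>Hello. Powered by ExampleCMS 1.0</p></body></html>",
}

if __name__ == "__main__":
    for name, found in scan_pages(SAMPLES).items():
        print(f"{name}: {found or 'no fingerprints'}")
```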
ASP Dumps Provide Dangerous Details

Many Errors Reveal Pathnames and Filenames

CGI Environment Listings Reveal Lots of Information
Default Pages

Another way to locate specific types of servers or web software is to search for
default web pages.

Most web software, including the web server software itself, ships with one or
more default or test pages.

These pages make it easy for a site administrator to test the installation of a
web server or application.

Google sometimes crawls a web server while it is in its earliest stages of
installation, still displaying a set of default pages.

In these cases, there is generally a short window of time between the moment
when Google crawls the site and when the intended content is actually placed on
the server, and the cached default page stays searchable after that window closes.
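The error-message queries above and the default-page searches on this slide both work by matching fixed strings that the server or framework emits. The following Python is an added example, not part of the EC-Council module or of any tool it names: it applies the same strings to a page body you have already fetched (from your own crawler or from Google's cache), so that you can triage what a dork turned up without re-querying. The signature strings are the well-known Apache, IIS, OWA and ASP.NET markers; the three sample bodies are constructed for the example and the version, host and path values in them are invented.

```python
import re
from dataclasses import dataclass

# Added example (not part of the EC-Council module): classify a fetched page
# body the same way the module's Google queries do, by looking for the strings
# that mark error pages, state dumps and default installation pages. The
# signatures are well-known server/framework strings; the bodies at the end
# are constructed for this example.

SIGNATURES = {
    # default / test pages a freshly installed server shows
    "apache-default": [
        re.compile(r"Test Page for (?:the )?Apache", re.I),
        re.compile(r"<title>\s*It works!\s*</title>", re.I),
    ],
    "iis-default": [
        re.compile(r"Welcome to (?:IIS|Windows Internet Information Services)", re.I),
        re.compile(r"<title>\s*Under Construction\s*</title>", re.I),
    ],
    "owa-logon": [re.compile(r"/exchange/logon\.asp", re.I)],
    # error pages that name the server software and version
    "apache-error": [re.compile(r"<address>(Apache/[\w.\-]+) Server at", re.I)],
    "aspnet-trace": [
        re.compile(r"Server Error in '[^']*' Application", re.I),
        re.compile(r"Stack Trace:", re.I),
    ],
    # application state dumps that carry a connection string
    "connection-string": [re.compile(r"data source=([^;\"'<\s]+)", re.I)],
    # absolute Windows paths leaking from stack traces
    "path-disclosure": [re.compile(r"[A-Za-z]:\\(?:[\w.\- ]+\\)+[\w.\-]+")],
}

@dataclass
class Finding:
    kind: str       # signature family that matched
    evidence: str   # captured detail (version, data source, path) or the match itself

def classify(body):
    """Return one Finding per signature family that matches the body."""
    findings = []
    for kind, patterns in SIGNATURES.items():
        for pat in patterns:
            m = pat.search(body)
            if m:
                findings.append(Finding(kind, m.group(1) if m.groups() else m.group(0)))
                break  # one hit per family is enough
    return findings

def kinds(body):
    """Sorted list of matching signature families."""
    return sorted(f.kind for f in classify(body))

# constructed sample bodies (hostnames, versions and paths are invented)
APACHE_ERROR = """<html><head><title>404 Not Found</title></head><body>
<h1>Not Found</h1><p>The requested URL /old.html was not found on this server.</p>
<hr><address>Apache/1.3.27 Server at www.example.com Port 80</address>
</body></html>"""

APACHE_DEFAULT = """<html><head><title>Test Page for Apache Installation</title></head>
<body><p>This page is here because the site administrator has changed the
configuration of this web server.</p></body></html>"""

ASPNET_DUMP = """<html><head><title>Server Error in '/' Application.</title></head>
<body><h1>Object reference not set to an instance of an object.</h1>
<b>Stack Trace:</b><pre>
   Shop.Checkout.Page_Load() in C:\\inetpub\\wwwroot\\shop\\checkout.aspx.cs:42
</pre><b>Application state:</b> connectionString="data source=SQL01;initial
catalog=shop;user id=sa;password=..." ASP.NET_SessionId=0dl2m1ruhqa4ujuem1nvkm45
</body></html>"""

if __name__ == "__main__":
    for name, body in [("apache error", APACHE_ERROR),
                       ("apache default", APACHE_DEFAULT),
                       ("asp.net dump", ASPNET_DUMP)]:
        print(name, [(f.kind, f.evidence) for f in classify(body)])
```

On the ASP.NET dump the classifier reports three families at once: the framework error page, the connection string with its data source, and an absolute path under the web root. That combination is what makes these dumps worth more than a generic 500 page, and it is also the checklist for the fix: turn off detailed errors for remote clients and keep connection strings out of anything the application can render.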
A Typical Apache
Default Web Page

Locating Default Installations of
IIS 4.0 on Windows NT 4.0/OP

Default Pages Query for Web
Server
Many different types of web servers can be located by querying for default
pages as well.

Outlook Web Access Default
Portal
Query: allinurl:exchange/logon.asp

Searching for Passwords
Password data, one of the Holy Grails of a penetration test, should be
protected.
Unfortunately, many Google queries can be used to locate passwords that have
been published on the web.

Windows Registry Entries can
Reveal Passwords
A query such as filetype:reg intext:"internet account manager" can reveal
exported registry keys containing password data.
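What that query returns is a Windows .reg export, and the interesting part is not the search but what you do with the file. The following Python is an added example, not from the EC-Council module: a small parser for the .reg text format (key sections, quoted value names, string/dword/hex values, and the backslash continuation lines that hex values spill onto) plus a function that reports every password-bearing value under an "Internet Account Manager" key. The sample export is constructed for the example; its value names follow the Outlook Express convention ("POP3 User Name", "POP3 Password2"), but because the password encoding differs between versions (plain string in older exports, a binary blob in later ones) the function only reports what it finds and does not try to decode the blob.

```python
import re

# Added example, not from the EC-Council module. Parses a Windows .reg export
# (the file type that filetype:reg finds) and flags password-bearing values
# under "Internet Account Manager". The sample export below is constructed;
# the account names, user names and hex bytes are invented.

SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

def _logical_lines(text):
    """Join lines that end in a backslash, as regedit does for long hex values."""
    buf = ""
    for line in text.splitlines():
        line = line.rstrip("\r")
        if buf:
            line = line.strip()          # continuation lines are indented
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf

def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")

def _parse_value(raw):
    """Return (type, value) for the right-hand side of a .reg value line."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"') and len(raw) >= 2:
        return ("REG_SZ", _unescape(raw[1:-1]))
    if raw.startswith("dword:"):
        return ("REG_DWORD", int(raw[6:], 16))
    if raw.startswith("hex"):               # hex: or hex(N):
        kind, _, data = raw.partition(":")
        return (kind, bytes(int(b, 16) for b in data.split(",") if b.strip()))
    return ("UNKNOWN", raw)

def parse_reg(text):
    """Map each key path to a dict of value name -> (type, value)."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if (not line.strip() or line.startswith(";")
                or line.startswith("Windows Registry Editor") or line.startswith("REGEDIT4")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1)) if m.group(1) is not None else "@"
            keys[current][name] = _parse_value(m.group(3))
    return keys

def find_credentials(text, key_hint="Internet Account Manager"):
    """List every value whose name contains 'password' under keys matching key_hint."""
    hits = []
    for key, values in parse_reg(text).items():
        if key_hint.lower() not in key.lower():
            continue
        user = next((v for n, (_t, v) in values.items() if "user name" in n.lower()), None)
        for name, (vtype, value) in values.items():
            if "password" in name.lower():
                hits.append({
                    "key": key,
                    "account": values.get("Account Name", ("", ""))[1],
                    "user": user,
                    "value_name": name,
                    "cleartext": value if vtype == "REG_SZ" else None,
                    "blob_len": len(value) if isinstance(value, bytes) else None,
                })
    return hits

# constructed sample export: one account with a binary blob, one with a plain string
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001]
"Account Name"="mail.example.com"
"POP3 Server"="mail.example.com"
"POP3 User Name"="jdoe"
"POP3 Password2"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,\
  97,eb,01,00,00,00
"SMTP Server"="smtp.example.com"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000002]
"Account Name"="news.example.net"
"NNTP User Name"="jdoe"
"NNTP Password"="s3cr3t\"pass"

[HKEY_CURRENT_USER\Software\Example\Unrelated]
"Password"="not-in-scope"
'''

if __name__ == "__main__":
    for hit in find_credentials(SAMPLE_REG):
        print(hit)
```

The continuation-line handling is the part that matters in practice: an export that has been copied through a web page or a mailing list often keeps the trailing backslashes, and a naive line-by-line grep for "Password" then misses the bytes on the next line. The key filter is also deliberate, since a full export from HKEY_CURRENT_USER contains plenty of "Password" values that are not mail credentials.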

Usernames, Cleartext
Passwords, and Hostnames

A search for password information, intext:(password | passcode | pass)
intext:(username | userid | user), combines common words for
passwords and user IDs into one query.

Goolag Scanner

Goolag Scanner is software published by the well-known hacker group Cult
of the Dead Cow (cDc).

This software turns Google's search engine into a vulnerability scanner.

It allows a user to scan websites or Internet domains for vulnerabilities.

It works on the dork pattern:

A dork is a search pattern used with Google's search engine.

The results of a dork search reveal possible avenues of attack.

Features of Goolag

Goolag Scanner uses simple, readable XML documents to hold its dorks.

It reduces the use of a myriad of dorks to a few mouse clicks.

Knowledge of cryptic command-line options and Google hacking basics is not
required to use this scanner.

It helps to check a website for weak points before criminals can attack them.
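The two Goolag slides describe the mechanism (a dork list in XML, each dork scoped to the target domain and sent to Google) without showing it. The following Python is an added example, not Goolag's code: it reads a small dork file, prefixes each dork with the site: operator for the target, and emits the query text and the corresponding Google search URL. The XML element and attribute names are invented for this example and are not Goolag's real schema; the four dorks are the ones discussed in this module. The planner stops at producing URLs on purpose: Google's terms of service prohibit automated querying and Google blocks clients that issue dork volleys, so the queries are meant to be opened by hand.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote_plus

# Added example, not Goolag's own code. Goolag keeps its dorks in XML files;
# the element names below are invented for this example and are not Goolag's
# real schema. The four dorks are the ones this module discusses.
DORKS_XML = """<?xml version="1.0"?>
<dorks>
  <dork category="errors" title="Apache 1.3.27 error pages">
    "Apache/1.3.27 Server at" -intitle:index.of intitle:error
  </dork>
  <dork category="defaults" title="Outlook Web Access logon page">
    allinurl:exchange/logon.asp
  </dork>
  <dork category="passwords" title="Internet Account Manager registry exports">
    filetype:reg intext:"internet account manager"
  </dork>
  <dork category="passwords" title="Username and password strings">
    intext:(password | passcode | pass) intext:(username | userid | user)
  </dork>
</dorks>
"""

DOMAIN_RE = re.compile(r"^[A-Za-z0-9.-]+$")

def load_dorks(xml_text):
    """Parse the dork file into dicts; whitespace around each query is collapsed."""
    root = ET.fromstring(xml_text)
    return [{"category": d.get("category", ""),
             "title": d.get("title", ""),
             "query": " ".join((d.text or "").split())}
            for d in root.iter("dork")]

def scope(query, domain):
    """Restrict a dork to one target with the site: operator."""
    if not DOMAIN_RE.match(domain):
        # a stray space or operator in the domain would silently change the query
        raise ValueError(f"not a bare domain name: {domain!r}")
    return f"site:{domain} {query}"

def google_url(query):
    """Google search URL for a query, with operators and quotes percent-encoded."""
    return "https://www.google.com/search?q=" + quote_plus(query)

def plan_scan(xml_text, domain, categories=None):
    """Build the scoped queries and URLs for one target, optionally by category."""
    plan = []
    for dork in load_dorks(xml_text):
        if categories and dork["category"] not in categories:
            continue
        q = scope(dork["query"], domain)
        plan.append({**dork, "query": q, "url": google_url(q)})
    return plan

if __name__ == "__main__":
    for item in plan_scan(DORKS_XML, "example.com"):
        print(f"[{item['category']}] {item['title']}\n  {item['query']}\n  {item['url']}")
```

Running it against your own domain is the defensive use the Features slide describes: any hit is something Google already holds, so the remediation is to fix or remove the page and then request removal of the cached copy, not just to block the crawler.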

Goolag Scanner
Screenshot

Summary

In this module, we have reviewed Google penetration testing.

We have discussed the advanced Google techniques:

Overview of software error messages
Overview of default pages
Explanation of techniques to reveal passwords
Locating targets
Searching for passwords
