The search engines available today are truly fantastic. Within seconds, you can find just
about anything you could ever want to know. Many of today’s popular search engines
provide for advanced searching capabilities that can help you home in on that tidbit
of information that makes the difference. Some of our favorite search engines are
http://www.google.com, http://search.yahoo.com, http://www.altavista.com, and
http://www.dogpile.com (which sends your search to multiple search engines such as
Google, Yahoo, Microsoft Live Search, and Ask.com). It is worth the effort to become
familiar with the advanced searching capabilities of these sites. There is so much sensitive
information available through these sites that there have even been books written on
how to “hack” with search engines—for example, Google Hacking for Penetration Testers
Vol. 2, by Johnny Long (Syngress, 2007).
Here is a simple example: If you search Google for “allinurl:tsweb/default.htm,”
Google will reveal Microsoft Windows servers with Remote Desktop Web Connection
exposed. This could eventually lead to full graphical console access to the server via the
Remote Desktop Protocol (RDP) using only Internet Explorer and the ActiveX RDP client
that the target Windows server offers to the attacker when this feature is enabled. There
are literally hundreds of other searches that reveal everything from exposed web cameras
to remote admin services to passwords to databases. We won’t attempt to reinvent the
wheel here but instead will refer you to one of the definitive Google hacking sites
available at http://johnny.ihackstuff.com. Johnny Long compiled the Google Hacking
Database (GHDB): http://johnny.ihackstuff.com/ghdb.php. Despite this hacking
database not being updated frequently, it offers a fantastic basic listing of many of the
best Google search strings that hackers will use to dig up information on the Web.
Of course, just having the database of searches isn’t good enough, right? A few tools
have been released recently that take this concept to the next level: Athena 2.0 by Steve
at snakeoillabs (http://www.snakeoillabs.com); SiteDigger 2.0 (http://www.foundstone.
com); and Wikto 2.0 by Roelof and the crew (http://www.sensepost.com/research/
wikto). They search Google’s cache to look for the plethora of vulnerabilities, errors,
configuration issues, proprietary information, and interesting security nuggets hiding
on websites around the world. SiteDigger allows you to target specific
domains, uses the GHDB or the streamlined Foundstone list of searches, allows you to
submit new searches to be added to the database, allows for raw searches, and—best of
all—has an update feature that downloads the latest GHDB and/or Foundstone searches
right into the tool so you never miss a beat.
The Usenet discussion forums or news groups are a rich resource of sensitive
information, as well. One of the most common uses of the news groups among IT
professionals is to get quick access to help with problems they can’t easily solve
themselves. Google provides a nice web interface to the Usenet news groups, complete
with its now-famous advanced searching capabilities. For example, a simple search for
“pix firewall config help” yields hundreds of postings from people requesting help with
their Cisco PIX firewall configurations. Some of these postings
actually include cut-and-pasted copies of their production configuration, including IP
addresses, ACLs, password hashes, network address translation (NAT) mappings, and
so on. This type of search can be further refined to home in on postings from e-mail
addresses at specific domains (in other words, @company.com) or other interesting search
strings.
If the person in need of help knows to not post their configuration details to a public
forum like this, they might still fall prey to a social engineering attack. An attacker could
respond with a friendly offer to assist the weary admin with their issue. If the attacker
can finagle a position of trust, they may end up with the same sensitive information
despite the initial caution of the admin.
Another interesting source of information lies in the myriad of resumes available
online. With the IT profession being as vast and diverse as it is, finding a perfect employeeto-
position match can be quite difficult. One of the best ways to reduce the large number
of false positives is to provide very detailed, often sensitive, information in both the job
postings and in the resumes.Imagine that an organization is in need of a seasoned IT security professional to
assume very specific roles and job functions. This security professional needs to be
proficient with this, that, and the other thing, as well as able to program this and that—
you get the idea. The company must provide those details in order to get qualified leads
(vendors, versions, specific responsibilities, level of experience required, etc.). If the
organization is posting for a security professional with, say, five or more years’ experience
working with CheckPoint firewalls and Snort IDS, what kind of firewall and IDS do you
think they use? Maybe they are advertising for an intrusion-detection expert to develop
and lead their IR team. What does this say about their current incident detection and
response capabilities? Could they be in a bit of disarray? Do they even have one currently?
If the posting doesn’t provide the details, maybe a phone call will. The same is true for
an interesting resume—impersonate a headhunter and start asking questions. These
kinds of details can help an attacker paint a detailed picture of security posture of the
target organization—very important when planning an attack!
If you do a search on Google for something like “company resume firewall,” where
company is the name of the target organization, you will most likely find a number of
resumes from current and/or past employees of the target that include very detailed
information about technologies they use and initiatives they are working on. Job sites
like http://www.monster.com and http://www.careerbuilder.com contain tens of
millions of resumes and job postings. Searching on organization names may yield
amazing technical details. In order to tap into the vast sea of resumes on these sites, you
have to be a registered organization and pay access fees. However, it is not too hard for
an attacker to front a fake company and pay the fee in order to access the millions of
resumes.
কোন মন্তব্য নেই:
একটি মন্তব্য পোস্ট করুন