Google attacks. Patrick Chambet Edelweb ON-X Group We re in Vegas, right?

Transcription

1 We re in Vegas, right? EdelWeb Edelweb ON-X Grop

2 Planning General points Some examples Recommendations Conclsion Page 2

3 General Points Information gathering is the first step dring a pen-test (or a real attack) A search engine is an obvios and common pen test tool Passive Stealth Uses the hge memory of the Net Google cache Google grops Page 3

4 Typical pen-test process Information gathering abot the target Vlnerabilities identification Vlnerabilities exploitation Go frther! Page 4

5 Planning General points Some examples Recommendations Conclsion Page 5

6 Some examples (1/7) Passive Web server identification Invisible corporate HTTP and FTP otgoing proxies detection SMTP headers No need to send a fake mail to a non existent ser any more! Sensitive files gone offline bt still present in Google cache Ex-employees, now in competing companies Page 6

7 Some examples (2/7) Google How To Special chars "foo1.foo2" +foo bar Usefl Google keywords filetype:abc site:foo.com intext:foo [all]intitle:footitle [all]inrl:foo link: cache: related: phonebook:bill Gates+WA define:foo Page 7

8 Some examples (3/7) Browsing a site offline site:foo.com foo -> retrns every cached page on the site Stealth CGI scanner Passwords "Index of" htpasswd / passwd filetype:xls sername password "WS_FTP.LOG" "config.php" allinrl: : admin mdb service filetype:pwd (FrontPage) Page 8

9 Some examples (4/7) Page 9

10 Some examples (5/7) Sensitive files / interesting attack data "robots.txt"" "Disallow:" filetype:txt inrl:_vti_cnf (FrontPage files) allinrl:winnt/system32/ allinrl:/msadc/samples/selector/showcode.asp allinrl:/examples/jsp/snp/snoop.jsp allinrl:phpinfo.php ipsec filetype:conf intitle:"error occrred" ODBC reqest WHERE (SELECT INSERT) "mydomain.com" nesss report "report generated by" Page 10

11 Some examples (6/7) Help me! messages I have the net-to-net configration: x.x.x.202 x.x.x.31 Localhost================Roter================Remotehost x.x.x.205 x.x.x.32 I work on Linx Red Hat with x509 patched freeswan I have pdated my ipsec.conf configration file with: "conn net-to-net left=x.x.x.x (...) " The password is: (jst kidding) My problem is the following: ( ) Please, help me qickly! Thanks a lot, Jack Page 11

12 Some examples (7/7) The cache can be sed to cover one's tracks Search terms can be crafted to inclde known exploits in them Social engineering Personal information abot administrators and sers Hobbies Skills Expertise and motivation level Friends Etc. Page 12

13 Planning General points Some examples Recommendations Conclsion Page 13

14 Recommendations (1/2) On yor webservers Apply latest secrity patches and secre the server Disable directory browsing Don t pt sensitive information withot athentication Do not rely on scripts/java/activex URL obfscation Analyze Google qeries that condcted to sensitive data on yor site (HTTP logs) and modify yor site Web-based based honeypots and honeytokens Page 14

15 Recommendations (2/2) Control Google content Information abot yor company Information abot yor sers and employees Links pointing to yor Web sites Organize a reglar watch Ask Google to delete some search reslts from its cache Page 15

16 Conclsion Google is the pen-tester s best friend And also the attacker s Yo have to pay attention to information leakage on the Web abot yo A reglar watch is necessary Do not hesitate to ask for modification or deletion of information abot yor company Page 16

17 Links Google Google APIs: Remove reslts: hac/papers/ Demystifying%20Google%20Hacks.pdf Googledorks johnny.ihackstff.com/index.php?modle=prodreviewsprodreviews _engine/ Athena tool Page 17

18 Qestions & Answers Page 18