After submitting

After submitting this query, it's a simple task to simply click on the results pages to locate a working NQT program. However, the NQT program accepts remote POSTS, which means it's possible to send an NQT "command" from your Web server to the foo.com server, which would execute the NQT "com­mand" on your behalf. If this seems pointless, consider the fact that this would allow for simple extension of NQT's layout and capabilities. We could, for example, easily craft an NQT "rotator" that would execute NQT commands against a target, first bouncing it off an Internet NQT server. Let's take a look at how that might work.
First, we'll scrape the results page shown in Figure 5.11, creating a list of sites that host NQT. Consider the following Linux/Mac OS X command:
This command grabs 100 results of the Google query inurl:nqt.php intitle:"Network Query Tool", locates the word nqt.php at the end of a line, removes any line that contains the word google, prints the second field in the list (which is the URL of the NQT site), and uniquely sorts that list.This com­mand will not catch NQT URLs that contain parameters (since nqt.php will not be the last word in the link), but it produces clean output that might look some­thing like this:
We could dump this output into a file by appending >> nqtfile.txt to the end of the previous sort command. Now that we have a working list of NQT servers, we'll need a copy of the NQT code that produces the interface displayed in Figure 5.10.This interface, with its buttons and "enter host or IP" field, will serve as the interface for our "rotator" program. Getting a copy of this interface is as easy as viewing the source of an existing nqt.php Web page (say, from the list of sites in the nqtfile.txt file), and saving the HTML content to a file we'll call rotator.php on our own Web server. At this point, we have two files in the same directory of our Web server—an nqtfile.txt file containing a list of NQT servers, and a rotator.php file that contains the HTML source of NQT. We'll be replacing a single line in the rotator.php file to create our "rotator" program.This line, which is the beginning of the NQT input form, reads:
This line indicates that once the "Do it" button is pressed, data will be sent to a script called nqt.php. If we were to modify this form field to , our rotator program would
send the NQT command to the NQT program located at foo.com, which would execute it on our behalf. We're going to take this one step further, inserting PHP code that will read a random site from the nqtfile.txt program, inserting it into the form line for us.This code might look something like this (lines numbered for clarity):
This PHP code segment is meant to replace the line in the original NQT HTML code. Line 1 indicates that a PHP code segment is about to begin. Since the rest of the rotator.php file is HTML, this line, as well as line 7 that terminates the PHP code segment, is required. Line 2 reads our nqtsites.txt file, assigning each line in the file (a URL to an NQT site) to an array element. Line 3, included as a separate line for read­ability, assigns one random line from the nqtsites.txt program to the variable $site. Line 4 outputs the modified version of the original form line, modifying the action target to point to a random remote NQT site. Lines 5 and 6 simply output informative messages about the NQT site that was selected, and instruc­tions for loading a new NQT site. The next line in the rotator.php script would be the table line that draws the main NQT table. When rotator.php is saved and viewed in a browser, it should look similar to Figure 5.12.
Our rotator program looks very similar to the standard NQT program inter­face, with the addition of the two initial lines of text. However, when the "check port" box is checked, www.microsoft.com is entered into the host field, and the Do It button is clicked, we are whisked away to the results page on a remote NQT server that displays the results—port 80 is, in fact, open and accepting con­nections as shown in Figure 5.13.
This example is designed to suggest that Google can be used to supplement the use of many Web-based applications. All that's required is a bit of Google know-how and a healthy dose of creativity.
Netcraft ala Google
The Netcraft page at www.netcraft.com/whatis is excellent for getting a quick idea of the type of Web server used by an organization. However, an interesting twist suggested by offtopic@mail.ru involves using Google to search for previously Googled Netcraft results. A query like site:netcraft.com intitle:That.Site.Running will show cached results pages. Want to troll for Apache servers? Toss the word Apache on the end of the query. Netscape? Tomcat? You name it; Netcraft's seen just about them all.
Targeting Web-Enabled Network Devices
Google can also be used to detect the presence of many Web-enabled network devices. Many network devices come preinstalled with a Web interface to allow an administrator to query the status of the device or to change device settings with a Web browser. While this is convenient, and can even be primitively secured through the use of an SSL-enabled connection, if the Web interface of a device is crawled with Google, even the mere existence of that device can add to a silently created network map. For example, a query like intitle: "BorderManager information alert" can reveal the existence of a Novell BorderManager Proxy/Firewall server as shown in Figure 5.14.
A crafty attacker could use the mere existence of this device to craft his attack against the target network. For example, if this device is acting as a proxy server, the attacker might attempt to use it to gain access to machines inside a trusted network by bouncing connections off this server. Additionally, an attacker might search for any public vulnerabilities for this product in an attempt to exploit this device directly. Although many different devices can be located in this way, it's generally easier to harvest IP and network data using the output from network statistical programs as we'll see in the next section.To get an idea of the types of devices that can be located with this technique, consider queries like "Version Info" "Boot Version" "Internet Settings" , which locate Belkin Cable/DSL routers; intitle:"wbem" compaq login, which locates HP Insight Management Agents; intitle:"lantronix web-manager", which locates Lantronix web-managers; inurl:tech-support inurl:show Cisco or intitle:"switch home page" "cisco systems" "Telnet - to", which locates various Cisco products; or intitle:"axis storpoint CD" intitle:"ip address", which can locate Axis StorPoint servers. Each of these queries reveals pages that report various bits of information about the networks on which they
Locating Various Network Reports
In addition to targeting network devices directly, various network documents and status reports can be located with Google that give an outsider access to every­thing from IP addresses on the network to complete, ready-to-use network dia­grams. For example, the query "Looking Glass" (inurl:"lg/" | inurl:lookingglass) will locate looking glass servers that show router statistical information as shown in Figure 5.15.
The ntop program shown network traffic statistics that can be used to deter­mine the network architecture of a target.The query intitle:"Welcome to ntop!" will locate servers that have publicized their ntop programs, which pro­duces the output shown in Figure 5.16.
Practically any Web-based network statistics package can be located with Google.Table 5.1 reveals several examples from the Google Hacking Database that show searches for various network documentation.
Table 5.1 Examples of Network Documentation from the GHDB
Query
Device/Report
cacti reveals internal network info including architecture, hosts, and services.
fastcgi echo program reveals detailed server information.
Getstats program reveals server statistical information.
Continued
Table 5.1 Examples of Network Documentation from the GHDB
Query
Device/Report
filetype:reg "Terminal Server Client"
intext:"Tobias Oetiker" "traffic analysis"
intitle:"Welcome to ntop!"

inurl:"smb.conf" intext: "workgroup" filetype:conf

intitle:"Ganglia" "Cluster Report for"

intitle:"System Statistics" "System and Network Information Center"

intitle:"ADSL Configuration page"

"cacheserverreport for" "This analysis was produced by calamaris"

inurl:vbstats.php "page generated"

filetype:vsd vsd network -samples -examples

grapher.cgi reveals networks information like configuration, services, and band­width.

HP Switch Web Interface.

Looking Glass network stats output.

Microsoft Terminal Services connection settings Registry files reveal credentials and configuration data.

MRTG analysis pages reveals various network statistical information.

ntop program shows current network usage.

Samba config file reveals server and network data.

Server Cluster Reports

SNIC reveals internal network information including network configuration, ping times, services, and host information.

SolWise ADSL Modem Network Stats.

Squid Cache Server Reports.

vbstats report reveals server statistical information.

Visio network drawings.

This type of information is a huge asset during a security audit, which can save a lot of time, but realize that any information found in this manner should be validated before using it in any type of finished report.

Summary

Network data can be obtained in a variety of ways, but Google can play an important role during the information-gathering phase of a network assessment. By starting with generic information and applying a basic methodology, the details of a network begin to piece together, from the simple determination of domain names used by the target down to specific details about machines on the network. No piece of data should be overlooked during an assessment, especially when dealing with a well-secured target. Domain names can be acquired by using simple site queries combined with a bit of page scraping, or by more advanced tools like the BiLE toolkit written by SensePost. Google can be used to locate or augment Web-based networking tools like NQT, which enables remote execution of various network-querying applications. Using creative queries, Google may even locate Web-enabled network devices in use by the target or output from network statistical packages. Whatever your goal during a network-based assessment, there's a good chance Google can be used to augment your existing tools and techniques.

Solutions Fast Track

Mapping Methodology

0 Simple yet effective, the basic methodology presented in this chapter describes the process required to advance your insight into a target's Internet presence.

Mapping Techniques

0 Domain names can be determined through the use of the site operator. Page scraping techniques can be used to extract domain names from Google results pages.

0 Link Mapping is a fairly complex process that determines nonobvious relationships between sites.The BiLE toolkit from SensePost makes quick work out of this fairly complex technique.

0 Group Tracing can turn simple author searches into detailed information about a network and its users.

■

0 Non-Google Web Utilities can be located and enhanced with creative use of Google. We examined the NQT tool, converting it into an anonymized rotator that bounces commands off of remote servers before communicating with the target.

Targeting Web-Enabled Network Devices

0 Web-enabled network devices can be located with simple Google queries.

0 The information from these devices can be used to help build a network map.

Locating Various Network Reports

0 Network statistic reports can be located with simple Google queries.

0 The information from these reports can be used to help build a network map.



Links to Sites

www.sensepost.com: Home of the BiLE and BiLE-weigh utilities.

Q: Our network devices (routers) can't be accessed by anyone from outside; does that mean we are safe?

A: Even though it is not accessible from the WAN, it may be accessible from a compromised host on your LAN. Posting information about it on usenet or tech forums is a risk. For an example, try searching for intext:"enable secret 5 $" as suggested by hevnsnt on the Google Hacking Forums.Then try the same on Google Groups. It's a good thing Cisco implemented strong 1 encryption on those passwords, since these searches often reveal sensitive information about these devices.