Penetration testers are sometimes thought of as professional hackers since they essentially break into their customers' networks in an attempt to locate, document, and ultimately help resolve security flaws in a system or network. However, pen testers and hackers differ quite a bit in several ways.
For example, most penetration testers are provided with specific instructions about which networks and systems they will be testing. Their targets are specified, for many reasons (see Appendix A for more insight about the pen testing methodology), but in all cases, their targets are clearly defined or bounded in some fashion. Hackers, on the other hand, have the luxury of selecting from a wider target base. Depending on his or her motivations and skill level, the attacker might opt to select a target based on known exploits at the attacker's disposal. This reverses the model used by pen testers, and as such it affects the structure we will use to explore the topic of Google hacking. The techniques we'll explore in the next few chapters are most often employed by hackers, the "bad guys."
Penetration testers obviously have access to the techniques we'll explore in these chapters, but in many cases these techniques are too cumbersome for use during a vulnerability assessment, when time is of the essence. Security professionals often use specialized tools that perform these tasks in a much more streamlined fashion, but these tools make lots of noise and often overlook the simplest form of information leakage that Google is so capable of revealing—and revealing in a way that's nearly impossible to catch on the "radar." The techniques we'll examine here are used on a daily basis to locate and explore the systems and networks attached to the Internet, so it's important that we explore how these techniques are used to better understand the level of exposure and how that exposure can be properly mitigated.
The techniques we explore in this chapter are used to locate and analyze the front-end systems on an Internet-connected network. We look at ways an attacker can profile Web servers using seemingly insignificant clues found with Google queries. Next, we look at methods used to locate login portals, the literal front door of most Web sites. As we will see, some login portals provide administrators of a system an access point for performing various administrative functions. Most login portals provide clues to an attacker about what software is in use on the server and act as a magnet, drawing attackers that are armed with an exploit for that particular type of software. We round out the chapter by showing techniques that can be used to locate all sorts of network devices—firewalls, routers, network printers, and even Web cameras!
Locating and Profiling Web Servers
If an attacker hasn't already decided on a target, he might begin with a Google search for specific targets that match an exploit at his disposal. He might focus specifically on the operating system, the version and brand of Web server software, default configurations, vulnerable scripts, or any combination of factors.
There are many different ways to locate a server. The most common way is with a simple portscan. Using a tool such as Nmap, a simple scan of port 80 across a class C will expose potential Web servers. Integrated tools such as Nessus, H.E.A.T., or Retina will run some type of portscan, followed by a series of security tests.These functions can be replicated with Google queries, although in most cases the results are nowhere near as effective as the results from a well thought out vulnerability scanner or Web assessment tool. Remember, though, that Google queries are less obvious and provide a degree of separation between an attacker and a target. Also remember that hackers can use Google hacking techniques to find systems you are charged with protecting. The bottom line is that it's important to understand the capabilities of the Google hacker and realize the role Google can play in an attacker's methodology.
Directory Listings
We discussed directory listings in Chapter 3, but they deserve a second look here because of their value for profiling. The server tag at the bottom of a directory listing can provide explicit detail about the type of Web server software that's running. If an attacker has an exploit for Apache 2.0.52 running on a UNIX server, a query such as server.at "Apache/2.0.52" will locate servers that host a directory listing with an Apache 2.0.52 server tag, as shown in the accompanying figure.
Tip
Remember to always check the real page (as opposed to the cached page), because server version numbers could change between crawls.
Not all Web servers place this tag at the bottom of directory listings, but most Apache derivatives turn on this feature by default. Other platforms, such as Microsoft's IIS, display server tags as well, as a query for "Microsoft-IIS/5.0 server at" shows in Figure 8.2.
When searching for these directory tags, keep in mind that your syntax is very important.There are many irrelevant results from a query for "Microsoft-IIS/6.0" "server at", whereas a query like "Microsoft-IIS/6.0 server at" provides very relevant results. Since we've already covered directory listings, we won't dwell on it here. Refer back to Chapter 3 if you need a refresher on directory listings.
Web Server Software Error Messages
Error messages contain a lot of useful information, but in the context of locating specific servers, we can use portions of various error messages to locate servers running specific software versions. We'll begin our discussion by looking at error messages that are generated by the Web server software itself.
Microsoft Internet Information Server (IIS)
The absolute best way to find error messages is to figure out what messages the server is capable of generating.You could gather these messages by examining the server source code or configuration files or by actually generating the errors on the server yourself. The best way to get this information from IIS is by examining the source code of the error pages themselves.
IIS 5 and 6, by default, display static HTTP/1.1 error messages when the server encounters some sort of problem.These error pages are stored by default in the %SYSTEMROOT%\help\iisHelp\common directory.These files are essentially HTML files named by the type of error they produce, such as 400.htm, 401-1.htm, 501.htm, and so on. By analyzing these files, we can come up with trends and commonalities between the pages that are essential for effective Google searching. For example, the file that produces 400 error pages, 400.htm, contains a line (line 12) that looks like this:
The page cannot be found
This is a dead giveaway for an effective intitle query such as intitle:"The page cannot be found". Unfortunately, this search yields (as you might guess) far too many results. We'll need to dig deeper into the 400.htm file to get more clues about what to look for. Lines 65—88 of 400.htm are shown here:
65. Please try the following:
    ...

    The requested URL was not found on this server. The link on the
    referring page seems to be wrong or outdated. Please inform the author
    of that page about the error.
----------en--
The Apache HTTP_NOT_FOUND.html.var error page, whose English body text closes the listing above, is divided into clearly labeled sections, making it easy to translate into Google queries. The TITLE variable, set near the top of the listing, indicates that the text "Object not found!" will be displayed in the browser's title bar. When this file is processed and displayed in a Web browser, it will look like Figure 8.2. However, Google hacking is not always this easy. A search for intitle:"Object not found!" is too generic, returning the results shown in Figure 8.7.
These results are not what we're looking for. To narrow our results, we need a better base search. Constructing our base search from the template files included with the Apache 2.0 source code not only enables us to locate all the potential error messages the server is capable of producing, it also shows us how those messages are translated into other languages, resulting in very solid multilingual base searches.
The HTTP_NOT_FOUND.html.var file listed previously references two virtual include lines, one near the top (include/top.html) and one near the bottom (include/bottom.html). These lines instruct Apache to read and insert the contents of these two files (located in our case in the /var/www/error/include directory) into the current file. The following listing shows the lines of the bottom.html file that matter for constructing that perfect base search:
1. ...
2. <!--#include virtual="../contact.html.var" -->
3. ...
4. <h2>Error <!--#echo encoding="none" var="REDIRECT_STATUS" --></h2>
First, notice line 4, which displays the word "Error" (followed by the HTTP status code) on the page. Although this might seem very generic, it's an important subtlety that would keep results like the ones in Figure 8.7 from displaying. Line 2 shows that another file (/var/www/error/contact.html.var) is read and included into this file. The contents of this file, listed as follows, contain more details we can include in our base search:
1. Content-language: en
2. Content-type: text/html
3. Body: en--
4. If you think this is a server error, please contact
5. the webmaster
6. en--
This file, like the file that started this whole "include chain," is broken up into sections by language. The portion of this file listed here shows yet another unique string we can use. We'll select a fairly unique piece of this line, "think this is a server error", as a portion of our base search instead of just the word error, which we used initially to remove some false positives. The other part of our base search, intitle:"Object not found!", was originally found in the /error/HTTP_NOT_FOUND.html.var file. The final base search for this file then becomes intitle:"Object Not Found!" "think this is a server error", which returns very accurate results, as shown in Figure 8.8.
Figure 8.8 Results for intitle:"Object Not Found!" "think this is a server error": each hit is titled "Object not found!" and its snippet reads "The requested URL was not found on this server ... If you think this is a server error, please contact the webmaster Error 404".
Now that we've found a good base search for one error page, we can automate the query-hunting process to determine good base searches for the other error pages referenced in the httpd.conf file, giving us a solid base search for every default Apache (2.0) error page. The contact.html.var file that we saw previously is included in every Apache 2.0 error page via the bottom.html file, which means that "think this is a server error" will work for all the different error pages Apache 2.0 produces. The other critical element to our search was the intitle search, which we can grep for in each of the error files. While we're at it, we should also grab a snippet of the text printed in each of the error pages, remembering that in some cases a more specific search might be needed. Using some basic shell commands, we can isolate both the title of an error page and the text that might appear on the page:
grep -h -r "Content-language: en" -A 10 /var/www/error | grep -A5 "TITLE" | grep -v virtual
This bash pipeline, when run against the directory holding the .var error pages (/var/www/error in our example, or docs/error in the Apache 2.0 source tree), will produce output similar to that shown in Table 8.2. This table lists the title of each English Apache (2.0 and newer) error page as well as a portion of the text that will be located on the page. Instead of searching for English messages only, we could search for errors in other Apache-supported languages by simply replacing the Content-language string in the previous grep command from en to de, es, fr, or sv, for German, Spanish, French, or Swedish, respectively.
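The grep pipeline is fine for a one-off look, but it separates the title from its language block and leaves the word-limit trimming to you. The following Python does the same job in one pass and is an added example, not code from the book or from the Apache project. The .var text it parses is a constructed sample laid out the way the text describes HTTP_NOT_FOUND.html.var (a Content-language header per block, a Body delimiter, a TITLE set line and the top/bottom include lines); the function names are my own.

```python
"""Turn Apache 2.0 .html.var error pages into Google base searches.

Added example, not code from the book or the Apache project. It does in
Python what the grep pipeline in the text does, but keeps each language
block together so a single pass yields a page title and a body snippet per
language, then trims the pair to Google's query word limit.
"""
import re

# Constructed sample, modeled on the layout of HTTP_NOT_FOUND.html.var as the
# text describes it. Not a copy of the real file.
SAMPLE_VAR = """\
Content-language: en
Content-type: text/html
Body:----------en--
<!--#set var="TITLE" value="Object not found!" -->
<!--#include virtual="include/top.html" -->

    The requested URL was not found on this server.

<!--#include virtual="include/bottom.html" -->
----------en--

Content-language: de
Content-type: text/html
Body:----------de--
<!--#set var="TITLE" value="Objekt nicht gefunden!" -->
<!--#include virtual="include/top.html" -->

    Die angeforderte URL konnte auf dem Server nicht gefunden werden.

<!--#include virtual="include/bottom.html" -->
----------de--
"""

# One language block: the header, then the body between matching delimiters.
BLOCK_RE = re.compile(
    r"Content-language:\s*(?P<lang>[A-Za-z-]+).*?"
    r"Body:-+(?P=lang)--\n(?P<body>.*?)\n-+(?P=lang)--",
    re.S,
)
TITLE_RE = re.compile(r'<!--#set\s+var="TITLE"\s+value="(?P<title>[^"]*)"')
SSI_RE = re.compile(r"<!--#.*?-->")  # any server-side include directive

# The phrase bottom.html pulls in from contact.html.var on every 2.0 error page.
CONTACT_PHRASE = "think this is a server error"


def parse_var(text):
    """Return {lang: (title, first visible line of body text)} per block."""
    pages = {}
    for block in BLOCK_RE.finditer(text):
        body = block.group("body")
        title = TITLE_RE.search(body)
        if not title:
            continue
        # Drop the SSI directives; what is left is the text Google indexes.
        visible = [ln.strip() for ln in SSI_RE.sub("", body).splitlines() if ln.strip()]
        pages[block.group("lang")] = (title.group("title"), visible[0] if visible else "")
    return pages


def base_query(title, text, max_words=10):
    """intitle:"<title>" "<text>", with the body phrase cut so that the two
    quoted strings together stay within max_words (10 was Google's limit
    when the book was written; the operator prefix is not counted here)."""
    budget = max_words - len(title.split())
    phrase = " ".join(text.split()[: max(budget, 0)])
    query = f'intitle:"{title}"'
    if phrase:
        query += f' "{phrase}"'
    return query


def contact_query(title):
    """The shorter alternative from the text: the title plus the contact phrase."""
    return f'intitle:"{title}" "{CONTACT_PHRASE}"'


if __name__ == "__main__":
    for lang, (title, text) in sorted(parse_var(SAMPLE_VAR).items()):
        print(lang, base_query(title, text))
        print(lang, contact_query(title))
```

Point it at every .var file in the error directory and you get, per language, both query styles the text recommends; the German block shows why the language tag is needed, since the title and body are translated while the file layout is unchanged.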
Chapter 8 • Tracking Down Web Servers, Login Portals, and Network Hardware
Table 8.2 The Title and Partial Text of English Apache 2.0 Error Pages

Error Page Title                  Error Page Partial Text
Bad gateway!                      The proxy server received an invalid response from an upstream server.
Bad request!                      Your browser (or proxy) sent a request that this server could not understand.
Access forbidden!                 You don't have permission to access the requested directory. Either there is no index document or the directory is read-protected.
Resource is no longer available!  The requested URL is no longer available on this server and there is no forwarding address.
Server error!                     The server encountered an internal error and was unable to complete your request.
Method not allowed!               A request with the method is not allowed for the requested URL.
No acceptable object found!       An appropriate representation of the requested resource could not be found on this server.
Object not found!                 The requested URL was not found on this server.
Cannot process request!           The server does not support the action requested by the browser.
Precondition failed!              The precondition on the request for the URL failed positive evaluation.
Request entity too large!         The method does not allow the data transmitted, or the data volume exceeds the capacity limit.
Request time-out!                 The server closed the network connection because the browser didn't finish the request within the specified time.
Submitted URI too large!          The length of the requested URL exceeds the capacity limit for this server. The request cannot be processed.
Service unavailable!              The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.
Authentication required!          This server could not verify that you are authorized to access the URL. You either supplied the wrong credentials (such as a bad password) or your browser doesn't understand how to supply the credentials required.
Unsupported media type!           The server does not support the media type transmitted in the request.
Variant also varies!              A variant for the requested entity is itself a negotiable resource. Access not possible.
To use this table, simply supply the text in the Error Page Title column as an intitle search and a portion of the text column as an additional phrase in the search query. Since some of the text is lengthy, you might need to select a unique portion of the text or replace common words with the asterisk, keeping the query within Google's word limit (10 words at the time of writing). For example, a good query for the first line of the table might be "response from * upstream server." intitle:"Bad Gateway!". Alternately, you could rely on the "think this is a server error" phrase combined with a title search, such as "think this is a server error" intitle:"Bad Gateway!". Different versions of Apache will display slightly different error messages, but the process of locating and creating solid base searches from software source code is something you should get comfortable with to stay ahead of the ever-changing software market.
This technique can be expanded to find Apache servers in other languages by reviewing the rest of the contact.html.var file. The important strings from that file are listed in Table 8.3. Because these sentences and phrases are included in every Apache 2.0 error message, they should appear in the text of every error page that the Apache server produces, making them ideal for base searches. It is possible (and fairly easy) to modify these error pages to provide a more polished appearance when a user encounters an error, but remember: Hackers have different motivations. Some are simply interested in locating particular versions of a server, perhaps to exploit. With those criteria, there is no shortage of servers on the Internet that are using these default error phrases.
Besides Apache and IIS, other servers can be located by searching for server-produced error messages, but we're trying to keep this book just a bit thinner than your local yellow pages, so we'll draw the line at just these two servers.
Application Software Error Messages
The error messages we've looked at so far have all been generated by the Web server itself. In many cases, applications running on the Web server can generate errors that reveal information about the server as well. There are untold thousands of Web applications on the Internet, each of which can generate any number of error messages. Dedicated Web assessment tools such as SPI Dynamics' WebInspect excel at performing detailed Web application assessments, making it seem a bit pointless to troll Google for application error messages. However, we search for error message output throughout this book simply because the data contained in error messages should not be overlooked.
We've looked at various error messages in previous chapters, and we'll see more error messages in later chapters, but let's take a quick look at how error messages can help profile a Web server and its applications. Admittedly, we will hardly scratch the surface of this topic, but we'll make an effort to stimulate your thinking about Google's ability to locate these sometimes very telling error messages.
One query, "Fatal error: Call to undefined function" -reply -the -next, will locate PHP fatal error messages. These messages often reveal information about the database software in use on the server (the undefined function is frequently a database client call such as mysql_connect()) as well as information about the application that caused the error (see Figure 8.9).
Although this PHP message is fairly benign, some application error messages are much more revealing. Consider the query "ASP.NET_SessionId" "data source=", which locates unique strings found in ASP.NET application state dumps, as shown in Figure 8.10. The "data source=" string is the start of a database connection string, which frequently names the database server and may carry its credentials. These dumps reveal all sorts of information about the running application and the Web server that hosts it. An advanced attacker could use encrypted password data and variable information in these stack traces to subvert the security of the application and perhaps the Web server itself.
PHP application errors are fairly commonplace. They can reveal all sorts of information that an attacker can use to profile a server. One very common error can be found with a query such as intext:"Warning: Failed opening" include_path, as shown in Figure 8.11.
Another telling class of pages is CGI environment variable dumps. A typical environment variable output page is shown in Figure 8.12.
This screen shows information about the Web server and the client that connected to the page when the data was produced. Since Google's bot crawls pages for us, one way to find these CGI environment pages is to focus on the trail left by the bot, reflected in these pages as the "HTTP_FROM=googlebot" line. We can search for pages like this with a query such as "HTTP_FROM=googlebot" googlebot.com "Server_Software". These pages are dynamically generated, which means that you must look at Google's cache to see the document as it was crawled.
To locate good base searches for a particular application, it's best to look at the source code of that application. Using the techniques we've explored so far, it's simple to create these searches.
Default Pages
Another way to locate specific types of servers or Web software is to search for default Web pages. Most Web software, including the Web server software itself, ships with one or more default or test pages. These pages make it easy for a site administrator to test the installation of a Web server or application: by providing a simple page to test, the administrator can connect to his own Web server with a browser to validate that the Web software was installed correctly. Some operating systems even come with Web server software already installed. In this case, the owner of the machine might not even realize that a Web server is running on his machine. This type of casual behavior on the part of the owner leads an attacker to reasonably assume that the Web software is not well maintained and is, by extension, insecure. By further extension, the attacker can also assume that the entire operating system of the server might be vulnerable by virtue of poor maintenance.
In some cases, Google crawls a Web server while it is in its earliest stages of installation, still displaying a set of default pages. In these cases there's generally a short window of time between the moment when Google crawls the site and when the intended content is actually placed on the server. This means that there could be a disparity between what the live page is displaying and what Google's cache displays. This makes little difference from a Google hacker's perspective, since even the past existence of a default page is enough for profiling purposes. Remember, we're essentially searching Google's cached version of a page when we submit a query. Regardless of the reason a server has default pages installed, there's an attacker somewhere who will eventually show interest in a machine displaying default pages found with a Google search.
A classic example of a default page is the Apache Web server default page, shown in Figure 8.13.
Notice that the administrator's e-mail address is generic as well, indicating that not a lot of attention was paid to detail during the installation of this server. These default pages do not list the version number of the server, which an attacker generally wants before choosing an exploit. It is possible, however, for an attacker to search for specific variations in these default pages to narrow a server down to a range of versions. As shown in Figure 8.14, an Apache server running versions 1.3.11 through 1.3.26 shows a slightly different page than the one shown in Figure 8.13.
Figure 8.14 Subtle Differences in Apache Default Pages

Test Page for Apache Installation
If you can see this, it means that the installation of the Apache web server software on this system was successful. You may now add content to this directory and replace this page.
Seeing this instead of the website you expected?
This page is here because the site administrator has changed the configuration of this web server. Please contact the person responsible for maintaining this server with questions.
The Apache Software Foundation, which wrote the web server software this site administrator is using, has nothing to do with maintaining this site and cannot help resolve configuration issues.
The Apache documentation has been included with this distribution.
You are free to use the image below on an Apache-powered web server. Thanks for using Apache!
Using these subtle differences to our advantage, we can use specific Google queries to locate servers with these default pages, indicating that they are most likely running a specific version of Apache.Table 8.4 shows queries that can be used to locate specific families of Apache running default pages.
Table 8.4 Queries That Locate Default Apache Installations

Apache Server Version   Query
Apache 1.2.6            intitle:"Test Page for Apache Installation" "You are free"
Apache 1.3.0-1.3.9      intitle:"Test Page for Apache" "It worked!" "this Web site!"
Apache 1.3.11-1.3.31    intitle:Test.Page.for.Apache seeing.this.instead
Apache 2.0              intitle:Simple.page.for.Apache Apache.Hook.Functions
Apache SSL/TLS          intitle:test.page "Hey, it worked !" "SSL/TLS-aware"
Apache on Red Hat       "Test Page for the Apache Web Server on Red Hat Linux"
Apache on Fedora        intitle:"test page for the apache http server on fedora core"
Apache on Debian        intitle:"Welcome to Your New Home Page!" debian
Apache on other Linux   intitle:"Test Page Apache Web Server on " -red.hat -fedora
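A defender does not have to wait for Google to index a forgotten test page to know whether it would match one of these queries. The following Python evaluates the subset of Google syntax that Table 8.4 uses (intitle:, inurl:, quoted phrases, dotted phrases and -negated terms) against HTML you already hold, so the table's queries can be run over your own crawl. It is an added example, not code from the book; the queries are copied from Table 8.4, while the two sample pages are constructed to resemble the Figure 8.14 text and the Red Hat test page named in the table, and the function names are my own.

```python
"""Run the chapter's default-page queries against crawled HTML, offline.

Added example, not code from the book. Supports the Google operators used in
Table 8.4: intitle:, inurl:, intext:, "quoted phrase", dotted.phrase and
-negation. OR ("|") is not needed for that table and is not implemented.
"""
import html
import re
import shlex

# Queries copied from Table 8.4; the labels are the table's version families.
SIGNATURES = [
    ("Apache 1.2.6", 'intitle:"Test Page for Apache Installation" "You are free"'),
    ("Apache 1.3.0-1.3.9", 'intitle:"Test Page for Apache" "It worked!" "this Web site!"'),
    ("Apache 1.3.11-1.3.31", "intitle:Test.Page.for.Apache seeing.this.instead"),
    ("Apache 2.0", "intitle:Simple.page.for.Apache Apache.Hook.Functions"),
    ("Apache SSL/TLS", 'intitle:test.page "Hey, it worked !" "SSL/TLS-aware"'),
    ("Apache on Red Hat", '"Test Page for the Apache Web Server on Red Hat Linux"'),
    ("Apache on Fedora", 'intitle:"test page for the apache http server on fedora core"'),
    ("Apache on Debian", 'intitle:"Welcome to Your New Home Page!" debian'),
    ("Apache on other Linux", 'intitle:"Test Page Apache Web Server on " -red.hat -fedora'),
]

# Constructed sample pages (not real captures), modeled on Figure 8.14 and on
# the Red Hat test page named in Table 8.4.
SAMPLE_APACHE_13 = """<html><head><title>Test Page for Apache Installation</title></head>
<body><h1>Test Page for Apache Installation</h1>
<p>If you can see this, it means that the installation of the Apache web server
software on this system was successful. You may now add content to this directory
and replace this page.</p>
<h2>Seeing this instead of the website you expected?</h2>
<p>This page is here because the site administrator has changed the configuration
of this web server.</p></body></html>"""

SAMPLE_REDHAT = """<html><head><title>Test Page for the Apache Web Server on Red Hat Linux</title></head>
<body><p>This page is used to test the proper operation of the Apache Web server
after it has been installed.</p></body></html>"""

TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def _norm(s):
    """Lowercase, treat '.' as a word separator (as Google does), collapse spaces."""
    return " ".join(s.replace(".", " ").split()).lower()


def page_text(doc):
    """(title, visible text) of an HTML document, normalised for matching."""
    m = TITLE_RE.search(doc)
    title = html.unescape(m.group(1)) if m else ""
    return _norm(title), _norm(html.unescape(TAG_RE.sub(" ", doc)))


def parse_query(q):
    """Split a query into (negated, field, phrase) terms.
    shlex keeps quoted phrases together and drops the quotes."""
    terms = []
    for tok in shlex.split(q):
        neg = tok.startswith("-")
        tok = tok[1:] if neg else tok
        field = None
        head, sep, rest = tok.partition(":")
        if sep and head in ("intitle", "inurl", "intext"):
            field, tok = head, rest
        terms.append((neg, field, _norm(tok)))
    return terms


def matches(q, doc, url=""):
    """True if every positive term is found in its field and no negated term is."""
    title, body = page_text(doc)
    fields = {"intitle": title, "inurl": _norm(url), "intext": body,
              None: title + " " + body}
    return all((phrase in fields[field]) != neg
               for neg, field, phrase in parse_query(q))


def fingerprint(doc, url=""):
    """Labels of every Table 8.4 signature the page satisfies."""
    return [label for label, q in SIGNATURES if matches(q, doc, url)]


if __name__ == "__main__":
    print(fingerprint(SAMPLE_APACHE_13))
    print(fingerprint(SAMPLE_REDHAT))
```

Feed it the HTML of each host's document root (and the URL, so inurl: terms work) and any non-empty result is a default page worth removing before Google, or anyone using Google, finds it. The same matcher runs the IIS, Netscape and login-portal queries later in the chapter, since they use the same operators.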
IIS also displays a default Web page when first installed. A query such as intitle:"Welcome to IIS 4.0" can locate very specific versions of IIS, as shown in Figure 8.15.
Table 8.5 Queries That Locate Specific IIS Server Versions

IIS Server Version   Query
Many                 intitle:"welcome to" intitle:internet IIS
Unknown              intitle:"Under construction" "does not currently have"
IIS 4.0              intitle:"welcome to IIS 4.0"
IIS 4.0              allintitle:Welcome to Windows NT 4.0 Option Pack
IIS 4.0              allintitle:Welcome to Internet Information Server
IIS 5.0              allintitle:Welcome to Windows 2000 Internet Services
IIS 6.0              allintitle:Welcome to Windows XP Server Internet Services
Although each version of IIS displays distinct default Web pages, in some cases service packs or hotfixes could alter the content of a default page. In these cases, the subtle page changes can be incorporated into the search to find not only the operating system version and Web server version but also the service pack level and security patch level. This information is invaluable to an attacker bent on hacking not only the Web server, but hacking beyond the Web server and into the operating system itself. In most cases, an attacker with control of the operating system can wreak more havoc on a machine than a hacker who controls only the Web server.
Netscape servers can also be located with simple queries such as allintitle:Netscape Enterprise Server Home Page, as shown in Figure 8.16.
Other Netscape servers can be found with simple allintitle searches, as shown in Table 8.6.
Table 8.6 Queries That Locate Netscape Servers

Netscape Server Type   Query
Enterprise Server      allintitle:Netscape Enterprise Server Home Page
FastTrack Server       allintitle:Netscape FastTrack Server Home Page
Many different types of Web server can be located by querying for default pages as well.Table 8.7 lists a sample of more esoteric Web servers that can be profiled with this technique.
Table 8.7 Queries That Locate More Esoteric Servers

Server/Version              Query
Cisco Micro Webserver 200   "micro webserver home page"
Generic Appliance           "default web page" congratulations "hosting appliance"
HP appliance sa1            intitle:"default domain page" "congratulations" "hp web"
iPlanet/Many                intitle:"web server, enterprise edition"
Intel Netstructure          "congratulations on choosing" intel netstructure
JWS/1.0.3-2.0               allintitle:default home page java web server
J2EE/Many                   intitle:"default j2ee home page"
Jigsaw/2.2.3                intitle:"jigsaw overview" "this is your"
Jigsaw/Many                 intitle:"jigsaw overview"
KFSensor honeypot           "KF Web Server Home Page"
Kwiki                       "Congratulations! You've created a new Kwiki website."
Matrix Appliance            "Welcome to your domain web page" matrix
NetWare 6                   intitle:"welcome to netware 6"
Resin/Many                  allintitle:Resin Default Home Page
Resin/Enterprise            allintitle:Resin-Enterprise Default Home Page
Sambar Server               intitle:"sambar server" "1997..2004 Sambar"
Sun AnswerBook Server       inurl:"Answerbook2options"
TivoConnect Server          inurl:/TiVoConnect
Default Documentation
Web server software often ships with manuals and documentation that end up in the Web directories. An attacker can use this documentation to profile or locate Web software. For example, Apache Web servers ship with documentation in HTML format, as shown in the accompanying figure. In most cases, default documentation does not portray the server version as accurately as error messages or default pages do, but it can certainly be used to locate targets and to gain an understanding of the server's likely security posture. If the server administrator has forgotten to delete the default documentation, an attacker has every reason to believe that other details, security among them, have been overlooked as well. Other Web servers, such as IIS, ship with default documentation too, as shown in Figure 8.18.
In most cases, specialized programs such as CGI scanners or Web application assessment tools are better suited for finding these default pages and programs, but if Google has crawled the pages (from a link on a default main page for example), you'll be able to locate these pages with Google queries. Some queries that can be used to locate default documentation are listed in Table 8.8.
Sample Programs
In addition to documentation and manuals that ship with Web software, it is fairly common for default applications to be included with a software package. These default applications, like default Web pages, help demonstrate the functionality of the software and serve as a starting point for developers, providing sample routines and code that could be used as learning tools. Unfortunately, these sample programs can be used not only to profile a Web server; often they contain flaws or functionality an attacker could use to compromise the server. The Microsoft Index Server simple content query page, shown in Figure 8.19, allows Web visitors to search through the content of a Web site. In some cases, this query page could locate pages that are not linked from any other page or that contain sensitive information.
As with default pages, specialized programs designed to crawl a Web site in search of these default programs are much better suited for finding these pages. However, if a default page provided with a Web server contains links to demonstration pages and programs, Google will find them. In some cases, the cache of these pages will remain even after the main page has been updated and the links removed.Table 8.9 shows some queries that can be used to locate default-installed programs.
Table 8.9 Queries That Locate Default Programs

Software                        Query
Apache Cocoon                   inurl:cocoon/samples/welcome
Generic                         inurl:demo | inurl:demos
Generic                         inurl:sample | inurl:samples
IBM WebSphere                   inurl:WebSphereSamples
Lotus Domino 4.6                inurl:/sample/framew46
Lotus Domino 4.6                inurl:/sample/faqw46
Lotus Domino 4.6                inurl:/sample/pagesw46
Lotus Domino 4.6                inurl:/sample/siregw46
Microsoft Index Server          inurl:samples/Search/queryhit
Microsoft Site Server           inurl:siteserver/docs
Novell NetWare 5                inurl:/lcgi/sewse.nlm
Novell GroupWise WebPublisher   inurl:/servlet/webpub groupwise
NetWare WebSphere               inurl:/servlet/SessionServlet
OpenVMS                         inurl:sys$common
Oracle Demos                    inurl:/demo/sql/index.jsp
Oracle JSP Demos                inurl:demo/basic/info
Oracle JSP Scripts              inurl:ojspdemos
Oracle 9i                       inurl:/pls/simpledad/admin_
IIS/Various                     inurl:iissamples
IIS/Various                     inurl:/scripts/samples/search
Sambar Server                   intitle:"Sambar Server Samples"
Locating Login Portals
The term login portal describes a Web page that serves as a "front door" to a Web site. Login portals are designed to allow access to specific features or functions after a user logs in. Google hackers search for login portals as a way to profile the software that's in use on a target and to locate links and documentation that might provide useful information for an attack. In addition, if an attacker has an exploit for a particular piece of software, and that software provides a login portal, the attacker can use Google queries to locate potential targets.
Some login portals, like the one shown in Figure 8.20, captured with allinurl:"exchange/logon.asp", are obviously default pages provided by the software manufacturer—in this case, Microsoft. Just as an attacker can get an idea of the potential security of a target by simply looking for default pages, a default login portal can indicate that the technical skill of the server's administrators is generally low, revealing that the security of the site will most likely be poor as well.To make matters worse, default login portals like the one shown in Figure 8.20 indicate the software revision of the program—in this case, version 5.5 SP4.An attacker can use this information to search for known vulnerabilities in that software version.
By following links from the login portal, an attacker can often gain access to other information about the target. The Outlook Web Access portal is particularly renowned for this type of information leak because it provides an anonymous public access area that can be viewed without logging in to the mail system. This public access area sometimes provides access to a public directory or to broadcast e-mails that can be used to gather usernames or information, as shown in Figure 8.21. Some login portals provide more details than others. As shown in Figure 8.22, the Novell Management Portal provides a great deal of information about the server, including server software version and revision, application software version and revision, software upgrade date, and server uptime. This type of information is very handy for an attacker staging an attack against the server.
Table 8.9 shows some queries that can be used to locate various login portals. Refer to Chapter 4 for more information about login portals and the information they reveal.
Table 8.9 Queries That Locate Login Portals

Login Portal                      Query
4Images GMS                       "4images Administration Control Panel"
Apache Tomcat Admin               intitle:"Tomcat Server Administration"
ASP.NET                           inurl:ASP.login_aspx
Citrix Metaframe                  inurl:/Citrix/Nfuse17/
Citrix Metaframe                  inurl:citrix/metaframexp/default/login.asp
ColdFusion Admin                  intitle:"ColdFusion Administrator Login"
ColdFusion Generic                inurl:login.cfm
Compaq Insight Manager            inurl:cpqlogin.htm
CuteNews                          "powered by CuteNews . © CutePHP
Easy File Sharing                 intitle:"Login - powered by Easy File Sharing Web
Emule                             "Web Control Panel" "Enter your password here"
Ensim Enterprise                  intitle:"Welcome Site/User Administrator" "Please
Generic Admin                     inurl:/admin/login.asp
Generic User                      inurl:login.asp
Generic                           "please log in"
GradeSpeed                        inurl:"gs/adminlogin.aspx"
Infopop UBB                       inurl:cgi-bin/ultimatebb.cgi?ubb=login
Jetbox CMS                        Login ("Powered by Jetbox One CMS ™" | "Powered by Jetstream © ")
Lotus Domino Admin                inurl:"webadmin" filetype:nsf
Lotus Domino                      inurl:names.nsf?opendatabase
Mambo CMS Admin                   inurl:administrator "welcome to mambo"
Microsoft Certificate Server      intitle:"microsoft certificate services" inurl:certsrv
Microsoft Outlook Web Access      allinurl:"exchange/logon.asp"
Microsoft Outlook Web Access      inurl:"exchange/logon.asp" or intitle:"Microsoft Outlook Web Access - Logon"
Microsoft Remote Desktop          intitle:Remote.Desktop.Web.Connection inurl:tsweb
Network Appliance Admin           inurl:na_admin
Novell Groupwise Web Access       inurl:/servlet/webacc Novell
Novell Groupwise                  intitle:Novell intitle:WebAccess "Copyright - Novell, Inc"
Novell Management Portal          Novell NetWare intext:"netware management portal version"
OpenExchange Admin                filetype:pl "Download: SuSE Linux Openexchange Server CA"
phpMySearch Admin                 inurl:search/admin.php
PhpWebMail                        filetype:php login inurl:phpWebMail (intitle:phpWe
Remedy Action Request             (inurl:"ars/cgi-bin/arweb?O=0" | inurl:arweb.jsp)
SAP ITS                           intitle:"ITS System Information" "Please log on to the SAP System"
Shockwave Flash Login             inurl:login filetype:swf swf
SilkRoad Eprise                   inurl:/eprise/
SQWebmail                         inurl:/cgi-bin/sqwebmail?noframes=1
Synchronet BBS                    intitle:Node.List Win32.Version.3.11
Tarantella                        "ttawlogin.cgi/?action = "
TeamSpeak Admin                   intitle:"teamspeak server-administration
Tivoli Server Administration      intitle:"Server Administration" "Tivoli power"
TUTOS                             intitle:"TUTOS Login"
TYPO3 CMS                         inurl:"typo3/index.php?u=" -demo
Ultima Online Servers             filetype:cfg login "LoginServer="
Usermin                           "Login to Usermin" inurl:20000
UtiliPro Workforce Management     inurl:"utilities/TreeView.asp"
Virtual Network Computing (VNC)   "VNC Desktop" inurl:5800
WebAdmin                          filetype:php inurl:"webeditor.php"
Webmail                           intitle:Login 1&1 Webmailer
Webmin Admin                      inurl:":10000" intext:webmin
WebSTAR Mail                      "WebSTAR Mail - Please Log In"
Login portals provide great information for use during a vulnerability assessment. Chapter 4 provides more details on getting the most from these pages.
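The default-page queries listed above and the login-portal queries in Table 8.9 use the same handful of Google operators. The following Python is an added example, not code from the book: it evaluates those operators (inurl:, intitle:, intext:, filetype:, quoted phrases, | for OR, -term for exclusion) against a locally held inventory of your own pages, so an administrator can learn which pages would answer a query before a search engine indexes them. The page inventory and the example.test hostnames are constructed; parentheses are dropped and terms match as plain substrings, which is stricter than Google's own matching.

```python
import re
from collections import namedtuple
Page = namedtuple("Page", "url title text")   # one entry in your own site inventory
# One query term: optional '-' (negate), optional operator, quoted phrase or bare word.
TERM = re.compile(r'(-?)(?:([a-z]+):)?(?:"([^"]*)"|(\S+))', re.I)

def parse(query):
    """AND-ed groups of OR-ed (negate, op, value) terms; parens dropped, '|' means OR."""
    groups, after_or = [[]], False
    for neg, op, phrase, word in TERM.findall(query.replace("(", " ").replace(")", " ")):
        value = phrase or word
        if value == "|":
            after_or = True
            continue
        if groups[-1] and not after_or:
            groups.append([])
        groups[-1].append((neg == "-", op.lower(), value.lower()))
        after_or = False
    return groups

def term_hits(page, op, value):
    """Case-insensitive substring test of one term against the field its operator names."""
    fields = {"url": page.url.lower(), "title": page.title.lower(), "text": page.text.lower()}
    op = op[3:] if op.startswith("all") else op      # allinurl etc. behave like inurl here
    if op in ("inurl", "intitle", "intext"):
        return value in fields[op[2:]]
    if op in ("filetype", "ext"):
        return fields["url"].split("?")[0].endswith("." + value)
    if op == "":                                      # bare word: anywhere on the page
        return any(value in f for f in fields.values())
    raise ValueError("unsupported operator: " + op)

def matches(query, page):
    """True when every AND group has a satisfied term (a negated term must be absent)."""
    return all(any(term_hits(page, op, v) != neg for neg, op, v in group)
               for group in parse(query))

# Three queries copied from Table 8.9 and a constructed inventory on a fictional domain;
# find_exposed reports which inventory pages each query would surface.
PORTAL_QUERIES = {
    "Microsoft Outlook Web Access": 'allinurl:"exchange/logon.asp"',
    "TYPO3 CMS": 'inurl:"typo3/index.php?u=" -demo',
    "Jetbox CMS": 'Login ("Powered by Jetbox One CMS ™" | "Powered by Jetstream © ")',
}
SAMPLE_PAGES = [
    Page("https://mail.example.test/exchange/logon.asp", "Outlook Web Access - Logon", "Log On"),
    Page("https://www.example.test/typo3/index.php?u=", "TYPO3 Login", "Username Password"),
    Page("https://demo.example.test/typo3/index.php?u=", "TYPO3 Login", "Username Password"),
    Page("https://news.example.test/admin/", "Login", "Powered by Jetstream © 2004"),
]
def find_exposed(pages=SAMPLE_PAGES, table=PORTAL_QUERIES):
    return [(name, p.url) for name, q in table.items() for p in pages if matches(q, p)]
```

The demo.example.test page is excluded by the -demo term, which is why the TYPO3 query reports only the www host.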
Locating Network Hardware
It's not uncommon for a network-connected device to have a Web page of some sort. If that device is connected to the Internet and a link to that device's Web page ever existed, there's a good chance that that page is in Google's database, waiting to be located with a crafty query. As we discussed in Chapter 5, these pages can reveal information about the target network, as shown in Figure 8.23. This type of information can play a very important role in mapping a target network.
All types of devices can be connected to a network. In Chapter 5, we discussed network devices that reveal a great deal of information about the network they are attached to. These devices, ranging from switches and routers to printers and even firewalls, are considered great finds for any attacker interested in network reconnaissance, but some devices such as Webcams are interesting finds for an attacker as well.
In most cases, a network-connected Webcam is not considered a security threat but more a source of entertainment for any Web surfer. Keep a few things in mind, however. First, some companies consider it trendy and cool to provide customers a look around their workplace. Netscape was known for this back in its heyday. The Webcams located on these companies' premises were obviously authorized by upper management. A look inside a facility can be a huge benefit if your job boils down to a physical assessment. Second, it's not all that uncommon for a Webcam to be placed outside a facility, as shown in Figure 8.24. This type of cam is a boon for a physical assessment. Also, don't forget that what an employee does at work doesn't necessarily reflect what he does on his own time. If you locate an employee's personal Web space, there's a fair chance that these types of devices will exist.
Most network printers manufactured these days have some sort of Web-based interface installed. If these devices (or even the documentation or drivers supplied with these devices) are linked from a Web page, various Google queries can be used to locate them. Once located, network printers can provide an attacker with a wealth of information. As shown in Figure 8.25, it is very common for a network printer to list details about the surrounding network, naming conventions, and more. Many devices located through a Google search are still running a default, insecure configuration with no username or password needed to control the device. In a worst-case scenario, attackers can view print jobs and even coerce these printers to store files or send network commands. Table 8.10 shows queries that can be used to locate various network devices. Refer back to Chapter 5 for more conventional network devices such as routers, switches, proxy servers, and firewalls.
Summary
Attackers use Google for a variety of reasons. An attacker might have access to an exploit for a particular version of Web software and may be on the prowl for vulnerable targets. Other times the attacker might have decided on a target and is using Google to locate information about other devices on the network. In some cases, an attacker could simply be looking for Web devices that are poorly configured with default pages and programs, indicating that the security around the device is soft.
Directory listings provide information about the software versions in use on a device. Server and application error messages can provide a wealth of information to an attacker and are perhaps the most underestimated of all information-gathering techniques. Default pages, programs, and documentation not only can be used to profile a target, but they serve as an indicator that the server is somewhat neglected and perhaps vulnerable to exploitation. Login portals, while serving as the "front door" of a Web server for regular users, can be used to profile a target, used to locate more information about services and procedures in use, and as a virtual magnet for attackers armed with matching exploits. In some cases, login portals are set up by administrators to allow remote access to a server or network. This type of login portal, if compromised, can provide an entry point for an intruder as well.
Whatever motivates an attacker, it's best to understand the techniques he or she could employ so that you protect yourself and your customers from this type of threat.
Solutions Fast Track
Locating and Profiling Web Servers
- Directory listings and default server-generated error messages can provide details about the server. Even though this information could be obtained by connecting directly to the server, an attacker armed with an exploit for a particular version of software could find a target using a Google query designed to locate this information.
- Server and application error messages provide a great deal of information, ranging from software versions and patch level to snippets of source code and information about system processes and programs. Error messages are one of the most underestimated forms of information leakage.
- Default pages, documentation, and programs speak volumes about the server that hosts them. They suggest that a server is not well maintained and is by extension vulnerable due to poor maintenance.
Locating Login Portals
- Login portals can draw attackers who are searching for specific types of software. In addition, they can serve as a starting point for information-gathering attacks, since most login portals are designed to be user friendly, providing links to help documents and procedures to aid new users. Administrative login portals and remote administration tools are sometimes even more dangerous, especially if they are poorly configured.
Locating Network Hardware
- All sorts of network devices can be located with Google queries. These devices are more than a passing technological curiosity for some attackers, since many devices linked from the Web are poorly configured, trusted devices often overlooked by typical security auditors. Web cameras are often overlooked devices that can provide insight for an attacker, even though an extremely small percentage of targets have Web cameras installed. Network printers, when compromised, can reveal a great deal of sensitive information, especially for an attacker capable of viewing print jobs and network information.
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form. You will also gain access to thousands of other FAQs at ITFAQnet.com.
Q: I run an IIS 6.0 server, and I don't like the idea of those static HTTP 1.1 error pages hanging around my site, luring potential malicious interest in my server. How can I enable the customized error messages?
A: If you aren't in the habit of just asking Google by now, you should be! Seriously, try a Google search for site:microsoft.com "Configuring Custom Error Messages" IIS 6.0. At the time of this writing, the article describing this procedure is the first hit. The procedure involves firing up the IIS Manager, double-clicking My Computer, right-clicking the Web Sites folder, and selecting Properties. See the Custom Errors tab.
Q: I run an Apache server, and I don't like the idea of those server tags on error messages and directory listings. How can I turn these off?
A: To remove the tags, locate the section in your httpd.conf file (usually in /etc/httpd/conf/httpd.conf) that contains the following:
#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (error documents, FTP directory listings,
# mod_status and mod_info output etc., but not CGI generated documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#
ServerSignature On
The ServerSignature setting can be changed to Off to remove the tag altogether, or to EMail, which presents an e-mail link with the ServerAdmin address as it appears in the httpd.conf file.
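As an added check (not from the book), the following Python reads an httpd.conf and reports the effective ServerSignature value, then tests a fetched error page or directory listing for the server-generated footer. SAMPLE_CONF, HARDENED_CONF and SAMPLE_404 are constructed inputs; the config check takes the last directive in the file as effective and ignores per-VirtualHost or per-Directory overrides.

```python
import re

# Matches an uncommented ServerSignature directive at the start of a line.
SIGNATURE_RE = re.compile(r"^\s*ServerSignature\s+(\S+)", re.I | re.M)
# The footer Apache appends to error documents and mod_autoindex listings.
FOOTER_RE = re.compile(r"<address>.*?Server at .*?Port \d+</address>", re.I | re.S)

def strip_comments(conf):
    """Drop everything after '#' on each line so commented-out directives are ignored."""
    return "\n".join(line.split("#", 1)[0] for line in conf.splitlines())

def effective_server_signature(conf):
    """Last uncommented directive wins; when none is present Apache defaults to On.
    Simplification: <VirtualHost>/<Directory> scoping of the directive is ignored."""
    values = SIGNATURE_RE.findall(strip_comments(conf))
    return values[-1].strip('"') if values else "On"

def leaks_signature(conf):
    """Both On and EMail emit the 'Apache/x.y.z Server at host Port n' line; only Off
    suppresses it. (The Server response header is governed separately by ServerTokens,
    which this check does not cover.)"""
    return effective_server_signature(conf).lower() != "off"

def body_has_signature(html):
    """Verify from the outside: does a 404 or directory listing still carry the footer?"""
    return FOOTER_RE.search(html) is not None

# Constructed inputs: a default-style config, its hardened form, and a 404 body.
SAMPLE_CONF = """\
# Set to one of: On | Off | EMail
ServerSignature On
<VirtualHost *:80>
    ServerName www.example.test
</VirtualHost>
"""
HARDENED_CONF = SAMPLE_CONF.replace("ServerSignature On", "ServerSignature Off")
SAMPLE_404 = ("<h1>Not Found</h1><hr>"
              "<address>Apache/1.3.33 Server at www.example.test Port 80</address>")
```

Note that commenting the directive out is not the same as setting it to Off: with no directive present the check still reports On, which is Apache's default.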
Q: I've got an idea for a search that's not listed here. If you're so smart about Google, why isn't my search listed in this book?
A: This book serves as more of a primer than a reference book. There are so many possible Google searches out there that it's impossible to include them all in one book. Most searches listed in this book are the result of a community of people working together to come up with as many effective searches as possible. Fortunately, this community of individuals has created a unique and extensive database that is open to the public for the purposes of adequately defending against this unique threat. The Search Engine Hacking forum and the Google Hacking Database (GHDB) are both available at http://johnny.ihackstuff.com. If you've got a new search, first search the database to make sure it's unique. If you think it is, submit it to the forums, and your search could be the newest addition to the database. But beware, Google searcher. Google hacking is fun and addictive. If you submit one search, I think you'll find it's hard to stop. Just ask any of the individuals on the Google Master's list. Some of them found it hard to stop at 10 or 20 unique submitted searches! Check out the Acknowledgments page for a list of users who have made a significant contribution to the Google hacking community.