Solutions in this Chapter:
■ Searching for Usernames
■ Searching for Passwords
■ Searching for Credit Card Numbers, Social Security Numbers, and More
■ Searching for Other Juicy Info
■ List of Sites
■ Summary
■ Solutions Fast Track
■ Frequently Asked Questions
Introduction
This chapter is not about finding sensitive data during an assessment as much as it is about what the "bad guys" might do to troll for the data. The examples presented in this chapter generally represent the lowest-hanging fruit on the security tree. Hackers target this information on a daily basis. To protect against this type of attacker, we need to be fairly candid about the worst-case possibilities. We won't be overly candid, however.
We start by looking at some queries that can be used to uncover usernames, the less important half of most authentication systems. The value of a username is often overlooked, but as we saw in Chapters 4 and 5, an entire multimillion-dollar security system can be shattered through skillful crafting of even the smallest, most innocuous bit of information.
Next, we take a look at queries that are designed to uncover passwords. Some of the queries we look at reveal encrypted or encoded passwords, which will take a bit of work on the part of an attacker to use to his or her advantage. We also take a look at queries that can uncover cleartext passwords. These queries are some of the most dangerous in the hands of even the most novice attacker. What could make an attack easier than handing a username and cleartext password to an attacker?
We wrap up this chapter by discussing the very real possibility of uncovering highly sensitive data such as credit card information and information used to commit identity theft, such as Social Security numbers. Our goal here is to explore ways of protecting against this very real threat. To that end, we don't go into details about uncovering financial information and the like. If you're a "dark side" hacker, you'll need to figure these things out on your own.
Searching for Usernames
Most authentication mechanisms use a username and password to protect information. To get through the "front door" of this type of protection, you'll need to determine usernames as well as passwords. Usernames can also be used for social engineering efforts, as we discussed earlier.
Many methods can be used to determine usernames. In Chapter 10, we explored ways of gathering usernames via database error messages. In Chapter 8, we explored Web server and application error messages that can reveal various information, including usernames. These indirect methods of locating usernames are helpful, but an attacker could also target a username directory with a simple query like "your username is". This phrase locates help pages that describe the username creation process, as shown in Figure 9.1.
Figure 9.1 Help Documents Can Reveal Username Creation Processes
[Figure 9.1 shows a university help page explaining the username scheme: usernames for undergraduates and taught postgraduates consist of the user's initials, a number (used to differentiate between common sets of initials) and the year of entry, for example abc502 or xyz203, where abc502 would be the fifth person to subscribe with the initials A.B.C. during the 02/03 academic year and xyz203 the second person with the initials X.Y.Z. during 03/04; the username cannot be changed and also forms part of the e-mail address. Staff and research postgraduate usernames default to the user's initials, with a number added at the end if that combination is already in use, and may be changed to a name of the user's choice at subscription time.]
An attacker could use this information to postulate a username based on information gleaned from other sources, such as Google Groups posts or phone listings. The usernames could then be recycled into various other phases of the attack, such as a worm-based spam campaign or a social-engineering attempt. An attacker can gather usernames from a variety of sources, as shown in the sample queries listed in Table 9.1.
Table 9.1 Queries That Locate Usernames

Query | Description
filetype:reg reg intext:"internet account manager" | Microsoft Internet Account Manager can reveal usernames and more
filetype:wab wab | Microsoft Outlook Express Mail address books
filetype:mdb inurl:profiles | Microsoft Access databases containing (user) profiles
index.of perform.ini | mIRC IRC ini file can list IRC usernames and other information
inurl:root.asp?acs=anon | Outlook Mail Web Access directory can be used to discover usernames
filetype:conf inurl:proftpd.conf -sample | ProFTPD FTP server configuration file reveals username and server information
filetype:log username putty | PuTTY SSH client logs can reveal usernames and server information
filetype:rdp rdp | Remote Desktop Connection files reveal user credentials
intitle:index.of .bash_history | UNIX bash shell history reveals commands typed at a bash command prompt; usernames are often typed as argument strings
intitle:index.of .sh_history | UNIX shell history reveals commands typed at a shell command prompt; usernames are often typed as argument strings
"index of " lck | Various lock files list the user currently using a file
+intext:webalizer +intext:"Total Usernames" +intext:"Usage Statistics for" | Webalizer Web statistics page lists Web usernames and statistical information
filetype:reg reg HKEY_CURRENT_USER username | Windows Registry exports can reveal usernames and other information
Searching for a Known Filename
Remember that there are several ways to search for a known filename. One way relies on locating the file in a directory listing, like intitle:index.of install.log. Another, often better, method relies on the filetype operator, as in filetype:log inurl:install.log. Directory listings are not all that common, but Google will crawl a link to a file in a directory listing, meaning that the filetype method finds both directory listing entries and files crawled in other ways.
In some cases, usernames can be gathered from Web-based statistical programs that track Web activity. The Webalizer program shows all sorts of information about a Web server's usage. Output files for the Webalizer program can be located with a query such as intext:webalizer intext:"Total Usernames" intext:"Usage Statistics for". Among the information displayed is the username that was used to connect to the Web server, as shown in Figure 9.2. In some cases the usernames displayed are not valid or current, but the "Visits" column lists the number of times a user account was used during the capture period, which lets an attacker easily determine which accounts are more likely to be valid.
The Windows registry holds all sorts of authentication information, including usernames and passwords. Though it is unlikely (and fairly uncommon) to locate live, exported Windows registry files on the Web, at the time of this writing there are nearly 100 hits on the query filetype:reg HKEY_CURRENT_USER username, which locates Windows registry files that contain the word username and, in some cases, passwords, as shown in Figure 9.3.
As any talented attacker or security person will tell you, it's rare to get information served to you on a silver platter. Most decent finds take a bit of persistence, creativity, intelligence, and just a bit of good luck. For example, consider the Microsoft Outlook Web Access portal, which can be located with a query like inurl:root.asp?acs=anon. At the time of this writing, fewer than 50 sites are returned by this query, even though there are certainly more than 50 sites running the Microsoft Web-based mail portal. Regardless of how you locate a site running this e-mail gateway, it's not uncommon for the site to host a public directory (labeled "Find Names" by default), as shown in Figure 9.4.
Figure 9.4 Microsoft Outlook Web Access Hosts a Public Directory
[Figure 9.4 shows the Outlook Web Access interface reached via the query inurl:root.asp?acs=anon, with Public Folders, a Find Names link, and Log Off in the navigation bar.]
The public directory allows access to a search page that can be used to find users by name. In most cases, wildcard searching is not allowed, meaning that a search for * will not return a list of all users, as might be expected. Entering a search for a space is an interesting idea, since most user descriptions contain a space, but most large directories will return the error message "This query would return too many addresses!" Applying a bit of creativity, an attacker could begin searching for individual common letters, such as the "Wheel of Fortune letters" R, S, T, L, N, and E. Eventually one of these searches will most likely reveal a list of user information like the one shown in Figure 9.5.
Once a list of user information is returned, the attacker can then recycle the search with words contained in the user list, searching for the words Voyager, Freshmen, or Campus, for example. Those results can then be recycled, eventually resulting in a nearly complete list of user information.
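The letter-probing and word-recycling procedure above can be automated. The following is an added example, not code from the book, that runs the procedure against a constructed in-memory directory: the directory contents, the cap of three results per query, and the rule of appending one letter whenever a probe is rejected are all assumptions that stand in for a real OWA Find Names page.

```python
"""Snowball enumeration of a name directory that refuses broad queries.

Added example modelled on the OWA "Find Names" procedure in the text, run
against a constructed in-memory directory. The directory contents, the cap
of three results per query and the refinement rule (append one letter when
a probe is rejected) are assumptions standing in for a real server.
"""
import re
from collections import deque

# Constructed sample directory; every name and department is invented.
DIRECTORY = [
    "Ann Tully (Voyager Team)",
    "Ben Ortiz (Campus Police)",
    "Cara Lee (Freshmen Advising)",
    "Dan Stroud (Voyager Team)",
    "Eve Marsh (Campus Library)",
    "Finn Roth (Freshmen Advising)",
    "Gil Park (Registrar)",
    "Hal Vance (Campus Library)",
]

MAX_RESULTS = 3  # hypothetical server-side cap on results per query


class TooManyAddresses(Exception):
    """Stands in for OWA's 'This query would return too many addresses!'"""


def find_names(term):
    """Simulated directory search: case-insensitive substring match that is
    refused (like a search for '*' or a lone space) when it matches too much."""
    hits = [entry for entry in DIRECTORY if term.lower() in entry.lower()]
    if not term or len(hits) > MAX_RESULTS:
        raise TooManyAddresses(term)
    return hits


def harvest(seeds=("r", "s", "t", "l", "n", "e")):
    """Breadth-first snowball: probe the seed letters, recycle every word of
    each hit as a new probe, and narrow any rejected probe by one letter.
    Returns (set of entries found, number of queries issued)."""
    found, tried, queries = set(), set(), 0
    queue = deque(s.lower() for s in seeds)
    while queue:
        term = queue.popleft()
        if term in tried:
            continue
        tried.add(term)
        queries += 1
        try:
            hits = find_names(term)
        except TooManyAddresses:
            # 'r' was too broad, so try 'ra', 'rb', ... 'rz' instead
            queue.extend(term + c for c in "abcdefghijklmnopqrstuvwxyz")
            continue
        for entry in hits:
            if entry not in found:
                found.add(entry)
                # Recycle words from the hit: "Voyager", "Campus", "Freshmen", ...
                queue.extend(w.lower() for w in re.findall(r"[A-Za-z]{3,}", entry))
    return found, queries


if __name__ == "__main__":
    names, count = harvest()
    print(f"{len(names)} of {len(DIRECTORY)} entries recovered with {count} queries")
    for name in sorted(names):
        print("  " + name)
```

The query count is the number a server-side rate limit would see; against a real directory the same loop should be throttled, and the refinement alphabet widened to digits and punctuation if usernames rather than display names are being probed.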
Searching for Passwords
Password data, one of the "Holy Grails" during a penetration test, should be protected. Unfortunately, many examples of Google queries can be used to locate passwords on the Web, as shown in Table 9.2.
Table 9.2 Queries That Locate Password Information

Query | Description
inurl:/db/main.mdb | ASP-Nuke passwords
filetype:cfm "cfapplication name" password | ColdFusion source with potential passwords
filetype:pass pass intext:userid | dbman credentials
allinurl:auth_user_file.txt | DCForum user passwords
eggdrop filetype:user user | Eggdrop IRC user credentials
filetype:ini inurl:flashFXP.ini | FlashFXP FTP credentials
filetype:url +inurl:"ftp://" +inurl:"@" | FTP bookmarks cleartext passwords
inurl:zebra.conf intext:password -sample -test -tutorial -download | GNU Zebra passwords
filetype:htpasswd htpasswd | HTTP htpasswd Web user credentials
intitle:"Index of" ".htpasswd" "htgroup" -intitle:"dist" -apache -htpasswd.c | HTTP htpasswd Web user credentials
intitle:"Index of" ".htpasswd" htpasswd.bak | HTTP htpasswd Web user credentials
"http://*:*@www" bob:bob | HTTP passwords (bob is a sample username)
"sets mode: +k" | IRC channel keys (passwords)
"Your password is * Remember this for later use" | IRC NickServ registration passwords
signin filetype:url | JavaScript authentication credentials
LeapFTP intitle:"index.of./" sites.ini modified | LeapFTP client login credentials
inurl:lilo.conf filetype:conf password -tatercounter2000 -bootpwd -man | LILO passwords
filetype:config config intext:appSettings "User ID" | Microsoft .NET application configuration files with database user IDs
filetype:pwd service | Microsoft FrontPage service.pwd Web passwords
intitle:index.of administrators.pwd | Microsoft FrontPage administrators.pwd Web passwords
"# -FrontPage-" inurl:service.pwd | Microsoft FrontPage Web passwords
ext:pwd inurl:_vti_pvt inurl:(Service | authors | administrators) | Microsoft FrontPage Web passwords
(query not shown) | mIRC NickServ credentials
(query not shown) | MySQL database credentials
(query not shown) | Oekakibss user passwords
(query not shown) | Opera "Magic Wand" Web credentials
(query not shown) | OSPF daemon passwords
(query not shown) | Passlist user credentials
(query not shown) | passlist.txt file user credentials
(query not shown) | password.dat files
(query not shown) | password.log file reveals usernames, passwords, and hostnames
filetype:log inurl:"password.log" | password.log files cleartext passwords
inurl:people.lst filetype:lst | People.lst generic password file
intitle:index.of config.php | PHP configuration file database credentials
inurl:config.php dbuname dbpass | PHP configuration file database credentials
inurl:nuke filetype:sql | PHP-Nuke credentials
filetype:conf inurl:psybnc.conf "USER.PASS=" | psyBNC IRC user credentials
filetype:ini ServUDaemon | Serv-U FTP daemon credentials
filetype:conf slapd.conf | slapd configuration files root password
inurl:"slapd.conf" intext:"credentials" -manpage -"Manual Page" -man: -sample | slapd LDAP credentials
inurl:"slapd.conf" intext:"rootpw" -manpage -"Manual Page" -man: -sample | slapd LDAP root password
filetype:sql "IDENTIFIED BY" -cvs | SQL passwords
filetype:sql password | SQL passwords
filetype:ini wcx_ftp | Total Commander FTP passwords
filetype:netrc password | UNIX .netrc user credentials
index.of.etc | UNIX /etc directories contain various credential files
intitle:"Index of..etc" passwd | UNIX /etc/passwd user credentials
intitle:index.of passwd passwd.bak | UNIX /etc/passwd user credentials
intitle:"Index of" pwd.db | UNIX /etc/pwd.db credentials
intitle:Index.of etc shadow | UNIX /etc/shadow user credentials
intitle:index.of master.passwd | UNIX master.passwd user credentials
intitle:"Index of" spwd.db passwd -pam.conf | UNIX spwd.db credentials
filetype:bak inurl:"htaccess|passwd|shadow|htusers" | UNIX various password file backups
filetype:inc dbconn | Various database credentials
filetype:inc intext:mysql_connect | Various database credentials, server names
filetype:properties inurl:db intext:password | Various database credentials, server names
inurl:vtund.conf intext:pass -cvs | Virtual Tunnel Daemon passwords
inurl:"wvdial.conf" intext:"password" | wvdial dialup user credentials
filetype:mdb wwforum | Web Wiz Forums Web credentials
"AutoCreate=TRUE password=*" | Website Access Analyzer user passwords
filetype:pwl pwl | Windows Password List user credentials
filetype:reg reg +intext:"defaultusername" intext:"defaultpassword" | Windows Registry keys containing user credentials
filetype:reg reg +intext:"internet account manager" | Windows Registry keys containing user credentials
"index of/" "ws_ftp.ini" "parent directory" | WS_FTP FTP credentials
filetype:ini ws_ftp pwd | WS_FTP FTP user credentials
inurl:/wwwboard | wwwboard user credentials

(Rows marked "query not shown" are entries whose query column did not survive in this copy of the table.)
Most passwords discovered on the Web are hashed or encoded in some way rather than stored in the clear. In most cases they can still be fed into a password cracker such as John the Ripper from www.openwall.com/john to recover plaintext passwords that can be used in an attack: the cracker guesses candidates and hashes each one, so weak passwords fall quickly even though the file itself cannot be "decrypted". Figure 9.6 shows the results of the search ext:pwd inurl:_vti_pvt inurl:(Service | authors | administrators), which combines a search for some common Microsoft FrontPage support files.
Figure 9.6 Encrypted or Encoded Passwords
[Figure 9.6 shows the Google results for this query. Each hit is a _vti_pvt/service.pwd file, cached by Google, whose content begins with the line # -FrontPage- followed by username:hash pairs such as admin:<hash>, fpadmin:<hash> and ftpdch:<hash>.]
Exported Windows registry files often contain encrypted or encoded passwords as well. If a user exports the Windows registry to a file and Google subsequently crawls that file, a query like filetype:reg intext:"internet account manager" could reveal interesting keys containing password data, as shown in Figure 9.7.
Figure 9.7 Specific Windows Registry Entries Can Reveal Passwords
[Figure 9.7 shows a cached result for the query filetype:reg reg +intext:"internet account manager". The visible export reads as follows; the server names are truncated in the figure.]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000008]
"Account Name"="LiSP Email"
"Connection Type"=dword:00000001
"POP3 Server"="mail.[truncated]"
"POP3 User Name"=""
"SMTP Server"="mail.[truncated]"
"SMTP Display Name"=""
"SMTP Email Address"=""
"POP3 Skip Account"=dword:00000000
"SMTP Use Sicily"=dword:00000000
"Connection Flags"=dword:00000000
"POP3 Password:"=hex:01,02,4c,00,69,00,53,00,50,00,20,00,45,00,6d,00,61,00,69,\
  00,6c,00,41,00,46,00,32,00,34,00,46,00,44,00,45,00,30,00,00,00
"POP3 Port"=dword:0000006e
"POP3 Secure Connection"=dword:00000000
"POP3 Timeout"=dword:0000005a
"Leave Mail On Server"=dword:00000000
"SMTP Port"=dword:00000019
"SMTP Secure Connection"=dword:00000000
"SMTP Timeout"=dword:0000005a
"SMTP Split Messages"=dword:00000000
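An exported .reg file is plain text, so the interesting values can be pulled out without opening regedit. The following added example (not code from the book) parses a constructed export modelled on Figure 9.7: it joins the backslash-continued hex lines, converts hex: values to bytes, and extracts printable UTF-16LE runs from any value whose name contains "Password". The account name, server names and hex payload in the sample are invented. One caveat: the hex in Figure 9.7 itself decodes to the account name followed by an eight-character hex suffix, not to an obvious password, so treat whatever such a value decodes to as a lead to chase rather than as a credential.

```python
"""Pull account details out of an exported Windows .reg file.

Added example, not from the book. REG_EXPORT is a constructed sample in the
layout of Figure 9.7; the account, servers and hex bytes are invented.
"""
import re

REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000008]
"Account Name"="Work Email"
"Connection Type"=dword:00000001
"POP3 Server"="mail.example.net"
"POP3 User Name"="jdoe"
"SMTP Server"="mail.example.net"
"SMTP Email Address"="jdoe@example.net"
"POP3 Password:"=hex:01,02,57,00,6f,00,72,00,6b,00,20,00,45,00,6d,00,61,00,69,\
  00,6c,00,41,00,46,00,32,00,34,00,00,00
"POP3 Port"=dword:0000006e
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def _join_continuations(text):
    """A .reg value that ends in a backslash continues on the next line."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        buf = ""
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        lines.append(line)
    if buf:
        lines.append(buf)
    return lines


def parse_reg(text):
    """Return {key_path: {value_name: value}}; hex: data becomes bytes,
    dword: becomes int, quoted strings lose their quotes."""
    keys, current = {}, None
    for line in _join_continuations(text):
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            current[name] = raw[1:-1]
        elif raw.startswith("dword:"):
            current[name] = int(raw[6:], 16)
        elif raw.startswith("hex:"):
            current[name] = bytes.fromhex(raw[4:].replace(",", ""))
        else:
            current[name] = raw
    return keys


def utf16_strings(blob, minimum=4):
    """Like `strings -el`: runs of printable ASCII encoded as UTF-16LE."""
    runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % minimum, blob)
    return [r.decode("utf-16-le") for r in runs]


def account_leads(keys):
    """Account name, server and user name per mail account, plus the decoded
    text of any binary value whose name mentions a password."""
    leads = []
    for path, values in keys.items():
        if "Internet Account Manager" not in path:
            continue
        lead = {
            "account": values.get("Account Name"),
            "pop3_server": values.get("POP3 Server"),
            "pop3_user": values.get("POP3 User Name"),
        }
        for name, value in values.items():
            if "password" in name.lower() and isinstance(value, bytes):
                # May be a reference to where the secret is kept rather than
                # the secret itself: a lead, not a credential.
                lead[name] = utf16_strings(value)
        leads.append(lead)
    return leads


if __name__ == "__main__":
    for lead in account_leads(parse_reg(REG_EXPORT)):
        print(lead)
```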
Note that live, exported Windows registry files are not very common, but it's not uncommon for an attacker to target a site simply because of one exceptionally insecure file. It's also possible for a Google query to uncover cleartext passwords. These passwords can be used as is, without a password-cracking utility. In these extreme cases, the only challenge is determining the username and the host on which the password can be used. As shown in Figure 9.8, certain queries will locate all three at once: usernames, cleartext passwords, and the host that uses that authentication!
Figure 9.8 The Holy Grail: Usernames, Cleartext Passwords, and Hostnames!
[Figure 9.8 shows Google results for password.log files, each line of which has the form name: = "momo"; password: = "momo"; URL: = "password.htm"; that is, a username, a cleartext password, and the URL of the page the pair protects. Other visible lines include name: = "jbhunt"; password: = "jbhunt"; URL: = "http://home.nc.rr..." and name: = "dv21"; password: = "dv21 2004"; URL: = "intern.htm";.]
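The two file layouts shown in Figures 9.6 and 9.8 are simple enough to parse by hand. The following added example (not code from the book) does so on constructed sample lines: it splits the user:hash lines of a FrontPage service.pwd or Apache htpasswd file, guesses the hash format so the right cracker mode can be chosen, separates out entries that are already cleartext, and pulls name/password/URL triples out of a password.log. The hash strings, names and URLs in the samples are invented.

```python
"""Triage of credential files found by the queries in Table 9.2.

Added example, not from the book. Handles two layouts seen in the figures:
user:hash files (FrontPage service.pwd, Apache htpasswd) and the
'name: = "..."; password: = "..."; URL: = "...";' lines of password.log.
"""
import re

# Constructed sample; the secrets are made-up strings of the right shape.
USER_HASH_FILE = """\
# -FrontPage-
admin:Ab3X9kLm0pQrS
ekendall:$apr1$Xy9aB3Qz$0pQn8jKc7LmN2vWx1Yz3A/
louisa:{SHA}2jmj7l5rSw0yVb/vlWAYkK/YBwk=
ftpdch:letmein
"""

# Constructed sample in the password.log layout of Figure 9.8.
PASSWORD_LOG = """\
name: = "jdoe"; password: = "jdoe"; URL: = "password.htm";
name: = "dv21"; password: = "dv21 2004"; URL: = "http://intranet.example/intern.htm";
END_FILE
"""

DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify(secret):
    """Guess the hash format so the right cracker mode can be chosen."""
    if secret.startswith("{SHA}"):
        return "sha1-base64"          # htpasswd -s
    if secret.startswith("$apr1$"):
        return "apache-md5"           # htpasswd -m
    if secret.startswith("$1$"):
        return "md5-crypt"
    if secret[:4] in ("$2a$", "$2b$", "$2y$"):
        return "bcrypt"
    if DES_CRYPT.match(secret):
        # 13 characters from the crypt(3) alphabet: traditional DES crypt,
        # the form seen in older htpasswd and FrontPage service.pwd files.
        # A 13-character cleartext password would land here too.
        return "des-crypt"
    return "cleartext?"


def parse_user_hash(text):
    """user:secret lines; comment lines such as '# -FrontPage-' are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, secret = line.partition(":")
        if sep and user and secret:
            entries.append((user, secret, classify(secret)))
    return entries


TRIPLE = re.compile(
    r'name:\s*=\s*"([^"]*)";\s*password:\s*=\s*"([^"]*)";\s*URL:\s*=\s*"([^"]*)"'
)


def parse_password_log(text):
    """(name, password, url) triples from a password.log style file."""
    return TRIPLE.findall(text)


def john_input(entries):
    """user:hash lines in the form John the Ripper reads; cleartext skipped."""
    return [f"{user}:{secret}" for user, secret, kind in entries if kind != "cleartext?"]


def cleartext(entries):
    """Entries that need no cracking at all."""
    return [(user, secret) for user, secret, kind in entries if kind == "cleartext?"]


if __name__ == "__main__":
    found = parse_user_hash(USER_HASH_FILE)
    for user, secret, kind in found:
        print(f"{kind:12} {user}")
    print("for john:", john_input(found))
    print("cleartext:", cleartext(found))
    for name, pw, url in parse_password_log(PASSWORD_LOG):
        print(f"{name} / {pw} @ {url}")
```

The classifier only looks at the shape of the secret, so its output is a hint for choosing a cracking mode, not proof of the algorithm; John's own format detection does the same guess on the `user:hash` lines.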
There is no magic query for locating passwords, but during an assessment, remember that the simplest queries directed at a site can have amazing results, as we discussed in Chapter 7, Ten Simple Searches. For example, a query like "Your password" forgot would locate pages that provide a forgotten-password recovery mechanism. The information from this type of query can be used to formulate any of a number of attacks against a password. As always, effective social engineering is a terrific nontechnical solution to "forgotten" passwords.
Another generic search for password information, intext:(password | passcode | pass) intext:(username | userid | user), combines common words for passwords and user IDs into one query. This query returns a lot of results, but the vast majority of the top hits refer to pages that list forgotten password information, including either links or contact information. Using Google's translate feature, found at http://translate.google.com/translate_t, we could also create multilingual password searches. Table 9.3 lists common translations for the word password.
Table 9.3 English Translations of the Word Password

Language | Word | Translation
German | password | Kennwort
Spanish | password | contraseña
French | password | mot de passe
Italian | password | parola d'accesso
Portuguese | password | senha
Dutch | password | paswoord
Note
The terms username and userid in most languages translate to username and userid, respectively.
Searching for Credit Card Numbers, Social Security Numbers, and More
Most people have heard news stories about Web hackers making off with customer credit card information. With so many fly-by-night retailers popping up on the Internet, it's no wonder that credit card fraud is so prolific. These mom-and-pop retailers are not the only ones successfully compromised by hackers. Corporate giants by the hundreds have had financial database compromises over the years, victims of sometimes very technical, highly focused attackers. What might surprise you is that it doesn't take a rocket scientist to uncover live credit card numbers on the Internet, thanks to search engines like Google. Everything from credit information to banking data or supersensitive classified government documents can be found on the Web. Consider the (highly edited) Web page shown in Figure 9.9.
Figure 9.9 Google Stores Piles and Piles of Previously Pilfered Personal Data
This document, found using Google, lists hundreds and hundreds of credit card numbers (including expiration date and card validation numbers) as well as the owners' names, addresses, and phone numbers.This particular document also included phone card (calling card) numbers. Notice the scroll bar on the right-hand side of Figure 9.9, an indicator that the displayed page is only a small part of this huge document—like many other documents of its kind. In most cases, pages that contain these numbers are not "leaked" from online retailers or e-commerce sites but rather are most likely the fruits of a scam known as phishing, in which users are solicited via telephone or e-mail for personal information. Several Web sites, including MillerSmiles.co.uk, document these scams and hoaxes. Figure 9.10 shows a screen shot of a popular eBay phishing scam that encourages users to update their eBay profile information.
Once a user fills out this form, all the information is sent via e-mail to the attacker, who can use it for just about anything.
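A defender can turn the same observation around and check content before it is published. The following added example (not code from the book) scans constructed text for card-number-shaped digit runs that also pass the Luhn checksum, which removes most phone numbers and order IDs, and for Social Security number-shaped strings. The sample text uses the widely published Visa and Mastercard test numbers, not real cards, and an invented SSN-shaped student ID.

```python
"""Scan text you are about to publish for card numbers and SSN-shaped strings.

Added example, not from the book: a defender's pre-publication check. The
sample text is constructed and uses widely published test card numbers
(4111 1111 1111 1111 and 5500 0000 0000 0004), not real cards.
"""
import re

# 13 to 19 digits, optionally separated by spaces or dashes.
CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# NNN-NN-NNNN, excluding area 000, 666 and 900-999, group 00 and serial
# 0000, which are never issued.
SSN_SHAPE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum, the check-digit scheme shared by the major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Digit runs of card length that also pass Luhn, separators removed."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssn_shaped(text):
    return SSN_SHAPE.findall(text)


# Constructed sample of the kind of document Figure 9.9 describes.
SAMPLE = """Name: A. Customer   Phone: 555-0100
Card: 4111 1111 1111 1111   Exp: 01/05   CVV: 123
Card: 4111-1111-1111-1112   Exp: 02/05
Calling card: 5500 0000 0000 0004   PIN: 9876
Student ID: 123-45-6789   Grade: A
Order ref: 000-00-0000
"""

if __name__ == "__main__":
    print("card numbers:", find_card_numbers(SAMPLE))
    print("SSN-shaped:", find_ssn_shaped(SAMPLE))
```

The second card line fails Luhn (its last digit is off by one) and is dropped, and the "Order ref" line has the right shape but an area number that is never issued; both are the false positives a bare regex would report.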
Catching Online Scammers
In some cases, you might be able to use Google to help nab the bad guys. Phishing scams are effective because the fake page looks like an official page. To create an official-looking page, the bad guys must have examples to work from, meaning that they must have visited a few legitimate companies' Web sites. If the phishing scam was created using text from several companies' existing pages, you can key in on specific phrases from the fake page, creating Google queries designed to round up the servers that hosted some of the original content. Once you've located the servers that contained the pilfered text, you can work with the companies involved to extract correlating connection data from their log files. If the scammer visited each company's Web page, collecting bits of realistic text, the same IP address should appear in each of the log files. Auditors at SensePost (www.sensepost.com) have successfully used this technique to nab online scam artists.
Unfortunately, if the scammer uses an exact copy of a page from only one company, this task becomes much more difficult to accomplish.
Social Security Numbers
Social Security numbers (SSNs) and other sensitive data can be easily located with Google as well as via the same techniques used to locate credit card numbers. For a variety of reasons, SSNs might appear online. For example, educational facilities are notorious for using an SSN as a student ID, then posting grades to a public Web site with the "student ID" displayed next to the grade. A creative attacker can do quite a bit with just an SSN, but in many cases it helps to also have a name associated with that SSN. Again, educational facilities have been found exposing this information via Excel spreadsheets listing students' names, grades, and SSNs, despite the fact that the student ID number is often used to help protect the privacy of the student! Although we don't feel it's right to go into the details of how this data is located, several media outlets have irresponsibly posted the details online. Although the blame lies with the sites that are leaking this information, in our opinion it's still not right to draw attention to how exactly the information can be located.
Personal Financial Data
In some cases, phishing scams are responsible for publicizing personal information; in other cases, hackers attacking online retailers are to blame for this breach of privacy. Sadly, there are many instances where an individual is personally responsible for his own lack of privac and such is the case with personal financial information. With the explosion of personal computers in today's society, users have literally hundreds of personal finance programs to choose from. Many of these programs create data files with specific file extensions that can be searched with Google. It's hard to imagine why anyone would post personal financial information to a public Web site (which subsequently gets crawled by Google), but it must happen quite a bit, judging by the number of hits for program files generated by Quicken and Microsoft Money, for example. Although it would be somewhat irresponsible to provide queries here that would unearth personal financial data, it's important to understand the types of data that could potentially be uncovered by an attacker. To that end, Table 9.4 shows file extensions for various financial, accounting, and tax return programs. Ensure that files of these types aren't served from a Web server you're charged with protecting.
Table 9.4 File Extensions for Various Financial Programs

File Extension | Description
afm | Abassis Finance Manager
ab4 | Accounting and Business File
mmw | AceMoney File
lqd | AmeriCalc Mutual Fund Tax Report
et2 | Electronic Tax Return Security File (Australia)
tax | Intuit TurboTax Tax Return
t98-t04 | Kiplinger Tax Cut File (extension based on two-digit return year)
mny | Microsoft Money 2004 Money Data Files
mbf | Microsoft Money Backup Files
inv | MSN Money Investor File
ptdb | Peachtree Accounting Database
qbb | QuickBooks Backup Files reveal financial data
qdf | Quicken personal finance data
soa | Sage MAS 90 accounting software
sdb | Simply Accounting
stx | Simply Tax Form
tmd | Time and Expense Tracking
tls | Timeless Time & Expense
fec | U.S. Federal Campaign Expense Submission
wow | Wings Accounting File
Searching for Other Juicy Info
As we've seen, Google can be used to locate all sorts of sensitive information. In this section we take a look at some of the data that Google can find that's harder to categorize. From address books to chat log files and network vulnerability reports, there's no shortage of sensitive data online.Table 9.5 shows some queries that can be used to uncover various types of sensitive data.
Table 9.5 Queries That Locate Various Sensitive Information

Query | Description
intext:"Session Start" filetype:log | AIM and IRC log files
filetype:blt blt +intext:screenname | AIM buddy lists
buddylist.blt | AIM buddy lists
intitle:index.of cgiirc.config | CGIIRC (Web-based IRC client) config file, shows IRC servers and user credentials
inurl:cgiirc.config | CGIIRC (Web-based IRC client) config file, shows IRC servers and user credentials
"Index of" / "chat/logs" | Chat logs
intitle:"Index Of" cookies.txt "size" | cookies.txt file reveals user information
"phone * * *" "address *" "e-mail" intitle:"curriculum vitae" | Curriculum vitae (resumes) reveal names and address information
ext:ini intext:env.ini | Generic environment data
intitle:index.of inbox | Generic mailbox files
"Running in Child mode" | Gnutella client data and statistics
":8080" ":3128" ":80" filetype:txt | HTTP proxy lists
intitle:"Index of" dbconvert.exe chats | ICQ chat logs
"sets mode: +p" | IRC private channel information
"sets mode: +s" | IRC secret channel information
"Host Vulnerability Summary Report" | ISS vulnerability scanner reports, reveal potential vulnerabilities on hosts and networks
"Network Vulnerability Assessment Report" | ISS vulnerability scanner reports, reveal potential vulnerabilities on hosts and networks
filetype:pot inurl:john.pot | John the Ripper password cracker results
intitle:"Index Of" -inurl:maillog maillog size | Maillog files reveal e-mail traffic information
ext:mdb inurl:*.mdb inurl:fpdb shop.mdb | Microsoft FrontPage database folders
filetype:xls inurl:contact | Microsoft Excel sheets containing contact information
intitle:index.of haccess.ctl | Microsoft FrontPage equivalent (?) of .htaccess; shows Web authentication info
ext:log "Software: Microsoft Internet Information Services *.*" | Microsoft Internet Information Services (IIS) log files
filetype:pst inurl:"outlook.pst" | Microsoft Outlook e-mail and calendar backup files
intitle:index.of mt-db-pass.cgi | Movable Type default file
filetype:ctt ctt messenger | MSN Messenger contact lists
"This file was generated by Nessus" | Nessus vulnerability scanner reports, reveal potential vulnerabilities on hosts and networks
inurl:"newsletter/admin/" | Newsletter administration information
inurl:"newsletter/admin/" intitle:"newsletter admin" | Newsletter administration information
filetype:eml eml intext:"Subject" +From | Outlook Express e-mail files
intitle:index.of inbox dbx | Outlook Express mailbox files
filetype:mbx mbx intext:Subject | Outlook v1-v4 or Eudora mailbox files
inurl:/public/?Cmd=contents | Outlook Web Access public folders or appointments
filetype:pdb pdb backup (Pilot | Pluckerdb) | Palm Pilot HotSync database files
"This is a Shareaza Node" | Shareaza client data and statistics
inurl:/_layouts/settings | SharePoint configuration information
inurl:ssl.conf filetype:conf | SSL configuration files, reveal various configuration information
site:edu admin grades | Student grades
intitle:index.of mystuff.xml | Trillian user Web links
inurl:forward filetype:forward -cvs | UNIX mail forward files reveal e-mail addresses
intitle:index.of dead.letter | UNIX unfinished e-mails
Some of this information is fairly benign. For example, MSN Messenger contact list files can be found with a query like filetype:ctt messenger, and AOL Instant Messenger (AIM) buddy lists can be located with a query such as filetype:blt blt +intext:screenname, as shown in Figure 9.11.
This screen shows a list of "buddies," or acquaintances an individual has entered into his or her AIM client. An attacker often uses personal information like this in a social-engineering attack, attempting to convince the target that they are a friend or an acquaintance. This practice is akin to pilfering a Rolodex or address book from a target. For a seasoned attacker, information like this can lead to a successful compromise. However, in some cases, data found with a Google query reveals sensitive security-related information that even the most novice attacker could use to compromise a system.
For example, consider the output of the Nessus security scanner available from www.nessus.org. This excellent open-source tool conducts a series of security tests against a target, reporting on any potential vulnerability. The report generated by Nessus can then be used as a guide to help system administrators lock down any affected systems. An attacker could also use a report like this to locate vulnerabilities on a potential target. Using a Google query such as "This file was generated by Nessus", an attacker could locate reports generated by the Nessus tool, as shown in Figure 9.12. This report lists the IP address of each tested machine as well as the ports opened and any vulnerabilities that were detected.
In most cases, reports found in this manner are samples, or test reports, but in a few cases, the reports are live and the tested systems are, in fact, exploitable as listed. One can only hope that the reported systems are honeypots—machines created for the sole purpose of luring and tracing the activities of hackers. In the next chapter, we'll talk more about "document-grinding" techniques, which are also useful for digging up this type of information.This chapter focused on locating the information based on the name of the file, whereas the next chapter focuses on the actual content of a document rather than the name.
Summary
Make no mistake—there's sensitive data on the Web, and Google can find it. There's hardly any limit to the scope of information that can be located, if only you can figure out the right query. From usernames to passwords, credit card and Social Security numbers, and personal financial information, it's all out there. As a purveyor of the "dark arts," you can relish in the stupidity of others, but as a professional tasked with securing a customer's site from this dangerous form of information leakage, you could be overwhelmed by the sheer scale of your defensive duties.
As droll as it might sound, a solid, enforced security policy is a great way to keep sensitive data from leaking to the Web. If users understand the risks associated with information leakage and understand the penalties that come with violating policy, they will be more willing to cooperate in what should be a security partnership.
In the meantime, it certainly doesn't hurt to understand the tactics an adversary might employ in attacking a Web server. One thing that should become clear as you read this book is that any attacker has an overwhelming number of files to go after. One way to prevent dangerous Web information leakage is by denying requests for unknown file types. Whether your Web server normally serves up CFM, ASP, PHP, or HTML, it's infinitely easier to manage what should be served by the Web server instead of focusing on what should not be served. Adjust your servers or your border protection devices to allow only specific content or file types.
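The allowlist approach described above is easiest to enforce if you first know what is actually sitting in the document root. The following script is an added example (not code from the book) that walks a webroot, flags every file whose extension is outside the served set the chapter names (HTML, PHP, ASP, CFM), and additionally flags allowed-extension files that carry the Nessus report marker quoted in this chapter; the sample tree it builds is constructed data, and the marker and extension lists are assumptions you would tailor to your own server.

```python
import tempfile
from pathlib import Path

# Assumed allowlist: the content types the chapter says a server normally serves.
ALLOWED_EXTENSIONS = {".html", ".htm", ".php", ".asp", ".cfm"}

# Content marker quoted in the chapter; a leaked Nessus report announces itself with it.
SENSITIVE_MARKERS = ("This file was generated by Nessus",)


def audit_webroot(root, allowed=ALLOWED_EXTENSIONS, markers=SENSITIVE_MARKERS):
    """Return (relative_path, reason) pairs for files a crawler should never see."""
    findings = []
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() not in allowed:
            # Buddy lists (.blt), contact lists (.ctt), backups, etc. all land here.
            findings.append((rel, "extension not in allowlist"))
            continue
        # Allowed extension, but the body may still be a leaked report.
        head = path.read_text(errors="ignore")[:4096]
        for marker in markers:
            if marker in head:
                findings.append((rel, f"contains marker {marker!r}"))
    return findings


def build_sample_webroot():
    """Constructed sample tree mirroring the chapter's examples (not real data)."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    files = {
        "index.html": "<html><body>Welcome</body></html>",
        "app/login.php": "<?php echo 'login'; ?>",
        "users/buddies.blt": "Config {}\nUser {\n  screenname example\n}\n",
        "im/contacts.ctt": "<messenger><contacts/></messenger>",
        "reports/scan.html": "<!-- This file was generated by Nessus -->\n<h1>Scan</h1>",
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root


if __name__ == "__main__":
    for rel, reason in audit_webroot(build_sample_webroot()):
        print(f"{rel}: {reason}")
```

Anything the script reports is either a candidate for removal from the webroot or a file type that your server or border device should refuse to serve.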
Solutions Fast Track
Searching for Usernames
■ Usernames can be found in a variety of locations.
■ In some cases, digging through documents or e-mail directories might be required.
Searching for Passwords
■ Passwords can also be found in a variety of locations.
■ A query such as "Your password" forgot can locate pages that provide a forgotten-password recovery mechanism.
■ intext:(password | passcode | pass) intext:(username | userid | user) is another generic search for locating password information.
Searching for Credit Card Numbers, Social Security Numbers, and More
■ Documents containing credit card and Social Security number information do exist and are relatively prolific.
■ Some irresponsible news outlets have revealed functional queries that locate this information.
■ There are relatively few examples of personal financial data online, but there is a great deal of variety.
■ In most cases, specific file extensions can be searched for.
Searching for Other Juicy Info
■ From address books and chat log files to network vulnerability reports, there's no shortage of sensitive data online.
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form. You will also gain access to thousands of other FAQs at ITFAQnet.com.
Q: I'm concerned about phishing schemes. Are there resources to help me understand the risks and learn some safeguards?
A: There's an excellent Web site dedicated to the topic of phishing at www.antiphishing.org. You can also read a great white paper by Next Generation Security Software Ltd., The Phishing Guide: Understanding and Preventing Phishing Attacks, available from www.ngssoftware.com/papers/NISR-WP-Phishing.pdf.
Q: Why don't you give more details about locating information such as credit card numbers and Social Security numbers?
A: To be honest, neither the authors nor the publisher is willing to take personal responsibility for encouraging potential illegal activity. Most individuals interested in this kind of information will use it for illegal purposes. If you are interested in scanning for your own personal information online, simply enter your information into Google. If you get some hits, you should be worried.
Q: Many passwords grant access to meaningless services. Why should I be worried about the password for a useless service leaking out to the Web?
A: Studies have shown that the majority of people often opt for the easiest path to completing a task. In the world of security, this means that many people share passwords (or password cues) across many different applications on many different servers. This means that one compromised password can provide clues about passwords used on other systems. Most policies forbid this type of password sharing, but this restriction is often hard to enforce.
Q: What can bad guys do with the password to our database? And if the information is not sensitive, why go the extra mile to protect it?
A: Users generally have a small set of passwords they can remember. This means that once a bad guy has a valid password, chances are good that it will "Open Sesame" to more sensitive data.