Pulp Google Hacking The Next Generation Search Engine Hacking - - PowerPoint PPT Presentation


Pulp Google Hacking: The Next Generation Search Engine Hacking Arsenal. 3 August 2011, Black Hat 2011, Las Vegas, NV. Presented by: Francis Brown, Rob Ragan. Stach & Liu, LLC, www.stachliu.com


slide-1
SLIDE 1

Pulp Google Hacking

The Next Generation Search Engine Hacking Arsenal

3 August 2011 – Black Hat 2011 – Las Vegas, NV

Presented by: Francis Brown, Rob Ragan
Stach & Liu, LLC
www.stachliu.com

slide-2
SLIDE 2

Agenda

2

  • Introduction/Background
  • Advanced Attacks
  • Google/Bing Hacking - Core Tools
  • NEW Diggity Attack Tools
  • Advanced Defenses
  • Google/Bing Hacking Alert RSS Feeds
  • NEW Diggity Alert Feeds and Updates
  • NEW Diggity Alert RSS Feed Client Tools
  • Future Directions

O V E R V I E W

slide-3
SLIDE 3

Introduction/ Background

3

G E T T I N G U P T O S P E E D

slide-4
SLIDE 4

Open Source Intelligence

4

S E A R C H I N G P U B L I C S O U R C E S

OSINT – is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence.

slide-5
SLIDE 5

Google/Bing Hacking

5

S E A R C H E N G I N E A T T A C K S

slide-6
SLIDE 6

Google/Bing Hacking

6

S E A R C H E N G I N E A T T A C K S

Bing's source leaked!

class Bing { public static string Search(string query) { return Google.Search(query); } }

slide-7
SLIDE 7

Attack Targets

7

  • Advisories and Vulnerabilities (215)
  • Error Messages (58)
  • Files containing juicy info (230)
  • Files containing passwords (135)
  • Files containing usernames (15)
  • Footholds (21)
  • Pages containing login portals (232)

G O O G L E H A C K I N G D A T A B A S E

  • Pages containing network or vulnerability data (59)

  • Sensitive Directories (61)
  • Sensitive Online Shopping Info (9)
  • Various Online Devices (201)
  • Vulnerable Files (57)
  • Vulnerable Servers (48)
  • Web Server Detection (72)
slide-8
SLIDE 8

Google Hacking = Lulz

8

LulzSec and Anonymous believed to use Google Hacking as a primary means of identifying vulnerable targets.

Their releases have nothing to do with their goals or their lulz. It's purely based on whatever they find with their "google hacking" queries and then release it.

- A-Team, 28 June 2011

R E A L W O R L D T H R E A T

slide-9
SLIDE 9

Google Hacking = Lulz

9

R E A L W O R L D T H R E A T

22:14 <@kayla> Sooooo...using the link above and the google hack string. !Host=*.* intext:enc_UserPassword=* ext:pcf Take your pick of VPNs you want access too. Ugghh.. Aaron Barr CEO HBGary Federal Inc.
22:15 <@kayla> download the pcf file
22:16 <@kayla> then use http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode?enc= to clear text it
22:16 <@kayla> = free VPN

slide-10
SLIDE 10

Quick History

10

G O O G L E H A C K I N G R E C A P

Dates           Event
2004            Google Hacking Database (GHDB) begins
May 2004        Foundstone SiteDigger v1 released
Jan 2005        Foundstone SiteDigger v2 released
Feb 13, 2005    Google Hack Honeypot first release
Feb 20, 2005    Google Hacking v1 released by Johnny Long
Jan 10, 2006    MSNPawn v1.0 released by NetSquare
Dec 5, 2006     Google stops issuing Google SOAP API keys
Mar 2007        Bing disables inurl: link: and linkdomain:
Nov 2, 2007     Google Hacking v2 released

slide-11
SLIDE 11

Quick History…cont.

11

G O O G L E H A C K I N G R E C A P

Dates           Event
Mar 2008        cDc Goolag - gui tool released
Sept 7, 2009    Google shuts down SOAP Search API
Nov 2009        Binging tool released by Blueinfy
Dec 1, 2009     FoundStone SiteDigger v 3.0 released
2010            Googlag.org disappears
April 21, 2010  Google Hacking Diggity Project initial releases
Nov 1, 2010     Google AJAX API slated for retirement
Nov 9, 2010     GHDB Reborn Announced – Exploit-db.com
July 2011       Bing ceases ‘&format=rss’ support

slide-12
SLIDE 12

Advanced Attacks

12

W H A T Y O U S H O U L D K N O W

slide-13
SLIDE 13

Diggity Core Tools

13

Google Diggity

  • Uses Google JSON/ATOM API

  • Not blocked by Google bot detection
  • Does not violate Terms of Service
  • Required to use

Bing Diggity

  • Uses Bing 2.0 SOAP API
  • Company/Webapp Profiling
  • Enumerate: URLs, IP-to-virtual hosts, etc.
  • Bing Hacking Database (BHDB)
  • Vulnerability search queries in Bing format

S T A C H & L I U T O O L S

slide-14
SLIDE 14

New Features

14

Google Diggity - New API

  • Updated to use Google JSON/ATOM API
  • Due to deprecated Google AJAX API
  • Misc. Feature Upgrades
  • Auto-update for dictionaries
  • Output export formats
  • Now also XLS and HTML
  • Help File – chm file added

D I G G I T Y C O R E T O O L S

slide-15
SLIDE 15

New Features

15

Download Buttons for Google/Bing Diggity

  • Download actual files from Google/Bing search results
  • Downloads to default: C:\DiggityDownloads\
  • Used by other tools for file download/analysis:
  • FlashDiggity, DLP Diggity, MalwareDiggity,…

D O W N L O A D B U T T O N

slide-16
SLIDE 16

New Features

16

SLDB Updates in Progress

  • Example: SharePoint Google Dictionary
  • http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/#SharePoint – GoogleDiggity Dictionary File

A U T O - U P D A T E S

slide-17
SLIDE 17

Google Diggity

17

D I G G I T Y C O R E T O O L S

slide-18
SLIDE 18

Bing Diggity

18

D I G G I T Y C O R E T O O L S

slide-19
SLIDE 19

Bing Hacking Database

19

BHDB – Bing Hacking Data Base

  • First ever Bing hacking database
  • Bing hacking limitations
  • Disabled inurl:, link: and linkdomain: directives in March 2007
  • No support for ext:, allintitle:, allinurl:
  • Limited filetype: functionality

  • Only 12 extensions supported

Example - Bing vulnerability search:

  • GHDB query
  • "allintitle:Netscape FastTrack Server Home Page"
  • BHDB version
  • intitle:"Netscape FastTrack Server Home Page"

S T A C H & L I U T O O L S

slide-20
SLIDE 20

Hacking CSE’s

20

A L L T O P L E V E L D O M A I N S

slide-21
SLIDE 21

N E W G O O G L E H A C K I N G T O O L S

21

Code Search Diggity

slide-22
SLIDE 22

Google Code Search

22

V U L N S I N O P E N S O U R C E C O D E

  • Regex search for vulnerabilities in indexed public code, including popular open source code repositories:

  • Example: SQL Injection in ASP querystring
  • select.*from.*request\.QUERYSTRING
slide-23
SLIDE 23

CodeSearch Diggity

23

A M A Z O N C L O U D S E C R E T K E Y S

slide-24
SLIDE 24

N E W G O O G L E H A C K I N G T O O L S

24

Bing LinkFromDomainDiggity

slide-25
SLIDE 25

Bing LinkFromDomain

25

D I G G I T Y T O O L K I T

slide-26
SLIDE 26

Bing LinkFromDomain

26

F O O T P R I N T I N G L A R G E O R G A N I Z A T I O N S

slide-27
SLIDE 27

N E W G O O G L E H A C K I N G T O O L S

27

Malware Diggity

slide-28
SLIDE 28

MalwareDiggity

28

D I G G I T Y T O O L K I T

  • 1. Leverages Bing’s linkfromdomain: search directive to find off-site links of target applications/domains
  • 2. Runs off-site links against Google’s Safe Browsing API to determine if any are malware distribution sites
  • 3. Return results that identify malware sites that your web applications are directly linking to
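
The three steps above, applied to pages you host yourself, as an added example (not code from the Diggity tools): it parses page HTML for off-site links instead of querying Bing's linkfromdomain:, and checks hosts against a small constructed blocklist that stands in for a Safe Browsing lookup. All function names, the sample HTML and the blocklist entry are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that can reference off-site content.
LINK_ATTRS = {"a": "href", "link": "href", "script": "src", "iframe": "src", "img": "src"}


class LinkCollector(HTMLParser):
    """Collects every URL a page references, resolved against its base URL."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = LINK_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(urljoin(self.base_url, value.strip()))


def in_domain(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def offsite_hosts(html, base_url, own_domain):
    """Step 1: hosts the page references that are outside own_domain."""
    collector = LinkCollector(base_url)
    collector.feed(html)
    hosts = {(urlsplit(u).hostname or "").lower() for u in collector.urls}
    return {h for h in hosts if h and not in_domain(h, own_domain)}


def flag_bad_links(html, base_url, own_domain, blocklist):
    """Steps 2-3: off-site hosts that fall under a blocklisted domain."""
    hosts = offsite_hosts(html, base_url, own_domain)
    return sorted(h for h in hosts if any(in_domain(h, bad) for bad in blocklist))


# Constructed sample page; the last tag mimics an injected off-site script.
SAMPLE_HTML = """
<a href="/about.html">About</a>
<a href="https://partner.example.net/offer">Partner</a>
<img src="//static.example.com/logo.png">
<script src="http://cdn.malware-test.invalid/x.js"></script>
"""
# Constructed blocklist standing in for a reputation lookup.
BLOCKLIST = {"malware-test.invalid"}

if __name__ == "__main__":
    print(flag_bad_links(SAMPLE_HTML, "http://www.example.com/", "example.com", BLOCKLIST))
```

Script and iframe sources are collected as well as anchors, because mass-injection campaigns typically add a tag that loads content rather than a visible link.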

slide-29
SLIDE 29

Mass Injection Attacks

29

M A L W A R E G O N E W I L D

Malware Distribution Woes – WSJ.com – June 2010

  • Popular websites victimized, become malware distribution sites to their own customers

slide-30
SLIDE 30

Mass Injection Attacks

30

M A L W A R E G O N E W I L D

Malware Distribution Woes – LizaMoon – April 2011

  • Popular websites victimized, become malware distribution sites to their own customers

slide-31
SLIDE 31

Mass Injection Attacks

31

M A L W A R E G O N E W I L D

Malware Distribution Woes – willysy.com – August 2011

  • Popular websites victimized, become malware distribution sites to their own customers

slide-32
SLIDE 32

Malware Diggity

32

D I G G I T Y T O O L K I T

slide-33
SLIDE 33

Malware Diggity

33

D I G G I T Y T O O L K I T

slide-34
SLIDE 34

Malware Diggity

34

D I A G N O S T I C S I N R E S U L T S

slide-35
SLIDE 35

N E W G O O G L E H A C K I N G T O O L S

35

DLP Diggity

slide-36
SLIDE 36

DLP Diggity

36

L O T S O F F I L E S T O D A T A M I N E

slide-37
SLIDE 37

DLP Diggity

37

M O R E D A T A S E A R C H A B L E E V E R Y Y E A R

Google Results for Common Docs (chart)

Type   2004         2007          2011
PDF    10,900,000   260,000,000   513,000,000
DOC    2,100,000    42,000,000    84,500,000
XLS    969,000      16,100,000    17,300,000
TXT    1,720,000    30,100,000    46,400,000

slide-38
SLIDE 38

DLP Diggity

38

D I G G I T Y T O O L K I T

slide-39
SLIDE 39

N E W G O O G L E H A C K I N G T O O L S

39

FlashDiggity

slide-40
SLIDE 40

Flash Diggity

40

D I G G I T Y T O O L K I T

  • Google for SWF files on target domains
  • Example search: filetype:swf site:example.com
  • Download SWF files to C:\DiggityDownloads\
  • Disassemble SWF files and analyze for Flash vulnerabilities

slide-41
SLIDE 41

DEMO DEMO

N E W G O O G L E H A C K I N G T O O L S

41

slide-42
SLIDE 42

GoogleScrape Diggity

42

GoogleScrape Diggity

  • Uses Google mobile interface
  • Light-weight, no advertisements
  • Violates Terms of Service
  • Bot detection avoidance
  • Distributed via proxies
  • Spoofs User-agent and Referer headers
  • Random &userip= value

  • Across Google servers

D I G G I T Y T O O L K I T

slide-43
SLIDE 43

N E W G O O G L E H A C K I N G T O O L S

43

Baidu Diggity

slide-44
SLIDE 44

BaiduDiggity

44

C H I N A S E A R C H E N G I N E

  • Fighting back
slide-45
SLIDE 45

Advanced Defenses

45

P R O T E C T Y O N E C K

slide-46
SLIDE 46

Traditional Defenses

  • “Google Hack yourself” organization
  • Employ tools and techniques used by hackers
  • Remove info leaks from Google cache
  • Using Google Webmaster Tools
  • Regularly update your robots.txt.
  • Or robots meta tags for individual page exclusion
  • Data Loss Prevention/Extrusion Prevention Systems
  • Free Tools: OpenDLP, Senf
  • Policy and Legal Restrictions

46

G O O G L E H A C K I N G D E F E N S E S

slide-47
SLIDE 47

Existing Defenses

47

“H A C K Y O U R S E L F”

Multi-engine results

Real-time updates

Convenient

Historical archived data

Multi-domain searching

Tools exist

slide-48
SLIDE 48

Advanced Defenses

48

N E W H O T S I Z Z L E

Stach & Liu now proudly presents:

  • Google and Bing Hacking Alerts
  • SharePoint Hacking Alerts – 118 dorks
  • SHODAN Hacking Alerts – 26 dorks
  • Diggity Alerts FUNdle Bundles
  • Consolidated alerts into 1 RSS feed
  • Alert Client Tools

  • Alert Diggity – Windows systray notifications
  • iDiggity Alerts – iPhone notification app
slide-49
SLIDE 49

Google Hacking Alerts

49

Google Hacking Alerts

  • All hacking database queries using
  • Real-time vuln updates to >2400 hack queries via RSS
  • Organized and available via importable file

A D V A N C E D D E F E N S E S

slide-50
SLIDE 50

Google Hacking Alerts

50

A D V A N C E D D E F E N S E S

slide-51
SLIDE 51

Bing Hacking Alerts

51

Bing Hacking Alerts

  • Bing searches with regexes from BHDB
  • Leverages http://api.bing.com/rss.aspx
  • Real-time vuln updates to >900 Bing hack queries via RSS

A D V A N C E D D E F E N S E S

slide-52
SLIDE 52

Bing/Google Alerts

52

L I V E V U L N E R A B I L I T Y F E E D S

World’s Largest Live Vulnerability Repository

  • Daily updates of ~3000 new hits per day

slide-53
SLIDE 53

A D V A N C E D D E F E N S E T O O L S

53

Diggity Alert Fundle Bundle

Diggity Alerts One Feed to Rule Them All

slide-54
SLIDE 54

FUNdle Bundle

54

A D V A N C E D D E F E N S E S

slide-55
SLIDE 55

FUNdle Bundle

55

A D V A N C E D D E F E N S E S

slide-56
SLIDE 56

FUNdle Bundle

56

M O B I L E F R I E N D L Y

slide-57
SLIDE 57

A D V A N C E D D E F E N S E T O O L S

57

SHODAN Alerts

slide-58
SLIDE 58

SHODAN Alerts

58

F I N D I N G S C A D A S Y S T E M S

slide-59
SLIDE 59

SHODAN Alerts

59

S H O D A N R S S F E E D S

slide-60
SLIDE 60

Bing/Google Alerts

60

T H I C K C L I E N T S T O O L S

Google/Bing Hacking Alert Thick Clients

  • Google/Bing Alerts RSS feeds as input
  • Allow user to set one or more filters
  • e.g. “yourcompany.com” in the URL
  • Several thick clients being released:

  • Windows Systray App
  • Droid app (coming soon)
  • iPhone app
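
The feed-plus-filter idea above, as an added example (not the Alert Diggity client's code): it reads an RSS feed and keeps only items that point at your own domains. It goes one step beyond the slide's "in the URL" filter by matching on the link's host, and the feed content, item layout and function names are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed RSS 2.0 sample standing in for an alert feed: each item title is
# the search query category that hit, each link the indexed URL.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed alert feed</title>
<item><title>Files containing passwords</title>
<link>http://intranet.yourcompany.com/backup/config.bak</link></item>
<item><title>Pages containing login portals</title>
<link>http://www.example.org/admin/login.asp</link></item>
<item><title>Sensitive Directories</title>
<link>http://yourcompany.com.example.net/files/</link></item>
</channel></rss>"""


def host_matches(url, domain):
    """True if the URL's host is `domain` or a subdomain of it."""
    host = (urlsplit(url).hostname or "").lower()
    domain = domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def filter_alerts(feed_xml, domains, seen=None):
    """Return unseen feed items whose link host belongs to one of `domains`.

    `seen` is a set of URLs already reported; pass the same set on each poll
    so an item that stays in the feed raises only one notification.
    """
    seen = set() if seen is None else seen
    hits = []
    # Feeds are untrusted input: in production parse them with a hardened
    # XML parser and cap the response size before parsing.
    for item in ET.fromstring(feed_xml).iter("item"):
        url = (item.findtext("link") or "").strip()
        if url and url not in seen and any(host_matches(url, d) for d in domains):
            seen.add(url)
            hits.append({"query": (item.findtext("title") or "").strip(), "url": url})
    return hits


def substring_filter(feed_xml, needle):
    """The naive "string in the URL" filter, kept for comparison."""
    links = [(i.findtext("link") or "") for i in ET.fromstring(feed_xml).iter("item")]
    return [u.strip() for u in links if needle in u]


if __name__ == "__main__":
    print(filter_alerts(SAMPLE_FEED, ["yourcompany.com"]))
    print(substring_filter(SAMPLE_FEED, "yourcompany.com"))
```

On the sample feed the substring filter also reports the look-alike host yourcompany.com.example.net, which the host match drops.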
slide-61
SLIDE 61

A D V A N C E D D E F E N S E T O O L S

61

Alert Diggity

slide-62
SLIDE 62

Alerts Diggity

62

A D V A N C E D D E F E N S E S

slide-63
SLIDE 63

A D V A N C E D D E F E N S E T O O L S

63

iDiggity Alerts

iDiggity Alerts

slide-64
SLIDE 64

iDiggity Alerts

64

A D V A N C E D D E F E N S E S

slide-65
SLIDE 65

iDiggity Alerts

65

A D V A N C E D D E F E N S E S

slide-66
SLIDE 66

New Defenses

66

“G O O G L E / B I N G H A C K A L E R T S”

Multi-engine results

Real-time updates

Convenient

Historical archived data

Multi-domain searching

Tools exist

slide-67
SLIDE 67

Future Direction

67

I S N O W

slide-68
SLIDE 68

Diggity Alert DB

68

D A T A M I N I N G V U L N S

Diggity Alerts Database

slide-69
SLIDE 69

Dictionary Updates

69

3RD P A R T Y I N T E G R A T I O N

New maintainers of the GHDB – 09 Nov 2010

  • http://www.exploit-db.com/google-hacking-database-reborn/
slide-70
SLIDE 70

Special Thanks

Oscar “The Bull” Salazar Brad “BeSickWittIt” Sickles Nick “King Luscious” Harbin Prajakta “The Flasher” Jagdale Ruihai “Ninja” Fang Jason “Blk-majik” Lash

slide-71
SLIDE 71

Questions?
Ask us something
We’ll try to answer it.

For more info:

Email: contact@stachliu.com
Project: diggity@stachliu.com
Stach & Liu, LLC
www.stachliu.com

slide-72
SLIDE 72

Thank You

72

Stach & Liu Google Hacking Diggity Project info:

http://www.stachliu.com/index.php/resources/tools/google-hacking-diggity-project/