Google hacking for penetration tester - part 13 doc

Chapter 4

Document Grinding and Database Digging

Solutions in this chapter:

• Configuration Files
• Log Files
• Office Documents
• Database Information
• Automated Grinding
• Google Desktop
• Links to Sites

• Summary
• Solutions Fast Track
• Frequently Asked Questions
452_Google_2e_04.qxd 10/5/07 12:42 PM Page 121
Introduction

There’s no shortage of documents on the Internet. Good guys and bad guys alike can use information found in documents to achieve their distinct purposes. In this chapter we take a look at ways you can use Google to not only locate these documents but to search within these documents to locate information. There are so many different types of documents and we can’t cover them all, but we’ll look at the documents in distinct categories based on their function. Specifically, we’ll take a look at configuration files, log files, and office documents.

Once we’ve looked at distinct file types, we’ll delve into the realm of database digging. We won’t examine the details of the Structured Query Language (SQL) or database architecture and interaction; rather, we’ll look at the many ways Google hackers can locate and abuse database systems armed with nothing more than a search engine.

One important thing to remember about document digging is that Google will only search the rendered, or visible, view of a document. For example, consider a Microsoft Word document. This type of document can contain metadata, as shown in Figure 4.1. These fields include such things as the subject, author, manager, company, and much more. Google will not search these fields. If you’re interested in getting to the metadata within a file, you’ll have to download the actual file and check the metadata yourself, as discussed in Chapter 5.

Figure 4.1 Microsoft Word Metadata
Configuration Files

Configuration files store program settings. An attacker (or “security specialist”) can use these files to glean insight into the way a program is used and perhaps, by extension, into how the system or network it’s on is used or configured. As we’ve seen in previous chapters, even the smallest tidbit of information can be of interest to a skilled attacker.

Consider the file shown in Figure 4.2. This file, found with a query such as filetype:ini inurl:ws_ftp, is a configuration file used by the WS_FTP client program. When the WS_FTP program is downloaded and installed, the configuration file contains nothing more than a list of popular, public Internet FTP servers. However, over time, this configuration file can be automatically updated to include the name, directory, username, and password of FTP servers the user connects to. Although the password is encoded when it is stored, some free programs can crack these passwords with relative ease.

Figure 4.2 The WS_FTP.INI File Contains Hosts, Usernames, and Passwords
Underground Googling: Locating Files

To locate files, it’s best to try different types of queries. For example, intitle:index.of ws_ftp.ini will return results, but so will filetype:ini inurl:ws_ftp.ini. The filetype:ini inurl:ws_ftp.ini query, however, is often the better choice. First, the filetype search allows you to browse right to a cached version of the page. Second, the directory listings found by the index.of search might allow you to view a list of files but not allow you access to the actual file. Third, directory listings are not overly common. The filetype search will locate your file no matter how Google found it.
Regardless of the type of data in a configuration file, sometimes the mere existence of a configuration file is significant. If a configuration file is located on a server, there’s a chance that the accompanying program is installed somewhere on that server or on neighboring machines on the network. Although this might not seem like a big deal in the case of FTP client software, consider a search like filetype:conf inurl:firewall, which can locate generic firewall configuration files. This example demonstrates one of the most generic naming conventions for a configuration file, the use of the conf file extension. Other generic naming conventions can be combined to locate other equally common naming conventions. One of the most common base searches for locating configuration files is simply (inurl:conf OR inurl:config OR inurl:cfg), which incorporates the three most common configuration file prefixes. You may also opt to use the filetype operator.

If an attacker knows the name of a configuration file as it shipped from the software author or vendor, he can simply create a search targeting that filename using the filetype and inurl operators. However, most programs allow you to reference a configuration file of any name, making a Google search slightly more difficult. In these cases, it helps to get an idea of the contents of the configuration file, which could be used to extract unique strings for use in an effective base search. Sometimes, combining a generic base search with the name (or acronym) of a software product can have satisfactory results, as a search for (inurl:conf OR inurl:config OR inurl:cfg) MRTG shows in Figure 4.3.
Figure 4.3 Generic Configuration File Searching
Although this first search is not far off the mark, it’s fairly common for even the best config file search to return page after page of sample or example files, like the sample MRTG configuration file shown in Figure 4.4.

Figure 4.4 Sample Config Files Need Filtering
This brings us back, once again, to perhaps the most valuable weapon in a Google hacker’s arsenal: effective search reduction. Here’s a list of the most common points a Google hacker considers when trolling for configuration files:

• Create a strong base search using unique words or phrases from live files.
• Filter out the words sample, example, test, howto, and tutorial to narrow the obvious example files.
• Filter out CVS repositories, which often house default config files, with -cvs.
• Filter out manpage or Manual if you’re searching for a UNIX program’s configuration file.
• Locate the one most commonly changed field in a sample configuration file and perform a negative search on that field, reducing potentially “lame” or sample files.

To illustrate these points, consider the search filetype:cfg mrtg "target[*]" -sample -cvs -example, which locates potentially live MRTG files. As shown in Figure 4.5, this query uses a unique string "target[*]" (which is a bit ubiquitous to Google, but still a decent place to start) and removes potential example and CVS files, returning decent results.

Figure 4.5 A Common Search Reduction Technique
Some of the results shown in Figure 4.5 might not be real, live MRTG configuration files, but they all have potential, with the exception of the first hit, located in “/Squid-Book.” There’s a good chance that this is a sample file, but because of the reduction techniques we’ve used, the other results are potentially live, production MRTG configuration files.
Table 4.1 lists a collection of searches that locate various configuration files. These entries were gathered by the many contributors to the GHDB. This list highlights the various methods that can be used to target configuration files. You’ll see examples of CVS reduction, sample reduction, unique word and phrase isolation, and more. Most of these queries took imagination on the part of the creator and in many cases took several rounds of reduction by several searchers to get to the query you see here. Learn from these queries, and try them out for yourself. It might be helpful to remove some of the qualifiers, such as -cvs or -sample, where applicable, to get an idea of what the “messy” version of the search might look like.
Table 4.1 Configuration File Search Examples

Description                                        Query
PHP configuration file                             intitle:index.of config.php
PHP configuration file                             inurl:config.php dbuname dbpass
CGIIRC configuration file                          intitle:index.of cgiirc.config
CGIIRC configuration file                          inurl:cgiirc.config
IPSEC configuration file                           inurl:ipsec.conf -intitle:manpage
ws_ftp configuration file                          intitle:index.of ws_ftp.ini
eggdrop configuration file                         eggdrop filetype:user user
samba configuration file                           inurl:"smb.conf" intext:"workgroup" filetype:conf
firewall configuration file                        filetype:conf inurl:firewall -intitle:cvs
vtunnelD configuration file                        inurl:vtund.conf intext:pass -cvs
OpenLDAP configuration file                        filetype:conf slapd.conf
PHP configuration file                             inurl:php.ini filetype:ini
FTP configuration file                             filetype:conf inurl:proftpd.conf -sample
WV Dial configuration file                         inurl:"wvdial.conf" intext:"password"
OpenLDAP configuration file                        inurl:"slapd.conf" intext:"credentials" -manpage -"Manual Page" -man: -sample
OpenLDAP configuration file                        inurl:"slapd.conf" intext:"rootpw" -manpage -"Manual Page" -man: -sample
WS_FTP configuration file                          filetype:ini ws_ftp pwd
MRTG configuration file                            filetype:cfg mrtg "target[*]" -sample -cvs -example
WRQ Reflection configuration file                  filetype:r2w r2w
Prestige router configuration file                 "Welcome to the Prestige Web-Based Configurator"
GNU Zebra configuration file                       inurl:zebra.conf intext:password -sample -test -tutorial -download
GNU Zebra configuration file                       inurl:ospfd.conf intext:password -sample -test -tutorial -download
YAST configuration file                            filetype:cfg ks intext:rootpw -sample -test -howto
Netscape server configuration file                 allinurl:".nsconfig" -sample -howto -tutorial
UnrealIRCd configuration file                      filetype:conf inurl:unrealircd.conf -cvs -gentoo
psyBNC configuration file                          filetype:conf inurl:psybnc.conf "USER.PASS="
SSL configuration file                             inurl:ssl.conf filetype:conf
LILO configuration file                            inurl:lilo.conf filetype:conf password -tatercounter2000 -bootpwd -man
MySQL configuration file                           filetype:cnf my.cnf -cvs -example
oracle client configuration file                   filetype:ora ora
Mandrake configuration file                        filetype:cfg auto_inst.cfg
Oekakibss configuration file                       filetype:conf oekakibbs
LeapFTP client configuration file                  LeapFTP intitle:"index.of./" sites.ini modified
.Net Web Application configuration file            filetype:config config intext:appSettings "User ID"
WS_FTP configuration file                          "index of/" "ws_ftp.ini" "parent directory"
ODBC client configuration files                    inurl:odbc.ini ext:ini -cvs
FlashFXP configuration file                        filetype:ini inurl:flashFXP.ini
Generic configuration file                         ext:ini intext:env.ini
Certificate Services configuration file            filetype:inf inurl:capolicy.inf
NoCatAuth configuration file                       ext:conf NoCatAuth -cvs
Putty saved session data                           inurl:"putty.reg"
Icecast configuration file                         "liveice configuration file" ext:cfg -site:sourceforge.net
SoftCart configuration file                        intitle:Configuration.File inurl:softcart.exe
Cisco configuration data                           intext:"enable secret 5 $"
IIS Web.config file                                filetype:config web.config -CVS
VMWare configuration files                         ext:vmx vmx
Radiator Radius configuration file                 ext:cfg radius.cfg
Rsync configuration file                           ext:conf inurl:rsyncd.conf -cvs -man
Eudora configuration file                          ext:ini eudora.ini
emule configuration file                           inurl:preferences.ini "[emule]"
abyss webserver configuration file                 intitle:index.of abyss.conf
Frontpage Extensions for Unix configuration file   filetype:cnf inurl:_vti_pvt access.cnf
Shoutcast configuration file                       intitle:"Index of" sc_serv.conf sc_serv content
HP Ethernet switch configuration file              intitle:"DEFAULT_CONFIG - HP"
Oracle configuration files                         filetype:ora tnsnames
Counterstrike configuration file                   inurl:server.cfg rcon password
Steam configuration file                           intext:"SteamUserPassphrase=" intext:"SteamAppUser=" -"username" -"user"
CGI Calendar configuration file                    inurl:cgi-bin inurl:calendar.cfg
Cisco configuration file                           intext:"enable password 7"
YABB Forum administration file                     inurl:/yabb/Members/Admin.dat
FlashFXP site data file                            inurl:"Sites.dat"+"PASS="
Ruby on Rails database connector file              ext:yml database inurl:config
Cisco configuration file                           enable password | secret "current configuration" -intext:the
Generic configuration file                         intitle:index.of.config
Log Files

Log files record information. Depending on the application, the information recorded in a log file can include anything from timestamps and IP addresses to usernames and passwords—even incredibly sensitive data such as credit card numbers!

Like configuration files, log files often have a default name that can be used as part of a base search. The most common file extension for a log file is simply log, making the simplest base search for log files simply filetype:log inurl:log or the even simpler ext:log log. Remember that the ext (filetype) operator requires at least one search argument. Log file searches seem to return fewer samples and example files than configuration file searches, but search reduction is still required in some cases. Refer to the rules for configuration file reduction listed previously.

Table 4.2 lists a collection of log file searches collected from the GHDB. These searches show the various techniques that are employed by Google hackers and serve as an excellent learning tool for constructing your own searches during a penetration test.
Table 4.2 Log File Search Examples

Query                                                                       Description
"ZoneAlarm Logging Client"                                                  ZoneAlarm log files
"admin account info" filetype:log                                           Admin logs
"apricot - admin" 00h                                                       Apricot logs
"by Reimar Hoven. All Rights Reserved. Disclaimer" | inurl:"log/logdb.dta"  PHP Web Statistik logs
"generated by wwwstat"                                                      www statistics
"Index of" / "chat/logs"                                                    Chat logs
"MacHTTP" filetype:log inurl:machttp.log                                    MacHTTP
"Most Submitted Forms and Scripts" "this section"                           www statistics
"sets mode: +k"                                                             IRC logs, channel key set
"sets mode: +p"                                                             IRC chat logs
"sets mode: +s"                                                             IRC logs, secret channel set
"The statistics were last updated" "Daily" -microsoft.com                   Network activity logs
"This report was generated by WebLog"                                       weblog-generated statistics
"your password is" filetype:log                                             Password logs
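The configuration file reduction rules and the log file searches in Tables 4.1 and 4.2 describe what an indexer can find in a web root; this added example (not from the book) turns them into a defender's audit of a site's own document root, flagging files whose names match the tables, marking sample files by path the way the -sample/-cvs filters do, and prioritising files that carry the live markers the chapter relies on. The watch lists, the marker pattern, the constructed sample tree and the function names are all assumptions.

```python
# Audit a web document root for configuration and log files a search engine
# could index. Added example, not from the book: the watch lists, marker
# patterns and the constructed sample tree are assumptions.
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# File names and extensions drawn (in part) from Tables 4.1 and 4.2.
WATCH_NAMES = {"ws_ftp.ini", "config.php", "my.cnf", "slapd.conf", "web.config",
               "putty.reg", "database.yml", "php.ini", "wvdial.conf"}
WATCH_EXTS = {".log", ".conf", ".cfg", ".ini", ".cnf"}
# Path components that mark sample files: the chapter's -sample, -example,
# -test, -howto, -tutorial and -cvs filters, applied to the local tree.
SAMPLE_DIRS = {"sample", "example", "test", "howto", "tutorial", "cvs"}
# Strings the chapter uses to tell live, credential-bearing files from samples.
LIVE_MARKER = re.compile(r"rootpw|password|pwd=|pass=|enable secret 5 \$|"
                         r"your password is|dbpass|target\[", re.IGNORECASE)

def classify(path: Path, root: Path) -> Optional[Dict]:
    """Return a finding for one file, or None if it is not of interest."""
    if path.name.lower() not in WATCH_NAMES and path.suffix.lower() not in WATCH_EXTS:
        return None
    rel = path.relative_to(root)
    is_sample = any(part.lower() in SAMPLE_DIRS for part in rel.parts[:-1])
    # Only the rendered body matters: Google indexes visible text, not metadata.
    live = bool(LIVE_MARKER.search(path.read_text(errors="replace")))
    return {"file": rel.as_posix(), "sample": is_sample, "live_marker": live,
            "priority": "high" if live and not is_sample else "low"}

def audit(root: str) -> List[Dict]:
    """Walk the document root and return a finding for every matching file."""
    base = Path(root)
    found = [classify(p, base) for p in sorted(base.rglob("*")) if p.is_file()]
    return [f for f in found if f is not None]

def demo_tree() -> str:
    """Build a constructed document root (fake data) for the audit to run on."""
    root = tempfile.mkdtemp()
    files = {
        "ftp/ws_ftp.ini": "[host1]\nHOST=ftp.example.test\nPWD=<placeholder>\n",
        "docs/sample/my.cnf": "[mysqld]\n# example only, no credentials\n",
        "mrtg/mrtg.cfg": "Target[router]: 2:community@10.0.0.1\n",
        "logs/mail.log": "info: your password is <placeholder>\n",
        "index.html": "<html>hello</html>\n",
    }
    for rel, body in files.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_text(body)
    return root
```

Running audit(demo_tree()) reports the WS_FTP, MRTG and log files as high priority and the my.cnf under docs/sample as low, which is the same triage the chapter's negative-search filters perform on the search engine side.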
Continued