
Google hacking for penetration tester - part 46 pptx


This front-end was designed to put a new face on an older PBX product, but client
security seems to have been an afterthought. Notice that the interface asks the user to “Logout”
of the interface, indicating that the user is already logged in. Also, notice that cryptic button
labeled Start Managing the Device. After firing off a Google search, all a malicious hacker has to
do is figure out which button to press. What an unbelievably daunting task.
Power
I get a lot of raised eyebrows when I talk about using Google to hack power systems. Most
people think I’m talking about UPS systems like the one submitted by Yeseins in Figure
11.47.
Figure 11.47 Whazzups?
This is a clever Google query, but it’s only an uninterruptible power system (UPS)
monitoring page. This can be amusing, but as Jimmy Neutron shows in Figure 11.48,
there are more interesting power hacking opportunities available.
Google Hacking Showcase • Chapter 11 451
452_Google_2e_11.qxd 10/5/07 1:19 PM Page 451
Figure 11.48 Bedroom Hacking For Dummies
AMX NetLinx systems are designed to allow control of power systems. The figure above
seems to suggest that a web visitor could control power in a theater, a family room and the
master bedroom of a residence. The problem is that the Google search turns up a scarce
number of results, most of which are password protected. As an alternative, Jimmy offers the
search shown in Figure 11.49.
Figure 11.49 Passwords Are Nifty, Especially Default Ones
Although this query results in a long list of password-protected sites, many sites still
use the default password, providing access to the control panel shown in Figure 11.50.
Figure 11.50 Google Hacking Light Sockets? Uh oh.
This control panel lists power sockets alongside interesting buttons named Power and
Restart, which even the dimmest of hackers will undoubtedly be able to figure out. The
problem with this interface is that it’s just not much fun. A hacker will definitely get
bored flipping unnamed power switches—unless of course he also finds an open
webcam so he can watch the fun. The search shown in Figure 11.51 seems to address
this, naming each of the devices for easy reference.
Figure 11.51 Step Away From The Christmas Lights
Of course even the most vicious hackers would probably consider it rude to nail
someone’s Christmas lights, but no hacker in their right mind could resist the open
HomeSeer control panel shown in Figure 11.52.
Figure 11.52 Bong Hacking. BONG Hacking.
The HomeSeer control panel puts the fun back into power hacking, listing descriptions
for each control, as well as an On, Off and slider switch for applicable elements. Some of the
elements in this list are quite interesting, including Lower Motion and Bathroom. The best
though is definitely Electric Bong. If you’re a member of the Secret Service looking to bust
the owner of this system, I would suggest a preemptive Google strike before barging into
the home. Start by dimming the lights, and then nail the motion sensors. Last but not least,
turn on the electric bong in case your other charges don’t stick.
Sensitive Info
Sensitive info is such a generic term, but that’s what this section includes: a hodgepodge of
sensitive info discovered while surfing Google. We’ll begin with the VCalendar search
submitted by Jorokin as shown in Figure 11.53.
Figure 11.53 Let Me Check Their Calendar
There’s at least a decent possibility that these calendar files were made public on
purpose, but the Netscape history file submitted by Digital_Revolution in Figure 11.54
shouldn’t be public.
Figure 11.54 Hot Chicks at IBM? Nah.

For starters, the file contains the user’s POP email username and encoded password.
Then there’s the issue of his URL history, which contains not only the very respectable
IBM.com, but also the not-so-respectable hotchicks.com, which I’m pretty sure is NSFW.
Next up is an MSN contact list submitted by Harry-AAC, which is shown in Figure
11.55.
Figure 11.55 Want To Steal My Friends?
This file lists the contact names and email addresses found in someone’s contact list. At
best, this file is spam fodder. There’s really no shortage of email address lists, phone number
lists and more on the Web, but what’s surprising is how many documents containing this
type of information were created with the express intention of sharing that information.
Consider the screen shown in Figure 11.56, which was submitted by CP.
Figure 11.56 Call and Email the Entire Staff and Wish Them Happy Birthday
This document is a staff directory, which was created for internal use only. The only
problem is that it was found on a public web site. While this doesn’t seem to constitute
seriously private information, the search shown in Figure 11.57 (submitted by Maerim) reveals
slightly more sensitive information: passwords.
Figure 11.57 I Think This RCON Password is Written In Greek
This file lists the cleartext passwords for the Ghost Squad’s private Counterstrike remote
administration console. Ask any CS gamer how embarrassing this could be. But hacking a
game server is fairly tame. Consider, however, Figure 11.58 which was submitted by Barabas.
Figure 11.58 Encoded VPN Passwords
This file lists information and encoded passwords for a Cisco Virtual LAN (VLAN).

About the only thing worse than revealing your VLAN’s encoded passwords is revealing
your VLAN’s cleartext passwords. Ask and you shall receive. Check out Figure 11.59, again
from Barabas.
Figure 11.59 Plaintext VPN Passwords
Yup, that’s a cleartext password nestled inside a University’s configuration file. But
interesting passwords can be found in all sorts of places, such as inside Windows
unattended installation files, as shown in Figure 11.60, which was submitted by MBaldwin.
Figure 11.60 Owning a Windows Install before It’s Installed. Leet.
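
A defender-side check for the exposures shown in Figures 11.57 through 11.60, added here as an example that is not from the book: it scans a web document root you administer for files that carry password assignments, so they can be pulled before a search engine indexes them. The key names (AdminPassword, GroupPwd, enc_GroupPwd, UserPassword, rcon_password) are assumptions drawn from those file formats, not values read from the figures, and the sample files are constructed.

```python
import os
import re

# Assumed key names (not from the page): Windows unattend.txt uses AdminPassword,
# Cisco VPN client profiles use GroupPwd/UserPassword plus enc_ variants, and
# Counter-Strike server configs use rcon_password "value".
SECRET_KEY = re.compile(
    r'^\s*(?P<key>(?:enc_)?GroupPwd|(?:enc_)?UserPassword|AdminPassword|rcon_password)'
    r'\s*(?:=|\s)\s*"?(?P<value>[^"\r\n]*)"?\s*$',
    re.IGNORECASE,
)

# Constructed sample inputs, shaped like the file types the chapter describes.
SAMPLE_UNATTEND = "[GuiUnattended]\nAdminPassword=Constructed-Example-1\nTimeZone=35\n"
SAMPLE_PROFILE = (
    "[main]\nHost=vpn.example.edu\nGroupName=students\n"
    "GroupPwd=\nenc_GroupPwd=0A1B2C3D4E5F\n"
)


def audit_text(text):
    """Return (line_no, key, kind) for each non-empty password assignment."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = SECRET_KEY.match(line)
        if not match or not match.group("value").strip():
            continue  # not a secret key, or the key is present but empty
        key = match.group("key")
        # Encoded values are reported too: publishing them is still an exposure.
        kind = "encoded" if key.lower().startswith("enc_") else "cleartext"
        findings.append((line_no, key, kind))
    return findings


def audit_tree(root):
    """Scan every file under a document root; the secret itself is never returned."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            with open(path, "r", errors="replace") as handle:
                hits = audit_text(handle.read())
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report
```

Call `audit_tree()` on the directory the web server publishes; any file it reports should be moved out of the document root and its password rotated.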
