
Lord of the Bing

Taking Back Search Engine Hacking From Google and Bing


30 July 2010

Presented by: Francis Brown and Rob Ragan Stach & Liu, LLC www.stachliu.com

Agenda
OVERVIEW

Introduction
Advanced Attacks
Google/Bing Hacking
Other OSINT Attack Techniques
Advanced Defenses
Future Directions

Goals
DESIRED OUTCOME

To understand Google Hacking
Attacks and defenses
Advanced tools and techniques

To think differently about exposures caused by publicly available sources
To blow your mind!

Introduction/Background
GETTING UP TO SPEED

Open Source Intelligence


SEARCHING PUBLIC SOURCES

OSINT is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence.

Quick History
GOOGLE HACKING RECAP
Dates           Event
2004            Google Hacking Database (GHDB) begins
May 2004        Foundstone SiteDigger v1 released
2005            Google Hacking v1 released by Johnny Long
Jan. 2005       Foundstone SiteDigger v2 released
Feb. 13, 2005   Google Hack Honeypot first release
Jan. 10, 2005   MSNPawn v1.0 released
Dec. 5, 2006    Google stops issuing Google SOAP API keys

Quick History
GOOGLE HACKING RECAP
Dates           Event
Mar. 2007       Bing disables inurl: link: and linkdomain:
Nov. 2, 2007    Google Hacking v2 released
Mar. 2008       cDc Goolag GUI tool released
June 3, 2009    Bing goes online
Sept. 7, 2009   Google shuts down SOAP Search API
Nov. 2009       Binging tool released
Dec. 1, 2009    FoundStone SiteDigger v3.0 released
2010            Goolag.org disappears

Threat Areas
WHAT YOU SHOULD KNOW

Google/Bing Hacking


SEARCH ENGINE ATTACKS

Our favorites are Google and Bing
Crawl and Index
Cache and RSS are forever
Query modifiers
site:target.com
related:target.com
filetype:xls
ip:69.63.184.142

Attack Targets


GOOGLE HACKING DATABASE
Advisories and Vulnerabilities (215)
Error Messages (58)
Files containing juicy info (230)
Files containing passwords (135)
Files containing usernames (15)
Footholds (21)
Pages containing login portals (232)
Pages containing network or vulnerability data (59)
Sensitive Directories (61)
Sensitive Online Shopping Info (9)
Various Online Devices (201)
Vulnerable Files (57)
Vulnerable Servers (48)
Web Server Detection (72)


Attack Targets


GOOGLE HACKING DATABASE

Examples
Error Messages
filetype:asp + "[ODBC SQL
"Warning: mysql_query()" "invalid query
Files containing passwords
inurl:passlist.txt


Google Hacking Toolkit


STATE OF THE ART

SiteDigger v3.0
Uses Google AJAX API
Not blocked by Google
But restricted to 64 results/query

Binging
Uses Microsoft Bing search engine
Limited domain/ip profiling utils

Gooscan, Goolag
Still work, but get blocked by Google bot detection
Download sites no longer around

Google Hacking Toolkit


FOUNDSTONE SITEDIGGER


Google Hacking Toolkit


BINGING


NEW GOOGLE HACKING TOOLS

DEMO

New Toolkit


STACH & LIU TOOLS

GoogleDiggity Uses Google AJAX API


Not blocked by Google bot detection

Can Leverage BingDiggity Company/Webapp Profiling


Enumerate: URLs, IP-to-virtual hosts, etc.

Bing Hacking Database (BHDB)


Regexs in Bing format


New Toolkit


GOOGLEDIGGITY


New Toolkit


BINGDIGGITY


Defenses
GOOGLE/BING HACKING DEFENSES

Google Hack yourself organization
Employ tools and techniques used by hackers

Policy and Legal Restrictions
Regularly update your robots.txt
Data Loss Prevention/Extrusion Prevention Systems
Free Tools: OpenDLP, Senf

Social Sentry
Service to monitor employee Facebook and Twitter for $2-$8 per employee (MySpace, YouTube, and LinkedIn support by summer)


Google Apps Explosion


SO MANY APPLICATIONS TO ABUSE


Google PhoneBook
SPEAR PHISHING


Google Code Search


VULNS IN OPEN SOURCE CODE

Regex search for vulnerabilities in public code
Example: SQL Injection in ASP querystring
select.*from.*request\.QUERYSTRING


GOOGLE CODE SEARCH HACKING

DEMO

SHODAN
HACKER SEARCH ENGINE

SHODAN Computer Search Engine
Scans and probes the Internet for open HTTP ports and indexes the headers returned in the response
Profile a target without directly probing their systems
Discover specific network appliances
Easily find vulnerable systems!


Target NAS Appliances


Target SCADA
CRITICAL INFRASTRUCTURE SECURITY

Supervisory control and data acquisition


Target SCADA
CRITICAL INFRASTRUCTURE SECURITY

SHODAN: Target Acquired!


Black Hat SEO


SEARCH ENGINE OPTIMIZATION

Why use real news events?
Black hats make their own fake news
Faux celebrity sex tape anyone?
Send to college students
It works!
Other scammers imitate what works


Google Trends
BLACK HAT SEO RECON


Defenses
BLACKHAT SEO DEFENSES

Google SafeBrowsing plugin
Microsoft SmartScreen Filter
No-script and Ad-block browser plugins
Install software security updates
Stick to reputable sites!
Google results aren't safe.


Metadata Attacks


DATA ABOUT DATA

It's everywhere!
In documents (doc, xls, pdf)
In images

What can be data mined?


Usernames, emails
File paths
Operating systems, software versions
Printers
Network information
Device information

FOCA
AUTO METADATA MINING

Automated doc search via Google/Bing
Specify domains to target
Automated download and analysis of docs


Defenses
METADATA MINING DEFENSES

Implement a policy to review files for sensitive metadata before they're released
Run metadata extraction tools on your resources
Utilize metadata cleaning tools
Digital Rights Management (DRM) tools


Advanced Defenses
PROTECT YO NECK


Existing Defenses
HACK YOURSELF

Tools exist
Convenient
Real-time updates
Multi-engine results
Historical archived data
Multi-domain searching

Advanced Defenses
NEW HOT SIZZLE

Stach & Liu now proudly presents:


Google Hacking Alerts
Bing Hacking Alerts


ADVANCED DEFENSE TOOLS

DEMO

Advanced Defenses
GOOGLE HACKING ALERTS

Google Hacking Alerts


All GHDB/FSDB regexs using
Real-time vuln updates to 1623 hack queries via RSS
Organized and available via importable file


Advanced Defenses
GOOGLE HACKING ALERTS


Advanced Defenses
BING HACKING ALERTS

Bing Hacking Alerts


Bing searches with regexs from BHDB
Leverage &format=rss directive to turn into update feeds
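
An added example of the alerting idea on this slide for monitoring a domain you own; it is not Stach & Liu's tool. It builds &format=rss feed URLs for queries taken from the slides and reports only feed items not seen on an earlier poll. The https://www.bing.com/search base URL, example.com and the sample feed are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Queries taken from the slides; each one is scoped to a domain you own.
QUERIES = ["inurl:passlist.txt", "filetype:xls"]

def feed_url(query: str, own_domain: str) -> str:
    """Bing search URL for one query, restricted to own_domain, returned as RSS."""
    return "https://www.bing.com/search?" + urlencode(
        {"q": f"site:{own_domain} {query}", "format": "rss"})

def new_hits(rss_xml: str, seen: set) -> list:
    """Return (title, link) for items whose link is not in seen, and record them."""
    hits = []
    for item in ET.fromstring(rss_xml).iter("item"):
        link = (item.findtext("link") or "").strip()
        if link and link not in seen:
            seen.add(link)
            hits.append(((item.findtext("title") or "").strip(), link))
    return hits

# Constructed sample feed standing in for a fetched response.
SAMPLE_RSS = """<rss version="2.0"><channel><title>sample</title>
<item><title>Index of /backup</title>
<link>http://www.example.com/backup/passlist.txt</link></item>
<item><title>Old page</title><link>http://www.example.com/old.php</link></item>
</channel></rss>"""

if __name__ == "__main__":
    for q in QUERIES:
        print("subscribe:", feed_url(q, "example.com"))
    already_triaged = {"http://www.example.com/old.php"}
    for title, link in new_hits(SAMPLE_RSS, already_triaged):
        print("NEW EXPOSURE:", title, link)
```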


Future Direction
PREDICTIONS


Future Directions
PREDICTIONS

Data Explosion
More data indexed, searchable
Real-time, streaming updates
Faster, more robust search interfaces

Renewed Tool Dev


Google Ajax API based
Bing/Yahoo/other engines
Search engine aggregators

Google Code and Other Open Source Repositories


MS CodePlex, SourceForge,

Google Involvement
Filtering of search results
Better GH detection and tool blocking

More automation in tools


Real-time detection and exploitation
Google worms


Future Directions
REALTIME UPDATES


Questions?
Ask us something
We'll try to answer it.


For more info:
Email: contact@stachliu.com
Stach & Liu, LLC
www.stachliu.com

Thank You

