Pulp Google Hacking
The Next Generation Search Engine Hacking Arsenal
15 February 2012 – ISSA Los Angeles – Los Angeles, CA
Presented by:
Francis Brown
Stach & Liu, LLC
www.stachliu.com
Agenda
OVERVIEW
• Introduction/Background
• Advanced Attacks
• Google/Bing Hacking - Core Tools
• NEW Diggity Attack Tools
• Advanced Defenses
• Google/Bing Hacking Alert RSS Feeds
• NEW Diggity Alert Feeds and Updates
• NEW Diggity Alert RSS Feed Client Tools
• Future Directions
2
Introduction/Background
GETTING UP TO SPEED
3
Open Source Intelligence
SEARCHING PUBLIC SOURCES
OSINT is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence.
4
Google/Bing Hacking
SEARCH ENGINE ATTACKS
5
Google/Bing Hacking
SEARCH ENGINE ATTACKS
Bing's source leaked!
class Bing {
public static string Search(string
query)
{
return Google.Search(query);
}
}
6
Attack Targets
GOOGLE HACKING DATABASE
• Advisories and Vulnerabilities (215)
• Error Messages (58)
• Files containing juicy info (230)
• Files containing passwords (135)
• Files containing usernames (15)
• Footholds (21)
• Pages containing login portals (232)
• Pages containing network or vulnerability data (59)
• Sensitive Directories (61)
• Sensitive Online Shopping Info (9)
• Various Online Devices (201)
• Vulnerable Files (57)
• Vulnerable Servers (48)
• Web Server Detection (72)
7
Google Hacking = Lulz
REAL WORLD THREAT
LulzSec and Anonymous believed to use
Google Hacking as a primary means of
identifying vulnerable targets.
Their releases have nothing to do with their goals
or their lulz. It's purely based on whatever they
find with their "google hacking" queries and then
release it.
-- A-Team, 28 June 2011
8
Google Hacking = Lulz
REAL WORLD THREAT
22:14 <@kayla> Sooooo...using the link above and the google hack string.
!Host=*.* intext:enc_UserPassword=* ext:pcf Take your pick of VPNs you
want access too. Ugghh.. Aaron Barr CEO HBGary Federal Inc.
22:15 <@kayla> download the pcf file
22:16 <@kayla> then use http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode?enc= to clear text it
22:16 <@kayla> = free VPN
9
Quick History
GOOGLE HACKING RECAP
Dates Event
2004 Google Hacking Database (GHDB) begins
May 2004 Foundstone SiteDigger v1 released
Jan 2005 Foundstone SiteDigger v2 released
Feb 13, 2005 Google Hack Honeypot first release
Feb 20, 2005 Google Hacking v1 released by Johnny Long
Jan 10, 2006 MSNPawn v1.0 released by NetSquare
Dec 5, 2006 Google stops issuing Google SOAP API keys
Mar 29, 2007 Bing disables inurl: link: and linkdomain:
Nov 2, 2007 Google Hacking v2 released
10
Quick History…cont.
GOOGLE HACKING RECAP
Dates Event
Mar 2008 cDc Goolag - gui tool released
Sept 7, 2009 Google shuts down SOAP Search API
Nov 2009 Binging tool released by Blueinfy
Dec 1, 2009 Foundstone SiteDigger v3.0 released
2010 Goolag.org disappears
April 21, 2010 Google Hacking Diggity Project initial releases
Nov 1, 2010 Google AJAX API slated for retirement
Nov 9, 2010 GHDB Reborn Announced – Exploit-db.com
Jan 15, 2012 Google Code Search shuts down
11
Advanced Attacks
WHAT YOU SHOULD KNOW
12
Diggity Core Tools
STACH & LIU TOOLS
Google Diggity
• Uses Google JSON/ATOM API
• Not blocked by Google bot detection
• Does not violate Terms of Service
• Required to use
Bing Diggity
• Uses Bing 2.0 SOAP API
• Company/Webapp Profiling
• Enumerate: URLs, IP-to-virtual hosts, etc.
• Bing Hacking Database (BHDB)
• Vulnerability search queries in Bing format
13
New Features
DIGGITY CORE TOOLS
Google Diggity - New API
• Updated to use Google JSON/ATOM API
• Due to deprecated Google AJAX API
Misc. Feature Upgrades
• Auto-update for dictionaries
• Output export formats
• Now also XLS and HTML
• Help File – chm file added
14
New Features
DOWNLOAD BUTTON
Download Buttons for Google/Bing Diggity
• Download actual files from Google/Bing search results
• Downloads to default: C:\DiggityDownloads\
• Used by other tools for file download/analysis:
• FlashDiggity, DLP Diggity, MalwareDiggity,…
15
New Features
AUTO-UPDATES
SLDB Updates in Progress
• Example: SharePoint Google Dictionary
• http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/#SharePoint – GoogleDiggity Dictionary File
16
New Features
IP ADDRESS RANGES
GoogleDiggity can now search for IP Address Ranges
17
Dictionary Updates
3RD PARTY INTEGRATION
New maintainers of the GHDB – 09 Nov 2010
• http://www.exploit-db.com/google-hacking-database-reborn/
18
Google Diggity
DIGGITY CORE TOOLS
19
Bing Diggity
DIGGITY CORE TOOLS
20
Bing Hacking Database
STACH & LIU TOOLS
BHDB – Bing Hacking Data Base
• First ever Bing hacking database
• Bing hacking limitations
• Disabled inurl:, link: and linkdomain: directives in March 2007
• No support for ext:, allintitle:, allinurl:
• Limited filetype: functionality
• Only 12 extensions supported
Example - Bing vulnerability search:
• GHDB query
• "allintitle:Netscape FastTrack Server Home Page"
• BHDB version
• intitle:"Netscape FastTrack Server Home Page"
21
Hacking CSE’s
ALL TOP LEVEL DOMAINS
22
NEW GOOGLE HACKING TOOLS
Code Search Diggity
23
Google Code Search
VULNS IN OPEN SOURCE CODE
• Regex search for vulnerabilities in indexed public code, including popular open source code repositories:
• Example: SQL Injection in ASP querystring
• select.*from.*request\.QUERYSTRING
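The same regex can be pointed at your own source tree before anyone else indexes it. This is an added example, not code from the presentation or from the Diggity tools: it applies the slide's pattern per statement and joins VBScript line continuations, which a plain line-by-line grep would miss. The ASP fragments and file names are constructed, and case-insensitive matching is an assumption.

```python
import re

# Pattern from the slide. IGNORECASE is an assumption: VBScript is case-insensitive.
PATTERN = re.compile(r"select.*from.*request\.QUERYSTRING", re.IGNORECASE)

def logical_lines(source):
    """Yield (first_line_no, text), joining VBScript ' _' line continuations."""
    buf, start = "", None
    for no, line in enumerate(source.splitlines(), 1):
        start = no if start is None else start
        stripped = line.rstrip()
        if stripped.endswith(" _"):
            buf += stripped[:-1]          # drop the underscore, keep reading
            continue
        yield start, buf + stripped
        buf, start = "", None
    if buf:
        yield start, buf

def scan(files):
    """Return (file, line_no) for each statement the pattern matches."""
    return [(name, no)
            for name, source in files.items()
            for no, text in logical_lines(source)
            if PATTERN.search(text)]

# Constructed classic ASP fragments; file names are hypothetical.
SAMPLE_FILES = {
    "search.asp": '''
sql = "SELECT * FROM products WHERE name = '" & Request.QueryString("q") & "'"
Set rs = conn.Execute(sql)
''',
    "item.asp": '''
sql = "select title from items " & _
      "where id = " & request.querystring("id")
''',
    "fixed.asp": '''
cmd.CommandText = "SELECT title FROM items WHERE id = ?"
cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , CLng(Request.QueryString("id")))
''',
}

if __name__ == "__main__":
    print(scan(SAMPLE_FILES))
```

The parameterized query in fixed.asp is not flagged because the query text and the request value never meet in one statement. The pattern does not follow a value through intermediate variables, so a clean result is not proof of safety.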
24
CodeSearch Diggity
AMAZON CLOUD SECRET KEYS
25
Cloud Security
NO PROMISES...NONE
Amazon AWS Customer Agreement
• http://aws.amazon.com/agreement/#10
26
NEW GOOGLE HACKING TOOLS
Bing LinkFromDomainDiggity
27
Bing LinkFromDomain
DIGGITY TOOLKIT
28
Bing LinkFromDomain
FOOTPRINTING LARGE ORGANIZATIONS
29
NEW GOOGLE HACKING TOOLS
Malware Diggity
30
MalwareDiggity
DIGGITY TOOLKIT
1. Leverages Bing’s linkfromdomain: search directive to find off-site links of target applications/domains
2. Runs off-site links against Google’s Safe Browsing API to determine if any are malware distribution sites
3. Returns results that identify malware sites that your web applications are directly linking to
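The three steps above can be run against a page you own, shown here as an added example that is not MalwareDiggity's code. It extracts off-site links from the HTML itself instead of querying Bing, and a local set of flagged domains stands in for the Safe Browsing verdicts; the page, the host names and the flagged set are all constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class LinkCollector(HTMLParser):
    """Collect every href/src value, resolved against the page URL."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.urls = base_url, []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append(urljoin(self.base_url, value))

def within(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def offsite_hosts(html, base_url, own_domain):
    """Step 1: hosts this page links to that are not part of own_domain."""
    collector = LinkCollector(base_url)
    collector.feed(html)
    hosts = set()
    for url in collector.urls:
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if parts.scheme in ("http", "https") and host and not within(host, own_domain):
            hosts.add(host)
    return hosts

def flagged_offsite(html, base_url, own_domain, flagged):
    """Steps 2-3: off-site hosts that fall under a flagged domain."""
    return sorted(h for h in offsite_hosts(html, base_url, own_domain)
                  if any(within(h, bad) for bad in flagged))

# Constructed page for the hypothetical site shop.example.
SAMPLE_HTML = """
<a href="/about">About</a>
<a href="https://www.shop.example/cart">Cart</a>
<a href="https://partner.example/deals">Partner</a>
<script src="//cdn.injected.test/w.js"></script>
<iframe src="http://shop.example.lookalike.test/f"></iframe>
<a href="mailto:help@shop.example">Mail</a>
"""
# Constructed stand-in for the verdicts a reputation service would return.
FLAGGED = {"injected.test", "lookalike.test"}

if __name__ == "__main__":
    print(flagged_offsite(SAMPLE_HTML, "https://shop.example/", "shop.example", FLAGGED))
```

Matching on the parsed host name keeps shop.example.lookalike.test from being treated as part of shop.example, and resolving protocol-relative src values catches injected script tags that carry no scheme.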
31
Mass Injection Attacks
MALWARE GONE WILD
Malware Distribution Woes – WSJ.com – June 2010
• Popular websites victimized, become malware distribution sites to their own customers
32
Mass Injection Attacks
MALWARE GONE WILD
Malware Distribution Woes – LizaMoon – April 2011
• Popular websites victimized, become malware distribution sites to their own customers
33
Mass Injection Attacks
MALWARE GONE WILD
Malware Distribution Woes – willysy.com – August 2011
• Popular websites victimized, become malware distribution sites to their own customers
34
Mass Injection Attacks
MALWARE GONE WILD
Malware Distribution Woes – mysql.com – Sept 2011
• Popular websites victimized, become malware distribution sites to their own customers
35
Malware Diggity
DIGGITY TOOLKIT
36
Malware Diggity
DIGGITY TOOLKIT
37
Malware Diggity
DIAGNOSTICS IN RESULTS
38
NEW GOOGLE HACKING TOOLS
DLP Diggity
39
DLP Diggity
LOTS OF FILES TO DATA MINE
40
DLP Diggity
MORE DATA SEARCHABLE EVERY YEAR
[Chart: Google Results for Common Docs, comparing result counts for PDF, DOC, XLS and TXT files in 2004, 2007, 2011 and 2012]
41
DLP Diggity
DIGGITY TOOLKIT
42
NEW GOOGLE HACKING TOOLS
FlashDiggity
43
Flash Diggity
DIGGITY TOOLKIT
• Google for SWF files on target domains
• Example search: filetype:swf site:example.com
• Download SWF files to C:\DiggityDownloads\
• Disassemble SWF files and analyze for Flash vulnerabilities
44
NEW GOOGLE HACKING TOOLS
DEMO
45
GoogleScrape Diggity
DIGGITY TOOLKIT
GoogleScrape Diggity
• Uses Google mobile interface
• Light-weight, no advertisements
• Violates Terms of Service
• Bot detection avoidance
• Distributed via proxies
• Spoofs User-agent and Referer headers
• Random &userip= value
• Across Google servers
46
NEW GOOGLE HACKING TOOLS
Baidu Diggity
47
BaiduDiggity
CHINA SEARCH ENGINE
• Fighting back
48
NON–DIGGITY ATTACK TOOLS
Other Search Hacking Tools
49
Maltego
INFORMATION GATHER TOOL
50
theHarvester
FOOTPRINTING TOOL
• Gathers e-mail accounts, user names and hostnames, and subdomains
51
theHarvester
FOOTPRINTING EXAMPLE
52
SHODAN
HACKER SEARCH ENGINE
• Indexed service banners for the whole Internet for HTTP (Port 80), as well as some FTP (23), SSH (22) and Telnet (21) services
53
DeepMagic DNS
FOOTPRINTING DNS SEARCH ENGINE
• DNS/IP Addr records hacker search engine
54
PasteBin Leaks
PASSWORDS IN PASTEBIN.COM POSTS
• Twitter feed tracking passwords leaked via PasteBin
55
Advanced Defenses
PROTECT YO NECK
56
Traditional Defenses
GOOGLE HACKING DEFENSES
• “Google Hack yourself” organization
• Employ tools and techniques used by hackers
• Remove info leaks from Google cache
• Using Google Webmaster Tools
• Regularly update your robots.txt.
• Or robots meta tags for individual page exclusion
• Data Loss Prevention/Extrusion Prevention Systems
• Free Tools: OpenDLP, Senf
• Policy and Legal Restrictions
57
Existing Defenses
“HACK YOURSELF”
Tools exist
Convenient
Real-time updates
Multi-engine results
Historical archived data
Multi-domain searching
58
Advanced Defenses
NEW HOT SIZZLE
Stach & Liu now proudly presents:
• Google and Bing Hacking Alerts
• SharePoint Hacking Alerts – 118 dorks
• SHODAN Hacking Alerts – 26 dorks
• Diggity Alerts FUNdle Bundles
• Consolidated alerts into 1 RSS feed
• Alert Client Tools
• Alert Diggity – Windows systray notifications
• iDiggity Alerts – iPhone notification app
59
Google Hacking Alerts
ADVANCED DEFENSES
Google Hacking Alerts
• All hacking database queries using
• Real-time vuln updates to >2400 hack queries via RSS
• Organized and available via importable file
60
Google Hacking Alerts
ADVANCED DEFENSES
61
Bing Hacking Alerts
ADVANCED DEFENSES
Bing Hacking Alerts
• Bing searches with regexs from BHDB
• Leverages http://api.bing.com/rss.aspx
• Real-time vuln updates to >900 Bing hack queries via RSS
62
Bing/Google Alerts
LIVE VULNERABILITY FEEDS
World’s Largest Live Vulnerability Repository
• Daily updates of ~3000 new hits per day
63
Diggity Alerts
One Feed to Rule Them All
ADVANCED DEFENSE TOOLS
Diggity Alert Fundle Bundle
64
FUNdle Bundle
ADVANCED DEFENSES
65
FUNdle Bundle
ADVANCED DEFENSES
66
FUNdle Bundle
MOBILE FRIENDLY
67
ADVANCED DEFENSE TOOLS
SHODAN Alerts
68
SHODAN Alerts
FINDING SCADA SYSTEMS
69
SHODAN Alerts
SHODAN RSS FEEDS
70
Bing/Google Alerts
THICK CLIENTS TOOLS
Google/Bing Hacking Alert Thick Clients
• Google/Bing Alerts RSS feeds as input
• Allow user to set one or more filters
• e.g. “yourcompany.com” in the URL
• Several thick clients being released:
• Windows Systray App
• Droid app (coming soon)
• iPhone app
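The filter step described above, as an added example that is not the code of Alert Diggity or iDiggity Alerts: it reads an RSS 2.0 alert feed and keeps only new items whose link host belongs to one of your domains. The feed, its titles and URLs are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

def host_matches(url, domain):
    """Match on the parsed host, not on a substring of the URL."""
    host = (urlparse(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)

def filter_alerts(rss_text, domains, seen=None):
    """Return new feed items whose link points at one of our domains."""
    # Feeds are untrusted input: refuse DTDs and entity declarations outright.
    if "<!DOCTYPE" in rss_text or "<!ENTITY" in rss_text:
        raise ValueError("feed contains a DTD; refusing to parse")
    seen = set() if seen is None else seen
    hits = []
    for item in ET.fromstring(rss_text).iter("item"):
        link = (item.findtext("link") or "").strip()
        title = (item.findtext("title") or "").strip()
        if link and link not in seen and any(host_matches(link, d) for d in domains):
            seen.add(link)            # remember it so the next poll stays quiet
            hits.append({"title": title, "link": link})
    return hits

# Constructed feed: one real hit, one unrelated site, one look-alike host,
# one URL that only mentions the domain in its query string, one duplicate.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed alert feed</title>
<item><title>Sensitive directory</title><link>https://files.yourcompany.com/backup/</link></item>
<item><title>Login portal</title><link>http://other.example/admin/</link></item>
<item><title>Config file</title><link>http://yourcompany.com.mirror.test/app.cfg</link></item>
<item><title>Error message</title><link>https://news.example/?ref=yourcompany.com</link></item>
<item><title>Sensitive directory</title><link>https://files.yourcompany.com/backup/</link></item>
</channel></rss>"""

if __name__ == "__main__":
    for hit in filter_alerts(SAMPLE_FEED, ["yourcompany.com"]):
        print(hit["title"], hit["link"])
```

A plain substring test for “yourcompany.com” in the URL would also fire on the look-alike host and on the query-string mention, so the filter compares the parsed host name instead.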
71
ADVANCED DEFENSE TOOLS
Alert Diggity
72
Alerts Diggity
ADVANCED DEFENSES
73
iDiggity Alerts
ADVANCED DEFENSE TOOLS
iDiggity Alerts
74
iDiggity Alerts
ADVANCED DEFENSES
75
iDiggity Alerts
ADVANCED DEFENSES
76
New Defenses
“GOOGLE/BING HACK ALERTS”
Tools exist
Convenient
Real-time updates
Multi-engine results
Historical archived data
Multi-domain searching
77
Future Direction
IS NOW
78
Diggity Alert DB
DATA MINING VULNS
Diggity Alerts Database
79
Questions?
Ask us something
We’ll try to answer it.
For more info:
Email: [email protected]
Project: [email protected]
Stach & Liu, LLC
www.stachliu.com
Thank You
Stach & Liu Google Hacking Diggity Project info:
http://www.stachliu.com/index.php/resources/tools/google-hacking-diggity-project/
81