June 04, 2003

The Power of Google: A Hacker's Best Friend

Google is my favorite search engine. Its internal API has so many options it's just nuts. Of course, we rarely use its real power, mostly because we are oblivious to it.

This morning I read a really good article on using Google to probe for, and gain access to, files that were never meant to be public. Want to find all the Excel files that may be private and were put up on the wrong server by some sloppy sales guy? Try:

filetype:xls inurl:sales

Now comb through it. I found a couple of interesting spreadsheets that shouldn't be online.

Here is a thought that wasn't mentioned in the article, but has a SERIOUS impact on anyone who configures Movable Type incorrectly. If you were to do:

inurl:mt.cgi

every so often you will be bound to find someone who has installed it but not yet configured it, giving you the ability to take over the site by using the default username of 'Melody' and the default password of 'Nelson'. More to the point, you could use a specially crafted URL with that user/pass combo and the info from Google, and automate the whole thing.

I will leave the actual code to the imagination of the user, but I 'theoretically' got this down in a short Perl script. It can extract the list from Google, iterate through it and query every site with Movable Type. Most mt.cgi entries on Google actually come from usage stats, thanks to Webalizer. You can typically ignore these sites, because if they made it onto the usage stats, chances are it's in use. Want an example? Wanna know where Arc logs in to Movable Type for ufies.org?

site:ufies.org inurl:mt.cgi

It's right there for the picking.

To be honest, this is kinda lame, because we all know that mt.cgi will be around that location. But let's look at other implications. Bugtraq comes out with at least one new vulnerable PHP script weekly. It would be nothing to put:

inurl:lame_php_script.php

and go to town exploiting the thing. Wanna hack a particular website? Use a Perl script to iterate through a file of common vulnerable strings (which you could steal from Nessus or Snort), combine it with the inurl and site directives, and go to town. I will leave it to the reader's imagination just how far this can go.
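The two scenarios above (a search-engine visitor landing straight on mt.cgi or a stray spreadsheet, and a script walking a list of search results and hitting every site on it) leave a recognisable trace in the server's own access log. The following Python script is an example added here, not code from the original post or from Movable Type, showing the defender's side: it scans combined-format access log lines for hits on sensitive paths that carry a search-engine Referer (the resource is indexed and being found) or that arrive with no Referer from a client not identifying as a browser (the scripted sweep). The log lines, IP addresses, the sensitive-path pattern and the search-engine host/parameter list are all constructed assumptions for the example.

```python
import re
from urllib.parse import parse_qs, urlparse

# Paths that an ordinary visitor has no reason to reach straight from a search
# results page: the Movable Type login script named in the post and spreadsheet
# files. Extend the pattern with whatever else you would not want indexed.
SENSITIVE_PATH = re.compile(r"(?:/mt\.cgi|\.xls)$", re.IGNORECASE)

# Search-engine hosts whose results pages show up as a Referer; the query
# parameter is q= for Google and Bing, p= for Yahoo (assumption for this example).
SEARCH_ENGINE_HOSTS = ("google.", "bing.", "yahoo.")
QUERY_PARAMS = ("q", "p")

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log: two search-engine referrals to sensitive paths, one
# scripted direct hit on mt.cgi, one harmless referral, one normal admin login.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Jun/2003:08:42:01 -0700] "GET /mt/mt.cgi HTTP/1.1" 200 5120 "http://www.google.com/search?q=inurl%3Amt.cgi" "Mozilla/5.0"
198.51.100.9 - - [04/Jun/2003:08:43:12 -0700] "GET /reports/q2_sales.xls HTTP/1.1" 200 40960 "http://www.google.com/search?q=filetype%3Axls+inurl%3Asales" "Mozilla/5.0"
192.0.2.77 - - [04/Jun/2003:08:44:30 -0700] "GET /mt/mt.cgi HTTP/1.0" 200 5120 "-" "libwww-perl/5.69"
192.0.2.10 - - [04/Jun/2003:08:45:02 -0700] "GET /index.html HTTP/1.1" 200 2048 "http://www.google.com/search?q=ufies+blog" "Mozilla/5.0"
192.0.2.11 - - [04/Jun/2003:08:46:00 -0700] "GET /mt/mt.cgi HTTP/1.1" 200 5120 "http://www.example.org/mt/" "Mozilla/5.0"
"""


def search_query_from_referer(referer):
    """Return the search terms if the Referer is a search-engine results page, else None."""
    if not referer or referer == "-":
        return None
    parts = urlparse(referer)
    if not any(host in parts.netloc for host in SEARCH_ENGINE_HOSTS):
        return None
    params = parse_qs(parts.query)  # decodes %3A and '+' for us
    for key in QUERY_PARAMS:
        if key in params:
            return params[key][0]
    return None


def find_exposures(log_text):
    """Scan combined-format log lines and flag suspicious hits on sensitive paths.

    A hit is flagged when the visitor arrived from a search results page, or when
    it came with no Referer from a client that does not identify as a browser.
    Returns one dict per flagged request, in log order.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        rec = m.groupdict()
        if not SENSITIVE_PATH.search(urlparse(rec["path"]).path):
            continue  # query string stripped before matching the path
        query = search_query_from_referer(rec["referer"])
        if query is not None:
            findings.append({"ip": rec["ip"], "path": rec["path"],
                             "reason": "search-engine referral", "query": query})
        elif rec["referer"] in ("", "-") and not rec["ua"].startswith("Mozilla"):
            findings.append({"ip": rec["ip"], "path": rec["path"],
                             "reason": "scripted direct hit", "query": None})
    return findings


def indexed_paths(findings):
    """Paths a search engine is demonstrably serving: the ones to pull out of the index."""
    return sorted({f["path"] for f in findings if f["reason"] == "search-engine referral"})


if __name__ == "__main__":
    results = find_exposures(SAMPLE_LOG)
    for f in results:
        print(f"{f['ip']:<14} {f['reason']:<24} {f['path']}  {f['query'] or ''}")
    print("indexed sensitive paths:", indexed_paths(results))
```

Run against a real log, the search-engine referral finding is the one that matters: it tells you the search engine already has the resource, so removing it from robots.txt or the index is only half the fix; the path also needs access control (or the file needs to come off the server) before the next crawl. The scripted-hit rule is deliberately loose and will pick up monitoring tools too, so treat it as a lead, not an alert.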

Anyway, in case you didn't get it the first time, you really should read this article. A good read.

Posted by SilverStr at June 4, 2003 08:42 AM
Comments

What was your username again? clickety-click

Posted by: Arcterex at June 4, 2003 10:44 AM

It's r-a-s-k-a-l.

Posted by: SilverStr at June 4, 2003 11:16 AM

oh tee hee hee.

Posted by: raskal at June 4, 2003 11:54 AM

This actually helped in a non-hacky way today, as I searched for hiking maps & trail guides for Banff... ;)

Posted by: darren at June 5, 2003 03:11 PM

Hey kewl. Enjoy Banff. It's awesome up there. I used to mountain bike Kananaskis Country every weekend when I lived in Calgary. There were amazing trails up there.

Posted by: SilverStr at June 5, 2003 03:17 PM

Another twist on this might be to search Kazaa or WinMX for similar strings... and see how many idiots are publicly sharing C:\ or c:\my documents....

Posted by: Wim at June 5, 2003 04:57 PM

Hey, just remember: hacking is to cleverly solve some problem...cracking is to obtain files or access on a machine. Knowing how to use Google doesn't make you an 31337 h4x0r, I'm sorry to tell you.

Posted by: anon at June 9, 2003 11:15 AM

Yep. You're so right. But then we are really debating the idiocies of the WORDS hacker vs cracker.

The point is that there is a lot of power in Google's search API, and that we should look at it from time to time.

The weakest link is the human factor when it comes to security. Typically "people issues" are what cause so many insecurities on the WWW, as many people think it IS the Internet. And of course, this creates much higher risk. Google ends up being a good tool to expose a lot of this. (ie: A good use for ISP admins to check their domains that may be hosting things like MT)

Thanks for dropping by. Next time, why not post your info so I can check out your blog.

Posted by: SilverStr at June 9, 2003 02:05 PM