121 Document Grinding and Database Digging Solutions in this chapter: ■ Configuration Files ■ Log Files ■ Office Documents ■ Database Information ■ Automated Grinding ■ Google Desktop ■ Links to Sites Chapter 4  Summary  Solutions Fast Track  Frequently Asked Questions 452_Google_2e_04.qxd 10/5/07 12:42 PM Page 121 Introduction There’s no shortage of documents on the Internet. Good guys and bad guys alike can use information found in documents to achieve their distinct purposes. In this chapter we take a look at ways you can use Google to not only locate these documents but to search within these documents to locate information.There are so many different types of documents and we can’t cover them all, but we’ll look at the documents in distinct categories based on their function. Specifically, we’ll take a look at configuration files, log files, and office documents. Once we’ve looked at distinct file types, we’ll delve into the realm of database digging. We won’t examine the details of the Structured Query Language (SQL) or database architecture and interaction; rather, we’ll look at the many ways Google hackers can locate and abuse database systems armed with nothing more than a search engine. One important thing to remember about document digging is that Google will only search the rendered, or visible, view of a document. For example, consider a Microsoft Word document.This type of document can contain metadata, as shown in Figure 4.1.These fields include such things as the subject, author, manager, company, and much more. Google will not search these fields. If you’re interested in getting to the metadata within a file, you’ll have to download the actual file and check the metadata yourself, as discussed in Chapter 5. Figure 4.1 Microsoft Word Metadata 122 Chapter 4 • Document Grinding and Database Digging 452_Google_2e_04.qxd 10/5/07 12:42 PM Page 122 Configuration Files Configuration files store program settings.An attacker (or “security specialist”) can use these files to glean insight into the way a program is used and perhaps, by extension, into how the system or network it’s on is used or configured. As we’ve seen in previous chapters, even the smallest tidbit of information can be of interest to a skilled attacker. Consider the file shown in Figure 4.2.This file, found with a query such as filetype:ini inurl:ws_ftp, is a configuration file used by the WS_FTP client program. When the WS_FTP program is downloaded and installed, the configuration file contains nothing more than a list of popular, public Internet FTP servers. However, over time, this configuration file can be automatically updated to include the name, directory, username, and password of FTP servers the user connects to.Although the password is encoded when it is stored, some free pro- grams can crack these passwords with relative ease. Figure 4.2 The WS_FTP.INI File Contains Hosts, Usernames, and Passwords Document Grinding and Database Digging • Chapter 4 123 452_Google_2e_04.qxd 10/5/07 12:42 PM Page 123 Underground Googling Locating Files To locate files, it’s best to try different types of queries. For example, intitle:index.of ws_ftp.ini will return results, but so will filetype:ini inurl:ws_ftp.ini. The inurl search, however, is often the better choice. First, the filetype search allows you to browse right to a cached version of the page. Second, the directory listings found by the index.of search might allow you to view a list of files but not allow you access to the actual file. Third, directory listings are not overly common. The filetype search will locate your file no matter how Google found it. Regardless of the type of data in a configuration file, sometimes the mere existence of a configuration file is significant. If a configuration file is located on a server, there’s a chance that the accompanying program is installed somewhere on that server or on neighboring machines on the network. Although this might not seem like a big deal in the case of FTP client software, consider a search like filetype:conf inurl:firewall, which can locate generic fire- wall configuration files.This example demonstrates one of the most generic naming conven- tions for a configuration file, the use of the conf file extension. Other generic naming conventions can be combined to locate other equally common naming conventions. One of the most common base searches for locating configuration files is simply (inurl:conf OR inurl:config OR inurl:cfg), which incorporates the three most common configuration file pre- fixes.You may also opt to use the filetype operator. If an attacker knows the name of a configuration file as it shipped from the software author or vendor, he can simply create a search targeting that filename using the filetype and inurl operators. However, most programs allow you to reference a configuration file of any name, making a Google search slightly more difficult. In these cases, it helps to get an idea of the contents of the configuration file, which could be used to extract unique strings for use in an effective base search. Sometimes, combining a generic base search with the name (or acronym) of a software product can have satisfactory results, as a search for (inurl:conf OR inurl:config OR inurl:cfg) MRTG shows in Figure 4.3. 124 Chapter 4 • Document Grinding and Database Digging 452_Google_2e_04.qxd 10/5/07 12:42 PM Page 124 Figure 4.3 Generic Configuration File Searching Although this first search is not far off the mark, it’s fairly common for even the best config file search to return page after page of sample or example files, like the sample MRTG configuration file shown in Figure 4.4. Figure 4.4 Sample Config Files Need Filtering Document Grinding and Database Digging • Chapter 4 125 452_Google_2e_04.qxd 10/5/07 12:42 PM Page 125 This brings us back, once again, to perhaps the most valuable weapon in a Google hacker’s arsenal: effective search reduction. Here’s a list of the most common points a Google hacker considers when trolling for configuration files: ■ Create a strong base search using unique words or phrases from live files. ■ Filter out the words sample, example, test, howto, and tutorial to narrow the obvious example files. ■ Filter out CVS repositories, which often house default config files, with –cvs. ■ Filter out manpage or Manual if you’re searching for a UNIX program’s configura- tion file. ■ Locate the one most commonly changed field in a sample configuration file and perform a negative search on that field, reducing potentially “lame” or sample files. To illustrate these points, consider the search filetype:cfg mrtg “target[*]” -sample -cvs –example, which locates potentially live MRTG files.As shown in Figure 4.5, this query uses a unique string “target[*]” (which is a bit ubiquitous to Google, but still a decent place to start) and removes potential example and CVS files, returning decent results. Figure 4.5 A Common Search Reduction Technique Some of the results shown in Figure 4.5 might not be real, live MRTG configuration files, but they all have potential, with the exception of the first hit, located in “/Squid-Book.” 126 Chapter 4 • Document Grinding and Database Digging 452_Google_2e_04.qxd 10/5/07 12:42 PM Page 126 There’s a good chance that this is a sample file, but because of the reduction techniques we’ve used, the other results are potentially live, production MRTG configuration files. Table 4.1 lists a collection of searches that locate various configuration files.These entries were gathered by the many contributors to the GHDB.This list highlights the var- ious methods that can be used to target configuration files.You’ll see examples of CVS reduction, sample reduction, unique word and phrase isolation, and more. Most of these queries took imagination on the part of the creator and in many cases took several rounds of reduction by several searchers to get to the query you see here. Learn from these queries, and try them out for yourself. It might be helpful to remove some of the qualifiers, such as –cvs or –sample, where applicable, to get an idea of what the “messy” version of the search might look like. Table 4.1 Configuration File Search Examples Description Query PHP configuration file intitle:index.of config.php PHP configuration file inurl:config.php dbuname dbpass CGIIRC configuration file intitle:index.of cgiirc.config CGIIRG configuration file inurl:cgiirc.config IPSEC configuration file inurl:ipsec.conf -intitle:manpage ws_ftp configuration file intitle:index.of ws_ftp.ini eggdrop configuration file eggdrop filetype:user user samba configuration file inurl:”smb.conf” intext:”workgroup” filetype:conf firewall configuration file filetype:conf inurl:firewall -intitle:cvs vtunnelD configuration file inurl:vtund.conf intext:pass -cvs OpenLDAP configuration file filetype:conf slapd.conf PHP configuration file inurl:php.ini filetype:ini FTP configuration file filetype:conf inurl:proftpd.conf -sample WV Dial configuration file inurl:”wvdial.conf” intext:”password” OpenLDAP configuration file inurl:”slapd.conf” intext:”credentials” - manpage -”Manual Page” -man: - sample OpenLDAP configuration file inurl:”slapd.conf” intext:”rootpw” - manpage -”Manual Page” -man: - sample WS_FTP configuration file filetype:ini ws_ftp pwd Document Grinding and Database Digging • Chapter 4 127 Continued 452_Google_2e_04.qxd 10/5/07 12:42 PM Page 127 Table 4.1 continued Configuration File Search Examples Description Query MRTG configuration file filetype:cfg mrtg “target[*]” -sample - cvs -example WRQ Reflection configuration file filetype:r2w r2w Prestige router configuration file “Welcome to the Prestige Web-Based Configurator” GNU Zebra configuration file inurl:zebra.conf intext:password -sample -test -tutorial -download GNU Zebra configuration file inurl:ospfd.conf intext:password -sample -test -tutorial -download YAST configuration file filetype:cfg ks intext:rootpw -sample - test -howto Netscape server configuration file allinurl:”.nsconfig” -sample -howto - tutorial UnrealIRCd configuration file filetype:conf inurl:unrealircd.conf -cvs - gentoo psyBNC configuration file filetype:conf inurl:psybnc.conf “USER.PASS=” SSL configuration file inurl:ssl.conf filetype:conf LILO configuration file inurl:lilo.conf filetype:conf password - tatercounter2000 -bootpwd -man MySQL configuration file filetype:cnf my.cnf -cvs -example oracle client configuration file filetype:ora ora Mandrake configuration file filetype:cfg auto_inst.cfg Oekakibss configuration file filetype:conf oekakibbs LeapFTP client configuration file LeapFTP intitle:”index.of./” sites.ini modified a .Net Web Application filetype:config config intext:appSettings configuration file “User ID” WS_FTP configuration file “index of/” “ws_ftp.ini” “parent directory” ODBC client configuration files inurl:odbc.ini ext:ini -cvs FlashFXP configuration file filetype:ini inurl:flashFXP.ini Generic configuration file ext:ini intext:env.ini Certificate Services configuration file filetype:inf inurl:capolicy.inf NoCatAuth configuration file ext:conf NoCatAuth -cvs 128 Chapter 4 • Document Grinding and Database Digging Continued 452_Google_2e_04.qxd 10/5/07 12:42 PM Page 128 Table 4.1 continued Configuration File Search Examples Description Query Putty saved session data inurl:”putty.reg” Icecast configuration file “liveice configuration file” ext:cfg - site:sourceforge.net SoftCart configuration file intitle:Configuration.File inurl:softcart.exe Cisco configuration data intext:”enable secret 5 $” IIS Web.config file filetype:config web.config -CVS VMWare configuration files ext:vmx vmx Radiator Radius configuration file ext:cfg radius.cfg Rsync configuration file ext:conf inurl:rsyncd.conf -cvs -man Eudora configuration file ext:ini eudora.ini emule configuration file inurl:preferences.ini “[emule]” abyss webserver configuration file intitle:index.of abyss.conf Frontpage Extensions for Unix filetype:cnf inurl:_vti_pvt access.cnf configuration file Shoutcast configuration file intitle:”Index of” sc_serv.conf sc_serv content HP Ethernet switch configuration file intitle:”DEFAULT_CONFIG - HP” Oracle configuration files filetype:ora tnsnames Counterstrike configuration file inurl:server.cfg rcon password Steam configuration file intext:”SteamUserPassphrase=” intext:”SteamAppUser=” -”username” - ”user” CGI Calendar configuration file inurl:cgi-bin inurl:calendar.cfg Cisco configuration file intext:”enable password 7” YABB Forum administration file inurl:/yabb/Members/Admin.dat FlashFXP site data file inurl:”Sites.dat”+”PASS=” Ruby on Rails database connector file ext:yml database inurl:config Cisco configuration file enable password | secret “current con- figuration” -intext:the Generic configuration file intitle:index.of.config Document Grinding and Database Digging • Chapter 4 129 452_Google_2e_04.qxd 10/5/07 12:42 PM Page 129 Log Files Log files record information. Depending on the application, the information recorded in a log file can include anything from timestamps and IP addresses to usernames and pass- words—even incredibly sensitive data such as credit card numbers! Like configuration files, log files often have a default name that can be used as part of a base search.The most common file extension for a log file is simply log, making the sim- plest base search for log files simply filetype:log inurl:log or the even simpler ext:log log. Remember that the ext (filetype) operator requires at least one search argument. Log file searches seem to return fewer samples and example files than configuration file searches, but search reduction is still required in some cases. Refer to the rules for configuration file reduction listed previously. Table 4.2 lists a collection of log file searches collected from the GHDB.These searches show the various techniques that are employed by Google hackers and serve as an excellent learning tool for constructing your own searches during a penetration test. Table 4.2 Log File Search Examples Query Description “ZoneAlarm Logging Client” ZoneAlarm log files “admin account info” filetype:log Admin logs “apricot - admin” 00h Apricot logs “by Reimar Hoven. All Rights PHP Web Statistik logs Reserved. Disclaimer” | inurl: ”log/logdb.dta” “generated by wwwstat” www statistics “Index of” / “chat/logs” Chat logs “MacHTTP” filetype:log MacHTTP inurl:machttp.log “Most Submitted Forms and Scripts” www statistics “this section” “sets mode: +k” IRC logs, channel key set “sets mode: +p” IRC chat logs “sets mode: +s” IRC logs, secret channel set “The statistics were last updated” Network activity logs “Daily”-microsoft.com “This report was generated by weblog-generated statistics WebLog” “your password is” filetype:log Password logs 130 Chapter 4 • Document Grinding and Database Digging Continued 452_Google_2e_04.qxd 10/5/07 12:42 PM Page 130 . intext:password -sample -test -tutorial -download GNU Zebra configuration file inurl:ospfd.conf intext:password -sample -test -tutorial -download YAST configuration file filetype:cfg ks intext:rootpw -sample - test. inurl:”slapd.conf” intext:”rootpw” - manpage - Manual Page” -man: - sample WS_FTP configuration file filetype:ini ws_ftp pwd Document Grinding and Database Digging • Chapter 4 127 Continued 452 _Google_ 2e_04.qxd 10/5/07. intext:rootpw -sample - test -howto Netscape server configuration file allinurl:”.nsconfig” -sample -howto - tutorial UnrealIRCd configuration file filetype:conf inurl:unrealircd.conf -cvs - gentoo psyBNC configuration