Table 4.2 Log File Search Examples Query Description QueryProgram “ZoneAlarm ZoneAlarm log files Logging Client” +htpasswd WS_FTP.LOG filetype:log WS_FTP client log files +intext:”webalizer” +intext: Webalizer statistics ”Total Usernames” +intext:”Usage Statistics for” ext:log “Software: Microsoft IIS server log files Internet Information Services *.*” ext:log password END_FILE Java password files filetype:cfg login “LoginServer=” Ultima Online log files filetype:log “PHP Parse error” | PHP error logs “PHP Warning” | “ filetype:log “See `ipsec —copyright” BARF log files filetype:log access.log –CVS HTTPD server access logs filetype:log cron.log UNIX cron logs filetype:log hijackthis “scan saved” Hijackthis scan log filetype:log inurl:”password.log” Password logs filetype:log inurl:access.log TCP_HIT Squid access log filetype:log inurl:cache.log Squid cache log filetype:log inurl:store.log RELEASE Squid disk store log filetype:log inurl:useragent.log Squid useragent log filetype:log iserror.log MS Install Shield logs filetype:log iserror.log MS Install Shield logs filetype:log iserror.log MS Install Shield logs filetype:log username putty Putty SSH client logs filetype:log username putty Putty SSH client logs intext:”Session Start ****:*:**” IRC/AIM log files filetype:log intitle:”HostMonitor log” | intitle: HostMonitor ”HostMonitor report” intitle:”Index Of” -inurl:maillog Mail log files maillog size intitle:”LOGREP - Log file Logrep reporting system” -site:itefix.no Document Grinding and Database Digging • Chapter 4 131 Continued 452_Google_2e_04.qxd 10/5/07 12:42 PM Page 131 Table 4.2 Log File Search Examples Query Description intitle:index.of .bash_history UNIX bash shell history file intitle:index.of .sh_history UNIX shell history file intitle:index.of cleanup.log Outlook Express cleanup logs inurl:access.log filetype:log –cvs Apache access log (Windows) inurl:error.log filetype:log -cvs Apache error log inurl:log.nsf -gov Lotus Domino log inurl:linklint filetype:txt Linklint logs -”checking” Squid cache server reports squid server cache reports Log files reveal various types of information, as shown in the search for filetype:log user- name putty in Figure 4.6.This log file lists machine names and associated usernames that could be reused in an attack against the machine. Figure 4.6 Putty Log Files Reveal Sensitive Data 132 Chapter 4 • Document Grinding and Database Digging 452_Google_2e_04.qxd 10/5/07 12:42 PM Page 132 Office Documents The term office document generally refers to documents created by word processing software, spreadsheet software, and lightweight database programs. Common word processing software includes Microsoft Word, Corel WordPerfect, MacWrite, and Adobe Acrobat. Common spreadsheet programs include Microsoft Excel, Lotus 1-2-3, and Linux’s Gnumeric. Other documents that are generally lumped together under the office document category include Microsoft PowerPoint, Microsoft Works, and Microsoft Access documents.Table 4.3 lists some of the more common office document file types, organized roughly by their Internet popularity (based on number of Google hits). Table 4.3 Popular Office Document File Types File Type Extension Adobe Portable Document Format Pdf Adobe PostScript Ps Lotus 1-2-3 wk1, wk2, wk3, wk4, wk5, wki, wks, wku Lotus WordPro Lwp MacWrite Mw Microsoft Excel Xls Microsoft PowerPoint Ppt Microsoft Word Doc Microsoft Works wks, wps, wdb Microsoft Write Wri Rich Text Format Rtf Shockwave Flash Swf Text ans, txt In many cases, simply searching for these files with filetype is pointless without an addi- tional specific search. Google hackers have successfully uncovered all sorts of interesting files by simply throwing search terms such as private or password or admin onto the tail end of a filetype search. However, simple base searches such as (inurl:xls OR inurl:doc OR inurl:mdb) can be used as a broad search across many file types. Table 4.4 lists some searches from the GHDB that specifically target office documents. This list shows quite a few specific techniques that we can learn from. Some searches, such as filetype:xls inurl:password.xls, focus on a file with a specific name.The password.xls file does not necessarily belong to any specific software package, but it sounds interesting simply because of the name. Other searches, such as filetype:xls username password email, shift the focus from the file’s name to its contents.The reasoning here is that if an Excel spreadsheet Document Grinding and Database Digging • Chapter 4 133 452_Google_2e_04.qxd 10/5/07 12:42 PM Page 133 contains the words username password and e-mail, there’s a good chance the spreadsheet con- tains sensitive data such as passwords.The heart and soul of a good Google search involves refining a generic search to uncover something extremely relevant. Google’s ability to search inside different types of documents is an extremely powerful tool in the hands of an advanced Google user. Table 4.4 Sample Queries That Locate Potentially Sensitive Office Documents Query Potential Exposure filetype:xls username Passwords password email filetype:xls inurl:”password.xls” Passwords filetype:xls private Private data (use as base search) Inurl:admin filetype:xls Administrative data filetype:xls inurl:contact Contact information, e-mail addresses filetype:xls inurl:”email.xls” E-mail addresses, names allinurl: admin mdb Administrative database filetype:mdb inurl:users.mdb User lists, e-mail addresses Inurl:email filetype:mdb User lists, e-mail addresses Data filetype:mdb Various data (use as base search) Inurl:backup filetype:mdb Backup databases Inurl:profiles filetype:mdb User profiles Inurl:*db filetype:mdb Various data (use as base search) Database Digging There has been intense focus recently on the security of Web-based database applications, specifically the front-end software that interfaces with a database. Within the security com- munity, talk of SQL injection has all but replaced talk of the once-common CGI vulnera- bility, indicating that databases have arguably become a greater target than the underlying operating system or Web server software. An attacker will not generally use Google to break into a database or muck with a database front-end application; rather, Google hackers troll the Internet looking for bits and pieces of database information leaked from potentially vulnerable servers.These bits and pieces of information can be used to first select a target and then to mount a more educated attack (as opposed to a ground-zero blind attack) against the target. Bearing this in mind, understand that here we do not discuss the actual mechanics of the attack itself, but rather 134 Chapter 4 • Document Grinding and Database Digging 452_Google_2e_04.qxd 10/5/07 12:42 PM Page 134 the surprisingly invasive information-gathering phase an accomplished Google hacker will employ prior to attacking a target. Login Portals As we discussed in Chapter 8, a login portal is the “front door” of a Web-based application. Proudly displaying a username and password dialog, login portals generally bear the scrutiny of most Web attackers simply because they are the one part of an application that is most carefully secured.There are obvious exceptions to this rule, but as an analogy, if you’re going to secure your home, aren’t you going to first make sure your front door is secure? A typical database login portal is shown in Figure 4.7.This login page announces not only the existence of an SQL Server but also the Microsoft Web Data Administrator soft- ware package. Figure 4.7 A Typical Database Login Portal Regardless of its relative strength, the mere existence of a login portal provides a glimpse into the type of software and hardware that might be employed at a target. Put simply, a login portal is terrific for footprinting. In extreme cases, an unsecured login portal serves as a welcome mat for an attacker.To this end, let’s look at some queries that an attacker might use to locate database front ends on the Internet.Table 4.5 lists queries that locate database front ends or interfaces. Most entries are pulled from the GHDB. Document Grinding and Database Digging • Chapter 4 135 452_Google_2e_04.qxd 10/5/07 12:42 PM Page 135 Table 4.5 Queries That Locate Database Interfaces Query Database Utility allinurl: admin mdb Administrative database Inurl:backup filetype:mdb Backup databases “ClearQuest Web Logon” ClearQuest (CQWEB) inurl:/admin/login.asp Common login page inurl:login.asp Common login page filetype:fp5 fp5 -”cvs log” FileMaker Pro filetype:fp3 fp3 FileMaker Pro filetype:fp7 fp7 FileMaker Pro “Select a database to view” intitle: FileMaker Pro ”filemaker pro” “Welcome to YourCo Financial” IBM Websphere “(C) Copyright IBM” “Welcome IBM Websphere to Websphere” inurl:names.nsf?opendatabase Lotus Domino inurl:”/catalog.nsf” intitle:catalog Lotus Domino intitle:”messaging login” Lotus Messaging “© Copyright IBM” intitle:”Web Data Administrator MS SQL login - Login” intitle:”Gateway Configuration Oracle Menu” inurl:/pls/sample/admin_/help/ Oracle default manuals inurl:1810 “Oracle Enterprise Oracle Enterprise Manager Manager” inurl:admin_/globalsettings.htm Oracle HTTP Listener intitle:”oracle http server index” Oracle HTTP Server “Copyright * Oracle Corporation.” inurl:pls/admin_/gateway.htm Oracle login portal inurl:orasso.wwsso_app_ Oracle Single Sign-On admin.ls_login “phpMyAdmin” “running on” phpMyAdmin inurl:”main.php” “Welcome to phpMyAdmin” phpMyAdmin “ Create new database” 136 Chapter 4 • Document Grinding and Database Digging Continued 452_Google_2e_04.qxd 10/5/07 12:42 PM Page 136 Table 4.5 continued Queries That Locate Database Interfaces Query Database Utility intitle:”index of /phpmyadmin” phpMyAdmin modified intitle:phpMyAdmin “Welcome to phpMyAdmin phpMyAdmin ***” “running on * as root@*” inurl:main.php phpMyAdmin phpMyAdmin intitle:”phpPgAdmin - Login” phpPgAdmin (PostgreSQL) Admin tool Language intext:SQLiteManager inurl:main.php SQLite Manager Data filetype:mdb Various data (use as base search) Underground Googling Login Portals One way to locate login portals is to focus on the word login. Another way is to focus on the copyright at the bottom of a page. Most big-name portals put a copyright notice at the bottom of the page. Combine this with the product name, and a wel- come or two, and you’re off to a good start. If you run out of ideas for new databases to try, go to http://labs.google.com/sets, enter oracle and mysql, and click Large Set for a list of databases. Support Files Another way an attacker can locate or gather information about a database is by querying for support files that are installed with, accompany, or are created by the database software. These can include configuration files, debugging scripts, and even sample database files.Table 4.6 lists some searches that locate specific support files that are included with or are created by popular database clients and servers. Document Grinding and Database Digging • Chapter 4 137 452_Google_2e_04.qxd 10/5/07 12:42 PM Page 137 Table 4.6 Queries That Locate Database Support Files Query Description inurl:default_content.asp ClearQuest ClearQuest Web help files intitle:”index of” intext:globals.inc MySQL globals.inc file, lists connection and credential information filetype:inc intext:mysql_connect PHP MySQL Connect file, lists connection and credential information filetype:inc dbconn Database connection file, lists connection and credential information intitle:”index of” intext:connect.inc MySQL connection file, lists connection and credential information filetype:properties inurl:db db.properties file, lists connection intext:password information intitle:”index of” mysql.conf OR MySQL configuration file, lists port number, mysql_config version number, and path information to MySQL server inurl:php.ini filetype:ini PHP.INI file, lists connection and credential information filetype:ldb admin Microsoft Access lock files, list database and username inurl:config.php dbuname dbpass The old config.php script, lists user and password information intitle:index.of config.php The config.php script, lists user and pass- word information “phpinfo.php” -manual The output from phpinfo.php, lists a great deal of information intitle:”index of” +myd size The MySQL data directory filetype:cnf my.cnf -cvs -example The MySQL my.cnf file, can list information, ranging from paths and database names to passwords and usernames filetype:ora ora ORA configuration files, list Oracle database information filetype:pass pass intext:userid dbman files, list encoded passwords filetype:pdb pdb backup (Pilot | Palm database files, can list all sorts of Pluckerdb) personal information As an example of a support file, PHP scripts using the mysql_connect function reveal machine names, usernames, and cleartext passwords, as shown in Figure 4.8. Strictly 138 Chapter 4 • Document Grinding and Database Digging 452_Google_2e_04.qxd 10/5/07 12:42 PM Page 138 speaking, this file contains PHP code, but the INC extension makes it an include file. It’s the content of this file that is of interest to a Google hacker. Figure 4.8 PHP Files Can Reveal Machine Names, Usernames, and Passwords Error Messages As we’ve discussed throughout this book, error messages can be used for all sorts of profiling and information-gathering purposes. Error messages also play a key role in the detection and profiling of database systems. As is the case with most error messages, database error messages can also be used to profile the operating system and Web server version. Conversely, oper- ating system and Web server error messages can be used to profile and detect database servers.Table 4.7 shows queries that leverage database error messages. Table 4.7 Queries That Locate Database Error Messages Description Query .NET error message reveals data “ASP.NET_SessionId” “data source=” sources, and even authentication credentials 500 “Internal Server Error” reveals “Internal Server Error” “server at” the server administrator’s email address, and Apache server banners Document Grinding and Database Digging • Chapter 4 139 Continued 452_Google_2e_04.qxd 10/5/07 12:42 PM Page 139 Table 4.7 continued Queries That Locate Database Error Messages Description Query 500 “Internal Server Error” reveals intitle:”500 Internal Server Error” “server the type of web server running on at” the site, and has the ability to show other information depending on how the message is internally formatted ASP error message reveals compiler filetype:asp “Custom Error Message” used, language used, line numbers, Category Source program names and partial source code Access error message can reveal “Syntax error in query expression “ -the path names, function names, filenames and partial code Apache Tomcat Error messages can intitle:”Apache Tomcat” “Error Report” reveal various kinds information depending on the type of error CGI error messages may reveal intext:”Error Message : Error loading partial code listings, PERL version, required libraries.” detailed server information, usernames, setup file names, form and query information, port and path information, and more Chatologica MetaSearch error “Chatologica MetaSearch” “stack tracking:” reveals Apache version, CGI environment vars, path names, stack dumps, process ID’s, PERL version, and more Cocoon XML reveals library “error found handling the request” cocoon functions, cocoon version number, filetype:xml and full and/or relative path names Cold fusion error messages trigger intitle:”Error Occurred While Processing on SQL SELECT or INSERT statements Request” +WHERE (SELECT|INSERT) which could help locate SQL filetype:cfm injection points. ColdFusion error message can intitle:”Error Occurred” “The error occurred reveal partial source code, full in” filetype:cfm pathnames, SQL query info, database name, SQL state info and local time info 140 Chapter 4 • Document Grinding and Database Digging Continued 452_Google_2e_04.qxd 10/5/07 12:42 PM Page 140 . front-end application; rather, Google hackers troll the Internet looking for bits and pieces of database information leaked from potentially vulnerable servers.These bits and pieces of information. and password information intitle:index.of config.php The config.php script, lists user and pass- word information “phpinfo.php” -manual The output from phpinfo.php, lists a great deal of information intitle:”index. Write Wri Rich Text Format Rtf Shockwave Flash Swf Text ans, txt In many cases, simply searching for these files with filetype is pointless without an addi- tional specific search. Google hackers have