Google hacking for penetration tester - part 31 ppt


Using these subtle differences to our advantage, we can use specific Google queries to locate servers with these default pages, indicating that they are most likely running a specific version of Apache. Table 8.4 shows queries that can be used to locate specific families of Apache running default pages.

Table 8.4 Queries That Locate Default Apache Installations

Apache Server Version     Query
Apache 1.2.6              intitle:"Test Page for Apache Installation" "You are free"
Apache 1.3.0–1.3.9        intitle:"Test Page for Apache" "It worked!" "this Web site!"
Apache 1.3.11–1.3.31      intitle:Test.Page.for.Apache seeing.this.instead
Apache 2.0                intitle:Simple.page.for.Apache Apache.Hook.Functions
Apache SSL/TLS            intitle:test.page "Hey, it worked !" "SSL/TLS-aware"
Apache on Red Hat         "Test Page for the Apache Web Server on Red Hat Linux"
Apache on Fedora          intitle:"test page for the apache http server on fedora core"
Apache on Debian          intitle:"Welcome to Your New Home Page!" debian
Apache on other Linux     intitle:"Test Page **Apache Web Server on " -red.hat -fedora

IIS also displays a default Web page when first installed. A query such as intitle:"Welcome to IIS 4.0" can locate very specific versions of IIS, as shown in Figure 8.15.
Table 8.5 Queries That Locate Specific IIS Server Versions

IIS Server Version   Query
Many                 intitle:"welcome to" intitle:internet IIS
Unknown              intitle:"Under construction" "does not currently have"
IIS 4.0              intitle:"welcome to IIS 4.0"
IIS 4.0              allintitle:Welcome to Windows NT 4.0 Option Pack
IIS 4.0              allintitle:Welcome to Internet Information Server
IIS 5.0              allintitle:Welcome to Windows 2000 Internet Services
IIS 6.0              allintitle:Welcome to Windows XP Server Internet Services

Tracking Down Web Servers, Login Portals, and Network Hardware • Chapter 8 301 452_Google_2e_08.qxd 10/5/07 1:03 PM Page 301

Figure 8.15 Locating Default Installations of IIS 4.0 on Windows NT 4.0/OP

Although each version of IIS displays distinct default Web pages, in some cases service packs or hotfixes could alter the content of a default page. In these cases, the subtle page changes can be incorporated into the search to find not only the operating system version and Web server version, but also the service pack level and security patch level. This information is invaluable to an attacker bent on hacking not only the Web server, but hacking beyond the Web server and into the operating system itself. In most cases, an attacker with control of the operating system can wreak more havoc on a machine than a hacker who controls only the Web server.

Netscape servers can also be located with simple queries such as allintitle:Netscape Enterprise Server Home Page, as shown in Figure 8.16.

Figure 8.16 Locating Netscape Web Servers

Other Netscape servers can be found with simple allintitle searches, as shown in Table 8.6.
Table 8.6 Queries That Locate Netscape Servers

Netscape Server Type   Query
Enterprise Server      allintitle:Netscape Enterprise Server Home Page
FastTrack Server       allintitle:Netscape FastTrack Server Home Page

Many different types of Web server can be located by querying for default pages as well. Table 8.7 lists a sample of more esoteric Web servers that can be profiled with this technique.

Table 8.7 Queries That Locate More Esoteric Servers

Server/Version              Query
Cisco Micro Webserver 200   "micro webserver home page"
Generic Appliance           "default web page" congratulations "hosting appliance"
HP appliance sa1*           intitle:"default domain page" "congratulations" "hp web"
iPlanet/Many                intitle:"web server, enterprise edition"
Intel Netstructure          "congratulations on choosing" intel netstructure
JWS/1.0.3–2.0               allintitle:default home page java web server
J2EE/Many                   intitle:"default j2ee home page"
Jigsaw/2.2.3                intitle:"jigsaw overview" "this is your"
Jigsaw/Many                 intitle:"jigsaw overview"
KFSensor honeypot           "KF Web Server Home Page"
Kwiki                       "Congratulations! You've created a new Kwiki website."
Matrix Appliance            "Welcome to your domain web page" matrix
NetWare 6                   intitle:"welcome to netware 6"
Resin/Many                  allintitle:Resin Default Home Page
Resin/Enterprise            allintitle:Resin-Enterprise Default Home Page
Sambar Server               intitle:"sambar server" "1997 2004 Sambar"
Sun AnswerBook Server       inurl:"Answerbook2options"
TivoConnect Server          inurl:/TiVoConnect

Default Documentation

Web server software often ships with manuals and documentation that ends up in the Web directories. An attacker could use this documentation to either profile or locate Web software. For example, Apache Web servers ship with documentation in HTML format, as shown in Figure 8.17.
Figure 8.17 Apache Documentation Used for Profiling

In most cases, default documentation does not portray the server version as accurately as error messages or default pages do, but this information can certainly be used to locate targets and to gain an understanding of the potential security posture of the server. If the server administrator has forgotten to delete the default documentation, an attacker has every reason to believe that other details, such as security, have been overlooked as well. Other Web servers, such as IIS, ship with default documentation as well, as shown in Figure 8.18. In most cases, specialized programs such as CGI scanners or Web application assessment tools are better suited for finding these default pages and programs, but if Google has crawled the pages (from a link on a default main page, for example), you'll be able to locate these pages with Google queries. Some queries that can be used to locate default documentation are listed in Table 8.8.
Figure 8.18 IIS Server Profiled Via Default Manuals

Table 8.8 Queries That Locate Default Documentation

Server Version                               Query
Apache 1.3                                   intitle:"Apache 1.3 documentation"
Apache 2.0                                   intitle:"Apache 2.0 documentation"
Apache Various                               intitle:"Apache HTTP Server" intitle:"documentation"
ColdFusion                                   inurl:cfdocs
EAServer                                     intitle:"Easerver" "Easerver Version * Documents"
iPlanet Server 4.1/Enterprise Server 4.0     inurl:"/manual/servlets/" intitle:"programmer"
IIS/Various                                  inurl:iishelp core
Lotus Domino 6                               intext:/help/help6_client.nsf
Novell Groupwise 6                           inurl:/com/novell/gwmonitor
Novell Groupwise WebAccess                   inurl:"/com/novell/webaccess"
Novell Groupwise WebPublisher                inurl:"/com/novell/webpublisher"

Sample Programs

In addition to documentation and manuals that ship with Web software, it is fairly common for default applications to be included with a software package. These default applications, like default Web pages, help demonstrate the functionality of the software and serve as a starting point for developers, providing sample routines and code that could be used as learning tools. Unfortunately, these sample programs can be used not only to profile a Web server; often they also contain flaws or functionality an attacker could use to compromise the server. The Microsoft Index Server simple content query page, shown in Figure 8.19, allows Web visitors to search through the content of a Web site. In some cases, this query page could locate pages that are not linked from any other page or that contain sensitive information.
Figure 8.19 Microsoft Index Server Simple Content Query Page

As with default pages, specialized programs designed to crawl a Web site in search of these default programs are much better suited for finding these pages. However, if a default page provided with a Web server contains links to demonstration pages and programs, Google will find them. In some cases, the cache of these pages will remain even after the main page has been updated and the links removed. And remember, you can use the cache page, along with the &strip=1 option, to view the page anonymously. This keeps the information gathering exercise away from the watchful eye of the server's admin. Table 8.9 shows some queries that can be used to locate default-installed programs.

Table 8.9 Queries That Locate Default Programs

Software                        Query
Apache Cocoon                   inurl:cocoon/samples/welcome
Generic                         inurl:demo | inurl:demos
Generic                         inurl:sample | inurl:samples
IBM Websphere                   inurl:WebSphereSamples
Lotus Domino 4.6                inurl:/sample/framew46
Lotus Domino 4.6                inurl:/sample/faqw46
Lotus Domino 4.6                inurl:/sample/pagesw46
Lotus Domino 4.6                inurl:/sample/siregw46
Microsoft Index Server          inurl:samples/Search/queryhit
Microsoft Site Server           inurl:siteserver/docs
Novell NetWare 5                inurl:/lcgi/sewse.nlm
Novell GroupWise WebPublisher   inurl:/servlet/webpub groupwise
Netware WebSphere               inurl:/servlet/SessionServlet
OpenVMS!                        inurl:sys$common
Oracle Demos                    inurl:/demo/sql/index.jsp
Oracle JSP Demos                inurl:demo/basic/info
Oracle JSP Scripts              inurl:ojspdemos
Oracle 9i                       inurl:/pls/simpledad/admin_
IIS/Various                     inurl:iissamples
IIS/Various                     inurl:/scripts/samples/search
Sambar Server                   intitle:"Sambar Server Samples"

Locating Login Portals

Login portal is a term I use to describe a Web page that serves as a "front door" to a Web site. Login portals are designed to allow access to specific features or functions after a user logs in. Google hackers search for login portals as a way to profile the software that's in use on a target, and to locate links and documentation that might provide useful information for an attack. In addition, if an attacker has an exploit for a particular piece of software, and that software provides a login portal, the attacker can use Google queries to locate potential targets.

Some login portals, like the one shown in Figure 8.20, captured with "microsoft outlook" "web access" version, are obviously default pages provided by the software manufacturer—in this case, Microsoft. Just as an attacker can get an idea of the potential security of a target by simply looking for default pages, a default login portal can indicate that the technical skill of the server's administrators is generally low, revealing that the security of the site will most likely be poor as well. To make matters worse, default login portals like the one shown in Figure 8.20 indicate the software revision of the program—in this case, version 5.5 SP4. An attacker can use this information to search for known vulnerabilities in that software version.
Figure 8.20 Outlook Web Access Default Portal

By following links from the login portal, an attacker can often gain access to other information about the target. The Outlook Web Access portal is particularly renowned for this type of information leak, because it provides an anonymous public access area that can be viewed without logging in to the mail system. This public access area sometimes provides access to a public directory or to broadcast e-mails that can be used to gather usernames or information, as shown in Figure 8.21.

Figure 8.21 Public Access Areas Can Be Found from Login Portals

Some login portals provide more details than others. As shown in Figure 8.22, the Novell Management Portal provides a great deal of information about the server, including server software version and revision, application software version and revision, software upgrade date, and server uptime. This type of information is very handy for an attacker staging an attack against the server.

Figure 8.22 Novell Management Portal Reveals a Great Deal of Information
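The queries in Tables 8.4 to 8.9 are just as useful turned inward: a defender can run them against a crawl of their own sites to find default pages, default documentation and sample programs before a search engine indexes them. The script below is an added example, not code from the book; it evaluates a handful of the tables' queries (the subset of Google syntax they use) against constructed pages, and the hostnames, page text and the Page/matches/audit names are all assumptions made for this example.

```python
import re
from collections import namedtuple

Page = namedtuple("Page", "url title body")  # one crawled page of your own site

# Fingerprint queries taken from Tables 8.4 to 8.9, keyed by what a hit reveals.
FINGERPRINTS = {
    "Apache 1.3.0-1.3.9 default page": 'intitle:"Test Page for Apache" "It worked!" "this Web site!"',
    "Apache on Red Hat default page": '"Test Page for the Apache Web Server on Red Hat Linux"',
    "Apache on other Linux default page": 'intitle:"Test Page **Apache Web Server on " -red.hat -fedora',
    "IIS 5.0 default page": "allintitle:Welcome to Windows 2000 Internet Services",
    "Apache default documentation": 'intitle:"Apache HTTP Server" intitle:"documentation"',
    "IIS sample programs": "inurl:iissamples",
}

# One query term: optional '-' exclusion, optional operator, then a quoted phrase or a bare word.
TERM = re.compile(r'(-?)(?:(intitle|inurl|allintitle):)?(?:"([^"]*)"|(\S+))')

def matches(query, page):
    """Evaluate the subset of Google syntax the tables use (quoted phrases, intitle:, allintitle:,
    inurl:, '-' exclusion, '*' wildcard, '.' as any separator) against one page."""
    all_title = query.startswith("allintitle:")
    everything = f"{page.title} {page.body}".lower()
    for neg, op, phrase, word in TERM.findall(query):
        pattern = re.escape((phrase or word).lower()).replace(r"\.", r"\W+").replace(r"\*", ".*")
        if op == "inurl":
            haystack = page.url.lower()
        elif op or all_title:
            haystack = page.title.lower()
        else:
            haystack = everything
        # A required term that is absent, or an excluded term that is present, fails the query.
        if bool(re.search(pattern, haystack)) == bool(neg):
            return False
    return True

def audit(pages):
    """Return (url, label) for every page that one of the fingerprint queries would surface."""
    return [(p.url, label) for p in pages for label, q in FINGERPRINTS.items() if matches(q, p)]

# Constructed crawl of an imaginary intranet; hostnames and page text are made up for this example.
SAMPLE_PAGES = [
    Page("http://www1.example.test/", "Test Page for Apache", "It worked! Apache is installed on this Web site!"),
    Page("http://www2.example.test/", "Test Page for the Apache Web Server on Red Hat Linux", "Not configured yet."),
    Page("http://www3.example.test/", "Test Page for the Apache Web Server on SuSE Linux", "Not configured yet."),
    Page("http://www4.example.test/", "Welcome to Windows 2000 Internet Services", ""),
    Page("http://www5.example.test/manual/index.html", "Apache HTTP Server Version 2.0 Documentation", ""),
    Page("http://www6.example.test/iissamples/default/query.asp", "Sample ASP Query", ""),
    Page("http://www7.example.test/about", "About Example Corp", "We make widgets."),
]
```

Note how the Red Hat test page is excluded from the "other Linux" query by its -red.hat term while the SuSE page is not; every hit from audit(SAMPLE_PAGES) is a page that should be removed or replaced before it is crawled.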

Posted: 04/07/2014, 17:20
