Figure 8.31 Webcams Placed Outside a Facility Most network printers manufactured these days have some sort of Web-based interface installed. If these devices (or even the documentation or drivers supplied with these devices) are linked from a Web page, various Google queries can be used to locate them. Once located, network printers can provide an attacker with a wealth of information. As shown in Figure 8.32, it is very common for a network printer to list details about the sur- rounding network, naming conventions, and more. Many devices located through a Google search are still running a default, insecure configuration with no username or password needed to control the device. In a worst-case scenario, attackers can view print jobs and even coerce these printers to store files or even send network commands. Tracking Down Web Servers, Login Portals, and Network Hardware • Chapter 8 331 452_Google_2e_08.qxd 10/5/07 1:03 PM Page 331 Figure 8.32 Networked Printers Provide Lots of Details Table 8.11 shows queries that can be used to locate various network devices. Table 8.11 Queries That Locate Various Network Devices Network Device Query AXIS 2400 inurl:indexFrame.shtml Axis PhaserLink Printers intitle:”View and Configure PhaserLink” Panasonic Network Cameras inurl:”ViewerFrame?Mode=” 332 Chapter 8 • Tracking Down Web Servers, Login Portals, and Network Hardware Continued 452_Google_2e_08.qxd 10/5/07 1:03 PM Page 332 Table 8.11 Queries That Locate Various Network Devices Network Device Query Sony NC RZ30 Camers SNC-RZ30 HOME Sony NC RZ20 Cameras intitle:snc-z20 inurl:home/ Mobotix netcams (intext:”MOBOTIX M1” | intext:”MOBOTIX M10”) intext:”Open Menu” Shift-Reload Panasonic WJ-NT104 intitle:”WJ-NT104 Main Page” XP PRO Webcams “powered by webcamXP” “Pro|Broadcast” AXIS Cameras intitle:”Live View / - AXIS” Phaser 6250N Printer “Phaser 6250” “Printer Neighborhood” “XEROX CORPORATION” Xerox Phaser Printer “Phaser740 Color Printer” “printer named: “ Phaser 8200 Printer “Phaser 8200” “Xerox” “refresh” “ Email Alerts” Xerox Phaser 840 “Phaser 840 Color Printer” “Current Status” Color Printer “printer named:” Canon “WebView LiveScope” intitle:liveapplet inurl:LvAppl Xerox Phaser 4500/6250/ intext:centreware inurl:status 8200/8400 Linux Dreamboxes intitle:”dreambox web” Axis Netcams intitle:”Live View / - AXIS” | inurl:view/view.sht Axis 200 intitle:”The AXIS 200 Home Page” Fiery WebTools (“Fiery WebTools” inurl:index2.html) | “WebTools enable **observe, *, ***flow * print jobs” Konica Network Printer intitle:”network administration” inurl:”nic” Ricoh Aficio 1022 inurl:sts_index.cgi Ricoh Afficio Printer intitle:RICOH intitle:”Network Administration” Canon ImageReady 3300, intitle:”remote ui:top page” 5000 & 60000. HP Printers. inurl:hp/device/this.LCDispatcher Webeye webcams. intitle:webeye inurl:login.ml AXIS StorPoint CD+. intitle:”axis storpoint CD” intitle:”ip address” Cisco Switches intitle:”switch home page” “cisco systems” “Telnet - to” HP switches intitle:”DEFAULT_CONFIG - HP” Linksys webcam camera linksys inurl:main.cgi My webcamXP server intitle:”my webcamXP server!” inurl:”:8080” Tracking Down Web Servers, Login Portals, and Network Hardware • Chapter 8 333 Continued 452_Google_2e_08.qxd 10/5/07 1:03 PM Page 333 Table 8.11 continued Queries That Locate Various Network Devices Network Device Query Ricoh Aficio 2035 (inurl:webArch/mainFrame.cgi ) | (intitle:”web (fax/scanner) image monitor” -htm -solutions) Axis Network Camera inurl:netw_tcp.shtml Tivo Devices inurl:TiVoConnect?Command=QueryServer Embedded DVR intitle:”DVR Web client” Panasonic Network Camera site:.viewnetcam.com -www.viewnetcam.com Toshiba netcams intitle:”toshiba network camera - User Login” CCTV webcams “please visit” intitle:”i-Catcher Console” Copyright “iCode Systems” AMX Netlink WebControl intitle:”AMX NetLinx” XeroxDocuPrint printer. intitle:”Home” “Xerox Corporation” “Refresh Status” Xerox 860 and 8200 Printers. intext:”Ready with 10/100T Ethernet” Lexmark printers intext:”UAA (MSB)” Lexmark -ext:pdf Axis Netcams inurl:axis-cgi SiteZap webcam “Starting SiteZAP 6.0” EvoCam intitle:”EvoCam” inurl:”webcam.html” Tandberg video conferencing intext:”Videoconference Management System” appliances ext:htm Novell Iprint inurl:”ipp/pdisplay.htm” Phaser printers “Copyright (c) Tektronix, Inc.” “printer status” Xerox DocuPrint printer intext:”MaiLinX Alert (Notify)” -site:net- workprinters.com Brother HL Printers inurl:”printer/main.html” intext:”settings” Axis Storpoint axis storpoint “file view” inurl:/volumes/ Netsnap Online Cameras intitle:”Live NetSnap Cam-Server feed” V-Gear Bee Web Cameras intitle:”V-Gear BEE” Audio ReQuest home intitle:”AudioReQuest.web.server” CD/MP3 player CUPS Printers inurl:”:631/printers” -php -demo iVista Camera intitle:”iVISTA.Main.Page” Axis Video Cameras Linksys Wireless-G web cams. inurl:”next_file=main_fs.htm” inurl:img inurl:image.cgi 334 Chapter 8 • Tracking Down Web Servers, Login Portals, and Network Hardware Continued 452_Google_2e_08.qxd 10/5/07 1:03 PM Page 334 Table 8.11 continued Queries That Locate Various Network Devices Network Device Query SnapStream Digital filetype:cgi transcoder.cgi Video Recorder Axis Network Print Server intitle:”Network Print Server” filetype:shtm ( inurl:u_printjobs | inurl:u_server | inurl:a_server | inurl:u_generalhelp | u_printjobs ) Axis Network Print Server intitle:”Network Print Server” intext:”http://www.axis.com” filetype:shtm ActiveX webcam intitle:”Browser Launch Page” Sweex, Orite Web Cameras allinurl:index.htm?cus?audio EDSR video cameras intitle:”EverFocus.EDSR.applet” Epson Web Assist intitle:”EpsonNet WebAssist Rev” Brother printers intitle:”Brother” intext:”View Configuration” intext:”Brother Industries, Ltd.” Linksys webcams intitle:Linksys site:ourlinksys.com SupervisionCam intitle:”supervisioncam protocol” Vivotec webcams inurl:camctrl.cgi mmEye webcam allintitle:Brains, Corp. camera Dell ESW Printers intitle:”Dell Laser Printer” ews HomeSeer home intitle:HomeSeer.Web.Control | automation server Home.Status.Events.Log Samsung webthru cameras “Webthru User Login” Lexmark printers (4 models) intitle:”Lexmark *” inurl:port_0 Aficio printers inurl:/en/help.cgi “ID=*” HP Officejet help page. intitle:jdewshlp “Welcome to the Embedded Web Server!” Xerox Phaser printers. “display printer status” intitle:”Home” GeoHttpServer inurl:JPGLogin.htm Winamp Servers “About Winamp Web Interface” intitle:”Winamp Web Interface” NeroNet Servers intitle:”NeroNET - burning online” Xerox (*Centre) Printers ext:dhtml intitle:”document centre|(home)” OR intitle:”xerox” Lexmark and Dell Printers inurl:”port_255” -htm Adobe’s PrintGear intext:”Powered by: Adobe PrintGear” inurl:admin Tracking Down Web Servers, Login Portals, and Network Hardware • Chapter 8 335 Continued 452_Google_2e_08.qxd 10/5/07 1:03 PM Page 335 Table 8.11 continued Queries That Locate Various Network Devices Network Device Query AVTech Video Web Server intitle:”—- VIDEO WEB SERVER —-” intext:”Video Web Server” “Any time & Any where” username password VPON (Video Picture On Net) inurl:start.htm?scrw= video surveillance system Dell Printers intitle:”Dell *” inurl:port_0 Kpix Java Based Traffic (cam1java)|(cam2java)|(cam3java)| Cameras (cam4java)|(cam5java)|(cam6java) -navy.mil -backflip -power.ne.jp Mobile Cameras inurl:”S=320x240” | inurl:”S=160x120” inurl:”Q=Mob Panasonic IP cameras inurl:”CgiStart?page=” Dell and Lexmark Printers intitle:”configuration” inurl:port_0 Dell Laser Printer M5200 intitle:”Dell Laser Printer M5200” port_0 AXIS 240 Camera Servers intitle:”AXIS 240 Camera Server” intext:”server push” -help Veo Observer Web Client intitle:”Veo Observer Web Client” Standalone Network Camera intitle:”Java Applet Page” inurl:ml DVR Systems intitle:”WEBDVR” -inurl:product -inurl:demo sensorProbe Environmental “Summary View of Sensors” | “sensorProbe8 v *” | Monitoring Device “ iDVR Camera intitle:iDVR -intitle:”com | net | shop” -inurl:”asp | htm | pdf | html | php | shtml | com | at | cgi | tv” INTELLINET IP camera intitle:”INTELLINET” intitle:”IP Camera Homepage” StarDot netcam intitle:”NetCam Live Image” edu gov - johnny.ihackstuff.com Netbotz devices intitle:”netbotz appliance” -inurl:.php -inurl:.asp - inurl:.pdf -inurl:securitypipeline -announces Phaser Network Printers Phaser numrange:100-100000 Name DNS IP “More Printers” index help filetype:html | filetype:shtml Orite 301 Netcams intitle:”Orite IC301” | intitle:”ORITE Audio IP- Camera IC-301” -the -a Brimsoft webcam intitle:”Biromsoft WebCam” -4.0 -serial -ask -crack - software -a -the -build -download -v4 -3.01 -num- range:1-10000 336 Chapter 8 • Tracking Down Web Servers, Login Portals, and Network Hardware Continued 452_Google_2e_08.qxd 10/5/07 1:03 PM Page 336 Table 8.11 continued Queries That Locate Various Network Devices Network Device Query VisionGS Webcam (intitle:”VisionGS Webcam Software”)|(intext:”Powered by VisionGS Webcam”) -showthread.php -showpost.php - ”Search Engine” -computersglobal.com -site:g IQeye netcam intitle:”IQeye302 | IQeye303 | IQeye601 | IQeye602 | IQeye603” intitle:”Live Images” Samsung printers “This page is for configuring Samsung Network Printer” | printerDetails.htm Intel Netport Express intitle:”SNOIE Intel Web Netport Manager” OR Print Server. intitle:”Intel Web Netport Manager Setup/Status” Express6 live video controller Display Cameras intitle:”Express6 Live Image” Sony SNT-V304 Video intitle:”Sony SNT-V304 Video Network Station” Network Station inurl:hsrindex.shtml Windows 2003 Remote inurl:Printers/ipp_0001.asp Printing Linksys wireless G Camera inurl:/img/vr.htm Sony DCS-950 Web Camera DCS inurl:”/web/login.asp” Dell laser printers intitle:”Dell Laser Printer *” port_0 -johnny.ihack- stuff INTELLINET IP Camera intitle:”::::: INTELLINET IP Camera Homepage ::::: Celestix Taurus Server intext:”Welcome to Taurus” “The Taurus Server Appliance” intitle:”The Taurus Server Appliance” Sharp printers intitle:”AR-*” “browser of frame dealing is neces- sary” Watchdogs WxGoos Camera intitle:”WxGoos-” (“Camera image”|”60 seconds” ) Nuvico DVR intitle:”DVR Client” -the -free -pdf -downloads - blog -download -dvrtop Hunt Electronics web cams “OK logout” inurl:vb.htm?logout=1 EverFocus DVR intitle:”Edr1680 remote viewer” IVC Security Cameras intitle:”IVC Control Panel” MOBOTIX Cameras (intitle:MOBOTIX intitle:PDAS) | (intitle:MOBOTIX intitle:Seiten) | (inurl:/pda/index.html +camera) Netbotz devices intitle:”Device Status Summary Page” -demo iGuard Fingerprint intitle:”iGuard Fingerprint Security System” Security System Tracking Down Web Servers, Login Portals, and Network Hardware • Chapter 8 337 Continued 452_Google_2e_08.qxd 10/5/07 1:03 PM Page 337 Table 8.11 continued Queries That Locate Various Network Devices Network Device Query Veo Observer XT intitle:”Veo Observer XT” - inurl:shtml|pl|php|htm|asp|aspx|pdf|cfm - intext:observer EyeSpyFX or OptiCamFX (intitle:(EyeSpyFX|OptiCamFX) “go to Camera camera”)|(inurl:servlet/DetectBrowser) MOBOTIX cameras inurl:cgi-bin/guestimage.html Sony SNC-RZ30 IP camera intitle:”SNC-RZ30” -demo Everfocus EDSR400 allintitle: EverFocus | EDSR | EDSR400 Applet Everfocus EDR1680 allintitle:Edr1680 remote viewer Everfocus EDR1600 allintitle: EDR1600 login | Welcome Everfocus EDR400 allintitle: EDR400 login | Welcome Boshe/Divar Net Cameras intitle:”Divar Web Client” Axis Cameras intitle:”Live View / - AXIS” | inurl:view/view.shtml OR inurl:view/indexFrame.shtml | intitle:”MJPG Live Demo” | “intext:Select preset position” Axis Cameras 2XXX Series allintitle: Axis 2.10 OR 2.12 OR 2.30 OR 2.31 OR 2.32 OR 2.33 OR 2.34 OR 2.40 OR 2.42 OR 2.43 “Network Camera “ BlueNet Video Viewer intitle:”BlueNet Video Viewer” Stingray File Transfer Server intitle:”stingray fts login” | ( login.jsp intitle:StingRay ) Softwell Technology allintitle:”DVR login” “Wit-Eye” DVR WR Control Lite Multi- inurl:wrcontrollite Camera View Device Query Axis Video Server (CAM) inurl:indexFrame.shtml Axis AXIS Video Live Camera intitle:”Live View / - AXIS” AXIS Video Live View intitle:”Live View / - AXIS” | inurl:view/view.sht AXIS 200 Network Camera intitle:”The AXIS 200 Home Page” Canon Network Camera intitle:liveapplet inurl:LvAppl Mobotix Network Camera intext:”MOBOTIX M1” intext:”Open Menu” Panasonic Network Camera intitle:”WJ-NT104 Main Page” Panasonic Network Camera inurl:”ViewerFrame?Mode=” Sony Network Camera SNC-RZ30 HOME 338 Chapter 8 • Tracking Down Web Servers, Login Portals, and Network Hardware Continued 452_Google_2e_08.qxd 10/5/07 1:03 PM Page 338 Table 8.11 continued Queries That Locate Various Network Devices Network Device Query Seyeon FlexWATCH Camera intitle:flexwatch intext:”Home page ver” Sony Network Camera intitle:snc-z20 inurl:home/ webcamXP “powered by webcamXP” “Pro|Broadcast” Canon ImageReady intitle:”remote ui:top page” Fiery Printer Interface (“Fiery WebTools” inurl:index2.html) | “WebTools enable **observe, *, ***flow * print jobs” Konica Printers intitle:”network administration” inurl:”nic” RICOH Copier inurl:sts_index.cgi RICOH Printers intitle:RICOH intitle:”Network Administration” Tektronix Phaser Printer intitle:”View and Configure PhaserLink” Xerox Phaser (generic) inurl:live_status.html Xerox Phaser 6250 Printer “Phaser 6250” “Printer Neighborhood” “XEROX CORPORATION” Xerox Phaser 740 Printer “Phaser® 740 Color Printer” “printer named: “ phaserlink Xerox Phaser 8200 Printer “Phaser 8200” “© Xerox” “refresh” “ Email Alerts” Xerox Phaser 840 Printer Phaser® 840 Color Printer Xerox Centreware Printers intext:centreware inurl:status XEROX WorkCentre intitle:”XEROX WorkCentre PRO - Index” Tracking Down Web Servers, Login Portals, and Network Hardware • Chapter 8 339 452_Google_2e_08.qxd 10/5/07 1:03 PM Page 339 Summary Attackers use Google for a variety of reasons. An attacker might have access to an exploit for a particular version of Web software and may be on the prowl for vulnerable targets. Other times the attacker might have decided on a target and is using Google to locate information about other devices on the network. In some cases, an attacker could simply be looking for Web devices that are poorly configured with default pages and programs, indicating that the security around the device is soft. Directory listings provide information about the software versions in use on a device. Server and application error messages can provide a wealth of information to an attacker and are perhaps the most underestimated of all information-gathering techniques. Default pages, programs, and documentation not only can be used to profile a target, but they serve as an indicator that the server is somewhat neglected and perhaps vulnerable to exploitation. Login portals, while serving as the “front door” of a Web server for regular users, can be used to profile a target, used to locate more information about services and procedures in use, and used as a virtual magnet for attackers armed with matching exploits. In some cases, login portals are set up by administrators to allow remote access to a server or network.This type of login portal, if compromised, can provide an entry point for an intruder as well. Google can be used to locate or augment Web-based networking tools like NQT, which enables remote execution of various network-querying applications. Using creative queries, Google may even locate Web-enabled network devices in use by the target or output from network statistical packages. Whatever your goal during a network-based assessment, there’s a good chance Google can be used to augment your existing tools and techniques. Solutions Fast Track Locating and Profiling Web Servers Directory listings and default server-generated error messages can provide details about the server. Even though this information could be obtained by connecting directly to the server, an attacker armed with an exploit for a particular version of software could find a target using a Google query designed to locate this information. Server and application error messages proved a great deal of information, ranging from software versions and patch level, to snippets of source code and information about system processes and programs. Error messages are one of the most underestimated forms of information leakage. 340 Chapter 8 • Tracking Down Web Servers, Login Portals, and Network Hardware 452_Google_2e_08.qxd 10/5/07 1:03 PM Page 340 . intitle:”ORITE Audio IP- Camera IC-301” -the -a Brimsoft webcam intitle:”Biromsoft WebCam” -4 .0 -serial -ask -crack - software -a -the -build -download -v4 -3 .01 -num- range: 1-1 0000 336 Chapter 8. intitle:”AR-*” “browser of frame dealing is neces- sary” Watchdogs WxGoos Camera intitle:”WxGoos-” (“Camera image”|”60 seconds” ) Nuvico DVR intitle:”DVR Client” -the -free -pdf -downloads - blog -download. gov - johnny.ihackstuff.com Netbotz devices intitle:”netbotz appliance” -inurl:.php -inurl:.asp - inurl:.pdf -inurl:securitypipeline -announces Phaser Network Printers Phaser numrange:10 0-1 00000