Table 8.11Queries That Locate Various Network Devices Sony NC RZ30 Camers SNC-RZ30 HOME Sony NC RZ20 Cameras intitle:snc-z20 inurl:home/ Mobotix netcams intext:”MOBOTIX M1” | intext:”MOB
Trang 1Figure 8.31Webcams Placed Outside a Facility
Most network printers manufactured these days have some sort of Web-based interface installed If these devices (or even the documentation or drivers supplied with these devices)
are linked from a Web page, various Google queries can be used to locate them
Once located, network printers can provide an attacker with a wealth of information As shown in Figure 8.32, it is very common for a network printer to list details about the
sur-rounding network, naming conventions, and more Many devices located through a Google
search are still running a default, insecure configuration with no username or password
needed to control the device In a worst-case scenario, attackers can view print jobs and
even coerce these printers to store files or even send network commands
Trang 2Figure 8.32Networked Printers Provide Lots of Details
Table 8.11 shows queries that can be used to locate various network devices
Table 8.11Queries That Locate Various Network Devices
PhaserLink Printers intitle:”View and Configure PhaserLink”
Panasonic Network Cameras inurl:”ViewerFrame?Mode=”
Trang 3Table 8.11Queries That Locate Various Network Devices
Sony NC RZ30 Camers SNC-RZ30 HOME
Sony NC RZ20 Cameras intitle:snc-z20 inurl:home/
Mobotix netcams (intext:”MOBOTIX M1” | intext:”MOBOTIX M10”)
intext:”Open Menu” Shift-Reload Panasonic WJ-NT104 intitle:”WJ-NT104 Main Page”
AXIS Cameras intitle:”Live View / - AXIS”
Phaser 6250N Printer “Phaser 6250” “Printer Neighborhood” “XEROX
CORPORATION”
Xerox Phaser Printer “Phaser740 Color Printer” “printer named: “
Phaser 8200 Printer “Phaser 8200” “Xerox” “refresh” “ Email Alerts”
Xerox Phaser 840 “Phaser 840 Color Printer” “Current Status”
Canon “WebView LiveScope” intitle:liveapplet inurl:LvAppl
Xerox Phaser 4500/6250/ intext:centreware inurl:status
8200/8400
Linux Dreamboxes intitle:”dreambox web”
Axis Netcams intitle:”Live View / - AXIS” | inurl:view/view.sht
Fiery WebTools (“Fiery WebTools” inurl:index2.html) | “WebTools
enable * * observe, *, * * * flow * print jobs”
Konica Network Printer intitle:”network administration” inurl:”nic”
Ricoh Aficio 1022 inurl:sts_index.cgi
Ricoh Afficio Printer intitle:RICOH intitle:”Network Administration”
Canon ImageReady 3300, intitle:”remote ui:top page”
5000 & 60000
HP Printers inurl:hp/device/this.LCDispatcher
Webeye webcams intitle:webeye inurl:login.ml
AXIS StorPoint CD+ intitle:”axis storpoint CD” intitle:”ip address”
Cisco Switches intitle:”switch home page” “cisco systems” “Telnet
- to”
Linksys webcam camera linksys inurl:main.cgi
My webcamXP server intitle:”my webcamXP server!” inurl:”:8080”
Trang 4Table 8.11 continuedQueries That Locate Various Network Devices
Ricoh Aficio 2035 (inurl:webArch/mainFrame.cgi ) | (intitle:”web (fax/scanner) image monitor” -htm -solutions)
Axis Network Camera inurl:netw_tcp.shtml
Panasonic Network Camera site:.viewnetcam.com -www.viewnetcam.com Toshiba netcams intitle:”toshiba network camera - User Login” CCTV webcams “please visit” intitle:”i-Catcher Console” Copyright
“iCode Systems”
XeroxDocuPrint printer intitle:”Home” “Xerox Corporation” “Refresh
Status”
Xerox 860 and 8200 Printers intext:”Ready with 10/100T Ethernet”
Lexmark printers intext:”UAA (MSB)” Lexmark -ext:pdf
Tandberg video conferencing intext:”Videoconference Management System” appliances ext:htm
Phaser printers “Copyright (c) Tektronix, Inc.” “printer status” Xerox DocuPrint printer intext:”MaiLinX Alert (Notify)”
-site:net-workprinters.com Brother HL Printers inurl:”printer/main.html” intext:”settings”
Axis Storpoint axis storpoint “file view” inurl:/volumes/
Netsnap Online Cameras intitle:”Live NetSnap Cam-Server feed”
V-Gear Bee Web Cameras intitle:”V-Gear BEE”
Audio ReQuest home intitle:”AudioReQuest.web.server”
CD/MP3 player
CUPS Printers inurl:”:631/printers” -php -demo
Axis Video Cameras
Linksys Wireless-G web cams inurl:”next_file=main_fs.htm” inurl:img
inurl:image.cgi
Trang 5Table 8.11 continuedQueries That Locate Various Network Devices
SnapStream Digital filetype:cgi transcoder.cgi
Video Recorder
Axis Network Print Server intitle:”Network Print Server” filetype:shtm (
inurl:u_printjobs | inurl:u_server | inurl:a_server | inurl:u_generalhelp | u_printjobs )
Axis Network Print Server intitle:”Network Print Server”
intext:”http://www.axis.com” filetype:shtm
Sweex, Orite Web Cameras allinurl:index.htm?cus?audio
EDSR video cameras intitle:”EverFocus.EDSR.applet”
Epson Web Assist intitle:”EpsonNet WebAssist Rev”
Brother printers intitle:”Brother” intext:”View Configuration”
intext:”Brother Industries, Ltd.”
Linksys webcams intitle:Linksys site:ourlinksys.com
mmEye webcam allintitle:Brains, Corp camera
Dell ESW Printers intitle:”Dell Laser Printer” ews
HomeSeer home intitle:HomeSeer.Web.Control |
automation server Home.Status.Events.Log
Samsung webthru cameras “Webthru User Login”
Lexmark printers (4 models) intitle:”Lexmark *” inurl:port_0
Aficio printers inurl:/en/help.cgi “ID=*”
HP Officejet help page intitle:jdewshlp “Welcome to the Embedded Web
Server!”
Xerox Phaser printers “display printer status” intitle:”Home”
Winamp Servers “About Winamp Web Interface” intitle:”Winamp
Web Interface”
NeroNet Servers intitle:”NeroNET - burning online”
Xerox (*Centre) Printers ext:dhtml intitle:”document centre|(home)” OR
intitle:”xerox”
Lexmark and Dell Printers inurl:”port_255” -htm
Adobe’s PrintGear intext:”Powered by: Adobe PrintGear” inurl:admin
Trang 6Table 8.11 continuedQueries That Locate Various Network Devices
AVTech Video Web Server intitle:”—- VIDEO WEB SERVER —-” intext:”Video
Web Server” “Any time & Any where” username password
VPON (Video Picture On Net) inurl:start.htm?scrw=
video surveillance system
Dell Printers intitle:”Dell *” inurl:port_0
Kpix Java Based Traffic (cam1java)|(cam2java)|(cam3java)|
Cameras (cam4java)|(cam5java)|(cam6java) -navy.mil -backflip
-power.ne.jp Mobile Cameras inurl:”S=320x240” | inurl:”S=160x120”
inurl:”Q=Mob Panasonic IP cameras inurl:”CgiStart?page=”
Dell and Lexmark Printers intitle:”configuration” inurl:port_0
Dell Laser Printer M5200 intitle:”Dell Laser Printer M5200” port_0
AXIS 240 Camera Servers intitle:”AXIS 240 Camera Server” intext:”server
push” -help Veo Observer Web Client intitle:”Veo Observer Web Client”
Standalone Network Camera intitle:”Java Applet Page” inurl:ml
DVR Systems intitle:”WEBDVR” -inurl:product -inurl:demo
sensorProbe Environmental “Summary View of Sensors” | “sensorProbe8 v *” |
iDVR Camera intitle:iDVR -intitle:”com | net | shop” -inurl:”asp |
htm | pdf | html | php | shtml | com | at | cgi | tv” INTELLINET IP camera intitle:”INTELLINET” intitle:”IP Camera Homepage” StarDot netcam intitle:”NetCam Live Image” edu gov
-johnny.ihackstuff.com Netbotz devices intitle:”netbotz appliance” inurl:.php inurl:.asp
-inurl:.pdf -inurl:securitypipeline -announces Phaser Network Printers Phaser numrange:100-100000 Name DNS IP “More
Printers” index help filetype:html | filetype:shtml Orite 301 Netcams intitle:”Orite IC301” | intitle:”ORITE Audio
IP-Camera IC-301” -the -a Brimsoft webcam intitle:”Biromsoft WebCam” 4.0 serial ask crack
-software -a -the -build -download -v4 -3.01 -num-range:1-10000
Continued
Trang 7Table 8.11 continuedQueries That Locate Various Network Devices
VisionGS Webcam (intitle:”VisionGS Webcam
Software”)|(intext:”Powered by VisionGS Webcam”) showthread.php showpost.php
-”Search Engine” -computersglobal.com -site:g IQeye netcam intitle:”IQeye302 | IQeye303 | IQeye601 | IQeye602 |
IQeye603” intitle:”Live Images”
Samsung printers “This page is for configuring Samsung Network
Printer” | printerDetails.htm Intel Netport Express intitle:”SNOIE Intel Web Netport Manager” OR
Print Server intitle:”Intel Web Netport Manager Setup/Status”
Express6 live video controller Display Cameras intitle:”Express6 Live Image”
Sony SNT-V304 Video intitle:”Sony SNT-V304 Video Network Station”
Windows 2003 Remote inurl:Printers/ipp_0001.asp
Printing
Linksys wireless G Camera inurl:/img/vr.htm
Sony DCS-950 Web Camera DCS inurl:”/web/login.asp”
Dell laser printers intitle:”Dell Laser Printer *” port_0
-johnny.ihack-stuff INTELLINET IP Camera intitle:”::::: INTELLINET IP Camera Homepage :::::
Celestix Taurus Server intext:”Welcome to Taurus” “The Taurus Server
Appliance” intitle:”The Taurus Server Appliance”
Sharp printers intitle:”AR-*” “browser of frame dealing is
neces-sary”
Watchdogs WxGoos Camera intitle:”WxGoos-” (“Camera image”|”60 seconds” )
Nuvico DVR intitle:”DVR Client” the free pdf downloads
-blog -download -dvrtop Hunt Electronics web cams “OK logout” inurl:vb.htm?logout=1
IVC Security Cameras intitle:”IVC Control Panel”
MOBOTIX Cameras (intitle:MOBOTIX intitle:PDAS) | (intitle:MOBOTIX
intitle:Seiten) | (inurl:/pda/index.html +camera) Netbotz devices intitle:”Device Status Summary Page” -demo
iGuard Fingerprint intitle:”iGuard Fingerprint Security System”
Security System
Continued
Trang 8Table 8.11 continuedQueries That Locate Various Network Devices
Veo Observer XT intitle:”Veo Observer XT”
inurl:shtml|pl|php|htm|asp|aspx|pdf|cfm -intext:observer
EyeSpyFX or OptiCamFX (intitle:(EyeSpyFX|OptiCamFX) “go to
MOBOTIX cameras inurl:cgi-bin/guestimage.html
Sony SNC-RZ30 IP camera intitle:”SNC-RZ30” -demo
Everfocus EDSR400 allintitle: EverFocus | EDSR | EDSR400 Applet
Everfocus EDR1680 allintitle:Edr1680 remote viewer
Everfocus EDR1600 allintitle: EDR1600 login | Welcome
Everfocus EDR400 allintitle: EDR400 login | Welcome
Boshe/Divar Net Cameras intitle:”Divar Web Client”
Axis Cameras intitle:”Live View / - AXIS” | inurl:view/view.shtml
OR inurl:view/indexFrame.shtml | intitle:”MJPG Live Demo” | “intext:Select preset position”
Axis Cameras 2XXX Series allintitle: Axis 2.10 OR 2.12 OR 2.30 OR 2.31 OR
2.32 OR 2.33 OR 2.34 OR 2.40 OR 2.42 OR 2.43
“Network Camera “ BlueNet Video Viewer intitle:”BlueNet Video Viewer”
Stingray File Transfer Server intitle:”stingray fts login” | ( login.jsp
intitle:StingRay ) Softwell Technology allintitle:”DVR login”
“Wit-Eye” DVR
WR Control Lite Multi- inurl:wrcontrollite
Camera View
Axis Video Server (CAM) inurl:indexFrame.shtml Axis
AXIS Video Live Camera intitle:”Live View / - AXIS”
AXIS Video Live View intitle:”Live View / - AXIS” | inurl:view/view.sht
AXIS 200 Network Camera intitle:”The AXIS 200 Home Page”
Canon Network Camera intitle:liveapplet inurl:LvAppl
Mobotix Network Camera intext:”MOBOTIX M1” intext:”Open Menu”
Panasonic Network Camera intitle:”WJ-NT104 Main Page”
Panasonic Network Camera inurl:”ViewerFrame?Mode=”
Trang 9Table 8.11 continuedQueries That Locate Various Network Devices
Seyeon FlexWATCH Camera intitle:flexwatch intext:”Home page ver”
Sony Network Camera intitle:snc-z20 inurl:home/
Canon ImageReady intitle:”remote ui:top page”
Fiery Printer Interface (“Fiery WebTools” inurl:index2.html) | “WebTools
enable * * observe, *, * * * flow * print jobs”
Konica Printers intitle:”network administration” inurl:”nic”
RICOH Printers intitle:RICOH intitle:”Network Administration”
Tektronix Phaser Printer intitle:”View and Configure PhaserLink”
Xerox Phaser (generic) inurl:live_status.html
Xerox Phaser 6250 Printer “Phaser 6250” “Printer Neighborhood” “XEROX
CORPORATION”
Xerox Phaser 740 Printer “Phaser® 740 Color Printer” “printer named: “
phaserlink
Xerox Phaser 8200 Printer “Phaser 8200” “© Xerox” “refresh” “ Email Alerts”
Xerox Phaser 840 Printer Phaser® 840 Color Printer
Xerox Centreware Printers intext:centreware inurl:status
XEROX WorkCentre intitle:”XEROX WorkCentre PRO - Index”
Trang 10Attackers use Google for a variety of reasons An attacker might have access to an exploit for
a particular version of Web software and may be on the prowl for vulnerable targets Other times the attacker might have decided on a target and is using Google to locate information about other devices on the network In some cases, an attacker could simply be looking for Web devices that are poorly configured with default pages and programs, indicating that the security around the device is soft
Directory listings provide information about the software versions in use on a device Server and application error messages can provide a wealth of information to an attacker and are perhaps the most underestimated of all information-gathering techniques Default pages, programs, and documentation not only can be used to profile a target, but they serve as an indicator that the server is somewhat neglected and perhaps vulnerable to exploitation Login portals, while serving as the “front door” of a Web server for regular users, can be used to profile a target, used to locate more information about services and procedures in use, and used as a virtual magnet for attackers armed with matching exploits In some cases, login portals are set up by administrators to allow remote access to a server or network.This type of login portal, if compromised, can provide an entry point for an intruder as well Google can be used to locate or augment Web-based networking tools like NQT, which enables remote execution of various network-querying applications Using creative queries, Google may even locate Web-enabled network devices in use by the target or output from network statistical packages Whatever your goal during a network-based assessment, there’s a good chance Google can be used to augment your existing tools and techniques
Solutions Fast Track
Locating and Profiling Web Servers
Directory listings and default server-generated error messages can provide details about the server Even though this information could be obtained by connecting directly to the server, an attacker armed with an exploit for a particular version of software could find a target using a Google query designed to locate this
information
Server and application error messages proved a great deal of information, ranging from software versions and patch level, to snippets of source code and information about system processes and programs Error messages are one of the most
underestimated forms of information leakage