■ Default pages, documentation, and programs speak volumes about the server that hosts them. They suggest that a server is not well maintained and is by extension vulnerable due to poor maintenance.

Locating Login Portals

■ Login portals can draw attackers who are searching for specific types of software. In addition, they can serve as a starting point for information-gathering attacks, since most login portals are designed to be user friendly, providing links to help documents and procedures to aid new users.

■ Administrative login portals and remote administration tools are sometimes even more dangerous, especially if they are poorly configured.

Locating Network Hardware

■ All sorts of network devices can be located with Google queries. These devices are more than a passing technological curiosity for some attackers, since many devices linked from the Web are poorly configured, trusted devices often overlooked by typical security auditors.

■ Web cameras are often overlooked devices that can provide insight for an attacker, even though an extremely small percentage of targets have Web cameras installed.

■ Network printers, when compromised, can reveal a great deal of sensitive information, especially for an attacker capable of viewing print jobs and network information.

Using and Locating Various Web Utilities

■ Web-enabled network devices can be located with simple Google queries. The information from these devices can be used to help build a network map.

Locating Various Network Reports

■ Network statistic reports can be located with simple Google queries. The information from these reports can be used to help build a network map.

Tracking Down Web Servers, Login Portals, and Network Hardware • Chapter 8 341
452_Google_2e_08.qxd 10/5/07 1:03 PM Page 341

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form.

Q: I run an IIS 6.0 server, and I don't like the idea of those static HTTP 1.1 error pages hanging around my site, luring potential malicious interest in my server. How can I enable the customized error messages?

A: If you aren't in the habit of just asking Google by now, you should be! Seriously, try a Google search for site:microsoft.com "Configuring Custom Error Messages" IIS 6.0. At the time of this writing, the article describing this procedure is the first hit. The procedure involves firing up the IIS Manager, double-clicking My Computer, right-clicking the Web Sites folder, and selecting Properties. See the Custom Errors tab.

Q: I run an Apache server, and I don't like the idea of those server tags on error messages and directory listings. How can I turn these off?

A: To remove the tags, locate the section in your httpd.conf file (usually in /etc/httpd/conf/httpd.conf) that contains the following:

    #
    # Optionally add a line containing the server version and virtual host
    # name to server-generated pages (error documents, FTP directory listings,
    # mod_status and mod_info output etc., but not CGI generated documents).
    # Set to "EMail" to also include a mailto: link to the ServerAdmin.
    # Set to one of: On | Off | EMail
    #
    ServerSignature On

The ServerSignature setting can be changed to Off to remove the tag altogether, or to EMail, which presents an e-mail link with the ServerAdmin e-mail address as it appears in the httpd.conf file.

Q: I've got an idea for a search that's not listed here. If you're so smart about Google, why isn't my search listed in this book?

A: This book serves as more of a primer than a reference book. There are so many possible Google searches out there that it's impossible to include them all in one book. Most searches listed in this book are the result of a community of people working together to come up with as many effective searches as possible. Fortunately, this community of individuals has created a unique and extensive database that is open to the public for the purposes of adequately defending against this unique threat. The Search Engine Hacking forum and the GHDB are both available at http://johnny.ihackstuff.com. If you've got a new search, first search the database to make sure it's unique. If you think it is, submit it to the forums, and your search could be the newest addition to the database. But beware, Google searcher. Google hacking is fun and addictive. If you submit one search, I think you'll find it's hard to stop. Just ask any of the individuals on the Google Master's list. Some of them found it hard to stop at 10 or 20 unique submitted searches! Check out the Acknowledgments page for a list of users who have made a significant contribution to the Google hacking community.

Q: The NQT tool can only scan one port at a time. Could this behavior be modified?

A: Without modifying the code on the remote NQT server, this task would require the coding of a PHP loop that feeds the requests one at a time to the NQT server. Remember, though, that even single ports can play a critical role when it comes time to perform an actual network port scan. For many different types of scans, it's always advantageous to have a list of ports that are known to be open.

Q: Aren't there any Web-based tools besides NQT with a larger port scan range?

A: If you're interested in scanning lots of ports, you might be better off with a standard scanner like nmap. However, to flex those Google muscles, try a query like inurl:portscan.php ("from Port"|"Port Range") suggested by Jimmy Neutron on the Google Hacking Forums. Although there aren't many results, who knows what the future holds for this search!

Q: So Web interfaces on network devices are a bad idea?

A: They don't have to be, but statistically they are for a few reasons. First, they are often excessive when you consider that the same task could be more securely accomplished via serial port connection or via a dedicated admin network connection. Second, small devices require small servers, so some exotic Web servers are used that are not as well tested as Apache, for example (consider the vulnerabilities on Axis cams at SecurityFocus). Third, as we've seen in this chapter, the pages can be found with (or submitted to) Google if the admins are not careful. This opens the floodgates for all the fledgling Google hackers out there.

Q: Our network devices (routers) can't be accessed by anyone from the outside. Does that mean we are safe?

A: Even though it is not accessible from the wide area network (WAN), it may be accessible from a compromised host on your LAN. Posting information about it on Usenet or tech forums is a risk. For an example, try searching for intext:"enable secret 5 $" as suggested by hevnsnt on the Google Hacking Forums. Then try the same on Google Groups. It's a good thing Cisco implemented strong encryption on those passwords, since these searches often reveal sensitive information about these devices.

Usernames, Passwords, and Secret Stuff, Oh My!
Chapter 9

Solutions in this chapter:

■ Searching for Usernames
■ Searching for Passwords
■ Searching for Credit Card Numbers, Social Security Numbers, and More
■ Searching for Other Juicy Info
■ List of Sites

Summary
Solutions Fast Track
Frequently Asked Questions

452_Google_2e_09.qxd 10/5/07 1:08 PM Page 345

Introduction

This chapter is not about finding sensitive data during an assessment as much as it is about what the "bad guys" might do to troll for the data. The examples presented in this chapter generally represent the lowest-hanging fruit on the security tree. Hackers target this information on a daily basis. To protect against this type of attacker, we need to be fairly candid about the worst-case possibilities. We won't be overly candid, however. We don't want to give the bad guys any ideas they don't already have.

We start by looking at some queries that can be used to uncover usernames, the less important half of most authentication systems. The value of a username is often overlooked, but as we've already discussed, an entire multimillion-dollar security system can be shattered through skillful crafting of even the smallest, most innocuous bit of information.

Next, we will take a look at queries that are designed to uncover passwords. Some of the queries we look at reveal encrypted or encoded passwords, which will take a bit of work on the part of an attacker to use to his or her advantage. We also take a look at queries that can uncover cleartext passwords. These queries are some of the most dangerous in the hands of even the most novice attacker. What could make an attack easier than handing a username and cleartext password to an attacker?

We wrap up this chapter by discussing the very real possibility of uncovering highly sensitive data such as credit card information and information used to commit identity theft, such as Social Security numbers. Our goal here is to explore ways of protecting against this very real threat. To that end, we don't go into details about uncovering financial information and the like. If you're a "dark side" hacker, you'll need to figure these things out on your own, or make the wise decision to turn to the light side of the force.

Searching for Usernames

Most authentication mechanisms use a username and password to protect information. To get through the "front door" of this type of protection, you'll need to determine usernames as well as passwords. Usernames also can be used for social engineering efforts, as we discussed earlier.

Many methods can be used to determine usernames. In the "Database Digging" chapter, we explored ways of gathering usernames via database error messages. In the "Tracking Down Web Servers" chapter, we explored Web server and application error messages that can reveal various information, including usernames. These indirect methods of locating usernames are helpful, but an attacker could target a usernames directory with a simple query like "your username is". This phrase can locate help pages that describe the username creation process, as shown in Figure 9.1.

346 Chapter 9 • Usernames, Passwords, and Secret Stuff, Oh My!

Figure 9.1 Help Documents Can Reveal Username Creation Processes

An attacker could use this information to postulate a username based on information gleaned from other sources, such as Google Groups posts or phone listings. The usernames could then be recycled into various other phases of the attack, such as a worm-based spam campaign or a social-engineering attempt. An attacker can gather usernames from a variety of sources, as shown in the sample queries listed in Table 9.1.
Table 9.1 Sample Queries That Locate Usernames

Query (with description below each)

inurl:admin inurl:userlist
    Generic userlist files

inurl:admin filetype:asp inurl:userlist
    Generic userlist files

inurl:php inurl:hlstats intext:"Server Username"
    Half-life statistics file, lists username and other information

filetype:ctl inurl:haccess.ctl
    Basic Microsoft FrontPage equivalent(?) of htaccess; shows Web user credentials

filetype:reg reg intext:"internet account manager"
    Microsoft Internet Account Manager can reveal usernames and more

filetype:wab wab
    Microsoft Outlook Express Mail address books

filetype:mdb inurl:profiles
    Microsoft Access databases containing (user) profiles

index.of perform.ini
    mIRC IRC ini file can list IRC usernames and other information

inurl:root.asp?acs=anon
    Outlook Mail Web Access directory can be used to discover usernames

filetype:conf inurl:proftpd.conf -sample
    PROFTP FTP server configuration file reveals username and server information

filetype:log username putty
    PuTTY SSH client logs can reveal usernames and server information

filetype:rdp rdp
    Remote Desktop Connection files reveal user credentials

intitle:index.of .bash_history
    UNIX bash shell history reveals commands typed at a bash command prompt; usernames are often typed as argument strings

intitle:index.of .sh_history
    UNIX shell history reveals commands typed at a shell command prompt; usernames are often typed as argument strings

"index of " lck
    Various lock files list the user currently using a file

+intext:webalizer +intext:"Total Usernames" +intext:"Usage Statistics for"
    Webalizer Web statistics page lists Web usernames and statistical information

filetype:reg reg HKEY_CURRENT_USER username
    Windows Registry exports can reveal usernames and other information

Underground Googling: Searching for a Known Filename

Remember that there are several ways to search for a known filename. One way relies on locating the file in a directory listing, like intitle:index.of install.log. Another, often better, method relies on the filetype operator, as in filetype:log inurl:install.log. Directory listings are not all that common. Google will crawl a link to a file in a directory listing, meaning that the filetype method will find both directory listing entries as well as files crawled in other ways.

In some cases, usernames can be gathered from Web-based statistical programs that check Web activity. The Webalizer program shows all sorts of information about a Web server's usage. Output files for the Webalizer program can be located with a query such as +intext:webalizer +intext:"Total Usernames" +intext:"Usage Statistics for". Among the information displayed is the username that was used to connect to the Web server, as shown in Figure 9.2. In some cases, however, the usernames displayed are not valid or current, but the "Visits" column lists the number of times a user account was used during the capture period. This enables an attacker to easily determine which accounts are more likely to be valid.

Figure 9.2 The Webalizer Output Page Lists Web Usernames

The Windows registry holds all sorts of authentication information, including usernames and passwords. Though it is unlikely (and fairly uncommon) to locate live, exported Windows registry files on the Web, at the time of this writing there are nearly 200 hits on the query filetype:reg HKEY_CURRENT_USER username, which locates Windows registry files that contain the word username and in some cases passwords, as shown in Figure 9.3.

Figure 9.3 Generic Windows Registry Files Can Reveal Usernames and Passwords

As any talented attacker or security person will tell you, it's rare to get information served to you on a silver platter. Most decent finds take a bit of persistence, creativity, intelligence, and just a bit of good luck. For example, consider the Microsoft Outlook Web Access portal, which can be located with a query like inurl:root.asp?acs=anon. There are few hits for this query, even though lots of sites run the Microsoft Web-based mail portal. Regardless of how you might locate a site running this e-mail gateway, it's not uncommon for the site to host a public directory (denoted "Find Names" by default), as shown in Figure 9.4.
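As an added defensive example (not code from the book), the check below walks a Web document root and flags the files that the queries in Table 9.1 and the Webalizer and registry examples above would surface, so they can be removed or access-controlled before Google indexes them. The filename patterns are my reading of those queries, the Webalizer markers are the strings from the query itself, and the sample document tree is constructed.

```python
import re
import tempfile
from pathlib import Path

# Filename patterns derived from the queries in Table 9.1 (matching on names only);
# the .lck suffix and the "userlist" substring are my reading of those queries.
NAME_PATTERNS = [
    (re.compile(r"\.(reg|wab|rdp|mdb)$", re.I), "file type from a filetype: query"),
    (re.compile(r"^(haccess\.ctl|perform\.ini|proftpd\.conf)$", re.I), "config file from an inurl: query"),
    (re.compile(r"^\.(bash|sh)_history$"), "shell history"),
    (re.compile(r"\.lck$|userlist", re.I), "lock or userlist file"),
]
# Content markers of a Webalizer statistics page, taken from the Table 9.1 query.
WEBALIZER_MARKERS = ("Usage Statistics for", "Total Usernames")
TEXT_SUFFIXES = {".html", ".htm", ".txt"}

def classify(path):
    """Return why a file could surface in a username-hunting query, or None."""
    for pattern, reason in NAME_PATTERNS:
        if pattern.search(path.name):
            return reason
    if path.suffix.lower() in TEXT_SUFFIXES and path.stat().st_size < 1_000_000:
        text = path.read_text(errors="replace")
        if all(marker in text for marker in WEBALIZER_MARKERS):
            return "Webalizer usage page listing usernames"
    return None

def audit_webroot(root):
    """Walk a document root and return sorted (relative path, reason) pairs."""
    root = Path(root)
    hits = [(p.relative_to(root).as_posix(), classify(p)) for p in root.rglob("*") if p.is_file()]
    return sorted(hit for hit in hits if hit[1])

def build_sample_tree(base):
    """Constructed sample document root (not real data) for the demo and the test."""
    files = {
        "index.html": "<html><body>Welcome</body></html>",
        "backup/desktop-export.reg": "Windows Registry Editor Version 5.00\n",
        "stats/usage_200710.html": "<h2>Usage Statistics for example.test</h2>Total Usernames 12",
        "tmp/.bash_history": "ssh alice@intranet.example.test\n",
    }
    for rel, content in files.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return Path(base)

def demo_findings():
    """Audit the constructed tree in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_webroot(build_sample_tree(tmp))
```

Run audit_webroot against a real document root to get the same (path, reason) list; the benign index.html in the sample tree is deliberately not reported.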