Google hacking for penetration tester - part 40 pptx

Figure 10.12 reveals several scheduled telephone conferences. Notice that the conference phone number and access code are also listed. An attacker could easily join the telephone conference at the scheduled time and silently eavesdrop on the conference. Mission accomplished.There is a lot attackers can learn from the conversation, like corporate secrets, tech- nical details about systems in operations, etc. Of course we can try variations of the above quires and even space them up with more keywords so we can get a better picture. For example the query “username password” returns results about people who may stored sensitive login information within their calendar, as shown in Figure 10.13. Figure 10.13 Calendar Search for “username password” This is just the beginning though, how about looking for birthdays, pet’s names, etc. As you probably know, a lot of password reminder facilities have a secret question.The secrets answer is usually something that we choose from our daily life so there is no chance that we can forget. However, the Calendar application may also contain our daily activities. When we mash both, we might be able to crack into the targeted user account by simply reading their calendar. There are many different ways; the Calendar service can be abused.The main and most important security consideration that we, as users, need to make is whether the information that is enclosed within the Google’s shiny event cells is sensitive and can be used to harm us. Hacking Google Services • Chapter 10 391 452_Google_2e_10.qxd 10/5/07 1:13 PM Page 391 Blogger and Google’s Blog Search Blogger is Google’s blogging software hosted at blogger.com and blogspot.com. Blogger is one of the most widely used blogging platforms. It allows almost instant creations of mul- tiple blogs and has some great features for collaborating with others and preventing com- ment and trackback spam. When speaking about blogs, there are a several points that we need to take into consideration.The first and most important one is that blogs are public and are meant to be read by the Internet community. Saying that, it is important that you do not publish information about yourself which later may have serious consequences on your life. What is born on the Web stays on the web. Blog feeds are aggregated by numerous online services. It is almost impossible to remove what you once have said.The information on your blog will most probably be used by your future employer as part of the standard background checks (See Figure 10.14), when applying for a job. We have already proved that a few simple queries can reveal a lot of interesting information. Google simplifies to a great extent the process of looking into interesting information in blogs. Meat Google’s Blog Search (see Figure 10.14). Figure 10.14 Google Blog Search Despite the fact that Google’s Blogger service effectively blocks content and trackback SPAM, there’s one loophole: what happens when SPAM originates from blogs posts them- selves? 392 Chapter 10 • Hacking Google Services 452_Google_2e_10.qxd 10/5/07 1:13 PM Page 392 Enter the SPLOG. Splogs, or Spam Blogs, are normal blogs that reflect content con- sumed/aggregated from external entities but also provide additional information to accom- modate their owner’s purpose. There are a number of reasons why splogs are interesting to malicious minds.The first reason is that attackers do not have to write the blog, a task that is very time consuming, and yet make people subscribe or attend their content.As a splog’s search engine ranking increases, it attracts more visitors. If an attacker stands up an exploit on the splog’s page targeted at popular web browsers he may be able to take over hundreds of machines in mere moments. In addition, splogs may contain ads which can generate income for the owner.The more popular the splog is, the more money it will make. If a single splog can make $20 a day, mul- tiple splogs can make much more. Splogging is a 24/7 business that earns big money. No matter whether malicious minds will use splogging techniques to attract victims or make money, it is interesting to see what’s behind the scenes. In the following section we are going to take a detailed look at how splogging works. We will examine a splog generation script which makes use of Google’s Blogger service. Google Splogger Google has excellent application programming interfaces (APIs). One of the most famous Google Services is known as GData, from Google Data. GData allows developers to perform programmatic operations on Google’s services. For example, GData can be used to programmatically update Google Calendar instances. GData can also be used to create, delete and manage Blogger entries and also manage our submissions to Google Base.The stage then seems to be set for Google’s blogging service to be used as a base for splogging. In this section we’ll show how this could be accomplished, but please note that we’re not in the business of educating criminals. If you intend to use this information for malicious purposes, be advised that Google has every right to block your access to their service.They may even have the right to pursue legal action if you persist in performing malicious actions using their services. In the following example we are going to make use of GData’s Blogger interface. The following script allows us to programmatically login into Blogger and submit a new post. Effectively we can use a similar approach to automatically harvest RSS feeds and then upload them to a particular Blogger account which could then be used for splogging purposes. # GoogleSplogger # Copyright (C) 2007 Petko D. Petkov (GNUCITIZEN) # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or Hacking Google Services • Chapter 10 393 452_Google_2e_10.qxd 10/5/07 1:13 PM Page 393 # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA __version__ = '1.0' __author__ = 'Petko D. Petkov; pdp (architect)' __doc__ = """ GoogleSplogger (GNUCITIZEN) http://www.gnucitizen.org by Petko D. Petkov; pdp (arhictect) """ import atom import gdata.service class GoogleSplogger: """ GoogleSplogger The power of Blogger in a single object """ def __init__(self, email, password): self.client = gdata.service.GDataService(email, password) self.client.source = 'Splogger ' + __version__ self.client.service = 'blogger' self.client.server = 'www.blogger.com' self.client.ProgrammaticLogin() self.available_blogs = self.get_blogs() def get_blogs(self): """ 394 Chapter 10 • Hacking Google Services 452_Google_2e_10.qxd 10/5/07 1:13 PM Page 394 get_blogs -> Dict Get a dictionary of available blogs. """ blogs = {} feed = self.client.Get('/feeds/default/blogs') for i in feed.entry: title = i.title.text for a in i.link: if a.rel == 'self': blogs[title] = a.href.split('/')[-1] return blogs def post(self, blog_name, title, content, author_name): """ post(blog_name, title, content, author_name) -> ? Post a new entry to blog """ if blog_name not in self.available_blogs: raise 'blog name not found' entry = gdata.GDataEntry() entry.author.append(atom.Author(atom.Name(text=author_name))) entry.title = atom.Title('xhtml', title) entry.content = atom.Content('html', '', content) return self.client.Post(entry, '/feeds/' \ + self.available_blogs[blog_name] + '/posts/default') def usage(prog): print 'usage: ' + prog + ' -u username -p [password] -P blog ' \ '-t title -c [content] -a author' print ' ' + prog + ' -u username -p [password] -l' print '-u username username for the login' print '-p [password] password for the login' print '-P blog post to blog' Hacking Google Services • Chapter 10 395 452_Google_2e_10.qxd 10/5/07 1:13 PM Page 395 print '-t title title for the new post' print '-c [content] content for the new post' print '-a author author for the new post' print '-l list available blogs' print '-h print this page' if __name__ == '__main__': import sys import getopt import getpass try: opts, args = getopt.gnu_getopt(sys.argv[1:], 'hlcpu:p:P:t:c:a:') except Exception, e: print e print usage(sys.argv[0]) sys.exit() username = None password = None action = None post_blog = None post_title = None post_author = None post_content = None for key, val in opts: if key == '-h': usage(sys.argv[0]); sys.exit(); elif key == '-l': action = 'list' elif key == '-P': action = 'post' 396 Chapter 10 • Hacking Google Services 452_Google_2e_10.qxd 10/5/07 1:13 PM Page 396 post_blog = val elif key == '-u': username = val elif key == '-p': password = val elif key == '-t': post_title = val elif key == '-a': post_author = val elif key == '-c': post_content = val if not action or not username: usage(sys.argv[0]) sys.exit() if action == 'post' and \ (not post_blog or not post_title or not post_author): usage(sys.argv[0]) sys.exit() if not password: password = getpass.getpass('password: ') try: gs = GoogleSplogger(username, password) except Exception, e: print e sys.exit() if action == 'post' and post_blog not in gs.available_blogs: print 'blog not found within the user profile' sys.exit() Hacking Google Services • Chapter 10 397 452_Google_2e_10.qxd 10/5/07 1:13 PM Page 397 if action == 'post' and not post_content: post_content = sys.stdin.read() if action == 'list': for i in gs.available_blogs: print i elif action == 'post': gs.post(post_blog, post_title, post_content, post_author) NOTE GoogleSplogger.py requires the presence of Google’s GData API library for Python. The library can be obtained from the following URL: http://code.google.com/p/gdata-python-client/. Once the library is down- loaded, extract the content of the archive and enter into that folder via the command line. Make sure that you have the permissions required to install Python module and type: python setup.py. The setup.py script should install the rest of the API without any problems. There are several ways you can run the script that we’ve listed here. For example, in order to list the names of the blogs that are currently registered under our profile, type the following command: python GoogleSplogger.py -l -u username -p password Keep in mind that if you do not provide the value for the -p (password) flag, you will be asked to enter it at run time.This method is preferred since you may not want to leave traces of your password in the system and command log files. Sample output from the command is shown on Figure 10.15. 398 Chapter 10 • Hacking Google Services 452_Google_2e_10.qxd 10/5/07 1:13 PM Page 398 Figure 10.15 Enumerating Current Blogs Once we have the blog names, we can post to them. For example: python GoogleSplogger.py -u username -p -P blog_name_here -t title_for_the_post -a author –c After executing the command you will be asked to enter your password, followed by the post content. When you are done entering the post, simply terminate the input by pressing CTRL+Z within Windows or CTRL+D from within Unix. See Figure 10.16. Figure 10.16 Command line Posting to Blogger Hacking Google Services • Chapter 10 399 452_Google_2e_10.qxd 10/5/07 1:13 PM Page 399 Figure 10.17 Result This is simple enough, but the process can be streamlined further. Here’s another way to post a new blog entry, this time with the password inline: python GoogleSplogger.py -u username -p password -P blog_name_here -t title_for_the_post -a author -c << EOF Once you are done writing the post type EOF on a new line. A post can also be sub- mitted from a file: python GoogleSplogger.py -u username -p password -P blog_name_here -t title_for_the_post -a author -c < file.txt Programmatically inserting new posts into Blogger is not that useful. But the following example shows how easy it is to grab someone else’s blog data and inject it into our blog. For that purpose, we are going to need another python utility which is based on a library called FeedParser from http://cheeseshop.python.org/pypi/FeedParser/4.1.The installation procedure for this package is the one used for all python packages. Start python from the command line and make sure that the GoogleSplogger.py script is within your current working directory.Type the following commands: import feedparser import GoogleSplogger 400 Chapter 10 • Hacking Google Services 452_Google_2e_10.qxd 10/5/07 1:13 PM Page 400 . prog + ' -u username -p [password] -P blog ' '-t title -c [content] -a author' print ' ' + prog + ' -u username -p [password] -l' print '-u username. inline: python GoogleSplogger.py -u username -p password -P blog_name_here -t title _for_ the_post -a author -c << EOF Once you are done writing the post type EOF on a new line. A post can also be sub- mitted. Blogs Once we have the blog names, we can post to them. For example: python GoogleSplogger.py -u username -p -P blog_name_here -t title _for_ the_post -a author –c After executing the command you will