Google hacking for penetration tester - part 43 potx

Geek Stuff

This section is about computer stuff. It's about technical stuff, the stuff of geeks. We will take a look at some of the more interesting technical finds uncovered by Google hackers. We'll begin by looking at various utilities that really have no business being online, unless of course your goal is to aid hackers. Then we'll look at open network devices and open applications, neither of which requires any real hacking to gain access to.

Utilities

Any self-respecting hacker has a war chest of tools at his disposal, but the thing that's interesting about the tools in this section is that they are online—they run on a web server and allow an attacker to effectively bounce his reconnaissance efforts off of that hosting web server. To make matters worse, these application-hosting servers were each located with clever Google queries.

We'll begin with the handy PHP script shown in Figure 11.1, which allows a web visitor to ping any target on the Internet. A ping isn't necessarily a bad thing, but why offer the service to anonymous visitors?

Figure 11.1 Php-ping.cgi Provides Free Ping Bounces

Unlike the ping tool, the finger tool has been out of commission for quite a long time. This annoying service allowed attackers to query users on a UNIX machine, allowing enumeration of all sorts of information such as user connect times, home directory, full name and more. Enter the finger CGI script, an awkward attempt to "webify" this irritating service. As shown in Figure 11.2, a well-placed Google query locates installations of this script, providing web visitors with a finger client that allows them to query the service on remote machines.

Google Hacking Showcase • Chapter 11 421 452_Google_2e_11.qxd 10/5/07 1:19 PM Page 421

Figure 11.2 Finger CGI Script Allows Remote Fingering

Pings and finger lookups are relatively benign; most system administrators won't even notice them traversing their networks.
Port scans, on the other hand, are hardly ever considered benign, and a paranoid administrator (or piece of defense software) will take note of the source of a port scan. Although most modern port scanners provide options which allow for covert operation, a little Google hacking can go a long way. Figure 11.3 reveals a Google search submitted by Jimmy Neutron which locates sites that will allow a web visitor to portscan a target. Remember, scans performed in this way will originate from the web server, not from the attacker. Even the most paranoid system administrator will struggle to trace a scan launched in this way: the scanned target only ever sees the web server, and the attacker's real address is recorded, if anywhere, in that web server's own access log, so tracing the scan means getting the cooperation of whoever runs the bouncing host. Of course, most attackers won't stop at a portscan. They will most likely opt to continue probing the target with any number of network utilities which could reveal their true location. However, if an attacker locates a web page like the one shown in Figure 11.4 (submitted by Jimmy Neutron), he can channel various network probes through the WebUtil Perl script hosted on that remote server. Once again, the probes will appear to come from the web server, not from the attacker.

Figure 11.3 PHPPort Scanner - A Nifty Web-Based Portscanner

Figure 11.4 WebUtil Lets An Attacker Do Just About Anything

The web page listed in Figure 11.5 (submitted by Golfo) lists the name, address and device information for a school's "student enrollment" systems. Clicking through the interface reveals more information about the architecture of the network, and the devices connected to it. Consolidated into one easy-to-read interface and located with a Google search, this page makes short work of an attacker's reconnaissance run.
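The bounce problem has a defensive side that the text leaves implicit: the hosting server is the one party that does see the attacker's real address. The following script is an added example, not code from the book or from any of the scripts it pictures. It walks an Apache/nginx combined-format access log and flags clients that drive a web-hosted ping, finger, portscan or WebUtil-style script at several distinct targets. The script paths in UTILITY_PATHS, the query-parameter names in TARGET_PARAMS and the sample log lines are constructed assumptions; replace them with whatever you actually find in your own document roots and logs.

```python
"""Flag clients abusing web-hosted network utilities (ping, finger,
portscan, WebUtil-style CGIs) in an Apache/nginx combined access log.

Added example, not code from the book. Script paths, parameter names
and the sample log lines below are constructed assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Assumed locations of the utility scripts on *your* server; the book
# shows php-ping, a finger CGI, PHPPort Scanner and WebUtil, but not
# the paths they were installed under, so these are guesses.
UTILITY_PATHS = {
    "/cgi-bin/php-ping.cgi": "ping",
    "/cgi-bin/finger.cgi": "finger",
    "/tools/portscan.php": "portscan",
    "/cgi-bin/webutil.pl": "webutil",
}

# Query-string names such scripts commonly use for the probe target (assumed).
TARGET_PARAMS = ("host", "target", "ip", "query", "addr")

# Apache/nginx "combined" format: client ident user [ts] "METHOD URL PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_hit(line):
    """Return a dict for a request to a known utility script, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    tool = UTILITY_PATHS.get(parts.path)
    if tool is None:
        return None
    qs = parse_qs(parts.query)
    # POSTed targets live in the request body, which the access log does
    # not record, so target stays None for those hits (they still count).
    target = next((qs[p][0] for p in TARGET_PARAMS if p in qs), None)
    return {
        "client": m.group("client"),
        "tool": tool,
        "target": target,
        "status": int(m.group("status")),
    }


def bounce_report(lines):
    """Aggregate utility hits per client: hit count, tools used, distinct targets."""
    per_client = defaultdict(lambda: {"hits": 0, "tools": set(), "targets": set()})
    for line in lines:
        hit = parse_hit(line)
        if hit is None:
            continue
        entry = per_client[hit["client"]]
        entry["hits"] += 1
        entry["tools"].add(hit["tool"])
        if hit["target"] is not None:
            entry["targets"].add(hit["target"])
    return {
        client: {"hits": e["hits"], "tools": sorted(e["tools"]), "targets": sorted(e["targets"])}
        for client, e in per_client.items()
    }


def flagged_clients(lines, min_targets=3):
    """Clients that aimed the hosted tools at at least min_targets distinct hosts."""
    report = bounce_report(lines)
    return sorted(c for c, e in report.items() if len(e["targets"]) >= min_targets)


# Constructed sample log; addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2007:13:55:36 -0700] "GET /cgi-bin/php-ping.cgi?host=198.51.100.5 HTTP/1.0" 200 2326 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [10/Oct/2007:13:55:41 -0700] "GET /cgi-bin/php-ping.cgi?host=198.51.100.6 HTTP/1.0" 200 2301 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [10/Oct/2007:13:56:02 -0700] "GET /tools/portscan.php?target=198.51.100.7&ports=1-1024 HTTP/1.0" 200 8812 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [10/Oct/2007:13:57:15 -0700] "POST /cgi-bin/webutil.pl HTTP/1.0" 200 1190 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [10/Oct/2007:14:02:07 -0700] "GET /cgi-bin/finger.cgi?query=root@198.51.100.8 HTTP/1.1" 200 640 "-" "curl/7.16"',
    '203.0.113.9 - - [10/Oct/2007:14:02:09 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/7.16"',
    '198.51.100.20 - - [10/Oct/2007:14:10:44 -0700] "GET /cgi-bin/php-ping.cgi?host=example.org HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, entry in bounce_report(SAMPLE_LOG).items():
        print(client, entry)
    print("flagged:", flagged_clients(SAMPLE_LOG))
```

A 404 against one of these paths is worth keeping in the report as well: it usually means someone is checking whether your server hosts the script, which is exactly what the Google queries in this chapter automate.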
Figure 11.5 WhatsUp Status Screen Provides Guests with a Wealth of Information

Open Network Devices

Why hack into a network server or device when you can just point and click your way into an open network device? Management devices, like the one submitted by Jimmy Neutron in Figure 11.6, often list all sorts of information about a variety of devices.

Figure 11.6 Open APC Management Device

When m00d submitted the query shown in Figure 11.7, I honestly didn't think much of it. The SpeedStream router is a decidedly lightweight device installed by home users, but I was startled to find them sitting wide-open on the Internet. I personally like the button in the point-to-point summary listing. Who do you want to disconnect today?

Figure 11.7 Open SpeedStream DSL Router Allows Remote Disconnects

Belkin is a household name in home network gear. With their easy-to-use web-based administrative interfaces, it makes sense that eventually pages like the one in Figure 11.8 would get crawled by Google. Even without login credentials, this page reveals a ton of information that could be interesting to a potential attacker. I got a real laugh out of the Features section of the page. The firewall is enabled, but the wireless interface is wide open and unencrypted. As a hacker with a social conscience, my first instinct is to enable encryption on this access point—in an attempt to protect this poor home user from themselves.

Figure 11.8 Belkin Router Needs Hacker Help

Milkman brings us the query shown in Figure 11.9, which digs up the configuration interface for Smoothwall personal firewalls. There's something just wrong about Google hacking someone's firewall.
Figure 11.9 Smoothwall Firewall Needs Updating

As Jimmy Neutron reveals in the next two figures, even big-name gear like Cisco shows up in the recesses of Google's cache every now and again. Although it's not much to look at, the switch interface shown in Figure 11.10 leaves little to the imagination—all the configuration and diagnostic tools are listed right on the main page.

Figure 11.10 Open Cisco Switch

This second Cisco screenshot should look familiar to Cisco geeks. I don't know why, but the Cisco nomenclature reminds me of a bad Hollywood flick. I can almost hear the grating voice of an over-synthesized computer beckoning, "Welcome to Level 15." On Cisco IOS, privilege level 15 is the full enable level, so a browser session that has been let in at Level 15 has complete administrative control of the device.

Figure 11.11 Welcome to Cisco Level 15

The search shown in Figure 11.12 (submitted by Murfie) locates interfaces for an Axis network print server. Most printer interfaces are really boring, but this one in particular piqued my interest. First, there's the button named configuration wizard, which I'm pretty sure launches a configuration wizard. Then there's the handy link labeled Print Jobs, which lists the print jobs. In case you haven't already guessed, Google hacking sometimes leaves little to the imagination.

Printers aren't entirely boring things. Consider the Web Image Monitor shown in Figure 11.13. I particularly like the document on Recent Religion Work. That's quite an honorable pursuit, except when combined with the document about Aphrodisiacs. I really hope the two documents are unrelated. Then again, nothing surprises me these days.
Figure 11.12 Axis Print Server with Obscure Buttonage

Figure 11.13 Ricoh Print Server Mixes Religion and Aphrodisiacs

CP has a way of finding Google hacks that make me laugh, and Figure 11.14 is no exception. Yes, this is the web-based interface to a municipal water fountain.

Figure 11.14 Hacking Water Fountains For Fun and Profit

After watching the water temperature fluctuate for a few intensely boring seconds, it's only logical to click on the Control link to see if it's possible to actually control the municipal water fountain. As Figure 11.15 reveals, yes it is possible to remotely control the municipal water fountain. One bit of advice though—if you happen to bump into one of these, be nice. Don't go rerouting the power into the water storage system. I think that would definitely constitute an act of terrorism.
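Every device in this section was reachable from the public Internet and answered without a login. The following script is an added example, not code from the book or from any vendor, and it is the check an owner can run against their own external addresses: it tells an HTTP authentication challenge or a login form (not exposed) apart from a page that hands configuration, reboot or disconnect controls to an anonymous visitor (exposed). The CONTROL_WORDS list, the fetch helper's User-Agent string and the sample responses are constructed assumptions; the samples imitate the kinds of pages in Figures 11.7, 11.10 and 11.11 but are not copies of them.

```python
"""Audit whether a device's web interface is reachable without a login.

Added example, not from the book. CONTROL_WORDS, the fetch helper's
User-Agent and the sample responses are constructed assumptions.
"""
import re
import urllib.error
import urllib.request
from html.parser import HTMLParser

# Link targets, form actions and button labels that mark management
# functions rather than a brochure page (assumed list; extend for your gear).
CONTROL_WORDS = ("reboot", "restart", "disconnect", "config", "setup",
                 "admin", "control", "wizard", "firmware", "print jobs")


class _PageScan(HTMLParser):
    """Collect the <title>, any password inputs and the page's controls."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False
        self.password_inputs = 0
        self.controls = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "title":
            self._in_title = True
        elif tag == "input":
            kind = a.get("type", "").lower()
            if kind == "password":
                self.password_inputs += 1
            elif kind in ("submit", "button") and a.get("value"):
                self.controls.append(a["value"])
        elif tag in ("form", "a"):
            ref = a.get("action") if tag == "form" else a.get("href")
            if ref:
                self.controls.append(ref)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data.strip()


def classify(status, headers, body):
    """Return (verdict, reason): auth-required, login-form, exposed or unknown."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 401 or "www-authenticate" in h:
        return "auth-required", "HTTP authentication challenge"
    if 300 <= status < 400:
        loc = h.get("location", "")
        if re.search(r"login|signin|auth", loc, re.I):
            return "auth-required", f"redirect to {loc}"
        return "unknown", f"redirect to {loc or '?'}"
    if status != 200:
        return "unknown", f"status {status}"
    scan = _PageScan()
    scan.feed(body)
    if scan.password_inputs:          # a login page, not an open console
        return "login-form", f"password field on '{scan.title}'"
    hits = sorted({c for c in scan.controls
                   if any(w in c.lower() for w in CONTROL_WORDS)})
    if hits:                          # management controls with no login at all
        return "exposed", f"'{scan.title}' offers {', '.join(hits)} with no login"
    return "unknown", f"'{scan.title}' shows no management controls"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None                   # surface 3xx instead of following it


def fetch(url, timeout=5):
    """Network helper: return (status, headers, body) for classify()."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-audit/0.1"})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read(65536).decode("utf-8", "replace")


def audit(responses):
    """Map each name in {name: (status, headers, body)} to its verdict."""
    return {name: classify(*resp)[0] for name, resp in responses.items()}


# Constructed responses imitating the kinds of pages in the figures.
SAMPLES = {
    "dsl-router": (200, {}, "<html><head><title>Point-to-Point Summary</title></head><body>"
                  "<form action='/disconnect.cgi'><input type='submit' value='Disconnect'></form></body></html>"),
    "switch": (401, {"WWW-Authenticate": 'Basic realm="level_15_access"'}, ""),
    "login-page": (200, {}, "<html><head><title>Router Login</title></head><body><form action='/login.cgi'>"
                  "<input type='password' name='pw'><input type='submit' value='Log in'></form></body></html>"),
    "redirect": (302, {"Location": "/login.html"}, ""),
    "brochure": (200, {}, "<html><head><title>Welcome</title></head><body><a href='/about.html'>About us</a></body></html>"),
}

if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        print(f"{name:10s} {classify(*resp)}")
```

Run it against live hosts with `classify(*fetch("http://203.0.113.1/"))` (your own address, not the documentation one). The redirect handler is there because a stock urlopen would silently follow the 302 to the login page and report a harmless 200, hiding the fact that the device does require a login.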

Posted: 04/07/2014, 17:20