Google hacking for penetration tester - part 44 pptx


Figure 11.15 More Water Fountain Fun

Moving along to a more traditional network fixture, consider the screenshot captured in Figure 11.16.

Google Hacking Showcase • Chapter 11 431 452_Google_2e_11.qxd 10/5/07 1:19 PM Page 431

Figure 11.16 An IDS Manager on Acid

Now, I’ve been in the security business for a lot of years, and I’m not exactly brilliant in any one particular area of the industry. But I do know a little bit about a lot of different things, and one thing I know for sure is that security products are designed to protect stuff. It’s the way of things. But when I see something like the log shown in Figure 11.16, I get all confused. See, this is a web-based interface for the Snort intrusion detection system. The last time I checked, this data was supposed to be kept away from the eyes of an attacker, but I guess I missed an email or something. But I suppose there’s logic to this somewhere. Maybe if the attacker sees his screw-ups on a public webpage, he’ll be too ashamed to ever hack again, and he’ll go on to lead a normal productive life. Then again, maybe he and his hacker buddies will just get a good laugh out of his good fortune. It’s hard to tell.

Open Applications

Many mainstream web applications are relatively idiot-proof, designed for the point-and-click masses that know little about security. Even still, the Google hacking community has discovered hundreds of online apps that are wide open, just waiting for a point-and-click script kiddy to come along and own them. The first in this section was submitted by Shadowsliv and is shown in Figure 11.17.

Figure 11.17 Tricky Pivot Hack Requires Five Correct Field Fills

The bad news is that if a hacker can figure out what to type in those confusing fields, he’ll have his very own Pivot web log.
The good news is that most skilled attackers will leave this site alone, figuring that any software left this unprotected must be a honeypot. It’s really sad that hacking (not real hacking mind you) can be reduced to a point-and-click affair, but as Arrested’s search reveals in Figure 11.18, owning an entire website can be a relatively simple affair.

Figure 11.18 PHP-Nuke Ownage in Four Correct Field Fills

Sporting one less field than the open Pivot install, this configuration page will create a PHP-Nuke Administrator account, and allow any visitor to start uploading content to the page as if it were their own. Of course, this takes a bit of malicious intent on behalf of the web visitor. There’s no mistaking the fact that he or she is creating an Administrator account on a site that does not belong to them. However, the text of the page in Figure 11.19 is a bit more ambiguous.

Figure 11.19 Hack This PHP-Nuke Install “For Security Reasons”

The bold text in the middle of the page really cracks me up. I can just imagine somebody’s poor Grandma running into this page and reading it aloud. “For security reasons, the best idea is to create the Super User right NOW by clicking HERE.” I mean who in their right mind would avoid doing something that was for security reasons? For all Grandma knows, she may be saving the world from evil hackers… by hacking into some poor fool’s PHP-Nuke install.

And as if owning a website isn’t cool enough, Figure 11.20 (submitted by Quadster) reveals a phpMyAdmin installation logged in as root, providing unfettered access to a MySQL database.

Figure 11.20 Open phpMyAdmin - MySQL Ownage for Dummies

With a website install and an SQL database under his belt, it’s a natural progression for a Google hacker to want the ultimate control of a system.
VNC installations provide remote control of a system’s keyboard and mouse. Figure 11.21, submitted by Lester, shows a query that locates RealVNC’s Java-based client.

Figure 11.21 Hack A VNC, Grab A Remote Keyboard

Locating a client is only part of the equation, however. An attacker will still need to know the address, port and (optional) password for a VNC server. As Figure 11.22 reveals, the Java client itself often provides two-thirds of that equation in a handy popup window.

Figure 11.22 VNC Options Handed Up With a Side of Fries

If the hacker really lucks out and stumbles on a server that’s not password protected, he’s faced with the daunting task of figuring out which of the four buttons to click in the above connection window. Here’s a hint for the script kiddie looking to make his way in the world: it’s not the Cancel button.

Of course running without a password is just plain silly. But passwords can be so difficult to remember and software vendors obviously realize this as evidenced by the password prompt shown in Figure 11.23.

Figure 11.23 Handy Password Reminder, In Case The Hacker Forgot

Posting the default username/password combination on a login popup is just craziness. Unfortunately it’s not an isolated event. Check out Figure 11.24, submitted by Jimmy Neutron. Can you guess the default password?

Figure 11.24 You Suck If You Can’t Guess This Default Password

Graduating to the next level of hacker leetness requires a bit of work. Check out the user screen shown in Figure 11.25, which was submitted by Dan Kaminsky.
Figure 11.25 Welcome To Guest Access

If you look carefully, you’ll notice that the URL contains a special field called ADMIN, which is set to False. Think like a hacker for a moment and imagine how you might gain administrative access to the page. The spoiler is listed in Figure 11.26.

Figure 11.26 Admin Access through URL Tinkering

Check out the shiny new Exit Administrative Access button. By changing the ADMIN field to True, the application drops us into Administrative access mode. Hacking really is hard, I promise.

Cameras

I’ve got to be honest and admit that like printer queries, I’m really sick of webcam queries. For a while there, every other addition to the GHDB was a webcam query. Still, some webcam finds are pretty interesting and worth mentioning in the showcase. I’ll start with a cell phone camera dump, submitted by Vipsta as shown in Figure 11.27. Not only is this an interesting photo of some pretty serious-looking vehicular carnage, but the idea that Google trolls camera phone picture sites is interesting. Who knows what kind of blackmail fodder lurks in the world’s camera phones. Not that anyone would ever use that kind of information for sensationalistic or economically lucrative purposes. Ahem.

Figure 11.27 Google Crawled Vehicular Carnage

Moving on, check out the office-mounted open web camera submitted by Klouw as shown in Figure 11.28.

Figure 11.28 Remote Shoulder Surfing 101

This is really an interesting web cam. Not only does it reveal all the activity in the office, but it seems especially designed to allow remote shoulder surfing. Hackers used to have to get out of the house to participate in this classic sport. These days all they have to do is fire off a few Google searches.
Figure 11.29, submitted by Jimmy Neutron, shows the I.T. infrastructure of a tactical US nuclear submarine.

Figure 11.29 Not Really A Tactical US Nuclear Submarine

OK, so not really. It’s probably just a nuclear reactor or power grid control center or even a drug lord’s warehouse in Columbia (Maryland). Or maybe I’ve been reading too many Stealing The Network books. Either way, it’s a cool find none the less.

Figure 11.30, however (submitted by JBrashars) is unmistakable. It’s definitely a parking lot camera. I’m not sure why, exactly, a camera is pointed at a handicapped parking space, but my guess is that there have been reports of handicapped parking spot abuse. Imagine the joy of being the guard that gets to witness the CIO parking in the spot, leaping out of his convertible and running into the building. Those are the stories of security guard legends.
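The ADMIN URL field from Figures 11.25 and 11.26, as an added example that is not code from the book or from the application shown: a handler that trusts the field, beside one that decides from a signed, server-side session. The URLs, session store and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed server-side state: the role lives here, never in the URL.
SERVER_KEY = secrets.token_bytes(32)
SESSIONS = {}  # session id -> {"user": ..., "role": ...}

def _sign(sid):
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()

def new_session(user, role):
    """Create a session and return the signed token that goes in the cookie."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "role": role}
    return f"{sid}.{_sign(sid)}"

def is_admin_vulnerable(url):
    """Pattern behind Figures 11.25/11.26: trust the ADMIN field in the URL."""
    params = parse_qs(urlsplit(url).query)
    return params.get("ADMIN", ["False"])[0].lower() == "true"

def is_admin_hardened(url, cookie_token):
    """Ignore request parameters; decide from the verified session record."""
    sid, _, sig = (cookie_token or "").partition(".")
    if not hmac.compare_digest(sig.encode(), _sign(sid).encode()):
        return False  # missing or tampered token
    session = SESSIONS.get(sid)
    return session is not None and session["role"] == "admin"

def audit(url, cookie_token):
    """Return both decisions for one request so the difference is visible."""
    return {"vulnerable": is_admin_vulnerable(url),
            "hardened": is_admin_hardened(url, cookie_token)}

if __name__ == "__main__":
    guest = new_session("guest", "guest")
    admin = new_session("alice", "admin")
    # Constructed URLs; host and path are placeholders.
    print(audit("http://app.example/users.cgi?ADMIN=False", guest))
    print(audit("http://app.example/users.cgi?ADMIN=True", guest))
    print(audit("http://app.example/users.cgi?ADMIN=False", admin))
```

The second request is the one the figures describe: the URL-trusting check grants admin to a guest session, while the session-based check does not.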

Date posted: 04/07/2014, 17:20
