Google hacking for penetration tester - part 46 pptx


This front-end was designed to put a new face on an older PBX product, but client security seems to have been an afterthought. Notice that the interface asks the user to “Logout” of the interface, indicating that the user is already logged in. Also, notice that cryptic button labeled Start Managing the Device. After firing off a Google search, all a malicious hacker has to do is figure out which button to press. What an unbelievably daunting task.

Power

I get a lot of raised eyebrows when I talk about using Google to hack power systems. Most people think I’m talking about UPS systems like the one submitted by Yeseins in Figure 11.47.

Figure 11.47 Whazzups?

This is a clever Google query, but it’s only an uninterruptible power system (UPS) monitoring page. This can be amusing, but as Jimmy Neutron shows in Figure 11.48, there are more interesting power hacking opportunities available.

Google Hacking Showcase • Chapter 11 451 452_Google_2e_11.qxd 10/5/07 1:19 PM Page 451

Figure 11.48 Bedroom Hacking For Dummies

AMX NetLinx systems are designed to allow control of power systems. The figure above seems to suggest that a web visitor could control power in a theater, a family room and the master bedroom of a residence. The problem is that the Google search turns up a scarce number of results, most of which are password protected. As an alternative, Jimmy offers the search shown in Figure 11.49.

Figure 11.49 Passwords Are Nifty, Especially Default Ones

Although this query results in a long list of password-protected sites, many sites still use the default password, providing access to the control panel shown in Figure 11.50.

Figure 11.50 Google Hacking Light Sockets? Uh oh.
This control panel lists power sockets alongside interesting buttons named Power and Restart, which even the dimmest of hackers will undoubtedly be able to figure out. The problem with this interface is that it’s just not much fun. A hacker will definitely get bored flipping unnamed power switches—unless of course he also finds an open webcam so he can watch the fun. The search shown in Figure 11.51 seems to address this, naming each of the devices for easy reference.

Figure 11.51 Step Away From The Christmas Lights

Of course even the most vicious hackers would probably consider it rude to nail someone’s Christmas lights, but no hacker in their right mind could resist the open HomeSeer control panel shown in Figure 11.52.

Figure 11.52 Bong Hacking. BONG Hacking.

The HomeSeer control panel puts the fun back into power hacking, listing descriptions for each control, as well as an On, Off and slider switch for applicable elements. Some of the elements in this list are quite interesting, including Lower Motion and Bathroom. The best though is definitely Electric Bong. If you’re a member of the Secret Service looking to bust the owner of this system, I would suggest a preemptive Google strike before barging into the home. Start by dimming the lights, and then nail the motion sensors. Last but not least, turn on the electric bong in case your other charges don’t stick.

Sensitive Info

Sensitive info is such a generic term, but that’s what this section includes: a hodgepodge of sensitive info discovered while surfing Google. We’ll begin with the VCalendar search submitted by Jorokin as shown in Figure 11.53.
Figure 11.53 Let Me Check Their Calendar

There’s at least a decent possibility that these calendar files were made public on purpose, but the Netscape history file submitted by Digital_Revolution in Figure 11.54 shouldn’t be public.

Figure 11.54 Hot Chicks at IBM? Nah.

For starters, the file contains the user’s POP email username and encoded password. Then there’s the issue of his URL history, which contains not only the very respectable IBM.com, but also the not-so-respectable hotchicks.com, which I’m pretty sure is NSFW. Next up is an MSN contact list submitted by Harry-AAC, which is shown in Figure 11.55.

Figure 11.55 Want To Steal My Friends?

This file lists the contact names and email addresses found in someone’s contact list. At best, this file is spam fodder. There’s really no shortage of email address lists, phone number lists and more on the Web, but what’s surprising is how many documents containing this type of information were created with the express intention of sharing that information. Consider the screen shown in Figure 11.56, which was submitted by CP.

Figure 11.56 Call and Email the Entire Staff and Wish Them Happy Birthday

This document is a staff directory, which was created for internal use only. The only problem is that it was found on a public web site. While this doesn’t seem to constitute seriously private information, the search shown in Figure 11.57 (submitted by Maerim) reveals slightly more sensitive information: passwords.
Figure 11.57 I Think This RCON Password is Written In Greek

This file lists the cleartext passwords for the Ghost Squad’s private Counterstrike remote administration console. Ask any CS gamer how embarrassing this could be. But hacking a game server is fairly tame. Consider, however, Figure 11.58 which was submitted by Barabas.

Figure 11.58 Encoded VPN Passwords

This file lists information and encoded passwords for a Cisco Virtual LAN (VLAN). About the only thing worse than revealing your VLAN’s encoded passwords is revealing your VLAN’s cleartext passwords. Ask and you shall receive. Check out Figure 11.59, again from Barabas.

Figure 11.59 Plaintext VPN Passwords

Yup, that’s a cleartext password nestled inside a University’s configuration file. But interesting passwords can be found in all sorts of places, such as inside Windows unattended installation files, as shown in Figure 11.60, which was submitted by MBaldwin.

Figure 11.60 Owning a Windows Install before It’s Installed. Leet.
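
A defender can look for the same kinds of files on their own web server before a search engine indexes them. The following added example (not from the book) walks a document root and flags the file types this section describes; the key names (rcon_password, enc_GroupPwd, GroupPwd, AdminPassword), the .vcs and .ctt extensions, and the sample tree are assumptions of the example.

```python
import re
import tempfile
from pathlib import Path
# Markers for the file types this section mentions. The key names and
# extensions are assumptions of this example, not taken from the book's figures.
CONTENT_RULES = [
    ("rcon password", re.compile(r"^[ \t]*rcon_password[ \t]+\S+", re.I | re.M)),
    ("encoded VPN group password", re.compile(r"^[ \t]*enc_GroupPwd[ \t]*=[ \t]*\S+", re.I | re.M)),
    ("cleartext VPN group password", re.compile(r"^[ \t]*GroupPwd[ \t]*=[ \t]*\S+", re.I | re.M)),
    ("unattended-install admin password", re.compile(r"^[ \t]*AdminPassword[ \t]*=[ \t]*\S+", re.I | re.M)),
]
NAME_RULES = {".vcs": "calendar file", ".ctt": "contact list"}

def audit_webroot(root, max_bytes=1_000_000):
    """Return sorted (relative_path, finding) pairs; matched values are never returned."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in NAME_RULES:
            findings.append((rel, NAME_RULES[path.suffix.lower()]))
        try:
            with path.open("rb") as fh:
                text = fh.read(max_bytes).decode("latin-1")
        except OSError:
            continue
        findings.extend((rel, label) for label, rx in CONTENT_RULES if rx.search(text))
    return sorted(findings)

def build_sample_webroot(root):
    """Write a constructed sample tree (placeholder values only) under root."""
    samples = {
        "games/server.cfg": 'hostname "demo"\nrcon_password "PLACEHOLDER"\n',
        "vpn/campus.pcf": "[main]\nGroupPwd=\nenc_GroupPwd=0123ABCD\n",
        "install/unattend.txt": "[GuiUnattended]\nAdminPassword=PLACEHOLDER\n",
        "staff/birthdays.vcs": "BEGIN:VCALENDAR\nEND:VCALENDAR\n",
        "index.html": "<html>nothing sensitive</html>\n",
    }
    for rel, body in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp)
        for rel, finding in audit_webroot(tmp):
            print(f"{rel}: {finding}")
```

The empty GroupPwd= line in the sample profile is not reported, so only files that actually carry a value are flagged.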

Date posted: 04/07/2014, 17:20
