Friday, February 27, 2015

Penetration Testing with Google


As we know, there are plenty of search engines: Bing, Yahoo, DuckDuckGo, Dogpile, Ixquick and so on, but the most popular is Google.  We should also keep in mind that a search engine can only return information about websites it has indexed; a site that is not indexed will never show up as a "result".  In this post we will focus on the most popular one: Google.


Whenever you search in Google, you are not actually searching the web but Google's index of the web.  Google builds that index with small pieces of software called spiders (crawlers; Googlebot is the best known).  They fetch pages, then follow the links on those pages, and the index grows and grows.  When you type one or more keywords, Google searches its index and, in a fraction of a second, asks 200+ questions about every candidate page: how many times does the page contain your keywords?  Where do they appear (title, URL, headers)?  How many sites link to it, and how often are those links clicked?  Does it come from a high- or low-quality site?  Google combines all of these factors (and many more) into a formula that decides where on the results page the site lands, which helps the user find exactly what she wants with little or no hassle.  The crawlers then follow every outbound link of every page they visited and repeat the whole process.  That is how Google crawls and indexes.  Now, the funny thing is that Google's robots are just robots.  They cannot tell whether what they are crawling is helpful or harmful, and they have no idea that you put your backup system online and they are now indexing it for the whole world to see.  The same goes for your system's backup files, your baby monitor, personal or home cameras, digital toaster, refrigerator, home heater, or a whole NAS exposed to the Internet: if it is reachable and linked from somewhere, Google has probably already crawled it.


Taken from: http://smartdatacollective.com




This is where the fun begins.  It takes research, countless hours of experimenting and several sodas to stay awake the whole night!  But none of this is new or illegal.  The devices involved have a name: "the IoT (Internet of Things)."  According to TechTarget (whatis.techtarget.com/definition/Internet-of-Things), the Internet of Things is a scenario in which objects, animals or people are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.  Simply put, it is the trend of putting every device in your life on the Internet (giving it an IP address) so that you can reach it from the comfort of your couch, wherever you may be.  This, of course, poses a huge risk, because there are things you would not want accessible to the whole world, for example your thermostat or any other device that is part of your "private" life.


While we willingly accept exposing our lives to the world, the IoT idea amounts to a "controlled", centralized way of communicating with no privacy at all.  There are rarely enough security controls in these devices to prevent someone from changing the temperature of our refrigerator or simply intercepting our baby monitor and talking through it.  If you think I am being paranoid: it actually happened, several times (see the baby monitor stories in the references).


But scaring families and checking someone's thermostat is not the only use (or misuse) of Google and the other search engines.  You can also have some fun and do some passive (and not so passive) reconnaissance for penetration testing :)

Popularized by Johnny Long in the early 2000s (his Black Hat Europe 2005 paper and DEF CON talk are in the references), a "Google dork" is a Google search query crafted with operators to return exactly what you want.  Needless to say, whatever you look for 1) needs to be indexed by Google; 2) is already public, since Google found it on the Internet, so running the query itself is not a break-in; and 3) actually using what you find to break into anything without the owner's consent and approval is illegal and punishable by law.

DISCLAIMER: THIS TUTORIAL IS MEANT FOR ETHICAL PURPOSES ONLY.  PLEASE REFRAIN FROM USING THESE QUERIES FOR UNLAWFUL MEANS

After this small disclaimer, let's dive into some interesting stuff. I will use microsoft.com as the example; replace it with the target of your choice (one you are authorized to test).  If, for example, you want to know which subdomains of microsoft.com are indexed, you can search for the domain while excluding the main www host, so the other subdomains rise to the top:

site:microsoft.com -site:www.microsoft.com

To list only the indexed PDF documents on microsoft.com, search for:

site:microsoft.com filetype:pdf


You can go ahead and search for more interesting stuff.  For example, if you know the host is running WordPress, you can confirm it and, where the footer or generator tag includes it, the version:


"Powered by WordPress" -html filetype:php -demo -wordpress.org -bugtraq

Add site:yourtarget.com to scope the query to one host.

You can tweak this a little to fingerprint services such as IIS, Telnet and more: a passive approximation of nmap -sV, with no packet ever reaching the target.


We can also find information about users, for example through exposed finger CGI gateways, with the following query:


inurl:finger.cgi

Also, you can find out what files the host has, via leftover .listing files (the directory listings that FTP mirroring tools such as wget write out):

site:microsoft.com ext:listing


Additionally, we can even find vulnerabilities in a system. How so?  By reading the up-to-date CVEs, we can perform a fast audit of our client's host.  For example, if our client's host is:


totallyowned.com


and we know (via white box) that this host runs an out-of-date version of PHP-Fusion 6.x.x, we can try this (note that site: takes no space before the domain):


site:totallyowned.com "Powered by PHP-Fusion v6.00.110" | "Powered by PHP-Fusion v6.00.2.." | "Powered by PHP-Fusion v6.00.3.." -v6.00.400

Google then tells us which indexed pages advertise an affected version.  From there it is a matter of understanding the PoC from the CVE and, within the scope the client authorized, verifying that the vulnerability is really exploitable.
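Here is an added Python example (mine, not code from the post) that assembles the kind of version-hunting query shown above and then triages the banners it brings back against the fixed release.  PHP-Fusion as the product, the version numbers and the sample results are constructed for the illustration; totallyowned.com is the post's placeholder host.  The point of the second half is that version comparison must be numeric: compared as strings, "6.00.1000" sorts before "6.00.400" and would be flagged as affected when it is not.

```python
import re

# Added example: build the site-scoped version dork from the text above and
# triage what comes back. Product, versions and results are made up for the
# illustration; "totallyowned.com" is the post's own placeholder host.


def quote(term):
    """Wrap a term in double quotes so Google treats it as an exact phrase."""
    return '"' + term.replace('"', '') + '"'


def build_version_dork(site, banner, affected, excluded=()):
    """Return a query matching any of the affected version strings after the
    "Powered by ..." banner and excluding the fixed ones. Google's '|' is OR;
    the version strings are passed through verbatim, so write them exactly as
    the target prints them."""
    any_of = " | ".join(quote(f"{banner} {v}") for v in affected)
    minus = "".join(f" -{quote(v)}" for v in excluded)
    return f"site:{site} {any_of}{minus}"


VERSION_RE = re.compile(r"v?(\d+(?:\.\d+)+)")


def parse_version(banner):
    """Extract (6, 0, 110) from 'Powered by PHP-Fusion v6.00.110'; None if absent."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(banner, fixed_in):
    """True when the banner's version is strictly older than the fixed release.
    Integer tuples avoid the string-comparison trap where '6.00.1000' < '6.00.400'."""
    observed = parse_version(banner)
    if observed is None:
        return False          # no version advertised: cannot decide from the banner
    return observed < parse_version(fixed_in)


def triage(results, fixed_in):
    """Map each (url, footer) pair a search returned to an affected verdict."""
    return {url: is_affected(footer, fixed_in) for url, footer in results}


# Constructed sample of what the query might return (not real search results).
SAMPLE_RESULTS = [
    ("http://totallyowned.com/news.php", "Powered by PHP-Fusion v6.00.110"),
    ("http://totallyowned.com/forum/", "Powered by PHP-Fusion v6.00.307"),
    ("http://totallyowned.com/blog/", "Powered by PHP-Fusion v6.00.400"),
    ("http://totallyowned.com/shop/", "Powered by PHP-Fusion v6.01.2"),
    ("http://totallyowned.com/about/", "Powered by PHP-Fusion"),
]

if __name__ == "__main__":
    print(build_version_dork("totallyowned.com", "Powered by PHP-Fusion",
                             ["v6.00.110", "v6.00.2..", "v6.00.3.."], ["v6.00.400"]))
    for url, verdict in triage(SAMPLE_RESULTS, "v6.00.400").items():
        print(("AFFECTED      " if verdict else "not affected  ") + url)
```

A banner is only a claim: a site can patch without bumping the string, or print a string it never updated, so the verdict is a lead to confirm, not a finding.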


This is one of thousands of examples out there, and the topic is so vast it would take me hundreds of blog posts to cover it (and they still would not suffice).  The point is to make you aware of the risks associated with the Internet of Things.  Be careful what you put up on the Internet; it will certainly come back to bite you.  To conclude this section, I would like to share some interesting "dorks" with you:

Public Cameras:

inurl:"ViewerFrame?Mode="  (Panasonic Network Camera webcams)
inurl:indexFrame.shtml Axis  (Axis webcams)
SNC-RZ30 HOME  (Sony SNC-RZ30 webcams)
intitle:"my webcamXP server!" inurl:":8080"  (webcams accessible via WebcamXP Server)
intitle:liveapplet inurl:LvAppl  (Canon Webview webcams)

Printers:

"Copyright (c) Tektronix, Inc." "printer status"  (PhaserLink printers)
inurl:"printer/main.html" intext:"settings"  (Brother HL printers)
intitle:"Dell Laser Printer" ews  (Dell printers with EWS technology)
intext:centreware inurl:status  (Xerox Phaser 4500/6250/8200/8400 printers)
inurl:hp/device/this.LCDispatcher  (HP printers)

Web Servers:

"Apache/1.3.28 Server at" intitle:index.of  (Apache 1.3.28)
"Microsoft-IIS/4.0 Server at" intitle:index.of  (Microsoft Internet Information Services 4.0)
"Oracle HTTP Server/* Server at" intitle:index.of  (any version of Oracle HTTP Server)
"IBM _ HTTP _ Server/* * Server at" intitle:index.of  (any version of IBM HTTP Server)
"Red Hat Secure/*" intitle:index.of  (any version of the Red Hat Secure server)

Advisories and Vulnerabilities:

intitle:PhpMyAdmin inurl:error.php
inurl:"index.php?option=com_storedirectory"
inurl:"?act=phpinfo"
"powered by tikiwiki"
inurl:imageview5

SQL Database (pages that take a numeric id parameter, the classic SQL injection candidates):

inurl:gallery.php?id=
inurl:forum_bds.php?num=
inurl:product-item.php?id=
inurl:index.php?id=
inurl:productinfo.php?id=

Logs:

inurl:log.txt ext:txt
filetype:cfg mrtg "target"
/WebShop/logs
/Admin_files/order.log
"Index of" / "chat/logs"

Interesting confidential (but public) documents:

inurl:/wp-content/uploads/
"not for distribution"  (confidential documents)
intitle:"curriculum vitae" "phone * * *" "address *" "e-mail"
filetype:xls inurl:"email.xls"
intitle:index.of appointments.xls


What about non-indexed content?


Not every site has one, but most do.  To tell Google (and other search engines) not to index certain paths of a website, the site publishes a robots.txt file stating what NOT to list.  Unfortunately, that file has to be public so that the crawlers can read it, which means anyone can read the list of "non-indexed" paths just as easily:

http://host.com/robots.txt


For example, let's try this with the city of Oak Brook, IL:

http://www.oak-brook.org/robots.txt

user-agent: Baiduspider
Disallow: /
User-agent: Yandex
Disallow: /
User-agent: *
Disallow: /activedit
Disallow: /admin
Disallow: /common/admin/
Disallow: /OJA
Disallow: /support
Disallow: /currenteventsview.asp
Disallow: /search.asp
Disallow: /currenteventsview.aspx
Disallow: /search.aspx
Disallow: /currentevents.aspx
Disallow: /Support
Disallow: /CurrentEventsView.asp
Disallow: /Search.asp
Disallow: /CurrentEventsView.aspx
Disallow: /Search.aspx
Disallow: /Search
Disallow: /CurrentEvents.aspx
Disallow: /Currentevents.aspx
Disallow: /map.aspx
Disallow: /map.asp
Disallow: /Map.aspx
Disallow: /Map.asp

This tells Baidu's spider (Baiduspider) and Yandex to stay away from the whole site (Disallow: /), and every other user agent (User-agent: *) to stay away from the listed paths.  From here you can simply try each path after the .org/ and see what answers.  This is useful for finding login portals during your pentest (note /admin and /common/admin/), which may be vulnerable to some flaws.  Keep in mind that robots.txt is a request to well-behaved crawlers, not an access control: a path listed there is still served to anyone who asks for it, and it can still end up indexed if other sites link to it.  The right fix for something that must stay private is authentication (or at least a noindex header), not a Disallow line.
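An added example (my code, not the post's) of automating what the paragraph describes: parse the robots.txt above, separate the agents told to stay off the whole site from the paths all other crawlers are asked to skip, and turn those paths into URLs to try by hand.  The file is embedded as a string copied from the listing above, so nothing is fetched; the Oak Brook URL is the one from the post.

```python
from urllib.parse import urljoin

# Added example. The robots.txt below is the www.oak-brook.org file quoted in
# the post, embedded here so the code runs offline; nothing is fetched.
SAMPLE_ROBOTS = """\
user-agent: Baiduspider
Disallow: /
User-agent: Yandex
Disallow: /
User-agent: *
Disallow: /activedit
Disallow: /admin
Disallow: /common/admin/
Disallow: /OJA
Disallow: /support
Disallow: /currenteventsview.asp
Disallow: /search.asp
Disallow: /currenteventsview.aspx
Disallow: /search.aspx
Disallow: /currentevents.aspx
Disallow: /Support
Disallow: /CurrentEventsView.asp
Disallow: /Search.asp
Disallow: /CurrentEventsView.aspx
Disallow: /Search.aspx
Disallow: /Search
Disallow: /CurrentEvents.aspx
Disallow: /Currentevents.aspx
Disallow: /map.aspx
Disallow: /map.asp
Disallow: /Map.aspx
Disallow: /Map.asp
"""


def parse_robots(text):
    """Group Disallow rules by user agent: {"*": ["/activedit", ...], "yandex": ["/"]}.

    Field names are case-insensitive, '#' starts a comment, consecutive
    User-agent lines share one rule block, and an empty Disallow means "allow all".
    """
    groups = {}
    current = []          # agents the following rules apply to
    rules_seen = False    # a User-agent line after rules starts a new block
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if rules_seen:
                current, rules_seen = [], False
            agent = value.lower()
            current.append(agent)
            groups.setdefault(agent, [])
        elif field in ("disallow", "allow"):
            rules_seen = True
            if field == "disallow" and value:
                for agent in current:
                    groups[agent].append(value)
        # Sitemap, Crawl-delay and unknown fields are ignored
    return groups


def blocked_entirely(groups):
    """Agents told to stay off the whole site ("Disallow: /")."""
    return sorted(agent for agent, paths in groups.items() if "/" in paths)


def candidate_paths(groups, agents=("*",), fold_case=True):
    """Paths the site asked crawlers to skip: the ones worth a manual look.

    "/" is dropped (it names nothing specific). With fold_case the duplicate
    spellings in the sample (/support, /Support) collapse to one entry, which is
    what you want against a case-insensitive IIS/ASP host.
    """
    seen, out = set(), []
    for agent in agents:
        for path in groups.get(agent.lower(), []):
            if path == "/":
                continue
            key = path.lower() if fold_case else path
            if key not in seen:
                seen.add(key)
                out.append(path)
    return out


def candidate_urls(base, text, fold_case=True):
    """Full URLs to try by hand (or feed to a scanner you are authorized to run)."""
    return [urljoin(base, p) for p in candidate_paths(parse_robots(text), fold_case=fold_case)]


if __name__ == "__main__":
    groups = parse_robots(SAMPLE_ROBOTS)
    print("fully blocked agents:", blocked_entirely(groups))
    for url in candidate_urls("http://www.oak-brook.org/", SAMPLE_ROBOTS):
        print(url)
```

Requesting the candidate URLs is the "not so passive" step: it sends traffic to the target, so do it only inside an authorized engagement.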


Please, feel free to drop your comments and don't forget to keep on investigating.  Happy lurking!!



References: 

How Google Works:  www.google.com/howgoogleworks
Baby Monitor Hack 1:
https://www.yahoo.com/parenting/nanny-freaks-as-baby-monitor-is-hacked-109405425022.html
Baby Monitor Hack 2: 
http://www.nbcnews.com/tech/security/man-hacks-monitor-screams-baby-girl-n91546
Baby Monitor Hack 3: 
http://www.cbsnews.com/news/baby-monitor-hacked-spies-on-texas-child/
Johnny Long PDF: https://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-Long.pdf
Johnny Long DefCon Presentation: https://www.youtube.com/watch?v=N3dzVl40lQA
Some Google Dorks (use it under your own discretion): https://blackmoreops.wordpress.com/2014/07/08/useful-google-hacks/



Friday, February 20, 2015

February 2015 Latest Vulnerabilities

Hello All,

First an announcement. I would like to let you know that I will be publishing weekly security news and updates as well as what I am doing in my Security Lab.  This will include new exploits, vulnerabilities, work-arounds and other tips and techniques within the security realm.

For this week, I would like to talk about what has been new since the last update of my blog: the emergence of the GHOST vulnerability in glibc on many Linux distributions, the discovery of Superfish on Lenovo laptops, and OS X's latest vulnerability, Thunderstrike.


As we know, today's world is full of software running in appliances, machines, motors, pacemakers, backbone systems, transportation systems, hospitals, science, politics, remote oil refineries; almost everything is controlled by some sort of programmed chip.  It is very hard to find something we rely on every day that is not programmable.  This also means that everything programmable is also hackable.  I am not only talking about criminal activity; I am also talking about the pure essence of hacking: something that can be explored, learned, twisted and modified.  Unfortunately, not everyone uses hacking as a good, knowledge-nourishing source of opportunities; there are also people who like to exploit, sabotage, terrorize, steal money and trade secrets, and disrupt activities.

There is no good news here, because software is here to stay and we will always face flaws, vulnerabilities and bugs in code.  The only way to mitigate these risks is to write good code, keep up with the news, learn about each vulnerability and patch it.  This month was full of named vulnerabilities (the media's new convenient habit) for three very well-known operating systems: Linux, Windows and OS X.

At the end of January, Red Hat published the details of GHOST (CVE-2015-0235), disclosed by Qualys: a critical vulnerability in the glibc library affecting two function calls (and their reentrant _r variants):

gethostbyname()
gethostbyname2()

The bug is a heap-based buffer overflow in the helper glibc uses for numeric-looking hostnames (__nss_hostname_digits_dots()).  An attacker triggers it by getting an application to pass a crafted hostname argument, a digits-and-dots string of a specific length, to one of these functions.  Because so many programs resolve names supplied by strangers, the trigger can be remote; Qualys demonstrated it against the Exim mail server.

glibc versions 2.2 through 2.17 are vulnerable.  The bug was actually fixed in glibc 2.18 (May 2013) without being recognized as a security issue, so the fix was never backported to the long-term branches used by the stable distributions, which is why the following (among others) were affected:

Red Hat Enterprise Linux (and CentOS)
Debian
Ubuntu


This vulnerability can be patched easily by updating the glibc packages (and nscd, if installed).  Red Hat also recommends rebooting the affected machine, because practically every running process has the vulnerable library mapped and keeps using the old copy until it is restarted.  Later this week, I will provide a video on how to patch this critical vulnerability.
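As an added example (modelled on the canary-based test program Qualys published with the GHOST advisory, not code from this post or from Red Hat), the following Python script checks the glibc of the machine it runs on.  It assumes Linux with glibc and only the standard library's ctypes; on any other platform it reports inconclusive.  The crafted name is handled by glibc's numeric-hostname path and is rejected (or overflows) before any DNS query is made.

```python
import ctypes
import ctypes.util
import errno

# Added example, modelled on Qualys's GHOST.c test: call gethostbyname_r() with
# a digits-only hostname whose length makes a vulnerable glibc write past a
# 1024-byte work buffer into a canary placed right behind it.

CANARY = b"in_the_coal_mine"
BUFLEN = 1024


class Hostent(ctypes.Structure):
    """struct hostent, as defined in <netdb.h>."""
    _fields_ = [
        ("h_name", ctypes.c_char_p),
        ("h_aliases", ctypes.POINTER(ctypes.c_char_p)),
        ("h_addrtype", ctypes.c_int),
        ("h_length", ctypes.c_int),
        ("h_addr_list", ctypes.POINTER(ctypes.c_char_p)),
    ]


def ghost_hostname():
    """The crafted name: buffer size minus the 16-byte address, the two-entry
    address list and the terminating NUL. A vulnerable glibc forgets to count
    the alias pointer, so its copy overruns by sizeof(char *)."""
    return b"0" * (BUFLEN - 16 - 2 * ctypes.sizeof(ctypes.c_void_p) - 1)


def ghost_check():
    """True: vulnerable (canary overwritten). False: patched (glibc returns
    ERANGE for the undersized buffer). None: inconclusive, e.g. not glibc or
    no gethostbyname_r on this platform."""
    try:
        libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
        fn = libc.gethostbyname_r
    except (OSError, AttributeError, TypeError):
        return None
    fn.restype = ctypes.c_int
    fn.argtypes = [ctypes.c_char_p, ctypes.POINTER(Hostent), ctypes.c_void_p,
                   ctypes.c_size_t, ctypes.POINTER(ctypes.POINTER(Hostent)),
                   ctypes.POINTER(ctypes.c_int)]

    # Work buffer with the canary immediately after it, so an overrun is visible.
    buf = (ctypes.c_char * (BUFLEN + len(CANARY)))()
    ctypes.memmove(ctypes.addressof(buf) + BUFLEN, CANARY, len(CANARY))

    res = Hostent()
    result = ctypes.POINTER(Hostent)()
    herrno = ctypes.c_int(0)
    ret = fn(ghost_hostname(), ctypes.byref(res), ctypes.addressof(buf), BUFLEN,
             ctypes.byref(result), ctypes.byref(herrno))

    if bytes(buf[BUFLEN:BUFLEN + len(CANARY)]) != CANARY:
        return True           # the canary was overwritten: vulnerable
    if ret == errno.ERANGE:
        return False          # patched glibc refuses the undersized buffer
    return None


if __name__ == "__main__":
    verdict = ghost_check()
    print({True: "vulnerable", False: "not vulnerable", None: "inconclusive"}[verdict])
```

Run it before and after the update; a "not vulnerable" verdict only covers the glibc copy that this Python process loaded, which is exactly why long-running services (and, simplest of all, the whole machine) need a restart after patching.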

At about the same time, Apple published OS X 10.10.2, an update that fixes 54 CVEs (Common Vulnerabilities and Exposures).  Among them is the patch for Thunderstrike (CVE-2014-4498), the Thunderbolt Option ROM boot-kit attack disclosed at the end of December, making the system a bit more secure.

It is strange how people still think that by buying a Mac they are immune to having their computers, identity and data compromised.

The other patches cover the Intel graphics driver, the Bluetooth driver, Bash (Shellshock), Safari and the OpenSSL libraries.


Not only UNIX-like operating systems had vulnerabilities this month; so did Microsoft Windows.  On Patch Tuesday (February 10, 2015), Microsoft released 9 bulletins, 3 of them critical and involving remote code execution (MS15-009, MS15-010 and MS15-011).  Microsoft shipped these important updates but left MS15-011 unpatched for Windows Server 2003, and since that system's support ends on July 14 of this year, it is unclear whether Microsoft will ever release a patch for it.  Also, one of this month's updates broke the Cisco AnyConnect VPN client (it now crashes); Microsoft has published a Fix it workaround, but the real update is not expected until March 10.

The last news item is perhaps the most serious one, since it raises questions about what else vendors (or governments) might quietly pre-install on the machines we buy.  It is the emergence of Superfish.  Security researchers discovered adware pre-installed on Lenovo consumer laptops that spies on customers' web traffic and browsing behaviour in order to inject third-party advertisements.  Superfish is believed to have shipped since October 2014, and the affected browsers are Internet Explorer and Google Chrome (both trust the Windows certificate store).  The researchers recommend that anyone who bought one of these Lenovo laptops before January 2015 immediately do a fresh install of their operating system (Windows).


Superfish does not just spy for advertising purposes; to inject ads into HTTPS pages it also breaks HTTPS.  It installs its own root certificate into the Windows trust store and, through the bundled Komodia interception library, proxies TLS connections locally, presenting a certificate it signs itself for every site you visit.  This poses a huge security risk for obvious reasons: the browser shows a padlock while the "protected" connection is actually being decrypted on the machine.  Worse, the same root private key shipped on every laptop (and was extracted within hours of the disclosure), so anyone on the same network can sign a certificate for any site and perform a man-in-the-middle (MitM) attack that affected machines trust without a warning.  This caused a lot of concern, since Superfish is an imminent threat and should be removed as soon as possible, together with its root certificate.


Late this week, Lifehacker published an article on how to test for and remove Superfish from your system, which you can find in the sources.  Even though Firefox users are not affected (Firefox keeps its own certificate store), it is always good to double-check.



Sources:

https://access.redhat.com/articles/1332213
http://www.eweek.com/security/apple-os-x-10.10.2-bashes-bugs.html
http://www.zdnet.com/article/february-2015-patch-tuesday/
http://windowsitpro.com/patch-tuesday/patch-tuesday-microsoft-makes-fix-it-available-repair-cisco-anyconnect
http://lifehacker.com/how-to-test-your-pc-for-the-new-superfish-security-vu-1686788663
