Course about Information Gathering for Hacking. Agenda day 1 Introduction about Information Gathering Why information are useful Using free tool Let’s.

Course about Information Gathering for Hacking

Agenda day 1: Introduction to Information Gathering. Why information is useful. Using free tools. Let's start: gather information!

Agenda day 2: Tools & Techniques. Browser power. Using DNS. Using Google. Free tools: Maltego, FOCA. Summarizing all information.

Agenda day 3: Ready for attack. Decide how to attack. Live demo! Questions?

Introduction to Information Gathering. Through reconnaissance, an attacker can gather a large amount of information about a site, domain or IP address. This information can be used to plan an attack. It can be obtained with freely available tools... or just using the browser.

Where Does This Information Come From? Web 2.0... How I <3 thee... Public data and records. Information that is mandatory for the Internet (DNS, whois, MX). Private data we pay for, e.g. Lexis Nexis / Choice Point / Find a Friend / Spoke / Zoominfo. Data placed there by the target. Data placed there by the target's users.

Why information is useful: how to link the real world and the digital world.

Real World:
- Persons
- Phone numbers
- Address
- Documents
- Patents / Projects
- Sentences / Words...
- Habits / Hobbies
- Social affinities
- ...

Digital World:
- IP, hosts, netblocks, AS
- Whois records / rWhois
- Forward and reverse DNS
- Google
- Document metadata
- Twitter, Facebook, ...
- XFN, vCards, hCards
- Face detection, ...
- ip2geo, Google

Types of Information Gathering: Passive, Semi-Passive, Active.

Passive Information Gathering Great care is taken to ensure that the target organization does not detect the profiling. This means that no packets can ever be sent to the target. This type of profiling is typically time intensive. NO TRAFFIC

Semi-Passive Information Gathering Profiling the target with methods that would appear to the target as normal Internet traffic and behavior. NORMAL TRAFFIC

Active Information Gathering This type of profiling should be detected by the target organization. Actively seeking out new/unpublished servers, directories, files, documents along with full network visibility scans. ABNORMAL TRAFFIC

Google Hacking Web Hacking: Pick a site, find the vulnerability Google Hacking : Pick a vulnerability, find the site.

How Google Works Googlebot, a web crawler that finds and fetches web pages. The indexer that sorts every word on every page and stores the resulting index of words in a huge database. The query processor which compares your search query to the index and recommends the documents that it considers most relevant.

How Googlebot Works. Googlebot finds pages in two ways: through the "add URL" form, and by following links while crawling the web.

Indexer and Query Processor.

Indexer: Googlebot gives the indexer the full text of the pages it finds. These pages are stored in Google's index database in alphabetical order. Each index entry stores a list of documents in which the term appears and the location within the text where it occurs.

Query Processor: Page Ranking puts more important pages at a higher rank. Intelligent techniques for learning relationships and associations within the stored data. Spelling correction system.

The Basics Some important things to keep in mind Google queries are not case sensitive. The * wildcard represents any word Example: “* insurance quote” Google stems words automatically Example: “automobile insurance quote” brings up sites with “auto … “.

The Basics The + symbol forces inclusion of a certain word. “auto insurance +progressive” The - symbol forces exclusion of a certain word. (Site:progressive.com – site: The | symbol provides boolean OR logic. “auto insurance + inurl:(progressive | geico)”

Information Disclosure with Google Advanced Search Operators site: (.edu,.gov, foundstone.com, usc.edu) filetype: (txt, xls, mdb, pdf,.log) Daterange: (julian date format) Intitle / allintitle Inurl / allinurl

Advanced Operators:
- link:URL = lists other pages that link to the URL.
- related:URL = lists other pages that are related to the URL.
- site:domain.com "search term" = restricts search results to the given domain.
- allinurl:WORDS = shows only pages with all search terms in the URL.
- inurl:WORD = like allinurl: but filters the URL based on the first term only.
- allintitle:WORD = shows only results with terms in the title.
- intitle:WORD = similar to allintitle, but only for the next word.
- cache:URL = will show the Google cached version of the URL.

The Basics. There are many more advanced operators. Combining these creatively is the key to Google Hacking. s_reference.html BUT DO YOU REALLY NEED TO REMEMBER IT?

Advanced Search with Google

INTERESTING SEARCHES… Now that we’ve gotten this boring stuff out of the way, let’s introduce some Google hacks.

Google and Proxy. Used to bypass Internet browser security settings. Find a proxy that works, and enter the URL. inurl:"nph-proxy.cgi" "start using cgiproxy" inurl:"nph-proxy.cgi" "Start browsing through this CGI-based proxy"

Gaining auth bypass on an admin account. There are a large number of Google dorks for basic SQL injection: "inurl:admin.asp" "inurl:login/admin.asp" "inurl:admin/login.asp" "inurl:adminlogin.asp" "inurl:adminhome.asp" "inurl:admin_login.asp" "inurl:administratorlogin.asp" "inurl:login/administrator.asp" "inurl:administrator_login.asp"

SQL Injection. Keep the username as "Admin" and for the password type one of the following: ' or '1'='1 ' or 'x'='x ' or 0=0 -- " or 0=0 -- or 0=0 -- ' or 0=0 # " or 0=0 # or 0=0 # ' or 'x'='x " or "x"="x ') or ('x'='x ' or 1=1-- " or 1=1-- or 1=1-- ' or a=a-- " or "a"="a ') or ('a'='a ") or ("a"="a hi" or "a"="a hi" or 1=1 -- hi' or 1=1 -- blah' 'or'1=1'
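Why the password strings on this slide work, and what closes the hole, as an added example that is not part of the original course: a login query built by string concatenation (the bug) next to the same query with bound parameters (the fix), run against a constructed in-memory SQLite table. The table, the account and the two login functions are assumptions made for this example.

```python
import sqlite3

# Constructed sample data: one admin account in an in-memory database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('Admin', 'correct-horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # The bug: user input is pasted straight into the SQL text. A password such
    # as   ' or '1'='1   closes the string literal and appends a tautology, so
    # the WHERE clause becomes   password = '' or '1'='1'   and always matches.
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone() is not None

def login_parameterised(conn, username, password):
    # The fix: placeholders hand the values to the driver separately from the
    # query text, so quotes, comments (--) and OR clauses in the input are just
    # characters compared against the stored password.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

# Three of the payloads listed on the slide, used here as a regression check.
SLIDE_PAYLOADS = ["' or '1'='1", "' or 0=0 --", "' or 1=1--"]

def bypass_counts(conn, payloads=SLIDE_PAYLOADS):
    """Return (bypasses against vulnerable login, bypasses against fixed login)."""
    weak = sum(login_vulnerable(conn, "Admin", p) for p in payloads)
    fixed = sum(login_parameterised(conn, "Admin", p) for p in payloads)
    return weak, fixed
```

Running `bypass_counts(make_db())` shows every slide payload logging in through the concatenated query and none through the parameterised one; a real application additionally stores password hashes rather than plaintext, which this example omits for brevity.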

A few more interesting searches. Browsing images of the site: Site: xxxxxxx in Google Images. Browse live video cameras: inurl:"viewerframe?mode=motion" ( Intitle:"Live View / - AXIS". Browse open webcams worldwide. Axis webcams: inurl:/view.shtml or inurl:view/index.shtml. Canon webcams: sample/LvAppl/. Server versioning: intitle:index.of "server at"

GOOGLE HACK. Google Hacks is a compilation of carefully crafted Google searches that expose novel functionality from Google's search and map services. You can use it to view a timeline of your search results, view a map, search for music, search for books, and perform many other specific kinds of searches. You can also use this program to use Google as a proxy.

GOOGLE Hack screen shot

Screenshot of GOOLAG SCANNER

Using Tools

FOCA: metadata. "Secret" relationships: Government & companies; Companies & providers. Piracy. Reputation. Social engineering attacks. Targeting. Malware.

FOCA: File types supported.
- Office documents: Open Office documents, MS Office documents.
- PDF documents: XMP.
- EPS documents.
- Graphic documents: EXIF, XMP.
- Adobe InDesign, SVG, SVGZ.

What can be found?
- Users: creators, modifiers, users in paths (C:\Documents and settings\jfoo\myfile, /home/johnnyf).
- Operating systems.
- Printers: local and remote.
- Paths: local and remote.
- Network info: shared printers, shared folders, ACLs.
- Internal servers: NetBIOS name, domain name, IP address.
- Database structures: table names, column names.
- Devices info: mobiles, photo cameras.
- Private info: personal data.
- History of use.
- Software versions.
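The "users in paths" and "software versions" items above are exactly what a publisher should check for before putting a document on a public web site. The following is an added example, not FOCA's code: it reads the Info dictionary of a constructed minimal PDF and harvests account names from embedded Windows and Unix paths, the same two leaks the slide names. The sample bytes, the field list and the regexes are assumptions made for this example.

```python
import re

# Constructed minimal PDF (sample input, not a document from the slides): real
# files have many more objects, but the Info dictionary and a stray path in a
# stream are the parts a FOCA-style tool reads.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Title (Quarterly report) /Author (jfoo) "
    b"/Creator (Microsoft Word 2010) /Producer (Acrobat Distiller 9.0) >>\n"
    b"endobj\n2 0 obj\n<< /Length 70 >>\nstream\n"
    b"C:\\Documents and settings\\jfoo\\myfile.docx /home/johnnyf/draft.odt\n"
    b"endstream\nendobj\n%%EOF\n"
)

# Hypothetical field list and path patterns chosen for this example.
INFO_KEYS = ("Title", "Author", "Creator", "Producer")
WIN_PATH = re.compile(r"[A-Za-z]:\\(?:[^\\\n()<>]+\\)*[^\\\s()<>]+")
UNIX_HOME = re.compile(r"/home/[^\s()<>]+")

def pdf_info(data: bytes) -> dict:
    """Pull the literal-string entries (Key (value)) of the Info dictionary."""
    text = data.decode("latin-1")
    info = {}
    for key in INFO_KEYS:
        m = re.search(r"/%s\s*\(([^)]*)\)" % key, text)
        if m:
            info[key] = m.group(1)
    return info

def paths_in(data: bytes) -> list:
    """Find Windows drive paths and Unix home paths anywhere in the file."""
    text = data.decode("latin-1")
    return WIN_PATH.findall(text) + UNIX_HOME.findall(text)

def usernames_from_paths(paths) -> list:
    """Derive account names from profile directories, as the slide describes."""
    users = []
    for p in paths:
        m = (re.match(r"[A-Za-z]:\\(?:Documents and Settings|Users)\\([^\\]+)", p, re.I)
             or re.match(r"/home/([^/]+)", p))
        if m and m.group(1) not in users:
            users.append(m.group(1))
    return users

def leak_report(data: bytes) -> dict:
    """Summary of what the document gives away; empty lists mean it is clean."""
    info, paths = pdf_info(data), paths_in(data)
    return {"author": info.get("Author"),
            "software": [info[k] for k in ("Creator", "Producer") if k in info],
            "paths": paths, "usernames": usernames_from_paths(paths)}
```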

Sample: FBI.gov Total: 4841 files

DNS Search Panel

Huge domains case

Digital Certificates

FOCA & Shodan

FOCA URL Analysis

.listing

Unsecure http Methods

Search & Upload

Searching for Server-Side Technologies

RDP & ICA Files Analysis

Squid Proxies

DNS Records

Netrange Scan

Easy Bugs search

Task List

Plugins

Maltego (Paterva). Maltego is an open source intelligence and forensics application. It offers you timely mining and gathering of information as well as the representation of this information in an easy to understand format.

Maltego: which information?
- People
- Groups of people (social networks)
- Companies
- Organizations
- Web sites
- Internet infrastructure such as: domains, DNS names, netblocks, IP addresses
- Phrases
- Affiliations
- Documents and files

These entities are linked using open source intelligence. Maltego is easy and quick to install: it uses Java, so it runs on Windows, Mac and Linux. Maltego provides you with a graphical interface that makes seeing these relationships instant and accurate, making it possible to see hidden connections. Using the graphical user interface (GUI) you can see relationships easily, even if they are three or four degrees of separation away. Maltego is unique because it uses a powerful, flexible framework that makes customizing possible. As such, Maltego can be adapted to your own, unique requirements.

Maltego Paterva

Maltego ce: web site

Maltego ce: twitter

A few interesting websites: Archive of websites (Time Machine). Find out when your e-mail gets read, retract, certify, track & much more. Provides you with disposable e-mail addresses which expire after 15 minutes. Marketing solutions that allow you to send, track and confirm delivery of e-mails, newsletters, events etc.

Open source: some links DNS, Whois,