Professional Documents
Culture Documents
Presented by: Francis Brown & Rob Ragan Stach & Liu, LLC www.stachliu.com
Agenda
OVERVIEW
Introduction/Background
G E T T I N G UP T O S P E E D
3
OSINT is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence.
Google/Bing Hacking
SEARCH ENGINE ATTACKS
Attack Targets
GOOGLE HACKING DATABASE
Advisories and Vulnerabilities (215) Error Messages (58) Files containing juicy info (230) Files containing passwords (135) Files containing usernames (15) Footholds (21) Pages containing login portals (232) Pages containing network or vulnerability data (59) Sensitive Directories (61) Sensitive Online Shopping Info (9) Various Online Devices (201) Vulnerable Files (57) Vulnerable Servers (48) Web Server Detection (72)
LulzSec and Anonymous believed to use Google Hacking as a primary means of identifying vulnerable targets.
Their releases have nothing to do with their goals or their lulz. It's purely based on whatever they find with their "google hacking" queries and then release it. -- A-Team, 28 June 2011
8
Diggity Tools
PROJECT OVERVIEW
10
Diggity Tools
ATTACK TOOLS
Tool Description
Traditional Google hacking tool Bing equivalent of traditional Google hacking tool Adobe Flash security scanning tool Data loss prevention scanning tool Bing footprinting tool based on off-site links Malware link detection tool for off-site links
11
Diggity Tools
NEW ATTACK TOOLS
Tool Description
Passive port scanning via Google Easily find your info in 3rd party sites New Bing Hacking DB now as affective as Google Find malware via Bings indexing of executables Easy interface to SHODAN search engine
12
Diggity Scraping
NEW ACROSS ALL ATTACK TOOLS
13
Diggity Scraping
PROXIES SPECIFICATION
14
Diggity Scraping
MANUAL PROXIES SPECIFICATION
15
Advanced Attacks
WHAT YOU SHOULD KNOW
16
Google Diggity
Required to use
Not blocked by Google bot detection Does not violate Terms of Service Max 100 results per query Max 10k queries per day. $5 per 1000 queries
Bing Diggity
Enumerate: URLs, IP-to-virtual hosts, etc. Vulnerability search queries in Bing format
17
New Features
DIGGITY CORE TOOLS
Updated to use Google JSON/ATOM API Due to deprecated Google AJAX API
Auto-update for dictionaries Output export formats Now also XLS and HTML Help File chm file added
18
New Features
DOWNLOAD BUTTON
Download Buttons for Google/Bing Diggity
Download actual files from Google/Bing search results
Downloads to default: C:\DiggityDownloads\
19
New Features
AUTO-UPDATES
20
New Features
IP ADDRESS RANGES
21
New Features
TARGETING HTTP ADMIN CONSOLES
22
Dictionary Updates
3RD P A R T Y I N T E G R A T I O N
23
Google Diggity
DIGGITY CORE TOOLS
24
Hacking CSEs
ALL TOP LEVEL DOMAINS
25
26
Bing Diggity
DIGGITY CORE TOOLS
27
UPDATES (2012)
NotInMyBackYard
30
Data Leaks on
rd 3
Party Sites
31
32
33
34
35
36
NotInMyBackYard
L O C A T I O N, L O C A T I O N, L O C A T I O N
Cloud storage: Google Docs, DropBox, Microsoft SkyDrive, Amazon S3 Social networking sites: Facebook, Twitter, LinkedIn Public document sharing sites: scribd.com, 4shared.com, issuu.com, docstoc.com, PasteBin and text sharing sites: pastebin.com, pastie.org, Public presentations sharing sites: slideshare.net, prezi.com, present.me, authorstream.com Public charts and graphs sharing sites: ratemynetworkdiagram.com, gliffy.com, ManyEyes, lucidchart.com Video sharing sites: vimeo.com, dailymotion.com, metacafe.com, youtube.com
37
NotInMyBackYard
PASTEBIN EXAMPLE
38
NotInMyBackYard
XLS IN CLOUD EXAMPLE
39
40
NotInMyBackYard
PERSONAL USE
41
PortScan Diggity
42
PortScanning
TARGETING HTTP ADMIN CONSOLES
43
PortScanning
TARGETING PORT RANGES
44
PortScanning
TARGETING VULNERABILITY
45
PortScan Diggity
TARGETING HTTP ADMIN CONSOLES
46
CodeSearch Diggity
47
48
CodeSearch Diggity
AMAZON CLOUD SECRET KEYS
49
Cloud Security
N O P R O M I S E S . . .N O N E
http://aws.amazon.com/agreement/#10
50
Cloud Crawling
CREATE YOUR OWN SEARCH ENGINES
51
52
53
SHODAN Diggity
54
SHODAN
HACKER SEARCH ENGINE Indexed service banners for whole Internet for HTTP (Port 80), as well as some FTP (23), SSH (22) and Telnet (21) services
55
SHODAN
FINDING SCADA SYSTEMS
56
SHODAN
FINDING SCADA SYSTEMS
57
SHODAN Diggity
FINDING SCADA SYSTEMS
58
Bing LinkFromDomainDiggity
59
Bing LinkFromDomain
DIGGITY TOOLKIT
60
Bing LinkFromDomain
FOOTPRINTING LARGE ORGANIZATIONS
61
DLP Diggity
62
DLP Diggity
LOTS OF FILES TO DATA MINE
63
DLP Diggity
MORE DATA SEARCHABLE EVERY YEAR
Google Results for Common Docs
1,030,000,000 1,200,000,000 1,000,000,000 800,000,000 600,000,000 400,000,000 200,000,000 10,900,000 0 PDF 260,000,000 84,500,000 42,000,000 2,100,000 DOC 29,200,000 17,300,000 16,100,000 46,400,000 2012 2011 2007 2004 2004 2007 2011 182,000,000 173,000,000 2012
513,000,000
969,000 XLS
64
65
66
DLP Diggity
DIGGITY TOOLKIT
67
DLP Reporting
PRACTICAL EXAMPLES
68
DLP Reporting
PRACTICAL EXAMPLES
69
FlashDiggity
70
FlashDiggity
DIGGITY TOOLKIT
Google/Bing for SWF files on target domains
Example search: filetype:swf site:example.com Download SWF files to C:\DiggityDownloads\
71
Download Non-SWF files to C:\DiggityDownloads\ Use DLPDiggity to analyze for non-SWF Flash vulnerabilities, such as:
Crossdomain.xml Insecure Settings Secure flag set to false Open * wildcard used Unsafe Flash HTML Embed Settings: AllowScriptAccess always AllowNetworking all AllowFullScreen true
72
Baidu Diggity
73
BaiduDiggity
CHINA SEARCH ENGINE
Fighting back
74
Rise of Malware
NO SITES ARE SAFE
Popular websites victimized, become malware distribution sites to their own customers
76
Popular websites victimized, become malware distribution sites to their own customers
77
Popular websites victimized, become malware distribution sites to their own customers
78
Popular websites victimized, become malware distribution sites to their own customers
79
Popular websites victimized, become malware distribution sites to their own customers
80
Popular websites victimized, become malware distribution sites to their own customers
81
82
Inconvenient Truth
D***HEAD ALERT SYSTEM
Average web administrator has no idea when their site gets black listed
83
84
Malware Diggity
85
MalwareDiggity
DIGGITY TOOLKIT
1. Leverages Bings linkfromdomain: search operator to find off-site links of target applications/domains 2. Runs off-site links against Googles Safe Browsing API to determine if any are malware distribution sites
3. Return results that identify malware sites that your web applications are directly linking to
86
Malware Diggity
DIGGITY TOOLKIT
87
Malware Diggity
DIGGITY TOOLKIT
88
Malware Diggity
DIAGNOSTICS IN RESULTS
89
BingBinaryMalwareSearch (BBMS)
90
91
Use popular search topics du jour Pollute results with links to badware Increase chances of a successful attack
92
Google Trends
BLACK HAT SEO RECON
93
Google Trends
PREDICTING ELECTIONS
94
Malvertisements
MALWARE ADS IN SEARCH ENGINES
95
96
Profit
Competition PageRank is 0
Malware Defenses
P RO T E CT YO N E CK
98
Anti-virus is Dead
MALWARE DEFENSES
99
Malware Defenses
BLACKHAT SEO DEFENSES
Sandbox Software
Sandboxie (sandboxie.com) Dell KACE - Secure Browser Office 2010 (Protected Mode) SharePoint 2010 (Sandboxed Solutions) Adobe Reader Sandbox (Protected Mode) Adobe Flash Sandbox (Protected Mode) NEW May2012
Browser Filters
MALWARE DEFENSES
Joint effort to protect customers from known malware and phishing links
101
MalwareDiggity Alerts
MONITORING FOR INFECTIONS
Alert
Detect Infections
Monitoring Malware
MALWARE DEFENSES
103
Monitoring Malware
MALWARE DEFENSES
104
Disable Java
DOMINANT THREAT
In the Cisco 2013 Annual Security Report, Java accounted for 87% of exploits reported in the survey, dwarfing the number of PDF, Flash and ActiveX attacks. If at all possible, disable Java in your browsers
87%
105
Disable Java
MALWARE DEFENSES
106
107
Maltego
INFORMATION GATHERING TOOL
109
Maltego
INFORMATION GATHERING TOOL
110
Maltego
INFORMATION GATHERING TOOL
111
theHarvester
FOOTPRINTING TOOL
Gathers e-mail accounts, user names and hostnames, and subdomains
112
theHarvester
FOOTPRINTING EXAMPLE
113
Metagoofil
FOOTPRINTING TOOL
114
SpiderFoot 2.0
FOOTPRINTING TOOL
115
FOCA
INFO GATHERING AND METADATA
116
SHODAN
HACKER SEARCH ENGINE Indexed service banners for whole Internet for HTTP (Port 80), as well as some FTP (23), SSH (22) and Telnet (21) services
117
DeepMagic DNS
FOOTPRINTING DNS SEARCH ENGINE
118
PasteBin Leaks
PASSWORDS IN PASTEBIN.COM POSTS
119
120
Advanced Defenses
PROTECT YO NECK
121
Traditional Defenses
GOOGLE HACKING DEFENSES Google Hack yourself organization
Employ tools and techniques used by hackers Remove info leaks from Google cache http://www.google.com/remove.html
122
Existing Defenses
H A C K Y O U R S E L F
Tools exist Convenient Real-time updates Multi-engine results Historical archived data Multi-domain searching
123
Advanced Defenses
NEW HOT SIZZLE
124
125
126
Bing searches with regexs from BHDB Leverages http://api.bing.com/rss.aspx Real-time vuln updates to >900 Bing hack queries via RSS
127
Bing/Google Alerts
LIVE VULNERABILITY FEEDS
128
Diggity Alerts
FUNdle Bundle
ADVANCED DEFENSES
130
FUNdle Bundle
ADVANCED DEFENSES
131
FUNdle Bundle
MOBILE FRIENDLY
132
SHODAN Alerts
133
SHODAN Alerts
FINDING SCADA SYSTEMS
134
SHODAN Alerts
FINDING SCADA SYSTEMS
135
SHODAN Alerts
SHODAN RSS FEEDS
136
Bing/Google Alerts
THICK CLIENTS TOOLS
137
Alert Diggity
138
Alerts Diggity
ADVANCED DEFENSES
139
iDiggity Alerts
iDiggity Alerts
140
iDiggity Alerts
ADVANCED DEFENSES
141
iDiggity Alerts
ADVANCED DEFENSES
142
New Defenses
G O O G L E / B I N G H A C K A L E R T S
Tools exist Convenient Real-time updates Multi-engine results Historical archived data Multi-domain searching
143
Diggity Alert DB
DATA MINING VULNS
Diggity Alerts Database
144
Future Direction
IS NOW
145
Diggity Dashboards
COMING SOON
Google Charts
Mobile BI Apps
146
Thank You
http://www.stachliu.com/index.php/resources/tools/google-hacking-diggity-project/
148