Professional Documents
Culture Documents
Presented by:
Francis Brown & Rob Ragan
Stach & Liu, LLC
www.stachliu.com
Agenda
OVERVIEW
• Introduction/Background
• Advanced Attacks
• NEW Diggity Attack Tools
• Malware and Search Engines
• Non-Diggity Tools
• Advanced Defenses
• NEW AlertDiggity Cloud Database
• Future Directions
2
Introduction/Background
G E T T I N G UP T O S P E E D
3
Open Source Intelligence
SEARCHING PUBLIC SOURCES
4
Google/Bing Hacking
SEARCH ENGINE ATTACKS
5
Google vs Bing Size
MORE BANG FOR YOUR SEARCH
6
Attack Targets
GOOGLE HACKING DATABASE
7
Google Hacking = Lulz
REAL WORLD THREAT
8
Google Hacking = Lulz
REAL WORLD THREAT
22:14 <@kayla> Sooooo...using the link above and the google hack string.
!Host=*.* intext:enc_UserPassword=* ext:pcf Take your pick of VPNs you
want access too. Ugghh.. Aaron Barr CEO HBGary Federal Inc.
22:15 <@kayla> download the pcf file
22:16 <@kayla> then use http://www.unix-ag.uni-
kl.de/~massar/bin/cisco-decode?enc= to clear text it
22:16 <@kayla> = free VPN
9
Diggity Tools
PROJECT OVERVIEW
10
Diggity Tools
ATTACK TOOLS
Tool Description
GoogleDiggity Traditional Google hacking tool
BingDiggity Bing equivalent of traditional Google hacking tool
FlashDiggity Adobe Flash security scanning tool
DLPDiggity Data loss prevention scanning tool
LinkFromDomain Bing footprinting tool based on off-site links
CodeSearch Diggity Open-source code vulnerability scanning tool
MalwareDiggity Malware link detection tool for off-site links
11
Diggity Tools
NEW ATTACK TOOLS
Tool Description
PortScan Diggity Passive port scanning via Google
NotInMyBackYard Easily find your info in third-party sites
BHDB 2.0 New Bing Hacking DB now as effective as Google
Bing BinaryMalware Find malware via Bing’s indexing of executables
CodeSearch REBORN Brought back from the dead
SHODAN Diggity Easy interface to SHODAN search engine
12
Diggity Scraping
NEW ACROSS ALL ATTACK TOOLS
13
Diggity Scraping
PROXIES SPECIFICATION
14
Diggity Scraping
MANUAL PROXIES SPECIFICATION
15
Advanced Attacks
WHAT YOU SHOULD KNOW
16
Diggity Core Tools
STACH & LIU TOOLS
Google Diggity
• Uses Google JSON/ATOM API
• Not blocked by Google bot detection
• Does not violate Terms of Service
• Max 100 results per query
• Max 10k queries per day. $5 per 1000 queries
• Required to use
Bing Diggity
• Uses Bing Search API (Azure Marketplace)
• 5,000 queries per month for free
• Max 50 results per query
• Company/Webapp Profiling
• Enumerate: URLs, IP-to-virtual hosts, etc.
• Bing Hacking Database (BHDBv2)
• Vulnerability search queries in Bing format
17
New Features
DIGGITY CORE TOOLS
18
New Features
DOWNLOAD BUTTON
19
New Features
AUTO-UPDATES
20
New Features
IP ADDRESS RANGES
21
New Features
TARGETING HTTP ADMIN CONSOLES
22
Dictionary Updates
THIRD-PARTY INTEGRATION
23 tht
Google Diggity
DIGGITY CORE TOOLS
24
Hacking CSE’s
ALL TOP LEVEL DOMAINS
25
Bypass Google CSE’s
FULL WEB SEARCH RESULTS
26
Bing Diggity
DIGGITY CORE TOOLS
27
NEW GOOGLE HACKING TOOLS
28
Bing Hacking Database v2.0
STACH & LIU TOOLS
• UPDATES (2012)
• ext: functionality now added
• inurl: work around by using
instreamset:url:
• New BHDB 2.0
• Several thousand more Bing dorks!
29
NEW GOOGLE HACKING TOOLS
NotInMyBackYard
30
Data Leaks on Third-Party Sites
SENSITIVE INFO EVERYWHERE
31
PasteBin Twitter Leaks
PASSWORDS IN PASTEBIN.COM POSTS
32
Cloud Docs Exposures
PUBLIC CLOUD SEARCHING
33
Cloud Docs Exposures
ROBOTS.TXT IS DEAD
34
Data Loss In The News
MAJOR DATA LEAKS
35
Data Loss In The News
MAJOR DATA LEAKS
36
NotInMyBackYard
L O C A T I O N, L O C A T I O N, L O C A T I O N
37
NotInMyBackYard
PASTEBIN EXAMPLE
38
NotInMyBackYard
XLS IN CLOUD EXAMPLE
39
Cloud Docs Exposures
PUBLIC CLOUD SEARCHING
40
NotInMyBackYard
PERSONAL USE
41
NEW GOOGLE HACKING TOOLS
PortScan Diggity
42
PortScanning
TARGETING HTTP ADMIN CONSOLES
43
PortScanning
TARGETING PORT RANGES
44
PortScanning
TARGETING VULNERABILITY
45
PortScan Diggity
TARGETING HTTP ADMIN CONSOLES
46
NEW GOOGLE HACKING TOOLS
CodeSearch Diggity
47
Google Code Search
VULNS IN OPEN SOURCE CODE
48
CodeSearch Diggity
AMAZON CLOUD SECRET KEYS
49
Cloud Security
N O P R O M I S E S . . .N O N E
50
Cloud Crawling
CREATE YOUR OWN SEARCH ENGINES
51
Google Code Search
VULNS IN OPEN SOURCE CODE
52
Google Code Search
VULNS IN OPEN SOURCE CODE
53
NEW GOOGLE HACKING TOOLS
SHODAN Diggity
54
SHODAN
HACKER SEARCH ENGINE
• Indexed service banners for whole Internet for HTTP (Port 80), as well
as some FTP (23), SSH (22) and Telnet (21) services
55
SHODAN
FINDING SCADA SYSTEMS
56
SHODAN
FINDING SCADA SYSTEMS
57
SHODAN Diggity
FINDING SCADA SYSTEMS
58
NEW GOOGLE HACKING TOOLS
Bing LinkFromDomainDiggity
59
Bing LinkFromDomain
DIGGITY TOOLKIT
60
Bing LinkFromDomain
FOOTPRINTING LARGE ORGANIZATIONS
61
NEW GOOGLE HACKING TOOLS
DLP Diggity
62
DLP Diggity
LOTS OF FILES TO DATA MINE
63
DLP Diggity
MORE DATA SEARCHABLE EVERY YEAR
Google Results for Common Docs
1,030,000,000
1,200,000,000
1,000,000,000
64
Data Loss In The News
MAJOR DATA LEAKS
65
Data Loss In The News
MAJOR DATA LEAKS
66
DLP Diggity
DIGGITY TOOLKIT
67
DLP Reporting
PRACTICAL EXAMPLES
68
DLP Reporting
PRACTICAL EXAMPLES
69
NEW GOOGLE HACKING TOOLS
FlashDiggity
70
FlashDiggity
DIGGITY TOOLKIT
71
Flash Non-SWF Hacking
OTHER FLASH HACKING
• Google/Bing for Non-SWF files on target domains, but related to Flash. Example queries:
• inurl:crossdomain.xml ext:xml intext:"secure" intext:"false“
• intext:"swf" intext:"param name" intext:"allowNetworking * all“
• Download Non-SWF files to C:\DiggityDownloads\
• Use DLPDiggity to analyze for non-SWF Flash vulnerabilities, such as:
• Crossdomain.xml Insecure Settings
• Secure flag set to false
• Open * wildcard used
• Unsafe Flash HTML Embed Settings:
• AllowScriptAccess always
• AllowNetworking all
• AllowFullScreen true
72
NEW GOOGLE HACKING TOOLS
Baidu Diggity
73
BaiduDiggity
CHINA SEARCH ENGINE
• Fighting back
74
Malware and Search Engines
U N H O LY UN I O N
75
Rise of Malware
NO SITES ARE SAFE
76
Mass Injection Attacks
MALWARE GONE WILD
77
Mass Injection Attacks
MALWARE GONE WILD
78
Mass Injection Attacks
MALWARE GONE WILD
79
Watering Hole Attacks
MALWARE GONE WILD
80
Watering Hole Attacks
MALWARE GONE WILD
81
Watering Hole Attacks
MALWARE GONE WILD
82
Inconvenient Truth
D***HEAD ALERT SYSTEM
83
Malware SaaS Services
CRIMINAL THIRD-PARTY SOLUTIONS
84
NEW GOOGLE HACKING TOOLS
Malware Diggity
85
MalwareDiggity
DIGGITY TOOLKIT
86
Malware Diggity
DIGGITY TOOLKIT
87
Malware Diggity
DIGGITY TOOLKIT
88
Malware Diggity
DIAGNOSTICS IN RESULTS
89
NEW GOOGLE HACKING TOOLS
BingBinaryMalwareSearch (BBMS)
90
Bing Malware Search
TARGETING MALWARE
91
Black Hat SEO
SEARCH ENGINE OPTIMIZATION
92
Google Trends
BLACK HAT SEO RECON
93
Google Trends
PREDICTING ELECTIONS
94
Malvertisements
MALWARE ADS IN SEARCH ENGINES
95
Google Vanity Alerts
SPEAR PHISHING VIA GOOGLE
96
Search Engine deOptimization
BLACK LIST YOUR FOES
Identify
Malware Links
Mass Inject
Profit Competition
Competition Competition
PageRank is 0 Black Listed
97
Malware Defenses
P RO T E CT YO N E CK
98
Anti-virus is Dead
MALWARE DEFENSES
99
Malware Defenses
BLACKHAT SEO DEFENSES
• Sandbox Software
• Sandboxie (sandboxie.com)
• Dell KACE - Secure Browser
• Office 2010 (Protected Mode)
• SharePoint 2010 (Sandboxed Solutions)
• Adobe Reader Sandbox (Protected Mode)
• Adobe Flash Sandbox (Protected Mode) – NEW May2012
101
MalwareDiggity Alerts
MONITORING FOR INFECTIONS
Identify
External Links
Identify
Alert Incoming Links
Detect Compare to
Infections Black List
102
Monitoring Malware
MALWARE DEFENSES
103
Monitoring Malware
MALWARE DEFENSES
104
Disable Java
DOMINANT THREAT
87% 105
Disable Java
MALWARE DEFENSES
106
Help from Google
MALWARE DEFENSES
107
NON–DIGGITY ATTACK TOOLS
108
Maltego
INFORMATION GATHERING TOOL
109
Maltego
INFORMATION GATHERING TOOL
110
Maltego
INFORMATION GATHERING TOOL
111
theHarvester
FOOTPRINTING TOOL
112
theHarvester
FOOTPRINTING EXAMPLE
113
Metagoofil
FOOTPRINTING TOOL
114
SpiderFoot 2.0
FOOTPRINTING TOOL
115
FOCA
INFO GATHERING AND METADATA
116
SHODAN
HACKER SEARCH ENGINE
• Indexed service banners for whole Internet for HTTP (Port 80), as well
as some FTP (23), SSH (22) and Telnet (21) services
117
DeepMagic DNS
FOOTPRINTING DNS SEARCH ENGINE
118
PasteBin Leaks
PASSWORDS IN PASTEBIN.COM POSTS
119
Internet Census 2012
NMAP OF ENTIRE INTERNET
• ~420k botnet used to perform NMAP against entire IPv4 addr space!
• ICMP sweeps, SYN scans, Reverse DNS, and Service probes of 662 ports
• Free torrent of 568GB of NMAP results (9TB decompressed NMAP results)
120
Advanced Defenses
PROTECT YO NECK
121
Traditional Defenses
GOOGLE HACKING DEFENSES
122
Existing Defenses
“H A C K Y O U R S E L F”
Tools exist
Convenient
Real-time updates
Multi-engine results
Historical archived data
Multi-domain searching
123
Advanced Defenses
NEW HOT SIZZLE
124
Google Hacking Alerts
ADVANCED DEFENSES
125
Google Hacking Alerts
ADVANCED DEFENSES
126
Bing Hacking Alerts
ADVANCED DEFENSES
127
Bing/Google Alerts
LIVE VULNERABILITY FEEDS
128
Diggity Alerts
One Feed to Rule Them All
129
FUNdle Bundle
ADVANCED DEFENSES
130
FUNdle Bundle
ADVANCED DEFENSES
131
FUNdle Bundle
MOBILE FRIENDLY
132
ADVANCED DEFENSE TOOLS
SHODAN Alerts
133
SHODAN Alerts
FINDING SCADA SYSTEMS
134
SHODAN Alerts
FINDING SCADA SYSTEMS
135
SHODAN Alerts
SHODAN RSS FEEDS
136
Bing/Google Alerts
THICK CLIENTS TOOLS
137
ADVANCED DEFENSE TOOLS
Alert Diggity
138
Alerts Diggity
ADVANCED DEFENSES
139
iDiggity Alerts
iDiggity Alerts
140
iDiggity Alerts
ADVANCED DEFENSES
141
iDiggity Alerts
ADVANCED DEFENSES
142
New Defenses
“G O O G L E / B I N G H A C K A L E R T S”
Tools exist
Convenient
Real-time updates
Multi-engine results
Historical archived data
Multi-domain searching
143
Diggity Alert DB Diggity Alerts
DATA MINING VULNS Database
144
Future Direction
IS NOW
145
Diggity Dashboards
COMING SOON
Google Charts
Mobile BI Apps
146
Questions?
Ask us something
We’ll try to answer it.
For more info:
Fran Brown
Rob Ragan (@sweepthatleg)
Email: contact@stachliu.com
Project: diggity@stachliu.com
Stach & Liu, LLC
www.stachliu.com
Thank You
148