During World War II a predecessor agency of the CIA created a special intelligence unit to exploit information gathered from openly available sources. One classic example of the team's resourcefulness was determining whether Allied forces had successfully bombed the bridges leading into Paris from the rising price of oranges. Since then OSINT sources have surged in number and diversity, but none can compare to the wealth of information provided by the Internet. Attackers have long used search engines to filter this information and identify vulnerabilities. However, current search-hacking techniques have been stymied by search providers' efforts to curb this type of behavior. Not anymore: our demonstration-heavy presentation picks up the subtle art of search engine hacking where it currently stands and discusses why those techniques fail. We then reveal several new search engine hacking techniques that have produced remarkable results against both Google and Bing. Come ready to engage with us as we release two new tools, GoogleDiggity and BingDiggity, which take full advantage of the new techniques. We will also release the first "live vulnerability feed", which we expect to become the new standard for detecting and protecting yourself against these types of attacks. This presentation will change the way you think about search engine hacking, so put on your helmets. We don't want a mess when we blow your minds.
Lord of the Bing - Black Hat USA 2010
1. Lord of the Bing
Taking Back Search Engine Hacking From Google and Bing
29 July 2010
Presented by:
Francis Brown and Rob Ragan
Stach & Liu, LLC
www.stachliu.com
3. Goals
DESIRED OUTCOME
• To improve Google Hacking
  • Attacks and defenses
  • Advanced tools and techniques
• To think differently about exposures in publicly available sources
• To blow your mind!
5. Attack Targets
GOOGLE HACKING DATABASE
GHDB categories (number of queries in each category in parentheses):
• Advisories and Vulnerabilities (215)
• Error Messages (58)
• Files containing juicy info (230)
• Files containing passwords (135)
• Files containing usernames (15)
• Footholds (21)
• Pages containing login portals (232)
• Pages containing network or vulnerability data (59)
• Sensitive Directories (61)
• Sensitive Online Shopping Info (9)
• Various Online Devices (201)
• Vulnerable Files (57)
• Vulnerable Servers (48)
• Web Server Detection (72)
6. Attack Targets
GOOGLE HACKING DATABASE
Old School Examples
• Error Messages
  • filetype:asp + "[ODBC SQL"
  • "Warning: mysql_query()" "invalid query"
• Files containing passwords
  • inurl:passlist.txt
7. New Toolkit
STACH & LIU TOOLS
Google Diggity
• Uses Google AJAX API
• Not blocked by Google bot detection
• Does not violate Terms of Service
• Can leverage
Bing Diggity
• Uses Bing SOAP API
• Company/Webapp Profiling
• Enumerate: URLs, IP-to-virtual hosts, etc.
• Bing Hacking Database (BHDB)
  • Vulnerability search queries in Bing format
8. New Toolkit
STACH & LIU TOOLS
GoogleScrape Diggity
• Uses Google mobile interface
• Light-weight, no advertisements or extras
• Violates Terms of Service
• Automatically leverages valid open proxies
• Spoofs User-agent and Referer headers
• Random &userip= value
9. New Hack Databases
ATTACK QUERIES
BHDB – Bing Hacking Data Base
• First ever Bing Hacking database
• Bing has limitations that make it difficult to create vuln search queries
  • Bing disabled the link: and linkdomain: directives to combat abuse in March 2007
  • Does not support ext: or inurl:
  • The filetype: functionality is limited
Example - Bing vulnerability search:
• GHDB query
  • "allintitle:Netscape FastTrack Server Home Page"
• BHDB version
  • "intitle:Netscape FastTrack Server Home Page"
10. New Hack Databases
ATTACK QUERIES
SLDB - Stach & Liu Data Base
• New Google/Bing hacking searches in active development by the S&L team
SLDB Examples
• ext:(doc | pdf | xls | txt | ps | rtf | odt | sxw | psw | ppt | pps | xml) (intext:confidential salary | intext:"budget approved") inurl:confidential
• ( filetype:mail | filetype:eml | filetype:mbox | filetype:mbx ) intext:password|subject
• filetype:sql "insert into" (pass|passwd|password)
• !Host=*.* intext:enc_UserPassword=* ext:pcf
• "your password is" filetype:log
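The BHDB is essentially the GHDB rewritten around Bing's operator gaps. The following converter is an added example (not Diggity code and not the BHDB itself) that mechanises that rewrite using only the limitations the slides list: inurl:, link: and linkdomain: have no Bing equivalent and are dropped with a warning, ext: is mapped to filetype: (an assumption that the two mean the same thing), a parenthesised filetype: group is flagged because Bing's filetype: support is limited, and allintitle: is turned into a single quoted intitle: phrase (an assumption that intitle: on Bing binds only the next word, so the phrase must be quoted to keep all of the words in the title).

```python
import re

# Google operators the slide says Bing lacks or has disabled: drop them and
# warn rather than emit a query Bing would silently interpret as plain text.
UNSUPPORTED_IN_BING = {"inurl", "allinurl", "link", "linkdomain"}

# Google operator -> Bing operator assumed to carry the same meaning.
RENAMED = {"ext": "filetype"}

OPERATOR = re.compile(r"(-?)([a-z]+):(.*)")


def tokenize(query):
    """Split on whitespace while keeping quoted phrases and parenthesised
    groups such as ext:(doc | pdf) together as one token."""
    tokens, current, depth, in_quote = [], [], 0, False
    for ch in query:
        if ch == '"':
            in_quote = not in_quote
        elif ch == "(" and not in_quote:
            depth += 1
        elif ch == ")" and not in_quote:
            depth -= 1
        if ch.isspace() and depth == 0 and not in_quote:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def ghdb_to_bing(query):
    """Translate a GHDB/SLDB-style Google query into Bing syntax.
    Returns (bing_query, warnings); an empty query means nothing survived."""
    warnings, out = [], []
    tokens = tokenize(query.strip())
    for i, tok in enumerate(tokens):
        m = OPERATOR.fullmatch(tok)
        if not m:
            out.append(tok)  # plain term, quoted phrase or a (...) group
            continue
        neg, op, arg = m.groups()
        if op == "allintitle":
            # allintitle: scopes every following term; Bing only has
            # intitle:, so fold the remaining words into one quoted phrase.
            phrase = " ".join([arg] + tokens[i + 1:]).strip('"')
            out.append(f'{neg}intitle:"{phrase}"')
            break
        if op in UNSUPPORTED_IN_BING:
            warnings.append(f"dropped {op}:{arg} (no Bing equivalent)")
            continue
        op = RENAMED.get(op, op)
        if op == "filetype" and arg.startswith("("):
            warnings.append(f"{op}:{arg}: Bing's filetype: is limited, "
                            "verify each type separately")
        out.append(f"{neg}{op}:{arg}")
    return " ".join(out), warnings


if __name__ == "__main__":
    for q in ["allintitle:Netscape FastTrack Server Home Page",
              "inurl:passlist.txt",
              "!Host=*.* intext:enc_UserPassword=* ext:pcf"]:
        bing, warns = ghdb_to_bing(q)
        print(f"{q!r} -> {bing!r} {warns}")
```

Run it over the GHDB and the warnings list is exactly the set of queries that need a hand-written BHDB replacement; the rest can be fed to the Bing API as-is.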
12. Traditional Defenses
GOOGLE HACKING DEFENSES
• "Google Hack yourself" organization
  • Employ tools and techniques used by hackers
• Remove info leaks from Google cache
  • Using Google Webmaster Tools
• Regularly update your robots.txt
  • Or robots meta tags for individual page exclusion
  • Note: both only ask cooperating crawlers not to index; neither restricts access, and robots.txt itself advertises the paths you list in it
• Data Loss Prevention/Extrusion Prevention Systems
  • Free Tools: OpenDLP, Senf
• Policy and Legal Restrictions
15. Existing Defenses
"HACK YOURSELF"
Criteria rated on the slide for the existing "hack yourself" tools (the check/cross marks are not reproduced here):
• Tools exist
• Convenient
• Real-time updates
• Multi-engine results
• Historical archived data
• Multi-domain searching
16. Advanced Defenses
NEW HOT SIZZLE
Stach & Liu now proudly presents:
• Google Hacking Alerts
• Bing Hacking Alerts
17. Google Hacking Alerts
ADVANCED DEFENSES
Google Hacking Alerts
• All hacking database queries using
• Real-time vuln updates to >2400 hack queries via RSS
• Organized and available via importable file
18. Google Hacking Alerts
ADVANCED DEFENSES
19. Bing Hacking Alerts
ADVANCED DEFENSES
Bing Hacking Alerts
• Bing searches with regexes from BHDB
• Leverage the &format=rss directive to turn searches into update feeds
20. Alert Client Tools
GOOGLE/BING ALERT CLIENTS
Google/Bing Hacking Alert Thick Clients
• Take in Google/Bing Alert RSS feeds as input
• Allow the user to set one or more filters to generate alerts when an RSS alert entry matches something they are interested in (e.g. "yourcompany.com" in the URL)
• Several thick clients being released by Stach & Liu:
  • Windows app
  • iPhone app (coming soon)
  • Droid app (coming soon)
22. New Defenses
"GOOGLE/BING HACK ALERTS"
The same criteria, rated on the slide for the new alert tools (the check/cross marks are not reproduced here):
• Tools exist
• Convenient
• Real-time updates
• Multi-engine results
• Historical archived data
• Multi-domain searching
23. Google Apps Explosion
SO MANY APPLICATIONS TO ABUSE
25. Google Code Search
VULNS IN OPEN SOURCE CODE
• Regex search for vulnerabilities in public code
• Example: SQL Injection in ASP querystring
  • select.*from.*request.QUERYSTRING
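What that regex does and does not catch is easier to see on real lines than in the search box. The script below is an added example (not part of the slides or the Diggity project) that applies the slide's pattern line by line, case-insensitively, to a constructed classic-ASP fragment: one line builds SQL by concatenating a query-string value (hit), the same flaw split across two lines (missed, because the pattern has to match within one line), and a parameterised query that uses Request.QueryString safely (correctly not flagged). The ASP sample and the ADO calls in it are illustrative, not code from any real project.

```python
import re

# The slide's Google Code Search pattern, applied here per line and
# case-insensitively so SELECT/Select/select all match. The unescaped "."
# before QUERYSTRING is kept exactly as on the slide (it matches any char).
SQLI_ASP = re.compile(r"select.*from.*request.QUERYSTRING", re.IGNORECASE)

# Constructed classic-ASP sample (not real code).
#  line 2: SQL built by concatenation from the query string  -> should hit
#  lines 5-6: the same flaw split over two statements         -> missed
#  lines 8-9: value passed as a bound parameter               -> no hit
SAMPLE_ASP = '''<%
sql = "SELECT * FROM users WHERE id=" & Request.QueryString("id")
Set rs = conn.Execute(sql)
' same flaw split over two lines: a single-line pattern misses it
sql = "SELECT * FROM users WHERE name='"
sql = sql & Request.QueryString("name") & "'"
' hardened: the value travels as a parameter, not as SQL text
cmd.CommandText = "SELECT * FROM users WHERE id = ?"
cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, 4, Request.QueryString("id"))
Set rs = cmd.Execute
%>'''


def find_sqli_candidates(source, pattern=SQLI_ASP):
    """Return (line_number, line) for every source line the pattern matches."""
    return [(n, line) for n, line in enumerate(source.splitlines(), 1)
            if pattern.search(line)]


if __name__ == "__main__":
    for n, line in find_sqli_candidates(SAMPLE_ASP):
        print(f"line {n}: {line}")
```

The miss on lines 5-6 is the general caveat for regex-driven code search: it finds a coding idiom, not a data flow, so treat hits as leads to read, and absence of hits as no evidence at all.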
27. Google Code Search
VULNS IN OPEN SOURCE CODE
28. Google Code Search
VULNS IN OPEN SOURCE CODE
29. Black Hat SEO
SEARCH ENGINE OPTIMIZATION
• Use popular search topics du jour
• Pollute results with links to badware
• Increase chances of a successful attack
32. Defenses
BLACKHAT SEO DEFENSES
• Malware Warning Filters
  • Google Safe Browsing
  • Microsoft SmartScreen Filter
  • Yahoo Search Scan
• Sandbox Software
  • Sandboxie (sandboxie.com)
  • Dell KACE - Secure Browser
  • Adobe Reader Sandbox (Protected Mode)
• NoScript and Adblock browser plugins
33. Mass Injection Attacks
MALWARE GONE WILD
Malware Distribution Woes
• Popular websites victimized, become malware distribution sites to their own customers
34. Malware Browser Filters
URL BLACK LIST
Protecting users from known threats
• Joint effort to protect customers from known malware and phishing links
35. Inconvenient Truth
DICKHEAD ALERTS
Malware Black List Woes
• Average web administrator has no idea when their site gets black listed
37. Malware Diggity
ADVANCED DEFENSES
Malware Diggity
• Uses Bing's linkfromdomain: directive to identify off-site links of the domain(s) you wish to monitor
• Compares to known malware sites/domains
• Alerts if site is compromised and now distributing malware
• Monitors new Google Trends links
Malware Diggity Alerts
• Leverages the Bing '&format=rss' directive to actively monitor new off-site links of your site as they appear
• Immediately lets you know if you have been compromised by one of these mass injection attacks or if your site has been black listed
41. Malware Monitoring
INFECTION DETECTION
• Identify external links (and incoming links)
• Compare to black list
• Detect infected links
• Alert
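The alert client (slide 20), the Bing &format=rss feeds (slide 19) and the Malware Diggity check (slides 37 and 41) share one pipeline: build a feed URL, parse the RSS items, then filter the links. The script below is an added example of that pipeline (not Diggity code): it builds a Bing RSS URL for a linkfromdomain: query, parses a constructed RSS response standing in for Bing's, applies the alert-client filter ("a string in the URL"), and flags off-site links whose host is on a blacklist. The Bing search URL form, the domain names and the blacklist are assumptions made for the example; in practice the blacklist comes from Safe Browsing or SmartScreen.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote_plus, urlparse

# Assumed Bing search endpoint; the &format=rss directive from the slides
# turns any query, including linkfromdomain:, into a feed.
BING_SEARCH = "http://www.bing.com/search"


def bing_rss_url(query):
    """Feed URL for a Bing query (a BHDB query, or linkfromdomain:example.com)."""
    return f"{BING_SEARCH}?q={quote_plus(query)}&format=rss"


def feed_links(rss_xml):
    """(title, link) for each <item> in an RSS 2.0 document."""
    root = ET.fromstring(rss_xml)
    return [(item.findtext("title", ""), item.findtext("link", ""))
            for item in root.iter("item")]


def alert_matches(entries, needle):
    """Alert-client filter from slide 20: entries whose URL contains needle."""
    return [(t, l) for t, l in entries if needle in l]


def host_in_blacklist(host, blacklist):
    """True if host is a blacklisted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == bad or host.endswith("." + bad) for bad in blacklist)


def infected_links(entries, monitored_domain, blacklist):
    """Malware Diggity check: off-site links from monitored_domain whose
    target host is blacklisted. Links back into the monitored domain are
    skipped; linkfromdomain: is about where the site points outward."""
    hits = []
    for title, link in entries:
        host = urlparse(link).hostname or ""
        if host == monitored_domain or host.endswith("." + monitored_domain):
            continue
        if host_in_blacklist(host, blacklist):
            hits.append((title, link))
    return hits


# Constructed feed standing in for Bing's answer to
# linkfromdomain:example.com with &format=rss (illustrative domains only).
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel>
<item><title>Partner page</title><link>http://partner.example.org/about</link></item>
<item><title>Injected script</title><link>http://cdn.malware-host.example/x.js</link></item>
<item><title>Our own site</title><link>http://www.example.com/news</link></item>
</channel></rss>"""

# Constructed blacklist; a real one comes from Safe Browsing/SmartScreen.
BLACKLIST = {"malware-host.example"}

if __name__ == "__main__":
    print(bing_rss_url("linkfromdomain:example.com"))
    entries = feed_links(SAMPLE_RSS)
    print("alerts:  ", alert_matches(entries, "example.com"))
    print("infected:", infected_links(entries, "example.com", BLACKLIST))
```

Poll the feed URL on a schedule, remember the links already seen, and run infected_links only on new items; that is the "alert as they appear" behaviour the slide describes, and it also catches the case where your own outbound link targets were clean yesterday and blacklisted today.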
42. Search Engine deOptimization
BLACK LIST YOUR FOES
• Identify malware links
• Mass inject competition
• Competition black listed
• Competition PageRank is 0
• Profit
44. Predictions
FUTURE DIRECTIONS
Data Explosion
• More data indexed, searchable
• Real-time, streaming updates
• Faster, more robust search interfaces
Google Involvement
• Filtering of search results
• Better GH detection and tool blocking
Renewed Tool Dev
• Google Ajax API based
• Bing/Yahoo/other engines
• Search engine aggregators
• Google Code and Other Open Source Repositories
  • MS CodePlex, SourceForge, …
• More automation in tools
• Real-time detection and exploitation
• Google worms
46. Questions?
Ask us something. We'll try to answer it.
For more info:
Email: contact@stachliu.com
Project: diggity@stachliu.com
Stach & Liu, LLC
www.stachliu.com
47. Thank You
Stach & Liu Project info:
http://www.stachliu.com/index.php/resources/tools/google-hacking-diggity-project/