Symantec ThreatCon
Nov 15 2005 12:30AM
Google Hacking for Penetration Testers


By Johnny Long
Published by Syngress
ISBN: 1931836361
Published:December 1, 2004
Pages:528


Application Software Error Messages

The error messages we’ve looked at so far have all been generated by the Web server itself. In many cases, applications running on the Web server can generate errors that reveal information about the server as well. There are untold thousands of Web applications on the Internet, each of which can generate any number of error messages. Dedicated Web assessment tools such as SPI Dynamic’s WebInspect excel at performing detailed Web application assessments, making it seem a bit pointless to troll Google for application error messages. However, we search for error message output throughout this book simply because the data contained in error messages should not be overlooked.

We’ve looked at various error messages in previous chapters, and we’ll see more error messages in later chapters, but let’s take a quick look at how error messages can help profile a Web server and its applications. Admittedly, we will hardly scratch the surface of this topic, but we’ll make an effort to stimulate your thinking about Google’s ability to locate these sometimes very telling error messages.

One query, "Fatal error: Call to undefined function" -reply -the -next, will locate Active Server Page (ASP) error messages. These messages often reveal information about the database software in use on the server as well as information about the application that caused the error (see Figure 8.9).

Figure 8.9 ASP Custom Error Messages

Although this ASP message is fairly benign, some ASP error messages are much more revealing. Consider the query "ASP.NET_SessionId" "data source=", which locates unique strings found in ASP.NET application state dumps, as shown in Figure 8.10. These dumps reveal all sorts of information about the running application and the Web server that hosts that application. An advanced attacker could use encrypted password data and variable information in these stack traces to subvert the security of the application and perhaps the Web server itself.

Figure 8.10 ASP Dumps Provide Dangerous Details

PHP application errors are fairly commonplace. They can reveal all sorts of information that an attacker can use to profile a server. One very common error can be found with a query such as intext:"Warning: Failed opening" include_path, as shown in Figure 8.11.

Figure 8.11 Many Errors Reveal Pathnames and Filenames

CGI programs often reveal information about the Web server and its applications in the form of environment variable dumps. A typical environmental variable output page is shown in Figure 8.12.

Figure 8.12 CGI Environment Listings Reveal Lots of Information

This screen shows information about the Web server and the client that connected to the page when the data was produced. Since Google's bot crawls pages for us, one way to find these CGI environment pages is to focus on the trail left by the bot, reflected in these pages as the "HTTP_FROM=googlebot" line. We can search for pages like this with a query such as "HTTP_FROM=googlebot" googlebot.com "Server_Software". These pages are dynamically generated, which means that you must look at Google's cache to see the document as it was crawled.

To locate good base searches for a particular application, it’s best to look at the source code of that application. Using the techniques we’ve explored so far, it’s simple to create these searches.
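The same error strings that make these queries work can be used the other way round: before a search engine indexes the output, a site owner can check their own pages for it. The following is an added example in Python, not code from the book, that scans a set of response bodies (a local crawl of your own server, or the copies a search engine has cached for your domain) for the four kinds of error output described above and reports what each one gives away. The message layouts it parses are assumptions for the example (PHP 4 style "Warning: Failed opening ... include_path" and "Fatal error: Call to undefined function" lines, an ASP.NET page carrying ASP.NET_SessionId together with a data source= connection string, and KEY=value CGI environment listings), and the sample responses are constructed.

```python
"""Scan response bodies for application error output that discloses
server details. Added example; message formats and samples are assumed."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    kind: str         # which class of leak was seen
    disclosed: dict   # what the page gives away (credentials are never copied)


# Patterns built from the search strings used in the text. Exact layouts
# (PHP 4 style warnings, KEY=value environment dumps) are this example's assumption.
PHP_INCLUDE_RE = re.compile(
    r"Warning: Failed opening '([^']+)' for inclusion "
    r"\(include_path='([^']*)'\) in (\S+) on line (\d+)")
UNDEF_FUNC_RE = re.compile(
    r"Fatal error: Call to undefined function:? *(\w+)\(\) in (\S+) on line (\d+)")
DATA_SOURCE_RE = re.compile(r"data source=([^;\s]+)", re.IGNORECASE)
CREDENTIAL_RE = re.compile(r"\b(?:password|pwd)=", re.IGNORECASE)
ENV_LINE_RE = re.compile(r"^([A-Z_]+)=(.*)$", re.MULTILINE)
ENV_KEYS_OF_INTEREST = ("SERVER_SOFTWARE", "DOCUMENT_ROOT", "SCRIPT_FILENAME", "HTTP_FROM")


def scan_body(body: str) -> list:
    """Return a Finding for every class of error leak present in one body."""
    findings = []
    m = PHP_INCLUDE_RE.search(body)
    if m:   # pathnames, filenames and the include_path (Figure 8.11)
        findings.append(Finding("php-include-warning", {
            "missing_file": m.group(1), "include_path": m.group(2),
            "script": m.group(3), "line": int(m.group(4))}))
    m = UNDEF_FUNC_RE.search(body)
    if m:   # which library the application expected, plus the script path
        findings.append(Finding("undefined-function",
                                {"function": m.group(1), "script": m.group(2)}))
    if "ASP.NET_SessionId" in body:   # application state dump (Figure 8.10)
        m = DATA_SOURCE_RE.search(body)
        findings.append(Finding("aspnet-state-dump", {
            "data_source": m.group(1) if m else None,
            "credentials_present": bool(CREDENTIAL_RE.search(body))}))
    if "HTTP_FROM=googlebot" in body or "SERVER_SOFTWARE=" in body:
        env = dict(ENV_LINE_RE.findall(body))   # CGI environment listing (Figure 8.12)
        findings.append(Finding("cgi-environment-dump",
                                {k: env[k] for k in ENV_KEYS_OF_INTEREST if k in env}))
    return findings


def scan_site(responses: dict) -> dict:
    """Map each URL to its findings, dropping pages with nothing to report."""
    return {url: found for url, body in responses.items() if (found := scan_body(body))}


# Constructed sample responses; hostnames, paths and versions are made up.
SAMPLE_RESPONSES = {
    "/index.php": ("Warning: Failed opening 'inc/config.php' for inclusion "
                   "(include_path='.:/usr/share/pear') in /var/www/html/index.php on line 3"),
    "/cart.php": ("Fatal error: Call to undefined function: mysql_connect() "
                  "in /var/www/html/cart.php on line 12"),
    "/checkout.aspx": ("Server Error in '/' Application.\n"
                       "Cookie: ASP.NET_SessionId=placeholder\n"
                       "ConnectionString: data source=db01.internal;initial catalog=orders;"
                       "user id=web;password=example-only"),
    "/cgi-bin/printenv": ("DOCUMENT_ROOT=/usr/local/apache/htdocs\n"
                          "HTTP_FROM=googlebot(at)googlebot.com\n"
                          "SERVER_SOFTWARE=Apache/1.3.27 (Unix)\n"),
    "/about.html": "<h1>About us</h1><p>We make widgets.</p>",
}

if __name__ == "__main__":
    for url, found in scan_site(SAMPLE_RESPONSES).items():
        for f in found:
            print(f"{url}: {f.kind} -> {f.disclosed}")
```

Each finding points at the same kind of fix: in php.ini set display_errors to Off and log_errors to On so messages go to the log rather than the browser; in an ASP.NET web.config set customErrors mode to On (or RemoteOnly) so stack traces and state dumps are not returned to remote clients; and remove sample CGI scripts such as printenv from production cgi-bin directories. Because Google serves its cached copy, a page that has since been fixed can still turn up in results until it is recrawled, which is why the scanner is written to run over cached copies as well as live responses.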

Default Pages

Another way to locate specific types of servers or Web software is to search for default Web pages. Most Web software, including the Web server software itself, ships with one or more default or test pages. These pages can make it easy for a site administrator to test the installation of a Web server or application. By providing a simple page to test, the administrator can simply connect to his own Web server with a browser to validate that the Web software was installed correctly. Some operating systems even come with Web server software already installed. In this case, the owner of the machine might not even realize that a Web server is running on his machine. This type of casual behavior on the part of the owner will lead an attacker to rightly assume that the Web software is not well maintained and is, by extension, insecure. By further extension, the attacker can also assume that the entire operating system of the server might be vulnerable by virtue of poor maintenance.

In some cases, Google crawls a Web server while it is in its earliest stages of installation, still displaying a set of default pages. In these cases there’s generally a short window of time between the moment when Google crawls the site and when the intended content is actually placed on the server. This means that there could be a disparity between what the live page is displaying and what Google’s cache displays. This makes little difference from a Google hacker’s perspective, since even the past existence of a default page is enough for profiling purposes. Remember, we’re essentially searching Google’s cached version of a page when we submit a query. Regardless of the reason a server has default pages installed, there’s an attacker somewhere who will eventually show interest in a machine displaying default pages found with a Google search.

A classic example of a default page is the Apache Web server default page, shown in Figure 8.13.

Figure 8.13 A Typical Apache Default Web Page

Notice that the administrator’s e-mail is generic as well, indicating that not a lot of attention was paid to detail during the installation of this server. These default pages do not list the version number of the server, which is a required piece of information for a successful attack. It is possible, however, that an attacker could search for specific variations in these default pages to find specific ranges of server versions. As shown in Figure 8.14, an Apache server running versions 1.3.11 through 1.3.26 shows a slightly different page than the Apache server version 1.3.11 through 1.3.26, shown in Figure 8.13.

Figure 8.14 Subtle Differences in Apache Default Pages

Using these subtle differences to our advantage, we can use specific Google queries to locate servers with these default pages, indicating that they are most likely running a specific version of Apache. Table 8.4 shows queries that can be used to locate specific families of Apache running default pages.

Table 8.4 Queries That Locate Default Apache Installations

Apache Server Version    Query
Apache 1.2.6             intitle:"Test Page for Apache Installation" "You are free"
Apache 1.3.0–1.3.9       intitle:"Test Page for Apache" "It worked!" "this Web site!"
Apache 1.3.11–1.3.31     intitle:Test.Page.for.Apache seeing.this.instead
Apache 2.0               intitle:Simple.page.for.Apache Apache.Hook.Functions
Apache SSL/TLS           intitle:test.page "Hey, it worked !" "SSL/TLS-aware"
Apache on Red Hat        "Test Page for the Apache Web Server on Red Hat Linux"
Apache on Fedora         intitle:"test page for the apache http server on fedora core"
Apache on Debian         intitle:"Welcome to Your New Home Page!" debian
Apache on other Linux    intitle:"Test Page * * Apache Web Server on " -red.hat -fedora

IIS also displays a default Web page when first installed. A query such as intitle:"Welcome to IIS 4.0" can locate very specific versions of IIS, as shown in Figure 8.15.

Figure 8.15 Locating Default Installations of IIS 4.0 on Windows NT 4.0/OP

Table 8.5 Queries That Locate Specific IIS Server Versions

IIS Server Version    Query
Many                  intitle:"welcome to" intitle:internet IIS
Unknown               intitle:"Under construction" "does not currently have"
IIS 4.0               intitle:"welcome to IIS 4.0"
IIS 4.0               allintitle:Welcome to Windows NT 4.0 Option Pack
IIS 4.0               allintitle:Welcome to Internet Information Server
IIS 5.0               allintitle:Welcome to Windows 2000 Internet Services
IIS 6.0               allintitle:Welcome to Windows XP Server Internet Services

Although each version of IIS displays distinct default Web pages, in some cases service packs or hotfixes could alter the content of a default page. In these cases, the subtle page changes can be incorporated into the search to find not only the operating system version and Web server version but also the service pack level and security patch level. This information is invaluable to an attacker bent on hacking not only the Web server, but hacking beyond the Web server and into the operating system itself. In most cases, an attacker with control of the operating system can wreak more havoc on a machine than a hacker who controls only the Web server.

Netscape servers can also be located with simple queries such as allintitle:Netscape Enterprise Server Home Page, as shown in Figure 8.16.

Figure 8.16 Locating Netscape Web Servers

Other Netscape servers can be found with simple allintitle searches, as shown in Table 8.6.

Table 8.6 Queries That Locate Netscape Servers

Netscape Server Type    Query
Enterprise Server       allintitle:Netscape Enterprise Server Home Page
FastTrack Server        allintitle:Netscape FastTrack Server Home Page

Many different types of Web server can be located by querying for default pages as well. Table 8.7 lists a sample of more esoteric Web servers that can be profiled with this technique.

Table 8.7 Queries That Locate More Esoteric Servers

Server/Version              Query
Cisco Micro Webserver 200   "micro webserver home page"
Generic Appliance           "default web page" congratulations "hosting appliance"
HP appliance sa1*           intitle:"default domain page" "congratulations" "hp web"
iPlanet/Many                intitle:"web server, enterprise edition"
Intel Netstructure          "congratulations on choosing" intel netstructure
JWS/1.0.3–2.0               allintitle:default home page java web server
J2EE/Many                   intitle:"default j2ee home page"
Jigsaw/2.2.3                intitle:"jigsaw overview" "this is your"
Jigsaw/Many                 intitle:"jigsaw overview"
KFSensor honeypot           "KF Web Server Home Page"
Kwiki                       "Congratulations! You've created a new Kwiki website."
Matrix Appliance            "Welcome to your domain web page" matrix
NetWare 6                   intitle:"welcome to netware 6"
Resin/Many                  allintitle:Resin Default Home Page
Resin/Enterprise            allintitle:Resin-Enterprise Default Home Page
Sambar Server               intitle:"sambar server" "1997..2004 Sambar"
Sun AnswerBook Server       inurl:"Answerbook2options"
TivoConnect Server          inurl:/TiVoConnect
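The queries in Tables 8.4 through 8.7 are written in Google's operator syntax, so the most useful check a site owner can run is to evaluate those same queries against their own pages offline and learn whether a forgotten default page would still match before a search engine indexes it. The following is an added example in Python, not code from the book, that parses the operators the tables use (intitle:, allintitle:, inurl:, intext:, quoted phrases, - exclusion, * as a one-word wildcard and a..b as a numeric range) and applies a handful of the tables' own queries to constructed sample pages. Three simplifications are this example's assumptions rather than statements about Google: a period inside a term matches any single character (so Test.Page.for.Apache matches "Test Page for Apache"), allintitle: applies to every term that follows it, and a term with no operator may match in the title, the URL or the body.

```python
"""Offline evaluator for the Google-style queries in Tables 8.4-8.7.
Added example; operator semantics are simplified as described in the lead-in."""
import re
from dataclasses import dataclass


@dataclass
class Page:
    title: str
    url: str
    body: str


# One query token: optional '-', optional operator, then a quoted or bare term.
TOKEN_RE = re.compile(r'(-?)(?:(intitle|allintitle|inurl|intext):)?(?:"([^"]*)"|(\S+))')
# Pieces of a term: numeric range, '*', '.', whitespace, or a literal run.
PIECE_RE = re.compile(r"(\d+)\.\.(\d+)|(\*)|(\.)|(\s+)|(\d+|[^.*\d\s]+)")


def term_to_regex(term: str) -> "re.Pattern[str]":
    """Translate one search term into a case-insensitive regex."""
    parts = []
    for lo, hi, star, dot, space, lit in PIECE_RE.findall(term):
        if lo:          # 1997..2004 -> any integer in that range
            parts.append("(?:" + "|".join(str(n) for n in range(int(lo), int(hi) + 1)) + ")")
        elif star:      # '*' stands for exactly one word
            parts.append(r"\S+")
        elif dot:       # '.' stands for any single character (this example's assumption)
            parts.append(".")
        elif space:
            parts.append(r"\s+")
        else:
            parts.append(re.escape(lit))
    return re.compile("".join(parts), re.IGNORECASE)


def matches(query: str, page: Page) -> bool:
    """True when the page satisfies every term of the query."""
    fields = {"intitle": [page.title], "inurl": [page.url], "intext": [page.body]}
    anywhere = [page.title, page.url, page.body]
    all_in_title = False
    for neg, op, quoted, bare in TOKEN_RE.findall(query):
        if op == "allintitle":          # every remaining term must be in the title
            all_in_title, op = True, "intitle"
        text = quoted or bare
        if not text:
            continue
        targets = fields.get(op) or (fields["intitle"] if all_in_title else anywhere)
        hit = any(term_to_regex(text).search(t) for t in targets)
        if hit == bool(neg):            # required term absent, or excluded term present
            return False
    return True


# Queries copied from Tables 8.4, 8.5 and 8.7, keyed by what a match suggests.
FINGERPRINTS = {
    "Apache 1.2.6": 'intitle:"Test Page for Apache Installation" "You are free"',
    "Apache 1.3.0-1.3.9": 'intitle:"Test Page for Apache" "It worked!" "this Web site!"',
    "Apache 1.3.11-1.3.31": "intitle:Test.Page.for.Apache seeing.this.instead",
    "Apache on Red Hat": '"Test Page for the Apache Web Server on Red Hat Linux"',
    "Apache on Fedora": 'intitle:"test page for the apache http server on fedora core"',
    "Apache on other Linux": 'intitle:"Test Page * * Apache Web Server on " -red.hat -fedora',
    "IIS 4.0 (NT Option Pack)": "allintitle:Welcome to Windows NT 4.0 Option Pack",
    "Sambar Server": 'intitle:"sambar server" "1997..2004 Sambar"',
}


def fingerprint(page: Page) -> list:
    """Labels of every table query the page would satisfy."""
    return [label for label, query in FINGERPRINTS.items() if matches(query, page)]


# Constructed sample pages, loosely modelled on the default pages the chapter shows.
URL = "http://www.example.com/"
SAMPLES = {
    "redhat": Page("Test Page for the Apache Web Server on Red Hat Linux", URL,
                   "This page is used to test the proper operation of the Apache Web server."),
    "apache13": Page("Test Page for Apache Installation", URL,
                     "If you can see this, it means that the installation of the Apache web "
                     "server software on this system was successful. Seeing this instead of "
                     "the website you expected?"),
    "suse": Page("Test Page for the Apache Web Server on SuSE Linux", URL, "It works."),
    "fedora": Page("Test Page for the Apache HTTP Server on Fedora Core", URL, "Placeholder."),
    "iis4": Page("Welcome to Windows NT 4.0 Option Pack", URL, "Internet Information Server 4.0"),
    "sambar": Page("Sambar Server", URL, "Copyright 2003 Sambar Technologies"),
    "normal": Page("Example Corp - Products", URL + "products", "Our product catalogue."),
}

if __name__ == "__main__":
    for name, page in SAMPLES.items():
        print(f"{name:9s} -> {fingerprint(page) or 'no default-page fingerprint'}")
```

Two things the run makes visible that the tables alone do not: the exclusion terms matter (the Red Hat page matches the "other Linux" phrase but is rejected by -red.hat, while the SuSE page is not), and a version guess from a default page is a family, not an exact release, since the same title text is shared by several Apache versions. Feed the function the titles and bodies of your own site, or of the cached copies a search engine holds for it, and any non-empty result is a page that should have been replaced or removed.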


Excerpt continued on Page 6 

About the author
Johnny Long has spoken on network security and Google hacking at several computer security conferences around the world including SANS, Defcon, and the Black Hat Briefings. During his recent career with Computer Sciences Corporation (CSC), a leading global IT services company, he has performed active network and physical security assessments for hundreds of government and commercial clients. His website, currently the Internet's largest repository of Google hacking techniques, can be found at http://johnny.ihackstuff.com. Johnny is also co-author of the forthcoming books Aggressive Network Self-Defense, InfoSec Career Hacking: Sell Your Skillz, Not Your Soul, and Stealing the Network: How to Own an Identity from Syngress Publishing.
Copyright 2005, SecurityFocus