Google Hacking for Penetration Testers
By Johnny Long. Published by Syngress. ISBN: 1931836361. Published: December 1, 2004. Pages: 528.

Default Documentation
Web server software often ships with manuals and documentation that end up in the Web directories. An attacker could use this documentation to either profile or locate Web software. For example, Apache Web servers ship with documentation in HTML format, as shown in Figure 8.17.
Figure 8.17 Apache Documentation Used for Profiling

In most cases, default documentation does not portray the server version as accurately as error messages or default pages do, but it can certainly be used to locate targets and to gain an understanding of the server's potential security posture. If the server administrator has forgotten to delete the default documentation, an attacker has every reason to believe that other details, such as security, have been overlooked as well. Other Web servers, such as IIS, ship with default documentation too, as shown in Figure 8.18.
Figure 8.18 IIS Server Profiled Via Default Manuals

In most cases, specialized programs such as CGI scanners or Web application assessment tools are better suited for finding these default pages and programs, but if Google has crawled the pages (from a link on a default main page, for example), you'll be able to locate them with Google queries. Some queries that can be used to locate default documentation are listed in Table 8.8.
Table 8.8 Queries That Locate Default Documentation

| Software | Query |
|---|---|
| Apache 1.3 | intitle:"Apache 1.3 documentation" |
| Apache 2.0 | intitle:"Apache 2.0 documentation" |
| Apache Various | intitle:"Apache HTTP Server" intitle:"documentation" |
| ColdFusion | inurl:cfdocs |
| EAServer | intitle:"Easerver" "Easerver Version * Documents" |
| iPlanet Server 4.1/Enterprise Server 4.0 | inurl:"/manual/servlets/" intitle:"programmer" |
| IIS/Various | inurl:iishelp core |
| Lotus Domino 6 | intext:/help/help6_client.nsf |
| Novell Groupwise 6 | inurl:/com/novell/gwmonitor |
| Novell Groupwise WebAccess | inurl:"/com/novell/webaccess" |
| Novell Groupwise WebPublisher | inurl:"/com/novell/webpublisher" |
Sample Programs
In addition to documentation and manuals that ship with Web software, it is fairly common for default applications to be included with a software package. These default applications, like default Web pages, help demonstrate the functionality of the software and serve as a starting point for developers, providing sample routines and code that can be used as learning tools. Unfortunately, these sample programs can be used not only to profile a Web server; often they also contain flaws or functionality that an attacker could use to compromise the server. The Microsoft Index Server simple content query page, shown in Figure 8.19, allows Web visitors to search through the content of a Web site. In some cases, this query page could locate pages that are not linked from any other page or that contain sensitive information.
Figure 8.19 Microsoft Index Server Simple Content Query Page

As with default pages, specialized programs designed to crawl a Web site in search of these default programs are much better suited for finding these pages. However, if a default page provided with a Web server contains links to demonstration pages and programs, Google will find them. In some cases, the cache of these pages will remain even after the main page has been updated and the links removed. Table 8.9 shows some queries that can be used to locate default-installed programs.
Table 8.9 Queries That Locate Default Programs

| Software | Query |
|---|---|
| Apache Cocoon | inurl:cocoon/samples/welcome |
| Generic | inurl:demo \| inurl:demos |
| Generic | inurl:sample \| inurl:samples |
| IBM Websphere | inurl:WebSphereSamples |
| Lotus Domino 4.6 | inurl:/sample/framew46 |
| Lotus Domino 4.6 | inurl:/sample/faqw46 |
| Lotus Domino 4.6 | inurl:/sample/pagesw46 |
| Lotus Domino 4.6 | inurl:/sample/siregw46 |
| Microsoft Index Server | inurl:samples/Search/queryhit |
| Microsoft Site Server | inurl:siteserver/docs |
| Novell NetWare 5 | inurl:/lcgi/sewse.nlm |
| Novell GroupWise WebPublisher | inurl:/servlet/webpub groupwise |
| Netware WebSphere | inurl:/servlet/SessionServlet |
| OpenVMS! | inurl:sys$common |
| Oracle Demos | inurl:/demo/sql/index.jsp |
| Oracle JSP Demos | inurl:demo/basic/info |
| Oracle JSP Scripts | inurl:ojspdemos |
| Oracle 9i | inurl:/pls/simpledad/admin_ |
| IIS/Various | inurl:iissamples |
| IIS/Various | inurl:/scripts/samples/search |
| Sambar Server | intitle:"Sambar Server Samples" |
Locating Login Portals
The term login portal describes a Web page that serves as a front door to a Web site. Login portals are designed to allow access to specific features or functions after a user logs in. Google hackers search for login portals as a way to profile the software that's in use on a target and to locate links and documentation that might provide useful information for an attack. In addition, if an attacker has an exploit for a particular piece of software, and that software provides a login portal, the attacker can use Google queries to locate potential targets.
Some login portals, like the one shown in Figure 8.20, captured with allinurl:"exchange/logon.asp", are obviously default pages provided by the software manufacturer, in this case Microsoft. Just as an attacker can get an idea of the potential security of a target by simply looking for default pages, a default login portal can indicate that the technical skill of the server's administrators is generally low, revealing that the security of the site will most likely be poor as well. To make matters worse, default login portals like the one shown in Figure 8.20 indicate the software revision of the program, in this case version 5.5 SP4. An attacker can use this information to search for known vulnerabilities in that software version.
Figure 8.20 Outlook Web Access Default Portal

By following links from the login portal, an attacker can often gain access to other information about the target. The Outlook Web Access portal is particularly renowned for this type of information leak because it provides an anonymous public access area that can be viewed without logging in to the mail system. This public access area sometimes provides access to a public directory or to broadcast e-mails that can be used to gather usernames or information, as shown in Figure 8.21.
Figure 8.21 Public Access Areas Can Be Found from Login Portals

Some login portals provide more details than others. As shown in Figure 8.22, the Novell Management Portal provides a great deal of information about the server, including server software version and revision, application software version and revision, software upgrade date, and server uptime. This type of information is very handy for an attacker staging an attack against the server.
Figure 8.22 Novell Management Portal Reveals a Great Deal of Information
Table 8.9 shows some queries that can be used to locate various login portals. Refer to Chapter 4 for more information about login portals and the information they reveal.
Table 8.9 Queries That Locate Login Portals

| Login Portal | Query |
|---|---|
| 4Images GMS | "4images Administration Control Panel" |
| Apache Tomcat Admin | intitle:"Tomcat Server Administration" |
| ASP.NET | inurl:ASP.login_aspx |
| Citrix Metaframe | inurl:/Citrix/Nfuse17/ |
| Citrix Metaframe | inurl:citrix/metaframexp/default/login.asp |
| ColdFusion Admin | intitle:"ColdFusion Administrator Login" |
| ColdFusion Generic | inurl:login.cfm |
| Compaq Insight Manager | inurl:cpqlogin.htm |
| CuteNews | "powered by CuteNews *.* © * CutePHP" |
| Easy File Sharing | intitle:"Login - powered by Easy File Sharing Web |
| Emule | "Web Control Panel" "Enter your password here" |
| Ensim Enterprise | intitle:"Welcome Site/User Administrator" "Please |
| Generic Admin | inurl:/admin/login.asp |
| Generic User | inurl:login.asp |
| Generic | "please log in" |
| GradeSpeed | inurl:"gs/adminlogin.aspx" |
| Infopop UBB | inurl:cgi-bin/ultimatebb.cgi?ubb=login |
| Jetbox CMS | Login ("Powered by Jetbox One CMS " \| "Powered by Jetstream © *") |
| Lotus Domino Admin | inurl:"webadmin" filetype:nsf |
| Lotus Domino | inurl:names.nsf?opendatabase |
| Mambo CMS Admin | inurl:administrator "welcome to mambo" |
| Microsoft Certificate Server | intitle:"microsoft certificate services" inurl:certsrv |
| Microsoft Outlook Web Access | allinurl:"exchange/logon.asp" |
| Microsoft Outlook Web Access | inurl:"exchange/logon.asp" OR intitle:"Microsoft Outlook Web Access Logon" |
| Microsoft Remote Desktop | intitle:Remote.Desktop.Web.Connection inurl:tsweb |
| Network Appliance Admin | inurl:na_admin |
| Novell Groupwise Web Access | inurl:/servlet/webacc Novell |
| Novell Groupwise | intitle:Novell intitle:WebAccess "Copyright *-* Novell, Inc" |
| Novell Management Portal | Novell NetWare intext:"netware management portal version" |
| OpenExchange Admin | filetype:pl "Download: SuSE Linux Openexchange Server CA" |
| phpMySearch Admin | inurl:search/admin.php |
| PhpWebMail | filetype:php login inurl:phpWebMail (intitle:phpWe |
| Remedy Action Request | (inurl:"ars/cgi-bin/arweb?O=0" \| inurl:arweb.jsp) |
| SAP ITS | intitle:"ITS System Information" "Please log on to the SAP System" |
| Shockwave Flash Login | inurl:login filetype:swf swf |
| SilkRoad Eprise | inurl:/eprise/ |
| SQWebmail | inurl:/cgi-bin/sqwebmail?noframes=1 |
| Synchronet BBS | intitle:Node.List Win32.Version.3.11 |
| Tarantella | "ttawlogin.cgi/?action=" |
| TeamSpeak Admin | intitle:"teamspeak server-administration" |
| Tivoli Server Administration | intitle:"Server Administration" "Tivoli * * power" |
| TUTOS | intitle:"TUTOS Login" |
| TYPO3 CMS | inurl:"typo3/index.php?u=" -demo |
| Ultima Online Servers | filetype:cfg login "LoginServer=" |
| Usermin | "Login to Usermin" inurl:20000 |
| UtiliPro Workforce Management | inurl:"utilities/TreeView.asp" |
| Virtual Network Computing (VNC) | "VNC Desktop" inurl:5800 |
| WebAdmin | filetype:php inurl:"webeditor.php" |
| Webmail | intitle:Login 1&1 Webmailer |
| Webmin Admin | inurl:":10000" intext:webmin |
| WebSTAR Mail | "WebSTAR Mail - Please Log In" |
Login portals provide great information for use during a vulnerability assessment. Chapter 4 provides more details on getting the most from these pages.
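The queries in Tables 8.8 and 8.9 and the login portal table above are useful in the other direction too: run against an inventory of your own servers, they show which default documentation, sample programs and login portals you are exposing before Google indexes them. The following added example (not from the book) parses the tables' operator syntax (inurl, allinurl, intitle, intext, filetype, quoted phrases, `*` wildcards, `|`/OR and `-` exclusion) and evaluates each dork against page records; the hosts and pages are constructed stand-ins for what a crawl of your own sites would return.

```python
import re

# Constructed sample pages (hypothetical hosts) standing in for what an
# inventory crawl of your own servers would return; none are real sites.
PAGES = [
    {"url": "http://intranet.example/manual/servlets/index.html",
     "title": "Servlet Programmer's Guide", "body": "Servlet API overview"},
    {"url": "http://mail.example/exchange/logon.asp",
     "title": "Microsoft Outlook Web Access Logon", "body": "Version 5.5 SP4"},
    {"url": "http://www.example/typo3/index.php?u=demo",
     "title": "TYPO3 Login", "body": "demo installation"},
]

# One dork token: optional '-' (exclude), then op:"phrase", op:word, "phrase" or word.
TOKEN = re.compile(r'(-?)(?:(\w+):"([^"]*)"|(\w+):(\S+)|"([^"]*)"|(\S+))')

def parse_query(query):
    """Split a dork on '|' / OR into alternatives, each a list of (exclude, op, value).
    Grouping parentheses are dropped, so nested boolean logic is approximated."""
    alternatives, current = [], []
    for m in TOKEN.finditer(query.replace("(", " ").replace(")", " ")):
        exclude, op = m.group(1) == "-", (m.group(2) or m.group(4) or "any").lower()
        value = m.group(3) or m.group(5) or m.group(6) or m.group(7)
        if op == "any" and value in ("|", "OR"):
            alternatives.append(current)
            current = []
            continue
        current.append((exclude, op, value))
    alternatives.append(current)
    return alternatives

def field_matches(op, value, page):
    """Case-insensitive match of one term; '*' in a phrase acts as Google's wildcard."""
    if op == "filetype":
        return page["url"].split("?")[0].lower().endswith("." + value.lower())
    haystack = {"inurl": page["url"], "allinurl": page["url"],
                "intitle": page["title"], "intext": page["body"]}.get(op)
    if haystack is None:                 # bare word or phrase: anywhere on the page
        haystack = " ".join(page.values())
    pattern = ".*?".join(re.escape(part) for part in value.split("*"))
    return re.search(pattern, haystack, re.IGNORECASE) is not None

def page_matches(query, page):
    """A page matches if every term of some alternative matches (excluded terms must not)."""
    return any(all(field_matches(op, v, page) != exclude for exclude, op, v in alt)
               for alt in parse_query(query))

def audit(queries, pages=PAGES):
    """Map each dork from the tables to the URLs in your own inventory it would surface."""
    return {q: [p["url"] for p in pages if page_matches(q, p)] for q in queries}
```

Calling `audit([...])` with rows from the tables returns the exposed URLs per query; an empty list for the TYPO3 row on the constructed data shows the `-demo` exclusion working.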
About the author

Johnny Long has spoken on network security and Google hacking at several computer security conferences around the world including SANS, Defcon, and the Black Hat Briefings. During his recent career with Computer Sciences Corporation (CSC), a leading global IT services company, he has performed active network and physical security assessments for hundreds of government and commercial clients. His website, currently the Internet's largest repository of Google hacking techniques, can be found at http://johnny.ihackstuff.com. Johnny is also co-author of the forthcoming books Aggressive Network Self-Defense, InfoSec Career Hacking: Sell Your Skillz, Not Your Soul, and Stealing the Network: How to Own an Identity from Syngress Publishing.