Stealing Passwords And Other Juicy Googlebits
Disclaimer: Before we even start, I'd like to let my readers
know that I am a full-time information security professional. I
do not condone the theft of anyone's personal information
including passwords, social security numbers, credit card
numbers, etc. Moreover, I condemn such acts as morally and
ethically wrong. The purpose and goal of this article is not to
assist people with criminal or nefarious intentions, but rather
to educate about the type of information that can be easily
found with a web browser and a search engine, and by extension,
the type of information that should and should not be submitted
to web sites.
By now we all know of Google's dominance in the search industry.
Although Yahoo and Microsoft remain competitors, neither one of
their search engines is as mature as Google's. And beyond the
"big three", you're hard pressed to find any search engine worth
using anymore. GYM (Google, Yahoo, and Microsoft) have all but
eliminated the smaller players in search--including former
giants like Altavista, Lycos, and Excite. But even amongst the
big three, Google is far ahead of the pack. In fact, Google's
indexing prowess and relevancy ratings have become so good that
many information security professionals now use Google as a key
part of their vulnerability assessment and penetration testing
services. Security professionals know that the first step in
performing a successful assessment is to gather intelligence
about the target. This is known as the "footprinting" or
"profiling" phase of the security engagement. And what better
way to profile your target than to leverage the power of the
world's greatest search engine? By simply using search queries
(aka Just Google
It, one can quickly locate sensitive and quasi-sensitive
company information including domain names, subdomains, network
address ranges, mail servers, FTP servers, whois contact
information, even e-mail addresses. And the kicker is that all
of the above can potentially be found about a target without
sending even a single packet to the target's network. In an
effort to better automate the footprinting phase using Google,
some in the security industry have even written software that
will go out and perform various search queries on the target
in an effort to obtain an accurate profile. Of particular
interest is Foundstone's SiteDigger and BiDiBLAH by Sensepost.
SiteDigger will look for vulnerabilities, configuration
problems, and other "interesting security nuggets" by searching
Google's cache. Like SiteDigger, BiDiBLAH also uses a Google API
license key to query the search engine for various keywords in
an effort to determine a target's subdomains. Incidentally,
BiDiBLAH is an all-around excellent free tool for professional
penetration testers.
Now finding company web sites, domain names, and even e-mail
addresses is one thing. But stealing people's eBay passwords?
Credit card numbers? All by doing a few Google searches? Yes.
And unfortunately not only is this possible, it's often simple
to carry out. "But how can you search for someone's password if
you don't know what it is"? Good question! The answer, of
course, is you do not. Since the unique element is unknown, you
need to search on a known, common element. Allow me to further
explain.
By its very nature, software contains fingerprints--bits of
information that uniquely identify and differentiate that
software. For example, when you connect to a Microsoft IIS
server, that web server will reply with its server string
("Microsoft-IIS/6.0", for example). Even tiny components of a
software application will leave fingerprints. For example,
McAfee VirusScan 8.0.0 has a small component called Access
Protection which acts as a very simple firewall. But the log
file for this component can be easily spotted because of a
common, known element that is shared across all instances of
that log. Now because this log file does not contain highly
sensitive information such as passwords (it actually does
contain disk path information though), the risk is not
substantial if someone's log file found its way into the wrong
hands. But what about other application log files that have
common, known elements? How about configuration files?
Spreadsheets? Accounting software? I think you get the point.
Searching Google for these known application fingerprints will
inevitably bring up "interesting" results. By the way, there are
entire web sites devoted to the sole purpose of sharing Google
queries that will result in juicy googlebits such as passwords,
social security numbers and, yes, credit card numbers. And
although I won't list any of those sites here, they are not hard
to find (hint: use Google!).
Incidentally, one of the things that makes these queries
possible is Google's support of advanced operators. Google
supports a growing number of these operators which help narrow
down the output and generally provide a more specific result
set. Using Google's advanced operators, you can even limit a
search to a specific domain or even file type. For example, the
following query searches registry files looking specifically for
a text string beginning with "Username" and the word "putty"
(PuTTY is a free implementation of telnet and SSH for the
Windows and Unix platforms):
ext:reg "username=*" putty
If successful, the query would result in a list of username to
machine mappings for folks who use PuTTY. Armed with this useful
information, an attacker could then possibly launch a
brute-force password guessing attack against the target
(assuming the target's firewall allowed for inbound SSH
connectivity). As you can see, coming up with searches that
reveal Googlebits is mostly an exercise of the imagination.
As stated on their corporate website, Google's mission is to
"organize the world's information and make it universally
accessible and useful". So far, I'd say Google is doing an
excellent job in fulfilling their mission statement. Are you
upset that Google's database contains sensitive personal
information such as credit card numbers? Me too. And though I
won't give Google a complete pass, the primary parties at fault
here are web site operators and web users (you and me). If you
operate a Web site, please don't leave config files, log files,
and other files that contain sensitive information sitting on
your web server! And if you enjoy the many services the web has
to offer, please understand that any information you send to a
web site has the potential to show up in a Google search. I
can't tell you how many forum posts I've stumbled on during a
Google search that contained things like cell phone numbers,
driver's license numbers, and even social security numbers.
You have been warned.
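The same "known, common element" idea that makes these queries work also lets a site operator check their own document root before a search engine does. The following Python script is an added example written for this article, not a tool the article describes: it walks a directory, flags files by extension that rarely belong under a public web root, and looks inside each file for application fingerprints such as the header of a Windows registry export, PuTTY session keys, or lines of the form "username=". The extension list, the fingerprint patterns, and the constructed sample tree it builds in a temporary directory are all assumptions for illustration; point audit_docroot() at a real document root to run it against your own site.

```python
"""Audit a web document root for files whose extension or contents carry a
known application fingerprint (log, config, registry export, SQL dump) and
would therefore be easy to locate by query once a search engine indexes them.

Added example for illustration only: the extension list, fingerprint patterns
and sample tree are assumptions, not tooling from the article.
"""
import os
import re
import tempfile
from pathlib import Path

# Extensions that rarely belong under a public document root (assumed list).
RISKY_EXTENSIONS = {".reg", ".log", ".ini", ".cfg", ".conf",
                    ".sql", ".bak", ".xls", ".csv"}

# Content fingerprints: a common element shared by every instance of a file
# type, keyed by a label. Each is case-insensitive; ^ anchors per line.
FINGERPRINTS = {
    "registry-export": re.compile(r"^Windows Registry Editor Version", re.I | re.M),
    "credential-assignment": re.compile(
        r'^\s*"?(username|password|passwd|pwd)"?\s*=', re.I | re.M),
    "putty-session": re.compile(r"\\Software\\SimonTatham\\PuTTY\\Sessions\\", re.I),
    "sql-dump": re.compile(r"^(INSERT INTO|CREATE TABLE)\b", re.I | re.M),
}

MAX_BYTES = 64 * 1024  # only the head of each file is inspected


def scan_file(path):
    """Return the fingerprint labels found for one file (extension first, then content)."""
    path = Path(path)
    hits = []
    if path.suffix.lower() in RISKY_EXTENSIONS:
        hits.append("risky-extension:" + path.suffix.lower())
    try:
        with path.open("rb") as fh:
            head = fh.read(MAX_BYTES).decode("utf-8", errors="replace")
    except OSError:
        return hits  # unreadable file: report extension hit only
    for label, pattern in FINGERPRINTS.items():
        if pattern.search(head):
            hits.append(label)
    return hits


def audit_docroot(root):
    """Walk the document root; map each flagged file's relative path to its labels."""
    root = Path(root)
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            hits = scan_file(p)
            if hits:
                rel = str(p.relative_to(root)).replace(os.sep, "/")
                findings[rel] = hits
    return findings


def build_sample_docroot():
    """Create a constructed sample document root in a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="docroot-"))
    (root / "index.html").write_text("<html><body>Hello</body></html>\n")
    (root / "notes.txt").write_text("nothing interesting here\n")
    (root / "backup").mkdir()
    # Constructed registry export with a PuTTY session, the kind of file the
    # article's ext:reg query would surface if it were indexed.
    (root / "backup" / "putty-sessions.reg").write_text(
        "Windows Registry Editor Version 5.00\n\n"
        "[HKEY_CURRENT_USER\\Software\\SimonTatham\\PuTTY\\Sessions\\example]\n"
        '"HostName"="host.example"\n'
        '"UserName"="alice"\n'
    )
    # Constructed application config with credentials in plain text.
    (root / "app.ini").write_text("[db]\nusername=app\npassword=CHANGEME\n")
    return root


if __name__ == "__main__":
    sample = build_sample_docroot()
    for rel_path, labels in sorted(audit_docroot(sample).items()):
        print(f"{rel_path}: {', '.join(labels)}")
```

The scan deliberately reports the extension and the content fingerprints separately: a renamed file (say, a registry export saved as .txt) still trips the content check, while an empty .log file still trips the extension check. Either finding is a reason to move the file out of the document root or block it in the web server configuration, rather than to rely on it never being crawled.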