120 likes | 314 Views
Exercise 4: Google for Penetration Testing. Overview. Hacking Anatomy What is a search engine? Why is this a hacking/ pentest tool? What can you find? Threats Exercise 1 : Insecure Web Cams Exercise 2 : Insecure Information The Proper Defenses Conclusion. Hacking Anatomy.
E N D
Overview • Hacking Anatomy • What is a search engine? • Why is this a hacking/pentest tool? • What can you find? • Threats • Exercise 1: Insecure Web Cams • Exercise 2: Insecure Information • The Proper Defenses • Conclusion
Hacking Anatomy • Targeting/Footprinting • Scanning • Enumeration/Testing/Planning • System Hacks • Attack • Cover Up/Misinformation
What is a search engine? • A search engine is an information retrieval system designed to help people find information • If you know how to use it correctly you can find all kinds of things…
Why is this a Pen Test tool? • Part 1 – of Hacking exposed begins with a case study – Googling your Way to Insecurity • “VNC Desktop” inurl:5800 • Shows VNC servers, and can hope that some have default or no passwords • filetype:pwd service • Improperly secured MS Front Page Extensions • filetype:propertiesinurl:dbintext:password • Reveals database passwords in clear text
This doesn’t still work, does it? • 92,900 results on 2 Sep 2012
So, what can you find? • Straight to confidential documents • “not for distribution” confidential site:edu • Prior penetration test results • This file was generated by Nessus • Password files as show before • If you know what you are looking for and how look then Google can be your best friend
Exercise - Insecure Webcams • Open a browser, and navigate to google.com • Search for this specifically • inurl:\view\index.shtml
Exercise: Insecure File Systems • In your browser go back to Google • Search for the following • “parent directory” (name of file you want to search for) –xxx –html –htm –php –shtml –md5 –md5sums • You can also try searching for specific file names • Inurl:(htm|html|php) intitle:”index of” + (exam_1)
The Proper Defense • Patch • Keep the system up to date • Follow the proper configuration guidelines
Conclusion • Hacking Anatomy • What is a search engine? • Why is this a hacking/pentest tool? • What can you find? • Threats • Search 1: Insecure Web Cams • Search 2: Insecure Information • The Proper Defenses • Conclusion