Last year's Lord of the Bing presentation stabbed Google Hacking in the heart with a syringe full of adrenaline and injected life back into a dying art form. New attack tools and modern defensive techniques redefined the way people thought about Google Hacking. Among these were the first ever Bing Hacking tool and the Google/Bing Hacking Alert RSS feeds, which have grown to become the world's single largest repository of live vulnerabilities on the web. And it was only the beginning…
This year, we once again tear down the basic assumptions about what Google/Bing Hacking is and the extent to which it can be exploited to target organizations and even governments. In our secret underground laboratory, we've been busy creating an entirely new arsenal of Diggity Hacking tools that we'll be unveiling for the first time and releasing for free at Black Hat USA 2011. Just a few highlights of new tools to be unveiled are:
BaiduDiggity: first ever Baidu hacking tool, which targets vulnerabilities disclosed by China's dominant search engine. DEMO: Live targeting of vulnerabilities in Chinese government websites exposed via Baidu.
DroidDiggity: fully functional GoogleDiggity and BingDiggity application for Android phones.
GoogleCodeSearchDiggity: identifying vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, and more. The tool comes with over 40 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more.
FlashDiggity: automated Google searching/downloading/decompiling/analysis of SWF files to identify Flash vulnerabilities and info disclosures.
SHODAN Hacking Alerts: new live vulnerability RSS feeds based on results from the popular SHODAN hacking search engine.
MalwareDiggity and MalwareDiggity Alerts: leveraging Bing API and the Google SafeBrowsing API together to provide an answer to a simple question, "Am I being used as a platform to distribute malware to people who visit my website?"
AlertDiggity: Windows systray application that filters the results of the various Google/Bing/Shodan Hacking Alerts RSS feeds and notifies the user if any new alerts match a domain belonging to them.
DiggityDLP: Data loss prevention tool that leverages Google/Bing to identify exposures of sensitive info (e.g. SSNs, credit card numbers, etc.) via common document formats such as .doc, .xls, and .pdf. Also utilizes Google APIs for searching across Google Docs/Spreadsheets for data leaks.
That is just a taste of the new tools that will be explored in this DEMO rich presentation. So come ready to engage us as we re-define Google Hacking once again.
http://www.stachliu.com/resources/tools/google-hacking-diggity-project/
Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacking Arsenal
1. Pulp Google Hacking
The Next Generation Search Engine Hacking Arsenal
3 August 2011 – Black Hat 2011 – Las Vegas, NV
Presented by:
Francis Brown
Rob Ragan
Stach & Liu, LLC
www.stachliu.com
4. Open Source Intelligence
SEARCHING PUBLIC SOURCES
OSINT is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence.
7. Attack Targets
GOOGLE HACKING DATABASE
• Advisories and Vulnerabilities (215)
• Error Messages (58)
• Files containing juicy info (230)
• Files containing passwords (135)
• Files containing usernames (15)
• Footholds (21)
• Pages containing login portals (232)
• Pages containing network or vulnerability data (59)
• Sensitive Directories (61)
• Sensitive Online Shopping Info (9)
• Various Online Devices (201)
• Vulnerable Files (57)
• Vulnerable Servers (48)
• Web Server Detection (72)
8. Google Hacking = Lulz
REAL WORLD THREAT
LulzSec and Anonymous believed to use
Google Hacking as a primary means of
identifying vulnerable targets.
Their releases have nothing to do with their goals
or their lulz. It's purely based on whatever they
find with their "google hacking" queries and then
release it.
-- A-Team, 28 June 2011
9. Google Hacking = Lulz
REAL WORLD THREAT
22:14 <@kayla> Sooooo...using the link above and the google hack string. !Host=*.* intext:enc_UserPassword=* ext:pcf Take your pick of VPNs you want access too. Ugghh.. Aaron Barr CEO HBGary Federal Inc.
22:15 <@kayla> download the pcf file
22:16 <@kayla> then use http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode?enc= to clear text it
22:16 <@kayla> = free VPN
10. Quick History
GOOGLE HACKING RECAP
Dates Event
2004 Google Hacking Database (GHDB) begins
May 2004 Foundstone SiteDigger v1 released
Jan 2005 Foundstone SiteDigger v2 released
Feb 13, 2005 Google Hack Honeypot first release
Feb 20, 2005 Google Hacking v1 released by Johnny Long
Jan 10, 2006 MSNPawn v1.0 released by NetSquare
Dec 5, 2006 Google stops issuing Google SOAP API keys
Mar 2007 Bing disables inurl: link: and linkdomain:
Nov 2, 2007 Google Hacking v2 released
11. Quick History…cont.
GOOGLE HACKING RECAP
Dates Event
Mar 2008 cDc Goolag - GUI tool released
Sept 7, 2009 Google shuts down SOAP Search API
Nov 2009 Binging tool released by Blueinfy
Dec 1, 2009 Foundstone SiteDigger v3.0 released
2010 Goolag.org disappears
April 21, 2010 Google Hacking Diggity Project initial releases
Nov 1, 2010 Google AJAX API slated for retirement
Nov 9, 2010 GHDB Reborn Announced – Exploit-db.com
July 2011 Bing ceases ‘&format=rss’ support
13. Diggity Core Tools
STACH & LIU TOOLS
Google Diggity
• Uses Google JSON/ATOM API
• Not blocked by Google bot detection
• Does not violate Terms of Service
• Required to use
Bing Diggity
• Uses Bing 2.0 SOAP API
• Company/Webapp Profiling
• Enumerate: URLs, IP-to-virtual hosts, etc.
• Bing Hacking Database (BHDB)
• Vulnerability search queries in Bing format
14. New Features
DIGGITY CORE TOOLS
Google Diggity - New API
• Updated to use Google JSON/ATOM API
• Due to deprecated Google AJAX API
Misc. Feature Upgrades
• Auto-update for dictionaries
• Output export formats
• Now also XLS and HTML
• Help File – chm file added
15. New Features
DOWNLOAD BUTTON
Download Buttons for Google/Bing Diggity
• Download actual files from Google/Bing search results
• Downloads to default: C:\DiggityDownloads\
• Used by other tools for file download/analysis:
• FlashDiggity, DLP Diggity, MalwareDiggity,…
16. New Features
AUTO-UPDATES
SLDB Updates in Progress
• Example: SharePoint Google Dictionary
• http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/#SharePoint – GoogleDiggity Dictionary File
19. Bing Hacking Database
STACH & LIU TOOLS
BHDB – Bing Hacking Data Base
• First ever Bing hacking database
• Bing hacking limitations
• Disabled inurl:, link: and linkdomain: directives in March 2007
• No support for ext:, allintitle:, allinurl:
• Limited filetype: functionality
• Only 12 extensions supported
Example - Bing vulnerability search:
• GHDB query
• "allintitle:Netscape FastTrack Server Home Page"
• BHDB version
• intitle:"Netscape FastTrack Server Home Page"
22. Google Code Search
VULNS IN OPEN SOURCE CODE
• Regex search for vulnerabilities in indexed
public code, including popular open source
code repositories:
• Example: SQL Injection in ASP querystring
• select.*from.*request.QUERYSTRING
28. MalwareDiggity
DIGGITY TOOLKIT
1. Leverages Bing’s linkfromdomain: search directive
to find off-site links of target applications/domains
2. Runs off-site links against Google’s Safe Browsing API
to determine if any are malware distribution sites
3. Return results that identify malware sites that your web
applications are directly linking to
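The three steps above, sketched offline for a site owner auditing their own pages (an added example, not Stach & Liu's MalwareDiggity code). It assumes the off-site links are extracted from your own HTML rather than through Bing, and the `is_flagged` callable and the sample hosts are constructed stand-ins for a Safe Browsing verdict.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page from a site we own (example.com); not real data.
SAMPLE_PAGE = """<html><body>
<a href="/about">About</a>
<a href="https://cdn.example.com/app.js">CDN</a>
<script src="http://stats.badhost.test/c.js"></script>
<iframe src="//widgets.partner.test/w"></iframe>
<a href="mailto:info@example.com">Mail</a>
</body></html>"""

# Constructed verdict list standing in for a reputation lookup (hypothetical).
FLAGGED_HOSTS = {"stats.badhost.test"}


class LinkCollector(HTMLParser):
    """Collect every href/src value, resolved against the page URL."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append(urljoin(self.base_url, value.strip()))


def offsite_hosts(html, base_url, own_domain):
    """Hosts the page links to or loads from that are outside own_domain."""
    collector = LinkCollector(base_url)
    collector.feed(html)
    hosts = set()
    for url in collector.urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme not in ("http", "https") or not host:
            continue  # skip mailto:, javascript:, and malformed values
        # Exact or dot-anchored suffix match, so "notexample.com" is off-site.
        if host != own_domain and not host.endswith("." + own_domain):
            hosts.add(host)
    return hosts


def flagged_offsite(html, base_url, own_domain, is_flagged):
    """Off-site hosts for which the supplied verdict function returns True."""
    return sorted(h for h in offsite_hosts(html, base_url, own_domain) if is_flagged(h))
```

Script and iframe sources are collected along with anchors because injected content usually arrives through those tags.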
29. Mass Injection Attacks
MALWARE GONE WILD
Malware Distribution Woes – WSJ.com – June 2010
• Popular websites victimized, become malware distribution sites to their own customers
30. Mass Injection Attacks
MALWARE GONE WILD
Malware Distribution Woes – LizaMoon – April 2011
• Popular websites victimized, become malware distribution sites to their own customers
31. Mass Injection Attacks
MALWARE GONE WILD
Malware Distribution Woes – willysy.com - August 2011
• Popular websites victimized, become malware distribution sites to their own customers
40. Flash Diggity
DIGGITY TOOLKIT
• Google for SWF files on target domains
• Example search: filetype:swf site:example.com
• Download SWF files to C:\DiggityDownloads\
• Disassemble SWF files and analyze for Flash vulnerabilities
42. GoogleScrape Diggity
DIGGITY TOOLKIT
GoogleScrape Diggity
• Uses Google mobile interface
• Light-weight, no advertisements
• Violates Terms of Service
• Bot detection avoidance
• Distributed via proxies
• Spoofs User-agent and Referer
headers
• Random &userip= value
• Across Google servers
46. Traditional Defenses
GOOGLE HACKING DEFENSES
• “Google Hack yourself” organization
• Employ tools and techniques used by hackers
• Remove info leaks from Google cache
• Using Google Webmaster Tools
• Regularly update your robots.txt.
• Or robots meta tags for individual page exclusion
• Data Loss Prevention/Extrusion Prevention Systems
• Free Tools: OpenDLP, Senf
• Policy and Legal Restrictions
47. Existing Defenses
“HACK YOURSELF”
Tools exist
Convenient
Real-time updates
Multi-engine results
Historical archived data
Multi-domain searching
48. Advanced Defenses
NEW HOT SIZZLE
Stach & Liu now proudly presents:
• Google and Bing Hacking Alerts
• SharePoint Hacking Alerts – 118 dorks
• SHODAN Hacking Alerts – 26 dorks
• Diggity Alerts FUNdle Bundles
• Consolidated alerts into 1 RSS feed
• Alert Client Tools
• Alert Diggity – Windows systray notifications
• iDiggity Alerts – iPhone notification app
49. Google Hacking Alerts
ADVANCED DEFENSES
Google Hacking Alerts
• All hacking database queries using
• Real-time vuln updates to >2400 hack queries via RSS
• Organized and available via importable file
60. Bing/Google Alerts
THICK CLIENTS TOOLS
Google/Bing Hacking Alert Thick Clients
• Google/Bing Alerts RSS feeds as input
• Allow user to set one or more filters
• e.g. “yourcompany.com” in the URL
• Several thick clients being released:
• Windows Systray App
• Droid app (coming soon)
• iPhone app
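A sketch of the filtering step such a client performs, for a defender watching their own domains (an added example, not the Alert Diggity source). It assumes a plain RSS 2.0 feed and matches on the link's host instead of the "in the URL" substring filter, so look-alike hosts and query-string mentions do not raise alerts; the feed content and domain names are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed RSS 2.0 sample standing in for an alerts feed; not real results.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>constructed alerts</title>
<item><title>index of /backup</title>
  <link>http://files.yourcompany.com/backup/</link></item>
<item><title>login portal</title>
  <link>http://yourcompany.com.other.test/login</link></item>
<item><title>mention only</title>
  <link>http://forum.other.test/?q=yourcompany.com</link></item>
<item><title>index of /backup</title>
  <link>http://files.yourcompany.com/backup/</link></item>
</channel></rss>"""


def host_matches(host, domains):
    """True if host equals a watched domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def new_alerts(feed_xml, domains, seen):
    """Return (title, link) for unseen items whose link host is watched.

    `seen` is a set of links already reported; it is updated in place so
    repeated polls of the same feed only surface new entries.
    """
    domains = [d.lower() for d in domains]
    hits = []
    # For feeds you do not control, parse with a hardened XML parser
    # (e.g. the defusedxml package) to avoid entity-expansion attacks.
    for item in ET.fromstring(feed_xml).iter("item"):
        link = (item.findtext("link") or "").strip()
        host = urlsplit(link).hostname
        if not host or link in seen or not host_matches(host, domains):
            continue
        seen.add(link)
        hits.append(((item.findtext("title") or "").strip(), link))
    return hits
```

On the sample feed, a plain substring test for "yourcompany.com" would match all four items, while the host check reports only the one exposure on a watched host.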
66. New Defenses
“GOOGLE/BING HACK ALERTS”
Tools exist
Convenient
Real-time updates
Multi-engine results
Historical archived data
Multi-domain searching
69. Dictionary Updates
3RD PARTY INTEGRATION
New maintainers of the GHDB – 09 Nov 2010
• http://www.exploit-db.com/google-hacking-database-reborn/
70. Special Thanks
Oscar “The Bull” Salazar
Brad “BeSickWittIt” Sickles
Nick “King Luscious” Harbin
Prajakta “The Flasher” Jagdale
Ruihai “Ninja” Fang
Jason “Blk-majik” Lash
71. Questions?
Ask us something
We’ll try to answer it.
For more info:
Email: contact@stachliu.com
Project: diggity@stachliu.com
Stach & Liu, LLC
www.stachliu.com
72. Thank You
Stach & Liu Google Hacking Diggity Project info:
http://www.stachliu.com/index.php/resources/tools/google-hacking-diggity-project/