The objective, verbatim:
“Just as Google can be used to locate almost anything stored on Web servers, it can also be used by attackers in order to uncover unprotected information or information that can be used in an attack. This is sometimes called “Google Reconnaissance”. In this project you will perform Google reconnaissance.” (Ciampa, 2009)
Process:
1. I first opened up Firefox, and entered my homepage, “Google”.
2. Clicking ‘Advanced Search’ then brought me to a page where I could enter a more in-depth set of Search Strings and Parameters. Entering “login:*” “password=*” into the ‘All these words’ field and selecting the .xls format from the drop-down menu, I then allowed the search to run.
3. The results were astounding. There were over 19,800 results generated within 0.23 seconds, all containing the fields. Most of them were duds, but some of them contained actual credential details, a treasure trove for attackers!
4. One .xls file even contained other sensitive information besides a login and password.
5. Continuing with my investigation, I returned to Google’s Advanced Search and revised my Search Arguments.
6. Again, a multitude of possible security breaches popped up within the second.
7. This time, however, Google seemed to have filtered out documents with sensitive material. Instead, I received many websites with the string “index.of passlist” detailing the methods attackers use when performing Google Reconnaissance. I then took a look at a blog post which shows readers the Google Search Commands one can use to discern passwords all over the Internet. (Password World, 2009)
Reflection:
Google Reconnaissance is an example of a double-edged sword. It has the ability to be used for great things when used in a benign manner, but in the hands of a malicious attacker, it is a key to the inner workings of your property. With login and password credentials in the clear and accessible with such ease, it is a definite security threat.
However, a solution to the problem of attackers being able to simply search their way into someone’s private servers would be to develop smarter search engines, with methods that would provide security while, at the same time, not compromising the power they can provide. Google, for example, has shown that searching for “index.of passlist” will turn up rather interesting reads while revealing nothing of tangible value to the malicious attacker.
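A defender-side check for the exposure found in steps 2 to 4, added here as an example and not part of the original post: it scans a web root you own for indexable files that contain the two strings from the search, so they can be removed before a crawler picks them up. The function names, the extension list and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Document types a crawler indexes as-is (assumed list); the post's search targeted .xls.
INDEXABLE = {".xls", ".csv", ".txt", ".log", ".bak"}
# The two strings from the post's query, matched as "key, separator, value".
PATTERNS = {
    "login": re.compile(rb"login\s*:\s*\S+", re.I),
    "password": re.compile(rb"password\s*=\s*\S+", re.I),
}

def scan_file(path, limit=5_000_000):
    """Return the sorted names of the patterns found in one file."""
    with open(path, "rb") as fh:
        data = fh.read(limit)
    # Legacy .xls stores cell text as 8-bit or UTF-16LE; dropping NUL bytes
    # folds ASCII-range UTF-16LE text into bytes the patterns can match.
    data = data.replace(b"\x00", b"")
    return sorted(name for name, rx in PATTERNS.items() if rx.search(data))

def audit_webroot(root):
    """Walk a document root you own and list files the post's search would hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if os.path.splitext(fname)[1].lower() not in INDEXABLE:
                continue
            full = os.path.join(dirpath, fname)
            hits = scan_file(full)
            if hits:
                findings.append((os.path.relpath(full, root), hits))
    return sorted(findings)

def demo():
    """Build a constructed web root (sample data, not real files) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "staff.xls": "login: jdoe\tpassword=example".encode("utf-16-le"),
            "notes.txt": b"Password = hunter2-example\n",
            "menu.txt": b"Opening hours: 9-5\n",
        }
        for name, body in samples.items():
            Path(root, name).write_bytes(body)
        return audit_webroot(root)

if __name__ == "__main__":
    print(demo())
```

The newer .xlsx format is a compressed archive, so its cell text does not appear in the raw bytes and would need to be unpacked before scanning.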
Sine cera,
Jeremy Heng
“Quis custodiet ipsos custodes?”