Saturday, December 6, 2008

Stealing Passwords And Other Juicy Googlebits

by: David Andrew

Disclaimer: Before we even start, I'd like to let my readers know that I am a full-time information security professional. I do not condone the theft of anyone's personal information including passwords, social security numbers, credit card numbers, etc. Moreover, I condemn such acts as morally and ethically wrong. The purpose and goal of this article is not to assist people with criminal or nefarious intentions, but rather to educate about the type of information that can be easily found with a web browser and a search engine, and by extension, the type of information that should and should not be submitted to web sites.

By now we all know of Google's dominance in the search industry. Although Yahoo and Microsoft remain competitors, neither of their search engines is as mature as Google's. And beyond the "big three", you're hard pressed to find any search engine worth using anymore. GYM (Google, Yahoo, and Microsoft) have all but eliminated the smaller players in search, including former giants like AltaVista, Lycos, and Excite. But even amongst the big three, Google is far ahead of the pack. In fact, Google's indexing prowess and relevancy ratings have become so good that many information security professionals now use Google as a key part of their vulnerability assessment and penetration testing services.

Security professionals know that the first step in performing a successful assessment is to gather intelligence about the target. This is known as the "footprinting" or "profiling" phase of the security engagement. And what better way to profile your target than to leverage the power of the world's greatest search engine? By simply using search queries (aka "Just Google It"), one can quickly locate sensitive and quasi-sensitive company information including domain names, subdomains, network address ranges, mail servers, FTP servers, whois contact information, even e-mail addresses. And the kicker is that all of the above can potentially be found about a target without sending even a single packet to the target's network.

In an effort to better automate the footprinting phase using Google, some in the security industry have even written software that will go out and perform various search queries on the target in an effort to obtain an accurate profile. Of particular interest are Foundstone's SiteDigger and BiDiBLAH by SensePost. SiteDigger will look for vulnerabilities, configuration problems, and other "interesting security nuggets" by searching Google's cache. Like SiteDigger, BiDiBLAH also uses a Google API license key to query the search engine for various keywords in an effort to determine a target's subdomains. Incidentally, BiDiBLAH is an all-around excellent free tool for professional penetration testers.

Now finding company web sites, domain names, and even e-mail addresses is one thing. But stealing people's eBay passwords? Credit card numbers? All by doing a few Google searches? Yes. And unfortunately, not only is this possible, it's often simple to carry out. "But how can you search for someone's password if you don't know what it is?" Good question! The answer, of course, is that you do not. Since the unique element (the password itself) is unknown, you search instead on a known, common element that travels with it. Allow me to explain.

By its very nature, software leaves fingerprints: bits of information that uniquely identify and differentiate that software. For example, when you connect to a Microsoft IIS server, the web server replies with its server string ("Microsoft-IIS/6.0", for example). Even tiny components of a software application leave fingerprints. McAfee VirusScan 8.0.0 has a small component called Access Protection which acts as a very simple firewall, and the log file for this component can be easily spotted because of a common, known element that is shared across every instance of that log. Because this log file does not contain highly sensitive information such as passwords (it does contain disk path information, though), the risk is not substantial if someone's log file found its way into the wrong hands. But what about other application log files that have common, known elements? How about configuration files? Spreadsheets? Accounting software? I think you get the point. Searching Google for these known application fingerprints will inevitably bring up "interesting" results. By the way, there are entire web sites devoted to the sole purpose of sharing Google queries that result in juicy googlebits such as passwords, social security numbers and, yes, credit card numbers. And although I won't list any of those sites here, they are not hard to find (hint: use Google!).

Incidentally, one of the things that makes these queries possible is Google's support for advanced operators. Google supports a growing number of these operators, which narrow down the output and generally provide a more specific result set. Using them, you can even limit a search to a specific domain or file type. For example, the following query searches Windows registry export files (ext:reg) for the text "username=" followed by anything (the asterisk is Google's wildcard) together with the word "putty" (PuTTY is a free implementation of telnet and SSH for the Windows and Unix platforms):

ext:reg "username=*" putty

If successful, the query returns a list of username-to-machine mappings for people who use PuTTY: a saved PuTTY session records the host name, port, protocol and user name, and exporting it from the registry produces exactly the kind of .reg file that ends up indexed. Armed with this information, an attacker no longer has to guess the account name and could launch a brute-force password-guessing attack against the target (assuming the target's firewall allows inbound SSH connections). As you can see, coming up with searches that reveal googlebits is mostly an exercise of the imagination.
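To make the "username to machine mappings" concrete, here is an added example (mine, not code from the original article) that parses a PuTTY registry export of the kind the query above turns up and lists the targets it gives away. The .reg text embedded in the script is constructed for illustration (the host names, session names and user names are made up); the registry key path and the HostName, UserName, PortNumber and Protocol value names are the ones PuTTY really writes, so the parser works on a genuine export as well.

```python
"""Turn a PuTTY registry export into the user@host list the article describes.

Added example, not code from the original article. The .reg text below is
constructed for illustration; its key path
(HKEY_CURRENT_USER\\Software\\SimonTatham\\PuTTY\\Sessions\\<name>) and value
names (HostName, UserName, PortNumber, Protocol) are the ones PuTTY really
writes, so the parser works on a genuine export as well.
"""
import re
import urllib.parse

# Constructed sample of what a hit on  ext:reg "username=*" putty  looks like.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\build%20box]
"HostName"="build01.example.net"
"PortNumber"=dword:00000016
"Protocol"="ssh"
"UserName"="deploy"

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\core%20router]
"HostName"="10.0.0.1"
"PortNumber"=dword:00000017
"Protocol"="telnet"
"UserName"=""

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\Default%20Settings]
"HostName"=""
"UserName"="admin"
'''

SESSION_KEY = re.compile(
    r"^\[HKEY_CURRENT_USER\\Software\\SimonTatham\\PuTTY\\Sessions\\(.+)\]$")
# "Name"="string"  or  "Name"=dword:hhhhhhhh
VALUE_LINE = re.compile(r'^"([A-Za-z0-9_]+)"=(?:"(.*)"|dword:([0-9A-Fa-f]{8}))$')


def decode_reg(data):
    """regedit writes exports as UTF-16 with a BOM; hand-edited ones may be 8-bit."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("latin-1")


def parse_putty_sessions(reg_text):
    """Return {session name: {value name: value}} for every saved session."""
    sessions, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = SESSION_KEY.match(line)
        if m:
            # PuTTY percent-encodes characters that cannot appear in a key name.
            current = urllib.parse.unquote(m.group(1))
            sessions[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name, text, dword = m.groups()
            sessions[current][name] = text if text is not None else int(dword, 16)
    return sessions


def exposed_targets(reg_text):
    """(user, host, port, protocol) for each session that names a host.

    A session with an empty UserName still gives away a live host and port.
    'Default Settings' has no host, so it is not a target, but its UserName is
    the login name the person uses everywhere (see default_username()).
    """
    targets = []
    for values in parse_putty_sessions(reg_text).values():
        host = values.get("HostName", "")
        if not host:
            continue
        targets.append((values.get("UserName", ""), host,
                        values.get("PortNumber", 22), values.get("Protocol", "ssh")))
    return targets


def default_username(reg_text):
    """UserName from 'Default Settings', or '' if the export has none."""
    return parse_putty_sessions(reg_text).get("Default Settings", {}).get("UserName", "")


if __name__ == "__main__":
    for user, host, port, proto in exposed_targets(SAMPLE_REG):
        print(f"{proto}://{user or '<no user>'}@{host}:{port}")
    print("default login name:", default_username(SAMPLE_REG) or "<none>")
```

Run it on a real export with `decode_reg(open(path, "rb").read())` first; regedit saves exports as UTF-16, which is also why a naive `grep` on the raw file often finds nothing. Note that even the "Default Settings" entry, which names no host, leaks the login name the person reuses on every machine.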

As stated on their corporate website, Google's mission is to "organize the world's information and make it universally accessible and useful". So far, I'd say Google is doing an excellent job in fulfilling their mission statement. Are you upset that Google's database contains sensitive personal information such as credit card numbers? Me too. And though I won't give Google a complete pass, the primary parties at fault here are web site operators and web users (you and me). If you operate a Web site, please don't leave config files, log files, and other files that contain sensitive information sitting on your web server! And if you enjoy the many services the web has to offer, please understand that any information you send to a web site has the potential to show up in a Google search. I can't tell you how many forum posts I've stumbled on during a Google search that contained things like cell phone numbers, driver's license numbers, and even social security numbers.
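The fingerprint idea from earlier in the article cuts both ways: a site operator can apply the same known, common elements to their own document root before a crawler does. The following is an added example (mine, not code from the original article) that walks a web root and flags files by tell-tale extension and by content fingerprint. The web root it scans is built in a temporary directory with constructed contents so it runs offline; the registry header and PuTTY key path are what Windows and PuTTY actually write, while the extension list and the credential pattern are my own starting point, not a complete catalogue.

```python
"""Audit a web root for files that should never have been reachable by a crawler.

Added example, not code from the original article. It applies the article's
two ideas to a site operator's own disk: flag files by a tell-tale extension,
and flag files by a content fingerprint that every instance of that file type
shares. The web root is built in a temporary directory with constructed
contents so the script runs offline; the fingerprint list is a starting point,
not a complete catalogue.
"""
import os
import re
import tempfile

# Extensions that hold configuration, logs, exports or dumps rather than pages.
RISKY_EXT = {".reg", ".log", ".ini", ".conf", ".cfg", ".bak", ".old", ".sql", ".env"}

# (label, pattern): the registry header and PuTTY key path are what Windows and
# PuTTY actually write; the credential pattern is a generic key=value form.
FINGERPRINTS = [
    ("windows registry export", re.compile(r"^Windows Registry Editor Version", re.M)),
    ("putty saved session", re.compile(r"\\SimonTatham\\PuTTY\\Sessions\\", re.I)),
    ("credential assignment",
     re.compile(r"^\s*(?:password|passwd|pwd|secret|api_key)\s*=\s*\S", re.I | re.M)),
]


def read_head(path, max_bytes=64 * 1024):
    """Read the first max_bytes of a file as text, honouring a UTF-16 BOM."""
    with open(path, "rb") as fh:
        head = fh.read(max_bytes)
    if head[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return head.decode("utf-16", errors="replace")
    return head.decode("utf-8", errors="replace")


def scan_webroot(root):
    """Return sorted [(relative path, [reasons])] for every suspicious file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            ext = os.path.splitext(name)[1].lower()
            if ext in RISKY_EXT:
                reasons.append("extension " + ext)
            text = read_head(path)
            reasons += [label for label, rx in FINGERPRINTS if rx.search(text)]
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, reasons))
    return sorted(findings)


def build_sample_webroot():
    """Create a throwaway web root with constructed files and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "app"))
    files = {
        "index.html": "<html><body>Reset your password at /account</body></html>",
        "app/settings.ini": "[database]\nhost=db01\npassword = s3cret\n",
        "notes.txt": "api_key = example-not-a-real-key\n",
        "sessions.reg": ("Windows Registry Editor Version 5.00\r\n\r\n"
                         "[HKEY_CURRENT_USER\\Software\\SimonTatham\\PuTTY\\Sessions\\web]\r\n"
                         "\"HostName\"=\"web01.example.net\"\r\n\"UserName\"=\"root\"\r\n"),
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        # regedit saves .reg exports as UTF-16; everything else here is UTF-8.
        encoding = "utf-16" if rel.endswith(".reg") else "utf-8"
        with open(path, "wb") as fh:
            fh.write(content.encode(encoding))
    return root


if __name__ == "__main__":
    for rel, reasons in scan_webroot(build_sample_webroot()):
        print(f"{rel}: {', '.join(reasons)}")
```

Point `scan_webroot()` at the real document root and treat every hit as something to move out of the web root, not something to hide with robots.txt: a Disallow line only asks well-behaved crawlers to skip a path, keeps nobody out, and advertises the path to anyone who reads the file. The `notes.txt` hit shows why the content fingerprints matter; an extension list alone would have missed it.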

You have been warned.