• No results found

presentation2006searchengineworkshophackingthebox pdf

N/A
N/A
Info
Download
Protected

Academic year: 2020

Share "presentation2006searchengineworkshophackingthebox pdf"

Copied!
44
0
0

Loading.... (view fulltext now)

Download now ( 44 Page )

Full text

(1)

Playing The Search Engines

or Hacking The Box

(2)
(3)

Google Hacking

Search engines make it easier for

everyone to gain information, hackers

included.

Danny Sullivan

(4)

Google Hacking

Database with more than

9 Billion documents

Personal data

Passwords

User accounts

Webcams

Databases

Password Secured Areas

Customer Data

Security Bugs

(5)

Google Hacking

Database with

over 9 Billion Documents

++

??

powerful

Search Functionality

(6)

Google Hacking

Google Hacking is a special search technique used to

find hidden information, break into sites, and access

supposedly secure information. Using search engines

such as Google, "search engine hackers" can easily find

(7)
(8)

Google Advanced Search

Overview

You can do a lot more with Google search than just typing

in search terms. With Advanced Search, you can search for

pages:

• that contain ALL the search terms you type in

• that contain the exact phrase you type in

• that contain at least one of the words you type in

• that do NOT contain any of the words you type in

• written in a certain language

• created in a certain file format

• that have been updated within a certain period of time

• that contain numbers within a certain range

(9)

Advanced Search Functionality

(10)

Advanced Search Functionality

The Beatles - Octopus's Garden

"I'd ask my friends to come and see"

(11)

Advanced Search Functionality

(12)

User Account Hacking

(13)

HIT JAMMER 1.0 - CMS

Search String: POWERED BY HIT JAMMER 1.0!

(14)

Password Security

(15)

Password Security

(16)

Password Security

Search String: ronboy51

(17)

Password Security

Don't use the same passwords for different services.

Username or

Realname or

E-Mail

Password

(18)

Password Security

Don't use the same passwords for different services.

(19)
(20)

WS FTP – FTP Passwords

(21)

WS FTP – FTP Passwords

Search String: intitle:index.of ws_ftp.ini

[GAUSS]

HOST=gauss.xxx.edu

UID=ssaperst

P W D =V B C 76D E 5F 7E 25A 74422C 7E 21… 9C

(22)

WS FTP – FTP Passwords

(23)

Other Examples

profiles!Host=*.*

intext:enc_UserPassword=* ext:pcf

VPN Profiles

ext:ini eudora.ini

Eudora Mailclient Configuration Files

"parent directory" +proftpdpasswd

ProFTPd. Password

ext:ini Version=4.0.0.4 password

servU FTP Server Configuration File

intitle:index.of trillian.ini

Trillian Messenger Password File

filetype:inf sysprep

MS Windows Configuration File

(24)
(25)

phpMyAdmin

Search String: "phpMyAdmin" "running on" inurl:"main.php"

(26)

phpMyAdmin

(27)
(28)

Linksys Webcam

Search String: vr intitle:"Linksys wireless-G Internet Video Camera"

(29)

Search Engine Market Analysis

(30)

5.9%

Search Engine Market

comScore. March 2006 (USA)

O

THERS

(31)

Search Engine Market

WebHits. March 2006 (Germany)

O

THERS

4.4 %

4.4 %

4.8 %

2.4 %

Lycos

0.6%

Altavista

0.5%

T-Online

0.5%

WEB.DE

0.4%

suche.freenet.de 0.4%

Meta.Ger

0.3%

AllesKlar

0.3%

arcor.de

0.3%

Web.de directory0.2%

search.com

0.2%

fireball.de

0.2%

(32)

Statistics - Search Engine Market

Introduction

Different technologies and methodologies have

resulted in different measurement standards

and indicators.

Statistical problems, including active and latent

errors, different target groups, samples, sample

sizes and objectives lead to different results.

(33)

Statistics - Search Engine Market

1

Miuse, Bias, and Intentional Errors

2

Environment and Conditions

3

Methods, Procedures, and Processing

4

Indicators and Understanding Data

5

Data, Sample, and Sample Size

(34)

Statistics - Search Engine Market

Search Engines

Search Engines

(Bias and Business Secrets)

Examples: Google, MSN, Yahoo, Ask Jeeves)

User Surveys/Proxies

User Surveys/Proxies

(Procedure, Reliability, Market, Sample, Sample Size)

Example. Nielsen.

Logfile Analyzer

Logfile Analyzer

(Real Time, Source, Completeness, Focus, Sample, Sample Size)

Examples. Analog, AWStats

(35)

Statistics - Search Engine Market

Web Tracker

Web Tracker -- Tracking Software/Counter

Tracking Software/Counter

installed on every Page

installed on every Page

(Real Time, Source, Completeness, Market, Focus,

Sample, Sample Size)

Examples. Google Analytics, Webposition

Web Analytics Software

Web Analytics Software -- Logfile Analyzer

Logfile Analyzer

(Based on Logfiles, Source, Focus, Sample Size, Focus, Resources)

Examples. Sawmill

(36)

Searching for Logfiles

(37)

Searching for Logfiles

(38)

Searching for Logfiles

(39)

Regular Expression

A regular expression (abbreviated as regexp or regex,

with plural forms regexps, regexes, or regexen) is a

string that describes or matches a set of strings,

according to certain syntax rules. Regular expressions

are used by many text editors and utilities to search and

manipulate bodies of text based on certain patterns.

(40)

Searching for Logfiles

Different Search Queries

in title:"statistics of" "ad v an ced w eb statistics“

allinurl:awstats.pl?month=

allinurl:?output=refererse

80.000

294.000

(41)

Searching for Logfiles

Different Search Queries

"Estatísticas de acesso ao servidor WEB"

site:.br "Estatísticas de acesso ao servidor WEB"

(42)

Searching for Logfiles

Different Search Queries

site:.cn ....

Chinese

Taiwanese

British

(43)

Searching for Logfiles

Functional Overview

1.

search engine query

2.

parsing search engine result

pages

(regex)

5.

parsing data sets

(regex)

6.

data computing, consolidation

and analysis

(ip2dns)

7.

database

8.

filtering and dataset creation

(44)

Questions?

References

Download now ( PDF - 44 Page - 2.82 MB )

Related documents

TABLE OF CONTENTS. County Grades

Grade Criteria – To obtain the Overall Tobacco Control grade, the city or county is given point values for each of its grades in the three categories (Smokefree Outdoor Air,

Modeling Tidal Marsh Distribution with Sea-Level Rise: Evaluating the Role of Vegetation, Sediment, and Upland Habitat in Marsh Resiliency

The hybrid modeling approach used in this study builds upon the work of Stralberg et al. Using a one-dimension accretion model, Marsh98 [7,47,48], and regionally applied fixed

Bachelor of Laws (LLB)

Problem solving, in respect of which a learner is able to demonstrate the ability to use a range of specialised skills to identify, analyse and address complex or abstract problems

REVIEW Real-time RT-PCR normalisation; strategies and considerations. Introduction. Normalisation; sample size

These strategies are not mutually exclusive and we recommend attempting to match sample size, ensuring good quality RNA is extracted and similar quantity used for the

International technology transfer (ITT) and corporate social responsibility (CSR) : A study in the interaction of two business functions within the Norwegian petroleum company Statoil

I hypothesise that Statoil will either have or be in the process of formulating explicit strategies for the combined use of ITT and CSR; that Statoil‟s recent history as a technology

Baltimore Ski Club Grand ****4 Star Tour of Poland September 18-28, 2014

Gdansk, on the Baltic Sea, is among the finest cities of northern Europe, distinguished by beautiful buildings and a history that stretches back more than 1,000 years..

TeachingEnglish Lesson plans. Much Ado About Nothing: Worksheet A

© BBC | British Council 2010 Hero is jilted at the alter by Claudio.. Benedick and Beatrice

193832 the Paper Doctor a Vibrational Medicine Cabinet

The patterns in this book are graphic representations of energy field patterns of vibrational remedies. They represent a symbolic form of bioinformation that is integrated by the