Google HoneyPots

Docs that have proven to be a staple in understanding computer/network security. This is not an inclusive forum and nothing published will tell you how to 0wn someone; these docs will help you understand how you got 0wnd.
gohcht
Corporal
Posts: 125
Joined: Tue Jul 18, 2006 9:50 pm
Location: right next to the pacific to be specific

Google HoneyPots

Post by gohcht » Wed Sep 06, 2006 1:58 pm

I just thought this was a cool read, for those new to searching it has a few interesting nuggets, otherwise it's just an interesting 2 minute read.

I noticed these a while back when reading old docs and techniques and trying my hand @ JTR thought I was actually still finding valid c|c|b|i|l|l passfiles, ha ha ha, silly rabbit, trix are for kids....

An introduction to Google Hack Honeypots
Brien M. Posey
01.04.2005


Although stories in the mainstream media about Google hacking just started last year, Google hacks have been around for almost as long as Google itself. The idea behind a Google hack is that the hacker can use the Google search engine in a way that reveals confidential data by exploiting a poorly written Web application. Fortunately, there is a new type of Web application called a Google Hack Honeypot that allows you to monitor Google hack activity directed at your Web site.

The anatomy of a Google hack

Right now you are probably wondering how Google can possibly be used to hack a Web site. The technique behind a Google hack is frighteningly simple. It's so simple, in fact, that it has long been regarded as an urban legend.


A Google hack is possible because Google offers a number of query tools that searchers use while performing a Google search. Most people don't even know that these query tools exist, but they can be combined with keywords during a Google search.

A classic example of a Google hack is to use the range tool (a double period) to hunt for credit card numbers. Rumor has it that Google now blocks this particular exploit, but the technique can be applied to other types of hacks.

Hackers look at the first four digits on your credit card. Suppose for instance that the numbers are 4052 (this is a random number, not a number off of my credit card). Hackers know that credit card account numbers are typically 16 digits long. They also know that the first four digits in a card's number tell a lot about the type of card. Therefore, there are lots of cards that share the same first four digits. A hacker can then use the range tool to hunt for other credit card numbers that start with 4052. To do so, a hacker would simply enter 4052000000000000..4052999999999999 into the Google search engine. This tells Google to search for Web sites containing any 16-digit number starting with 4052.

Of course there are lots of Web sites that contain 16-digit numbers other than credit card numbers. Keep in mind, though, that the more numbers in this range that Google finds, the higher the page ranking will be. This means that a page full of credit card numbers containing 4052 would likely be toward the very top of the list.

See how easy that was? Right now you may be wondering who in their right mind would publish a page full of credit card numbers on the Internet? The answer is nobody. Poorly constructed Web applications that sell products on the Internet are the problem. The Google spider can index Web sites by indexing pages that use "invisible links." Some poorly constructed Web sites have invisible links to backend data, such as customer lists. A consumer would never see these links, but a search engine does, and therefore indexes the content.

Google Hack Honeypot to the rescue

This is where the Google Hack Honeypot comes in. The idea behind a Google Hack Honeypot is that it places an invisible link onto your Web site. Just like the case with a poorly constructed application, visitors to your site will never see this link, but Google will. However, instead of providing access to backend data, the link directs would-be hackers to a PHP script that logs their activity. Your site's real backend is never exposed through this link.

The best part is that you can get the Google Hack Honeypot for free. It is available and downloadable through GNU public license. http://ghh.sourceforge.net/index.php

Protecting your Web server against Google hacks

The Google Hack Honeypot will not stop anyone from performing a Google hack against you. All it does is log potentially malicious activity against the honeypot. You can, however, use the log's contents to protect your server.

For example, since the log contains things like the IP address or the domain name from which the hack originated, you could plug this information into your firewall and block Web traffic from those sources. Likewise, Internet Information Server contains filters that you could use in conjunction with the information from your honeypot to block malicious traffic.

Conclusion

In this article, I have explained that Google can be a dangerous hacking tool. You can use a Google Hack Honeypot to detect malicious activity against your Web server and enter information from your honeypot logs into your firewall to block sources of malicious Web traffic. Remember, though, that a Google Hack Honeypot will only detect malicious Web traffic against the honeypot. It does nothing to detect malicious traffic against your Web site or to protect you from such traffic. It is therefore important to make sure your Web site is securely constructed.

Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit his personal Web site at http://www.brienposey.com.
I am Just like a SUPERHERO, just with no powers or motivation, and when I am not off saving the world, I like to get drunk and screw.
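
The log-to-firewall step the quoted article describes, as an added example (not part of the original post or of the Google Hack Honeypot project). It assumes the web server writes Apache combined-format access logs and that the honeypot script sits at the hypothetical path `/ghh/index.php`; the sample log lines are constructed. Because the crawler itself follows the invisible link, crawler hits are kept out of the blocklist.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Hypothetical path of the honeypot script behind the invisible link.
HONEYPOT_PATH = "/ghh/index.php"

# Apache/NCSA combined log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Sep/2006:13:58:01 +0000] "GET /ghh/index.php HTTP/1.1" 200 512 "http://www.google.com/search?q=4052000000000000..4052999999999999" "Mozilla/4.0"
203.0.113.7 - - [06/Sep/2006:13:58:09 +0000] "GET /ghh/index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.20 - - [06/Sep/2006:14:02:44 +0000] "GET /ghh/index.php HTTP/1.1" 200 512 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
192.0.2.55 - - [06/Sep/2006:14:05:10 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
"""

def honeypot_hits(log_text):
    """Return {ip: {"hits": n, "queries": [...], "crawler": bool}} for honeypot requests."""
    hits = defaultdict(lambda: {"hits": 0, "queries": [], "crawler": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or urlparse(m["path"]).path != HONEYPOT_PATH:
            continue  # malformed line or ordinary site traffic
        rec = hits[m["ip"]]
        rec["hits"] += 1
        # The search query that led the visitor here, if the referer carries one.
        rec["queries"] += parse_qs(urlparse(m["referer"]).query).get("q", [])
        # User-agent match only; a production check would confirm by reverse DNS.
        if "googlebot" in m["ua"].lower():
            rec["crawler"] = True
    return dict(hits)

def blocklist(hits):
    """IPs to hand to the firewall: honeypot visitors that are not the crawler."""
    return sorted(ip for ip, rec in hits.items() if not rec["crawler"])

if __name__ == "__main__":
    report = honeypot_hits(SAMPLE_LOG)
    for ip in blocklist(report):
        print(ip, report[ip]["hits"], report[ip]["queries"])
```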

drummermandan02
n00b
Posts: 7
Joined: Mon Jan 01, 2007 1:30 pm

Post by drummermandan02 » Mon Jan 01, 2007 1:43 pm

nice post!

B-Con
Challenge Winner [1x]
Posts: 2679
Joined: Thu Apr 22, 2004 4:19 pm
Location: UC Davis

Post by B-Con » Mon Jan 01, 2007 11:24 pm

Moved to Tutorial Submission.
- "Cryptographically secure linear feedback shift register based stream ciphers" -- a phrase that'll get any party started.

- Why know the ordinary when you can understand the extraordinary?

Genocide
n00b
Posts: 28
Joined: Mon Feb 19, 2007 3:37 pm
Location: Notepad/Cmd.exe

Post by Genocide » Mon Feb 19, 2007 4:01 pm

Haha, I tried searching on credit cards after I read this, really nice post, I learned a lot!
