By Pierluigi Paganini, Editor-in-Chief, CDM
May 10, 2013, 11:30 am EST
A Webroot blog post announced that a new version of a DIY Google Dorks based hacking tool has been released in the wild. It can be used for mass website analysis, turning the power of the popular search engine to information gathering during the reconnaissance phase of an attack. Similar tools can be used to acquire information on target environments by an attacker, or by a penetration tester evaluating the architecture that is about to be tested. The availability of the DIY Google Dorks based hacking tool lets ill-intentioned actors acquire precious information on remotely exploitable websites, data that can then be used to compromise them, for example by deploying a malicious exploit kit or exploiting known vulnerabilities. The tool relies on Google Dorks to evaluate targets; in particular, it has built-in features to evaluate whether a SQL injection attack is possible and to discover all the targets that are not protected by a CAPTCHA challenge mechanism. As usual, the project appears to be under continuous development, and the authors are still working to improve its capabilities with new features such as the ability to evaluate vulnerability to custom malicious exploits. By composing specifically crafted Google queries it is possible to reveal sensitive information essential for the success of an attack: thanks to the advanced operators, a technique known as "dorking", it is possible to retrieve a huge quantity of information on a target, such as:
- User’s credentials.
- Sensitive documents.
- Admin login page.
- Email lists.
The syntax for using an advanced operator in Google is
Operator_name:keyword
The following are some sample advanced operators and what each keyword matches:
Operator | Description
Allintext | Searches for occurrences of all the keywords given
Intext | Searches for occurrences of the keywords, all at once or one at a time
Inurl | Searches for a URL matching one of the keywords
Allinurl | Searches for a URL matching all the keywords in the query
Intitle | Searches for occurrences of the keywords in the page title, all or one
Allintitle | Searches for occurrences of all the keywords in the page title at once
Site | Restricts the search to the given site and lists all the results for that site
filetype | Searches for the particular file type mentioned in the query
Link | Searches for external links to pages
Numrange | Used to locate specific numbers in your searches
Daterange | Used to search within a particular date range
Using more complex queries, an attacker can obtain a series of details on the status of the target, for example to discover whether it has already been "backdoored" and which vulnerabilities can potentially affect the system. The Google Hacking Database provides many examples of queries that help a hacker find vulnerable servers, gain information on the target, explore sensitive directories and find vulnerable files, find password files, or find sensitive online shopping information.
- inurl:"r00t.php" – This dork finds websites that were hacked and backdoored and that expose their system information.
- allintext:"fs-admin.php" – This dork shows the world-readable directories of a plug-in that enables WordPress to be used as a forum. Many of the results also show error logs that give an attacker the server-side paths, including the home directory name. This name is often also used as the login for FTP and shell access, which exposes the system to attack. There is also an undisclosed flaw in version 1.3 of the software: the author mentions a security fix in version 1.4 but does not tell us what was patched.
- filetype:config inurl:web.config inurl:ftp – This dork finds sensitive MySQL Server information (uid and password) stored in web.config files reachable through FTP.
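Site owners can apply the same operator logic offline to their own page inventory (for example, the URLs listed in a sitemap) to find exposures before a search engine indexes them. The following Python is an added example, not code from the article or from any tool it describes: it parses the Operator_name:keyword syntax above, evaluates the inurl, intext, intitle (and allin* forms), site and filetype operators against a constructed page inventory, and reports which of the dorks quoted above would surface each page. The link, numrange and daterange operators depend on Google's own index and are rejected; PAGES and the example.test host are constructed sample data.

```python
import re
from urllib.parse import urlparse

# Constructed inventory of a site's own crawlable pages (hypothetical data, not a real site).
PAGES = [
    {"url": "https://example.test/wp-content/plugins/fs-admin/fs-admin.php",
     "title": "fs-admin forum plugin",
     "text": "Warning: fs-admin.php error_log in /home/acme/public_html"},
    {"url": "https://example.test/ftp/web.config", "title": "",
     "text": "<connectionStrings> uid=dbuser; password=PLACEHOLDER </connectionStrings>"},
    {"url": "https://example.test/about.html", "title": "About us",
     "text": "Company history and contact details"},
]

# One dork term: optional operator prefix, then a quoted phrase or a bare word.
TERM = re.compile(r'(?:(?P<op>[a-z]+):)?(?:"(?P<quoted>[^"]*)"|(?P<word>\S+))', re.I)
FIELD_OF = {"inurl": "url", "allinurl": "url", "intext": "text", "allintext": "text",
            "intitle": "title", "allintitle": "title", "site": "host", "filetype": "ext"}

def parse_dork(dork):
    """Return [(operator or None, keyword)] for a dork such as 'filetype:config inurl:ftp'."""
    terms = []
    for m in TERM.finditer(dork):
        op = m.group("op").lower() if m.group("op") else None
        kw = m.group("quoted") if m.group("quoted") is not None else m.group("word")
        if op is not None and op not in FIELD_OF:
            raise ValueError(f"operator not supported offline: {op}")
        terms.append((op, kw.lower()))
    return terms

def page_matches(page, dork):
    """True when every term of the dork is satisfied by this page (Google ANDs the terms)."""
    u = urlparse(page["url"])
    f = {"url": page["url"].lower(), "text": page["text"].lower(), "title": page["title"].lower(),
         "host": (u.hostname or "").lower(), "ext": u.path.rsplit(".", 1)[-1].lower() if "." in u.path else ""}
    for op, kw in parse_dork(dork):
        if op is None:            # bare keyword: anywhere in URL, title or body text
            ok = any(kw in f[k] for k in ("url", "title", "text"))
        elif op == "site":        # host equals the keyword or is a subdomain of it
            ok = f["host"] == kw or f["host"].endswith("." + kw)
        elif op == "filetype":    # extension of the URL path
            ok = f["ext"] == kw
        else:                     # inurl/intitle/intext and their allin* variants
            ok = all(w in f[FIELD_OF[op]] for w in kw.split())
        if not ok:
            return False
    return True

def audit(pages, dorks):
    # Map each dork to the inventory URLs it would surface, so they can be fixed before indexing.
    return {d: [p["url"] for p in pages if page_matches(p, d)] for d in dorks}
```

Running audit(PAGES, [...]) with the three dorks from the article flags the fs-admin.php page for the allintext dork and the web.config page for the filetype dork, while the r00t.php dork finds nothing in this inventory.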
The above dorks are just simple examples of the power of these search strings; after only ten minutes playing with them, a user perceives the infinite possibilities that Google offers an attacker. Now imagine a single DIY Google Dorks based hacking tool that automates all these queries without requiring any particular knowledge of Google dorks: it is a hacker's heaven, what do you think? The DIY Google Dorks based hacking tool described by Dancho Danchev offers a complete suite to automate the remote inspection of targets and their exploitation; the instrument works on the desktop and can also be integrated with popular browsers to fool the search engines into thinking that the generated traffic is legitimate.
The price of the DIY Google Dorks based hacking tool is very cheap compared to the advantage derived from its use: one license costs $10 paid in the Liberty Reserve currency, or $11 paid by Western Union transfer. Licenses are tied to a specific host by a hardware-based ID restriction, but the authors also offer an unlimited license for $20 in Liberty Reserve or $20 by Western Union transfer.
Cyber criminals can exploit hundreds of thousands of legitimate websites in various ways, and tools such as the DIY Google Dorks based hacking tool facilitate those attacks. Dancho Danchev, in his interesting post, described the principal techniques used to compromise websites:
- Search engine reconnaissance through DIY SQL/RFI (Remote File Inclusion) tools or botnets; the category includes a wide range of applications that automatically exploit improperly configured websites such as blogging platforms or well-known CMSs.
- Use of data-mined or purchased stolen accounting data; cyber criminals gather information from malware-infected machines, looking for login credentials to be automatically abused, with malicious scripts and actual executables getting hosted on legitimate websites in an attempt to trick a security solution's IP reputation process.
- Active exploitation of server farms – criminals try to infect the largest possible number of low-profile websites; a common practice observed by security researchers is the exploitation of servers that host a large number of domains, for example using commercially available Apache backdoors.
The cybercrime underground offers everything necessary to organize a fraud without requiring particular knowledge of the various technological platforms (e.g. mobile), and proposes new and efficient sales models such as FaaS. It is crucial to follow the evolution of the black market to avoid shocking surprises.
(Source: CDM & Security Affairs – Cybercrime)