Security Student


Security Fail

by Alex on Mar.20, 2009, under Open Source Intelligence, Security

I did a little bit of Google hacking last night just to hone my skills with search term ninjutsu. There are a lot of very wonderful programs out there that will do this for you (Maltego, Goolag Scanner, etc.) and give you results that you wouldn't normally find by just doing a normal search. And while I have a particular love for Maltego and how easy it makes it to link a name with an email address and find all sorts of interesting things out about a person or organization, there's definitely a special magic to Google hacking that satisfies the soul.

So there I was, minding my own business, performing recon on a friend's site, when lo and behold, jackpot: "ADMIN CONTROL PANEL | OLD". I click it, and it's dead. I could have sworn that I would have had something with that result. But wait! Google, in its superior wisdom, caches the internets. Located in this cache was exactly what I should not have been able to find. User names, passwords, e-mail addresses, dates that the accounts were created, all sorts of very fun and interesting things. Sure, the data was old, but it gave me a starting point to explore further. I had an idea of the user name assignment policy and the password policy. As an attacker this gives me a vital starting point. Of course, being a white-hat, job-seeking security student, I stopped there and notified the admin.

What if I hadn't? I don't need to run nmap yet, as the search results also included a very nice file which let me know exactly what was running, the current patch level (at the time of the caching) and whether any ports were re-mapped. So let's just say the site is running a version of SQL that has some interesting injection features available to it. I've already seen the listing of user names and passwords, I have an idea of what data is kept in the database, and I know how it's formatted. Let's see if I can get the site to tell me what's currently in the database at this moment. Or, let's see if I can telnet in with one of the already discovered user names and passwords. Or, let's see how much fun it is to embed a JavaScript that makes any user's browser report back to me what their Gmail password is if they are logged in.

I spoke with the admin of the site I tested. He was pretty amazed to find that he was broadcasting such information. We discussed an incident that occurred a few weeks ago, and here's what his response to the attack was:

"I've done a lot of IP blocking by country though. Both attacks from jack and wherever were from 125. (gualamaula) I just blocked the whole country. 125.0.0.0 and haven't had an issue since."

Well, sir, if you are an actual target for these individuals, then be ready for another attack. Anyone with a proxy, or simply a host outside that address range, can easily get around that. Security isn't just putting up a firewall, installing a virus scanner, and turning off telnet. A steel door on a white picket fence doesn't do anything other than make the attacker step over the fence. So how does one protect themselves in this world of "evil hackers" and thieves? Simple: absolute protection from all threats is as easy as never leaving your room and having no connections to the outside world. Just please shower when you decide to be realistic and join the rest of us.
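The admin panel above ended up in a public cache because nothing told search engines or intermediaries to stay away from it, and the page answered to anyone who asked. As an added example (my own code, not the site's or the post's), here is a small audit of a site's own sensitive paths: it takes constructed status/header pairs (a real run would feed it responses fetched from your own site) and flags pages that answer without authentication, lack an `X-Robots-Tag` with `noindex`/`noarchive`, or lack `Cache-Control: no-store`. The paths and headers are made up for the example.

```python
"""Audit HTTP responses for a site's own sensitive paths (constructed data, no
network): flags anything a search engine could index or archive, or that
renders for an anonymous client."""
from dataclasses import dataclass, field


@dataclass
class Finding:
    path: str
    issues: list = field(default_factory=list)


def _directives(header_value):
    """Split a comma-separated header value into a set of lowercase directives."""
    return {d.strip().lower() for d in header_value.split(",") if d.strip()}


def audit_response(path, status, headers):
    """Evaluate one response; header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    issues = []
    # A 200 means the page renders for an anonymous client; 401/403 or a
    # redirect to a login page is what a sensitive path should answer with.
    if status == 200:
        issues.append("reachable without authentication")
    # Search engines honour X-Robots-Tag; without noindex/noarchive one stray
    # link is enough for the page, content included, to land in a public cache.
    robots = _directives(h.get("x-robots-tag", ""))
    if not {"noindex", "none"} & robots:   # "none" implies noindex
        issues.append("indexable (no X-Robots-Tag: noindex)")
    if "noarchive" not in robots:
        issues.append("archivable (no X-Robots-Tag: noarchive)")
    if "no-store" not in _directives(h.get("cache-control", "")):
        issues.append("cacheable by intermediaries (no Cache-Control: no-store)")
    return Finding(path, issues)


def audit_site(responses):
    """responses: {path: (status, headers)} -> list of Finding, one per path."""
    return [audit_response(p, s, hdr) for p, (s, hdr) in responses.items()]


# Constructed sample: a forgotten "old" admin panel beside a hardened one.
SAMPLE_RESPONSES = {
    "/admin_old/": (200, {"Content-Type": "text/html"}),
    "/admin/": (302, {"Location": "/login", "X-Robots-Tag": "noindex, noarchive",
                      "Cache-Control": "no-store, private"}),
}

if __name__ == "__main__":
    for f in audit_site(SAMPLE_RESPONSES):
        print(f.path, "->", "; ".join(f.issues) or "ok")
```

Headers only stop future indexing; content already sitting in a search engine's cache has to be removed through the engine's own removal tooling, and any credentials it exposed are burned regardless.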

There is no one method. Attackers will always be thinking of new ways to get around the system, and defenders will always be finding new ways to prevent them from doing so. A good security professional keeps up to date on what's going on. Other than that, follow best practices, listen to PaulDotCom Security Weekly, and keep your head down.
