OSTG | ThinkGeekSlashdotIT Manager's JournalLinux.comSourceForge.netfreshmeatNewslettersTechJobsBroadband
August 25, 2004

News and Trends

Top Story

Google hacks are for real

Friday August 06, 2004 (01:00 PM GMT)
By: Joe Barr

  Printer-friendly   Email story  

Google hacks are for real, regardless of what some uber-hackers may think or say. They can produce passwords, user IDs, credit card numbers, Social Security numbers, bank account numbers and routing codes, and more. They can also be used to troll for vulnerabilities. One quick example: using one of the simplest Google advanced operators in combination with another operator, I quickly found a number of Microsoft IIS 6.0 Authentication Manager pages exposed to the Internet on Army, Navy, state, and federal agency sites. In fact, finding the sites proved to be much easier than alerting them to the vulnerability.

Click Here
of the slides in Google hacking guru Johnny Long's presentation at the recent Black Hat Briefings used the following search criteria to locate IIS 6.0 Authentication Management pages: inurl:iisadmpwd. I ran that query adding first .mil, and later .gov, to restrict the results to those top-level domains. That's all it took to locate one Army site, two Navy sites, one from the National Institutes of Health, another from the Treasury, and two others from Argonne National Lab.

Is it really a vulnerability just because you can see the pages?

I asked Russ Cooper of NTBugtraq fame that very question. Cooper noted, "The box may be secured, yet that page is exposed for some particular reason. It's not likely; it's more likely that it is an unsecured IIS box. If you are able to get that page, that means that that port is not being restricted. And that port should definitely be restricted."

According to both SecurityFocus and InfoHacking.com, there are multiple vulnerabilities with IIS 6.0 Web-based administration beyond the obvious ability to attempt brute-force password cracks.

A Microsoft spokesperson told NewsForge:

The administration pages you referred to are the password change scripts. These pages are not enabled with IIS 6.0 by default, and enabling this functionality requires additional configuration on the part of the machine administrator. Even when enabled, administrators have the option to choose a secure URL. Microsoft has tested the code extensively for cross-site script vulnerabilities and is not aware of any existing XSS issues.

Brute force attacks are not unique to Microsoft's password change scripts; they're common to any Web-based login application including many Web-based mail systems, e-commerce Web sites and intranet applications. In this specific instance, the account lock-out policy, which locks an account after a specified number of unsuccessful login attempts, is the most straightforward mitigation strategy.

ANL thumbnail
Click to enlarge
Reporting the vulnerability

After finding the sites mentioned above, I spent considerable time and effort trying to get someone to pay attention to them. Over the past two days I've spoken to the Navy, the National Security Agency, the office of an Undersecretary of the Army, the Department of Defense, and others closer to the actual sites involved. As a result of these calls, the Army site is no longer visible in Google search results, the most vulnerable Navy page has been taken down or moved, and the NIH page -- which it turns out was connected to a test machine -- is also gone. Argonne National Lab told me that its page was deliberately exposed to the Internet, although I noticed afterwards that it has begun protecting the site with a JavaScript warning banner.

It turns out I was going about the process of vulnerability notification all wrong. I should have gone to the United States Computer Emergency Readiness Team to report them.

The US-CERT home page provides an email address for reporting vulnerabilities. If you use it, you will receive more detailed instructions on how to complete this form.

More on Google hacking

As Johnny Long promised during Black Hat and Defcon, he made the latest version of his slide presentation on Google hacking available on his site this week. Unfortunately, it looks as if his site got defaced in response.

  Printer-friendly   Email story  


  Related Links      

Will DB2 and Oracle databases go open source? | Why people weren't talking about The SCO Group at LinuxWorld  >


Top  |  3 comments  |  Search Discussion  |  

Hmm.. (Score:1)
By ThoreauHD (183344) on 2004.08.07 12:14 (#96973)
You write about hacking as if it's a bad thing. Information wants to be free except when it's on your grandmother's port 443/80? No, I don't think so. And if you think google is datamining us into oblivion, then you'd probably drop a load if you knew what the G7 government's are doing now. Sorry, but if I put my shit on the net, I EXPECT it to be on the net. A big ass peer to peer packet bouncer. If some kid in Chicago has a DVD full of every piece of info on half the citizens in the US- In the grand scheme of things, it may be a good thing. And trust me, it ain't the first time this has happened, And, wow, our heads haven't exploded. Anyhow, my lame opinion. Your gayness may vary.
[ Reply to This ]
    Any hacking tool is a security tool (Score:0)
    By Anonymous Reader on 2004.08.07 12:53 (#96975)
    Any hacking tool is an effective security tool.
    If you find a way to get into something you shouldn't there is a problem.

    I remember the stink with "satan" a utility for discovering vunerabilitys. It was created for system admin but obveously it could be used by hackers instead (who no douipt already had similar tools allready)

    So go google yourself for security defects and fix em...

    Also google security defects of your nations servers and alert them... Assuming your nation is on the Internet.
    If it isn't then google my nations servers becouse we have quite a few 1d10ts running things.
    [ Reply to This ]
      Google Hacking Tool (Score:0)
      By Anonymous Reader on 2004.08.10 3:23 (#97087)
      How can you write an article on Google Hacks without mentioning the latest free Foundstone tool, SiteDigger, which communicates directly with Google through the API and does the "hacking" for you? You type in your subject and SiteDigger does the rest, courtesy Google's vast search engine.
      [ Reply to This ]
        Click Here
        Click Here


        Sign up for the weekly newsletter.
        Email Address:

          Special Offers      

        Get news and special offers on:
        Internet Security

        Click Here

        © Copyright 2004 - OSTG, Inc., All Rights Reserved
        About NewsForge  •  Privacy Statement  •  Terms of Use  •  Advertise  •  Contact Us
        Add our feed to your site