|
|
|
|
Steal This Computer Book 4.0
Last Updated 2/3/2009 3:43:05 PM
There will always be some hacker with a reason for breaking into any particular system, including yours. This chapter of Steal This Computer Book 4.0 describes why hackers choose their target computers to break into, how they find target computers, and detailed steps they use to enter systems illegally.
'
Like car thieves, hackers usually target the first computer they find with weak
defenses. If a computer is too hard to break into, hackers will usually go off in The streets are safe in
search of easier prey. The reason is simple. Unless hackers have a specific reason for breaking into a particular computer, they can accomplish their goals on any people who make them
undefended machine and don't need to waste time trying to break into one that's unsafe.
well-protected.
On the other hand, if a hacker really wants to break into your computer
because it contains files the hacker wants or because your computer provides the
least well-guarded path into a more heavily protected computer network, you can't
do anything to stop that hacker from trying. The only safe computer is one that's
never turned on.
WHY HACKERS CHOOSE THEIR TARGETS
Sometimes hackers break into computers for fun, just to see if they can do it, or to
practice their skills. Hackers often target corporate computers to gain access to their
large storage space, which can be perfect for stashing pirated programs or movies.
By storing large collections of illegal material on someone else's computer, hackers
shift liability from themselves to an unsuspecting stranger.
Sometimes hackers target corporate computers for the information contained
in them. In his book Friendly Spies, Peter Schweizer claims that Germany financed
hackers in an effort called Project Rahab, which mapped out the structure and flaws
of computer networks belonging to the governments of France, Japan, England,
and the United States. Likewise, China has been accused of using hackers to probe
for weaknesses in the computer networks of other countries, and it's likely that the
United States and Russia have also developed this capability.
Even if your computer doesn't belong to a top-secret government network or a
major corporation, hackers might still target your computer for fun, but increasingly,
they're doing it for profit. Few hackers care to see which web pages someone visits,
but many would be very interested in seeing the credit card numbers someone types
into a particular web page. To snare this type of information, hackers will often install
remote-access Trojan horses (see Chapter 5 for more information about RATs) that can
capture keystrokes or screen images and send them to the hacker later.
Hackers also break into computers owned by individuals in order to install pro
grams called "bots," which let them control that computer remotely. Unlike RATs, which
allow a hacker to gain complete control over an infected computer, bots are much smaller
programs that accept and perform a more limited range of commands. By linking bot-
infected computers together, a hacker can create an army of "zombies" or "drones." With
a single command, they can be instructed to send a flood of data to another computer
that will shut it down (a denial of service attack), or send out massive amounts of junk
email (spam). (Individual computers connected to high-speed Internet connections, such
as DSL or cable modems, are especially prized because they're always available and can
blast out information like spam at high speeds.)
There will always be some hacker with a reason to break into any particular sys
tem, including yours, whether you're in charge of a corporate computer installation or just
your own personal computer.
FINDING A TARGET
When an army needs to find a target, they send out scouts who attempt to infiltrate
enemy territory and report back on what they've found. Likewise, when hackers want to
break into a computer, they need to scout out possible targets to determine which ones
to attack. If hackers don't have a specific computer they want to attack, they'll often
scout for targets of opportunity using war dialing, port scanning, and war driving.
War dialing
Before the growth of the Internet, war dialing was the best way to find a computer to
attack. Even with today's heavy reliance on the Internet, many companies still use
telephone modems to allow salespeople to remotely connect to and control an office
computer using programs such as pcAnywhere or LapLink. If a computer happens to be
connected to both a network and an outside telephone line, hackers can often sneak in
through the telephone line, bypassing defenses deployed on the network. (If a computer
is only accessible to the outside through a phone line, war dialing might be the only way
to get in at all.) Phone lines typically don't have firewalls or intrusion detection systems.
Many companies get a false sense of security from knowing that a modem's
phone number is not listed publicly. But just because a hacker doesn't know the spe
cific phone number to a computer doesn't mean he can't find it. That's what war dialing
is all about.
Most company phone numbers all use the same prefix. For example, internal
phone lines for a company with the 239 prefix could all have numbers like 239-1029 or
239-8953. A hacker could spend all night dialing different telephone numbers until he
reaches one with a modem on the other end, or simply let a computer do this tedious
work by running a war dialer (see Chapter 2).
A war dialer can automatically dial a range of phone numbers, such as those from
239-1000 to 239-9999. For each number it tries, it listens for the telltale squeak of an
answering modem and, if it hears it, records the telephone number. A hacker can let a
war dialer run overnight and wake up the next morning with a list of phone numbers, both
listed and unlisted, that are each connected to a modem.
He can then dial each telephone number individually. Before a computer will allow
access through a telephone line, it usually asks for a password. All the hacker needs to
do is guess the correct password and the computer will throw opens its doors to let the
hacker inside.
One of the simplest defenses against war dialing is a callback device. The moment
someone (a valid user or an intruder) calls the computer, the callback device hangs
up and dials a pre-arranged telephone number that only a valid user would answer. Of
course, a really determined hacker could somehow find out the phone number used by
the callback device and then use call forwarding on that number to reroute the call to the
hacker's phone number.
Port scanning
Port scanning works much like war dialing, but instead of dialing multiple phone numbers
to find a way into a computer, scanners probe a range of Internet Protocol (IP) addresses,
as shown in Figure 8-1.
Every computer connected to the Internet uses ports, opening up countless doors
that hackers can use to access a computer. Table 8-1 lists the more common ports, but
keep in mind that a computer may have several hundred ports open at any given time.
Computers can communicate over the Internet using two protocols, TCP and
UDP. Normally when one computer wants to communicate with another through a port
using the TCP protocol, the first computer sends a synchronize (SYN) message to the
second computer, which essentially tells it, "I'm ready to connect to your port." The type
of communication the first computer wants to initiate determines which port number the
computer uses, such as port 110 to send email or port 80 to send a web page. When the
target computer receives this message, it sends back a synchronize/acknowledgment
(SYN/ACK) message, which says, "Okay, I'm ready too." Now the first computer can send
data to this particular open port of the second computer.
The TCP protocol is often used when reliability is more important than speed, since
constantly acknowledging the other computer can slow down communication. That's why
sending email or transferring files is usually done using TCP.
The UDP protocol is most often used for streaming video or Internet telephony
where speed is more crucial. The UDP protocol saves time because it doesn't go through
the "handshaking" process that the TCP protocol requires, but like TCP, UDP can still be
100 exploited.
In legitimate interactions, receiving TCP synchronization messages on a port is no
cause for alarm, but receiving them unexpectedly and abundantly can be a telltale sign
of an attempt to probe a computer's defenses, like a burglar loudly jiggling the handle of
every door on a building, trying to see which ones are locked.
So to mask their probing attempts, port scanners use a variety of evasive techniques. While none of these techniques will work all the time, the combination of these
tactics can help identify different ways to get into a computer, such as the following:
TCP connect scanning Connects to a port by sending a synchronize (SYN)
packet, waits for a return acknowledgment packet (SYN/ACK), and then sends
another acknowledgment packet to connect (ACK). This type of scanning is what
normally happens when two computers communicate through a port. This is easily
recognized and often logged by target computers to alert system administrators of
a possible hacker attack.
TCP SYN scanning Connects to a port by sending a SYN packet and waits for a
return acknowledgment packet (SYN/ACK), which indicates that the port is listening, but never sends an acknowledging ACK packet back to the target computer.
Known as half-scanning, this technique is less likely to be logged and detected
than ordinary TCP connect scanning, although now many security programs specifically look for this type of scanning simply because it's more likely to be used by
hackers hiding their probing attempts.
TCP FIN scanning Connects to a port by sending a "No more data from sender"
(FIN) packet to a port. A closed port responds with a Reset (RST) message, while
an open port simply ignores the FIN packet, thereby revealing its existence as an
open port.
Fragmentation scanning Breaks up the initial SYN packet into smaller pieces to
mask its existence from any packet filter or firewall protecting the target computer.
Used in conjunction with other scanning techniques such as TCP connect, TCP
SYN, or TCP FIN scanning.
FTP bounce attack Requests a file from an FTP server on the target system
using the IP address and port number of another computer, thus masking the
source of the attack (the hacker's computer). A successful file transfer indicates
an open port on the target computer without revealing the hacker's IP address.
UDP (User Datagram Protocol) scanning Uses UDP instead of TCP. When
a closed UDP port receives a probe, its send an ICMP_PORT_UNREACH error
message. Ports that don't send back an ICMP_PORT_UNREACH error message
are open.
Once port scanning has determined that a computer on a specific IP address has
ports open to attack, the next step is to determine what type of operating system and
server software the target computer is using. To make this determination, hackers send
data to different ports and analyze the way the computer responds, as shown in the port
scanner screenshot in Figure 8-2.
Port scanners use a variety of platform-probing techniques, including the following:
FIN probing Sends a FIN ("No more data from sender") packet to a port and
waits for a response. Windows responds to FIN packets with Reset (RST) messages, so if a RST message comes back, the computer is likely running Windows.
FIN/SYN probing Sends a FIN/SYN packet to a port and waits for a response.
Linux systems respond with a FIN/SYN/ACK packet.
TCP initial window checking Checks the window size on packets returned from
the target computer. The window size from the AIX operating system is 0x3F25
and the window size from OpenBSD or FreeBSD is 0x402E.
ICMP message quoting Sends data to a closed port and waits to receive an
error message. All computers should send back the initial IP header of the data
with an additional eight bytes tacked on. Solaris and Linux systems, however,
return more than eight bytes.
Once a hacker knows the IP address of a target computer, the open ports available
on that target computer, and the type of operating system used by the target computer,
the hacker can plan his strategy for breaking in, much like a burglar might case a house
before trying to break into it in order to determine the best route.
If you want to see how a port scanner works, you can try Angry IP Scanner (www
.angryziber.com/ipscan); Nessus (www.nessus.org); iNetTools (www.wildpackets.com);
N-Stealth (www.nstalker.com/eng/products/nstealth); Nmap (www.insecure.org/nmap);
SAINT (www.saintcorporation.com); or SARA (http://www-arc.com/sara).
Nmap is considered the premier port scanning tool, which offers a variety of
scanning and evasion techniques. Since most networks now use firewalls and intru
sion detection systems (IDS) to detect port scanners, Nmap breaks its data packets into
smaller fragments, which can fool a firewall or IDS from recognizing that a port scan is
even taking place.
Nmap also lets you spoof where data is coming from. If a firewall or IDS detects
a flood of data coming from one computer, it might rightly conclude a hacker is probing
its defenses. But by using Nmap, a hacker can still probe a computer, but each probe
appears to come from a different computer (when it's really coming from a single com
puter). No matter how good a firewall or IDS may be, it can never be 100 percent reliable,
and port scanners like Nmap constantly evolve to take advantage of the latest tricks.
War driving
Rather than physically connecting computers with cables to form a network, many companies and individuals are turning to wireless networks instead. The idea is simple. You
plug in a device known as a router or access point, which relays signals to and from
any computer with a wireless network interface card (NIC). Those computers can then
access the resulting wireless network as if they were physically connected to one another
through cables.
Any computer with a wireless card within range of the wireless access point can
access a wireless network. Unfortunately, it also means that a wireless card plugged into
a hacker's laptop across the street could access that same network too. When you set
up a wireless network, it's like having a normal wired network with cables sticking out
of every window in the building, which anyone can plug into their computer and use to
access your network, at any time, without you necessarily knowing about it.
With so many corporations and individuals going wireless these days, hackers
can locate wireless networks simply by driving around a neighborhood with a laptop
computer, a wireless network interface card, and a scanning program. Sometimes hackers also include a global positioning system (GPS) for mapping out the exact location of
the wireless networks they find. The process of driving around and scanning for wireless
networks is called war driving. (There is also war strolling, war flying, and war boating, but
the main idea in each case is the same: cruise a neighborhood and search for wireless
networks.)
Once you have a laptop or handheld computer with wireless capability, you can
just saunter over near an unguarded wireless "hotspot" (an area where wireless access is
available) and use it to connect directly to the Internet.
While coffeehouses and public libraries offer free wireless Internet access as an
attractive service to their customers, many individuals and businesses unwittingly offer
free wireless Internet access as well. When people set up a wireless network, they usually just plug their wireless router into their Internet connection (such as a cable or DSL
modem) and right away, they have wireless access. Unfortunately, these people don't
realize that the range of Internet access often extends beyond the physical boundaries of
their home or office and spills out into the streets and sidewalks. Anyone can access the
Internet through these unintentional wireless hotspots.
As mentioned, to find a wireless (WiFi) hotspot, you can drag your laptop or handheld computer around with you, or you can just use a handy WiFi locator device, such
as the ones made by WiFi Seeker (www.wifiseeker.com) or by Intego (www.intego.com/
wiFiLocator), shown in Figure 8-3.
In a surprising number of cases, people will set up a wireless network with no
thought to security, which means you can access that WiFi network just by turning on
your wireless-enabled computer. To prevent this, some people will turn on WiFi encryption, known as Wired Equivalent Privacy (WEP).
WEP encryption scrambles any data sent across a WiFi network, which essentially
blocks strangers from accessing a WiFi network. The original WEP encryption standard
only used 40-bit encryption keys, but newer, more secure WEP encryption uses 128-bit
keys. The longer the keys used to encrypt data, the harder the encryption is to crack. It's
a bit like trying to guess a number between 1 and 10 versus guessing a number between
1 and 999,999,999.
To defeat WEP encryption, hackers use special sniffer programs that snare data
from the WiFi network for cryptanalysis. The more data the sniffer program grabs, the
better its chances of figuring out how the WiFi network is encrypting its data. Given
enough time, most sniffer programs will eventually be able to crack WEP encryption,
letting the hacker on to the network.
Newer wireless networks now use WiFi Protected Access (WPA), which is a
stronger encryption standard. However, even this isn't invulnerable to attack, since
hackers have developed a program dubbed coWPAtty, which snares enough data from
the wireless network and then uses a dictionary attack (see Chapter 9 for more informa
tion about cracking passwords using a dictionary attack) to find the password needed to
access the wireless network.
Hackers have developed sniffer programs for all types of computers and operating
systems including Windows, Linux, Macintosh, and even Palm and PocketPC handheld
computers. To find a sniffer program, visit WarDriving.com (www.wardriving.com). For a
specialized operating system designed just to sniff out WiFi networks, download and run
a unique Linux distribution dubbed WarLinux (http://sourceforge.net/projects/warlinux).
To defeat sniffers, some corporate networks rely on client-side certificates, which
verify that a particular computer is allowed access to a network. If a computer tries to
access a network without the proper client-side certificate, the network cuts it off. Client-
side certificates make accessing a wireless network harder, but if a hacker hijacks a
computer that is allowed to access the network, the hacker can access the network
through a "trusted" computer, which proves that there really is no such thing as a "trusted" computer.
The steps to accessing a WiFi network
The first step to accessing a WiFi network is to find a WiFi signal, either by using a WiFi
locator device or by letting your WiFi-equipped computer scan the airwaves. Since two
WiFi networks may overlap each other, each one identifies itself with a service set identifier (SSID), which is a unique, descriptive name for a network. A computer must know the
WiFi network's SSID to connect to it.
There are two ways hackers can retrieve this information. First, they can use a
sniffer program to snare data packets out of the air and examine them to piece together
the SSID. Second, they can anticipate that the network administrator will have left the
WiFi network's default manufacturer settings in place including the default SSID, which
is often just the name of the company that makes the WiFi router, such as LinkSys or
NetGear. So when prowling the airwaves, hackers will first try all the various default
passwords used by different WiFi manufacturers.
Some WiFi networks may require a user name and a password for access. As
with SSID settings, however, nearly all WiFi equipment comes with a default user name
and password, and few people bother to change this. So hackers first try feeding a WiFi
network a known default password and user name for that particular WiFi manufacturer.
If this doesn't work, the hacker can use the sniffer program to study data packets used
by the WiFi network and steal a legitimate user's user name and password. In their quest
to thwart intruders, some WiFi networks will only grant access to network interfaces
with specific (MAC) addresses, which uniquely identify computers on a WiFi network.
However, to find a valid MAC address, hackers can do the same basic thing that they do
to steal user names and passwords.
If you have a WiFi network, consider it vulnerable to attack. Someone can always
attempt to access it from next door, down the street, or from a car parked outside your
window. (Quick! Take a look now!)
Finding a WiFi network
If you want to find a WiFi network that openly accepts users (for free or for a fee), visit
a WiFi hotspot search engine such as HotSpot Haven (www.hotspothaven.com) or
WiFiMaps.com (www.wifimaps.com). By planning ahead, you can always be near a WiFi
hotspot, whether you're in Pittsburgh or Pasadena.
However, if you want to find a WiFi network that isn't open to the public, you can
visit the Wireless Geographic Logging Engine (www.wigle.net), which lists known WiFi
hotspots in different parts of the world, as shown in Figure 8-4.
To make finding a WiFi network even easier, hackers have adopted the techniques
of late 19th- and early 20th-century hobos who used to carve or draw marks on trees
and buildings to warn other hobos of unfriendly towns, sympathetic households, or good
places to hop on a passing train. Likewise, war chalking today (visit www.warchalking.org)
involves drawing marks around a neighborhood to identify the location and features of a
particular wireless network, as shown in Figure 8-5.
Once that first hacker discovers a WiFi network and leaves behind a war-chalking
mark, other hackers will likely explore that wireless network. Although many companies
make wireless equipment, many wireless hacking tools like Kismet (www.kismetwireless
.net), contain a database of default wireless configurations for each manufacturer. Since
most people never change these default settings, a hacker using Kismet (or a similar
wireless hacking tool) can often access a wireless network right away.
With so many unwanted intruders poking around a network, it's only a matter of
time before one of them accidentally or purposely disrupts, deletes, or alters some important files.
Protecting a WiFi network
It's easy to protect a WiFi network from intruders: Just turn it off. Of course, it's not practical to turn it off when you're using it, so here are some simple tips to help protect your
WiFi network from an unwanted intruder.
First, try lowering the signal strength from your wireless network's access point. By
lowering the signal, you can limit its range from extending beyond the area in which you
need it. Next, change all the default settings of your WiFi equipment, such as its SSID
identifier and user name and password. Next, turn on MAC address filtering so that your
WiFi network only allows computers with network interfaces with specific MAC addresses
to access the network. Finally, turn on WEP encryption. While WEP encryption can't pro
tect your network from a determined hacker, it can discourage the opportunistic hacker
looking for an easy WiFi network to access. New WiFi equipment supports an improved
encryption standard known as WiFi Protected Access (WPA). Given a choice, use WPA
instead of WEP encryption.
For those who like to take a proactive stance in defending against hackers, try run
ning a program called Fake AP, created by Black Alchemy (www.blackalchemy.to). The
Fake AP program floods the airwaves with phony SSIDs. Now if a hacker tries to find your
WiFi network, he'll have to wade through this flood of bogus SSIDs, which decreases the
chances that he'll actually find, let alone break into, your WiFi network.
Probing sites by Google hacking
The key to breaking into any computer is to learn what type of software it runs. While it's
possible to obtain this information by connecting directly to a target computer and running
one of many hacker programs that probe a computer's security perimeter, this is much
like a prowler peeking through the windows of a house that he plans to burglarize. It may
work, but it risks alerting the target that it's being cased, and also leaves a trail that could
potentially lead back to the intruder.
So rather than take this risk, hackers simply let Google find this information for
them. Not only does this keep the hacker's identity hidden, but it also prevents the target
from knowing it's being probed.
Finding specific webserver software using Google
Hackers often specialize in breaking into specific webserver programs, and they can use
Google to help them find more vulnerable computers to attack. To search for websites
that run specific webserver programs, just type in the name of the server software you
want to find, such as Microsoft IIS 5.0 or Red Hat Server 3.0, using the following query
format:
intitle:index.of "Software name"
|
intitle |
Searches for web pages that contain a particular word or
phrase in their titles |
|
index.of |
Specifies the directory listing of a website, which often has the
title "Index of" near the top of the page |
|
"Software name" |
Specifies a particular webserver program name, such as
Microsoft IIS 6.0 or Apache 2.2 |
This type of Google query examines a website's directory listing to reveal both the
way the website organizes its files and the name and version of the webserver software
running it, as shown in Figure 8-6.
Searching specific websites
Another powerful Google search tool is the site operator, which narrows your search to a
specific website domain. It has the following format:
site:"Domain name" "Search term"
| site |
Searches for web pages stored on sites in a specific domain |
| "Domain name" |
Specifies the domain, such as .edu or army.mil |
| "Search term" |
Specifies a search word or phrase |
While this query can be useful to find specific types of information on specific
types of websites, such as looking for information about "terrorism" on all ".gov" website domains, the real power of the site operator appears when it is combined with the
intitle operator. This combination can search websites in specific domains running
specific webserver programs.
So if you know how to break into an Apache webserver and you want to know
which US Army websites might be running it, you could use the following query, which
would display a listing as shown in Figure 8-7:
site:army.mil intitle:index.of apache
Once you know which of your targeted websites run specific versions of a web-
server program (such as Apache 1.3), you can use Google once more to search for
Apache vulnerabilities or a similar string to view information about known flaws in that
particular webserver program.
| NOTE: Rather than use Google to search for software flaws, you can also browse
through computer security sites such as Packetstormsecurity.org and CERT.org that list
the latest software vulnerabilities found in webservers.
|
Security bulletins are meant to alert system administrators to flaws that they should
patch immediately. However, many system administrators either never see these bulletins
or don't implement them right away. As a result, hackers can also use security bulletins to
find vulnerable websites (and many do).
For example, suppose you find a security bulletin that identifies a flaw in Apache
and recommends that users upgrade to Apache version 1.3.27. Armed with this information, you just have to search for any website running an earlier version of Apache, and
you'll know that it is likely to be vulnerable to the specific flaw described in the security
bulletin. In many cases, security bulletins can be just as helpful to hackers as they are to
system administrators.
Probing a website's defenses
Many system administrators run security scanners to probe for holes on their sites. This
typically generates a report of its findings for the system administrators to study. Not surprisingly, many system administrators never delete these security scanner reports, and
you can use a Google query using the intitle operator to look for them once you know
the heading the security scanner always stores on its reports.
For example, one popular security scanner is Nessus (www.nessus.org), whose
reports you can search for using the following query format:
intitle:"Scanner header"
To look for Nessus security scanner reports, the scanner header search string is
"Nessus Scan Report":
intitle:"Nessus Scan Report" "This file was generated by Nessus"
This will help you find security scanner reports on other websites, as shown in
Figure 8-8.
Even if the vulnerabilities reported by a security scanner report have been closed,
a security scanner report can help hackers understand the defenses of a target computer
better. Since security scanners can't detect every possible vulnerability, they can give
lazy system administrators a false sense of security. If a knowledgeable hacker knows
of a security flaw that a scanner doesn't detect, the system administrator may not have
detected that flaw either, and there's a good chance that the hacker can exploit the flaw.
Besides security scanners, many system administrators rely on intrusion detection
tools, such as the popular open-source Snort (www.snort.org). To create reports, Snort
users often run a program called SnorfSnarf. Once again, if system administrators don't
delete the SnortSnarf files from their systems, hackers can find them by simply searching
with Google for "SnortSnarf alert page." Not only can this alert hackers that a particular
website is running the Snort intrusion-detection system, but the retrieved SnortSnarf
reports will also show the types of attacks that other hackers have tried (and that have,
presumably, failed), as shown in Figure 8-9.
Combine the "SnortSnart alert page" query with the site operator, and you can find
out which websites are running the Snort intrusion-detection program using a query such
as this one:
site:edu snortsnarf alert page
The above query tells Google to search for all educational websites (.edu) that
have used the SnortSnarf program to create a report.
Finding and copying files using Google
Rather than break into a website (and risk getting caught), hackers can often retrieve
the site files they want through Google. Many system administrators store user names,
addresses, telephone numbers, and even Social Security numbers in a Microsoft Access
database file, often called admin.mdb. To search for these types of files, you just need to
use the allinurl operator. The format of this query is as follows:
allinurl:"Filename"
| allinurl |
Searches for web pages that contain "Filename" in the web page
locator string |
| "Filename" |
Specifies the file to find |
So to find the admin.mbd file, which often contains sensitive information, you would
just use this query:
allinurl:admin.mdb
After finding this file using Google, you can download it through Google and view it,
as shown in Figure 8-10, all in the privacy of your own computer.
Figure 8-10: After finding a file with a Google query, you can download it from the website.
Another Google search operator that comes in handy for finding specific types of
files is the filetype operator. Its format is as follows:
filetype:"File extension" "Search term"
| filetype |
Searches for files having the extension identified by "File
extension" |
| "File extension" |
Specifies the type of file to search for, such as PDF (Adobe
Acrobat files) or DOC (Microsoft Word files) |
| "Search term" |
Specifies a word or phrase to find in these files |
So if you wanted to find Microsoft Word documents that contain the phrase for
internal use only, you could use this query:
filetype:doc "for internal use only"
Combine the filetype operator with the site operator and you can search for
all Microsoft Word documents that contain for internal use only in military websites, as
shown below:
site:mil filetype:doc "for internal use only"
The filetype operator isn't likely to uncover any files containing top-secret docu
ments or evidence of conspiracy, but it can be one more way to probe the inner workings
of a website. In addition, the filetype operator demonstrates just how invasive Google is
in indexing information that most website administrators don't even know have thereby
been exposed to the world.
Guarding against Google hackers
To defend against Google hackers, keep any sensitive files off your webserver. Just
because a file can't be accessed through your web pages doesn't mean that a hacker
can't find that file anyway. Even if a sensitive file is only on your website temporarily, you
are not safe.
Then try Google hacking your own webserver and see what you find. You may be
surprised at how much information Google may already know about your server and how
vulnerable your computer might really be.
Search engines like Google constantly troll different websites and store the files
they find in a storage area called the cache. Once your website's files have been stored
in Google's (or some other search engine's) cache, anyone can view them by using the
cache operator. For example, if you want to view pages that were previously displayed
by a website, you can use the cache operator followed by the website address, as shown
below:
cache:cnn.com
This Google query will show you the web pages currently stored on Google for the
CNN.com website. These pages will remain in Google's cache until the next time Google
refreshes its cache by visiting the CNN.com website, even if CNN.com has removed or
altered the pages in the meantime.
Google, like most search engines that regularly "crawl" the Internet to find websites
to index, follows certain rules when visiting websites. One of those rules is that website
administrators can create a special robots.txt file that specifies which parts of the website
the search engine should not explore and store in its cache. So if there are sensitive files
that on your computer that you don't want others to see, you can create a robots.txt file to
tell Google not to index them. (Of course, it's much safer not to put sensitive files on your
webserver computer in the first place.) To learn more about how the robots.txt file works,
visit www.robotstxt.org. Just be aware that hackers can also peek at your robots.txt file to
see what type of information you want to protect, and then they'll know exactly what type
of information to look for in your computer.
Another alternative is to request that search engines (for example, Google) ignore
your website altogether. However, while this can prevent hackers from scanning your
site using the search engine, it can also keep legitimate users from finding it that way
too. To request that Google remove your site from its index, follow the steps listed at
www.google.com/remove.html.
Finally, visit the Google Hacking Database (GHDB)'http://johnny.ihackstuff.com'
to see how Google has exposed other websites to attack. You can (hopefully) thus learn
how not to fall victim to the same tricks.
Every tool on the Internet can be used for good or for bad, and Google is no exception. If you run a website, you must learn about Google hacking in order to lock down your
system's defenses. If you're just a curious and non-malicious individual, have fun experimenting with Google. You may find more than you ever imagined.
THE NEXT STEP
With war dialing, port scanning, war driving, and Google hacking, hackers can locate
nearly any computer connected to a phone line or the Internet. Unfortunately, once
hackers find such a computer, they often can't resist the temptation to break in to it and
explore it. And once a hacker has broken into a computer, the results could range from
the hacker simply browsing around but altering nothing to his trashing the entire system
and wrecking everything in sight. If you're in charge of a system's security, have fun trying to guard against the many ways someone can spy on your system. If you're a hacker,
take your pick on which tactics to try first to peek past a computer's security defenses.
No matter which method you use, there's a good chance one of them will work and help
you circumvent even the most expensive computer security system in the world.
|
Page:
1 |
|
|
|