"Google" the Backdoor Into Your Company

[5]


For the uninitiated, Google crawls and indexes everything that is attached to the internet.  Its repositories of indexes are mind-boggling.

The thing that you might be unaware of is that your confidential stuff is being indexed as well.  I wrote a bit about indexing in a previous article.  

*The article you are reading is for educational purposes*

If you are wondering what kind of confidential stuff can be indexed, the answer is anything that is exposed to the public internet.  This might lead the reader to think that "anything" pertains only to assets (webservers) that were intentionally placed on the internet.  However, it covers any network connection that is exposed, even internal connections!

A resourceful bad actor can pull together information from a variety of resources across the internet, and it's easy to see (after the fact) how they were able to gain access.

How does it work?

There is a concept that all hackers are familiar with: "Google Dorks."  This is a colloquial term for a collection of curated Google searches that query the index for VERY interesting results.

The master list can be found here[3].  

Seriously, there is so much information revealed using Google in this way.  Let's go through a few examples that are particularly alarming.

inurl:admin.login.php

Searching Google for admin.login.php comes back with login pages for services and companies.  These can be public-facing services, but to a resourceful hacker these look more like doorways in.  Truth be told, very easy doorways in.  For example, I was recently talking with someone (identity withheld) who had recently broken their own personal record for discovery and compromise (authentication) of a website.  From the moment of googling (discovery) and accessing the login page of a university to submitting SQL injection (compromise [authentication]), the entire process took under 30 seconds.  What's most scary about this story is that this person definitely was not the only person who had done this.

inurl:/intranet/login.php

This one is in the same vein as the previous one, but it should cause alarm just by looking at it.  The word intranet implies that there is a web service that is being provided for users of an organization.  It is a very popular way to disseminate information to internal users.  Even Wikipedia defines intranet and specifies "...sharing information...and other computing services within an organization, usually to the exclusion of access by outsiders."[4]

This means that for the majority of scenarios the data provided in an intranet was not meant for outside eyes.  Not the case with Google.

intitle:"index of" "apache.log" | "apache.logs"

Are you kind of getting how easy this is?  Apache is a webserver.  Like all services, it produces logs.  For most people these logs are mundane and provide little data of value.  However, for a resourceful hacker this is not the case.  In fact, logs can provide deep knowledge of your infrastructure.  Sometimes you can find exactly the information you need to gain access to a target; more often than not, log files combined with other freely available information (just visiting your website) can piece together a full picture of how to compromise your organization.

inurl:pastebin "<WHATEVER_YOU_WANT>"

Pastebin is a popular way to share information, good and bad.  It's a place where you can throw information and have it be accessible to the masses very fast.  With little to no effort you can access lists of harvested emails/passwords, credit card numbers, and confidential information that has been "pasted" about your organization.

So What Now?

The information shared here is not new to hackers or malicious actors.  Google is powerful and brings a world of knowledge to our fingertips.  What we don't realize is that it is also providing information to people who are better off not having it.

Protect Your Organization

1. Be intentional about what your robots.txt file is allowing and disallowing.

2.  Audit your DNS.  You should be doing this regularly anyways.

3.  Put appropriate company assets in a DMZ.

4.  Look at the breadth of your index with "site:your_domain.com".  This method will quickly tell you how much of your domain has been indexed by Google.  For some, myself included, I want all of my blog domain to be indexed because I get more foot traffic this way.  However, I do have internal servers that I would not want external people to have access to.

5.  Audit yourself/organization/team with OSINT tools.  This topic is huge and requires a lot of effort.  OSINT (Open Source Intelligence) is fascinating and can easily bring you down the rabbit hole.
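
One way to combine steps 1 and 4 into a self-audit, as an added example that is not part of the original article: take a list of your own URLs (from a "site:" search, a sitemap or server logs), flag the ones matching the dork patterns above, and check whether your robots.txt lets Googlebot crawl them. The robots.txt content and the example.com URLs are constructed sample data.

```python
import re
from urllib.robotparser import RobotFileParser

# URL patterns derived from the dorks quoted in this article.
DORK_PATTERNS = {
    "admin login page": re.compile(r"admin\.login\.php", re.I),
    "intranet login page": re.compile(r"/intranet/login\.php", re.I),
    "exposed Apache log": re.compile(r"apache\.logs?\b", re.I),
}

# Constructed sample input; example.com is a placeholder domain.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /intranet/
"""
SAMPLE_URLS = [
    "https://www.example.com/admin.login.php",
    "https://www.example.com/intranet/login.php",
    "https://www.example.com/logs/apache.log",
    "https://www.example.com/blog/post",
]

def audit(robots_txt, urls, agent="Googlebot"):
    """Return (url, finding, crawlable) for each URL a dork above would surface."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    findings = []
    for url in urls:
        for label, pattern in DORK_PATTERNS.items():
            if pattern.search(url):
                findings.append((url, label, parser.can_fetch(agent, url)))
    return findings

def report(findings):
    """Turn findings into one advice line each."""
    lines = []
    for url, label, crawlable in findings:
        if crawlable:
            advice = "crawlable: require authentication or take it off the internet"
        else:
            # A Disallow rule only asks crawlers to stay away; the file is public.
            advice = "not crawled, but robots.txt is not access control"
        lines.append(f"{label}: {url} -> {advice}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(audit(SAMPLE_ROBOTS, SAMPLE_URLS))))
```

A Disallow rule does not remove a URL that is already indexed and does not stop anyone from requesting it directly, so every flagged URL still needs authentication or network-level restriction.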

Thanks for reading.

Reference:

[1] https://gbhackers.com/latest-google-dorks-list/

[2] http://worldsmostdisturbing.blogspot.com/p/google-hacks.html

[3] https://www.exploit-db.com/google-hacking-database

[4] https://en.wikipedia.org/wiki/Intranet

[5] https://slate.com/technology/2018/10/australia-u-s-encryption-backdoor-law.html
