O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.
Google Dorks: Analysis,
Creation, and new Defenses
Flavio Toffalini, University of Verona, IT, flavio.toffalini@gmail.com
...
2
GOOGLE DORKS
3
MOTIVATION
● Attackers use Dorks to quickly locate targets
● After a new vulnerability is disclosed, one Google query is...
4
MOTIVATION
● Attackers use Dorks to quickly locate targets
● After a new vulnerability is disclosed, one Google query is...
5
GOALS
● Current practices
● Understand which information is used by existing dorks
● Design simple solutions to defeat t...
6
GOOGLE DORKS
7
TAXONOMY
● The Exploit-DB database contains over 5143 dorks
● Automated/manual analysis
URL Patterns (44%)
File Extensio...
8
● The Exploit-DB database contains over 5143 dorks
● Automated/manual analysis
URL Patterns (44%)
File Extensions (6%)
C...
10
DORKS EVOLUTION BY CATEGORY
URL Patterns
Banner
Common words
Misconfiguration
11
KNOWN DEFENSES
URL Patterns
File Extensions
Content-Based
Banners remove banners
Misconfigurations improve system confi...
12
CONTRIBUTION
URL Patterns ??
File Extensions
Content-Based
Banners remove banners
Misconfigurations improve system conf...
13
● Force search engines to index “randomized” URLs
● Let the users navigate and share using cleartext URLs
http://www.we...
14
● XOR (part of) URLs with random seed kept in the server
a = resource a
O(a) = obfuscated resource a
● Redirect 301 to ...
15
OBFUSCATION PROTOCOL - CRAWLERS
Crawler URL Obfuscator Web Site
a
a
resp. of a
Redir. 301 to O(a)
O(a)
resp. of a + can...
16
OBFUSCATION PROTOCOL - BROWSER
Browser URL Obfuscator Web Site
O(a)
a
resp. of a
resp. of a
b
resp. of b resp. of b
b
17
URL Patterns
File Extensions
Content-Based
Banners remove banners
Misconfigurations improve system configuration
Error ...
18
WORD-BASED DORKS
● Goal
● Using words left by CMSs to create a Google Dork
● Greedy search algorithm to maximizes
● Hit...
19
WORD-BASED DORKS: CREATION
Joomla!
20
“Category” +
“Submit” +
“....”
Vanilla
installation
WORD-BASED DORKS: CREATION
Categories
SubmitRegister
Contact
Buy
Re...
22
WORD-BASED DORKS: CREATION
● Gradient Ascent algorithm
● How to add a new word?
● At each step, we add the word that pr...
24
Common Words Ground Truth
WordPress 938/1000 967/1000 Hit rank
47.1 M 83.6 M Coverage
Joomla! 878/1000 887/1000 Hit ran...
25
Common Words Ground Truth
WordPress 938/1000 967/1000 Hit rank
47.1 M 83.6 M Coverage
Joomla! 878/1000 887/1000 Hit ran...
26
Common Words Ground Truth
WordPress 938/1000 967/1000 Hit rank
47.1 M 83.6 M Coverage
Joomla! 878/1000 887/1000 Hit ran...
29
Idea: add invisible characters to break words and
prevent them to be indexed.
WORD-BASED DORKS: DEFENSES
Powered by Wor...
30
DORKS DEFENSES
URL Patterns
File Extensions
Content-Based
Banners remove banners
Misconfigurations improve system confi...
31
CONCLUSION
1) Dork classification
2) URL Pattern Dork Defense
3) New type of Dork using common words
4) Defense against...
Próximos SlideShares
Carregando em…5
×
Próximos SlideShares
Advanced Information Gathering AKA Google Hacking
Avançar
Transfira para ler offline e ver em ecrã inteiro.

1

Compartilhar

Baixar para ler offline

Google Dorks: Analysis, Creation, and new Defenses

Baixar para ler offline

Presentation brought to DIMVA 2016

Livros relacionados

Gratuito durante 30 dias do Scribd

Ver tudo

Google Dorks: Analysis, Creation, and new Defenses

  1. 1. Google Dorks: Analysis, Creation, and new Defenses Flavio Toffalini, University of Verona, IT, flavio.toffalini@gmail.com Maurizio Abbà, LastLine, UK, mabba@lastline.com Damiano Carra, University of Verona, IT, damiano.carra@univr.it Davide Balzarotti, Eurecom, FR, davide.balzarotti@eurecom.fr
  2. 2. 2 GOOGLE DORKS
  3. 3. 3 MOTIVATION ● Attackers use Dorks to quickly locate targets ● After a new vulnerability is disclosed, one Google query is sufficient to identify a large amount of vulnerable installations ● No time for sysadmins to apply patches !!
  4. 4. 4 MOTIVATION ● Attackers use Dorks to quickly locate targets ● After a new vulnerability is disclosed, one Google query is sufficient to identify a large amount of vulnerable installations ● No time for sysadmins to apply patches !! ● If we could prevent dorks, attackers would need to resort to Internet scanning … which is several orders of magnitude slower
  5. 5. 5 GOALS ● Current practices ● Understand which information is used by existing dorks ● Design simple solutions to defeat those dorks ● Future threats ● Test if attackers could move towards new styles of dorks ● Design simple solutions to prevent it
  6. 6. 6 GOOGLE DORKS
  7. 7. 7 TAXONOMY ● The Exploit-DB database contains over 5143 dorks ● Automated/manual analysis URL Patterns (44%) File Extensions (6%) Content-Based (74%)
  8. 8. 8 ● The Exploit-DB database contains over 5143 dorks ● Automated/manual analysis URL Patterns (44%) File Extensions (6%) Content-Based Banners (54%) Misconfigurations (8%) Error messages (1%) Common words (11%) TAXONOMY
  9. 9. 10 DORKS EVOLUTION BY CATEGORY URL Patterns Banner Common words Misconfiguration
  10. 10. 11 KNOWN DEFENSES URL Patterns File Extensions Content-Based Banners remove banners Misconfigurations improve system configuration Error messages proper error handling Common words
  11. 11. 12 CONTRIBUTION URL Patterns ?? File Extensions Content-Based Banners remove banners Misconfigurations improve system configuration Error messages proper error handling Common words ??
  12. 12. 13 ● Force search engines to index “randomized” URLs ● Let the users navigate and share using cleartext URLs http://www.web-site.com/wp-content/dimva.html http://www.web-site.com/HD12DAF35TR/dimva.html URL-DORKS
  13. 13. 14 ● XOR (part of) URLs with random seed kept in the server a = resource a O(a) = obfuscated resource a ● Redirect 301 to inform search engine that the page is moved ● Canonical URL Tag to delete plain URLs in the results ● Intercept and replace SiteMap URL-DORKS
  14. 14. 15 OBFUSCATION PROTOCOL - CRAWLERS Crawler URL Obfuscator Web Site a a resp. of a Redir. 301 to O(a) O(a) resp. of a + canonical tag
  15. 15. 16 OBFUSCATION PROTOCOL - BROWSER Browser URL Obfuscator Web Site O(a) a resp. of a resp. of a b resp. of b resp. of b b
  16. 16. 17 URL Patterns File Extensions Content-Based Banners remove banners Misconfigurations improve system configuration Error messages proper error handling Common words ??
  17. 17. 18 WORD-BASED DORKS ● Goal ● Using words left by CMSs to create a Google Dork ● Greedy search algorithm to maximizes ● Hit-rank: percentage of web site made by a target technology ● Coverage: number of entries extracted by the Dork
  18. 18. 19 WORD-BASED DORKS: CREATION Joomla!
  19. 19. 20 “Category” + “Submit” + “....” Vanilla installation WORD-BASED DORKS: CREATION Categories SubmitRegister Contact Buy Recent Users List Registration Compute hit rank & coverage
  20. 20. 22 WORD-BASED DORKS: CREATION ● Gradient Ascent algorithm ● How to add a new word? ● At each step, we add the word that provides the highest hit rank between the ones that have a coverage above the median of all candidate words (more details in the paper)
  21. 21. 24 Common Words Ground Truth WordPress 938/1000 967/1000 Hit rank 47.1 M 83.6 M Coverage Joomla! 878/1000 887/1000 Hit rank 7.24 M 3.73 M Coverage Drupal 827/1000 997/1000 Hit rank 7.87 M 3.27 M Coverage Magento 871/1000 852/1000 Hit rank 0.39 M 0.68 M Coverage OpenCart 891/1000 998/1000 Hit rank 0.59 M 1.42 M Coverage WORD-BASED DORKS:
  22. 22. 25 Common Words Ground Truth WordPress 938/1000 967/1000 Hit rank 47.1 M 83.6 M Coverage Joomla! 878/1000 887/1000 Hit rank 7.24 M 3.73 M Coverage Drupal 827/1000 997/1000 Hit rank 7.87 M 3.27 M Coverage Magento 871/1000 852/1000 Hit rank 0.39 M 0.68 M Coverage OpenCart 891/1000 998/1000 Hit rank 0.59 M 1.42 M Coverage WORD-BASED DORKS:
  23. 23. 26 Common Words Ground Truth WordPress 938/1000 967/1000 Hit rank 47.1 M 83.6 M Coverage Joomla! 878/1000 887/1000 Hit rank 7.24 M 3.73 M Coverage Drupal 827/1000 997/1000 Hit rank 7.87 M 3.27 M Coverage Magento 871/1000 852/1000 Hit rank 0.39 M 0.68 M Coverage OpenCart 891/1000 998/1000 Hit rank 0.59 M 1.42 M Coverage WORD-BASED DORKS:
  24. 24. 29 Idea: add invisible characters to break words and prevent them to be indexed. WORD-BASED DORKS: DEFENSES Powered by WordPress Power⁣ed b⁣y Wor⁣dPress
  25. 25. 30 DORKS DEFENSES URL Patterns File Extensions Content-Based Banners remove banners Misconfigurations improve system configuration Error messages proper error handling Common words
  26. 26. 31 CONCLUSION 1) Dork classification 2) URL Pattern Dork Defense 3) New type of Dork using common words 4) Defense against common word dorks
  • KyawGyi5

    Oct. 29, 2016

Presentation brought to DIMVA 2016

Vistos

Vistos totais

284

No Slideshare

0

De incorporações

0

Número de incorporações

1

Ações

Baixados

5

Compartilhados

0

Comentários

0

Curtir

1

×