
Apache Security - Ivan Ristic [168]

resource when it comes to information gathering. This is especially true for Google, which has exposed its functionality through an easy-to-use programming interface. Search engines can help you find:

Publicly available information on a web site or information that was available before.

Information that is not intended for public consumption but that is nevertheless available unprotected (and the search engine picked it up).

Posts from employees to newsgroups and mailing lists. Post headers reveal information about the infrastructure. Even message content can reveal bits about the infrastructure. If you find a member of the development team asking questions about a particular database engine, chances are that engine is used in-house.

Links to other organizations, possibly those that have done work for the organization being targeted.

Look at some example Google queries. If you want to find a list of PDF documents available on a site, type a Google search query such as the following:

site:www.modsecurity.org filetype:pdf

To see if a site contains Apache directory listings, type something like this:

site:www.modsecurity.org intitle:"Index of /" "Parent Directory"

To see if it contains any WS_FTP log files, type something like this:

site:www.modsecurity.org inurl:ws_ftp.log
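
The same three exposures can be checked for on your own server's document root before a search engine indexes them. The following is an added example, not code from the book; the index file names, the finding labels, and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumed DirectoryIndex names; adjust to match the server's configuration.
INDEX_FILES = {"index.html", "index.htm", "index.php"}

def audit_docroot(docroot):
    """Return sorted (kind, relative path) findings for one document root."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(docroot):
        rel_dir = os.path.relpath(dirpath, docroot)
        lower = {name.lower() for name in filenames}
        # Without an index file, Apache answers with an "Index of /" page
        # if Options Indexes is enabled for this directory.
        if not lower & INDEX_FILES:
            findings.append(("listing-candidate", rel_dir))
        for name in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            if name.lower() == "ws_ftp.log":
                findings.append(("ws_ftp-log", rel))
            elif name.lower().endswith(".pdf"):
                findings.append(("pdf", rel))
    return sorted(findings)

def looks_like_listing(html):
    """True if a response body has the markers the directory-listing query matches."""
    lowered = html.lower()
    return "<title>index of /" in lowered and "parent directory" in lowered

def build_sample(root):
    """Create a small constructed document root used only for the demonstration."""
    for rel in ("index.html", "docs/index.html", "docs/manual.pdf", "uploads/WS_FTP.LOG"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as handle:
            handle.write("constructed sample\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for kind, rel in audit_docroot(root):
            print(kind, rel)
```

A "listing-candidate" finding only matters where Options Indexes is in effect, so compare the results against the Apache configuration for each directory.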

Anyone can register with Google and receive a key that will support up to 1,000 automated searches per day. To learn more about Google APIs, see the following:

Google Web APIs (http://www.google.com/apis/)

Google Web API Reference (http://www.google.com/apis/reference.html)

* * *

Tip


Google Hacking Database (http://johnny.ihackstuff.com) is a categorized database of security-related Google queries. You can use it directly from a browser or via an automated tool such as Wikto (http://www.sensepost.com/research/wikto/).

* * *

Social engineering

Social engineering is arguably the oldest hacking technique, having been used hundreds of years before computers were invented. With social engineering, a small effort can go a long way. Kevin Mitnick (http://en.wikipedia.org/wiki/Kevin_Mitnick) is the most well-known practitioner. Here are some social-engineering approaches:

Direct contact

Just visit the company and have a look around. Get some company documentation from their sales people.

Email contact

Follow up on a visit with a thank-you email and a question. You will get an email back (which you will use to extract headers from).

Establish a relationship

Open an account. Inquire about partnership and distributor opportunities. The sign-up procedure may give out interesting information about the security of the company's extranet system. For example, you may be told that you must have a static IP address to connect, that a custom client is required, or that you can connect from wherever you want provided you use a privately issued client certificate.

Message boards

Message boards are places where you can meet a company's employees. Developers will often want to explain how they have designed the best system there is, revealing information they feel is harmless but which can be useful for the assessment.

Cases in which current employees disclose company secrets are rare but you can find former (often disgruntled) employees who will not hesitate to disclose a secret or two. Even in an innocent conversation, people may give examples from where they used to work. Talking to people who have designed a system will help you get a feeling for what you are up against.

For more information on social engineering (and funny real-life stories), see:

"Social Engineering Fundamentals, Part I: Hacker Tactics" by Sarah Granger (http://www.securityfocus.com/printable/infocus/1527)

"Social Engineering Fundamentals, Part II: Combat Strategies" by Sarah Granger (http://www.securityfocus.com/printable/infocus/1533)

Connectivity

For each domain name or IP address you acquire, perform a connectivity check using traceroute. Again, I use O'Reilly as an example.

$ traceroute www.oreilly.com

traceroute: Warning:
