Google Reveals Cryptographic Secrets
Emin Islam Tatlı
Department of Computer Science, University of Mannheim
tatli@th.informatik.uni-mannheim.de
http://th.informatik.uni-mannheim.de/people/tatli.shtml
Google hacking is a term to describe the search queries that find out security and privacy flaws. Finding vulnerable servers and web applications, server fingerprinting, accessing admin and user login pages and revealing username-password pairs are all possible in Google with a single click. Google can also reveal the secrets of cryptographic applications, e.g., cleartext and hashed passwords, secret and private keys, encrypted messages, signed messages etc. In this paper, advanced search techniques in Google and the search queries that reveal cryptographic secrets are explained in detail with examples.
1 Motivation
Having an index with over 25 billion entries, Google is the most popular web search engine. It indexes any information found on web servers thanks to its hardworking web crawlers. But much sensitive data that should be kept secret and confidential is indexed by Google, too. Vulnerable servers and web applications, username-password pairs for login sites, admin interfaces of database servers and online devices like web cameras without any access control, reports of security scanners and much more private information are available to hackers via Google.
This paper focuses on the advanced search queries that enable users to search for different cryptographic values which are expected to stay private and safe. The paper is organized as follows: Section 2 summarizes the useful parameters for the advanced search in Google. In Section 3, examples of search queries for each type of cryptographic secret are illustrated. Finally, Section 4 explains possible security measures against Google hacking.
2 Advanced Parameters
Google supports many parameters for the advanced search and filters its results according to the parameters given by the user.
The inurl parameter restricts the results to pages whose URL contains a certain keyword. If several keywords must all appear in the URL, the allinurl parameter should be used. Similarly, intitle and allintitle filter the results according to the title of web pages, and intext and allintext search for keywords in the body of web pages. With the parameter site you can do a host-specific search. The filetype and ext parameters have the same functionality and restrict the results to files with a given extension like html, php, asp etc. The minus sign (-) can be put before any advanced parameter and reverses its behavior. As an example, a search containing the parameter -site:www.example.com will not list results from www.example.com. The sign "|" stands for the logical OR operation.
3 Google Search for Cryptographic Values
From the cryptographic perspective, Google also reveals cryptographic secrets. Google can find hashed passwords, secret keys, public and private keys, encrypted and signed files. All you need to do is enter the relevant search terms as explained in the following sections and click the search button.
3.1 Hashed Passwords
Database structures and contents can be backed up in dump files. The following query searches for SQL clauses that may contain usernames and passwords in cleartext or as hashed values within dump files. Hash and encryption related keywords can also be searched for within such files (second query).
"create table" "insert into" "pass|passwd|password" (ext:sql | ext:dump | ext:dmp)
intext:"password|pass|passwd" intext:"md5|sha1|crypt" (ext:sql | ext:dump | ext:dmp)
3.2 Secret Keys
Since secret keys are mostly generated as session keys and destroyed after the session is closed, they are not stored on disk permanently. But there are still some applications that need to store secret keys, e.g., Kerberos [9] shares a secret key with each registered principal for authentication purposes.
The following query lists the configuration files of a key distribution center (KDC) in Kerberos. Within the configuration files, the path of the principal database, which contains principal ids and their secret keys, is specified.
inurl:"kdc.conf" ext:conf
To find dumped Kerberos principal databases:
inurl:"slave datatrans" OR inurl:"from master"
Java provides a tool named keytool to create and manage secret keys in keystores. The extension of such keystores is ks. The following query searches for Java keystores that may contain secret keys. Note that keytool can also manage private keys and certificate chains.
keystore ext:ks
3.3 Public Keys
Public keys, as the name implies, are public information and not secret. But for the sake of completeness, the search queries that list public keys are also given in this section.
To list PGP public key files:
"BEGIN PGP PUBLIC KEY BLOCK" (ext:txt | ext:asc | ext:key)
To list public keys in certificate files:
"Certificate:Data:Version" "BEGIN CERTIFICATE" (ext:crt | ext:asc | ext:txt)
3.4 Private Keys
Private keys should be kept secret by their owners, but the following search queries show that people do not take care of this and make them publicly accessible.
"BEGIN (DSA|RSA)" ext:key
"BEGIN PGP PRIVATE KEY BLOCK" inurl:txt|asc
GnuPG [5] stores private keys in secring.gpg. The following search reveals secring.gpg files:
"index of" "secring.gpg"
3.5 Encrypted Files
For confidentiality, cryptography provides encryption of data. By encrypting, one can store sensitive files and emails securely on local storage devices. The following queries search for encrypted files and emails. Of course, you need to know the relevant keys to decrypt them, but as shown in the previous examples it is also possible to find secret keys and private keys. Besides, other cryptanalysis techniques can help to decrypt the encrypted files.
Files that are encrypted with GnuPG get the extension gpg for binary encoding and the extension asc for ASCII encoding. The first query below searches for files with the gpg extension and tries to eliminate signed and public key files from the results. The second query lists ASCII encoded encrypted files. But note that signed files have the same pattern and can also be returned by the second query:
-"public|pubring|pubkey|signature|pgp|and|or|release" ext:gpg
-"BEGIN PGP MESSAGE" ext:asc
Many encryption applications use the extension enc for encrypted files. There are some exceptions like AxCrypt File Encryption Software [6], which uses the extension axx for encrypted files:
-intext:"and" (ext:enc | ext:axx)
In XML Security, the encrypted parts of messages are encoded under the CipherValue element:
"ciphervalue" ext:xml
3.6 Signed Messages
Digital signatures provide integrity, authenticity and non-repudiation in cryptography. The following searches list some signed messages, signed emails and file signatures.
To list PGP signed messages (emails excluded):
"BEGIN PGP SIGNED MESSAGE" -"From" (ext:txt | ext:asc | ext:xml)
To list signed emails:
"BEGIN PGP SIGNED MESSAGE" "From" "Date" "Subject" (ext:eml | ext:txt | ext:asc)
To list file signatures:
-"and|or" "BEGIN PGP SIGNATURE" ext:asc
4 Countermeasures
Google hacking can be very harmful and therefore the required security measures should be taken against it. One method is using automatic scan tools [2, 3, 4] that search for possible Google hacks against a given host. You can use these tools to search for the flaws and risks present in your own system. The tools mostly use the hack database [1] when they scan. Another solution is the integration of robots.txt (robots exclusion standard) [7] files into your system. Web crawlers (hopefully) respect the directives specified in robots.txt. Given this, you can prevent the crawlers from indexing your sensitive files and directories. The last and most advanced suggestion is installing and managing Google honeypots [8] in your system and trying to figure out the behaviour of attackers before they deal with your real system.
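The self-scan suggested above can also be done without any search engine, by applying the section 3 file signatures directly to the served directory tree; the following Python script is an added example written for this page, not the paper's tool nor one of [2, 3, 4]. It flags the files that the paper's queries would surface (PEM and PGP private keys, secring.gpg, kdc.conf, Java keystores, enc/axx files, CipherValue XML and dumps that insert rows into a password column) so they can be removed before a crawler indexes them. The classify/scan_tree function names, the CipherValue regex and the rule that a dump must both insert rows and name a password column are this example's own assumptions.

```python
import re
import sys
from pathlib import Path

# Content signatures taken from the paper's section 3 queries:
# (regex over the raw file bytes, description, paper section).
CONTENT_SIGNATURES = [
    (re.compile(rb"BEGIN PGP PRIVATE KEY BLOCK"), "PGP private key block", "3.4"),
    (re.compile(rb"BEGIN (RSA|DSA) PRIVATE KEY"), "PEM private key", "3.4"),
    (re.compile(rb"BEGIN PGP MESSAGE"), "PGP encrypted message", "3.5"),
    (re.compile(rb"<[\w:]*CipherValue\b"), "XML Encryption CipherValue", "3.5"),  # regex assumed
]
# File name and extension signatures, likewise from the paper's queries.
NAME_SIGNATURES = {"secring.gpg": ("GnuPG secret keyring", "3.4"),
                   "kdc.conf": ("Kerberos KDC configuration", "3.2")}
EXT_SIGNATURES = {".ks": ("Java keystore", "3.2"), ".enc": ("encrypted file", "3.5"),
                  ".axx": ("AxCrypt encrypted file", "3.5")}
# Section 3.1: a dump is flagged only if it inserts rows AND names a password
# column, so schema-only dumps are not reported (this rule is an assumption).
DUMP_EXTS = {".sql", ".dump", ".dmp"}
INSERT_RE = re.compile(rb"insert\s+into", re.IGNORECASE)
PASS_RE = re.compile(rb"\b(pass|passwd|password)\b", re.IGNORECASE)


def classify(relpath: str, data: bytes) -> list[tuple[str, str]]:
    """Return (description, paper section) pairs for one served file."""
    p = Path(relpath)
    name, ext = p.name.lower(), p.suffix.lower()
    hits = []
    if name in NAME_SIGNATURES:
        hits.append(NAME_SIGNATURES[name])
    if ext in EXT_SIGNATURES:
        hits.append(EXT_SIGNATURES[ext])
    if ext in DUMP_EXTS and INSERT_RE.search(data) and PASS_RE.search(data):
        hits.append(("database dump with password column", "3.1"))
    hits.extend((desc, sec) for rx, desc, sec in CONTENT_SIGNATURES if rx.search(data))
    return hits


def scan_tree(root: str) -> dict[str, list[tuple[str, str]]]:
    """Walk a document root; map each exposed file to what a section 3 query would reveal."""
    base = Path(root)
    files = (f for f in base.rglob("*") if f.is_file())
    report = {str(f.relative_to(base)): classify(str(f.relative_to(base)), f.read_bytes()) for f in files}
    return {path: hits for path, hits in report.items() if hits}


if __name__ == "__main__":  # usage: python self_scan.py /var/www/html
    for path, hits in sorted(scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(path, "->", "; ".join(f"{d} (section {s})" for d, s in hits))
```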
References
[1] Google Hacking Database. http://johnny.ihackstuff.com/index.php?module=prodreviews
[2] GooLink - Google Hacking Scanner. http://www.ghacks.net/2005/11/23/goolink-scanner-beta-preview/
[3] SiteDigger v2.0 - Information Gathering Tool. http://www.foundstone.com
[4] Johnny Long. Gooscan: Google Security Scanner. http://johnny.ihackstuff.com/modules.php?op=modload&name=Downloads&file=index&req=getit&lid=33
[5] The GNU Privacy Guard. http://www.gnupg.org/(en)/index.html
[6] AxCrypt File Encryption Software for Windows. http://axcrypt.axantum.com
[7] Robots Exclusion Standard. http://en.wikipedia.org/wiki/Robots.txt
[8] Google Hack Honeypot Project. http://ghh.sourceforge.net
[9] Kerberos: The Network Authentication Protocol. http://web.mit.edu/kerberos/