In my quest to put a spotlight on the threat, I began speaking on the topic of Google hacking at security conferences like Blackhat and Defcon. In addition, I was approached to write my first book, the first edition of the book that you’re holding. After months of writing, I assumed our cause would finally catch the eye of the community at large and that change would be on the horizon. I just knew people would be talking about Google hacking and that awareness about the problem would increase.

Google Hacking, first edition, has made a difference. But nothing made waves like the “Google Hacking Showcase,” the fun part of my infamous Google hacking conference talks. The showcase wasn’t a big deal to me – it consisted of nothing more than screenshots of wild Google hacks I had witnessed. Borrowing from the pool of interesting Google queries I had created, along with scores of queries from the community; I snagged screenshots and presented them one at a time, making smarmy comments along the way. Every time I presented the showcase, I managed to whip the audience into a frenzy of laughter at the absurd effectiveness of a hacker armed only with a browser and a search engine. It was fun, and it was effective. People talked about those screenshots for months after each talk. They were, after all, the fruits of a Google hacker’s labor. Those photos represented the white-hot center of the Google hacking threat.

It made sense then to include the showcase in this edition of Google Hacking. In keeping with the original format of the showcase, this chapter will be heavy on photos and light on gab because the photos speak for themselves. Some of the screenshots in this chapter are dated, and some no longer exist on the Web, but this is great news. It means that somewhere in the world, someone (perhaps inadvertently) graduated from the level of googledork and has taken a step closer to a better security posture. Regardless, I left in many outdated photos as a stark reminder to those charged with protecting online resources. They serve as proof that this threat is pervasive – it can happen to anyone, and history has shown that it has happened to just about everyone.

So without further ado, enjoy this print version of the Google Hacking Showcase, brought to you by Johnny Long and the contributions of the Google Hacking community.

When m00d submitted the query shown in Figure 11.7, I honestly didn’t think much of it. The SpeedStream router is a decidedly lightweight device installed by home users, but I was startled to find them sitting wide-open on the Internet. I personally like the button in the point-to-point summary listing. Who do you want to disconnect today?

Belkin is a household name in home network gear. With their easy-to-use Web-based administrative interfaces, it makes sense that eventually pages like the one in Figure 11.8 would get crawled by Google. Even without login credentials, this page reveals a ton of information that could be interesting to a potential attacker. I got a real laugh out of the Features section of the page. The firewall is enabled, but the wireless interface is wide open and unencrypted. As a hacker with a social conscience, my first instinct is to enable encryption on this access point – in an attempt to protect this poor home user from themselves.

Milkman brings us the query shown in Figure 11.9, which digs up the configuration interface for Smoothwall personal firewalls. There’s something just wrong about Google hacking someone’s firewall.

As Jimmy Neutron reveals in the next two figures, even big-name gear like Cisco shows up in the recesses of Google’s cache every now and again. Although it’s not much to look at, the switch interface shown in Figure 11.10 leaves little to the imagination – all the configuration and diagnostic tools are listed right on the main page.

This second Cisco screenshot as seen in Figure 11.11 should look familiar to Cisco geeks. I don’t know why, but the Cisco nomenclature reminds me of a bad Hollywood flick. I can almost hear the grating voice of an oversynthesized computer beckoning, “Welcome to Level 15.”

The search shown in Figure 11.12 (submitted by Murfie) locates interfaces for an Axis network print server. Most printer interfaces are really boring, but this one in particular piqued my interest. First, there’s the button named configuration wizard, which I’m pretty sure launches a configuration wizard. Then there’s the handy link labeled Print Jobs, which lists the print jobs. In case you haven’t already guessed, Google hacking sometimes leaves little to the imagination.

Printers aren’t entirely boring things. Consider the Web Image Monitor shown in Figure 11.13. I particularly like the document on Recent Religion Work. That’s quite an honorable pursuit, except when combined with the document about Aphrodisiacs. I really hope the two documents are unrelated. Then again, nothing surprises me these days.

CP has a way of finding Google hacks that make me laugh, and Figure 11.14 is no exception. Yes, this is the Web-based interface to a municipal water fountain.

After watching the water temperature fluctuate for a few intensely boring seconds, it’s only logical to click on the Control link to see if it’s possible to actually control the municipal water fountain. As Figure 11.15 reveals, yes it is possible to remotely control the municipal water fountain.

One bit of advice though – if you happen to bump into one of these, be nice. Don’t go rerouting the power into the water storage system. I think that would definitely constitute an act of terrorism.

Moving along to a more traditional network fixture, consider the screenshot captured in Figure 11.16.

Now, I’ve been in the security business for many years, and I’m not exactly brilliant in any one particular area of the industry. But I do know a little bit about a lot of different things, and one thing I know for sure is that security products are designed to protect stuff. It’s the way of things. But when I see something like the log shown in Figure 11.16, I get all confused. See, this is a Web-based interface for the Snort intrusion detection system. The last time I checked, this data was supposed to be kept away from the eyes of an attacker, but I guess I missed an email or something. Yet, I suppose there’s logic to this somewhere. Maybe if the attacker sees his mistakes on a public Web page, he’ll be too ashamed to ever hack again, and he’ll go on to lead a normal productive life. Then again, maybe he and his hacker buddies will just get a good laugh out of his good fortune. It’s hard to tell.

The bad news is that if a hacker can figure out what to type in those confusing fields, he’ll have his very own Pivot Web log. The good news is that most skilled attackers will leave this site alone, figuring that any software left this unprotected must be a honey pot. It’s really sad that hacking (not real hacking mind you) can be reduced to a point-and-click affair, but as Arrested’s search reveals in Figure 11.18, owning an entire Web site can be a relatively simple affair.

Sporting one less field than the open Pivot install, this configuration page will create a PHP-Nuke Administrator account, and allow any visitor to start uploading content to the page as if it were their own. Of course, this takes a bit of malicious intent on behalf of the Web visitor. There’s no mistaking the fact that he or she is creating an Administrator account on a site that does not belong to them. However, the text of the page in Figure 11.19 is a bit more ambiguous.

The bold text in the middle of the page really cracks me up. I can just imagine somebody’s poor Grandma running into this page and reading it aloud. “For security reasons, the best idea is to create the Super User right NOW by clicking HERE.” I mean who in their right mind would avoid doing something that was for security reasons? For all Grandma knows, she may be saving the world from evil hackers... by hacking into some poor fool’s PHP-Nuke install.

And as if owning a Web site isn’t cool enough, Figure 11.20 (submitted by Quadster) reveals a phpMyAdmin installation logged in as root, providing unfettered access to a MySQL database.

With a Web site install and an SQL database under his belt, it’s a natural progression for a Google hacker to want the ultimate control of a system. VNC installations provide remote control of a system’s keyboard and mouse. Figure 11.21, submitted by Lester, shows a query that locates RealVNC’s Java-based client.

Locating a client is only part of the equation, however. An attacker will still need to know the address, port and (optional) password for a VNC server. As Figure 11.22 reveals, the Java client itself often provides two-thirds of that equation in a handy popup window.

If the hacker is luckyenough to stumble on a server that’s not password protected, he’s faced with the daunting task of figuring out which of the four buttons to click in the above connection window. Here’s a hint for the script novice looking to make his way in the world: it’s not the Cancel button.

Of course running without a password is just plain silly. But passwords can be so difficult to remember and software vendors obviously realize this as evidenced by the password prompt shown in Figure 11.23.

Posting the default username/password combination on a login popup is just craziness. Unfortunately it’s not an isolated event. Check out Figure 11.24, submitted by Jimmy Neutron. Can you guess the default password?

Graduating to the next level of hacker leetness requires a bit of work. Check out the user screen shown in Figure 11.25, which was submitted by Dan Kaminsky.

If you look carefully, you’ll notice that the URL contains a special field called ADMIN, which is set to False. Think like a hacker for a moment and imagine how you might gain administrative access to the page. The spoiler is listed in Figures 11.26 and 11.27.

Check out the shiny new Exit Administrative Access button. By Changing the ADMIN field to True, the application drops us into Administrative access mode. Hacking really is hard, I promise.

Not only is this an interesting photo of some pretty serious-looking vehicular carnage but the idea that Google trolls camera phone picture sites is interesting. Who knows what kind of blackmail fodder lurks in the world’s camera phones. Not that anyone would ever use that kind of information for sensationalistic or economically lucrative purposes. Ahem.

Moving on, check out the office-mounted open Web camera submitted by Klouw as shown in Figures 11.30 and 11.31.

This is really an interesting Web cam. Not only does it reveal all the activity in the office, but also it seems especially designed to allow remote shoulder surfing. Hackers had to get out of the house to participate in this classic sport earlier. These days all they have to do is fire off a few Google searches.

Figure 11.32, however (submitted by JBrashars) is unmistakable. It’s definitely a parking lot camera. I’m not sure why, exactly, a camera is pointed at a handicapped parking space, but my guess is that there have been reports of handicapped parking spot abuse. Imagine the joy of being the guard that gets to witness the CIO parking in the spot, leaping out of his convertible and running into the building. Those are the stories of security guard legends.

I can’t be the only one that thinks it’s insane to put open security camera feeds on the Internet. Of course it happens in Hollywood movies all the time. It seems the first job for the hired hacker is to tap into the video surveillance feeds. But the movies make it look all complicated and technical. I’ve never once seen a Hollywood hacker use Google to hack the security system. Then again, that wouldn’t look nearly as cool as using fiber optic cameras, wire cutters and alligator clips.

Moving on, the search shown in Figure 11.33 (submitted by JBrashars) returns quite a few hits for open Everfocus EDSR applets.

The Everfocus EDSR is a multichannel digital video recording system with a Web-based interface. It’s a decent surveillance product, and as such it is password protected by default, as shown in Figure 11.34.

Unfortunately, as revealed by an anonymous contributor, the factory-default administrative username and password provides access to many of these systems, as shown in Figure 11.35.

Once inside, the EDSR applet provides access to multiple live video feeds and a historic record of any previously recorded activity. Again, just like the magic of Hollywood without all the hacker smarts.

The EDSR isn’t the only multichannel video system that is targeted by Google hackers. As Murfie reveals, a search for I-catcher CCTV returns many systems like the one shown in Figure 11.36.

Although the interface may look simple, it provides access to multiple live camera views, including one called “Woodie,” which I was, personally, afraid to click on.

These cameras are all interesting, but I’ve saved my favorite for last. Check out Figure 11.37.

This camera provides open access to Web visitors. Located in a computer lab, the camera’s remote control capability allows anonymous visitors to peer around, panning and zooming to their hearts content. Not only does this allow for some great shoulder surfing, but also the sticker in the screen capture had me practically falling out of my chair. It lists a username and password for the lab’s online FTP server. Stickers listing usernames and passwords are bad enough, but I wonder whose bright idea it was to point an open Web cam at them?

It’s interesting to me that by just using Google, an attacker could get phone history information such as last called number and last caller number. Normally, the Sipura SPA software does a better job of protecting this information, but this particular installation is improperly configured. Other, more technical information can also be uncovered by clicking through the links on the Web interface, as shown in Figure 11.39.

There are so many VOIP devices that it’s impossible to cover them all, but the new kid on the VOIP server block is definitely Asterisk. After checking out the documentation for the Asterisk management portal, Jimmy Neutron uncovered the interesting search shown in Figure 11.40.

From this opening, an attacker can make changes to the Asterisk server, including forwarding incoming calls, as shown in Figure 11.41.

Unfortunately, a hacker’s fun wouldn’t necessarily stop there. It’s simple to reroute extensions, monitor or reroute voicemail, enable or disable digital receptionists and even upload disturbing on-hold music. But Jimmy’s Asterisk VOIP digging didn’t stop there; he later submitted the search shown in Figure 11.42.

This flash-based operator panel provides access to similar capabilities, and once again, the interface was found open to any Internet visitor.

Moving along, Yeseins serves up the interesting search shown in Figure 11.43, which locates videoconferencing management systems.

This management system allows a Web visitor to connect, disconnect, and monitor conference calls, take snapshots of conference participants, and even change line settings as shown in Figure 11.44.

A malicious hacker could even change the system name and password, locking legitimate administrators out of their own system, as shown in Figure 11.45.

Despite all the new-fangled Web interfaces we’ve looked at, Google hacking bridges the gap to older systems as well, as shown in Figure 11.46.

This front-end was designed to put a new face on an older PBX product, but client security seems to have been an afterthought. Notice that the interface asks the user to “Logout” of the interface, indicating that the user is already logged in. Also, notice that cryptic button labeled Start Managing the Device. After firing off a Google search, all a malicious hacker has to do is figure out which button to press. What an unbelievably daunting task.

This is a clever Google query, but it’s only an uninterruptible power system (UPS)-monitoring page. This can be amusing, but as Jimmy Neutron shows in Figure 11.48, there are more interesting power hacking opportunities available.

AMX NetLinx systems are designed to allow control of power systems. Figure 11.48 seems to suggest that a Web visitor could control power in a theater, a family room and the master bedroom of a residence. The problem is that the Google search turns up a scarce number of results, most of which are password protected. As an alternative, Jimmy offers the search shown in Figure 11.49.

Although this query results in a long list of password-protected sites, many sites still use the default password, providing access to the control panel shown in Figure 11.50.

This control panel lists power sockets alongside interesting buttons named Power and Restart, which even the dimmest of hackers will undoubtedly be able to figure out. The problem with this interface is that it’s just not much fun. A hacker will definitely get bored flipping unnamed power switches – unless of course he also finds an open Web cam so he can watch the fun. The search shown in Figure 11.51 seems to address this, naming each of the devices for easy reference.

Of course even the most vicious hackers would probably consider it rude to nail someone’s Christmas lights, but no hacker in their right mind could resist the open HomeSeer control panel shown in Figure 11.52.

The HomeSeer control panel puts the fun back into power hacking, listing descriptions for each control, as well as an On, Off and slider switch for applicable elements. Some of the elements in this list are quite interesting, including Lower Motion and Bathroom. The best though is definitely Electric Bong. If you’re a member of the Secret Service looking to bust the owner of this system, I would suggest a preemptive Google strike before barging into the home. Start by dimming the lights, and then nail the motion sensors. Last but not least, turn on the electric bong in case your other charges don’t stick.

There’s at least a decent possibility that these calendar files were made public on purpose For starters, the file contains the user’s POP email username and encoded password. Then there’s the issue of his URL history, which contains not only the very respectable IBM.com, but also the not-so-respectable hotchicks.com, which I’m pretty sure is NSFW.

This file lists the contact names and email addresses found in someone’s contact list. At best, this file is Spam fodder. There’s really no shortage of email address lists, phone number lists and more on the Web, but what’s surprising is how many documents containing this type of information were created with the express intention of sharing that information. Consider the screen shown in Figure 11.53, which was submitted by CP.