Chapter 10

Hacking Google Services

Abstract

Google Calendar is a powerful calendar management application, which supports features like calendar sharing, creation of invitations, search and calendar publishing. The service is also integrated with Google Mail (GMail) and can be accessed via a mobile device. All in all, Google Calendar is a very useful addition to our day-to-day work.

Keywords

Calendar
signaling alerts
passcode
Google Co-op
Google Custom Search Engine

Calendar

Google Calendar is a powerful calendar management application, which supports features like calendar sharing, creation of invitations, search and calendar publishing. The service is also integrated with Google Mail (GMail) and can be accessed via a mobile device. All in all, Google Calendar is a very useful addition to our day-to-day work.
Calendar sharing in particular is a very useful feature, since individual users can maintain event lists and calendars that others may be interested in as well. Usually, in order to share a calendar you have to explicitly do so from the calendar management interface.
Once the calendar is shared, everyone will be able to look at it or even subscribe to the events that are inside. This can be done via the Calendar application or any RSS feed reader.
To a security expert, these shared calendars are especially interesting. Very often, even when performing the most basic searches, it is entirely possible to stumble across sensitive information that can be used for malicious purposes. For example, logging into Calendar and searching for the term “password” returns many results.
As you can see, there are several calendar entries that meet our search criteria. Among them, there are a few that are quite interesting and worth our attention. Another interesting query that brings a lot of juicy information is “passcode”, as shown in Figure 10.1.
Figure 10.1 
Figure 10.1 reveals several scheduled telephone conferences. Notice that the conference phone number and access code are also listed. An attacker could easily join the telephone conference at the scheduled time and silently eavesdrop on the conference. Mission accomplished. There is a lot attackers can learn from the conversation, like corporate secrets, technical details about systems in operation, etc.
Of course we can try variations of the above queries and even spice them up with more keywords so we can get a better picture. For example, the query “username password” returns results about people who may store sensitive login information within their calendar.
This is just the beginning, though. How about looking for birthdays, pets’ names, etc.? As you probably know, a lot of password reminder facilities have a secret question. The secret answer is usually something that we choose from our daily life so there is no chance that we can forget it. However, the Calendar application may also contain our daily activities. When we mash both together, we might be able to crack into the targeted user account by simply reading their calendar.
There are many different ways the Calendar service can be abused. The main and most important security consideration that we, as users, need to make is whether the information that is enclosed within Google’s shiny event cells is sensitive and can be used to harm us.
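A way to make that check before a calendar is shared or published, as an added example that is not part of the original chapter: the script below audits an iCalendar (.ics) export for the same terms the searches above look for. The function names, keyword list and sample events are assumptions constructed for illustration.

```python
import re

# Terms the chapter searches shared calendars for, plus "access code" (assumed list).
KEYWORDS = re.compile(r"\b(password|passcode|username|access code)\b", re.I)
TEXT_FIELDS = ("SUMMARY", "DESCRIPTION", "LOCATION")

def unfold(ics_text):
    """RFC 5545 folding: a line starting with space or tab continues the previous one."""
    lines = []
    for raw in ics_text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def audit_calendar(ics_text):
    """Return [(event title, field, matched terms)] for events exposing sensitive terms."""
    findings, event = [], None
    for line in unfold(ics_text):
        if line == "BEGIN:VEVENT":
            event = {}
        elif line == "END:VEVENT" and event is not None:
            for field in TEXT_FIELDS:
                terms = sorted({t.lower() for t in KEYWORDS.findall(event.get(field, ""))})
                if terms:
                    findings.append((event.get("SUMMARY", "(no title)"), field, terms))
            event = None
        elif event is not None and ":" in line:
            name, _, value = line.partition(":")
            name = name.split(";")[0].upper()  # drop parameters such as ;LANGUAGE=en
            # Undo TEXT escaping so "\," or "\n" cannot hide or split a keyword.
            event[name] = re.sub(r"\\([,;\\])", r"\1", value.replace("\\n", " "))
    return findings

# Constructed sample export; the first DESCRIPTION is folded in the middle of "passcode".
SAMPLE_ICS = r"""BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Weekly ops call
DESCRIPTION:Dial 555-0100\, pass
 code 482913 then #
END:VEVENT
BEGIN:VEVENT
SUMMARY;LANGUAGE=en:Rotate VPN password
DESCRIPTION:Username jdoe\, new value is in the vault
END:VEVENT
END:VCALENDAR
"""
if __name__ == "__main__":
    print(audit_calendar(SAMPLE_ICS))
```

Unfolding has to happen before matching: a keyword split across a folded line is invisible to a line-by-line grep but is rejoined by the calendar application and by search.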

Signaling alerts

Very often we need to track changes in Google’s result set. For example, let’s say that we want to monitor a certain site for vulnerabilities. How can we do that? We can simply run scanners every once in a while, but this is a noisy exercise and will definitely take loads of time. Instead, being dedicated Google hackers, we can use Google itself and use a few powerful Google dorks to locate the things that we are interested in without the need for automated scanning software. Then we can set up a cron task to monitor the results returned by Google and email us the result when a change is detected.
Then again, we could simply use Google Alerts. Google Alerts is a powerful system that detects when a query’s result set changes. The system can be modified to send updates once a day, once a week, or as they happen. Keep in mind that only the first 10 entries (the first page) are taken into consideration. Nevertheless, the Alert system does a good job when optimized.
This is a great tool, but it can be used for more interesting purposes. Let’s say that we know that a target is using MsSQL as its database backend. We could use Google Alerts to poll the target, searching for error messages as they pop up. That search might look something like this:
“[SQL Server Driver][SQL Server]Line 1: Incorrect syntax near” -forum -thread -showthread site:example.com
For the type of alert select Web, which is usually the default option. Select the frequency of the alert, enter your email address and click Create Alert.
Notice that the query that we use for this alert is domain restricted (site:example.com). Also pay attention to the actual Google dork. Obviously we look for messages that look like failures generated by the SQL queries sent to the backend. These types of messages are a sign of resources vulnerable to SQL injection.
A malicious user can use this service to be alerted whenever a vulnerability or interesting message appears on a target site. This is very low profile, and does not alert the target; the transaction happens between the user and Google. An attacker could even enter alerts for every entry in the Google Hacking Database. Although this would be overkill, some of the entries in the database reveal extremely sensitive information, which could be harvested with very little further effort.
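Because such an alert never touches the target, the site owner has to find these messages in their own responses first. The following added example, which is not part of the original chapter, scans page bodies from your own crawl or response logging for the error string used in the query above; the function names, the second signature, the URL-based handling of the query's exclusions and the sample pages are assumptions constructed for illustration.

```python
import html
import re

TAG = re.compile(r"<[^>]+>")
WS = re.compile(r"\s+")
# First signature: the error string from the chapter's alert query.
# Second: another common SQL Server message, added here as an assumption.
SIGNATURES = [
    ("incorrect-syntax", re.compile(
        r"SQL Server Driver\]\s*\[SQL Server\]\s*Line\s+\d+\s*:\s*Incorrect syntax near", re.I)),
    ("unclosed-quote", re.compile(
        r"Unclosed quotation mark (?:before|after) the character string", re.I)),
]
# The query's -forum -thread -showthread exclusions, applied to the URL (assumption):
# such pages usually quote an error in a discussion rather than emit it.
QUOTED_URL = re.compile(r"forum|thread", re.I)

def scan_pages(pages):
    """pages: {url: raw HTML}. Return [(url, signature, snippet, likely_quoted)]."""
    findings = []
    for url, body in sorted(pages.items()):
        # Strip tags first, then decode entities, so markup cannot split the message.
        text = WS.sub(" ", html.unescape(TAG.sub(" ", body)))
        for name, rx in SIGNATURES:
            m = rx.search(text)
            if m:
                snippet = text[m.start():m.end() + 40].strip()
                findings.append((url, name, snippet, bool(QUOTED_URL.search(url))))
    return findings

# Constructed sample responses from a site you operate.
SAMPLE_PAGES = {
    "https://example.com/about.html": "<h1>About us</h1>",
    "https://example.com/forum/showthread.php?t=9":
        "<p>I get [SQL Server Driver][SQL Server]Line 1: Incorrect syntax near ',' when saving</p>",
    "https://example.com/product.asp?id=1":
        '<p><font face="Arial">[Microsoft][ODBC SQL Server Driver][SQL Server]'
        '<b>Line 1</b>: Incorrect syntax near &#39;=&#39;.</font></p>',
}

if __name__ == "__main__":
    for finding in scan_pages(SAMPLE_PAGES):
        print(finding)
```

Findings with `likely_quoted` set to False are the ones to fix first, by returning a generic error page and logging the detail server-side.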

Google Co-op

Google Co-op (www.google.com/coop) is a powerful service that allows you to create powerful custom search engines. You do not need to be a registered Google user in order to use the service, but if you want to create an engine, it is required. In the following section, we’ll guide you through some of the most interesting features of this service and we’ll show you how to create your own search engines.
Let’s start with the simplest of search engines. Browse the Google Co-op page and click Create a Custom Search Engine, or simply browse to www.google.com/coop/cse. From the Custom Engine configuration page we need to define the characteristics we need.
First enter a search engine name. We’ll call ours the “Google Hacking Database Search.” Enter a description and some basic search keywords, both of which are optional. The keywords are primarily used by Google to find the most relevant results. This means that our query will be mingled with these keywords. For now, we’ll leave this alone. Moving forward, to the field titled What do you want to search, we will define the scope of the search queries. For this example, we are going to use the default option entitled Only sites that I select.
Now for the interesting part: we need to supply the URLs Google will look into when performing the queries. Since our search engine will work with the Google Hacking Database located at https://www.exploit-db.com/google-hacking-database/, we’ll simply drop that URL into this field. We’ll customize this entry option further with the use of wildcards, in order to search URLs that match a specific syntax. Here are a few examples taken from Co-op’s documentation:
[Image: URL pattern examples from Co-op’s documentation]
The rest of the options from the Co-op Custom engine creation page are irrelevant at this point. Agree to Google’s terms of service and click on the next button.
Now we’ll test how the search engine works. Type a few queries like “index” or “secret,” and you’ll see some sample results. If everything works as expected, click Finish, and the custom search engine will be displayed.

Google’s Custom Search Engine

The GNUCITIZEN group (http://www.gnucitizen.org) has discovered that Google’s Custom Search Engine platform can be used for many other useful things, such as fingerprinting and enumerating hidden Web servers. It is a well-known fact that not all Web resources are exposed to the Internet. We call that part of the network the hidden Web. By using Custom Search Engines we can recover them and enumerate their content. Among the gathered information, we may find Intranet interfaces, administrative panels and other types of sensitive information.