How to Hack Your Way in a Comedy Show
9:53PM Jul 27, 2020
Hi, welcome back to HOPE 2020, coming all the way from the continent with this show, How to Hack Your Way in a Comedy Show. Alright, so we're gonna take it right now. Hi everyone.
Today we're going to talk about how to hack your way in a comedy show. So first of all, my name is Roni Carta. I'm a bachelor graduate and in 2016 Sandra a member. And as some of you may hear, I'm French. I also go as Lupin. I've been bug bounty hunting for a year and I'm an ethical hacker.
So in that talk, we're going to do an overview of passive reconnaissance and the world of Google dorking. So passive reconnaissance is a way of gathering information on a target without actively poking the system. In order to do so, as I said, we're going to use Google dorking, which is a way to do advanced research over the internet by using filters. But before we do anything, you need to know the three rules of targeting. First you need to know your target, which means you need to know the domains that they own. You need to know what they are doing, have a basic idea of who your target is. Then you need to get an idea of what you're looking for. The dorking will be different if you want to search for a confidential PDF file or if you want to search for a vulnerable web server, so you need to have that in mind too. And last but not least, you need to find signatures on the target. When I say signatures I mean a static repetition over different assets. For example, a trademark, a "powered by", or the same login page on each domain: we need to find something that is statically repeating.
Once you got everything in mind, you need to pick the right search engine. So don't get fooled by the name Google dorking. There are different search engines, way more interesting than Google, because they are using different indexation methods and they also got a different algorithm to retrieve data. So we got Bing, DuckDuckGo, Yahoo, Yandex. And once you pick the right search engine, you need to know about operators. So here is a cheat sheet that I've made about all the different operators on all the different search engines.
So we are going to take a look at not all of them of course, because there are many, but for example the two easy ones are inurl and ext. So when you're doing inurl:wp-content, you'll get everything that matched wp-content inside the URL. Here you can see wp-content and ext:txt, which means I want to find txt files. For example, there we can find WordPress plugins and stuff like that. But if we want, we can change that to pdf, and we got different PDFs. A different one that not a lot of people are using is inanchor. So inanchor is pretty great, because basically you are going to check all the a tags inside the HTML code that are linking to the terms in your search. For example, here I got .sql. And if I go and I look in the source code, I got an href going to .sql. So yeah, all the terms that will match there will be terms that are linked on the page. We got also intitle, which is literally inside the title; it's pretty basic, but yeah. And then we got one that's pretty cool, and that is Yandex-specific: it's rhost. So here we can retrieve subdomains of a host. For example, we got blog, www, stuff like that, and it's pretty cool.
Um, now that you know about operators and you got this magnificent cheat sheet, you can use logical operators. So those are like in programming. For example, you got the double quotes. If you put something in double quotes, you get an exact match on everything inside the body, inside the title. You'll just get an exact match of what you're looking for. We got the minus operator. Let's say the exact same dork that we did, but, you know, I've seen the report too many times, so I want to remove wiki. And now I got Never Gonna Give You Up from Vevo, which is pretty cool. You can just remove terms from the search. But that is also useful to find subdomains. For example, if I take, okay, yeah, sometimes we'll get into captchas that I need to solve every time. Yep. And now I can get subdomains, so I remove everything that is www. And now I got different subdomains, but that will remove every match inside the body, inside the title. So you can play with remove operators, like, you can just remove and put on operators. And now we got something more specific, you know?
Then we've got the OR operator. So the OR operator is pretty cool, because it's just like, hey, I want that match or that match. If I now remove .com, I can see that I'm matching for all gufw.fr. So, yeah, that's pretty cool. I got also the parentheses, so it's to regroup operators together. So now, for example, if I do inurl:fr inside of .fr and I want everything that matches inside, like with php, so I got everything matching php. So that is pretty cool, we can like group operators together. Also, we got the little star there. It's like matching everything between two terms. For example, if you don't remember the middle name of JFK, you got it there: John Fitzgerald Kennedy. You got something pretty similar there, it is AROUND. So you want to match something between two terms around X number of words. So for example, if I take John Lennon and again I want his middle name, I say AROUND(2) and I got John Winston Ono Lennon. So this is like a good match.
When you are Google dorking, you need to keep in mind that your location will change the laws that are active on the internet. For example, if I'm in Europe, the GDPR law will restrict certain content over the internet. So I might want to change my location with a VPN. And then I don't have the little "some results may have been removed", I got clear results, which means more results. So you might want to change your location while you're Google dorking, and also location might change the first results that you'll get. So if you are in Russia and you are like writing "America", you will get completely different results than if you were in America and you were writing "America".
So I will give you small examples of cool stuff that we can find with Google dorking. For example, if you want to discover an Amazon bucket, you can use that dork: an Amazon bucket will always finish by amazonaws.com, and then you put the company name, your target name, just there, and you can scroll a bit, search more results, and I got matches. It is pretty useful if you want to see if there is a lack of restriction inside S3 buckets. Also, I've got a dork to find specific vulnerabilities. For example, if you want to find open redirect PHP code, you do like ext:php, and in inurl we want something like redirect.php or go.php, we don't care, and we want inurl matching "url" and "http", because we want to do open redirect. So there we can see that we got stuff like that, that might be vulnerable to open redirects. Also, you can do that, for example, if you want to find a parameter that is most often vulnerable to XSS; you might want to do inurl: the parameter, the extension, everything. So that's what I said about signatures, that is a static repetition over different assets.
You might want to understand a certain type of subdomain. Imagine you gathered information about subdomains, you got like a whole list, and there is some subdomain doing something like that, for example loading for three hours and then giving you an empty response. So at that moment, like, my first guess is, I want to go to google.com and check for, again, the captcha, sorry. You might want to check, and then you got like some stuff in Shodan, urlscan, but I don't have any information on that. So I might just come to that, right. And then, oh, I got a result on a Swagger UI. And from there, I can check the API and poke around and like find vulnerable stuff. So yeah, Google dorking is really powerful at understanding domains that you are not understanding directly.
Also in the world of Google dorking, we got the Google Hacking Database. So the Google Hacking Database is currently hosted on exploit-db.com by Offensive Security, but was popularized by Johnny Long in the early 2000s, something like that. And he's a legend. But basically, he collected a lot of different Google dorks and put them online for everyone to use. So he has been collecting useful dorks, from open IP cameras over the Internet to vulnerable servers and directories. So there are different categories, like there are error messages, vulnerabilities, CVEs, so it's pretty complete. But you might want to keep in mind that the Google Hacking Database is not an exhaustive dork list, which means those are just templates. You don't need to copy-paste blindly. You need to tweak a bit, a little. For example, if I go to the Google Hacking Database and I take that dork, I will get matches on all inurl:xmlrpc.php. It's just like we want to find xmlrpc files and we got around those results, right. The problem is, by doing so, we're restricting the xmlrpc signatures to just that. I got like a similar dork for finding the same file but with a different signature. So I know that xmlrpc often comes with that message on a GET request, like, hey, check a POST request to make it work. And so here I got seven results, but the reality is that I got more results. So now, instead of, like, 100,000 results, we got 150,000 results. So, like, adding more results by tweaking the dork and using the same templates, but just changing the signatures a little bit. So that's why you shouldn't copy-paste blindly from the GHDB to Google.
So now I'm going to talk about some massive dorking engines, that's what I call them. So most especially Shodan and urlscan.io. So Shodan is basically a search engine to find computers connected to the internet, or IoT hardware and stuff, everything that is connected, and on Shodan you can use different filters, like filter by country, by organization or by city. Basically, for example, if there is a new CVE, you check on Shodan all the different hardware or web pages that are indexed, and what is cool with Shodan is that it's port scanning and also showing the CVE for each host you click, so it's really useful. I won't talk about Shodan that much because this is a really well-known tool from 2009, if I recall. I would rather talk about its little brother. There are also a lot of different dorking techniques. I won't do an overview on all of them because their documentation is very complete and very good. You should take a look.
But yeah, so, um, for example, I will take some examples with urlscan because it is not well known. If I go to that urlscan.io page and I search for Kickstarter, I see directly that I can abuse the system, because some people did scans over like their tokens there, so every scan of all the people is indexed, like I can see other people's scans from seven days ago, ten days ago and everything. So that is pretty useful, because that's the whole meaning of dorking. Dorking comes from the English "dork", being a dork. And it means that the error is coming from someone: if we go Google dorking, that will come from the pages' index, letting Google index wrong pages, and here it's dorking because it's the user that is giving data publicly and blindly. So here I've saved the result of a Kickstarter token, that is right there. And if we keep that there, this is a private preview. So I'm not supposed to see that. But since I got the right token, I can see that. And urlscan is magnificent because I can read it with that opening, right? And I can check the DOM. For example, if there are, I don't know, user names inside the DOM, because it's referring to a token or something like that. I got a CSRF token. There is a lot of stuff that could happen here. And that is really interesting. Also, we can check on urlscan firebaseio.com. For those who don't know, firebaseio.com, this is a service provided by Google to host the data of a database. And here, if you scroll a little, you can find some shady stuff. For example, there, you got firebaseio, we got .json, and .json is just giving everything that is inside the database. So this is really powerful, and it's a big problem. And the scary thing, and the strangest, is this one. It's basically page.domain:drive.google.com. And there, we can see like Google Drives of all the people. They might be public, they might be private, but still we got like tokens, we got the DOM again and everything. So this is like really scary and really useful for bug bounty hunting, because we are like abusing the attack surface that urlscan indexes.
Now I will tell you some stories I had with dorking. First was the comedy show. So I was sitting at that very same desk at midnight, I was doing some recon on targets. And while I was doing recon, I was listening to a podcast from a French comedian called Ken karandi. And the French comedian at the end of the video said, like, each week... and I never went to find the video, that was like the second week or the third week of the podcast. And at the end of the video he's saying, like, I've done some stuff inside the video, it's a challenge, and if you find some strange thing, it might be a clue that will redirect you to a domain, and on that domain you can claim rewards. And I was like, oh, that's interesting. Like, we might take a look at the challenge, but in a hacky way, you know. So I was hooked by it and directly put my mind in a hacky way: I wanted to find information on the challenge. And I saw they got a Discord, like a Discord where they talk about the challenge, where they're like giving clues, and it's like a collaboration, they team up, but they take days for finding the challenge, and their work is astonishing: gathering steganography, dumping each frame of the video, of a two-hour video, to check if there is like a difference or some stuff hidden. This is an enormous work that they are doing, that is amazing. So I went to the Discord, and each week they were giving the domain only if someone found it. And for the first week I see that the domain is flame flame d dot ninja, which is a play on words, like in French, it's not that important. And I go to the page and I see that page. I say okay, that's interesting, what can I get from that. I take the second week's winning page, and I open it, and that's the exact same page, like the one that you're seeing now. So now, if you listened closely to my talk, your hacking mind might trigger. In red, you can see a static repetition. And in blue, this is a dynamic repetition. So in blue, there is a count of all the people that have viewed the page, you know, but in red, we got our static repetition that is the same on each page. Hmm. What could I do with that? So then I simply used the intext operator, which searches everything inside the text, and I got one result. And I was like, no, no way, that's like a domain that I've already found, and I'm just a fool thinking that I've missed it. No. And then I take five seconds to say, okay, I could keep going. I got in, and I won. I was the first one. And I'm like, no, there is no way. I couldn't realize it, but at the same time I was really happy, really freaked out, like, I felt like a hacker, boy, that was amazing. But I was freaking out. And then the guilt, you know, all those people that were taking hours doing the research, and I was like, I had to take five seconds also to do it. And I felt really guilty. So I went to the comedian and I said, okay, can I win, and say congrats, but I cheated. What? And I said, what do we do now? And he told me we are going to give you a reward only if you tell us how you cheated. So I've been redirected to Tim Carey, who is an amazing and heartwarming person. He was super understanding, a fun guy, and we worked together on how to protect the domain from dorking or things like that, and from hacking. He did a talk actually about that. And really kudos to him and all of Ken's team, that was amazing. So here's the second story, about the mall.
A friend of mine, Griff, came at me and said, hey, I got a private bug bounty invite on a mall, and would you like to help me with that? And I said yes, of course, I always wanted to hack a mall, and that could be cool. There was the web service, right, and then we thought, we found some stuff on brute forcing, some recon. We found a lot of stuff. And then an idea: hey, we are trying to hack the web servers of a mall, right? Yeah. But a mall, it's like, it's physically there, right? Yeah. So there are maybe cameras. Oh my, yeah, there are cameras. So what if their cameras are unprotected over the internet and we could find them, exploit them and get remote access? That could be amazing, right. So the first thing, we wanted to gather all the information possible on the cameras, so I was searching for articles on the internet. So in inurl article, I want a perfect match of cameras or surveillance, and I put the mall name. And there was a match about COVID cams, like they were installing a special cam for the coronavirus, to detect it. And that was interesting because in the article they were showing a picture of the IT guy with the login page of the camera. And we use a technique called shoulder surfing, which is basically you hang over the shoulder of someone and you look at confidential data without them knowing, it's like very subtle. So we shoulder surfed the page, and we wanted to find signatures, like everything that we could extract from that page, which we did, and we found out the IP camera name on the login page. We want the manual to see how they are working, what is the exact model, and I took the login and the password, like everything I've seen on the login page, and I got a match for the IP cameras on a PDF file. And at that moment I got the name of the camera, I got the city of the mall, the country of the mall, and I got the internet provider from the recon that I did earlier. And I also got vulnerabilities on the camera. So I take everything, I put it straight away in Shodan, and I got 37 results, exactly in the same city as the mall, exact same camera. And you know what the article was saying? Hey, those cameras are coming from a private contract between the camera vendor and the mall. So the 37 results might be the only results in the city, which means it might be all of the mall, and 37 might be okay for a mall, right. So yeah, I don't want to tweet, we found the camera over the internet completely open, vulnerable, and we might want to get remote access right now. Right.
So I really loved dorking, and since the beginning, the only problem I had with dorking is that it's not automated, and it's really cool to make it manually, but sometimes, like when you got a dumb dorking, you just want all the targets and not to click on next page every time. So I've created a tool called dork dork, right? That tool is abusing a Google service called spreadsheets. And I'm like querying spreadsheets to do queries on Google. And so by doing so, I'm like using the Google bot of spreadsheets, and I'm not getting the captcha on all the different search engines that I've indexed in my tool. And I sent that to the Google bug bounty program. And they told me, yeah, that's not a vulnerability, that's a feature. So I was like, hey man, I'm going to make an open source GitHub repo of my tool and put it online for everyone to get access. And here is like the GIF. Yeah, so here's the GIF: simply like dorking on the Bing search engine, we want the two first pages on Wikipedia. And I got results, and it's working, I got a proof of concept. So of course there is room for improvement, and if people want to help me with that project, that will be super cool. So thank you everyone for listening to my talk. That was really cool. Thank you, HOPE conference, for letting me do a talk. And many thanks to all the people that supported me. You are amazing.
Hi, welcome back to HOPE 2020. We're here with Lupin. We just watched your video, thank you very much for sharing that with us. That was really, really amazing. And we'd like to... we have one question for you, from our attendees. And the question is: is the definition of dorking, like, is it like self-doxing? By being a dork? I mean, did you self-dox yourself, or...
So when you have a website and you put it on Google, you will have some Google bots that will crawl the website. And to restrict the bots from getting some parts of the website, you will need to set up a robots.txt file at the root of your domain. The thing is that most of the people are not doing it properly, or are just forgetting about it. And it was like Johnny Long, the inventor, or the legacy man that did all the Google dorking stuff, that said it's a dork because it's not the Google problem. The websites doing that, that is the problem of the people that he called dorks, because they just don't care about their own security, or they just forgot.
No, that makes a very good point, you know, the robots.txt file is critical for your security. And I agree with you, you know, people should pay more attention to that. Are there other security things that you find that, you know, more people should be paying attention to?
So, first of all, the robots.txt one is a pretty great one, because there is like the lack of restriction, but there are also people that are giving too much information inside the robots.txt, like, hey, don't look at that part of our website because we don't want you to see stuff. And that's the first thing that a hunter would go, like, hey, what are they hiding, and sometimes, like in robots.txt, you can find stuff like wp-config.php, which is in WordPress where the database password is stored. So now you can identify the web root, you can do a lot of stuff. And there are like a lot of security issues that websites don't care about. For example, there is reverse tabnabbing, I don't know if you know about it. But basically, when you forget to put, inside the href, the a tag in HTML, I forget to put rel noopener, rel noreferrer, something like that. And when you click, it will open a tab, but with a crafted payload you can, when you open a new tab, edit the legacy tab, like the opener, and doing so you can create phishing and stuff like that. Imagine that when you are on a community forum, you're just linking a website. And when people open a new tab, it will rewrite the tab of the community forum. And now you can steal data. And people just don't care, bug bounty programs or websites don't care about that.
You know, it's a very interesting point. Um, I like to call these people citizen developers, you know, because they want to do something with their computer and they don't have the knowledge or the expertise or the people to help them, so they just take a stab at it, and of course that's causing more problems than not. Yeah. Do you have some favorite examples, you know, things that you found that are completely out of hand?
Um, I think that the most common use case is cross-site scripting. So that's one of my favorite bugs. I've been studying and doing most of my research about it. And most people just forget, like, a one-liner, just, you know, sanitize the input of the user. And we can like elevate that bug to a lot of different stuff, to account takeover, to remote code execution. And just by missing a small sanitization, you can provide remote code execution on your domain, and I think that's something that software engineers need to take care of before putting something in production.
I agree and, you know, people, they go to GoDaddy or whatever, and it's like build your own website in five minutes. They start loading it up with content and they don't realize the security implication. So in your talk, and so, since we don't have any more questions, is there something that you'd like to leave us with, in terms of what's your next project that you're going to be working on besides this?
I'm doing a lot of reverse engineering on PHP and WordPress, actually trying to pull out some zero-days. And that's like my main research, I've been doing that 18 hours a day. That's like, wow, it's a lot, but I really like it. I really enjoy it.
Yeah, that sounds like a lot of fun. On behalf of everybody here, all the attendees, the volunteers and the staff here at HOPE 2020, we really appreciate you coming on and sharing your good work with us. We hope to see you at the next HOPE. On behalf of HOPE 2020, thank you. Right, and now we're going to go take a look at our next interstitial. Thank you guys and see you in a few minutes.