The "Google Hack" Honeypot
An anonymous reader writes "On the heels of Google Hacking for Penetration Testers, and Johnny Long's talks at Blackhat/Defcon over the weekend, comes the "Google Hack" Honeypot, a honeypot designed to lure in malicious search engine activity. They had a second release of their tools on Monday, according to their site."
Comment removed based on user account deletion
Are they trying to trap the search engine or the people using the search engine to find open doors?
From TFA:
GHH implements honeypot theory to provide additional security to your web presence.
Any enlightenment on what the honeypot theory is?
So is this thing designed to prove Google is doing nasty things? I'm really confused.
"Mess with Google, and you're gonna get stung."
Being funny is my sig nature.
Wait, they used their tools for penetration testing? And a honeypot? I am going to search google images for penetration, honeypot and tool and see if I can add anything to the discussion
And All I Ask is a Tall Ship And a Star to Steer Her By
Why do I feel so damn inadequate reading this article?
;-)
Because when you read "honey pot" you immediately thought of catching hackers instead of what you should have thought of.
Sad isn't it?
can someone please explain what this is. Neither the description, nor the linked article/page actually define what this is.
The Digital Couture Collection
GHDB Signature #1013 ("SquirrelMail version 1.4.4" inurl:src ext:php)
How is that a problem? Look at their demo page. Whoopdeedoo. Now I can stare at a SquirrelMail login screen. Still haven't gotten access to much of anything that I'm not supposed to. Heck, there are plenty of websites offering e-mail through SquirrelMail. Whatever...
WASTE - The Secure P2P
Ahh, there's nothing as useless as a "first post" post except a "first post" post that isn't actually the first post.
You just need to make sure you do not put any items on your webserver you do not want to get viewed.
And if you make invisible links to them. That is just plain stupid.
Also, if Google can find those files so can any other web-crawler.
Wimp_org
when you read "honey pot" you immediately thought of catching hackers instead of what you should have thought of
Winnie the Pooh?
seriously, what good does this serve society? If you can prove that google hacking makes information more free, or that tearing down the barriers helps, well, fine.
If you want to see if you can secure data so it doesn't get google hacked - ok.
If you just want to show how nifty you are at using commonly available tools - there never has been any such thing as total privacy and there never will be.
-- Tigger warning: This post may contain tiggers! --
I dunno. I had an 8" floppy. Mabel may have been plain, but she never complained.
Then one year it was 5.25" floppy, a few years later it was 3.5" and kinda stiff, and nowadays it's all about these little compact flash thingies.
Must be something Google's putting in the water.
If I'm understanding it correctly, this is a system to keep out the users that are using google hacks. If someone finds your site because of a search string that matches a certain signature, I'm guessing that you could ban them. So if they find your site by searching for "top secret alien government technology", you can ban that user.
Here is a FAQ question from their site:
What is a honeypot?
A honeypot is, to quote Lance Spitzner founder of the Honeynet Project:
"An information system resource whose value lies in unauthorized or illicit use of that resource."
Simply put a honeypot is something that appears to be vulnerable, but in reality is recording illicit use by malicious attackers.
GHH allows administrators to track malicious hosts: observe who is perpetrating the attack and how it is being executed via the log. The data generated by this, or any other honeypot can be used to deny future access to attackers, notify service providers of attacks originating from their networks or act as an input for statistical analysis.
At the Risk of Pointing out the Obvious: If someone is not smart enough to keep stuff off the web they don't want on the web, how exactly are they going to be able to download, compile from source, run and configure Google Hack Honeypot?
Just askin'
How do you honeypot Google? I'm fairly sure the nice folks at GoogleCorp aren't going to let you stick your honeypot in the way of the real thing. If the hacks in question are just malicious queries, how do you get the 1334 hax0rs to use your oh-so-attractive honeypot when every schmoe can type "www.google.com" into their attack script?
Where's the flaw in my thinking? If you're not honeypotting the search, what's left?
Welcome to the Panopticon. Used to be a prison, now it's your home.
Or does this seem a little... Strange? I mean, it's all well and good to leave a honeypot out, but I think this is a bad move by Google. What about all those bees?
Screw the rules, I have green hair!
He's talking about...err...I get it now.
Google hacking is the process of reconnaissance with a target, through the use of google.
What this means, is that an attacker has a target, he can use google to find information/vulnerabilities of this target without actually ever touching the target at all, thereby giving no warning.
It's a much "safer" way of reconnaissance than directly going to a page and attempting trial and error attacks... The attacked has no idea there is any reconnaissance taking place, yet the attacker is finding more and more information about exploiting their target.
"HONEYPOTS"
Honeypots are designed to be in a controlled vulnerable state. You set up a server with known vulnerabilities and put it in a controlled area of your network. Depending on the software used, there are various levels of interaction the honeypot will allow. Complicated honeypots can replicate a large network, recording all activities of the attacker and keeping their interest for longer. Simple honeypots only allow basic actions, and the attacker will become bored more quickly and you will get less information.
Overclockers
Between this article and the duped article mentioning Johnny Long's book, I think the editors just like the words like "penetration" and "long".
Ok, there's my dirty post for the day.
Slackware
and are they ok about an unconnected third party using Google's trademark (its name or otherwise known as "brand") in connection with this service ?
or is this just an attempt to link a major brand name with an otherwise unknown software project ?
seems the latter in this case,
I am looking forward to the Nike attack-trainer project or the McDonald's healthy software initiative.
--AJ
There seems to be a lot of confusion about how this works. You need to understand two things to understand the GHH - first what a 'Google Hack' is in the first place, and second how to create a honeypot to record malicious behavior.
First, a quick summary of Google hacking: Google obviously has a huge cache of URLs. If a vulnerability is published that can be identified by a URI string, then you can simply Google that URI to identify vulnerable hosts. The GHH main page has a list of the current vulnerability signatures that it tracks.
In order to make a honeypot for this malicious behavior, you simply have to set up a Web server to respond appropriately to each of these linked URLs and have it be indexed by Google (not a trivial task, but still quite doable). You can then track referring requests from Google by IP address, etc...
In order to defeat this type of tracking, an attacker could strip off the Referer header using an automated tool or a proxy, then route through an Onion router or some other anonymous proxy, but at least the server would still have some metrics to identify the relative frequency of attackers reaching the site through a "Google Hack."
---- Just another spud server.
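The Referer-based tracking described in the comment above, as an added example that is not part of the original thread and is not GHH's own code. It classifies hits on a decoy URL by the search query carried in a Google Referer, and counts requests that arrive with the header stripped separately; the decoy path, the Apache "combined" log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Search strings quoted on this page; a real deployment would load a full signature list.
SIGNATURES = {
    "GHDB #1013": '"SquirrelMail version 1.4.4" inurl:src ext:php',
    "mp3 index": 'intitle:index.of "parent directory" *.mp3',
}
HONEYPOT_PATH = "/webmail/src/login.php"  # hypothetical decoy URL, not from the page
# Apache "combined" format: ip - - [time] "METHOD path proto" status size "referer" "agent"
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d+ \S+ "([^"]*)" "[^"]*"$')

def normalize(q):
    """Lower-case and collapse whitespace so query and signature compare equal."""
    return " ".join(q.lower().split())

def classify(line):
    """Return (ip, verdict, detail) for a hit on the decoy, else None."""
    m = LINE.match(line)
    if not m:
        return None
    ip, path, referer = m.groups()
    if path.split("?", 1)[0] != HONEYPOT_PATH:
        return None
    if referer in ("", "-"):
        return (ip, "no-referer", None)  # header stripped: still counted, search unknown
    try:
        ref = urlsplit(referer)
        host = (ref.hostname or "").lower()
    except ValueError:  # malformed Referer value
        return (ip, "other-referer", referer)
    # Only google.com is handled here; regional Google domains are left out.
    if host != "google.com" and not host.endswith(".google.com"):
        return (ip, "other-referer", host)
    query = parse_qs(ref.query).get("q", [""])[0]
    for name, sig in SIGNATURES.items():
        if normalize(query) == normalize(sig):
            return (ip, "signature", name)
    return (ip, "google-other", query)

SAMPLE_LOG = [  # constructed log lines using documentation-range addresses
    '192.0.2.10 - - [02/Aug/2005:10:00:01 +0000] "GET /webmail/src/login.php HTTP/1.1" 200 2048 '
    '"http://www.google.com/search?q=%22SquirrelMail+version+1.4.4%22+inurl%3Asrc+ext%3Aphp" "Mozilla/4.0"',
    '198.51.100.7 - - [02/Aug/2005:10:05:09 +0000] "GET /webmail/src/login.php HTTP/1.1" 200 2048 "-" "Wget/1.9"',
    '203.0.113.5 - - [02/Aug/2005:10:06:30 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
]

def summarize(lines):
    """Keep only the lines that touched the decoy, with their verdicts."""
    return [hit for hit in map(classify, lines) if hit]
```

The Referer header is supplied by the client, so a "signature" verdict is a frequency metric rather than proof of how a visitor arrived.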
So how come Google don't do anything about the hacks themselves?
With some hacks, like the URL based ones, it seems unlikely that removing them would affect any legitimate search.
The conclusions by courts in the open wireless networks seemed to be that the openness (physically) of a network was irrelevant - if it was private (in the mind of the owner) then you're not allowed in. So Google is not only sniffing out private networks they are also broadcasting them to the world!
How long before the hackers come up with a "rain cloud" counter-hack? After all, everyone knows that a rain cloud never eats honey (no, not a nip).
Really nice ..
So I tried similar searches, and got mostly seven (7) hits in google. Turned out all 7 were 'GHH' sites. Really funny that from today on I am registered as a hacker too!
memo to self: RTFA beFORE googling it
if you're ultra-paranoid, couldn't you just ban all robots from robots.txt, i'm sure there are non-compliant robots.. but legitimate ones like Google should abide, right?
lameness filter thwarted.
I don't understand?
what are these insecure tools?
and how does a search engine index aid someone
in hacking my site?
Arash Partow's Philosophy: Be a person who knows what they don't know, and not a person who doesn't know.
Pretty neat, but what I would prefer is a tool that uses the most common queries against your site to see if it can be google hacked. I guess this thing could be the database for this query tool. Perhaps this is something that might be in the creator's minds of this project?
Try this search in Google: intitle:index.of "parent directory" *.mp3. This will turn out all mp3s out there on webservers that have directory listing mistakenly turned on. Now you can change this to any file type, or any other specific filter that you are looking for. That's "Google Hacks" in my books.. The honeypot would be to check for those kinds of searches and figure out how to counter them.
How many posts would a first poster post if a first poster could post first?
Stop Global Warming!
Just say no to irreversible processes!
"These insecure tools, when combined with the power of a search engine and index which Google provides, results in a convenient attack vector for malicious users."
how is your crappy site being indexed by google the fault of "insecure tools"? you have stuff to hide? don't put it where google can get it!
the only insecure "tool" is the site designer who exposes his own data...
Someone at 127.0.0.1 is running my website!!ELEVNETY!!!!111!!1!!!!
-Those who know do not say, Those who say do not know
This project deserves a pat on the back for thinking outside the box.
:)
Attackers have never needed an IP range to make an attack, and this is the first technology I've seen thus far that has responded to that principle. Simple concept, but very interesting and should be developed.
So, where's the dumpster diving honeypot?
I've been using this for a while.
m ?file=sitedigger2.zip
This tool will blow your mind.
You have to create an account with Google and acquire a key to use it.
Then point it at a site and let it run the hax0r search queries...
You will be amazed at what is exposed out there.
http://www.foundstone.com/resources/termsofuse.ht
We play the game with the bravery of being out of range
If people are looking for websites that you have content about, they are going to use a search engine. And they won't find your site because you told the engines not to index it.
Thank you Thank you Thank you!
I now have something to do for hours! I never knew of this useful "tool". And who says you never learn anything reading Slashdot...
User-agent: *
Disallow: /email.htm
Disallow: /cgi-bin/
Disallow: /webmail/src/
Prevents Google or other robots from indexing these areas.
Or better yet, .htpasswd allows basic auth for sensitive areas under Apache. Problem with the honeypot idea is it disallows proper users from finding the correct URL to web-services.
Install, Then Run
You posted this in April. Some of us have been doing stuff like that for well over a year. Nice try on the credit grab though.
Build a man a fire, he's warm for one night. Set him on fire, and he's warm for the rest of his life.
Last time I Googled on "honeypot", all I got back was a bunch of links to pr0n sites...
The problem here is that I can't see a way of using Google that would mean truly illegal website cracking (vocabulary lesson: 'cracking' as in dismantle security measures; and not 'hacking' as in improving the linux kernel).
For example, the following "crack-search" example: 'intitle:index.of "parent directory" *.mp3', this only is useful if you mistakenly have left your http server on, I don't think the 'bad guy' is doing anything bad by using this, it is you who should disable your http server, or Google who should stop indexing these sites.
Can somebody enlighten me with an example of using Google to truly crack a website, rather than just using blatantly available services?
reads better, non?
HTTP-GET, sure. But care to explain how you make a HTTP-POST request with a <A> hyperlink?
Not Buzzword 2.0 compliant. Please speak english.