Slashdot Mirror
The "Google Hack" Honeypot
An anonymous reader writes "On the heels of Google Hacking for Penetration Testers, and Johnny Long's talks at Blackhat/Defcon over the weekend, comes the "Google Hack" Honeypot, a honeypot designed to lure in malicious search engine activity. They had a second release of their tools on monday, according to their site."
No, this serves to find out how people are using Google to attempt to take control of your stuff (site, servers, etc). By learning more about the methods of attack, we can figure out how to prevent these attacks.
It's the usual hacking cycle brought to the search engine scene. Malicious hackers find ways to penetrate, and this will try to find a way to stop it. When it's stopped, the hackers will just move on to another way. Later, rinse, repeat.
http://ghh.sourceforge.net/userfaq.php
A honeypot is, to quote Lance Spitzner founder of the Honeynet Project:
"An information system resource whose value lies in unauthorized or illicit use of that resource."
Simply put a honeypot is something that appears to be vulnerable, but in reality is recording illicit use by malicious attackers.
GHH allows administrators to track malicious hosts: observe who is perpetrating the attack and how it is being executed via the log. The data generated by this, or any other honeypot can be used to deny future access to attackers, notify service providers of attacks originating from their networks or act as an input for statistical analysis.
If I'm understanding it correctly, this is a system to keep out the users that are using google hacks. If someone finds your site because of a search string that matches a certain signature, I'm guessing that you could ban them. So if they find your site by searching for "top secret alien government technology", you can ban that user.
Here is a FAQ question from their site:
What is a honeypot?
A honeypot is, to quote Lance Spitzner founder of the Honeynet Project:
"An information system resource whose value lies in unauthorized or illicit use of that resource."
Simply put a honeypot is something that appears to be vulnerable, but in reality is recording illicit use by malicious attackers.
GHH allows administrators to track malicious hosts: observe who is perpetrating the attack and how it is being executed via the log. The data generated by this, or any other honeypot can be used to deny future access to attackers, notify service providers of attacks originating from their networks or act as an input for statistical analysis.
That's precisely the point of a Honeypot. It's something that looks like it might be a vulnerability, but isn't. SquirrelMail had a bunch of vulnerabilities, including an SQL injection vulnerability. These sites get themselves added to Google, and thus get pulled up when someone searches for a site to exploit, but they can't actually be exploited. However, the Honeypot site now has the remote IP address, browser being used, and whatever info it feels like collecting on the bad guys.
Read the FAQ, it explains a lot.
There is no sig, there is only Zuul.
tearing down barriers is not always good. some of these hacks are used by pornographers to phish for whoever (including kids) by evading familiy filters etc. I found a hack (a word) that will return zero results for legitimate sites but about 5,000 related to highly unnatural acts. if you are in google, you are one word away from reading the site descriptions of these sites. kind of makes you think twice about whether it's ever safe to hit the "im feeling lucky" button.
Google hacking is the process of reconnaisance with a target, through the use of google.
What this means, is that an attacker has a target, he can use google to find information/vulnerabilities of this target without actually ever touching the target at all, thereby giving no warning.
It's a much "safer" way of reconnaisance than directly going to a page and attempting trial and error attacks... The attacked has no idea there is any reconnaisance taking place, yet the attacker is finding more and more information about exploiting their target.
"HONEYPOTS"
Honeypots are designed to be in a controlled vulnerable state. You set up a server with known vulernabilities and put it in a controlled area of your network. Depending on the software used, there are various levels of interaction the honeypot will allow. Complicated honeypots can replicate a large network, recording all activities of the attacker and keeping their interest for longer. Simple honeypots only allow basic actions, and the attacker will become bored more quickly and you will get less information./P.
Overclockers
There seems to be a lot of confusion about how this works. You need to understand two things to understand the GHH - first what a 'Google Hack' is in the first place, and second how to create a honeypot to record malicious behavior.
First, a quick summary of Google hacking: Google obviously has a huge cache of URLs. If a vulnerability is published that can be identified by a URI string, then you can simple Google that URI to identify vulnerable hosts. The GHH main page has a list of the current vulnerability signatures that it tracks.
In order to make a honeypot for this malicious behavior, you simply have to set up a Web server to respond appropriately to each of these linked URLs and have it be indexed by Google (not a trival task, but still quite doable). You can then track referring requests from Google by IP address, etc...
In order to defeat this type of tracking, an attacker could strip off the Referer header using an automated tool or a proxy, then route through an Onion router or some other anonymous proxy, but at least the server would still have some metrics to identify the relative freqency of attackers reaching the site through a "Google Hack."
---- Just another spud server.
Then read the packages FAQ. And focus on this paragraph:
Why should I implement Google Hack Honeypot on my site?
GHH allows you to safely monitor attempts by malicious attackers to compromise your security. The logging functions that GHH implements allows you, the administrator, to do what you like with the information. You can use the attack database to gather statistics on would-be-attackers, report activities to appropriate authorities and temporarily or permanently deny access to resources.
Results 1 - 10 of about 5,010 for penetration honeypot tool with Safesearch on. (0.40 seconds)
(and that was the google safe search)
try this search in Google: intitle:index.of "parent directory" *.mp3 This will turn out all mp3s out there on webservers that have directorylisting mistakenly turned on now you can change this to any file type, or any other specific filter that you are looking for. Thats "Google Hacks" in my books.. The honeypot would be to check for those kinds of searches and figure out how to counter them.
Sheesh, read the article. When there's a vulnerability in say, phpBB, and a haX0r wants to find it, they can just search google for the vulnerable version. So if you want to find a haX0r, just find a dude that searches google for vulnerable versions of phpBB. That's an example which has nothing to do with files that shouldn't be viewed or invisible links.
Also, if Google can find those files so can any other web-crawler.
Ugh.