Slashdot Mirror
The "Google Hack" Honeypot
An anonymous reader writes "On the heels of Google Hacking for Penetration Testers, and Johnny Long's talks at Blackhat/Defcon over the weekend, comes the "Google Hack" Honeypot, a honeypot designed to lure in malicious search engine activity. They had a second release of their tools on monday, according to their site."
Comment removed based on user account deletion
Wait, they used their tools for penetration testing? And a honeypot? I am going to search google images for penetration, honeypot and tool and see if I can add anything to the discussion
And All I Ask is a Tall Ship And a Star to Steer Her By
Why do I feel so damn inadequate reading this article?
;-)
Because when you read "honey pot" you immediately thought of catching hackers instead of what you should have thought of.
Sad isn't it?
GHDB Signature #1013 ("SquirrelMail version 1.4.4" inurl:src ext:php)
How is that a problem? Look at their demo page. Whoopdeedoo. Now I can stare at a SquirrelMail login screen. Still haven't gotten access to much of anything that I'm not supposed to. Heck, there are plenty of websites offering e-mail through SquirrelMail. Whatever...
WASTE - The Secure P2P
No, this serves to find out how people are using Google to attempt to take control of your stuff (site, servers, etc). By learning more about the methods of attack, we can figure out how to prevent these attacks.
It's the usual hacking cycle brought to the search engine scene. Malicious hackers find ways to penetrate, and this will try to find a way to stop it. When it's stopped, the hackers will just move on to another way. Later, rinse, repeat.
http://ghh.sourceforge.net/userfaq.php
A honeypot is, to quote Lance Spitzner founder of the Honeynet Project:
"An information system resource whose value lies in unauthorized or illicit use of that resource."
Simply put a honeypot is something that appears to be vulnerable, but in reality is recording illicit use by malicious attackers.
GHH allows administrators to track malicious hosts: observe who is perpetrating the attack and how it is being executed via the log. The data generated by this, or any other honeypot can be used to deny future access to attackers, notify service providers of attacks originating from their networks or act as an input for statistical analysis.
seriously, what good does this serve society? If you can prove that google hacking makes information more free, or that tearing down the barriers helps, well, fine.
If you want to see if you can secure data so it doesn't get google hacked - ok.
If you just want to show how nifty you are at using commonly available tools - there never has been any such thing as total privacy and there never will be.
-- Tigger warning: This post may contain tiggers! --
If I'm understanding it correctly, this is a system to keep out the users that are using google hacks. If someone finds your site because of a search string that matches a certain signature, I'm guessing that you could ban them. So if they find your site by searching for "top secret alien government technology", you can ban that user.
Here is a FAQ question from their site:
What is a honeypot?
A honeypot is, to quote Lance Spitzner founder of the Honeynet Project:
"An information system resource whose value lies in unauthorized or illicit use of that resource."
Simply put a honeypot is something that appears to be vulnerable, but in reality is recording illicit use by malicious attackers.
GHH allows administrators to track malicious hosts: observe who is perpetrating the attack and how it is being executed via the log. The data generated by this, or any other honeypot can be used to deny future access to attackers, notify service providers of attacks originating from their networks or act as an input for statistical analysis.
Google hacking is the process of reconnaisance with a target, through the use of google.
What this means, is that an attacker has a target, he can use google to find information/vulnerabilities of this target without actually ever touching the target at all, thereby giving no warning.
It's a much "safer" way of reconnaisance than directly going to a page and attempting trial and error attacks... The attacked has no idea there is any reconnaisance taking place, yet the attacker is finding more and more information about exploiting their target.
"HONEYPOTS"
Honeypots are designed to be in a controlled vulnerable state. You set up a server with known vulernabilities and put it in a controlled area of your network. Depending on the software used, there are various levels of interaction the honeypot will allow. Complicated honeypots can replicate a large network, recording all activities of the attacker and keeping their interest for longer. Simple honeypots only allow basic actions, and the attacker will become bored more quickly and you will get less information./P.
Overclockers
Between this article and the duped article mentioning Johnny Long's book, I think the editors just like the words like "penetration" and "long".
Ok, there's my dirty post for the day.
Slackware
There seems to be a lot of confusion about how this works. You need to understand two things to understand the GHH - first what a 'Google Hack' is in the first place, and second how to create a honeypot to record malicious behavior.
First, a quick summary of Google hacking: Google obviously has a huge cache of URLs. If a vulnerability is published that can be identified by a URI string, then you can simple Google that URI to identify vulnerable hosts. The GHH main page has a list of the current vulnerability signatures that it tracks.
In order to make a honeypot for this malicious behavior, you simply have to set up a Web server to respond appropriately to each of these linked URLs and have it be indexed by Google (not a trival task, but still quite doable). You can then track referring requests from Google by IP address, etc...
In order to defeat this type of tracking, an attacker could strip off the Referer header using an automated tool or a proxy, then route through an Onion router or some other anonymous proxy, but at least the server would still have some metrics to identify the relative freqency of attackers reaching the site through a "Google Hack."
---- Just another spud server.
OK, simply:
Tool creates fake web pages that look like vulnerable Web apps.
Google indexes fake pages.
Bad Guy searches Google for likely victims.
Google returns indexes of pages created by tool.
Bad Guy follows links.
Tool logs Bad Guy's IP and other information.
No Profit for Bad Guy.
Good Guys watch Bad Guy try to |-|@><0r the page, and log everything his does.
Good Guys contact Law Enforcement, present evidence.
Good Guys contact Bad Guy's ISP, present evidence.
(now, there are 2 possible outcomes - the ideal and the real.)
Ideal outcome
Law Enforcement goes after Bad Guy.
Bad Guy's ISP shuts Bad Guy down.
Bad Guy gets caught, convicted, and spends several years playing "Hide The Sausage" with his new friend Benjamin Dover the Serial Sodomist.
Real outcome
Law Enforcement ignores evidence as no money was lost.
Bad Guy's ISP ignores evidence as there is no Law Enforcement involvement, and Good Guys are not ISP's customers.
Bad Guy is distracted for a while and doesn't get to |-|@><0r as many systems.
www.eFax.com are spammers
Do what ? Say i deliberately have a directory on my site that is called /etc/passwd ? It is a highly relevant page containing stories and articles I have written
Say I have pages up with the same strings that are relevant to a number of Google hacks, like "Admin Panel powered by" etc etc ?
This stupid pre-emptive doctrine that has poisoned everything since 9/11 has to stop. Nothing has been 'settled' in the real world where things actually count.
if it was private
The Downing Street memo and numerous other leaks were intended to be private. Are you suggesting that the world shouldn't know what is happening ?
Stop being such an old granny.
try this search in Google: intitle:index.of "parent directory" *.mp3 This will turn out all mp3s out there on webservers that have directorylisting mistakenly turned on now you can change this to any file type, or any other specific filter that you are looking for. Thats "Google Hacks" in my books.. The honeypot would be to check for those kinds of searches and figure out how to counter them.
"These insecure tools, when combined with the power of a search engine and index which Google provides, results in a convenient attack vector for malicious users."
how is your crappy site being indexed by google the fault of "insecure tools"? you have stuff to hide? don't put it where google can get it!
the only insecure "tool" is the site designer who exposes his own data...