Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Security The Internet

The "Google Hack" Honeypot 108

An anonymous reader writes "On the heels of Google Hacking for Penetration Testers, and Johnny Long's talks at Blackhat/Defcon over the weekend, comes the "Google Hack" Honeypot, a honeypot designed to lure in malicious search engine activity. They had a second release of their tools on monday, according to their site."
This discussion has been archived. No new comments can be posted.

The "Google Hack" Honeypot

Comments Filter:
  • by conner_bw ( 120497 ) on Thursday August 04, 2005 @04:31PM (#13244094) Journal

    I can't put my finger on it... Why do I feel so damn inadequate reading this article?

  • So is this thing designed to prove Google is doing nasty things? I'm really confused.
    • Re:Guh? (Score:1, Informative)

      by Anonymous Coward
      no, its designed to trick search engine h4x0r3z into thinking they found a real exploitable site when in fact its a fake honeypot.

      and then from this we can learn about what these h4x0r3z are doing and how to stop them
    • Re:Guh? (Score:5, Informative)

      by solive1 ( 799249 ) on Thursday August 04, 2005 @04:39PM (#13244198)
      No, this serves to find out how people are using Google to attempt to take control of your stuff (site, servers, etc). By learning more about the methods of attack, we can figure out how to prevent these attacks.

      It's the usual hacking cycle brought to the search engine scene. Malicious hackers find ways to penetrate, and this will try to find a way to stop it. When it's stopped, the hackers will just move on to another way. Later, rinse, repeat.
  • Tools (Score:5, Funny)

    by Alex P Keaton in da ( 882660 ) on Thursday August 04, 2005 @04:34PM (#13244135) Homepage
    Wait, they used their tools for penetration testing? And a honeypot? I am going to search google images for penetration, honeypot and tool and see if I can add anything to the discussion
  • by alecks ( 473298 )
    can someone please explain what this is. Neither the description, nor the linked article/page actually define what this is.
    • Re:huh? (Score:5, Informative)

      by Compholio ( 770966 ) on Thursday August 04, 2005 @04:39PM (#13244203)
      http://ghh.sourceforge.net/userfaq.php [sourceforge.net]

      A honeypot is, to quote Lance Spitzner founder of the Honeynet Project:

      "An information system resource whose value lies in unauthorized or illicit use of that resource."

      Simply put a honeypot is something that appears to be vulnerable, but in reality is recording illicit use by malicious attackers.

      GHH allows administrators to track malicious hosts: observe who is perpetrating the attack and how it is being executed via the log. The data generated by this, or any other honeypot can be used to deny future access to attackers, notify service providers of attacks originating from their networks or act as an input for statistical analysis.
    • Re:huh? (Score:3, Informative)

      by kevcol ( 3467 )
      Then read the packages FAQ. And focus on this paragraph:

      Why should I implement Google Hack Honeypot on my site?

      GHH allows you to safely monitor attempts by malicious attackers to compromise your security. The logging functions that GHH implements allows you, the administrator, to do what you like with the information. You can use the attack database to gather statistics on would-be-attackers, report activities to appropriate authorities and temporarily or permanently deny access to resources.
      • GHH allows you to safely monitor attempts by malicious attackers to compromise your security. The logging functions that GHH implements allows you, the administrator, to do what you like with the information. You can use the attack database to gather statistics on would-be-attackers, report activities to appropriate authorities and temporarily or permanently deny access to resources.

        That's a little different than a Honeypot, that sounds more like an IDS. But what I'm trying to figure out is how in the h
    • It's kind of like a Venus Flytrap for hackers. They are lured in by the sweet smeel of the nectar coating, and then SNAP. Nothing left for them to do but be slowly, painfully, excrutiatingly digested alive... Something like that anyway.
    • As I understand it, the term "honeypot" was coined during the cold war.

      Basically involved using sex to gain confidential information or to compromise an agent of the other side.
  • by sH4RD ( 749216 ) on Thursday August 04, 2005 @04:38PM (#13244179) Homepage
    GHDB Signature #1013 ("SquirrelMail version 1.4.4" inurl:src ext:php)

    How is that a problem? Look at their demo page [sourceforge.net]. Whoopdeedoo. Now I can stare at a SquirrelMail login screen. Still haven't gotten access to much of anything that I'm not supposed to. Heck, there are plenty of websites offering e-mail through SquirrelMail. Whatever...
    • by spacefight ( 577141 ) on Thursday August 04, 2005 @04:43PM (#13244264)
      From squirrelmail.org: Several cross site scripting (XSS) vulnerabilties have been discovered in SquirrelMail versions 1.4.0 - 1.4.4.

      I assume, that's the reason for the 1.4.4 login screen at their demo page.
      • Out of all the replies, yours made sense and you weren't an a**hole. Thank you, I now see the point.
      • Hmmm. Interesting, except that to exploit an XSS vulnerability, you would typically find a user of the site, and then persuade them to click on a crafted link with your exploit code embedded in it. Therefore you would normally target a user and check the sites they regularly visit. A honeypot would achieve nothing.
    • by BluhDeBluh ( 805090 ) on Thursday August 04, 2005 @04:44PM (#13244283)
      From what I can gather, SquirrelMail 1.4.4 contains a vunerability enabling you to do nasty things. By adding honeypot sites, it makes real sites to hack slightly more difficult if you're trying to find them via Google.
    • by jdreed1024 ( 443938 ) on Thursday August 04, 2005 @04:46PM (#13244309)
      Still haven't gotten access to much of anything that I'm not supposed to. Heck, there are plenty of websites offering e-mail through SquirrelMail. Whatever...

      That's precisely the point of a Honeypot. It's something that looks like it might be a vulnerability, but isn't. SquirrelMail had a bunch of vulnerabilities, including an SQL injection vulnerability. These sites get themselves added to Google, and thus get pulled up when someone searches for a site to exploit, but they can't actually be exploited. However, the Honeypot site now has the remote IP address, browser being used, and whatever info it feels like collecting on the bad guys.

      Read the FAQ [sourceforge.net], it explains a lot.

  • Silly tool (Score:1, Insightful)

    by wimp_org ( 896474 )

    You just need to make sure you do not put any items on your webserver you do not want to get viewed.
    And if you make invisible links to them. That is just plain stupid.

    Also, if Google can find those files so can any other web-crawler.

    Wimp_org

    • Re:Silly tool (Score:3, Informative)

      Sheesh, read the article. When there's a vulnerability in say, phpBB, and a haX0r wants to find it, they can just search google for the vulnerable version. So if you want to find a haX0r, just find a dude that searches google for vulnerable versions of phpBB. That's an example which has nothing to do with files that shouldn't be viewed or invisible links.

      Also, if Google can find those files so can any other web-crawler.

      Ugh.
  • by WillAffleckUW ( 858324 ) on Thursday August 04, 2005 @04:42PM (#13244255) Homepage Journal
    seriously, what good does this serve society? If you can prove that google hacking makes information more free, or that tearing down the barriers helps, well, fine.

    If you want to see if you can secure data so it doesn't get google hacked - ok.

    If you just want to show how nifty you are at using commonly available tools - there never has been any such thing as total privacy and there never will be.
    • tearing down barriers is not always good. some of these hacks are used by pornographers to phish for whoever (including kids) by evading familiy filters etc. I found a hack (a word) that will return zero results for legitimate sites but about 5,000 related to highly unnatural acts. if you are in google, you are one word away from reading the site descriptions of these sites. kind of makes you think twice about whether it's ever safe to hit the "im feeling lucky" button.
      • tearing down barriers is not always good. some of these hacks are used by pornographers to phish for whoever (including kids) by evading familiy filters etc. I found a hack (a word) that will return zero results for legitimate sites but about 5,000 related to highly unnatural acts. if you are in google, you are one word away from reading the site descriptions of these sites. kind of makes you think twice about whether it's ever safe to hit the "im feeling lucky" button.

        There we go. This is why I hardly eve
      • by Anonymous Coward
        They should change "I'm feeling lucky" to "Are you feeling lucky, punk?"
  • My Explanation (Score:4, Informative)

    by SuperJason ( 726019 ) on Thursday August 04, 2005 @04:44PM (#13244281) Homepage
    If I'm understanding it correctly, this is a system to keep out the users that are using google hacks. If someone finds your site because of a search string that matches a certain signature, I'm guessing that you could ban them. So if they find your site by searching for "top secret alien government technology", you can ban that user.

    Here is a FAQ question from their site:
      What is a honeypot?
    A honeypot is, to quote Lance Spitzner founder of the Honeynet Project:

    "An information system resource whose value lies in unauthorized or illicit use of that resource."

    Simply put a honeypot is something that appears to be vulnerable, but in reality is recording illicit use by malicious attackers.

    GHH allows administrators to track malicious hosts: observe who is perpetrating the attack and how it is being executed via the log. The data generated by this, or any other honeypot can be used to deny future access to attackers, notify service providers of attacks originating from their networks or act as an input for statistical analysis.
    • The data generated by this, or any other honeypot can be used to deny future access to attackers, notify service providers of attacks originating from their networks or act as an input for statistical analysis.

      Great...So the new goatse link will be some overzealous honeypot. You click the link and your ISP gets an email saying you're an evil hacker.

      Wouldn't it be more effective to report the websites with these vunerabilities to their hosting providers?
      • Nope. Wrongo. You only get trapped if you try to use an exploit on that site. You don't get trapped by merely visiting the page.

        You have to be doing something deliberately malicious in order to get caught by the honeypot.

        The honeypot just pretends to be something vulnerable in hopes of attracting criminals to attack it.
        • Re:My Explanation (Score:3, Insightful)

          by lspd ( 566786 )
          You have to be doing something deliberately malicious in order to get caught by the honeypot.

          So you encode evil input into the URL. Many scripts accept POST and GET.
          • by trezor ( 555230 )

            HTTP-GET, sure. But care to explain how you make a HTTP-POST request with a <A> hyperlink?

            • by bani ( 467531 )
              Yeah, i'd love to see this uber-leet HTTP-POST with <A> hyperlink too.
            • by lspd ( 566786 )
              I wasn't claiming that you can urlencode a POST into an hyperlink. I was saying that many scripts say they want POST but will happily accept urlencoded GET without complaining.

              If you track evil POSTs, you have to track evil GETs or you leave a simple workaround (just copy/paste your evil string on the URL.) OTOH, if you track and report evil GETs, then any unsuspecting fool who clicks on a bad hyperlink might be wrongfully reported.
  • by idontgno ( 624372 ) on Thursday August 04, 2005 @04:46PM (#13244313) Journal
    What am I missing here? A honeypot attracts would-be attackers with a false target to allow them to try their every wile against the honeypot while the pot's admins record every move.

    How do you honeypot Google? I'm fairly sure the nice folks at GoogleCorp aren't going to let you stick your honeypot in the way of the real thing. If the hacks in question are just malicious queries, how do you get the 1334 hax0rs to use your oh-so-attractive honeypot when every schmoe can type "www.google.com" into their attack script?

    Where's the flaw in my thinking? If you're not honeypotting the search, what's left?

    • by Anonymous Coward
      From the site These insecure tools, when combined with the power of a search engine and index which Google provides, results in a convenient attack vector for malicious users. GHH is a tool to combat this threat.

      Hackers use google to uncover these site's vulnerabilities. Thats all Google has to do with it!
    • by wowbagger ( 69688 ) on Thursday August 04, 2005 @05:16PM (#13244629) Homepage Journal
      OK, simply:

      Tool creates fake web pages that look like vulnerable Web apps.

      Google indexes fake pages.

      Bad Guy searches Google for likely victims.

      Google returns indexes of pages created by tool.

      Bad Guy follows links.

      Tool logs Bad Guy's IP and other information.

      No Profit for Bad Guy.

      Good Guys watch Bad Guy try to |-|@><0r the page, and log everything his does.

      Good Guys contact Law Enforcement, present evidence.

      Good Guys contact Bad Guy's ISP, present evidence.

      (now, there are 2 possible outcomes - the ideal and the real.)

      Ideal outcome

      Law Enforcement goes after Bad Guy.

      Bad Guy's ISP shuts Bad Guy down.

      Bad Guy gets caught, convicted, and spends several years playing "Hide The Sausage" with his new friend Benjamin Dover the Serial Sodomist.

      Real outcome

      Law Enforcement ignores evidence as no money was lost.

      Bad Guy's ISP ignores evidence as there is no Law Enforcement involvement, and Good Guys are not ISP's customers.

      Bad Guy is distracted for a while and doesn't get to |-|@><0r as many systems.
      • by Anonymous Coward
        Is it an 'ideal' outcome because someone would be sentanced to prison for commiting no crime and doing no damage, or because he would be repeatedly raped when he got there?

        Curiosity isn't a crime. Even if it was, no crime should be punished by what is essentially state sanctioned rape.
      • 'Bad guy' not so bad (Score:1, Interesting)

        by Anonymous Coward
        The problem here is that I can't see a way of using Google that would mean truly illegal website cracking (vocabulary lesson: 'cracking' as in dismantle security measures; and not 'hacking' as in improving the linux kernel).

        For example, the following "crack-search" example: 'intitle:index.of "parent directory" *.mp3', this only is useful if you mistakenly have left your http server on, I don't think the 'bad guy' is doing anything bad by using this, it is you who should disable your http server, or Google
      • Surely the point is to identify that you are being attacked, and how?

        Then you can develop counter measures...no?

        Your scenario falls under entrapment (in the UK anyhoo)
    • "...every schmoe can type "www.google.com" into their attack script?"

      This is not a Google search engine clone. This tool uses Google and other search engines to index fake vunerabilities in order to entice would-be hackers into trying to exploit a vunderability. This tool then logs the activity and the IP and such can be added to a blacklist database that other site admins can use to block malicious user IP's, report to ISP of IP address...potentially.

      That said, a hacker worth his salt most likely won't be
  • Or does this seem a little... Strange? I mean, it's all well and good to leave a honeypot out, but I think this is a bad move by Google. What about all those bees?
  • by I.M.O.G. ( 811163 ) <spamisyummy@gmail.com> on Thursday August 04, 2005 @04:54PM (#13244395) Homepage
    "GOOGLE HACKING"

    Google hacking is the process of reconnaisance with a target, through the use of google.

    What this means, is that an attacker has a target, he can use google to find information/vulnerabilities of this target without actually ever touching the target at all, thereby giving no warning.

    It's a much "safer" way of reconnaisance than directly going to a page and attempting trial and error attacks... The attacked has no idea there is any reconnaisance taking place, yet the attacker is finding more and more information about exploiting their target.

    "HONEYPOTS"

    Honeypots are designed to be in a controlled vulnerable state. You set up a server with known vulernabilities and put it in a controlled area of your network. Depending on the software used, there are various levels of interaction the honeypot will allow. Complicated honeypots can replicate a large network, recording all activities of the attacker and keeping their interest for longer. Simple honeypots only allow basic actions, and the attacker will become bored more quickly and you will get less information./P.

  • I think... (Score:3, Funny)

    by freshman_a ( 136603 ) on Thursday August 04, 2005 @05:01PM (#13244467) Homepage Journal
    Between this article and the duped [slashdot.org] article [slashdot.org] mentioning Johnny Long's book, I think the editors just like the words like "penetration" and "long".

    Ok, there's my dirty post for the day.
  • Honeypot Explained (Score:5, Informative)

    by spood ( 256582 ) on Thursday August 04, 2005 @05:16PM (#13244621) Homepage Journal
    There seems to be a lot of confusion about how this works. You need to understand two things to understand the GHH - first what a 'Google Hack' is in the first place, and second how to create a honeypot to record malicious behavior.

    First, a quick summary of Google hacking: Google obviously has a huge cache of URLs. If a vulnerability is published that can be identified by a URI string, then you can simple Google that URI to identify vulnerable hosts. The GHH main page has a list of the current vulnerability signatures that it tracks.

    In order to make a honeypot for this malicious behavior, you simply have to set up a Web server to respond appropriately to each of these linked URLs and have it be indexed by Google (not a trival task, but still quite doable). You can then track referring requests from Google by IP address, etc...

    In order to defeat this type of tracking, an attacker could strip off the Referer header using an automated tool or a proxy, then route through an Onion router or some other anonymous proxy, but at least the server would still have some metrics to identify the relative freqency of attackers reaching the site through a "Google Hack."
  • by Anonymous Coward

    So how come Google don't do anything about the hacks themselves?

    With some hacks, like the URL based ones, it seems unlikely that removing them would affect any legitimate search.

    The conclusions by courts in the open wireless networks seemed to be that the openess(physically) of a network was irrelevant - if it was private(in the mind of the owner) then you're not alowed in. So Google is not only sniffing out private networks they are also broadcasting them to the world!

    • by Anonymous Coward
      Do what ? Say i deliberately have a directory on my site that is called /etc/passwd ? It is a highly relevant page containing stories and articles I have written

      Say I have pages up with the same strings that are relevant to a number of Google hacks, like "Admin Panel powered by" etc etc ?

      This stupid pre-emptive doctrine that has poisoned everything since 9/11 has to stop. Nothing has been 'settled' in the real world where things actually count.

      if it was private

      The Downing Street memo and numerous other leak
  • How long before the hackers come up with a "rain cloud" counter-hack? After all, everyone knows that a rain cloud never eats honey (no, not a nip).
  • if you're ultra-paranoid, couldn't you just ban all robots from robots.txt, i'm sure there are non-compliant robots.. but legitimate ones like Google should abide, right?
  • I don't understand?

    what are these insecure tools?

    and how does a search engine index aid someone
    in hacking my site?
    • by Anonymous Coward
      Let me show by example.

      Let's say you have a website that runs SomeSoftware v1.0.

      Now let's say SomeSoftware v1.0 has an exploit that allows anyone to gain administrative priviledges to the software.

      If a hacker knows SomeSoftware has this vunlerability, if he wants to have some fun, all he needs to do is Google for "SomeSoftware" to find any website running SomeSoftware! Then he can mess with it.

      Now what the honeypot does, is it masquerades as one of these sites. It'll look just like SomeSoftware in a Googl
    • what are these insecure tools?
      The people running the place? :P
      and how does a search engine index aid someone in hacking my site?
      Maybe a demonstration [google.com] would help you out, here...
  • Pretty neat, but what I would prefer is a tool that uses the most common queries against your site to see if it can be google hacked. I guess this thing could be the database for this query tool. Perhaps this is something that might be in the creator's minds of this project?
    • ...I would prefer is a tool that uses the most common queries against your site to see if it can be google hacked.

      Google is not doing the hacking. I'll give you a simple step by step example hack:

      1) Let's say that you really like to use PHP on your site. Let's also say that PHP has a gaping security hole that will allow all sorts of "hacking" to take place. Lets just say that you don't know about this security hole just yet and so you don't know that it should be patched etc...

      With the situation set u
  • by bbdd ( 733681 ) on Thursday August 04, 2005 @06:49PM (#13245462)
    "These insecure tools, when combined with the power of a search engine and index which Google provides, results in a convenient attack vector for malicious users."

    how is your crappy site being indexed by google the fault of "insecure tools"? you have stuff to hide? don't put it where google can get it!

    the only insecure "tool" is the site designer who exposes his own data...
    • "These insecure tools, when combined with the power of a search engine and index which Google provides, results in a convenient attack vector for malicious users." Don't be so proud of this technological terror you have created, it is nothing compared to the power of the force
  • Someone at 127.0.0.1 is running my website!!ELEVNETY!!!!111!!1!!!!

!07/11 PDP a ni deppart m'I !pleH

Working...