
SANS ISC: Using Bad Material for the Good - SANS Internet Storm Center


Using Bad Material for the Good

There is a huge amount of information shared online by attackers. Once again, pastebin.com is a nice place to start hunting. As this material is available for free, why not use it for the good? Attackers (with or without bots) are constantly looking for entry points on websites. Such entry points are good places to look, for example, for SQL injections. Example:

add_to_cart.php?item=

As attackers are also hunting for new targets, they have automated tools or bots that scan the Internet for potential new victims. To do this, they use search engines and search for specific strings called "dorks". This term comes from the "Google Hacking Database Project"[1]. This is an old project, but attackers are still creating lists of interesting URIs and it's quite easy to find them. Here are two examples of pasties with big lists of dorks:

https://pastebin.com/ABZ8Z8zy
https://pastebin.com/Tdvi8vgK

Why not reuse this free "bad" material to perform hunting in your own website's logs and have a head start on attackers? The benefits are multiple: you will probably detect suspicious pages that should not be publicly available and you'll be able to detect if people are already scanning your infrastructure.

With Splunk, create a CSV file containing all the interesting dorks and use a query like the following one to search for them across all your Apache logs:

sourcetype=access_combined [|inputlookup dorks.csv | eval uri="*".dork."*" | fields uri]

Don't forget that the more dorks you search for in your logs, the more hits you will find. Try to reduce the noise by removing trusted IP addresses, etc.
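The same hunt can be run outside Splunk. The following Python script is an added example, not code from the diary: it loads a dorks CSV with the same single "dork" column the Splunk query expects, parses Apache "combined" log lines, reports every request whose URI contains one of the dorks (the equivalent of the "*dork*" wildcard match above), and drops requests from a set of trusted IP addresses to reduce the noise. The dorks, log lines and IP addresses below are constructed for illustration and are not taken from the pastes referenced in the diary.

```python
import csv
import io
import re
from collections import Counter
from urllib.parse import unquote

# Constructed dorks file (one column named "dork", like the Splunk lookup).
DORKS_CSV = """dork
add_to_cart.php?item=
product_detail.php?id=
phpmyadmin
"""

# Constructed Apache "combined" log lines; addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2017:13:55:36 +0000] "GET /shop/add_to_cart.php?item=1%27%20OR%201=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2017:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2017:13:55:38 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "python-requests/2.18"
192.0.2.10 - - [10/Oct/2017:13:55:39 +0000] "GET /shop/product_detail.php?id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Assumed set of trusted sources (your own scanners, monitoring hosts, ...).
TRUSTED_IPS = frozenset({"192.0.2.10"})

# Apache "combined" format: ip ident user [time] "method uri proto" status size "referer" "ua"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def load_dorks(csv_text):
    """Read the 'dork' column of a CSV file and return the non-empty values."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row["dork"].strip() for row in reader if row["dork"].strip()]


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    match = COMBINED_RE.match(line)
    return match.groupdict() if match else None


def find_dork_hits(log_text, dorks, trusted_ips=frozenset()):
    """Return one hit per request whose URI contains a dork, skipping trusted IPs.

    The URI is percent-decoded and lower-cased before matching so that an
    encoded or mixed-case probe for the same page is still caught.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["ip"] in trusted_ips:
            continue
        uri = unquote(rec["uri"]).lower()
        for dork in dorks:
            if dork.lower() in uri:
                hits.append({"ip": rec["ip"], "uri": rec["uri"],
                             "dork": dork, "status": rec["status"]})
                break  # one hit per request is enough for triage
    return hits


def summarize_by_ip(hits):
    """Count hits per source IP so the noisiest scanners surface first."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    dorks = load_dorks(DORKS_CSV)
    hits = find_dork_hits(SAMPLE_LOG, dorks, TRUSTED_IPS)
    for h in hits:
        print(f'{h["ip"]} {h["status"]} {h["uri"]}  (dork: {h["dork"]})')
    print(summarize_by_ip(hits))
```

In this constructed sample the two requests from 203.0.113.7 are reported (an injection attempt against add_to_cart.php and a probe for phpmyadmin, which the server answered with a 404), while the product_detail.php request is dropped because its source is in the trusted set. A 404 on a dork is still worth a look: it tells you someone is scanning even though the page does not exist on your site.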

A good alternative to Apache logs is to use a tool like Bro that will extract URLs on the fly from the network traffic. With this technique, you'll also be able to detect rogue web applications!

Happy hunting!

[1] https://www.exploit-db.com/google-hacking-database/

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key
