Hacker's Guide to ⭐Dorking⭐
Cyber Security
Um, anyway, this is his and I'm gonna teach you about a phenomenon called dorking. Dorking is when you use open source search engines. Usually not open source. Sorry. When you use publicly available search engines like Google or DuckDuckGo or GitHub's code search to find credentials or things that were made accessible on accident to the web and use them to exploit things. Um, it's not illegal to search for them. It's not illegal to find them, but it is illegal to use them. So we will not try them out. We'll just find them.
In our case, we're going to use GitHub to look for secrets that have been uploaded on accident. If you have access to the code, which you should, we have a dorks markdown file here and we're going to try AWS and SSH. So I have access to GitHub's new code search and feature preview. But if you're using the old code search, you'll just have to change the syntax a little bit, but this should mostly stay the same and this will be available publicly soon anyway, GitHub's new code search.
So let's get started, let's try to find some AWS credentials. So we're gonna use the path name and look for a certain file name. What would the file name be? Well, I happen to know that AWS credentials are stored in the home directory in a file called .aws/credentials. So let's just look for that and see what we get. Okay. We get a lot of stuff that's not credentials, like this has a different file name. You have the right file name but a bunch of weird stuff in them. So first I'm gonna say it should not include the word end of the bar because this one down here has end of the bar. I don't want that. Not in the bar or I also don't want, uh, your access B. C. Any other weird stuff. A bunch of, bunch of stars here. I don't want that for stars. Let's see if we get better. Okay. So what I'm seeing here is we have other file names, like we have 11 back ends and all this other stuff that doesn't actually have credentials.
So I'm gonna change this to be, instead of just searching for these words in the path name, I'm gonna use a regular expression to search. I have to escape this little thing. And I want to say it should start with AWS and it should end with credentials. I don't want anything else inside of this file name. Do what we find now. And here I'm gonna put this inside of the code even though we maybe aren't done yet, just so you guys can get an easier look at it. And there we go. We got some credentials. We see this process.env one down here. I'm gonna get rid of process.env, process.env. Nice. And I guess I kinda want to give it a region, like I don't think most of the good ones we're looking for have region in them, for the region. And yeah, let's try that again. Okay. And there we go. Not bad, not bad. We have some more credentials. We have this one with a bunch of Xs. I could probably get rid of that. I think there's only one page of results, so it's not really a big deal, but you can see we have this result here. We have 1, 2, 3, 4, 5, 6 different results. So it's not spectacular, but for something we just came up with on the spot, that's not bad at all.
In the video description, I actually have a link to show you that, uh, to show you that you can go online and find dorks for everything you can imagine: to find SSH credentials, which we're gonna do right now, but to find private keys, to find anything under the sun, SQL dumps with all kinds of user credentials in them. Um, there's, these have already been developed by the security community to such a level of sophistication, and then you can even monitor for new york. So you can make your dorks and then you can monitor and have a script that checks for them when they show up and alerts and does all kinds of cool stuff, and that's obviously security engineers. Your goal is to just have intelligence or even to warn the people.
Obviously cybercriminals would use those alerts to auto-pwn those machines, basically auto-hack them, or you have a script that sees the alerts, tries the credentials immediately and then changes the credentials and does other things like that, but not us. So we see we have this dork and the dork basically works.
So let's try another one. I have SSH private keys here. Let's see if we can find SSH private keys. It's actually kind of easier because, like, the path for SSH private keys is .ssh/id_rsa. And we just want it to not say pub. So you see we already have some private keys here, but we want to get rid of all these public keys. So we're gonna use a regular expression again. Okay. I just gotta escape the slash just like we did last time. And what we want to say is that it should end with id_rsa, that's the most important thing. Okay, so we have over 100 files. So the situation here with these SSH keys is way worse.
So AWS credentials, what do those give us? S3, things like that. SSH though is almost kind of more brutal because you have a lot of developers and DevOps people who have access to, like, production machines, and when they SSH into them to get a shell, they're not, they're not SSHing in with the username and password, right? Normally, anyway. They're gonna SSH in with private keys. If you wanted to prevent yourself from, like, having this problem, by the way, one common thing I see them do is also limiting access to IP addresses. So you have someone who logs in with their SSH private key, but they also have to log in from the right IP address. So you usually have some process where you give your IP address to an admin. He'll put it in the list of allowed addresses, and if you try to SSH in and you're not from that IP address, and you obviously don't have the right SSH key, then you don't get in.
That's something, I mean, I've implemented before. That's something you can do to mitigate these keys from being lost. For the AWS thing, probably, I guess two-factor authentication would help, but if you're trying to do it, like, with automation, that might be difficult. But in the case of SSH, for sure, you can limit it to IP addresses if you're talking about a production environment.
So that was pretty easy. That's what dorking is all about. One limitation here on this GitHub code, source code search, is that you can't do case-sensitive searching. Uh, I ran into that with, I've seen that with, like, something like AWS where it's like login or like username equals username in all caps. And I would say no, I don't want username in all caps, but it doesn't recognize caps or not. So it's kind of hard to deal with that. There are ways though, but that's the gist of dorking.
Dorking is mostly associated with, it started with, Google. Google is like the king of where dorking happens. Why? Because it's indexed everything. So there's just so many things you can find, and it does have operators that allow you to really specify some specific stuff that's likely to be vulnerable. But there you go. That's dorking. I hope you enjoyed that. I hope that was educational. You can get an idea of how to find some stuff and why it's so important to be very, very careful with what you upload. Right? Like when you make a repo and you're just, oh yeah, whatever is in this directory, just send it out there. Oops, that was my home directory. But hey, probably nothing top secret in there. Right, well, you have all these dot files that you might not even be thinking about and they're often pretty important. So be careful about that.
Even in web directories, there can be things with secrets, like .htaccess, which is authentication for HTTP. People will upload a web directory and, I mean, .env files. That's like the classic one. Right? I mean, we can look at .env right now. Let's look for .env. And we don't want .env... Actually, I'll just do it to show you guys. Build up .env, probably get a lot of, normally, okay, .env.js, et cetera, et cetera. Right? But what we want is things that end in .env. And let's see if we find anything actually interesting here. Probably not because, yes, sample.env, I think, here. You know what, let's say it has to start with that too. Let's just see if we can find anything. And we find some AWS access key. But nothing real, sorry. We should technically be down, here we go. Here's a secret. We have a stream API key, a stream user ID and a stream user token. That token seems like something that's probably secret. So there you go. DB connection, this is some MongoDB credentials.
And usually, like, when you click on these, if you go to view repo, just to show you how easy this is, from years ago. So there's overwhelming probability that that won't work. But still, it's pretty bad. And if you're on GitHub's normal search, I don't know how to do this on this search, but you can actually search by recent. So just making it extra bad. But in reality what you do is you write a script that does this for you anyway and just tries a bunch of stuff or is looking for something specific. Right. So anyway, happy dorking guys, I hope that was educational for you, and I will see you next time.
Phew! I was a tad disorganized in this one, gratitude to all for following along!