This is where things on the internet get interesting.
Google hacking critical infrastructure based on data from sites like ShodanHQ and others opens the door to further penetration of support systems. The more interesting part on this is that as these hacks were tested, the systems would only work well in Internet Explorer or relied on ActiveX controls that would prompt for download conditioning workers to download anything. Once the workers are conditioned, it would be easy enough to get them to download malware along with the SCADA system being hacked. There is a lot wrong with the idea that it is trivial to Google hack infrastructure, but there it is, and this chapter should be used by hack and pen testers worldwide to ensure that their infrastructure is not exposed in Google, or in other more precise systems like ShodanHQ
“cisco-ios”+”last-modified” inurl: xhome.htm
Risk Rating: 2
Almost 1200 entries in Google, this identifies cisco systems that have no login, they simply open up on an HTTP/HTTPS and drop the user right into the configuration of the system.
“cisco-ios” inurl: setup_report.htm
Risk Rating: 2
Almost 1000 entries in Google, this is the intitial setup screen for catalyst routers, with this screen there is no login or password required to go into the router to configure it. Similar to Cisco IOS + Last modified but more detailed on what can be grabbed from the system, or configure the catalyst system.
“Accessing Cisco WS-C3550″
Risk Rating: 1
There are only a handful of entries in this Google hack, but it does open the back door to some very interesting infrastructure issues. If you add 12T or 15 or other number for the IOS version to the end of C3550 like C3550-12T you can focus on specific IOS verions in this Google dork.
Risk Rating: 3
There are 2.460 entries in google that takes your right to the Flash/GUI set up for Cisco Routers. This is a very good Google hack for finding routers without password protection at all, and being able to configure them and change their settings, as well as download the configuration files for decrypting Cisco passwords off line.
Risk Rating: 5
With 2.4 million returns, there are a lot of cisco logs to read on Google. The good part about this is that there is a banner at the top that gives you access to exec and configuration of the router. If permissions are not set right it is easy to get to the router configuration, crack the passwords, and reconfigure the router over HTTPS. This is an extraordinarily interesting Google dork.
Risk Rating: 1
Precheck screen for Cisco IOS that automatically forwards to router.html, there are only a dozen of these in Google, but opens the door to router.html files, you will want to modify the ?presence=111111 to another number to traverse the router.
There is a risk rating of 1 to 5 on these, where a risk one is minimal, but a risk rating of 5 opens the doors to much more entertaining data along the path of critical infrastructure.
Realistically we cannot assume that companies know what they are doing anymore, nor can we blindly trust the competence of people who are running, managing, or implementing information security over something as simple as a router. What we need is a way to validate the national standards, and ensure that every action taken helps us secure critical infrastructure so that these kinds of holes are not as ever present as they are. I don’t make this data, copy and paste these into Google and see if what you find. Companies seriously need to wake up and understand that what they do, and how they work with their systems, carries a risk for all of us on the Internet.
(Cross-posted @ Hacking Cloud Computing)