Google Hacking Week : Find webcams, mediacenters and more with Inurl

Feb 27

Today on our Google Hacking week, we continue to use the Google search engine as a source for interesting information. In our  previous posts we talked about finding and downloading certain kinds of files but today we are on the lookout for “juicy devices”. 

The theory is quite simple : Most appliances like webcams, routers, copiers and more have web interfaces. A lot of different applications and services can also be controlled by a web interface. It’s easy and convenient when you can use the browser on your computer to configure and watch your webcam or change settings on your router while on your local lan. But what if those devices are hooked up directly to the internet ? 

Any device that gets connected directly to the internet is at some point scanned and indexed by Google and if you enter the right search term you will be able to find it. The way we are looking for those devices and services today is by using the INURL option. Some web interfaces (to your router or webcam) have a very specific way their URL looks. By searching for those specific url types with the INURL option.. you can find some very cool stuff. If people have done their homework most of these services will be blocked by a unique login or password. But some people just use the default password … or even none at all.

Let us take you an a walk through the net with some very specific INURL Google Dorks.

  • inurl:ViewerFrame?Mode= 
    • This one will get you some interesting webcams (some you can even control with your mouse). Look around and see if you can find the Giraffe Cam.
  • inurl:view/view.shtml
    • More network camera’s here. This one is in some dorm/college. You can control the zoom and the direction of the camera.
  • inurl:”:10000″ intext:”webmin”
    • Remember we talked about WEBMIN ? This will give you a list of all webmin servers connected directly to the internet. most of them are protected by a password (we hope) .. but common usernames like ROOT and some generic passwords might get you in. 
  • inurl:”32400/web/index.html#!/dashboard”
    • This will get you a list of PLEX media servers where people can store music and movies to watch on any device (even across the internet). Most of them are locked down with a login/password. Some of them … are not. Happy streaming.

webvammies

So you see : there are quite a few webservices out there that are inadvertently open to the indexing power of Google. Some clever searching and you can find them.

We close off by going by to our camera in the student dorm. Where is this ?  A simple ping of the url gives us the following IP :  138.25.6.37 and by going to Whereisthisip.net we find out that its Sydney Australia. Its THAT simple.

Puzzling information together.

This might all look like fun and games, but badly secured devices are dangerous. Whether you have weirdo’s peeking through your accidentally-publicly-connected Ip camera, or random people printing out documents on your www-connected printer.. its never good. Using the Domain name, the IP and the registration information of the domain people can quickly find out where and even WHO you are. If you skip good security and don’t use passwords (or default passwords) .. it does not bode well for you. Hackers even use the INURL search to find specific webservers/services with vulnerabilities. All they then need to do is run some code to take advantage of the exploit .. and they are in. Hackers don’t NEED to search for your open Webmin server with the buggy (and vulnerable) version of the http code .. Google did it for them.

Related Posts

kw707 : Downloading Torrents from anywhere.

Dec 15


This week we teach you the art of downloading. Wiseguy Daniel Messer tells you all about how to use the Piratbay browser to anonymise your traffic through  the TOR network, circumventing censorship,  nosy ISP’s and even our lovely friends over at the NSA.  After this insightful tutorial on using this ‘portable app’ its my turn to tell you about “Transmission”, A simple client to download torrent files, with a twist. We show you how to set it up, use it AND control it from just about anywhere. Ever been on your smartphone an thought .. Damn, I wish I could download this torrent back home ? We teach you how to use Transmission from anywhere on any device equipped with a browser. (Even from your phone). Stay tuned till the end because we have a special holiday-cheer announcement for a very special member of the Knightwise.com community. 

Shownotes.

Related Posts


Docuwiki : Take notes everywhere … seriously … every-where !

Nov 21

Greetings blog readers!  It is I, Matt, the stay-at-home g33kdad in Northern California.  I am writing today to discuss a topic that has been much on my mind lately and that is “note taking”.  I know, Y A W N, right?  Who cares?  You open a google doc, you jot some stuff down… or maybe I used a MS word doc for that… where did I save that again… is it in Evernote… oh, here’s some paper, i’ll just write it down… but, then I’ll just have to type it up later… and what if I want to work on it at my mom’s house…and if it’s stored on some company’s server somewhere, what kind of privacy is there… nevermind, I’ll just play xbox.

So, in the spirit of T. S. Eliot who wrote that immature poets copy while mature poets steal, I steal this from Allison Sheridan of the Nosillacast Podcast, “What is the problem to be solved?”

The problem, as I see it, is keeping track of information digitally (whether or not the information started out digital).  Now, unless you have been living under a rock for the recent past, you probably have an opinion on “cloud” services and computing. There are many different services available.  The ubiquitous choice seems to be Evernote. Evernote is a service that allows you to store your notes on an internet accessible server.  This gives you access to them from anywhere you have an internet connection.  There are apps for all the major mobile platforms and for most desktop operating systems. This is a very full-featured service and very powerful, as well.

Another option is to use Google Docs or another hosted word processor. This is a great option because the interface is similar to MS Word or other word processing programs and most of the formatting options you would have on the desktop are available in your web browser.

While these are good options, they have some flaws. They require a third-party to host your notes.  Having someone else handle the server maintenance and software is great, but you have to deal with privacy concerns.  You also have to deal with connectivity to that service. What if you have an internet outage or you find yourself somewhere without wifi. (Do you go places without wifi?) How do you add, edit, or read notes? Also, some services may not be designed for robust note-taking.

When it comes to third-party, cloud services, my personal feelings are these: 1. Any technology can be used to make my life better. 2. Any technology I don’t own or control can be used to make my life worse.  So I have to make a choice. Do I want the convenience of a service designed to meet the need? Do I want to keep all my notes in plain text on my personal computer? Is there another choice?

I have decided that a wiki is a very flexible platform for what I want to do.  In case you don’t know, a wiki (see: http://www.wikipedia.org/wiki/wiki) is a web-based platform for colabrative documents. Anybody who has a user account on a wiki can edit the content, their edits are tracked, and they are available to the public or to other users of the wiki, depending on the configuration.  Wikis have a simple formatting syntax that is easy to learn and use.  Wikis are also designed to store digital information. Links and rich-text and even multimedia can be stored and accessed through a wiki.

dokuwiki-part2-shot2

There are some caveats to this.  Wiki software is a web app that runs (in most cases) on a webserver. So you need to have access to a webserver to utilize a wiki. This can be a shared hosting account, a vps, or a small server in your home. The requirements are minimal. In some cases, wikis can be complicated to set up.

So, what do I do? I use a package called DokuWiki. DokuWiki is related to MediaWiki which is the software that powers one of the most famous wikis in the world, wikipedia.org.  It is a powerful package and works great for note-taking. There are many plugins available to change the syntax, provide for different content types and many other extensions. I have installed it on my home server and use it most every day for my needs. But there was a slight hiccup.  I still needed internet access to make notes.  Not a big deal when I’m on my home network, but even with dynamic DNS, I won’t have access if I can’t get to the internet.  Then, I discovered the “killer app”. There is a plugin called sync (http://www.dokuwiki.org/plugin:sync). This plugin uses XMLRPC to sync content between two dokuwiki installs. It can sync individual pages, whole namespaces (like folders or sub-directories), or even entire wiki instances.  Now, I run linux on my laptop and it was a 5 minute process to start a full LAMP stack on my daily driver. (a full LAMP stack is not necessary, lighttpd with php and SQLight is sufficient) I simply installed a local instance of DokuWiki and set up the sync profile to sync with my home server instance.  Now, if I’m out somewhere with no internet access, I can still access my wiki via “localhost”.  Then, when I get home or to a location with wifi, I run the sync and I have a backup of my notes! Excellent.

I have just scratched the surface of the possibilities of using DokuWiki for online note-taking. There are so many other uses for a wiki and I know that DokuWiki is so easy to deploy, I will be using it again.

Thanks for taking the time to read this article.  More to come! 

You can find more of Matt online at  @sahgeekdad on twitter or via  g33kdad.thestrangeland.net

Related Posts