Tenacious Diggity
Skinny Dippin' in a Sea of Bing
29 July 2012 – DEF CON 20 – Las Vegas, NV




Presented by:
Francis Brown & Rob Ragan
Stach & Liu, LLC
www.stachliu.com
Agenda
     OVERVIEW


•  Introduction/Background

•  Advanced Attacks
    •  NEW Diggity Attack Tools

•  Advanced Defenses
    •  NEW AlertDiggity Cloud Database

•  Future Directions


Introduction/Background
   GETTING UP TO SPEED



Diggity Tools
   PROJECT OVERVIEW




Diggity Tools
            ATTACK TOOLS

 Tool                  Description
 GoogleDiggity         Traditional Google hacking tool
 BingDiggity           Bing equivalent of traditional Google hacking tool
 FlashDiggity          Adobe Flash security scanning tool
 DLPDiggity            Data loss prevention scanning tool
 LinkFromDomain        Bing footprinting tool based on off-site links
 CodeSearch Diggity    Open-source code vulnerability scanning tool
 MalwareDiggity        Malware link detection tool for off-site links

Diggity Tools
            NEW ATTACK TOOLS

 Tool                  Description
 PortScan Diggity      Passive port scanning via Google
 NotInMyBackYard       Easily find your info in 3rd party sites
 BHDB 2.0              New Bing Hacking DB, now as effective as Google
 Bing BinaryMalware    Find malware via Bing's indexing of executables
 CodeSearch REBORN     Brought back from the dead
 SHODAN Diggity        Easy interface to SHODAN search engine

Diggity Scraping
   NEW ACROSS ALL ATTACK TOOLS




Diggity Scraping
   PROXIES SPECIFICATION




Diggity Scraping
   MANUAL PROXIES SPECIFICATION




Advanced Attacks
   WHAT YOU SHOULD KNOW


NEW GOOGLE HACKING TOOLS


PortScan Diggity

PortScanning
    TARGETING HTTP ADMIN CONSOLES

Searching for web admin interfaces on non-standard HTTP ports




PortScanning
    TARGETING PORT RANGES

Searching for specific port ranges




PortScanning
    TARGETING VULNERABILITY

Targeting specific HTTP ports example




PortScan Diggity
  TARGETING HTTP ADMIN CONSOLES




NEW GOOGLE HACKING TOOLS


NotInMyBackYard

Data Leaks on 3rd Party Sites
     SENSITIVE INFO EVERYWHERE

Verizon - 2012 Data Breach Investigation Report




PasteBin Leaks
     PASSWORDS IN PASTEBIN.COM POSTS

 •  Twitter feed tracking passwords leaked via PasteBin




Cloud Docs Exposures
     PUBLIC CLOUD SEARCHING

Public cloud storage document exposures




Cloud Docs Exposures
     ROBOTS.TXT IS DEAD

Personal photo galleries exposed




Data Loss In The News
      MAJOR DATA LEAKS

•  Yale Alumni 43,000 SSNs Exposed in Excel Spreadsheet




NotInMyBackYard
      LOCATION, LOCATION, LOCATION

Cloud storage:
•  Google Docs/Drive, DropBox, Microsoft SkyDrive, Amazon S3

Social networking sites:
•  Facebook, Twitter, LinkedIn

Public document sharing sites:
•  scribd.com, 4shared.com, issuu.com, docstoc.com,

PasteBin and text sharing sites:
•  pastebin.com, pastie.org, …

Public presentations sharing sites:
•  slideshare.net, prezi.com, present.me

Public charts and graphs sharing sites:
•  ratemynetworkdiagram.com, gliffy.com

Video sharing sites:
•  vimeo.com, dailymotion.com, metacafe.com, youtube.com

NotInMyBackYard
  PASTEBIN EXAMPLE




NotInMyBackYard
  XLS IN CLOUD EXAMPLE




Cloud Docs Exposures
     PUBLIC CLOUD SEARCHING

Public cloud storage document exposures




NEW GOOGLE HACKING TOOLS


Bing Hacking Database v2.0

Bing Hacking Database v2.0
                 STACH & LIU TOOLS


BHDB v2.0 – Updates
•  Bing hacking database
•  Bing hacking limitations
     •  Disabled inurl:, link: and linkdomain: directives in March 2007
     •  No support for ext:, allintitle:, allinurl:
     •  Limited filetype: functionality
          •  Only 12 extensions supported

•  UPDATES (2012)
     •  ext: functionality now added
     •  inurl: workaround by using instreamset:url:
•  New BHDB 2.0
     •  Several thousand more Bing dorks!

NEW GOOGLE HACKING TOOLS


BingBinaryMalwareSearch (BBMS)


Bing Malware Search
   TARGETING MALWARE

Targeting known malware signatures




Google vs Bing Size
  MORE BANG FOR YOUR SEARCH




NEW GOOGLE HACKING TOOLS


CodeSearch Diggity

Google Code Search
       VULNS IN OPEN SOURCE CODE

 •  Regex search for vulnerabilities in indexed public code, including popular
    open source code repositories

 •  Example: SQL Injection in ASP querystring
       •  select.*from.*request.QUERYSTRING

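One way to run the slide's pattern over your own source before it is published or indexed, as an added example that is not part of the Diggity tools: the regex is the one quoted above, while the classic-ASP sample lines, the line-at-a-time matching and the case-insensitive flag are assumptions made here.

```python
"""Regex-based source scan in the spirit of the CodeSearch Diggity slide.

Added example, not Stach & Liu code. The pattern is the one on the slide; the
ASP sample is constructed for this demonstration, and matching per line with
re.IGNORECASE is an assumption about how the pattern was meant to be applied.
"""
import re
from typing import Dict, List, Tuple

# Pattern quoted on the slide: a SELECT ... FROM built from Request.QueryString.
# The unescaped '.' in "request.QUERYSTRING" is a regex wildcard, so it also
# matches e.g. "request_querystring", not only the literal dot.
PATTERNS: Dict[str, str] = {
    "asp_sqli_querystring": r"select.*from.*request.QUERYSTRING",
}

# Constructed classic-ASP sample: line 4 concatenates user input straight into
# SQL; lines 7-10 pass the same input through a parameterised ADODB.Command.
SAMPLE_ASP = """\
<%
Dim conn, rs, sql
Set conn = Server.CreateObject("ADODB.Connection")
sql = "SELECT * FROM users WHERE name = '" & Request.QueryString("user") & "'"
Set rs = conn.Execute(sql)

Set cmd = Server.CreateObject("ADODB.Command")
cmd.CommandText = "SELECT * FROM users WHERE name = ?"
cmd.Parameters.Append cmd.CreateParameter("@name", 200, 1, 50, Request.QueryString("user"))
Set rs2 = cmd.Execute
%>
"""

Finding = Tuple[int, str, str]  # (line number, pattern name, offending line)


def scan_source(text: str, patterns: Dict[str, str] = PATTERNS) -> List[Finding]:
    """Run every pattern over each line and return the lines that match.

    This is a triage heuristic, not a parser: it mirrors the slide's single-line
    example, so a query assembled across several lines is missed, and a safe
    parameterised call that happens to share a line with SELECT ... FROM would
    still be flagged and needs a human look.
    """
    compiled = {name: re.compile(rx, re.IGNORECASE) for name, rx in patterns.items()}
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in compiled.items():
            if rx.search(line):
                findings.append((lineno, name, line.strip()))
    return findings


def main() -> None:
    for lineno, name, line in scan_source(SAMPLE_ASP):
        print(f"line {lineno}: {name}: {line}")


if __name__ == "__main__":
    main()
```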
  
CodeSearch Diggity
  AMAZON CLOUD SECRET KEYS




Cloud Security
   NO PROMISES... NONE

 Amazon AWS Customer Agreement
   •  http://aws.amazon.com/agreement/#10

Cloud Crawling
  CREATE YOUR OWN SEARCH ENGINES




NEW GOOGLE HACKING TOOLS


SHODAN Diggity


SHODAN
     HACKER SEARCH ENGINE

•  Indexed service banners for the whole Internet for HTTP (port 80), as well
   as some FTP (23), SSH (22) and Telnet (21) services

SHODAN
 FINDING SCADA SYSTEMS




SHODAN
 FINDING SCADA SYSTEMS




SHODAN Diggity
  FINDING SCADA SYSTEMS




Advanced Defenses
   PROTECT YO NECK


Diggity Alert DB
   DATA MINING VULNS

Diggity Alerts Database

Future Directions
    WHAT WILL HAPPEN


Diggity Dashboards
   COMING SOON

Google Charts

Mobile BI Apps

DLP Reporting
   PRACTICAL EXAMPLES




Questions?
Ask us something
We’ll try to answer it.
For more info:
Fran Brown
Rob Ragan (@sweepthatleg)
Email: contact@stachliu.com
Project: diggity@stachliu.com
Stach & Liu, LLC
www.stachliu.com
Thank You

Stach & Liu Google Hacking Diggity Project info:
http://www.stachliu.com/index.php/resources/tools/google-hacking-diggity-project/

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 

Recently uploaded (20)

Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 

Tenacious Diggity Skinny Dippin' in a Sea of Bing (slide transcript)

  • 1. Tenacious Diggity: Skinny Dippin' in a Sea of Bing. 29 July 2012 – DEF CON 20 – Las Vegas, NV. Presented by: Francis Brown & Rob Ragan, Stach & Liu, LLC, www.stachliu.com
  • 3. Agenda – OVERVIEW: Introduction/Background; Advanced Attacks (NEW Diggity Attack Tools); Advanced Defenses (NEW AlertDiggity Cloud Database); Future Directions
  • 4. Introduction/Background – GETTING UP TO SPEED
  • 5. Diggity Tools – PROJECT OVERVIEW
  • 6. Diggity Tools – ATTACK TOOLS
      GoogleDiggity: Traditional Google hacking tool
      BingDiggity: Bing equivalent of traditional Google hacking tool
      FlashDiggity: Adobe Flash security scanning tool
      DLPDiggity: Data loss prevention scanning tool
      LinkFromDomain: Bing footprinting tool based on off-site links
      CodeSearch Diggity: Open-source code vulnerability scanning tool
      MalwareDiggity: Malware link detection tool for off-site links
  • 7. Diggity Tools – NEW ATTACK TOOLS
      PortScan Diggity: Passive port scanning via Google
      NotInMyBackYard: Easily find your info in 3rd party sites
      BHDB 2.0: New Bing Hacking DB, now as effective as Google
      Bing BinaryMalware: Find malware via Bing's indexing of executables
      CodeSearch REBORN: Brought back from the dead
      SHODAN Diggity: Easy interface to SHODAN search engine
  • 8. Diggity Scraping – NEW ACROSS ALL ATTACK TOOLS
  • 9. Diggity Scraping – PROXIES SPECIFICATION
  • 10. Diggity Scraping – MANUAL PROXIES SPECIFICATION
  • 11. Advanced Attacks – WHAT YOU SHOULD KNOW
  • 12. NEW GOOGLE HACKING TOOLS – PortScan Diggity
  • 13. PortScanning – TARGETING HTTP ADMIN CONSOLES: Searching for web admin interfaces on non-standard HTTP ports
  • 14. PortScanning – TARGETING PORT RANGES: Searching for specific port ranges
  • 15. PortScanning – TARGETING VULNERABILITY: Targeting specific HTTP ports example
  • 16. PortScan Diggity – TARGETING HTTP ADMIN CONSOLES
  • 17. NEW GOOGLE HACKING TOOLS – NotInMyBackYard
  • 18. Data Leaks on 3rd Party Sites – SENSITIVE INFO EVERYWHERE: Verizon 2012 Data Breach Investigation Report
  • 19. PasteBin Leaks – PASSWORDS IN PASTEBIN.COM POSTS: Twitter feed tracking passwords leaked via PasteBin
  • 20. Cloud Docs Exposures – PUBLIC CLOUD SEARCHING: Public cloud storage document exposures
  • 21. Cloud Docs Exposures – ROBOTS.TXT IS DEAD: Personal photo galleries exposed
  • 22. Data Loss In The News – MAJOR DATA LEAKS: Yale Alumni, 43,000 SSNs exposed in Excel spreadsheet
  • 23. NotInMyBackYard – LOCATION, LOCATION, LOCATION
      Cloud storage: Google Docs/Drive, DropBox, Microsoft SkyDrive, Amazon S3
      Social networking sites: Facebook, Twitter, LinkedIn
      Public document sharing sites: scribd.com, 4shared.com, issuu.com, docstoc.com
      PasteBin and text sharing sites: pastebin.com, pastie.org, …
      Public presentation sharing sites: slideshare.net, prezi.com, present.me
      Public charts and graphs sharing sites: ratemynetworkdiagram.com, gliffy.com
      Video sharing sites: vimeo.com, dailymotion.com, metacafe.com, youtube.com
  • 24. NotInMyBackYard – PASTEBIN EXAMPLE
  • 25. NotInMyBackYard – XLS IN CLOUD EXAMPLE
  • 26. Cloud Docs Exposures – PUBLIC CLOUD SEARCHING: Public cloud storage document exposures
  • 27. NEW GOOGLE HACKING TOOLS – Bing Hacking Database v2.0
  • 28. Bing Hacking Database v2.0 – STACH & LIU TOOLS: BHDB v2.0 updates
      Bing hacking database
      Bing hacking limitations: disabled inurl:, link: and linkdomain: directives in March 2007; no support for ext:, allintitle:, allinurl:; limited filetype: functionality (only 12 extensions supported)
      UPDATES (2012): ext: functionality now added; inurl: work-around by using instreamset:url:; new BHDB 2.0 with several thousand more Bing dorks!
  • 29. NEW GOOGLE HACKING TOOLS – BingBinaryMalwareSearch (BBMS)
  • 30. Bing Malware Search – TARGETING MALWARE: Targeting known malware signatures
  • 31. Google vs Bing Size – MORE BANG FOR YOUR SEARCH
  • 32. NEW GOOGLE HACKING TOOLS – CodeSearch Diggity
  • 33. Google Code Search – VULNS IN OPEN SOURCE CODE: Regex search for vulnerabilities in indexed public code, including popular open source code repositories. Example: SQL injection in ASP querystring: select.*from.*request.QUERYSTRING
  • 34. CodeSearch Diggity – AMAZON CLOUD SECRET KEYS
  • 35. Cloud Security – NO PROMISES... NONE: Amazon AWS Customer Agreement, http://aws.amazon.com/agreement/#10
  • 36. Cloud Crawling – CREATE YOUR OWN SEARCH ENGINES
  • 37. NEW GOOGLE HACKING TOOLS – SHODAN Diggity
  • 38. SHODAN – HACKER SEARCH ENGINE: Indexed service banners for the whole Internet for HTTP (port 80), as well as some FTP (23), SSH (22) and Telnet (21) services
  • 39. SHODAN – FINDING SCADA SYSTEMS
  • 40. SHODAN – FINDING SCADA SYSTEMS
  • 41. SHODAN Diggity – FINDING SCADA SYSTEMS
  • 42. Advanced Defenses – PROTECT YO NECK
  • 43. Diggity Alert DB – DATA MINING VULNS: Diggity Alerts Database
  • 44. Future Directions – WHAT WILL HAPPEN
  • 45. Diggity Dashboards – COMING SOON: Google Charts; Mobile BI Apps
  • 46. DLP Reporting – PRACTICAL EXAMPLES
  • 47. Questions? Ask us something, we'll try to answer it. For more info: Fran Brown, Rob Ragan (@sweepthatleg). Email: contact@stachliu.com. Project: diggity@stachliu.com. Stach & Liu, LLC, www.stachliu.com
  • 48. Thank You. Stach & Liu Google Hacking Diggity Project info: http://www.stachliu.com/index.php/resources/tools/google-hacking-diggity-project/
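Slides 33 and 34 describe the CodeSearch approach: regex rules run over indexed source code to surface injection patterns and leaked cloud keys. The following is an added example, not code from the deck or from the Stach & Liu Diggity tools. It applies the slide's querystring regex (made case-insensitive, since VBScript and SQL are) together with a constructed AWS access key ID pattern to a constructed classic-ASP snippet, the kind of pre-push check a team runs over its own repositories before code lands on a public host. The rule names, the sample file and the key value (AWS's documented placeholder AKIAIOSFODNN7EXAMPLE) are all constructed for this example.

```python
"""
Added example (not part of the Tenacious Diggity deck or the Diggity tools):
a small CodeSearch-style scanner that runs regex rules line by line over
source text and reports likely-vulnerable or secret-bearing lines.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    description: str


# Rule 1 is the regex quoted on slide 33 (SQL built from Request.QueryString
# in classic ASP), with the dot escaped and matching made case-insensitive.
# Rule 2 is a constructed pattern for an AWS access key ID: "AKIA" followed
# by 16 uppercase alphanumerics (assumption: this is the shape you want to
# flag in your own repositories).
RULES: list[Rule] = [
    Rule(
        "asp_sqli_querystring",
        re.compile(r"select.*from.*request\.querystring", re.IGNORECASE),
        "SQL text concatenated with Request.QueryString (classic ASP injection)",
    ),
    Rule(
        "aws_access_key_id",
        re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
        "AWS access key ID committed to source",
    ),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    line: str


def scan_text(text: str, rules: list[Rule] = RULES) -> list[Finding]:
    """Run every rule over every line; return findings in file order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule in rules:
            if rule.pattern.search(line):
                findings.append(Finding(rule.name, line_no, line.strip()))
    return findings


# Constructed sample: one injectable query (string concatenation), one
# parameterised query that must NOT match, and a hard-coded key using the
# AWS documentation placeholder value, not a real credential.
SAMPLE_ASP = """<%
Dim id, sql
id = Request.QueryString("id")
sql = "SELECT name FROM users WHERE id=" & Request.QueryString("id")
Set cmd = Server.CreateObject("ADODB.Command")
cmd.CommandText = "SELECT name FROM users WHERE id=?"
cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , id)
Const AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
%>"""


def scan_sample() -> list[Finding]:
    """Scan the constructed sample; expected hits are on lines 4 and 8."""
    return scan_text(SAMPLE_ASP)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.rule:<24} line {f.line_no}: {f.line}")
```

Only the concatenated query and the hard-coded key are reported; the parameterised `cmd.CommandText` line contains no `Request.QueryString` and so passes, which is the property a rule like this needs in order to be useful as a gate rather than noise.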