If you’re responsible for your organization’s data security, it may be wise to become familiar with The Cult of the Dead Cow (cDc), and a security tool it produced called Goolag.
If you’ve never heard of cDc, it’s the “most accomplished and longest-running group in the computer underground and widely considered to be the most elite people to ever walk the face of the earth.” That’s what it says on cDc’s web site, anyway. Their killa appz & projektz include the Back Orifice series of “remote admin” tools first seen ten years ago, so they certainly have a fine pedigree and know what they are doing.
So what’s this Goolag all about then? Well, it’s a security scanner of sorts, which can find vulnerabilities on your corporate systems. Or anyone else’s for that matter. So as with most of these types of tools, it can be used by you or against you. Since someone may well try to use it against you in the future, your best bet for a responsible course of action is to use it on yourself now and see what it reveals.
More Web Server Security
The name Goolag is a corruption of Gulag, the Soviet Union’s directorate for labor camps. In 2006 cDc came up with a graphic with the world Goolag, in the same style as the famous Google logo, to protest against what it said was Google’s appeasement policy in China.
Earlier this year Goolag came back as the name for cDc’s automated .NET-based Google-hacking tool, the power of which the group demonstrated by using it to reveal stashes of pornographic material on Chinese government systems.
To understand what Goolag does, you need to understand the basics of Google hacking. Essentially, it’s the practice of using Dorks — carefully crafted advanced search terms — to discover valuable information which is available on many companies’ Web pages. Sometimes this information is meant to be publicly available, but more often it is to be found on pages never intended to be accessible over the Web, but which Google nonetheless uncovers. The whole practice was pioneered by Johnny I Hack Stuff, a good-guy hacker who likes to reveal googledorks, which he defines as “inept or foolish people as revealed by Google.”
Here’s an example: Pop
intitle:index.of passwd passwd.bak into Google to find pages with password files containing encrypted passwords. Set your cracker on them and you’ll have a list of accounts and passwords — if the passwords weren’t strong to begin with. By restricting the search to your own domain, you can see if you are revealing anything you shouldn’t, and if so, you can test your passwords using a utility like John the Ripper to see how strong they are.
Johhny has a hacking database of useful search terms to find things like passwords or vulnerable servers at http://johnny.ihackstuff.com/ghdb.php, and you can click on them to perform these searches one by one. But Goolag takes this to another plane altogether, by taking a huge list of Dorks and performing them automatically, searching for vulnerabilities on a specific domain, or the whole Internet. If you are using Goolag defensively to scan your own sites – there’s no obvious reason why you would want to search the whole Internet – you’d restrict the search to whatever domains you are responsible for.
Installing Goolag is as straightforward as can be, although slightly unnerving as a robotic voice talks you through the process as it installs. When it starts up you then get a cDc splash screen with a rather strange picture of a unicorn.
And then you’re on to the main screen, with a list of available Dorks on one side, space for results on the other, and an empty field where you can enter the host to scan, and a button to start the whole process. (See Figure 1)
Goolag ships with well over a thousand Dorks preloaded in an XML file, and you can add to this list any time you like. They are organized into categories, including “Files containing usernames”, “Files containing passwords”, “Vulnerable servers”, and so on. Clicking on individual Dorks or Dork categories activates those Dorks for the next scan.
Treading Lightly Around Google
Why not just scan using all the available Dorks and see what Google finds on your domain? Unfortunately this is where problems begin. One of the big benefits of Google hacking is that you don’t have any direct contact with the domain you are scanning: Google effectively does the scanning for you, and you query Google to get the results you are interested in. The problem is that while Google relies on automated operations to index pages on the Internet, it doesn’t like software carrying out automated Google searches.
This means that if you try to scan using more than ten or so Dorks at once, you’re likely to be faced with the dreaded Google “We’re sorry” page, informing you that your query looks similar to an automated request, and giving you a Captcha problem to solve to prove you are human if you want to continue.
To its credit, Goolag handles this with a certain aplomb, displaying the error page and allowing you to solve the Captcha before it continues, but if you trigger the error page once you’re likely to trigger it again after just a few more scans. If you wanted to try testing every possible Dork you’d be there solving Captchas for hours. Worse, once you’ve triggered the error page a few times you may find all your Google searches blocked for a period, including quite separate ones that you may want to do by hand later in the day. In practice, then, you’ll have to work your way through the Dorks five or ten at a time if you don’t want to spend your time solving Captchas.
If nothing else, Goolag lets you scan your web servers for vulnerabilities you never knew — or thought — it was exposing to the world in a moderately convenient way. It’s certainly more convenient than Google-hacking your site by hand, but thanks to Google it’s not a one click process either.
But at least if your CTO asks you how any vulnerabilities you do find were brought to your attention, you’ll have the kick of looking at him knowingly and muttering furtively that it’s all down to the Cult of the Dead Cow …