CCIS2410: Hacker Techniques & Tools

Lab 8.1--- Find String

Objective
Students will analyze website content offline for potentially revealing information.

Web Server Content Review

Business websites can contain a wealth of information that may be potentially
useful to an attacker if not carefully reviewed, filtered and controlled.

To minimize the amount of information available to outsiders and potential

attackers, web content should be thoroughly reviewed and scrutinized. If there is
not a specific business reason for the content to be available to the outside
world, it should be considered for removal from the website altogether.

Website reviews can be done manually or by using a tool to automate the

process. In a manual review, each page of the website is carefully reviewed and
assessed for potentially revealing content. Although tedious, and prone to
human error of missing content, this type of review can be used to find
information that does not match a specific word or pattern.

Automated reviews use a tool to quickly search every page of the website.
Although the search can typically be completed much more quickly than a
manual review, the type of data must match specific words or patterns. This
method is often used to review how and where phone numbers, email addresses
and specific words appear on the website.

Obtaining Website Content for Offline Review

Tools like Black Widow should be used to “suck” an entire website to your PC for
inspection and/or analysis. To complete this lab, you may be able to use the files
you created in Lab 8.9, or you may choose to grab a different website before
proceeding.

Copyright © Center for Systems Security and Information Assurance

Information Assurance – 2 Lab Manual (V1.0) Released: 5/05 Page 8.1.0/1

Using the FindCommonWebInfoLeaks.bat script
FindCommonWebInfoLeaks.bat makes use of the Findstr.exe program, which
comes with Windows and is contained in the System32 directory. Findstr.exe
allows a user to search for strings and regular expression patterns in a file.

1. Open the FindCommonWebInfoLeaks.bat batch file with Notepad. Locate

this line: (This line sets the switches that will be used with the Findstr.exe)

set _findstr_flags= /s /i /r

2. Open a command prompt window and use the built in help for the Findstr
(findstr /?) command to determine what each of these switches does:

/s =

/i =

/r =

3. Find the section titled “Useful information leak regular expressions” in the
FindCommonWebInfoLeaks.bat script. This section contains the regular
expressions or search strings that will be used to search for information in the
website files. Find the line that reads:

set _REGEX_Email_=".[@]"YourDomain.YourTopLevelDomain

4. Change this line to match the email address you wish to search for within the
target website. You are now ready to come through your “captured” website
for people’s e-mail addresses.

5. Open a command prompt window. Enter this command:

(Fill in the blank with the path to the website copy you wish to analyze)

FindCommonWebInfoLinks.bat _______________________ > results.txt

Tip: if the target website also contains PDF files, the output of
FindCommonWebInfoLeaks.bat may produce large blocks of text from the
PDFs that match the search strings, making it more difficult to review the
output from the rest of the web pages. You may want to delete the PDFs
prior to analyzing the website to make the remaining output easier to review.

Copyright © Center for Systems Security and Information Assurance

Information Assurance – 2 Lab Manual (V1.0) Released: 5/05 Page 8.1.0/2

6. Open results.txt with Notepad. How many e-mail addresses were “pulled”
from your captured website?

7. Was any interesting or useful information found in the target website? If yes,
describe that information here.

Analysis
How often do you think an organization should review its own websites to make
sure inappropriate content is not being released to outsiders?

What kind of policy or rules could an organization employ to minimize the

chances that someone might inadvertently place revealing or sensitive
information on the website?

Can you think of additional search strings or keywords that might be useful to
add to the FindCommonWebInfoLeaks.bat script?

Write your thoughts below, and try changing the script to also look for your new
keywords.

Copyright © Center for Systems Security and Information Assurance

Information Assurance – 2 Lab Manual (V1.0) Released: 5/05 Page 8.1.0/3