Google hacking for penetration tester - part 34 docx

Figure 8.31 Webcams Placed Outside a Facility
Most network printers manufactured these days have some sort of Web-based interface
installed. If these devices (or even the documentation or drivers supplied with these devices)
are linked from a Web page, various Google queries can be used to locate them.
Once located, network printers can provide an attacker with a wealth of information. As
shown in Figure 8.32, it is very common for a network printer to list details about the
surrounding network, naming conventions, and more. Many devices located through a Google
search are still running a default, insecure configuration with no username or password
needed to control the device. In a worst-case scenario, attackers can view print jobs and
even coerce these printers to store files or even send network commands.
Tracking Down Web Servers, Login Portals, and Network Hardware • Chapter 8 331
452_Google_2e_08.qxd 10/5/07 1:03 PM Page 331
Figure 8.32 Networked Printers Provide Lots of Details
Table 8.11 shows queries that can be used to locate various network devices.
Table 8.11 Queries That Locate Various Network Devices
Network Device Query
AXIS 2400 inurl:indexFrame.shtml Axis
PhaserLink Printers intitle:”View and Configure PhaserLink”
Panasonic Network Cameras inurl:”ViewerFrame?Mode=”
Sony NC RZ30 Cameras SNC-RZ30 HOME
Sony NC RZ20 Cameras intitle:snc-z20 inurl:home/
Mobotix netcams (intext:”MOBOTIX M1” | intext:”MOBOTIX M10”) intext:”Open Menu” Shift-Reload
Panasonic WJ-NT104 intitle:”WJ-NT104 Main Page”
XP PRO Webcams “powered by webcamXP” “Pro|Broadcast”
AXIS Cameras intitle:”Live View / - AXIS”
Phaser 6250N Printer “Phaser 6250” “Printer Neighborhood” “XEROX CORPORATION”
Xerox Phaser Printer “Phaser740 Color Printer” “printer named: “
Phaser 8200 Printer “Phaser 8200” “Xerox” “refresh” “ Email Alerts”
Xerox Phaser 840 Color Printer “Phaser 840 Color Printer” “Current Status” “printer named:”
Canon “WebView LiveScope” intitle:liveapplet inurl:LvAppl
Xerox Phaser 4500/6250/8200/8400 intext:centreware inurl:status
Linux Dreamboxes intitle:”dreambox web”
Axis Netcams intitle:”Live View / - AXIS” | inurl:view/view.sht
Axis 200 intitle:”The AXIS 200 Home Page”
Fiery WebTools (“Fiery WebTools” inurl:index2.html) | “WebTools enable **observe, *, ***flow * print jobs”
Konica Network Printer intitle:”network administration” inurl:”nic”
Ricoh Aficio 1022 inurl:sts_index.cgi
Ricoh Afficio Printer intitle:RICOH intitle:”Network Administration”
Canon ImageReady 3300, 5000 & 60000. intitle:”remote ui:top page”
HP Printers. inurl:hp/device/this.LCDispatcher
Webeye webcams. intitle:webeye inurl:login.ml
AXIS StorPoint CD+. intitle:”axis storpoint CD” intitle:”ip address”
Cisco Switches intitle:”switch home page” “cisco systems” “Telnet - to”
HP switches intitle:”DEFAULT_CONFIG - HP”
Linksys webcam camera linksys inurl:main.cgi
My webcamXP server intitle:”my webcamXP server!” inurl:”:8080”
Ricoh Aficio 2035 (fax/scanner) (inurl:webArch/mainFrame.cgi ) | (intitle:”web image monitor” -htm -solutions)
Axis Network Camera inurl:netw_tcp.shtml
Tivo Devices inurl:TiVoConnect?Command=QueryServer
Embedded DVR intitle:”DVR Web client”
Panasonic Network Camera site:.viewnetcam.com -www.viewnetcam.com
Toshiba netcams intitle:”toshiba network camera - User Login”
CCTV webcams “please visit” intitle:”i-Catcher Console” Copyright “iCode Systems”
AMX Netlink WebControl intitle:”AMX NetLinx”
XeroxDocuPrint printer. intitle:”Home” “Xerox Corporation” “Refresh Status”
Xerox 860 and 8200 Printers. intext:”Ready with 10/100T Ethernet”
Lexmark printers intext:”UAA (MSB)” Lexmark -ext:pdf
Axis Netcams inurl:axis-cgi
SiteZap webcam “Starting SiteZAP 6.0”
EvoCam intitle:”EvoCam” inurl:”webcam.html”
Tandberg video conferencing appliances intext:”Videoconference Management System” ext:htm
Novell Iprint inurl:”ipp/pdisplay.htm”
Phaser printers “Copyright (c) Tektronix, Inc.” “printer status”
Xerox DocuPrint printer intext:”MaiLinX Alert (Notify)” -site:networkprinters.com
Brother HL Printers inurl:”printer/main.html” intext:”settings”
Axis Storpoint axis storpoint “file view” inurl:/volumes/
Netsnap Online Cameras intitle:”Live NetSnap Cam-Server feed”
V-Gear Bee Web Cameras intitle:”V-Gear BEE”
Audio ReQuest home CD/MP3 player intitle:”AudioReQuest.web.server”
CUPS Printers inurl:”:631/printers” -php -demo
iVista Camera intitle:”iVISTA.Main.Page”
Axis Video Cameras
Linksys Wireless-G web cams. inurl:”next_file=main_fs.htm” inurl:img inurl:image.cgi
SnapStream Digital Video Recorder filetype:cgi transcoder.cgi
Axis Network Print Server intitle:”Network Print Server” filetype:shtm ( inurl:u_printjobs | inurl:u_server | inurl:a_server | inurl:u_generalhelp | u_printjobs )
Axis Network Print Server intitle:”Network Print Server” intext:”” filetype:shtm
ActiveX webcam intitle:”Browser Launch Page”
Sweex, Orite Web Cameras allinurl:index.htm?cus?audio
EDSR video cameras intitle:”EverFocus.EDSR.applet”
Epson Web Assist intitle:”EpsonNet WebAssist Rev”
Brother printers intitle:”Brother” intext:”View Configuration” intext:”Brother Industries, Ltd.”
Linksys webcams intitle:Linksys site:ourlinksys.com
SupervisionCam intitle:”supervisioncam protocol”
Vivotec webcams inurl:camctrl.cgi
mmEye webcam allintitle:Brains, Corp. camera
Dell ESW Printers intitle:”Dell Laser Printer” ews
HomeSeer home automation server intitle:HomeSeer.Web.Control | Home.Status.Events.Log
Samsung webthru cameras “Webthru User Login”
Lexmark printers (4 models) intitle:”Lexmark *” inurl:port_0
Aficio printers inurl:/en/help.cgi “ID=*”
HP Officejet help page. intitle:jdewshlp “Welcome to the Embedded Web Server!”
Xerox Phaser printers. “display printer status” intitle:”Home”
GeoHttpServer inurl:JPGLogin.htm
Winamp Servers “About Winamp Web Interface” intitle:”Winamp Web Interface”
NeroNet Servers intitle:”NeroNET - burning online”
Xerox (*Centre) Printers ext:dhtml intitle:”document centre|(home)” OR intitle:”xerox”
Lexmark and Dell Printers inurl:”port_255” -htm
Adobe’s PrintGear intext:”Powered by: Adobe PrintGear” inurl:admin
AVTech Video Web Server intitle:”—- VIDEO WEB SERVER —-” intext:”Video Web Server” “Any time & Any where” username password
VPON (Video Picture On Net) video surveillance system inurl:start.htm?scrw=
Dell Printers intitle:”Dell *” inurl:port_0
Kpix Java Based Traffic Cameras (cam1java)|(cam2java)|(cam3java)|(cam4java)|(cam5java)|(cam6java) -navy.mil -backflip -power.ne.jp
Mobile Cameras inurl:”S=320x240” | inurl:”S=160x120” inurl:”Q=Mob
Panasonic IP cameras inurl:”CgiStart?page=”
Dell and Lexmark Printers intitle:”configuration” inurl:port_0
Dell Laser Printer M5200 intitle:”Dell Laser Printer M5200” port_0
AXIS 240 Camera Servers intitle:”AXIS 240 Camera Server” intext:”server push” -help
Veo Observer Web Client intitle:”Veo Observer Web Client”
Standalone Network Camera intitle:”Java Applet Page” inurl:ml
DVR Systems intitle:”WEBDVR” -inurl:product -inurl:demo
sensorProbe Environmental Monitoring Device “Summary View of Sensors” | “sensorProbe8 v *” | “
iDVR Camera intitle:iDVR -intitle:”com | net | shop” -inurl:”asp | htm | pdf | html | php | shtml | com | at | cgi | tv”
INTELLINET IP camera intitle:”INTELLINET” intitle:”IP Camera Homepage”
StarDot netcam intitle:”NetCam Live Image” edu gov -johnny.ihackstuff.com
Netbotz devices intitle:”netbotz appliance” -inurl:.php -inurl:.asp -inurl:.pdf -inurl:securitypipeline -announces
Phaser Network Printers Phaser numrange:100-100000 Name DNS IP “More Printers” index help filetype:html | filetype:shtml
Orite 301 Netcams intitle:”Orite IC301” | intitle:”ORITE Audio IP-Camera IC-301” -the -a
Brimsoft webcam intitle:”Biromsoft WebCam” -4.0 -serial -ask -crack -software -a -the -build -download -v4 -3.01 -numrange:1-10000
VisionGS Webcam (intitle:”VisionGS Webcam Software”)|(intext:”Powered by VisionGS Webcam”) -showthread.php -showpost.php -”Search Engine” -computersglobal.com -site:g
IQeye netcam intitle:”IQeye302 | IQeye303 | IQeye601 | IQeye602 | IQeye603” intitle:”Live Images”
Samsung printers “This page is for configuring Samsung Network Printer” | printerDetails.htm
Intel Netport Express Print Server. intitle:”SNOIE Intel Web Netport Manager” OR intitle:”Intel Web Netport Manager Setup/Status”
Express6 live video controller Display Cameras intitle:”Express6 Live Image”
Sony SNT-V304 Video Network Station intitle:”Sony SNT-V304 Video Network Station” inurl:hsrindex.shtml
Windows 2003 Remote Printing inurl:Printers/ipp_0001.asp
Linksys wireless G Camera inurl:/img/vr.htm
Sony DCS-950 Web Camera DCS inurl:”/web/login.asp”
Dell laser printers intitle:”Dell Laser Printer *” port_0 -johnny.ihackstuff
INTELLINET IP Camera intitle:”::::: INTELLINET IP Camera Homepage :::::
Celestix Taurus Server intext:”Welcome to Taurus” “The Taurus Server Appliance” intitle:”The Taurus Server Appliance”
Sharp printers intitle:”AR-*” “browser of frame dealing is necessary”
Watchdogs WxGoos Camera intitle:”WxGoos-” (“Camera image”|”60 seconds” )
Nuvico DVR intitle:”DVR Client” -the -free -pdf -downloads -blog -download -dvrtop
Hunt Electronics web cams “OK logout” inurl:vb.htm?logout=1
EverFocus DVR intitle:”Edr1680 remote viewer”
IVC Security Cameras intitle:”IVC Control Panel”
MOBOTIX Cameras (intitle:MOBOTIX intitle:PDAS) | (intitle:MOBOTIX intitle:Seiten) | (inurl:/pda/index.html +camera)
Netbotz devices intitle:”Device Status Summary Page” -demo
iGuard Fingerprint Security System intitle:”iGuard Fingerprint Security System”
Veo Observer XT intitle:”Veo Observer XT” -inurl:shtml|pl|php|htm|asp|aspx|pdf|cfm -intext:observer
EyeSpyFX or OptiCamFX Camera (intitle:(EyeSpyFX|OptiCamFX) “go to camera”)|(inurl:servlet/DetectBrowser)
MOBOTIX cameras inurl:cgi-bin/guestimage.html
Sony SNC-RZ30 IP camera intitle:”SNC-RZ30” -demo
Everfocus EDSR400 allintitle: EverFocus | EDSR | EDSR400 Applet
Everfocus EDR1680 allintitle:Edr1680 remote viewer
Everfocus EDR1600 allintitle: EDR1600 login | Welcome
Everfocus EDR400 allintitle: EDR400 login | Welcome
Boshe/Divar Net Cameras intitle:”Divar Web Client”
Axis Cameras intitle:”Live View / - AXIS” | inurl:view/view.shtml OR inurl:view/indexFrame.shtml | intitle:”MJPG Live Demo” | “intext:Select preset position”
Axis Cameras 2XXX Series allintitle: Axis 2.10 OR 2.12 OR 2.30 OR 2.31 OR 2.32 OR 2.33 OR 2.34 OR 2.40 OR 2.42 OR 2.43 “Network Camera “
BlueNet Video Viewer intitle:”BlueNet Video Viewer”
Stingray File Transfer Server intitle:”stingray fts login” | ( login.jsp intitle:StingRay )
Softwell Technology “Wit-Eye” DVR allintitle:”DVR login”
WR Control Lite Multi-Camera View inurl:wrcontrollite
Device Query
Axis Video Server (CAM) inurl:indexFrame.shtml Axis
AXIS Video Live Camera intitle:”Live View / - AXIS”
AXIS Video Live View intitle:”Live View / - AXIS” | inurl:view/view.sht
AXIS 200 Network Camera intitle:”The AXIS 200 Home Page”
Canon Network Camera intitle:liveapplet inurl:LvAppl
Mobotix Network Camera intext:”MOBOTIX M1” intext:”Open Menu”
Panasonic Network Camera intitle:”WJ-NT104 Main Page”
Panasonic Network Camera inurl:”ViewerFrame?Mode=”
Sony Network Camera SNC-RZ30 HOME
Seyeon FlexWATCH Camera intitle:flexwatch intext:”Home page ver”
Sony Network Camera intitle:snc-z20 inurl:home/
webcamXP “powered by webcamXP” “Pro|Broadcast”
Canon ImageReady intitle:”remote ui:top page”
Fiery Printer Interface (“Fiery WebTools” inurl:index2.html) | “WebTools enable **observe, *, ***flow * print jobs”
Konica Printers intitle:”network administration” inurl:”nic”
RICOH Copier inurl:sts_index.cgi
RICOH Printers intitle:RICOH intitle:”Network Administration”
Tektronix Phaser Printer intitle:”View and Configure PhaserLink”
Xerox Phaser (generic) inurl:live_status.html
Xerox Phaser 6250 Printer “Phaser 6250” “Printer Neighborhood” “XEROX CORPORATION”
Xerox Phaser 740 Printer “Phaser® 740 Color Printer” “printer named: “ phaserlink
Xerox Phaser 8200 Printer “Phaser 8200” “© Xerox” “refresh” “ Email Alerts”
Xerox Phaser 840 Printer Phaser® 840 Color Printer
Xerox Centreware Printers intext:centreware inurl:status
XEROX WorkCentre intitle:”XEROX WorkCentre PRO - Index”
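
The queries in Table 8.11 key on the page titles, URL paths and body text that these devices serve by default. As an added example (not from the book), the sketch below runs four of those queries offline against a constructed inventory of one's own device pages and reports which pages would match and which answer without a login. The matcher is a simplified approximation that handles only intitle:, inurl:, intext:, bare terms and - exclusions; the hostnames and page records are assumptions.

```python
import re

# Four queries copied from Table 8.11 (typographic quotes straightened).
FINGERPRINTS = {
    "HP Printers": 'inurl:hp/device/this.LCDispatcher',
    "CUPS Printers": 'inurl:":631/printers" -php -demo',
    "Brother HL Printers": 'inurl:"printer/main.html" intext:"settings"',
    "Konica Network Printer": 'intitle:"network administration" inurl:"nic"',
}
TOKEN = re.compile(r'(-?)(?:(intitle|inurl|intext):)?("[^"]*"|\S+)')
UNSUPPORTED = re.compile(r'[|()*]|\bOR\b|\b(?:filetype|ext|site|numrange):')

def parse(query):
    """Split a query into (negated, field, needle) terms; all terms are ANDed."""
    if UNSUPPORTED.search(query):
        raise ValueError("operator outside the supported subset: " + query)
    return [(neg == "-", field or "any", value.strip('"').lower())
            for neg, field, value in TOKEN.findall(query)]

def matches(query, page):
    """Approximate the search engine with case-insensitive substring tests."""
    fields = {"intitle": page["title"], "inurl": page["url"], "intext": page["body"]}
    fields["any"] = " ".join(fields.values())
    return all((needle in fields[field].lower()) != negated
               for negated, field, needle in parse(query))

def audit(inventory):
    """List (host, device type, open_without_login) for every fingerprint hit."""
    return [(page["host"], device, not page["auth_required"])
            for page in inventory
            for device, query in FINGERPRINTS.items() if matches(query, page)]

# Constructed inventory: pages captured from one's own address space.
INVENTORY = [
    {"host": "prn-01.corp.example", "title": "HP LaserJet",
     "url": "http://prn-01.corp.example/hp/device/this.LCDispatcher",
     "body": "Device Status", "auth_required": False},
    {"host": "cups.corp.example", "title": "Printers - CUPS",
     "url": "http://cups.corp.example:631/printers/",
     "body": "Queue list", "auth_required": True},
    {"host": "lab.corp.example", "title": "Printers - CUPS",
     "url": "http://lab.corp.example:631/printers/demo",
     "body": "Queue list", "auth_required": False},
    {"host": "wiki.corp.example", "title": "Team wiki",
     "url": "http://wiki.corp.example/", "body": "Welcome", "auth_required": False},
]

if __name__ == "__main__":
    for hit in audit(INVENTORY):
        print(hit)
```

A hit with the last field set to True is a management page that both matches a published query and answers without credentials, which is the default, insecure configuration the text describes.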
Summary
Attackers use Google for a variety of reasons. An attacker might have access to an exploit for
a particular version of Web software and may be on the prowl for vulnerable targets. Other
times the attacker might have decided on a target and is using Google to locate information
about other devices on the network. In some cases, an attacker could simply be looking for
Web devices that are poorly configured with default pages and programs, indicating that the
security around the device is soft.
Directory listings provide information about the software versions in use on a device.
Server and application error messages can provide a wealth of information to an attacker and
are perhaps the most underestimated of all information-gathering techniques. Default pages,
programs, and documentation not only can be used to profile a target, but they serve as an
indicator that the server is somewhat neglected and perhaps vulnerable to exploitation.
Login portals, while serving as the “front door” of a Web server for regular users, can be
used to profile a target, used to locate more information about services and procedures in
use, and used as a virtual magnet for attackers armed with matching exploits. In some cases,
login portals are set up by administrators to allow remote access to a server or network. This
type of login portal, if compromised, can provide an entry point for an intruder as well.
Google can be used to locate or augment Web-based networking tools like NQT, which
enables remote execution of various network-querying applications. Using creative queries,
Google may even locate Web-enabled network devices in use by the target or output from
network statistical packages. Whatever your goal during a network-based assessment, there’s a
good chance Google can be used to augment your existing tools and techniques.
Solutions Fast Track
Locating and Profiling Web Servers
- Directory listings and default server-generated error messages can provide details
about the server. Even though this information could be obtained by connecting
directly to the server, an attacker armed with an exploit for a particular version of
software could find a target using a Google query designed to locate this
information.
- Server and application error messages provide a great deal of information, ranging
from software versions and patch level, to snippets of source code and information
about system processes and programs. Error messages are one of the most
underestimated forms of information leakage.