Author: entr0py
Date: 07.06.2007
Feedback: entr0py [AT] hush [DOT] ai
IRC: irc.2600.net #securitybay

Introduction
Google is one of the most popular web search engines in cyberspace. It is an extremely
powerful as well as pervasive search engine, and it can easily be abused by submitting
carefully crafted search queries. This flaw, or boon as I might call it, has helped
attackers acquire top-secret information that cannot be obtained with normal search
queries. Anyway, in this tutorial I am going to elaborate on the various segments of
Google. They are as follows:

- Basic Google Search Operators
- Advanced Search Operators
- Malicious Search Queries
- Vulnerability Assessment via Google
- Best Practices

Basic Google Search Operators

As I mentioned earlier, Google has the ability to display confidential information.
However, for that, you need to know the basic search queries. Therefore, I am going to
demystify them.
- Quote usage: If you enclose your search query in quotes, the results are confined to
that exact phrase. For example, if you want to search for NT exploits, put the query in
quotes to narrow down the results. Example:

"NT Exploits"

- intext: The intext operator forces Google to search for the query in the website's
text content. It overlooks URLs and titles and focuses entirely on the text content.
Example:

intext:"Netcat Readme"

"allintext" is a variant of the "intext" operator. The allintext operator returns links
in which the complete query is present. Example:

allintext:"Format String Bugs"


- inurl: The inurl operator compels Google to search for the query in the website's
URL. It ignores text and titles and concentrates entirely on the URL. Example:

inurl:"index.php?page=security_resources.html"

"allinurl" is a variant of the "inurl" operator. The allinurl operator returns URLs
in which the complete query is present. Example:

allinurl:"index.php?p=elf_format.html"

- intitle: The intitle operator obligates Google to search for the query in the
website's title. It ignores the URL and the text content and concentrates entirely on
the title. Example:

intitle:"Kernel Development"

"allintitle" is a variant of the "intitle" operator. The allintitle operator returns
links in which the complete query is present. Example:

allintitle:"Understanding the Linux Kernel"


- site: The site operator forces Google to return results only from a specific website.
Example:

"Remote Desktop" site:www.rest0re.org

- cache: The cache operator forces Google to display cached websites, that is, it
compels Google to provide links from its cache database. This operator is extremely
useful during reconnaissance operations. Let me give you a quick example:

cache:www.microsoft.com

- info: The info operator tells Google to provide information about a particular
website. Let me show you an example:

info:www.linux.org

- related: The related operator compels Google to provide websites related to a
specific website. Let me give you a quick sample:

related:www.freebsd.org

- link: The link operator compels Google to display websites that link to the
specified URL. This operator is helpful when mapping a site's affiliations. Example:

link:www.the-c0re.org

- filetype: The filetype operator forces Google to show documents with the specified
extension, or file type. It helps in finding source code or whitepapers. Example:

filetype:pdf site:www.infosecwriters.com

Advanced Search Operators

Until now, I have explained almost all the basic Google operators utilized by attackers to
gain confidential information. In this section, I am going to explain various other
operators used to obtain secret information.

- phonebook: The phonebook operator is one of the most effective dorks used during
reconnaissance to gather personal information about a specific person. Let me show you
a quick example:

phonebook:Robert IL

Note: This operator will only show you US street addresses and phone numbers.

There are several variants of the above operator. Let me list them along with
examples:

- bphonebook: The bphonebook operator will show information about a certain
business. Let me show a quick example:

bphonebook:UV Research and Development IL

- rphonebook: The rphonebook operator will show residential information for the
specified person.

rphonebook:Lanny IL

- define: The define operator will command Google to display websites that contain a
definition of the specified word.

define:entropy

- safesearch: The safesearch operator will instruct Google to ignore spam, adult
sites, malicious links, and advertisement portals.

safesearch:XXX

- movie: The movie operator will compel Google to display reviews and show times for
the specified keyword.

movie:Gone with the Wind

- weather: The weather operator will instruct Google to list the current weather
status of a particular location. Example:

weather Illinois

- store: The store operator forces Google to provide information from its Froogle
segment. Example:

R60 store:IBM

Obtaining Passwords via Google

Until now, I have elucidated all the popular Google operators or syntaxes. In this section,
I will be elaborating on some malicious operators, which bring out a lot of confidential
information.

- allinurl:"auth_user_file.txt": This query compels Google to display the
authenticated user file of a DC Forum administrator. You need an efficient password
cracker like JTR (John the Ripper) because the authentication details are usually
enciphered.
- allinurl:passwd.txt: This query will show you the actual passwd file of the
website. This file contains the passwords of all the users of the site. Generally, the
user details are enciphered; hence, acquaint yourself with all the popular as well as
efficient password crackers.
- allinurl:service.pwd: This query will list all the FrontPage service passwords.
However, they are usually encrypted with the DES algorithm. Therefore, you need to be
armed with a DES cracker.
- allinurl:passlist.txt: This query lists all the passwords utilized within a
website.
- "http://*:*@www.anydomain.com": This is one of the most famous dorks used by
attackers because, by using it, one can obtain member details that include usernames
and passwords. It is mostly used to crack e-mail passwords.
- .pwd.index: There is a whole list of dorks associated with this syntax. Let me
list them:
  - administrators.pwd.index
  - authors.pwd.index
  - service.pwd.index
- allinurl:WWWBoard/passwd.txt: This dork will list all the websites that deploy a
vulnerable WWWBoard. This dork is also called the "script kiddie's best dork/friend".
- allinurl:.htpasswd: .htpasswd stores all kinds of passwords persisting in an
Apache httpd server. This search query will reveal the .htpasswd file!

Index Browsing via Google

Google gives you a chance to list the contents of index directories. One can easily gain
top-secret data by browsing through them. So, let me list all the dorks that can provide
you with interesting things:

- "Index of /admin" OR "Index of /administrator" > This will list all the sensitive
information within the administrator directory.
- "Index of /password" OR "Index of /passwords" > This will list the password files.
Well, some of them might be encrypted; therefore, you must arm yourself with a
powerful password cracker.
- "Index of /passwd"
- "Index of /" +password.txt
- "Index of /" +.htaccess > This will list the directory containing .htaccess
(configuration file of Apache).
- "Index of/Root"
- "Index of" .bash_history > This will provide you the history of all the commands
executed by a terminal shell. This sometimes provides sensitive information.
- "Index of" pwd.db > The password database of a website.
- "Index of" etc/passwd OR "Index of" etc/shadow > UNIX password directory. The
former contains the user account and password entries and the latter the shadowed
passwords.
- "Index of" spwd
- "Index of" master.passwd
- "Index of" htpasswd
- "Index of" config.php > Configuration file of a website.

Credits go to Debasis Mohanty for some dorks.

Vulnerability Assessment via Google

Google gives you a chance to assess the vulnerability status of a particular website. This
has popularized Google among the so-called "White Hats". Anyway, let me list several
valuable techniques to assess the vulnerability status.

- Gaining information about the website or server: One can easily gain a lot of
information about a website and a web server by properly utilizing Google. The common
Google dorks used for site and server crawling are:

  - site:www.anysite.com
  - site:anysite.com -site:www.anysite.com

- Utilizing index directories to acquire information: One can obtain a lot of
information by utilizing index directories. Read the section Index Browsing via
Google for more information. Do use the following dorks:

  - "Index of /" +server
  - "Index of /" +Apache/

- Default pages: The default installation page provides significant information about
the website or the web server. Some dorks associated with this:

Apache:

- Intitle:Test.Page.for.Apache It.worked! this.web.site
- Intitle:Test.Page.for.Apache seeing.this.instead
- Intitle:Simple.page.for.Apache Apache.Hook.Functions
- Intitle:test.page "Hey, it worked !" "SSL/TLS-aware"

Microsoft IIS:

- allintitle:Welcome to Windows 2000 Internet Services
- allintitle:Welcome to Windows XP Server Internet Services
- intitle:welcome.to intitle:internet IIS

I would like to credit Johnny Long from Ihackstuff for the above information.

- Port scanning via Google: One can port scan a web server by means of Google.
Knowledge of ports and their services is a necessity. Anyway, here is the dork:

inurl:":Port Number" intext:"Port Service"


- Using vulnerable inputs to assess vulnerability: I am going to list several
vulnerable inputs that help in assessing known web application vulnerabilities like
CRLF, CSRF, XSS, SQL injection, password disclosure etc. Let me list them:

allinurl:

• privmsg.php
• init.inc.php
• libpath=".php"
• module_root_path=".php"
• classes_dir
• inc_dir
• rf=
• returnpath=
• auth.php
• cart_isp_root
• BASE_path=
• class_path
• common.php?root_dir=
• redirect.cgi
• cvsweb.cgi
• login.jsp
• dbconnect.inc
• admin
• htgrep
• wais.pl
• amadmin.pl
• subscribe.pl
• news.cgi
• auctionweaver.pl
• acid_main.php
• access.log
• log.htm
• log.html
• log.txt
• logfile
• logfile.htm
• logfile.html
• logfile.txt
• logger.html
• stat.htm
• stats.htm
• stats.html
• stats.txt
• webaccess.htm
• wwwstats.html
• source.asp
• perl
• mailto.cgi

Best Practices

To avoid the Google menace, one can deploy certain security measures. Well, let me list
several practices that might help you resist Google-based attacks, avoid information
disclosure and, obviously, avoid script kiddie attacks!

- Disable directory browsing: This is one of the best ways to avoid critical
information disclosure.
- Authentication: Require authentication for all sensitive as well as confidential
directories and files. This will disable remote directory browsing.
- Google removal process: Do a thorough Google dorking of your own website. If you
find that some of your top-secret files are listed in the Google search archive, then
quickly inform Google by visiting: www.google.com/remove.html
- Google Honeypot: Install the sophisticated Google Honeypot.
- Security patches: Install the latest security patches and hot fixes.
- CHMOD: CHMOD your directories properly.
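As an added example, not part of the original tutorial, here is a Python self-audit script for three of the practices above (directory browsing, protecting sensitive files, CHMOD): it walks a local document root, reports directories that a server with directory browsing enabled would render as an "Index of /..." listing because they hold no index page, flags files whose names appear in the dorks earlier in this tutorial, and reports which of those are readable by every account on the host. The document-root layout it builds is constructed sample data, and the sensitive-name list and index-page names are assumptions drawn from the tutorial's dorks.

```python
import os
import stat
import tempfile

# File names the tutorial shows attackers locating through Google dorks.
SENSITIVE_NAMES = {
    ".htpasswd", ".htaccess", "passwd.txt", "passlist.txt", "service.pwd",
    "auth_user_file.txt", "pwd.db", "master.passwd", ".bash_history",
    "config.php", "access.log",
}
# Assumed index-page names: a directory without one of these is served as an
# "Index of /..." listing when directory browsing is enabled.
INDEX_FILES = {"index.html", "index.htm", "index.php"}

def audit_webroot(root):
    """Report listable directories, sensitive file names, and sensitive files
    that every local account can read (the tutorial's CHMOD point)."""
    findings = {"listable_dirs": [], "sensitive_files": [], "world_readable": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        rel = "" if rel == "." else "/" + rel.replace(os.sep, "/")
        if not INDEX_FILES & set(filenames):
            findings["listable_dirs"].append(rel or "/")
        for name in filenames:
            if name in SENSITIVE_NAMES or name.endswith(".pwd.index"):
                url_path = rel + "/" + name
                findings["sensitive_files"].append(url_path)
                # S_IROTH set means any account on the host can read the file
                if os.stat(os.path.join(dirpath, name)).st_mode & stat.S_IROTH:
                    findings["world_readable"].append(url_path)
    for key in findings:  # os.walk order is not stable, so sort for reporting
        findings[key].sort()
    return findings

def build_sample_root():
    """Create a constructed (not real) document root in a temp directory."""
    root = tempfile.mkdtemp(prefix="webroot_")
    layout = {  # relative path -> permission bits
        "index.html": 0o644,
        "admin/config.php": 0o644,   # readable by every account on the host
        "admin/.htpasswd": 0o600,    # owner-only, as it should be
        "backup/passwd.txt": 0o644,
        "docs/whitepaper.pdf": 0o644,
    }
    for path, mode in layout.items():
        full = os.path.join(root, *path.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(full, mode)
    return root
```

Run `audit_webroot("/var/www/html")` (or wherever your document root lives) against a real site; on the constructed tree, /admin, /backup and /docs come back as listable and the two 0o644 sensitive files as world-readable.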

Conclusion

Well, that is it for now. I hope you liked the tutorial as much as I enjoyed writing it. I
guess I have managed to explain every single bit about Google. Do send feedback to
entr0py@hush.ai. Before completely ending this tutorial, let me list several informative
websites you might want to check:

- http://johnny.ihackstuff.com/ - Johnny's GHDB (Google Hacking Database)
- http://hackingspirits.com - Demystifying Google Hacks
- http://www.smart-dev.com/texts/google.txt
- http://www.wired.com/news/infostructure/0,1377,57897,00.html
- http://www.oreilly.com/catalog/googlehks/
- http://www.google.com/apis
