
Advanced Penetration Testing and Security Analysis

Module 2
Advanced Googling
EC-Council

Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Copyright 2004 EC-Council. All rights reserved worldwide.

Module Objective
This module will familiarize you with:

Site Operator
intitle:index.of
error | warning
login | logon
admin | administrator
Google Advanced Search Form
Categorization of the Operators
Viewing Live Web Cams
Locating Source Code with Common Strings
Locating Vulnerable Targets
Locating Targets Via Demonstration Pages
Locating Targets Via Source Code
Vulnerable Web Application Examples
Locating Targets Via CGI Scanning
A Single CGI Scan-Style Query
Directory Listings
Web Server Software Error Messages
The Goolag Scanner

Site Operator
The site operator is absolutely invaluable during the information-gathering phase of an assessment.
A site search can be used to gather information about the servers and hosts that a target hosts.
Using simple reduction techniques, we can quickly get an idea about a target's online presence.
Consider the following simple example:

site:washingtonpost.com -site:www.washingtonpost.com

This query effectively locates pages on the washingtonpost.com domain other than www.washingtonpost.com (the minus sign negates the second operator; without it the two site: terms would simply conflict). Repeating the search while excluding each host found so far is the reduction technique: less prominent hosts surface once the dominant ones are removed from the results.
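The reduction loop described above, written out as an added Python example (this is not code from the EC-Council module): each round's query excludes the hosts already catalogued, and the loop stops when a round adds nothing new. The result pages are constructed sample data standing in for hostnames read off Google result pages; the domain and hostnames are illustrative and no live query is made.

```python
"""Site-operator reduction loop (added example, not from the original module).

SAMPLE_RESULT_PAGES is constructed data: each inner list stands for the
hostnames scraped from one round of Google results. No live queries run.
"""
from typing import Iterable, List, Tuple

SAMPLE_RESULT_PAGES = [
    ["www.washingtonpost.com", "www.washingtonpost.com"],   # round 1
    ["ads.washingtonpost.com", "evil-washingtonpost.com"],  # round 2
    [],                                                     # round 3: nothing new
]


def in_domain(host: str, domain: str) -> bool:
    """True when host is domain itself or one of its subdomains.

    The suffix check includes the dot so that a lookalike such as
    evil-washingtonpost.com is not mistaken for a target host.
    """
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def reduction_query(domain: str, seen_hosts: Iterable[str]) -> str:
    """Build `site:domain` minus every host already catalogued.

    Google's site: matches a host and its subdomains, so -site:host removes
    that whole subtree from the next round of results.
    """
    exclusions = sorted({h.lower() for h in seen_hosts if in_domain(h, domain)})
    return " ".join([f"site:{domain}"] + [f"-site:{h}" for h in exclusions])


def enumerate_hosts(domain: str, result_pages: List[List[str]]) -> Tuple[List[str], List[str]]:
    """Run the reduction loop over successive result pages.

    Returns (hosts in discovery order, the query issued for each round).
    The loop stops when a round yields no new in-scope host.
    """
    seen: List[str] = []
    queries: List[str] = []
    for page in result_pages:
        queries.append(reduction_query(domain, seen))  # what you would submit
        before = len(seen)
        for host in (h.lower() for h in page if in_domain(h, domain)):
            if host not in seen:
                seen.append(host)
        if len(seen) == before:
            break
    return seen, queries


if __name__ == "__main__":
    hosts, queries = enumerate_hosts("washingtonpost.com", SAMPLE_RESULT_PAGES)
    for q in queries:
        print(q)
    print("catalogued:", hosts)
```

Run stand-alone, it prints the three queries in order, the last one excluding both hosts found; the lookalike evil-washingtonpost.com is rejected because the scope check requires a dot before the target domain.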

Site Operator (cont'd)

intitle:index.of
intitle:index.of is the universal search for directory listings.
In most cases, this search applies only to Apache-based servers, but due to the overwhelming number of Apache-derived web servers on the Internet, there's a good chance that the server you're profiling will be Apache-based.
The listing itself is generated by Apache's mod_autoindex when a directory has no index file; removing Indexes from the directory's Options (Options -Indexes) stops the server from producing it.

Screenshot - intitle:index.of

error | warning
Error messages can reveal a great deal of information about a target.
Often overlooked, error messages can provide insight into the application or operating system software a target is running, the architecture of the network the target is on, information about users on the system, and much more.
Not only are error messages informative, they are prolific.
A query of intitle:error results in over 55 million results.

error | warning (cont'd)

login | logon
Login portals can reveal the software and operating system of a target, and in many cases self-help documentation is linked from the main page of a login portal.
These documents are designed to assist users who run into problems during the login process.
Whether the user has forgotten his or her password or even username, these documents can provide clues that might help an attacker.
Documentation linked from login portals lists email addresses, phone numbers, or URLs of human assistants who can help a troubled user regain lost access.
These assistants, or help desk operators, are perfect targets for a social engineering attack.

login | logon (cont'd)

username | userid | employee.ID | "your username is"
There are many different ways to obtain a username from a target system.
Even though a username is the less important half of most authentication mechanisms, it should at least be marginally protected from outsiders.

password | passcode | "your password is"
The word password is so common on the Internet, there are over 73 million results for this one-word query.
During an assessment, it's very likely that results for this query combined with a site operator will include pages that provide help to users who have forgotten their passwords.
In some cases, this query will locate pages that provide policy information about the creation of a password.
This type of information can be used in an intelligent-guessing, or even a brute-force, campaign against a password field.

password | passcode | "your password is" (cont'd)

admin | administrator
The word administrator is often used to describe the person in control of a network or system.
The word administrator can also be used to locate administrative login pages, or login portals.
The phrase "Contact your system administrator" is a fairly common phrase on the web, as are several basic derivations.
A query such as "please contact your * administrator" will return results that reference local, company, site, department, server, system, network, database, email, and even tennis administrators.
If a web user is told to contact an administrator, the odds are that there's data of at least moderate importance to a security tester.

admin | administrator (cont'd)

admin login
"admin login" reveals administrative login pages.

-ext:html -ext:htm -ext:shtml -ext:asp -ext:php
The -ext:html -ext:htm -ext:shtml -ext:asp -ext:php query uses ext, a synonym for the filetype operator, and is a negative query (each term is prefixed with a minus sign).
It returns no results when used alone and should be combined with a site operator to work properly.
The idea behind this query is to exclude some of the most common Internet file types in an attempt to find files that might be more interesting.

-ext:html -ext:htm -ext:shtml -ext:asp -ext:php (cont'd)

inurl:temp | inurl:tmp | inurl:backup | inurl:bak
The inurl:temp | inurl:tmp | inurl:backup | inurl:bak query, combined with the site operator, searches for temporary or backup files or directories on a server.
Although there are many possible naming conventions for temporary or backup files, this search focuses on the most common terms.
Since this search uses the inurl operator, it will also locate files that contain these terms as file extensions, such as index.html.bak.
Backup copies of server-side scripts (index.php.bak, login.asp.bak) are particularly valuable: the web server no longer recognises the extension, so it serves the script's source as plain text instead of executing it.

Google Advanced Search Form
Google's advanced search form is easy to use and provides more options for the search.
It allows a user to select or prohibit pages with more accuracy.
It focuses on options, which results in a more targeted and accurate search.
One can categorize the search by giving all words, an exact phrase, or at least one word.
By following the procedure below, it is simple to perform an advanced search:
Go to Google's standard search text box.
Click on Advanced search at the right side of the search box.

Google Advanced Search Form: Screenshot

Categorization of the Operators
Search Service: Search Operators

Web Search: allinanchor:, allintext:, allintitle:, allinurl:, cache:, define:, filetype:, id:, inanchor:, info:, intext:, intitle:, inurl:, phonebook:, related:, rphonebook:, site:, stocks:
Image Search: allintitle:, allinurl:, filetype:, inurl:, intitle:, site:
Groups: allintext:, allintitle:, author:, group:, insubject:, intext:, intitle:
Directory: allintext:, allintitle:, allinurl:, ext:, filetype:, intext:, intitle:, inurl:
News: allintext:, allintitle:, allinurl:, intext:, intitle:, inurl:, location:, source:
Froogle: allintext:, allintitle:, store:

allinanchor:
The query with allinanchor restricts the results to the pages containing all the query terms in their inbound links.
Avoid the use of any other search operators while using allinanchor.
Example: allinanchor: longest river
It will return the results that contain "longest" and "river" in the anchor text of links to the pages.

Screenshot - allinanchor:

allintext:
The query with allintext restricts the results to the pages containing all query terms only in the text (it does not check the URL or title).
Example: allintext: best travel
It will return the results that contain "best" and "travel" in the text of the page.

Screenshot - allintext:

allintitle:
The query with allintitle restricts results to pages containing all query terms specified in the title.
Avoid the use of any other search operators while using allintitle.
Example: allintitle: vulnerability attacks
It will return the results which contain "vulnerability" and "attacks" in the title.
In image search, allintitle returns images that contain the terms specified.

Screenshot - allintitle:

author:
The query with author includes newsgroup articles by the author specified in the query.
The author name can be a full name, partial name, or email ID.
Example: Hacking author: Linda Lee
It will return the articles that contain the word "Hacking" written by Linda Lee.

Screenshot - author:

cache:
The query cache:url displays Google's cached version of a web page.
Do not put a space between cache: and the URL.
Example: cache:www.eccouncil.org
It shows the cached version of www.eccouncil.org.
Note that Google has since retired the cache: operator and the cached-page link from its results, so archived copies of a page now have to come from other sources.

Screenshot - cache:

define:
The query with define shows definitions from pages on the web for the term specified.
It is useful for finding definitions of words, phrases, and acronyms.
Example: define:hacking
It shows the definitions for the term hacking.

Screenshot - define:

filetype:
The query with filetype:suffix shows the result pages whose names end in suffix.
Example: web attacks filetype:pdf
It returns Adobe Acrobat PDF files that match the terms "web" and "attacks".

Screenshot - filetype:

group:
The query with group restricts results to newsgroup articles from certain groups or subareas.
Example: sleep group:misc.kids
It returns articles in the subarea misc.kids that contain the word "sleep".

Screenshot - group:

inanchor:
Searches for the text representation of the link.
The query with inanchor restricts results to pages whose inbound links carry the specified terms in their anchor text.
Example: restaurants inanchor:menu
It returns pages whose inbound links have anchor text containing the word "menu" and whose content contains the word "restaurants".

Screenshot - inanchor:

insubject:
The query with insubject restricts Google Groups articles to those containing the query terms specified in the subject.
Example: insubject:"security issue"
It returns Google Groups articles that contain the phrase "security issue" in the subject.
It is equivalent to intitle:.

Screenshot - insubject:

intext:
The query with intext:term restricts results to documents containing the term in the text.
There must be no space between intext: and the following word.
Example: intext:poem

Screenshot - intext:

link:
The query with link:URL shows pages that point to that URL.
Example: link:www.googleguide.com

Screenshot - link:

location:
The query with location will show articles from Google News, and only from the location specified.
Example: hackers location:China
It shows articles that match the term "hackers" from sites in China.

Screenshot - location:

Viewing Live Web Cams
You can find live security cameras, traffic monitoring cameras and many more using simple Google search operators like inurl, intitle, and intext.
These cameras generally use known protocols, with well-known URL paths and page titles, which makes it easy for anyone to find and access them.
Following are a few Google search links to find publicly accessible live streaming feeds:

Viewing Live Web Cams (cont'd)
inurl:/view.shtml
intitle:"Live View / - AXIS" | inurl:view/view.shtml^
inurl:ViewerFrame?Mode=
inurl:ViewerFrame?Mode=Refresh
inurl:axis-cgi/jpg
allintitle:"Network Camera NetworkCamera"
intitle:axis intitle:"video server"
intitle:liveapplet inurl:LvAppl
intitle:"EvoCam" inurl:"webcam.html"

Screenshot - Live Web Cams

Screenshots - Live Web Cams at Traffic Signals (1-10)

intranet | help.desk
The term intranet, despite more specific technical meanings, has become a generic term that describes a network confined to a small group.
In most cases the term intranet describes a closed or private network, unavailable to the general public.
Many sites have configured portals that allow access to an intranet from the Internet, bringing this typically closed network one step closer to potential attackers.

Locating Public Exploit Sites
One way to locate exploit code is to focus on the file extension of the source code and then search for specific content within that code.
Since source code is the text-based representation of the difficult-to-read machine code, Google is well suited for this task.
For example, a large number of exploits are written in C, which generally uses source code ending in a .c extension.
A query for filetype:c exploit returns around 5,000 results, most of which are exactly the types of programs we're looking for.
These are the most popular sites hosting C source code containing the word exploit; the returned list is a good start for a list of bookmarks.
Using page-scraping techniques, we can isolate these sites by running a UNIX command against the dumped Google results page:

grep Cached exp | awk -F" " '{print $1}' | sort -u

Here exp is the results page saved as plain text (for example with lynx -dump): grep keeps only the lines that carry a Cached link, awk prints the first whitespace-separated field of each (the result URL in that dump format), and sort -u removes duplicates. The pipeline depends on that text layout; it does not work on the raw HTML of the results page.
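The same page-scraping step done with an HTML parser rather than text matching, as an added Python example (not code from the EC-Council module). RESULTS_HTML is a constructed stand-in for a saved results page; live Google markup differs and changes over time, so check which <a> elements carry the result URLs before pointing this at a real dump. The hostnames and the engine-host suffix list are assumptions for the sake of the example.

```python
"""Extract unique result hosts from a saved Google results page
(added example, not from the original module).

Does the job of the grep/awk/sort pipeline with an HTML parser instead of
text matching. RESULTS_HTML is constructed sample markup, not a real
results page.
"""
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

RESULTS_HTML = """
<html><body>
<a href="http://www.example-exploits.test/exploits/exp.c">exp.c</a>
<a href="http://webcache.googleusercontent.com/search?q=cache:x">Cached</a>
<a href="http://www.example-exploits.test/exploits/exp2.c">exp2.c</a>
<a href="https://packet.example.test/0405-exploits/foo.c">foo.c</a>
<a href="/search?q=filetype:c+exploit&amp;start=10">Next</a>
<a href="HTTP://Packet.Example.TEST/0405-exploits/bar.c">bar.c</a>
<a href="javascript:void(0)">Similar pages</a>
</body></html>
"""

# Hosts that belong to the search engine itself, not to a result (assumed list).
ENGINE_SUFFIXES: Tuple[str, ...] = ("google.com", "googleusercontent.com")


class LinkCollector(HTMLParser):
    """Collect every href seen on <a> elements."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def result_hosts(html: str, skip_suffixes: Tuple[str, ...] = ENGINE_SUFFIXES) -> List[str]:
    """Return the sorted, de-duplicated hostnames linked from html.

    Relative links (paging, navigation) and non-HTTP schemes carry no
    target host and are dropped; hostnames compare case-insensitively
    because DNS names do, and urlparse already lower-cases .hostname.
    """
    collector = LinkCollector()
    collector.feed(html)
    hosts = set()
    for href in collector.hrefs:
        url = urlparse(href)
        if url.scheme not in ("http", "https") or not url.hostname:
            continue
        host = url.hostname
        if any(host == s or host.endswith("." + s) for s in skip_suffixes):
            continue
        hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    for host in result_hosts(RESULTS_HTML):
        print(host)
```

The two hosts printed are the bookmark candidates; the cached-copy link, the paging link and the javascript: link are all discarded because they point at the search engine or at nothing.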

Locating Exploits via Common Code Strings
Another way to locate exploit code is to focus on common strings within the source code itself.
One way to do this is to focus on common inclusions or header file references.
For example, many C programs include the standard input/output library functions, which are referenced by an include statement such as #include <stdio.h> within the source code.
A query like this would locate C source code that contained the word exploit, regardless of the file's extension:

"#include <stdio.h>" "Usage" exploit

Searching for Exploit Code with Nonstandard Extensions

Locating Source Code with Common Strings

Locating Vulnerable Targets
Attackers are increasingly using Google to locate web-based targets that are vulnerable to specific exploits.
In fact, it's not uncommon for public vulnerability announcements to contain Google links to potentially vulnerable targets.

Locating Targets via Demonstration Pages
Our goal is to develop a query string to locate vulnerable targets on the web; the vendor's website is a good place to discover what exactly the product's web pages look like.
Bear in mind that some administrators modify the format of a vendor-supplied web page to fit the theme of the site.
These types of modifications can impact the effectiveness of a Google search that targets a vendor-supplied page format.
Even so, most sites look very similar, and nearly every site has a "powered by" message at the bottom of the main page.

"Powered by" Tags are Common Query Fodder for Finding Web Applications

Locating Targets via Source Code
Let's take a look at how a hacker might use the source code of a program to discover ways to search for that software with Google.
To find the best search string to locate potentially vulnerable targets, we can visit the web page of the software vendor to find the source code of the offending software.
In cases where source code is not available, an attacker might opt to simply download the software and run it on a machine he controls to get ideas for potential searches.

Vulnerable Web Application Examples (screenshots)

Locating Targets via CGI Scanning
One of the oldest and most familiar techniques for locating vulnerable web servers is through the use of a CGI scanner.
These programs parse a list of known bad or vulnerable web files and attempt to locate those files on a web server.
Based on various response codes, the scanner could detect the presence of these potentially vulnerable files.
A CGI scanner can list vulnerable files and directories in a data file, such as:

A Single CGI Scan-Style Query
Example: search for inurl:/cgi-bin/userreg.cgi
Each entry of a CGI scanner's data file can be turned into an inurl: query of this form; Google then does the probing, against its index rather than against the target.
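Turning a whole scanner data file into queries of that form, as an added Python example (not code from the EC-Council module). CGI_DATAFILE is a constructed stand-in for a scanner's list of known-bad paths; the one-path-per-line, '#'-comment layout is an assumption about such files rather than any particular scanner's format, and the site name is illustrative.

```python
"""Turn a CGI-scanner data file into Google inurl: queries
(added example, not from the original module).

CGI_DATAFILE is constructed sample data in an assumed format.
"""
from typing import List, Optional

CGI_DATAFILE = """
# constructed sample: paths CGI scanners have historically probed
/cgi-bin/userreg.cgi
/cgi-bin/test-cgi
/cgi-bin/php.cgi
/scripts/tools/newdsn.exe
/cgi-bin/userreg.cgi        # duplicate entry, dropped below
/_vti_pvt/service.pwd
"""


def load_paths(datafile: str) -> List[str]:
    """Parse the data file: strip comments and blanks, keep first occurrence."""
    paths: List[str] = []
    for raw in datafile.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and line not in paths:
            paths.append(line)
    return paths


def inurl_queries(paths: List[str], site: Optional[str] = None,
                  paths_per_query: int = 5) -> List[str]:
    """Batch paths into OR'ed inurl: queries.

    Google's OR (written |) binds tighter than the implicit AND, so
    `site:X inurl:A | inurl:B` means site:X AND (inurl:A OR inurl:B).
    Google caps the number of terms per query, hence the small batches.
    """
    if paths_per_query < 1:
        raise ValueError("paths_per_query must be >= 1")
    queries: List[str] = []
    for i in range(0, len(paths), paths_per_query):
        chunk = paths[i:i + paths_per_query]
        query = " | ".join(f"inurl:{p}" for p in chunk)
        if site:
            query = f"site:{site} {query}"
        queries.append(query)
    return queries


if __name__ == "__main__":
    for q in inurl_queries(load_paths(CGI_DATAFILE), site="example.test", paths_per_query=2):
        print(q)
```

A hit only shows that Google indexed the path at crawl time; confirm it with a direct request to the in-scope host before reporting it, since the file may have been removed since the crawl.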

Directory Listings
The server tag at the bottom of a directory listing can provide explicit detail about the type of web server software that's running.
If an attacker has an exploit for Apache 2.0.52 running on a UNIX server, a query such as server.at "Apache/2.0.52" will locate servers that host a directory listing with an Apache 2.0.52 server tag.
That tag is the output of Apache's ServerSignature directive; ServerSignature Off removes it from listings and error pages, and ServerTokens Prod reduces the advertised product string to "Apache" without a version.
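As an added Python example (not code from the EC-Council module), the two checks a tester or an administrator would run on a fetched page: is it an autoindex listing, and what does its server tag give away. The three pages are constructed samples of an Apache listing with the signature line, the same listing after ServerSignature Off, and an ordinary page; the hostnames are illustrative.

```python
"""Fingerprint Apache directory listings by their server tag
(added example, not from the original module).

LISTING_WITH_TAG, LISTING_NO_SIGNATURE and NORMAL_PAGE are constructed
sample responses, not captures from a real server.
"""
import re
from typing import Dict, Optional, Union

LISTING_WITH_TAG = """<html><head><title>Index of /backup</title></head>
<body><h1>Index of /backup</h1>
<pre><a href="db-2004-03.sql.bak">db-2004-03.sql.bak</a>  12K
</pre>
<address>Apache/2.0.52 (Unix) Server at www.example.test Port 80</address>
</body></html>"""

LISTING_NO_SIGNATURE = """<html><head><title>Index of /backup</title></head>
<body><h1>Index of /backup</h1><pre></pre></body></html>"""

NORMAL_PAGE = """<html><head><title>Welcome</title></head>
<body><p>Index of nothing here.</p></body></html>"""

# Apache's signature line: "<product>/<version> ... Server at <host> Port <n>"
SERVER_TAG = re.compile(
    r"(?P<software>[A-Za-z][\w-]*/[\w.]+)[^<]*?Server at (?P<host>[\w.-]+) Port (?P<port>\d+)",
    re.IGNORECASE,
)
# Autoindex pages carry an "Index of ..." title; that is what intitle:index.of matches.
LISTING_TITLE = re.compile(r"<title>\s*Index of\b", re.IGNORECASE)


def is_directory_listing(html: str) -> bool:
    """True when the page's title marks it as an Apache autoindex listing."""
    return LISTING_TITLE.search(html) is not None


def parse_server_tag(html: str) -> Optional[Dict[str, Union[str, int]]]:
    """Pull software, host and port out of the signature line, if present.

    Returns None when the page has no tag, which is what you get after
    ServerSignature Off.
    """
    m = SERVER_TAG.search(html)
    if not m:
        return None
    return {"software": m.group("software"), "host": m.group("host"),
            "port": int(m.group("port"))}


def listing_query(software: str) -> str:
    """Build the module's directory-listing query for a given server tag."""
    return f'intitle:index.of server.at "{software}"'


def classify(html: str) -> str:
    """One-line verdict for a fetched page, for reviewing your own hosts."""
    if not is_directory_listing(html):
        return "not a listing"
    tag = parse_server_tag(html)
    if tag is None:
        return "listing, no server tag"
    return f"listing, exposes {tag['software']}"


if __name__ == "__main__":
    samples = [("with tag", LISTING_WITH_TAG), ("no signature", LISTING_NO_SIGNATURE),
               ("normal", NORMAL_PAGE)]
    for name, page in samples:
        print(f"{name}: {classify(page)}")
    print(listing_query("Apache/2.0.52"))
```

Options -Indexes removes the listing altogether, which is the fix; ServerSignature Off only removes the tag and leaves the file list in place, as the second sample shows.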

Finding IIS 5.0 Servers
Query for "Microsoft-IIS/5.0 server at"

Web Server Software Error Messages
Error messages contain a lot of useful information, but in the context of locating specific servers, we can use portions of various error messages to locate servers running specific software versions.
The absolute best way to find error messages is to figure out what messages the server is capable of generating.
You could gather these messages by examining the server source code or configuration files or by actually generating the errors on the server yourself.
The best way to get this information from IIS is by examining the source code of the error pages themselves.
IIS 5 and 6, by default, display static HTTP/1.1 error messages when the server encounters some sort of problem.
These error pages are stored by default in the %SYSTEMROOT%\help\iisHelp\common directory.

Web Server Software Error Messages (cont'd)
A query such as intitle:"The page cannot be found" "please following" "Internet * Services" can be used to search for IIS servers that present a 400 error.

IIS HTTP/1.1 Error Page Titles (screenshots)

"Object Not Found" Error Message Used to Find IIS 5.0 (screenshot)

Apache Web Server
Apache web servers can also be located by focusing on server-generated error messages.
Some generic searches, such as "Apache/1.3.27 Server at" -intitle:index.of intitle:inf or "Apache/1.3.27 Server at" -intitle:index.of intitle:error, locate error pages (rather than directory listings, which the -intitle:index.of term excludes) generated by a specific Apache version.

Apache 2.0 Error Pages (screenshot)

Application Software Error Messages
Although this ASP message is fairly benign, some ASP error messages are much more revealing.
Consider the query "ASP.NET_SessionId" "data source=", which locates unique strings found in ASP.NET application state dumps.
These dumps reveal all sorts of information about the running application and the web server that hosts that application.
An advanced attacker could use encrypted password data and variable information in these stack traces to subvert the security of the application and perhaps the web server itself.
Such dumps are sent to remote clients only when detailed errors are enabled; setting customErrors mode="On" (or "RemoteOnly") in web.config keeps the stack trace and connection strings off the public error page.

ASP Dumps Provide Dangerous Details (screenshot)

Many Errors Reveal Pathnames and Filenames (screenshot)

CGI Environment Listings Reveal Lots of Information (screenshot)

Default Pages

Another way to locate specific types of servers or web software is to search for default web pages.
Most web software, including the web server software itself, ships with one or more default or test pages.
These pages make it easy for a site administrator to test the installation of a web server or application.
Google can crawl a web server while it is in its earliest stages of installation, still displaying a set of default pages.
In these cases, there is generally a short window of time between the moment when Google crawls the site and when the intended content is actually placed on the server.

A Typical Apache Default Web Page


Locating Default Installations of IIS 4.0 on Windows NT 4.0/OP


Default Pages Query for Web Server

Many different types of web servers can be located by querying for default pages as well.


Outlook Web Access Default Portal

Query: allinurl:exchange/logon.asp


Searching for Passwords

Password data, one of the Holy Grails of a penetration test, should be protected.
Unfortunately, many Google queries can be used to locate passwords on the web.


Windows Registry Entries Can Reveal Passwords

A query such as filetype:reg intext:"internet account manager" can reveal interesting registry keys containing password data.


Usernames, Cleartext Passwords and Hostnames

A search for password information, intext:(password | passcode | pass) intext:(username | userid | user), combines common words for passwords and user IDs into one query.
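As an added self-audit example (not code from the EC-Council slides), the following Python script checks a site's own HTTP responses for the same strings that the error-message, default-page and password dorks above search for, so an administrator can remove the exposures before a search engine indexes them. The Apache default-page wording and every sample response are constructed assumptions, not captures from any real server.

```python
import re

# Leak signatures modelled on the dorks in these slides (Apache "Server at"
# error signatures, ASP.NET state dumps, .reg exports holding the "Internet
# Account Manager" key, password/user-ID word pairs). All patterns must match.
SIGNATURES = {
    "apache_error_signature": [r"Apache/[\d.]+ Server at "],
    # Assumed wording of common Apache default/test pages.
    "apache_default_page": [r"Test Page for (the )?Apache|It works!"],
    "aspnet_state_dump": [r"ASP\.NET_SessionId", r"data source="],
    "registry_password_key": [r"REGEDIT4|Windows Registry Editor",
                              r"Internet Account Manager"],
    "credential_pair": [r"\b(password|passcode|pass)\b",
                        r"\b(username|userid|user)\b"],
}
COMPILED = {name: [re.compile(p, re.I) for p in pats]
            for name, pats in SIGNATURES.items()}

def audit_page(body):
    """Return the sorted names of every signature present in one response body."""
    return sorted(name for name, pats in COMPILED.items()
                  if all(p.search(body) for p in pats))

def audit_site(pages):
    """Map URL -> findings for each page that triggers at least one signature."""
    return {url: hits for url, body in pages.items() if (hits := audit_page(body))}

# Constructed sample responses; not captured from any real server.
SAMPLE_PAGES = {
    "https://www.example.test/missing": (
        "<h1>Not Found</h1><address>Apache/1.3.27 Server at "
        "www.example.test Port 80</address>"),
    "https://www.example.test/": "<title>Test Page for Apache Installation</title>",
    "https://www.example.test/app/Default.aspx": (
        "Server Error in '/app' Application. ASP.NET_SessionId=... "
        "ConnectionString: data source=db1;user id=app;password=<REDACTED>"),
    "https://www.example.test/old/mail.reg": (
        "Windows Registry Editor Version 5.00\n"
        "[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Account Manager]\n"
        '"POP3 Password2"=hex:<REDACTED>'),
    "https://www.example.test/staff.txt": "username: jdoe\npassword: <REDACTED>",
    "https://www.example.test/about": "<p>About us</p>",
}

if __name__ == "__main__":
    for url, hits in audit_site(SAMPLE_PAGES).items():
        print(url, "->", ", ".join(hits))
```

Feed it the bodies returned by a crawl of your own site (or of the search engine's cached copies) and treat every hit as content to remove or to block from indexing.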


Goolag Scanner

Goolag Scanner is software published by the well-known hacker group Cult of the Dead Cow (cDc).
This software turns Google's search engine into a vulnerability scanner.
It allows websites or Internet domains to be scanned for vulnerabilities.
It works on the dork pattern: a dork is a search pattern used with Google's search engine.
The results of a dork search reveal possible security weaknesses that could be attacked.


Features of Goolag

Goolag Scanner uses simple and readable XML documents.
It reduces the use of a myriad of dorks to a few mouse clicks.
Knowledge of cryptic command line options and Google hacking basics is not required to use this scanner.
It helps to check a website before criminals can attack its weak points.


Goolag Scanner Screenshot


Summary

In this module, we have reviewed Google penetration testing.
We have discussed the advanced Google techniques:

Overview of software error messages
Overview of default pages
Explanation of techniques to reveal passwords
Locating targets
Searching for passwords
