GOOGLE HACKING FOR PENETRATION TESTERS

GOOGLE HACKING FOR

PENETRATION TESTERS

Chris Chromiak
SentryMetrics
March 27th, 2007

www.TASK.to
 GOOGLE HACKING FOR PENETRATION TESTERS

What is Google Hacking?

 It is NOT hacking into Google!!

 Johnny Long is the “grandfather” of Google hacking.
 His website http://johnny.ihackstuff.com is exclusively dedicated to
Google Hacking and you will find all sorts of cool information there.
 Google is much more than just a simple search interface and engine.
 Google crawls public websites for information every 6-8 weeks using an
automated search and record program called Googlebot.
 As more of our business processes, intellectual property and research
and development moves to a web environment, it will be more important
for security professionals to have the skills required to evaluate their sites
from the perspective of a malicious search engine user.

© Toronto Area Security Klatch 2007 www.TASK.to

 GOOGLE HACKING FOR PENETRATION TESTERS

Basic Google Operators

 Exclude terms using the NOT operator (minus sign)

 For example, searching SANS –GIAC will give you everything that has
SANS but not GIAC
 Include common words using the AND operator (plus sign)
 For example, searching SANS +GIAC will give you everything with the
words SANS and GIAC
 Searching for exact phrases must be surrounded by double quotes
 For example, “SANS and GIAC” will return all results that have SANS and
GIAC as a phrase
 Wildcards are represented by an asterisk
 Searching for SANS * “Storm Center” will return all entries with SANS any
word Storm Center
 Google searching is not case sensitive so SANS, sans and SaNs are all
the same

www.TASK.to
 GOOGLE HACKING FOR PENETRATION TESTERS

Some of the Advanced Google Search Techniques

 Site - restricts a search to a particular site or domain

 Intitle – finds strings in the title of a page

 Inurl – finds strings in the URL of a page

 Filetype – finds specific types of files based on file extension

 Link – searches for links to a site or URL

 Inanchor – finds text in the descriptive text of links

www.TASK.to
 GOOGLE HACKING FOR PENETRATION TESTERS

Google Hacking Tools

 Gooscan – Johnny Long’s free command line UNIX tool. It violates the
Google TOS. Gooscan automates queries designed to find potential
vulnerabilities on web pages against Google.
http://www.johnny.ihackstuff.com
 SiteDigger – A Windows tool that searches Google’s cache to look for
vulnerabilities, errors, configuration issues and proprietary information on
websites. http://www.foundstone.com/resources/proddesc/sitedigger.htm
 Wikto – Wikto is a Windows based web server assessment tool that uses
the Google hacking database (GHDB). This tool requires a Google
developer license. http://www.sensepost.com/research/wikto
 Advanced Dork – AdvancedDork is a Firefox extension designed to
quickly search for specific text inside Google’s Advanced Operators.
https://addons.mozilla.org/firefox/2144

www.TASK.to
 GOOGLE HACKING FOR PENETRATION TESTERS

How to use the GHDB

 The GHDB is the main repository for Google hacking tips and tricks
 Go to the GHDB at http://johnny.ihackstuff.com/ghdb.php
 Select the category you are interested in
 Some very juicy information here such as sensitive directories, vulnerable
servers, files containing passwords, error messages (which give out way
too much information), web server detection and sensitive online
shopping information such as customer data and credit card numbers
 Select the search criteria
 Select the entry name to get more details

www.TASK.to
 GOOGLE HACKING FOR PENETRATION TESTERS

Google Hacking Examples

 Information Disclosure – Google can gather sensitive and private

information and contents as well as intellectual property assets

 Vulnerability Assessment – Google is another component in the

penetration testing toolkit that allows you to identify, with a very low false
positive rate, vulnerable resources published on the Internet. These
mainly affect web based devices such as web servers, application servers
and network devices with a web based interface

 Social Engineering – Google can also be used to map information from

the virtual world to the real world in order to perform social engineering
testing

www.TASK.to
 GOOGLE HACKING FOR PENETRATION TESTERS

Information Disclosure

 Database definitions and dumps

1. “#mysql dump” filetype:sql (for SQL definition files)
2. filetype:ora ora (for Oracle configuration files)

 Exported Registry Settings

1. filetype:reg reg +intext:”internet account manager” (allows you to download the
registry to get juicy info like usernames, mail server settings, etc.)

 Login Credentials: Usernames and Passwords

1. filetype:pot inurl:john (passwords stored in a file john.pot by John the Ripper
publicly available on the Internet)

www.TASK.to
 GOOGLE HACKING FOR PENETRATION TESTERS

Vulnerability Assessment and Penetration Testing

 Identifying vulnerabilities and use Google to do your intelligence gathering

 Look for misconfigurations or “non” configurations
 Examples would include default installations, private web interfaces and
identifying devices such as printers
 Intitle:”Welcome to IIS 4.0” will find many default installations of IIS 4.0 –
you now own that server – scary!!
 Intitle:”Cisco Systems, Inc. VPN 3000 Concentrator” will get you access
to the web interface and chances are many of these have the default
username and password
 inurl:printer/main.html intext:settings will give you ownership of publicly
accessible network printers
 Filetype:rdp rdp will get you RDP access to many systems on the Internet
(some of which don’t have usernames or passwords!!)

www.TASK.to
 GOOGLE HACKING FOR PENETRATION TESTERS

Social Engineering

 Google groups is an online public discussion forum

 Thousands of newsgroup messages are posted here daily, some of them
containing very sensitive information
 A simple search for your organization’s domain name can return a lot of social
engineering information such as valid employee names, email addresses,
resources and other details
 Google group operators include:
1. author – searches for the author of a post based on name – author:@sans.org
2. group – allows you to find specific groups related to a given topic –
group:*.hacking.*
3. insubject – allows you to find searched terms within the message subject line –
insubject:”google hacking”
4. msgid – newsgroup messages uniquely identified by a message ID that looks
like an email address with a random username – msgid:123456@sans.org

www.TASK.to
 GOOGLE HACKING FOR PENETRATION TESTERS

Google Hacking Defenses

 Use common sense!! Basic security practices is all it takes. Defense in

depth, act diligently when configuring web based devices and have a
strong corporate security policy

 Use Google hacking techniques to uncover your own security problems.

So…..Google hack yourself!

 Work with Google for help in removing security breaches. They are easy
to work with and want to help! You can find contact info on their site.

www.TASK.to