Advanced googling
Google Hacking
Search Engine Black-Ops
Joshua Brashars

Obligatory C.Y.A. Disclaimer:
I am in NO way, shape, or form affiliated with the almighty Google. Google is a registered trademark, owned by people that are almost completely, but not at all like me. Void where prohibited, actual colors may vary, see your dealer for details, batteries not included. So please, Google, don’t sue me or pull the plug on me. I can’t imagine a life without Google, and trying to makes me cry, just like at the end of Old Yeller. What a great movie.

Now that that’s out of the way…

Who the heck is this guy?
- Based out of San Diego
- A moderator of http://johnny.ihackstuff.com/
- IT Support and Network Security
- A heck of a dancer
- Not as funny as he thinks he is…

Google Hacking?!
What it is not:
- NOT hacking into Google itself!
- NOT something that requires “leet skillz”
- NOT limited to security!
- NOT related to the O’Reilly Book about SEO

Ok, so what is it then?
Simply put, mining data the Google search engine has already indexed.
- YES! It is easy…
- YES! Anyone can do it...
- YES! It can be very dangerous…
- YES! It is a great book written by Johnny Long…
- YES! That was a shameless plug…

Advanced Operators
Before we can walk, we must learn to run. In Google’s terms, this means understanding advanced operators.
Advanced Operators
- Google advanced operators help refine searches.
- They are included as part of the standard Google query.
- Advanced operators use syntax such as the following:
    operator:search_term
There’s no space between the operator, the colon, and the search term!
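As an added example (not part of the talk), here is a small Python parser for the operator:search_term syntax described above. It also handles the pieces the deck's later queries use: quoted phrases, the negative search (-site:), forced terms (+intext:), and | / OR alternatives, and it flags the exact mistake this slide warns about, a space between the colon and the term. Grouping parentheses are flattened, which is a simplification; the operator names beyond the six on the slides (intext, ext, numrange) are taken from queries later in the deck, and the rest is my construction.

```python
"""Parser for Google advanced-operator query syntax (operator:term, no space).

Added example, not code from the original talk.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Six operators from the slides plus three (intext, ext, numrange) that appear
# in queries later in the deck. Anything else after a colon is plain text.
KNOWN_OPERATORS = {"intitle", "inurl", "site", "link", "inanchor", "filetype",
                   "intext", "ext", "numrange"}

TOKEN_RE = re.compile(r'''
    [-+]?[A-Za-z]+:"[^"]*"   # operator attached to a quoted phrase, e.g. intitle:"index of"
  | "[^"]*"                  # bare quoted phrase
  | \|                       # OR written as a pipe
  | [()]                     # grouping parentheses (flattened in this example)
  | [^\s()|]+                # a plain word, an operator:word, or the word OR
''', re.VERBOSE)


@dataclass(frozen=True)
class Term:
    operator: Optional[str]   # None for a keyword or phrase with no operator
    value: str                # search text with surrounding quotes removed
    negated: bool = False     # written with a leading "-"
    phrase: bool = False      # written in double quotes


def _term_from_token(tok: str, warnings: List[str]) -> Term:
    negated = tok.startswith("-")
    if tok[:1] in "+-":
        tok = tok[1:]
    operator = None
    m = re.match(r"^([A-Za-z]+):(.*)$", tok, re.DOTALL)
    if m:
        name, rest = m.group(1).lower(), m.group(2)
        if rest == "":
            # "site: umich.edu": the space detaches the term, so the engine sees
            # plain text. This is the mistake the slide warns about.
            warnings.append(f'"{name}:" has no term attached (space after the colon?); treated as plain text')
        elif name not in KNOWN_OPERATORS:
            warnings.append(f'"{name}:" is not a known operator; treated as plain text')
        else:
            operator, tok = name, rest
    phrase = len(tok) >= 2 and tok[0] == '"' and tok[-1] == '"'
    value = tok[1:-1] if phrase else tok
    return Term(operator, value, negated, phrase)


def parse_query(query: str) -> Tuple[List[List[Term]], List[str]]:
    """Return (groups, warnings). Each group is a list of OR alternatives;
    the groups themselves are ANDed, which is how Google combines terms."""
    warnings: List[str] = []
    groups: List[List[Term]] = []
    pending_or = False
    for tok in TOKEN_RE.findall(query):
        if tok in ("(", ")"):
            continue                      # grouping is flattened here
        if tok == "|" or tok == "OR":     # Google needs OR in upper case
            if not groups:
                warnings.append("OR with nothing on its left is ignored")
            else:
                pending_or = True
            continue
        term = _term_from_token(tok, warnings)
        if pending_or:
            groups[-1].append(term)
            pending_or = False
        else:
            groups.append([term])
    if pending_or:
        warnings.append("dangling OR at the end of the query is ignored")
    return groups, warnings


def render(groups: List[List[Term]]) -> str:
    """Write a parsed query back out in canonical operator:term form."""
    def one(t: Term) -> str:
        text = f'"{t.value}"' if t.phrase else t.value
        return ("-" if t.negated else "") + (f"{t.operator}:" if t.operator else "") + text
    return " ".join("|".join(one(t) for t in group) for group in groups)


if __name__ == "__main__":
    for q in ['site:umich.edu -site:www.umich.edu',
              'intitle:"index of" "last modified"',
              'site: umich.edu']:
        groups, warnings = parse_query(q)
        print(f"{q!r} -> {render(groups)!r} {warnings}")
```

The round trip through render() is a cheap self-check when you build queries programmatically (for example in a self-assessment script): if the canonical form differs from what you typed, an operator was not attached the way you intended.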

Advanced Operators at a glance
- intitle: - search page title
- inurl: - search URL
- site: - limit results to a specific site
- link: - other sites that link to our subject
- inanchor: - search within hyperlinks
- filetype: - starting to see a pattern yet?

A note on numrange…
- Received a lot of press in the past
- Used for credit card and social security number searches.
- Sorry, that type of stuff is beyond the scope of this talk.

A crash course in Advanced Googling

Advanced Google Searching

Google Hacking Basics
Putting advanced operators together in intelligent ways can cause a seemingly innocuous query…
…to have devastating results!

Basic Domain Crawling
The site: operator narrows a search to a particular site, domain, or subdomain.
Consider, site:umich.edu…

Basic Domain Crawling
- Most obvious stuff floats to the top
- As a security tester (or an attacker) we need to get to the less obvious stuff
- www.umich.edu is way too obvious.

Basic Domain Filter
To get rid of the most obvious junk, do a negative search!
    site:umich.edu -site:www.umich.edu

Basic Domain Filter
This has several benefits:
- Low profile. The target can’t see the activity.
- Results are “ranked” by Google. This means that the most public stuff floats to the top. Some more interesting stuff trolls to the bottom.
- Leads for follow-up recon. You aren’t just getting hosts and domain names, you get application data just by looking at the results snippet. One page of results can contain tons of info, such as e-mail addresses, names, etc…
- We can explore non-obvious relationships. This is HUGE!

You’re ranting, Josh…
There are downsides, though.
In many cases it would be faster and easier as a good guy to use traditional techniques and tools that connect to the target, but remember – the bad guys can still find and target you through Google.

Google Translation as a proxy
- Use Google to do your work
- English to English translation
- Still get the content, still readable, not your IP!
    http://www.google.com/translate?u=http%3A%2F%2Fwww.umich.edu&langpair=en%7Cen&hl=en&ie=UTF8

Google translation as a proxy
The Caveat – Images
- Not truly anonymous
- Images requested from the site will still be processed with our IP address
- Still, it’s a creative use of Google
- Always test your proxies!
    www.whatismyip.com

Server Identification
    intitle:"index.of" "server at"
There are two ways this is useful:
- If an attacker knows what version a server is, he may be able to locate an exploit for it
- If an attacker has an exploit for a certain type of server, Google can ferret out some vulnerable hosts

More server identification queries
    "Apache/" "server at" intitle:"index.of"
    "Microsoft-IIS/* server at" intitle:"index.of"
    "Oracle HTTP Server Powered by Apache" intitle:"index.of"
    "Red Hat Secure/3.0 server at" intitle:"index.of"
    "Apache Tomcat/" intitle:"index.of"
    "AnWeb/1.42h" intitle:"index.of"

Finding specific files
- The filetype: operator allows us to find specific types of files.
- Consider log files, such as ws_ftp.log
- Log files often contain juicy info such as IP addresses, directory structures, and more…
    site:umich.edu filetype:log

Directory Traversal
    inurl:"php?page=" inurl:html
This… (screenshot) …becomes this! (screenshot)

Social Engineering
Resumes can be valuable!
    "curriculum vitae" site:umich.edu

robots.txt
- Robots.txt can provide a roadmap for unknown, and potentially sensitive, directories and files.
- Robots.txt should not be spidered by the web server… but is that always the case?

    User-agent: *
    Disallow: /htbin/
    Disallow: /shtbin/
    Disallow: /stats/dynamic/
    Disallow: /stats/static/
    Disallow: /search/
    Disallow: /caen/EITC2004/
    Disallow: /ipe/studyabroad/funding/scholarships/
    Disallow: /caen/news/Volume_18/
    Disallow: /caen/news/Volume_19/
    Disallow: /caen/news/Volume_20/
    Disallow: /admin/dean/
    Disallow: /caen/systems/
    Disallow: /caen/staff/
    Disallow: /lost/
    Disallow: /class/eecs381/
    Disallow: /class/eecs493/
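An added example, not from the talk: a Python audit that reads a robots.txt and shows the roadmap it publishes, so a site owner can review it before it goes live. It parses the file into per-agent rules (agents named together share one record, as the robots.txt convention has it), lists every advertised prefix, and answers whether a given path is covered. The sample file is the one on the slide, embedded as a constructed copy; plain prefix matching is an assumption, since engines differ in the finer details.

```python
"""Audit the roadmap a robots.txt hands to anyone who reads it.

Added example, not code from the original talk.
"""
from typing import Dict, List

# Constructed copy of the robots.txt shown on the slide.
SAMPLE_ROBOTS_TXT = """\
User-agent: *
Disallow: /htbin/
Disallow: /shtbin/
Disallow: /stats/dynamic/
Disallow: /stats/static/
Disallow: /search/
Disallow: /caen/EITC2004/
Disallow: /ipe/studyabroad/funding/scholarships/
Disallow: /caen/news/Volume_18/
Disallow: /caen/news/Volume_19/
Disallow: /caen/news/Volume_20/
Disallow: /admin/dean/
Disallow: /caen/systems/
Disallow: /caen/staff/
Disallow: /lost/
Disallow: /class/eecs381/
Disallow: /class/eecs493/
"""


def parse_robots(text: str) -> Dict[str, List[str]]:
    """Map each user-agent to the path prefixes it is told to stay out of.

    A record is one or more User-agent lines followed by rule lines; agents
    named together share the same rules. Allow lines and an empty Disallow
    (which means 'allow everything') add no prefix.
    """
    records: Dict[str, List[str]] = {}
    agents: List[str] = []         # agents of the record being read
    reading_agents = False         # True while consecutive User-agent lines arrive
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if not reading_agents:            # first agent line opens a new record
                agents, reading_agents = [], True
            agents.append(value.lower())
            records.setdefault(value.lower(), [])
        elif field in ("disallow", "allow"):
            reading_agents = False
            if field == "disallow" and value:
                for agent in agents:
                    records[agent].append(value)
    return records


def is_disallowed(records: Dict[str, List[str]], agent: str, path: str) -> bool:
    """Would a crawler identifying as `agent` be told to keep out of `path`?
    The agent's own record wins; otherwise the '*' record applies."""
    prefixes = records.get(agent.lower(), records.get("*", []))
    return any(path.startswith(p) for p in prefixes)


def roadmap(records: Dict[str, List[str]]) -> List[str]:
    """Every prefix the file advertises, across all agents, sorted and de-duplicated.
    This is the 'roadmap' from the slide, and it is readable by anyone, crawler or not."""
    return sorted({p for prefixes in records.values() for p in prefixes})


if __name__ == "__main__":
    rules = parse_robots(SAMPLE_ROBOTS_TXT)
    print(f"{len(roadmap(rules))} paths advertised to every reader of robots.txt:")
    for p in roadmap(rules):
        print("  ", p)
```

The useful output is roadmap(): each entry is a directory the owner has named in public. A Disallow line keeps well-behaved crawlers out; it does not keep anyone else out, so every entry that matters should also sit behind real access control.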

Zero-Packet Port Scanning
Why get your hands dirty when someone else will do it for you?

Whatchoo talkin’ bout, Willis?
Ok, before you throw things at me, allow me to clear up a few things about the phrase “zero packet” in this context:
- Passive techniques are truly zero-packet. That’s not what I’m talking about.
- I’m talking about zero packets directly from source to target. Think proxy. It’s about staying out of the target’s logs.
- Um… plus this is a talk about Google Hacking, sheesh!
- Oh, come on, it’s silly but it’s still fun!

Zero-packet verification
- So, it takes a few packets from us to the target to verify and fingerprint hosts.
- Now, DNS resolution is no big deal, but port scanning is. This flags IDS systems.
- Is there an interesting way to do traditional recon without sending any packets directly from us to the target?

Everyone, say it with me…
(yes, even you in the front. Say it with me…)

Old School! Finger…
    inurl:/cgi-bin/finger?"in real life"
PHP Ping
    "Enter ip" inurl:"php-ping.php"
PHP Port Scanner
    inurl:portscan.php "from port"|"Port Range"
Yet another port scanner
    "server status" "enter domain below"
Locating proxy servers
    (intitle:"502 Proxy Error")|(intitle:"503 Proxy Error") "The proxy server could not handle the request"
CGIProxy
    intitle:"start using cgiproxy" no scripts ads
WebUtil
    inurl:webutil.pl
Network Query Tool
    intitle:"network query tool"
Cache is your friend!

Zero-packet Recon
The point is, Google can be used as an interesting, low-profile alternative to traditional recon techniques. We’ve used Google queries for low-profile alternatives to:
- DNS resolution
- Unix service queries
- Network recon
- Web-based proxy services
- Web crawling via cache

Directory Listings, a Google hacker’s best friend!
    intitle:"index of" "last modified"
- Virtual file server, can reveal sensitive files web surfers shouldn’t see
- Index listings provide an x-ray into the system. Just because our target doesn’t necessarily have directory listings, other sites with the same web apps might. This is handy!
This helps narrow down server structure when we know which applications are installed…

Who needs Kazaa?
- Peer to peer applications use non-standard ports. Not always possible to install with given access.
- P2P ports can be blocked at the firewall level.
Google to the rescue!
    intitle:"index.of" Green Day mp3 last modified

Google Hacking Showcase, 2005! Let the games begin!
Each of these screenshots was found using nothing but Google.
Here’s some of the best of the worst:
    intitle:"VNC Viewer for Java"
    intitle:"toshiba network camera - user login"
    intitle:"Speedstream Router Management Interface"
    intitle:"Setup Home" "You will need to log in before" "change" "settings"
    inurl:SUSAdmin intitle:"Microsoft Software Update Services"
    "set up administrator user" inurl:pivot
    inurl:webArch/MainFrame.cgi
    intitle:"EpsonNet WebAssist" intitle:"Rev"
Nessus Scan output!
    ext:nbe nbe
VPN User Profiles
    intext:Host=*.* intext:UserPassword=* ext:pcf
    adminpassword sysprep filetype:inf
    intext:SQLiteManager inurl:main.php
    intitle:phpMyAdmin "Welcome to phpMyAdmin "*" "running on * as root@*"
    intitle:"Sipura.SPA.Configuration" -.pdf
    intitle:"EverFocus" intitle:"Applet"

Even UMich is vulnerable…
    intitle:"TANDBERG" "This page requires a frame capable browser!" site:umich.edu
    intitle:"Big Brother - Status" inurl:bb
    intitle:Remote.Desktop.Web.Connection inurl:tsweb
    +intext:"webalizer" +intext:"TotalUsernames" +intext:"Usage Statistics for"
    inurl:/tmp
    "please log in"
    intitle:intranet inurl:intranet +intext:"human resources"
    inurl:"exchange/logon.asp" OR intitle:"Microsoft Outlook Web Access - Logon"

My personal favorite…
    site:umich.edu filetype:mbox

So, what can be done?
Preventative maintenance:
- Disable directory listings if you do not need them.
- Password protect sensitive directories.
- Robots.txt – but don’t let Google crawl it ;)
- Don’t use default passwords! Do I really need to say this?
- Google’s removal page: http://www.google.com/remove.html
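An added example, not from the talk, for the first item on the list: a Python check that walks a local document root and reports every directory a listing-enabled server would expose as "Index of /…", then writes the fix for the ones you choose. It assumes an Apache-style server that lists any directory lacking an index document unless it sees Options -Indexes (applied here through .htaccess, which needs AllowOverride Options), and the index file names below; the sample web root is constructed in a temporary directory.

```python
"""Find directories under a web root that would be served as a directory listing.

Added example, not code from the original talk.
"""
import os
import tempfile
from typing import List

# Assumed DirectoryIndex candidates; adjust to your server's configuration.
INDEX_NAMES = ("index.html", "index.htm", "index.php")


def _listing_off_here(dirpath: str) -> bool:
    """True if this directory's .htaccess turns listings off with 'Options -Indexes'."""
    htaccess = os.path.join(dirpath, ".htaccess")
    if not os.path.isfile(htaccess):
        return False
    with open(htaccess, encoding="utf-8") as fh:
        return any(line.strip().lower().startswith("options") and "-indexes" in line.lower()
                   for line in fh)


def listable_dirs(docroot: str, index_names=INDEX_NAMES) -> List[str]:
    """Docroot-relative paths of directories a listing-enabled server would expose.
    'Options -Indexes' is inherited by subdirectories, as it is in Apache."""
    found: List[str] = []

    def visit(dirpath: str, inherited_off: bool) -> None:
        names = os.listdir(dirpath)
        off = inherited_off or _listing_off_here(dirpath)
        if not off and not any(n in names for n in index_names):
            rel = os.path.relpath(dirpath, docroot).replace(os.sep, "/")
            found.append("/" if rel == "." else f"/{rel}/")
        for name in sorted(names):               # deterministic order
            child = os.path.join(dirpath, name)
            if os.path.isdir(child):
                visit(child, off)

    visit(docroot, False)
    return found


def disable_listing(docroot: str, rel_dir: str) -> str:
    """Append 'Options -Indexes' to the directory's .htaccess; returns the file written."""
    htaccess = os.path.join(docroot, rel_dir.strip("/").replace("/", os.sep), ".htaccess")
    with open(htaccess, "a", encoding="utf-8") as fh:
        fh.write("Options -Indexes\n")
    return htaccess


def build_sample_tree() -> str:
    """Constructed sample web root: two directories with index pages, three without."""
    root = tempfile.mkdtemp(prefix="docroot-")
    files = {
        "index.html": "<html>home</html>",
        "docs/index.html": "<html>docs</html>",
        "backup/site-2005.tar.gz": "not really an archive",
        "logs/ws_ftp.log": "sample log line",
        "music/track01.mp3": "not really audio",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("listable before:", listable_dirs(root))
    for d in listable_dirs(root):
        disable_listing(root, d)
    print("listable after: ", listable_dirs(root))
```

Run it against a copy of the real document root rather than the live one, review the list (a /backup/ or /logs/ directory with no index page is exactly what the filetype:log and "index of" queries earlier in the deck turn up), and prefer a server-wide Options -Indexes in the main configuration over per-directory .htaccess files once you have confirmed nothing legitimately depends on listings.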

Go hack yourself, pal!
- Wikto from Sensepost
- Athena
- Gooscan
Note: Gooscan violates Google’s TOS. You really do not want Google pissed at you. Remember Old Yeller? Sadder than that.

WIKTO, by Sensepost
- Automates Google hack scanning
- Available for free from www.sensepost.com
- Requires a valid Google API key
- Designed to allow site owners to test themselves for vulnerabilities

Thanks!
- UMich for having me out
- Johnny Long for being a mentor and a friend
- The whole team at http://johnny.ihackstuff.com
- The endless (misguided?) loving support of my family and friends, and co-workers
- The 7-11 by my house, for always being there for me when I need them.
Without the help of all of these people and more, none of this would be possible and I might still be jockeying tapes at the video store.