GoSecure Inc.
03/07/2007
Hacking with Google for fun and profit!
October 2004
Robert Masse & Jian Hui Wang
Agenda
- Google Introduction & Features
- Google Search Technique
- Google Basic Operators
- Google Advanced Operators
- Google Hacking
- Digging for vulnerability gold
- Identifying operating systems
- Vulnerability scanning
- Proxying
- Protect your information from Google
Google Hacking
Google Search Technique
Just put the word and run the search
You need to audit your Internet presence
One database, Google almost has it all!
- One of the most powerful databases in the world
- Consolidates a lot of information
- Usage: student, business, Al-Qaeda
- One-stop shop for attack, maps, addresses, photos, technical information
Google Advanced Search
A little more sophisticated
Google Operators:
Operators are used to refine the results and to maximize the search value. They are your tools as well as hackers' weapons.
Basic Operators:
+, -, ~, ., *, "", |, OR
Advanced Operators:
allintext:, allintitle:, allinurl:, bphonebook:, cache:, define:, filetype:, info:, intext:, intitle:, inurl:, link:, phonebook:, related:, rphonebook:, site:, numrange:, daterange:
Basic Operators
(+) force inclusion of something common. Google ignores common words (where, how, digit, single letters) by default:
Example: Star Wars Episode +I
(-) exclude a search term
Example: apple -red
("") use quotes around a search term to search exact phrases:
Example: "Robert Masse"
Robert Masse without quotes has 309,000 results, but "Robert Masse" has only 927 results. The quotes cut out the 99% of results that are irrelevant.
(~) search synonym:
Example: ~food
Returns results about food as well as recipe, nutrition and cooking information
( . ) a single-character wildcard:
Example: [Link]
Returns results for M@trix, matrix, metrix.
( * ) any word wildcard
Advanced Operators: Site:
Site: Domain_name
Find Web pages only on the specified domain. If we search a specific site, usually we get the Web structure of the domain.
Examples:
site:ca site:[Link] site:[Link]
Advanced Operators: Filetype:
Filetype: extension_type
Find documents with the specified extensions. The supported extensions are:
- HyperText Markup Language (html)
- Adobe Portable Document Format (pdf)
- Adobe PostScript (ps)
- Lotus 1-2-3 (wk1, wk2, wk3, wk4, wk5, wki, wks, wku)
- Lotus WordPro (lwp)
- MacWrite (mw)
- Text (ans, txt)
- Microsoft PowerPoint (ppt)
- Microsoft Word (doc)
- Microsoft Works (wks, wps, wdb)
- Microsoft Excel (xls)
- Microsoft Write (wri)
- Rich Text Format (rtf)
- Shockwave Flash (swf)
Note: We can actually search asp, php, cgi and pl files as well, as long as they are text-compatible.
Example: Budget filetype: xls
A budget file we found.
Advanced Operators: Intitle:
Intitle: search_term
Find the search term within the title of a Web page
Allintitle: search_term1 search_term2 search_term3
Find Web pages whose title includes all of these search terms
These operators are especially useful for finding directory listings.
Example:
Find directory list: Intitle: [Link] parent directory
Advanced Operators: Inurl:
Inurl: search_term
Find the search term in a Web address
Allinurl: search_term1 search_term2 search_term3
Find multiple search terms in a Web address
Examples:
Inurl: cgi-bin
Allinurl: cgi-bin password
Advanced Operators: Intext:
Intext: search_term
Find the search term in the text body of a document.
Allintext: search_term1 search_term2 search_term3
Find multiple search terms in the text body of a document.
Examples:
Intext: Administrator login
Allintext: Administrator login
Advanced Operators: Cache:
Cache: URL
Find the old version of a Website in the Google cache. Sometimes, even when the site has already been updated, the old information can still be found in the cache.
Examples:
Cache: [Link]
Advanced Operators
<number1>..<number2>
Conduct a number range search by specifying two numbers, separated by two periods, with no spaces. Be sure to specify a unit of measure or some other indicator of what the number range represents.
Examples:
Computer $500..1000
DVD player $250..350
Advanced Operators: Daterange:
Daterange: <start_date>-<end date>
Find the Web pages between start date and end date
Note: start_date and end date use the Julian date. The Julian date is calculated by the number of days since January 1, 4713 BC. For example, the Julian date for August 1, 2001 is 2452122.
Examples:
2004.07.10=2453196
2004.08.10=2453258
Vulnerabilities date range: 2453196-2453258
Advanced Operators: Link:
Link: URL
Find the Web pages having a link to the specified URL
Related: URL
Find the Web pages that are similar to the specified Web page
Info: URL
Present some information that Google has about that Web page
Define: search_term
Provide a definition of the words gathered from various online sources
Examples:
Link: [Link]
Related: [Link]
Info: [Link]
Advanced Operators: phonebook:
Phonebook: search the entire Google phonebook
rphonebook: search residential listings only
bphonebook: search business listings only
Examples:
Phonebook: robert las vegas (robert in Las Vegas)
Phonebook: (702) 944-2001 (reverse search, does not always work)
The phonebook is mostly limited to the U.S.A.
Google, Friend or Enemy?
- Google is everyone's best friend (yours or hackers')
- Information gathering and vulnerability identification are the tasks in the first phase of a typical hacking scenario
- Passive, stealthy and huge data collection
- Google can do more than search
- Have you used Google to audit your organization today?
What can Google do for a hacker?
- Search sensitive information like payroll, SIN, even the personal email box
- Vulnerability scanner
- Transparent proxy
Salary
Salary filetype: xls site: edu
Security social insurance number
Intitle: Payroll intext: ssn filetype: xls site: edu
Security Social Insurance Number
Payroll intext: Employee intext: ssn filetype: xls
Financial Information
Filetype: xls checking account credit card intext: Application -intext: Form (only 39 results)
Financial Information
Intitle: Index of [Link] (9)
Personal Mailbox
Intitle: [Link] inurl: Inbox (456) (mit mailbox)
Personal Mailbox
After several clicks, we got the private email messages
Personal Mailbox
Intitle: [Link] inurl: Inbox (inurl: User OR inurl: Mail) (220)
Confidential Files
not for distribution confidential (1,760)
Confidential Files
not for distribution confidential filetype: pdf (marketing info) (456)
OS Detection
- Use the keywords of the default installation page of a Web server to search
- Use the title to search
- Use the footer in a directory index page
OS Detection-Windows
Microsoft-IIS/5.0 server at
OS Detection - Windows
Default web page? Intitle: Welcome to Windows 2000 Internet Services
OS Detection Apache 1.3.11-1.3.26
Intitle: [Link] [Link]
OS Detection-Apache SSL enable
Intitle: [Link] SSL/TLS-aware (127)
Search Passwords
- Search for well-known password filenames in the URL
- Search the database connection files or configuration files to find a password and username
- Search for a specific username file for a specific product
Search Passwords
Inurl: etc inurl: passwd
Search Passwords
Intitle: Index of..etc passwd
Search Passwords
"# -FrontPage-" inurl: [Link] (then crack it)
Search Passwords
Inurl: [Link] filetype: pwd
Search Passwords
Filetype: inc dbconn
Search Passwords
Filetype: inc intext: mysql_connect
Search Passwords
Filetype: ini +ws_ftp +pwd (get the encrypted passwords)
Search Passwords
Filetype: log inurl: [Link]
Search Username
+intext: "webalizer" +intext: Total Usernames +intext: Usage Statistics for
License Key
Filetype: lic lic intext: key (33) (license key)
Cookies Syntax
Filetype: inc inc intext: setcookie -cvs -examples sourceforge -site: [Link] (120) (cookie schema)
Sensitive Directories Listing
- Powerful buzz word: Index of
- Search the well-known vulnerable directory names
Sensitive Directories Listing
index of cgi-bin (3590)
Sensitive Directories Listing
Intitle: Index of cfide (coldfusion directory)
Sensitive Directories Listing
Intitle: [Link]
Sensitive Directories Listing
Intitle: index of iissamples (dangerous iissamples) (32)
Sensitive Directories Listing
Inurl: iissamples (1080)
Database Manipulation
Different database applications leave different signatures on the database files
Database Manipulation
Welcome to phpMyAdmin AND Create new database -intext: No Priviledge (find a page that might have privilege to update mysql)
Database Manipulation
Welcome to phpMyAdmin AND Create new database (after several hits, we got this)
Database Manipulation
Select a database to view intitle: filemaker pro (94) Filemaker
Database Manipulation
After several clicks, you can query the table
Database Manipulation
# Dumping data for table (username|user|users| password) -site: [Link] cvs (289) (backup data of mysqldump)
Database Manipulation
# Dumping data for table (username|user|users| password) site: [Link] -cvs
Database Manipulation
# Dumping data for table (username|user|users| password) -site: [Link] cvs
Sensitive System Information
- Network security reports have lists of vulnerabilities for your system
- Configuration files often contain the application parameters inventory
Network Security Report (ISS)
Network Host Assessment Report Internet Scanner (iss report) (13)
Network Security Report (ISS)
Host Vulnerability Summary Report (ISS report) (25)
Network Security Report (nessus)
This file was generated by Nessus || intitle:Nessus Scan Report -site:[Link] (185)
Network Scanner Report (Snort)
SnortSnarf alert page (15,500)
Network Security Report (Snort)
Intitle: Analysis Console for Intrusion Databases +intext:by Roman Danyliw inurl:acid/ acid_main.php (13 results, acid alert database)
Configuration Files ([Link])
(inurl: [Link] | inurl: [Link]) intext:disallow filetype:txt
[Link] is meant to protect your privacy from crawlers, but it also allows you to determine the file system architecture
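An added example (not from the original slides) of checking your own crawler-exclusion file for the leak described above. It assumes the file is the standard robots.txt, since the page's filename is elided; the keyword list, function names and sample file are constructed for illustration.

```python
import re

# Hypothetical keyword prefixes; tune them to your own site layout.
SENSITIVE_HINTS = ("admin", "backup", "cgi", "conf", "db", "log", "passw", "private")

# Constructed sample file, not taken from any real site.
SAMPLE_ROBOTS = """\
# constructed sample
User-agent: *
Disallow: /cgi-bin/
Disallow: /images/
Disallow: /admin/backup_2004/
Disallow:            # empty value = nothing is disallowed

User-agent: Googlebot
Disallow: /private/payroll.xls
"""

def parse_disallow(robots_text):
    """Return (user_agent, path) pairs for every non-empty Disallow rule."""
    rules, agents, last_was_agent = [], [], False
    for raw in robots_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        if field.lower() == "user-agent":
            if not last_was_agent:                # a new group starts here
                agents = []
            agents.append(value)
            last_was_agent = True
            continue
        last_was_agent = False
        if field.lower() == "disallow" and value:
            rules.extend((agent, value) for agent in (agents or ["*"]))
    return rules

def disclosed_paths(robots_text):
    """Disallowed paths whose names advertise what they are hiding."""
    hits = []
    for _agent, path in parse_disallow(robots_text):
        tokens = re.split(r"[^a-z0-9]+", path.lower())
        matched = sorted({h for h in SENSITIVE_HINTS for t in tokens if t.startswith(h)})
        if matched:
            hits.append((path, matched))
    return hits

if __name__ == "__main__":
    for path, why in disclosed_paths(SAMPLE_ROBOTS):
        print(f"{path}: reveals {', '.join(why)}; protect it with authentication")
```

Every path this reports is readable by anyone who fetches the file, so each one needs real access control rather than a Disallow line.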
A vulnerable target scanning example
- Get the new vulnerabilities from an advisory
- Find the signature from the vendor Website
- Google search to find the targets
- Perform further malicious actions
An advisory looks like
Vendor Website Information
Google search
Inurl: [Link]
The victim's Website
Download the database
Game over
Transparent Proxy
Normal surfing on [Link]
Transparent Proxy
When we use Google translation tool to surf [Link]
Google Automated Scanning
Google doesn't like the idea of automating Google scans. They issue a free licence limited to 1000 queries/day to Google.
Gooscan
Gooscan is a UNIX (Linux/BSD/Mac OS X) tool that automates queries against Google search appliances, which helps with external vulnerability assessment. For more information about this tool, including the ethical implications of its use, see: http:// [Link]
Google Automated Tools
SiteDigger
SiteDigger searches Google's cache to look for vulnerabilities, errors, configuration issues, proprietary information, and interesting security nuggets on Web sites. See: [Link]
Google Automated Tools
Athena
Another Google query tool. It supports an open XML configuration format to support multiple search engines (not just Google)
Google Materials
Googledorks
The famous Google Hack Website; it has many different examples of unbelievable things: http:// [Link].
Google Materials
Freshgoo
Search Google for pages published today, yesterday, within the last seven days or the last 30 days: http:// [Link]/[Link]
Protect Your Data
- Keep patching your systems and applications
- Keep your sensitive data off the Web
- Apply authentication (RSA, Clientless VPN)
- Disable directory browsing
- Google hack your Website
- Consider removing your site from Google's index: [Link]
- Use a [Link] file to guard against Web crawlers: [Link]
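An added example (not part of the original deck) for the "disable directory browsing" and "Google hack your Website" items: it scans pages fetched from your own site for the directory-index title and server footer signatures that the OS Detection slides describe. The URLs, page bodies and function names are constructed for illustration.

```python
import re

# Title and link that auto-generated directory indexes carry.
TITLE_RE = re.compile(r"<title>\s*Index of\s+(?P<path>[^<]*)</title>", re.I)
PARENT_RE = re.compile(r">\s*Parent Directory\s*<", re.I)
# Server signature line, e.g. the slides' "Microsoft-IIS/5.0 server at".
FOOTER_RE = re.compile(
    r"(?P<server>(?:Apache|Microsoft-IIS)/[\d.]+)[^<]*?\bServer at\s+(?P<host>[\w.-]+)",
    re.I,
)

# Constructed responses standing in for pages crawled from your own site.
SAMPLE_PAGES = {
    "https://www.example.com/backup/": (
        "<html><head><title>Index of /backup</title></head><body>"
        "<h1>Index of /backup</h1><pre><a href=\"/\">Parent Directory</a>\n"
        "<a href=\"db.sql\">db.sql</a></pre><hr>"
        "<address>Apache/1.3.26 Server at www.example.com Port 80</address>"
        "</body></html>"
    ),
    "https://www.example.com/catalogue.html": (
        "<html><head><title>Index of our product range</title></head>"
        "<body><p>Browse the catalogue.</p></body></html>"
    ),
    "https://www.example.com/missing": (
        "<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1>"
        "<hr><address>Apache/1.3.26 (Unix) Server at www.example.com Port 80"
        "</address></body></html>"
    ),
}

def audit_page(html):
    """Return a list of (finding, detail) tuples for one response body."""
    findings = []
    title = TITLE_RE.search(html)
    # Require both markers so an article titled "Index of ..." is not flagged.
    if title and PARENT_RE.search(html):
        findings.append(("directory-listing", title.group("path").strip()))
    footer = FOOTER_RE.search(html)
    if footer:
        findings.append(("server-banner", footer.group("server")))
    return findings

def audit_site(pages):
    """Map each URL with at least one finding to its findings."""
    report = {url: audit_page(html) for url, html in pages.items()}
    return {url: found for url, found in report.items() if found}

if __name__ == "__main__":
    for url, found in audit_site(SAMPLE_PAGES).items():
        print(url, found)
```

On Apache, `Options -Indexes` removes the generated listing and `ServerSignature Off` removes the version footer.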
Google Hacking References
- Google APIS: [Link]/apis
- Remove: [Link]
- Googledorks: [Link]
- O'Reilly Google Hack: [Link]
- Google Hack Presentation, Johnny Long: [Link] ownloads&file=index&req=viewdownload&cid=1
- Autism: Using google to hack: [Link]/texts/[Link]
- Google: Net Hacker Tool du Jour: [Link]
Contact Information:
Robert Masse
rmasse@[Link]
[Link]
407 McGill, suite 900
Montréal, Québec, Canada H2Y 2G2
514-287-7427