pct1-30 - google hacks

8/3/2019 PCT1-30 - Google Hacks

1/157

03/07/2007GoSecure Inc.


2/157


Hacking with Google for fun andprofit!

October 2004

Robert Masse & Jian Hui Wang


3/157

03/07/2007GoSecure Inc.2

Google Introduction & Features Google Search Technique

Google Basic Operators

Google Advanced Operators

Google Hacking Digging for vulnerability gold

Identifying operating systems

Vulnerability scanning Proxying

Protect your information from Google


4/157


Google Search Technique Just put the word and run the search

You need to audit your Internet presence One database, Google almost has it all!

One of the most powerful databases in the world Consolidate a lot of info

Usage: Student

Business

AlQaeda

One stop shop for attack, maps, addresses, photos, technical information


5/157



6/157


Google Advance Search A little more sophisticated


7/15703/07/2007GoSecure Inc.

6


8/15703/07/2007GoSecure Inc.

7

Google Operators: Operators are used to refine the results and to maximize

the search value. They are your tools as well as hackersweapons

Basic Operators: +, -, ~ , ., *, , |, OR

Advanced Operators: allintext:, allintitle:, allinurl:, bphonebook:, cache:,

define:, filetype:, info:, intext:, intitle:, inurl:, link:,phonebook:, related:, rphonebook:, site:, numrange:,daterange


9/15703/07/2007GoSecure Inc.

8

Basic Operators (+) force inclusion of something common

Google ignores common words (where, how, digit, singleletters) by default:Example: StarStar Wars Episode +I

(-) exclude a search term

Example: apple red () use quotes around a search term to search exact

phrases:

Example: Robert Masse Robert masse without has the 309,000 results, but

robert masse only has 927 results. Reduce the 99%irrelevant results


10/15703/07/2007GoSecure Inc.

9

Basic Operators (~) search synonym:

Example: ~food

Return the results about food as well as recipe, nutrition

and cooking information ( . ) a single-character wildcard:

Example: m.trix

Return the results of M@trix, matrix, metrix.

( * ) any word wildcard


11/15703/07/2007GoSecure Inc.

10

Advanced Operators: Site: Site: Domain_name Find Web pages only on the specified domain. If we

search a specific site, usually we get the Web structureof the domain

Examples:site:ca

site:gosecure.ca

site:www.gosecure.ca


12/157



13/157


Advanced Operators: Filetype: Filetype: extension_type

Find documents with specified extensions

The supported extensions are:

- HyperText Markup Language (html) - Microsoft PowerPoint (ppt)- Adobe Portable Document Format (pdf) - Microsoft Word (doc)

- Adobe PostScript (ps) - Microsoft Works (wks, wps, wdb)

- Lotus 1-2-3 - Microsoft Excel (xls)

(wk1, wk2, wk3, wk4, wk5, wki, wks, wku) - Microsoft Write (wri)

- Lotus WordPro (lwp) - Rich Text Format (rtf)

- MacWrite (mw) - Shockwave Flash (swf)- Text (ans, txt)

Note: We actually can search asp, php and cgi, pl filesas long as it is text-compatible.Example: Budget filetype: xls


14/157


Advanced Operators A budget file we found .


15/157



16/157


Advanced Operators Intitle: Intitle: search_term

Find search term within the title of a Webpage

Allintitle: search_term1 search_term2 search_term3

Find multiple search terms in the Web pages with thetitle that includes all these words

These operators are specifically useful to find thedirectory lists

Example:Find directory list:

Intitle: Index.of parent directory


17/157



18/157


Advanced Operators Inurl: Inurl: search_term

Find search term in a Web address

Allinurl: search_term1 search_term2 search_term3

Find multiple search terms in a Web address

Examples:

Inurl: cgi-bin

Allinurl: cgi-bin password


19/157



20/157


Advanced Operators Intext; Intext: search_term Find search term in the text body of a document.

Allintext: search_term1 search_term2 search_term3 Find multiple search terms in the text body of a

document. Examples:

Intext: Administrator login

Allintext: Administrator login


21/157



22/157


Advanced Operators: Cache: Cache: URL

Find the old version of Website in Google cache

Sometimes, even the site has already been updated, the

old information might be found in cache Examples:

Cache: www.gosecure.com


23/157



24/157


Advanced Operators ..

Conduct a number range search by specifying twonumbers, separated by two periods, with no spaces. Besure to specify a unit of measure or some other indicatorof what the number range represents

Examples:

Computer $500..1000

DVD player $250..350


25/157



26/157


Advanced Operators: Daterange: Daterange: -

Find the Web pages between start date and end date

Note: start_date and end date use the Julian date

The Julian date is calculated by the number of dayssince January 1, 4713 BC. For example, the Juliandate for August 1, 2001 is 2452122

Examples:

2004.07.10=24531962004.08.10=2453258

Vulnerabilities date range: 2453196-2453258


27/157



28/157


Advanced Operators Link: Link: URL Find the Web pages having a link to the specified URL

Related: URL

Find the Web pages that are similar to the specified Web page

info: URL Present some information that Google has about that Web page

Define: search_term

Provide a definition of the words gathered from various onlinesources

Examples:

Link: gosecure.ca

Related: gosecure.ca

Info: gosecure.ca


29/157



30/157

03/07/2007GoSecure Inc. 29


31/157



32/157



33/157


Advanced Operators phonebook: Phonebook Search the entire Google phonebook rphonebook

Search residential listings only

bphonebook Search business listings only Examples:

Phonebook: robert las vegas (robert in Las Vegas)

Phonebook: (702) 944-2001 (reverse search, not always work)The phonebook is quite limited to U.S.A


34/157



35/157



36/157


Google, Friend or Enemy? Google is everyones best friend (yours or hackers) Information gathering and vulnerability identification

are the tasks in the first phase of a typical hackingscenario

Passitive, stealth and huge data collection Google can do more than search Have you used Google to audit your organization

today?


37/157


What can Google can do for a hacker? Search sensitive information like payroll, SIN, eventhe personal email box

Vulnerabilities scanner

Transparent proxy


38/157


Salary Salary filetype: xls site: edu


39/157



40/157


Security social insurance numberIntitle: Payroll intext: ssn filetype: xls site: edu


41/157



42/157


Security Social Insurance Number Payroll intext: Employee intext: ssn iletype: xls


43/157



44/157


Financial Information Filetype: xls checking account credit card -intext: Application -intext: Form (only 39 results)


45/157



46/157


Financial Information Intitle: Index of finances.xls (9)


47/157



48/157


Personal Mailbox Intitle: Index.of inurl: Inbox (456) (mit mailbox)


49/157



50/157


Personal Mailbox After several clicks , got the private emailmessages


51/157



52/157


Personal Mailbox Intitle: Index.of inurl: Inbox (inurl: User ORinurl: Mail) (220)


53/157



54/157


Confidential Files not for distribution confidential (1,760)


55/157



56/157


Confidential Files not for distribution confidential filetype: pdf(marketing info) (456)


57/157



58/157


OS Detection Use the keywords of the default installation page

of a Web server to search.

Use the title to search

Use the footer in a directory index page


59/157


OS Detection-Windows Microsoft-IIS/5.0 server at


60/157



61/157


OS Detection - Windows Default web page? Intitle: Welcome to Windows 2000 Internet Services


62/157



63/157


OS Detection Apache 1.3.11-1.3.26 Intitle: Test.Page.for.Apache seeing.this.instead


64/157



65/157


OS Detection-Apache SSL enable Intitle: Test.page SSL/TLS-aware (127)


66/157



67/157


Search Passwords Search the well known password filenames in URL

Search the database connection files orconfiguration files to find a password and username

Search specific username file for a specific product


68/157


Search Passwords Inurl: etc inurl: passwd


69/157



70/157



71/157


Search Passwords Intitle: Index of..etc passwd


72/157



73/157


Search Passwords "# -FrontPage-" inurl: service.pwd (then crack it)


74/157



75/157


Search Passwords Inurl: admin.pwd filetype: pwd


76/157


75


77/157


76

Search Passwords Filetype: inc dbconn


78/157


77


79/157


78

Search Passwords Filetype: inc intext: mysql_connect


80/157


79


81/157


80

Search Passwords Filetype: ini +ws_ftp +pwd (get the encrypted

passwords)


82/157


81


83/157


82

Search Passwords Filetype: log inurl: password.log


84/157


83


85/157


84

Search Username +intext: "webalizer" +intext: Total Usernames +intext:

Usage Statistics for


86/157


85


87/157


86

License Key Filetype: lic lic intext: key (33) (license key)


88/157


87


89/157


88

Cookies Syntax Filetype: inc inc intext: setcookie -cvs -examples -

sourceforge -site: php.net (120) (cookie schema)


90/157


89


91/157


90

Sensitive Directories Listing Powerful buzz word: Index of

Search the well known vulnerable directories names


92/157


91

Sensitive Directories Listing index of cgi-bin (3590)


93/157


92


94/157


93

Sensitive Directories Listing Intitle: Index of cfide (coldfusion directory)


95/157


94


96/157


95

Sensitive Directories Listing Intitle: index.of.winnt


97/157


96


98/157


97

Sensitive Directories Listing Intitle: index of iissamples (dangeous iissamples)

(32)


99/157


98


100/157


99

Sensitive Directories Listing Inurl: iissamples (1080)


101/157


100


102/157


101

Database Manipulation Different database applications leave different signatures

on the database files


103/157


102

Database Manipulation Welcome to phpMyAdmin AND Create new

database -intext: No Priviledge (find a page thatmight have privilege to update mysql)


104/157


103


105/157


104

Database Manipulation Welcome to phpMyAdmin AND Create new

database (after several hits, we got this)


106/157


105


107/157


106

Database Manipulation Select a database to view intitle: filemaker

pro (94) Filemaker


108/157


107


109/157


108

Database Manipulation After several clicks and you can query the table


110/157


109


111/157


110

Database Manipulation # Dumping data for table (username|user|users|

password) -site: mysql.com cvs (289) (backup dataof mysqldump)


112/157


111


113/157


112


password) site: mysql.com -cvs


114/157


113


115/157


114


password) -site: mysql.com cvs


116/157


115


117/157


116

Sensitive System Information Network security reports have lists of vulnerabilities for

your system

Configuration files often contain the applicationparameters inventory


118/157


117

Network Security Report (ISS) Network Host Assessment Report Internet

Scanner (iss report) (13)


119/157


118


120/157


119

Network Security Report (ISS) Host Vulnerability Summary Report (ISS report) (25)


121/157


120


122/157


121

Network Security Report (nessus) This file was generated by Nessus || intitle:Nessus

Scan Report -site:nessus.org (185)


123/157


122


124/157


123

Network Scanner Report (Snort) SnortSnarf alert page (15,500)


125/157


124


126/157


125

Network Security Report (Snort) Intitle: Analysis Console for Intrusion Databases

+intext:by Roman Danyliw inurl:acid/acid_main.php (13 results, acid alert database)


127/157


126


128/157


127

Configuration Files (robots.txt)

(inurl: robot.txt | inurl: robots.txt) intext:disallowfiletype:txt

Robots.txt means to protect you privacy from crawlers

But allows you to determine the file system architecture


129/157


128


130/157


129

A vulnerable targets scanning example

Get the new vulnerabilities from advisory

Find the signature from vendor Website

Google search to find the targets

Perform further malicious actions


131/157


130

An advisory looks like


132/157


131


133/157


132

Vendor Website Information


134/157


133


135/157


134

Google search

Inurl: smartguestbook.asp


136/157


135


137/157


136

The victims Website


138/157


137


139/157


138

Download the database Game over


140/157


139


141/157


140

Transparent Proxy

Normal surfing on www.myip.nu


142/157


141


143/157


142

Transparent Proxy

When we use Google translation tool to surfwww.myip.nu


144/157


143


145/157


144

Google Automated Scanning

Google doesnt like the idea about automating Googlescan. They issue a free licence limited to 1000 queries/day to Google

Gooscan

Gooscan is a UNIX (Linux/BSD/Mac OS X) tool thatautomates queries against Google search appliances,which helps to do the external vulnerability assessment.For more information about this tool, including theethical implications of its use. See: http://

johnny.ihackstuff.com
http://johnny.ihackstuff.com/http://johnny.ihackstuff.com/http://johnny.ihackstuff.com/http://johnny.ihackstuff.com/http://johnny.ihackstuff.com/http://johnny.ihackstuff.com/


146/157


145

Google Automated Tools

SiteDigger

SiteDigger searches Googles cache to look forvulnerabilities, errors, configuration issues, proprietaryinformation, and interesting security nuggets on Web

sites. See: http://www.foundstone.com
http://www.foundstone.com/http://www.foundstone.com/


147/157


146


148/157


147

Google Automated Tools

Athena

Another Google query tool. It supports an open XMLconfiguration format to support multiple search engines(not just Google)


149/157


148


150/157


149

Google Materials

Googledorks The famous Google Hack Website, it has many different

examples of unbelievable things: http://johnny.ihackstuff.com.
http://johnny.ihackstuff.com/http://johnny.ihackstuff.com/http://johnny.ihackstuff.com/http://johnny.ihackstuff.com/


151/157


150


152/157


151


153/157


Google Materials

Freshgoo

Search Google for the page published on today, yesterday,within the last seven days or last 30 days:http://www.freshgoo.com/index.php
http://www.freshgoo.com/index.phphttp://www.freshgoo.com/index.phphttp://www.freshgoo.com/index.phphttp://www.freshgoo.com/index.php


154/157



155/157


Protect Your Data

Keep patching your systems and applications Keep your sensitive data off the Web apply authentication

(RSA, Clienless VPN)

Disable directory browsing

Google hack your Website

Consider removing your site from Google's index:

http://www.google.com/remove.html.

Use a robots.txt file to against Web crawlers:

http://www.robotstxt.org.
http://www.robotstxt.org/http://www.google.com/remove.htmlhttp://www.robotstxt.org/http://www.robotstxt.org/http://www.google.com/remove.htmlhttp://www.google.com/remove.html


156/157


Google APIS:

www.google.com/apisRemove:http://www.google.com/remove.htmlGoogledorks:http://johnny.ihackstuff.com/

Oreilly Google Hack:http://www.oreilly.com/catalog/googlehks/Google Hack Presentation, Jonhnny Long:http://johnny.ihackstuff.com/modules.php?op=modload&name=ownloads&file=index&req=viewdownload&cid=1

Autism: Using google to hack:www.smart-dev.com/texts/google.txtGoogle: Net Hacker Tool du Jour:htt ://www.wired.com/news/infostructure/0 1377 57897 00.html
http://www.wired.com/news/infostructure/0,1377,57897,00.htmlhttp://www.smart-dev.com/texts/google.txthttp://johnny.ihackstuff.com/modules.php?op=modload&name=Downloads&file=index&req=viewdownload&cid=1http://johnny.ihackstuff.com/modules.php?op=modload&name=Downloads&file=index&req=viewdownload&cid=1http://www.oreilly.com/catalog/googlehks/http://johnny.ihackstuff.com/http://www.google.com/remove.htmlhttp://www.google.com/apishttp://www.wired.com/news/infostructure/0,1377,57897,00.htmlhttp://www.wired.com/news/infostructure/0,1377,57897,00.htmlhttp://www.smart-dev.com/texts/google.txthttp://www.smart-dev.com/texts/google.txthttp://johnny.ihackstuff.com/modules.php?op=modload&name=Downloads&file=index&req=viewdownload&cid=1http://johnny.ihackstuff.com/modules.php?op=modload&name=Downloads&file=index&req=viewdownload&cid=1http://johnny.ihackstuff.com/modules.php?op=modload&name=Downloads&file=index&req=viewdownload&cid=1http://johnny.ihackstuff.com/modules.php?op=modload&name=Downloads&file=index&req=viewdownload&cid=1http://www.oreilly.com/catalog/googlehks/http://www.oreilly.com/catalog/googlehks/http://johnny.ihackstuff.com/http://johnny.ihackstuff.com/http://www.google.com/remove.htmlhttp://www.google.com/remove.htmlhttp://www.google.com/apishttp://www.google.com/apis


157/157

Contact Information:

Robert [email protected]

407 McGill, suite 900Montral, Qubec, CanadaH2Y 2G2

514-287-7427

pct1-30 - google hacks

Documents