Google Hacking
Elena Galván, esCERT
SSI
Companies, organizations, products and opinions use websites to make themselves known.
One way of achieving that is to make search engines find you.
Search engine robots scan websites and classify them in rankings.
The most widely used web search engine: more than 80% of users
Founded in 1998
More than 20.000 servers all over the world
More than 8.000.000.000 URLs stored
Services
Search engine
News
E-mail
Pictures
Maps
Shared documents
Blogs
Bulletin boards
Spreadsheets
Publicity
Based on
PageRank
Page is the last name of the algorithm's creator.
Complex mathematical equation with 500 million variables and 3.000 million terms.
Google can also be used by malicious people, who apply advanced search techniques to access unauthorized information.
Brief history
ITWeb article:
While looking for data in Google on a CISCO IOS web server, a Security Focus researcher, Ryan Russell, found a link where he appeared on a U.S. .gov website.
Barry Cribb, from Digital Networks, found that entering a certain search pattern made Google return 38.000 pages with administrator login.
Finding websites using phpBB (PHP bulletin board) with a vulnerable version.
takes you to a site matching the search that has the highest ranking (not necessarily the highest PageRank)
Omits some common words (prepositions, articles)
Case-insensitive
Offers spelling correction or an alternative common spelling of the words being searched
A query with terms in quotes finds pages containing the exact quoted phrase.
Google will search for common words (stop words) included in quotes, which it would otherwise ignore.
USE [ "to be or not to be" ] NOT [ to be or not to be ]
+ Operator
Forces Google to search for a particular term. Used in front of stop words that Google would otherwise ignore.
USE [ jobs in central +LA California ] NOT [ jobs in central LA California ]
- Operator
~ Operator
OR and | Operators
.. Operator
* Operator
Google treats the * as a placeholder for a word or more than one word
cache
Highlights included words within the cached document.
[cache:www.google.com web] will show the cached content with the word "web" highlighted.
link
Lists webpages that have links to the specified webpage.
related
Pages that are "similar" to a specified web page.
[related:www.google.com] will list web pages that are similar to the Google homepage.
info
Information that Google has about that web page.
For instance, [info:www.google.com] will show information about the Google homepage.
define
Provides a definition of the words you enter.
[define:google] Google, a popular search engine, is a tool for finding resources on the World Wide Web.
stocks
Treats the rest of the query terms as stock ticker symbols.
[stocks: intc yhoo] will show information about Intel and Yahoo.
site
allintitle
restrict the results to those with all of the query words in the title
[allintitle: google search] will return only documents that have both "google" and "search" in the title
intitle
allinurl
restrict the results to those with all of the query words in the url.
[allinurl: google search] will return only documents that have both "google" and "search" in the url.
inurl
Same idea as intitle and allintitle
intitle:index of IIS
allintitle: index of IIS
ext: filetype:
Restricts the results to pages whose names end in the given suffix.
[email security filetype:pdf OR filetype:doc ]
Supported extensions:
http://www.google.es/help/faq_filetypes.html#what
group:
Restricts your Google Groups results to newsgroup articles from certain groups or subareas.
id: info:
info:URL will present some information about the corresponding web page.
Restricts articles in Google Groups to those that contain the terms you specify in the subject/text/title.
These searches locate vulnerable servers. These searches are often generated from various security advisory posts, and in many cases are product or version-specific.
Really retarded error messages that say WAY too much!
No usernames or passwords, but interesting stuff nonetheless.
PASSWORDS, for the LOVE OF GOD!!! Google found PASSWORDS!
These files contain usernames, but no passwords... Still, Google finding usernames on a web site...
Examples of queries that can help a hacker gain a foothold into a web server.
These are login pages for various services. Consider them the front door of a website's more sensitive functions.
These pages contain such things as firewall logs, honey pot logs, network information, IDS logs... all sorts of fun stuff!
Google's collection of web sites sharing sensitive directories. The files contained in here will vary from sensitive to uber-secret!
Examples of queries that can reveal online shopping info like customer data, suppliers, orders, credit card numbers, credit card info, etc.
This category contains things like printers, video cameras, and all sorts of cool things found on the web with Google.
HUNDREDS of vulnerable files that Google can find on websites.
These searches reveal servers with specific vulnerabilities. These are found in a different way than the searches found in the "Vulnerable Files" section.
These links demonstrate Google's awesome ability to profile web servers.
filetype:bak inurl:index.html
filetype:bak inurl:htacces|passwd|shadow|htusers
filetype:sql (passwd values **** | password values **** | pass values ****)
filetype:mdb inurl:account|users|administrators|admin|passwd|password
filetype:bak login.php
filetype:old login.php
inurl:temp | inurl:tmp | inurl:backup | inurl:bak | inurl:old
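The queries above work because backup copies and scratch directories are left inside the published document root. The following added example (not part of the original slides) lets a site owner find such leftovers on their own server before a crawler indexes them; the extension and directory lists are taken from the queries above, and the sample tree is constructed.

```python
import tempfile
from pathlib import Path

# File extensions and directory names named in the queries above.
LEFTOVER_EXT = {".bak", ".old", ".sql", ".mdb"}
LEFTOVER_DIRS = {"temp", "tmp", "backup", "bak", "old"}


def find_leftovers(docroot):
    """Return sorted paths (relative to docroot) of leftover files and directories."""
    root = Path(docroot)
    hits = []
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_dir() and p.name.lower() in LEFTOVER_DIRS:
            hits.append(rel + "/")          # trailing slash marks a directory
        elif p.is_file() and p.suffix.lower() in LEFTOVER_EXT:
            hits.append(rel)                # e.g. login.php.old, dump.sql
    return sorted(hits)


def demo():
    """Build a constructed document root in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name in ("index.html", "index.html.bak", "login.php.old",
                     "backup/dump.sql", "css/site.css"):
            f = root / name
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text("constructed sample\n")
        return find_leftovers(root)


if __name__ == "__main__":
    for path in demo():
        print(path)
```

Anything reported should be moved out of the document root or deleted, since a crawler can reach whatever the web server will serve.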
Reveal Windows 2000 Internet Information Server with default home page
intitle: Welcome to Windows 2000 Internet Services
Intitle:Test Page for Apache
Yields Nessus scan reports. Even if some of the vulnerabilities have been fixed, we can still gather valuable information about the network/hosts.
Nagios (network monitoring program) status page. See what ports are being monitored as well as IP addresses. Be sure to check the Google cached page first.
Status screen for the Solwise ADSL modem. Information available from this page includes IP addresses, MAC addresses, subnet mask and firmware version of the modem. Attackers can use this information to formulate an attack.
MRTG traffic analysis pages. This page lists information about machines on the network, including CPU load, traffic statistics, etc. This information can be useful in mapping out a network.
inurl:status.cgi?host=all -cvs
Default configurations
Test files never removed
Hidden URLs badly protected
Use meta tags
Noarchive: don't store in Google cache
<meta name="GOOGLEBOT" content="NOARCHIVE" />
Use robots.txt
Disallow: directories not to be scanned by GoogleBot
BUT... [filetype:txt inurl:robots.txt] shows exactly what you don't want to be shown
http://www.whitehouse.gov/robots.txt
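The two controls above can be checked on your own site, as in this added example (not part of the original slides): it flags Disallow entries that advertise a sensitive-looking path in a public robots.txt and tests whether a page carries the NOARCHIVE meta tag. The SENSITIVE word list and both sample inputs are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumption: name fragments a site owner would not want to advertise.
SENSITIVE = {"admin", "backup", "bak", "tmp", "temp", "old", "private", "logs"}


def revealing_disallows(robots_txt):
    """Return Disallow paths whose segments name a sensitive-looking location."""
    hits = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        field, _, value = line.partition(":")
        if field.strip().lower() != "disallow":
            continue
        path = value.strip()
        if SENSITIVE & set(re.split(r"[/._-]+", path.lower())):
            hits.append(path)
    return hits


class _RobotsMeta(HTMLParser):
    """Collect directives from <meta name="robots"|"googlebot" content="...">."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() in ("robots", "googlebot"):
            self.directives |= {d.strip().lower() for d in a.get("content", "").split(",")}


def has_noarchive(html):
    """True if the page asks crawlers not to keep a cached copy."""
    parser = _RobotsMeta()
    parser.feed(html)
    return "noarchive" in parser.directives


# Constructed sample inputs (not taken from any real site).
SAMPLE_ROBOTS = """User-agent: *
Disallow: /images/
Disallow: /admin/        # staff only
Disallow: /backup/db-old/
Disallow: /news/archive.html
"""
SAMPLE_PAGE = '<html><head><meta name="GOOGLEBOT" content="NOARCHIVE" /></head></html>'

if __name__ == "__main__":
    print(revealing_disallows(SAMPLE_ROBOTS))
    print(has_noarchive(SAMPLE_PAGE))
```

A flagged path needs access control on the server, because robots.txt is readable by anyone and only asks well-behaved crawlers to stay away.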
Reference
Google Hacking