Google Hacking

http://home.ubalt.edu/abento/753/footscan/googlehacking.html


This is an introduction to the use of the Google search tools for obtaining information about organizations, servers, vulnerabilities, usernames, encrypted and clear-text passwords, etc. There are books (1,2) published on this topic, so this is only a brief overview of these tools and techniques.


  1. Google basic search techniques

    The main on-line references are The Google Hacker's Guide (pages 1-13) by Johnny Long and, of course, Google's own pages on basic search and operators.

    • Google assumes that two or more words entered are in an AND relationship, but excludes from the search common words like the, how, where. To force one of these common words to be included in the search, add a + in front of it, e.g. to include how in "how nice of you" use +how nice of you. Conversely, to exclude a term put a - in front of it, e.g. how -nice of you would exclude nice.

    • phrase searches should use double-quotes surrounding the phrase, e.g. "how nice of you." You can use mixed searches combining words with phrases, e.g. George "how nice of you."

    • Google operators allow powerful searches and use the format operator:search. The following table summarizes these operators.

      Operator    Description                                    Argument
      site:       search in a specific site                      yes
      filetype:   search for specific document type              yes
      link:       search for pages with link                     no
      cache:      search cached version of a page                no
      intitle:    search term in page title                      no
      inurl:      search term in page URL                        no
      intext:     search term in page content - regular search   no

      Most of these operators are straightforward, but a few require additional explanations, as follows.

    • Google keeps a list of filetypes it can search at http://www.google.com/help/faq_filetypes.html, summarized below:
      • Adobe Portable Document Format (pdf)
      • Adobe PostScript (ps)
      • Lotus 1-2-3 (wk1, wk2, wk3, wk4, wk5, wki, wks, wku)
      • Lotus WordPro (lwp)
      • MacWrite (mw)
      • Microsoft Excel (xls)
      • Microsoft PowerPoint (ppt)
      • Microsoft Word (doc)
      • Microsoft Works (wks, wps, wdb)
      • Microsoft Write (wri)
      • Rich Text Format (rtf)
      • Shockwave Flash (swf)
      • Text (ans, txt)
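    To make the syntax in this section concrete, here is a small parser that splits a Google query into the pieces described above: implicitly AND-ed words, dropped common words, +forced and -excluded terms, "quoted phrases" and operator:argument pairs. It is an added example written for this page, not code from Johnny Long's guide or from Google; the operator list comes from the table above, and the stop-word list is limited to the three words the text names (the, how, where), which is an assumption about which words Google drops.

```python
import re
from dataclasses import dataclass, field

# Operators from the table above; an "operator:argument" token is only treated as
# an operator when the name is one of these.
OPERATORS = {"site", "filetype", "link", "cache", "intitle", "inurl", "intext"}

# Common words Google drops unless forced with "+" (only the ones the page names;
# Google's real list is longer, this is an assumption for the example).
STOP_WORDS = {"the", "how", "where"}

# A token is either an optional prefix glued to a "quoted phrase" (so that
# intitle:"Welcome to IIS 4.0" stays one token) or a run of non-blank characters.
TOKEN_RE = re.compile(r'\S*"[^"]*"|\S+')


@dataclass
class ParsedQuery:
    terms: list = field(default_factory=list)      # plain words, implicitly AND-ed
    forced: list = field(default_factory=list)     # +word: stop words forced into the search
    excluded: list = field(default_factory=list)   # -word: terms that must not appear
    phrases: list = field(default_factory=list)    # "quoted phrases", matched verbatim
    operators: list = field(default_factory=list)  # (operator, argument) pairs
    dropped: list = field(default_factory=list)    # stop words Google would ignore


def parse_query(query: str) -> ParsedQuery:
    """Split a Google query string into the parts described in section 1."""
    q = ParsedQuery()
    for tok in TOKEN_RE.findall(query):
        if tok.startswith('"') and tok.endswith('"') and len(tok) >= 2:
            q.phrases.append(tok[1:-1])
        elif tok.startswith("+") and len(tok) > 1:
            q.forced.append(tok[1:].strip('"'))
        elif tok.startswith("-") and len(tok) > 1:
            q.excluded.append(tok[1:].strip('"'))
        else:
            name, sep, arg = tok.partition(":")
            if sep and name.lower() in OPERATORS and arg:
                # Quotes around an operator argument are delimiters, not content.
                q.operators.append((name.lower(), arg.strip('"')))
            elif tok.lower() in STOP_WORDS:
                q.dropped.append(tok)
            else:
                q.terms.append(tok)
    return q


if __name__ == "__main__":
    # The page's own examples, run through the parser.
    for example in ('George "how nice of you."', "+how nice of you", "how -nice of you",
                    'intitle:"Welcome to IIS 4.0"', "filetype:properties inurl:db intext:password"):
        print(example, "->", parse_query(example))
```

Seeing a query broken into these parts makes it easier to read the examples in the next section: every one of them is just a combination of phrases, plain words and operator:argument pairs.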

  2. Google hacking techniques

    The main on-line reference continues to be The Google Hacker's Guide (pages 14-26) by Johnny Long. Johnny also maintains the Google Hacking Database (GHDB) with known uses of Google search for hacking. Note: the examples selected below follow the textbook for easy reference by the students.

    • Exploring title messages from servers, e.g. intitle:"Welcome to IIS 4.0". You can see the results here. This is a list of servers running whatever the message names, in this case IIS 4.0.

    • Exploring server messages in the URL, e.g. "VNC Desktop" inurl:5800. You can see the results here. This is a list of servers running VNC on port 5800 (we will study VNC as remote control software and its vulnerabilities later in the course).

    • Exploring filetype to find servers with FrontPage vulnerabilities, e.g. filetype:pwd service. Note that pwd is not one of the types listed above, but Google still looks for service.pwd, and you can see the results here. This is a list of usernames and encrypted passwords. As we will study later in the course, a hacker can use John the Ripper to crack the passwords by brute force. The damage here is defacing a Web site, but users tend to reuse usernames and passwords elsewhere.

    • Exploring filetype and inurl to find password files on servers, e.g. filetype:bak inurl:"htaccess|passwd|shadow|htusers", and you can see the results here. This is a list of usernames and encrypted passwords for logging in to servers. The damage here can be devastating if the root password is available, as in one case it is. We will discuss UNIX/Linux vulnerabilities, the use of shadow passwords, etc., later in the course.

    • Exploring filetype, inurl and intext to find DB passwords, e.g. filetype:properties inurl:db intext:password, and you can see the results here. This is a list of files containing database usernames and passwords. Once more you can see the root password, and in one case it is blank!?!?

    • Exploring security vulnerability scanners' output, not even using operators, e.g. "This file was generated by Nessus", and see the results here. This is a list of vulnerability reports generated by the Nessus scanner that were not deleted from the servers after it was run. The hacker has the vulnerabilities identified for him/her ...

    The above examples only touch a small number of the cases collected by Johnny Long in the Google Hacking Database (GHDB). There are 1387 entries in the database organized in 14 categories.
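    The practical lesson of these examples for an administrator is that anything left in a web root gets indexed. The following added example (written for this page; it is not from the GHDB or from Johnny Long) turns the five queries above into local checks and walks a web root looking for the same files, without sending anything to Google. The directory layout and file contents are constructed here for the demonstration, the rule names are made up, and the assumption is that the path under the web root is what would appear in the URL.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional

# Each rule mirrors one of the queries in section 2: a filename test, sometimes
# combined with a content test, applied to files under the web root.
NESSUS_MARKER = "This file was generated by Nessus"
BACKUP_SECRETS = ("htaccess", "passwd", "shadow", "htusers")
# key=value or key: value lines whose key contains "password"; group 1 is the value.
PASSWORD_KEY_RE = re.compile(r"^[ \t]*[\w.]*password[\w.]*[ \t]*[=:][ \t]*(\S*)", re.I | re.M)


def classify(rel: str, text: str) -> Optional[str]:
    """Return the rule a file matches, or None. `rel` is its path relative to the web root."""
    name = Path(rel).name.lower()
    low = rel.lower()
    if name.endswith(".pwd"):                                            # filetype:pwd service
        return "frontpage-pwd"
    if name.endswith(".bak") and any(s in name for s in BACKUP_SECRETS): # filetype:bak inurl:"htaccess|passwd|shadow|htusers"
        return "backup-of-auth-file"
    if name.endswith(".properties") and "db" in low:                     # filetype:properties inurl:db intext:password
        m = PASSWORD_KEY_RE.search(text)
        if m:
            return "db-properties-blank-password" if m.group(1) == "" else "db-properties-password"
    if NESSUS_MARKER in text:                                            # "This file was generated by Nessus"
        return "nessus-report"
    return None


def audit_webroot(root: Path) -> list:
    """Walk the web root and return (relative path, rule) for every file a rule matches."""
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        try:
            text = p.read_text(errors="replace")
        except OSError:
            continue
        rule = classify(rel, text)
        if rule:
            findings.append((rel, rule))
    return findings


# Constructed sample web root: one benign page plus one file per query above.
# The hash in service.pwd is a placeholder, not a real credential.
SAMPLE_FILES = {
    "index.html": "<html><body>Welcome</body></html>",
    "_vti_pvt/service.pwd": "# -FrontPage-\nadmin:PLACEHOLDERHASH\n",
    "old/.htaccess.bak": "AuthUserFile /var/www/.htpasswd\n",
    "conf/db.properties": "db.user=root\ndb.password=\n",
    "scans/report.html": "<html>" + NESSUS_MARKER + "</html>",
}


def build_sample_webroot() -> Path:
    """Create the constructed sample tree in a temporary directory and return its root."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    for rel, content in SAMPLE_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return root


if __name__ == "__main__":
    for rel, rule in audit_webroot(build_sample_webroot()):
        print(f"{rule:30s} {rel}")
```

Pointing audit_webroot at a real document root before the site goes live catches exactly the leftovers the queries above find: scanner reports, editor backups of authentication files and configuration files with credentials; blank database passwords are reported separately because the page singles them out.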

This tutorial also does not cover automated tools for Google hacking, although they exist for Windows and Linux/UNIX. Note that Google requires prior authorization before you use any automated tool for this purpose.
