Author: entr0py
Date: 07.06.2007
Feedback: entr0py [AT] hush [DOT] ai
IRC: irc.2600.net #securitybay

Introduction

Google is one of the most popular web search engines in cyberspace. It is an extremely powerful as well as persuasive search engine, because it can easily be abused by inputting carefully delineated search queries. This flaw, or I could say boon, has helped attackers to acquire top-secret information that cannot be obtained with normal search queries. Anyway, in this tutorial I am going to elaborate on various segments of Google. They are as follows:

- Basic Google Search Operators
- Advanced Search Operators
- Malicious Search Queries
- Vulnerability Assessment via Google
- Best Practices
Basic Google Search Operators

As I mentioned earlier, Google has the ability to display confidential information. However, for that, you need to know the basic search queries. Therefore, I am going to demystify the basic search operators.

Quote usage: If you wrap your search query in quotes, the results are confined to that exact phrase. For example, suppose you want to search for NT exploits. Wrap the query in quotes in order to narrow down the results. Example:

"NT Exploits"

intext: The intext operator forces Google to search for the query in the website's text content. This operator overlooks URLs and titles; instead, it focuses completely on the text content. Example:

intext:"Netcat Readme"

"allintext" is a variant of the "intext" operator. The allintext operator returns links in which the complete query is present. Example:

allintext:"Format String Bugs"

inurl: The inurl operator compels Google to search for the query in the website's URL. This operator ignores text and titles; instead, it focuses entirely on the URL. Example:

inurl:"index.php?page=security_resources.html"

"allinurl" is a variant of the "inurl" operator. The allinurl operator returns URLs in which the complete query is present. Example:

allinurl:"index.php?p=elf_format.html"

intitle: The intitle operator obligates Google to search for the query in the website's title. This operator neglects URLs and text content; instead, it concentrates entirely on the title. Example:

intitle:"Kernel Development"

"allintitle" is a variant of the "intitle" operator. The allintitle operator returns links in which the complete query is present. Example:

allintitle:"Understanding the Linux Kernel"

site: The site operator forces Google to return results for the keywords from a specific website only. Example:

"Remote Desktop" site:www.rest0re.org

cache: The cache operator forces Google to display its cached copy of a website. This means that this operator will compel Google to provide links from its cache database. This operator is extremely useful during reconnaissance operations. Let me give you a quick example:

cache:www.microsoft.com

info: The info operator will tell Google to provide you with information about a particular website. Let me show you an example:

info:www.linux.org

related: The related operator will compel Google to provide you with websites related to a specific website. Let me give you a quick sample:

related:www.freebsd.org

link: The link operator will compel Google to display websites that link to the specified URL. This operator is helpful when building an affiliation map. Example:

link:www.the-c0re.org

filetype: The filetype operator forces Google to show documents with the specified extension, or I could say file type. This operator will help you in finding source code or whitepapers. Example:

filetype:pdf site:www.infosecwriters.com
Advanced Search Operators

Until now, I have explained almost all the basic Google operators utilized by attackers to gain confidential information. In this section, I am going to explain various other operators used to obtain secret information.

phonebook: The phonebook operator is one of the most effective dorks used by reconnaissance operators to gather personal information about a specific person. Let me show you a quick example:

phonebook:Robert IL

Note: This operator will only show you US street addresses and phone numbers.

There are several variants of the above operator. Let me list them along with examples:

- bphonebook: The bphonebook operator will show information about a certain business. Let me show a quick example:

  bphonebook:UV Research and Development IL

- rphonebook: The rphonebook operator will show residential information for the specified person.

  rphonebook:Lanny IL

define: The define operator will command Google to display websites that contain a definition of the specified word.

define:entropy

safesearch: The safesearch operator will instruct Google to ignore spam, adult sites, malicious links, and advertisement portals.

safesearch:XXX

movie: The movie operator will compel Google to display reviews and show times for the specified keyword.

movie:Gone with the Wind

weather: The weather operator will instruct Google to list the current weather status of a particular location. Example:

weather Illinois

store: The store operator forces Google to provide information from its Froogle segment. Example:

R60 store:IBM
Obtaining Passwords via Google

Until now, I have elucidated all the popular Google operators or syntaxes. In this section, I will be elaborating on some malicious queries which bring out a lot of confidential information.

allinurl:"auth_user_file.txt": This query compels Google to display the authenticated user file of a DC Forum administrator. You need an efficient password cracker like JTR (John the Ripper), because the authentication details are usually enciphered.

allinurl:passwd.txt: This query will show you the actual passwd file of the website. This file contains the passwords of all the users of the site. Generally, the user details are enciphered; hence, acquaint yourself with all the popular as well as efficient password crackers.

allinurl:service.pwd: This query will list all the FrontPage service passwords. However, they are usually encrypted with the DES encryption algorithm. Therefore, you need to be armed with a DES cracker.

allinurl:passlist.txt: This query lists all the passwords utilized within a website.

"http://*:*@www.anydomain.com": This is one of the most famous dorks used by attackers, because by using this dork one can obtain member details that include usernames and passwords. This is mostly used to crack e-mail passwords.

.pwd.index: There is a whole list of dorks associated with this syntax. Let me list them:

- administrators.pwd.index
- authors.pwd.index
- service.pwd.index

allinurl:WWWBoard/passwd.txt: This dork will list all the websites that deploy a vulnerable WWWBoard. This dork is also called the "script kiddie's best dork/friend".

allinurl:.htpasswd: .htpasswd stores all kinds of passwords persisting on an Apache httpd server. This search query will reveal the .htpasswd file!
Index Browsing via Google

Google gives you a chance to list the contents of index directories. One can easily gain top-secret data by browsing through the index directories. So, let me list all the dorks that can provide you with interesting things:

"Index of /admin" OR "Index of /administrator"
> This will list all the sensitive information within the administrator directory.

"Index of /password" OR "Index of /passwords"
> This will list the password files. Well, some of them might be encrypted; therefore, you must arm yourself with a powerful password cracker.

"Index of /passwd"

"Index of /" +password.txt

"Index of /" +.htaccess
> This will list the directory containing .htaccess (the configuration file of Apache).

"Index of/Root"

"Index of" .bash_history
> This will provide you with the history of all the commands executed by a terminal shell. This sometimes provides sensitive information.

"Index of" pwd.db
> The password database of a website.

"Index of" etc/passwd OR "Index of" etc/shadow
> The UNIX password directory. The former contains plaintext passwords and the latter contains shadowed passwords.

"Index of" spwd

"Index of" master.passwd

"Index of" htpasswd

"Index of" config.php
> The configuration file of a website.

Credits go to Debasis Mohanty for some dorks.
Vulnerability Assessment via Google

Google gives you a chance to assess the vulnerability status of a particular website. This has popularized Google among the so-called "White Hats". Anyway, let me list several valuable techniques to assess the vulnerability status.

Gaining information about the website or server: One can easily gain a lot of information about a website and a web server. This can be done by properly utilizing Google. The common Google dorks used for site and server crawling:

- site:www.anysite.com
- site:anysite.com -site:www.anysite.com

Utilizing index directories to acquire information: One can obtain a lot of information by utilizing index directories. Read the section Index Browsing via Google for more information. Do use the following dorks:

- "Index of /" +server
- "Index of /" +Apache/"

Default pages: The default installation page provides significant information about the website or the web server. Some dorks associated with this:

Apache:

- Intitle:Test.Page.for.Apache It.worked! this.web.site
- Intitle:Test.Page.for.Apache seeing.this.instead
- Intitle:Simple.page.for.Apache Apache.Hook.Functions
- Intitle:test.page "Hey, it worked !" "SSL/TLS-aware"

Microsoft IIS:

- allintitle:Welcome to Windows 2000 Internet Services
- allintitle:Welcome to Windows XP Server Internet Services
- intitle:welcome.to intitle:internet IIS

I would like to credit Johnny Long from Ihackstuff for the above information.
Port scanning via Google: One can port scan a web server by means of Google. Knowledge of ports and their services is a necessity. Anyway, here is the dork:

inurl:":Port Number" intext:"Port Service"

Using vulnerable inputs to assess vulnerability: I am going to list several vulnerable inputs that help in assessing known web application vulnerabilities like CRLF injection, CSRF, XSS, SQL injection, password disclosure etc. Each of them is searched for with the allinurl: operator:

- privmsg.php
- init.inc.php
- libpath=".php"
- module_root_path=".php"
- classes_dir
- inc_dir
- rf=
- returnpath=
- auth.php
- cart_isp_root
- BASE_path=
- class_path
- common.php?root_dir=
- redirect.cgi
- cvsweb.cgi
- login.jsp
- dbconnect.inc
- admin
- htgrep
- wais.pl
- amadmin.pl
- subscribe.pl
- news.cgi
- auctionweaver.pl
- acid_main.php
- access.log
- log.htm
- log.html
- log.txt
- logfile
- logfile.htm
- logfile.html
- logfile.txt
- logger.html
- stat.htm
- stats.htm
- stats.html
- stats.txt
- webaccess.htm
- wwwstats.html
- source.asp
- perl
- mailto.cgi
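From the site owner's side, the queries listed throughout this tutorial leave a trace: when someone clicks a Google result, the browser sends the search-results URL in the Referer header, so the query string lands in the web server's access log. The following is an added example (not part of the original tutorial) that scans combined-format log lines for Google referrers whose q= parameter contains the operators discussed above. The log lines are constructed for illustration, and the pattern list is my assumption drawn from the dorks in the text, not an exhaustive signature set.

```python
"""Flag web-server hits whose Google referrer carries a reconnaissance-style
search query ("dork"). Added example, not from the original tutorial; the log
lines below are constructed and the patterns mirror operators named in the text."""
import re
from urllib.parse import urlparse, parse_qs

# Operators and file names from the tutorial that rarely occur in ordinary
# searches aimed at a single site. Assumed list, extend to taste.
DORK_PATTERNS = [
    r"\b(all)?inurl:",
    r"\b(all)?intitle:",
    r"\b(all)?intext:",
    r"\bfiletype:",
    r"index of /",
    r"\.htpasswd\b",
    r"\bpasswd\b",
    r"\bservice\.pwd\b",
    r"\bpasslist\.txt\b",
]
DORK_RE = re.compile("|".join(DORK_PATTERNS), re.IGNORECASE)

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def search_query_from_referer(referer):
    """Return the typed search string if the referer is a Google results page, else None."""
    if not referer or referer == "-":
        return None
    parsed = urlparse(referer)
    if "google." not in parsed.netloc.lower():
        return None
    # Google carries the query in the "q" parameter of the results URL.
    q = parse_qs(parsed.query).get("q")
    return q[0] if q else None


def find_dork_hits(log_lines):
    """Return (client ip, requested path, search query) for each dork-referred hit."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        query = search_query_from_referer(m.group("referer"))
        if query and DORK_RE.search(query):
            parts = m.group("req").split(" ")
            path = parts[1] if len(parts) > 1 else parts[0]
            hits.append((m.group("ip"), path, query))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Jun/2007:10:01:12 +0000] "GET /admin/ HTTP/1.1" 200 1532 '
    '"http://www.google.com/search?q=%22Index+of+%2Fadmin%22+site%3Aexample.com" "Mozilla/4.0"',
    '203.0.113.9 - - [07/Jun/2007:10:02:40 +0000] "GET /docs/guide.pdf HTTP/1.1" 200 88213 '
    '"http://www.google.com/search?q=example+user+guide" "Mozilla/4.0"',
    '203.0.113.11 - - [07/Jun/2007:10:03:05 +0000] "GET /.htpasswd HTTP/1.1" 403 212 '
    '"http://www.google.com/search?q=allinurl%3A.htpasswd" "Mozilla/4.0"',
    '203.0.113.12 - - [07/Jun/2007:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 4021 '
    '"-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for ip, path, query in find_dork_hits(SAMPLE_LOG):
        print(f"{ip} fetched {path} via search query {query!r}")
```

Only the first and third constructed lines are reported: the second is an ordinary search and the fourth has no referrer at all. A hit like the third one, where a 403 already protected the file, is still worth knowing about, because it shows the file was indexed at some point.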
Best Practices

To avoid the Google menace, one can deploy certain security measures. Well, let me list several practices that might help you in fending off Google attacks, help you in avoiding information disclosure and, obviously, help you in avoiding script kiddie attacks!

Disable directory browsing: This is one of the best ways to avoid critical information disclosure.

Authentication: Require authentication for all sensitive as well as confidential directories and files. This will disable remote directory browsing.

Google removal process: Do a thorough Google dorking of your own website. If you find some of your top-secret files listed in the Google search archive, then quickly inform Google by visiting: www.google.com/remove.html

Google Honeypot: Install the sophisticated Google Honeypot.

Security patches: Install the latest security patches and hot fixes.

CHMOD: CHMOD your directories properly.
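To turn the directory-browsing, authentication and CHMOD advice above into a check you can actually run against your own server, here is an added example (not the tutorial's own tooling) that walks a web root and flags the file names the earlier dorks target, directories that would be listed if the server's automatic indexing is on, and world-writable files. The sample tree it builds is constructed; the name and suffix lists are my assumptions drawn from the dorks in the text.

```python
"""Audit a web root for the kinds of files and listings the tutorial's dorks
find. Added example, not the tutorial's own tooling; the sample tree is constructed."""
import os
import stat
import tempfile

# File names drawn from the dorks in the text (assumed list, extend as needed).
SENSITIVE_NAMES = {
    ".htpasswd", ".htaccess", ".bash_history", "passwd", "passwd.txt",
    "passlist.txt", "service.pwd", "auth_user_file.txt", "pwd.db",
    "master.passwd", "shadow", "config.php", "dbconnect.inc",
}
# Suffixes that usually mark logs, credential stores or editor/backup copies.
SENSITIVE_SUFFIXES = (".pwd", ".pwd.index", ".log", "log.txt", ".bak", "~")
# A directory holding one of these is not listed even when autoindex is on.
INDEX_FILES = {"index.html", "index.htm", "index.php", "index.jsp"}


def audit_webroot(root):
    """Return a sorted list of (kind, path relative to root) findings.

    kinds: 'sensitive-file'  a name the dorks above look for
           'no-index'        a directory a server with automatic indexing would list
           'world-writable'  a file any local user could modify
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel_dir = "" if rel_dir == "." else rel_dir
        if not INDEX_FILES.intersection(filenames):
            findings.append(("no-index", rel_dir or "/"))
        for name in filenames:
            rel = f"{rel_dir}/{name}" if rel_dir else name
            lower = name.lower()
            if lower in SENSITIVE_NAMES or lower.endswith(SENSITIVE_SUFFIXES):
                findings.append(("sensitive-file", rel))
            mode = os.stat(os.path.join(dirpath, name)).st_mode
            if mode & stat.S_IWOTH:
                findings.append(("world-writable", rel))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed web root with typical mistakes; returns its path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    layout = {
        "index.html": "<html>ok</html>",
        "admin/index.php": "<?php ?>",
        "admin/.htpasswd": "admin:$apr1$constructed",        # credential store under the web root
        "backup/config.php.bak": "<?php $db_pass='x'; ?>",  # backup copy served as plain text
        "logs/access.log": "...",                            # log file reachable over HTTP
        "docs/guide.pdf": "%PDF-",                           # harmless public document
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, 0o644)  # fix the mode explicitly so the result does not depend on umask
    os.chmod(os.path.join(root, "logs", "access.log"), 0o666)  # the sloppy CHMOD
    return root


if __name__ == "__main__":
    for kind, path in audit_webroot(build_sample_tree()):
        print(f"{kind:15} {path}")
```

The no-index findings only matter while the server still generates listings; on Apache that is switched off with Options -Indexes in the relevant Directory block, and the stock configuration already refuses to serve .ht* files. The sensitive-file findings are files that should not live under the document root at all, and the world-writable one is the CHMOD point from the list above.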
Conclusion

Well, that is it for now. I hope you liked the tutorial as much as I did writing it. I guess I have managed to explain every single bit about Google. Do write feedback to entr0py [AT] hush [DOT] ai. Before completely ending this tutorial, let me list several informative websites you might want to check:

- http://johnny.ihackstuff.com/ - Johnny's GHDB (Google Hacking Database)
- http://hackingspirits.com - Demystifying Google Hacks
- http://www.smart-dev.com/texts/google.txt
- http://www.wired.com/news/infostructure/0,1377,57897,00.html
- http://www.oreilly.com/catalog/googlehks/
- http://www.google.com/apis