Google Hacking

Overview

Reconnaissance is the act of collecting information about an organization or individual that will help to enable an attack on its computers or network. One of the easiest ways to do reconnaissance on a potential target is to leverage the power of search engines. Search engines can be used to gather information about a target and find potential vulnerabilities anonymously and with little risk, because the queries go to Google, which has already crawled the target's pages, and never touch the target's servers directly. Google hacking has become the most readily available reconnaissance tool for attackers.

Google Dorks

Google is the largest and most capable search engine in the world and therefore a tool of choice for many hackers. Hackers have developed clever forms of advanced Google searches, or queries, that produce targeted and relevant information for an attacker. The searches combine Google search operators in such a way as to reveal interesting information. These types of searches are called Google dorks, or just dorks. To use a dork all you have to do is look one up in the Google Hacking Database (GHDB), place it in the Google search field, and hit enter. At the time of writing the GHDB lived at http://johnny.ihackstuff.com/ghdb/; it has since moved to Exploit-DB (https://www.exploit-db.com/google-hacking-database). Here are some examples of Google queries and the search operators that can be used.

Google Search Directives

  • site: – by restricting results to one domain you obtain targeted results that reveal the breadth of that domain, including its subdomains
    example: site:yahoo.com -site:www.yahoo.com (place that search in Google; the -site: term removes the main www host, so the results that remain expose the various other yahoo subdomains)
  • link:<a website> – this search returned all the websites that link to a specified website, which has the potential to reveal related business customers, associates, suppliers etc. Google retired the link: operator in 2017, so it no longer filters results. example:

    link:www.somewebsite.com

  • intitle:index.of – this search targets web servers with directory indexing turned on (Apache's mod_autoindex titles such pages "Index of /path"): directories that have no landing page but instead reveal a listing of every file in the directory. The footer of the listing usually reveals the web server software and version as well.

    Lab Example 1: intitle:index.of – Type that search into Google to find servers with directory indexing turned on; each result reveals a listing of the files in that directory. You can also target a specific website (site:) and specific text or file names. In the second example below, adding "passwd" may reveal a password file copied out of an /etc directory. The -ftp term excludes results that mention ftp, which are mostly directory listings of public FTP mirrors (which legitimately contain files named passwd) rather than misconfigured servers. See the examples below and a screenshot of an actual resulting page that was found:


    intitle:index.of

    intitle:index.of passwd -ftp

    see the resulting passlist.txt file below:


    You could target a specific website by adding the "site:" directive:
    site:<some website> intitle:index.of passwd -ftp

    Lab Example 2: intitle: – Searching for backdoors. When a hacker compromises a system they frequently leave a backdoor (typically a PHP web shell) for easy use at a later time. Oftentimes hackers use well-known shells whose pages get indexed by Google and are easily discovered on the internet. This is an embarrassing situation if you are the server owner and your server has root access posted on the internet for all to find and see. If you find one of these open backdoors do not access the server: it is illegal to access a server without permission, and you could be blamed for creating the backdoor in the first place. By searching for text that is known to appear on compromised pages, Google can reveal formerly and currently compromised systems. Even a search for a well-known PHP backdoor like "Antichat" revealed 3 open, root-access backdoors to compromised servers. Warning, do not enter compromised systems. Note that the quotes must be straight double quotes; curly quotes pasted from a web page are not treated as phrase delimiters by Google:

    intitle:"Antichat Shell" "disable functions"

    • error | warning – error messages or warning messages can reveal valuable information about programming language configuration and settings, database configurations, file paths, usernames etc.
      example: intitle:error , error | warning
    • login | logon – search for login portals or front doors
    • username | userid | employee.ID | "your username is" – search directly for pages that may reveal usernames or help pages for recovering them
    • admin | administrator | "admin login" – this search attempts to gather results about administrative login portals or other administrative details
    • password | passcode | "your password is" – another variation that can reveal how passwords function on a given site, if not the passwords themselves
  • site:<a website> admin | password | username – You can use the above searches in conjunction with "site:" to target a specific site
  • inurl:temp | inurl:tmp | inurl:backup | inurl:bak – this search combined with a site query will return files and folders that have "temp", "tmp", "backup" or "bak" in the URL. example:
    site:<some website.com> inurl:temp | inurl:bak
  • ext:<file type> – restricts results to a given file extension (for example ext:pdf, ext:xls or ext:rdp).

    Lab Example 3: ext:rdp – put that search into Google and you will be surprised by the links that are returned. An .rdp file is a saved Remote Desktop connection file: it contains the address of the host (and often the username and domain), and opening it launches the Remote Desktop client against that host. Try clicking on some of the returned links and you will be prompted with a Remote Desktop login screen for various remote desktops and servers. You may find someone logged in and observable! See my test example below; you can see I was presented with a Server 2003 login in Spanish:


    ext:rdp


  • -ext:<file type> – using a site:<somesite.com> search in conjunction with -ext:<some file type> you can remove specific file types from the results of a query (-ext:html, -ext:php, -ext:asp, -ext:htm). Excluding the ordinary web page types leaves the documents, spreadsheets and other files the site serves; if you still wanted to see .php or .asp results you would simply not exclude those types.
    example: site:yahoo.com -ext:html -ext:htm -ext:shtml (would not return yahoo html pages)
  • filetype: – this search allows you to specify a specific file type that you are searching for; in practice it behaves the same as ext: (filetype:pdf and ext:pdf return the same results)
  • Lab Example 4: A specified text search between quotation marks. I wanted to see if I could find a webpage interface to a database server. One of the most popular database servers is MySQL and the most popular management web interface to MySQL is phpMyAdmin. I tried a test to see if Google could find a phpMyAdmin webpage with root access. I went to the phpMyAdmin download website and examined their demo pages to help identify text specific to a phpMyAdmin landing page with root access. I believe I found one with a Google search of the following two terms: "open new phpmyadmin window" "Create database". In the spirit of ethical hacking, after landing on a phpMyAdmin page with seemingly root access I merely hit the browser back button and did not attempt to create or delete a database. Can you identify other search terms that reveal wide open phpMyAdmin webpages?
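The two kinds of result that Lab Example 1 (intitle:index.of) and Lab Example 3 (ext:rdp) turn up can be triaged without ever connecting to the server, which is the point of the warnings above. The script below is an added example, not code from the original page: it parses an Apache mod_autoindex listing (a constructed sample, with an invented host and invented file names) into file entries, flags the names that the dorks on this page target, and reads the host, username and domain out of a constructed .rdp connection file. The regular expression for listing rows, the sensitivity patterns and the field names are my assumptions about the formats, not anything the page specifies.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample of an Apache mod_autoindex page of the kind that
# "intitle:index.of passwd -ftp" turns up. Host, files and dates are made up.
SAMPLE_INDEX_HTML = """<html><head><title>Index of /backup</title></head><body>
<h1>Index of /backup</h1>
<pre><img src="/icons/blank.gif" alt="Icon "> <a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a> <a href="?C=S;O=A">Size</a><hr>
<img src="/icons/back.gif" alt="[DIR]"> <a href="/">Parent Directory</a>                          -
<img src="/icons/text.gif" alt="[TXT]"> <a href="passwd">passwd</a>                 2009-03-12 10:45  1.2K
<img src="/icons/unknown.gif" alt="[   ]"> <a href="site.sql.bak">site.sql.bak</a>     2009-03-11 22:03  4.5M
<img src="/icons/unknown.gif" alt="[   ]"> <a href="office.rdp">office.rdp</a>         2009-02-01 08:10   612
<img src="/icons/image2.gif" alt="[IMG]"> <a href="logo.png">logo.png</a>             2008-11-20 13:00   14K
<hr></pre>
<address>Apache/2.2.3 (CentOS) Server at files.example.com Port 80</address>
</body></html>
"""

# Constructed .rdp connection file of the kind "ext:rdp" returns; the host,
# user and domain are invented. Lines are name:type:value (s=string, i=int).
SAMPLE_RDP = """screen mode id:i:2
desktopwidth:i:1024
full address:s:ts01.corp.example.com:3389
username:s:CORP\\svc_helpdesk
domain:s:CORP
administrative session:i:1
"""

# One listing row: <a href="name">name</a>  YYYY-MM-DD HH:MM  size
# Sort links (href starting with "?") and "Parent Directory" (no date) are skipped.
ENTRY_RE = re.compile(
    r'<a href="(?P<href>[^"?][^"]*)">(?P<name>[^<]+)</a>\s+'
    r'(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>\S+)'
)


def parse_index_of(html: str) -> Dict[str, object]:
    """Pull the listed directory, the server banner and each file row out of an autoindex page."""
    title = re.search(r"<title>Index of ([^<]+)</title>", html)
    banner = re.search(r"<address>([^<]+)</address>", html)
    entries = [
        {"name": m.group("name").strip(), "mtime": m.group("mtime"), "size": m.group("size")}
        for m in ENTRY_RE.finditer(html)
    ]
    return {
        "directory": title.group(1).strip() if title else None,
        "server": banner.group(1).strip() if banner else None,  # e.g. "Apache/2.2.3 (CentOS) ..."
        "entries": entries,
    }


# File-name patterns matching the dorks on this page (passwd, temp/bak, ext:rdp ...).
# Assumed list; first match wins.
SENSITIVE_PATTERNS: List[Tuple[str, str]] = [
    (r"(^|[./_-])(passwd|shadow|htpasswd|passlist)", "credential file"),
    (r"\.(bak|old|orig|tmp|temp|swp)$", "backup or temp copy"),
    (r"\.sql(\.gz|\.bz2|\.zip)?$", "database dump"),
    (r"\.rdp$", "remote desktop connection file"),
    (r"\.(pem|key|ppk|p12|pfx)$", "private key material"),
    (r"(^|/)(\.env|config\.php|web\.config|wp-config\.php)$", "application config"),
]


def flag_sensitive(names: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (name, reason) for every listed name that matches a sensitive pattern."""
    flagged = []
    for name in names:
        for pattern, reason in SENSITIVE_PATTERNS:
            if re.search(pattern, name, re.IGNORECASE):
                flagged.append((name, reason))
                break
    return flagged


def parse_rdp(text: str) -> Dict[str, object]:
    """Parse name:type:value lines of an .rdp file; integer fields become ints."""
    fields: Dict[str, object] = {}
    for line in text.splitlines():
        parts = line.split(":", 2)  # value may itself contain ':' (host:port)
        if len(parts) != 3:
            continue
        name, ftype, value = parts
        if ftype == "i" and value.strip().lstrip("-").isdigit():
            fields[name.strip()] = int(value)
        else:
            fields[name.strip()] = value
    return fields


# Fields that reveal the target without connecting to it.
LEAK_FIELDS = ("full address", "username", "domain", "alternate shell", "gatewayhostname")


def rdp_exposure(text: str) -> Dict[str, object]:
    """Which of the leaking fields a given .rdp file carries."""
    fields = parse_rdp(text)
    return {k: fields[k] for k in LEAK_FIELDS if k in fields}


if __name__ == "__main__":
    listing = parse_index_of(SAMPLE_INDEX_HTML)
    print(f"{listing['directory']} served by {listing['server']}")
    for name, reason in flag_sensitive(e["name"] for e in listing["entries"]):
        print(f"  {name}: {reason}")
    print(rdp_exposure(SAMPLE_RDP))
```

Everything the script reports comes from the page Google already cached and the file it links to; nothing here logs in to or enumerates the server itself. The flagged names are exactly the words you would put after intitle:index.of to find such listings in the first place.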

Search operators that can be used in Google web searches (several of these, link:, info:, id:, phonebook:, rphonebook:, stocks: and more recently cache:, have since been retired by Google and no longer filter results):

allinanchor:
allintext:
allintitle:         example: allintitle:danscourses photoshop
allinurl:
cache:
define:
filetype:         example: danscourses.com filetype:swf
id:
inanchor:
info:
intext:
intitle:
inurl:
phonebook:
related:
rphonebook:
site:
stocks:
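Putting the operators above together by hand is error-prone: a phrase must be in straight double quotes, exclusions take a leading minus, and a dork copied from a web page often carries curly quotes that Google reads as punctuation rather than phrase delimiters. The following is an added example, not code from the original page, of a small builder that renders the directives from this page into correctly quoted queries and the Google search URLs for them. The function names, the OR-grouping with parentheses and the list in recon_dorks are my choices; the domain is a placeholder.

```python
from typing import Iterable, List, Optional
from urllib.parse import quote_plus

# Google reads curly quotes as ordinary punctuation, not as phrase delimiters, so a
# dork copied from a web page with smart quotes silently loses its exact-phrase match.
_SMART_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"})


def normalize_quotes(query: str) -> str:
    """Replace typographic quotes with the straight quotes Google's parser expects."""
    return query.translate(_SMART_QUOTES)


def term(operator: Optional[str], value: str) -> str:
    """Render one search term; values containing whitespace become quoted phrases."""
    value = normalize_quotes(value).strip('"')
    if any(ch.isspace() for ch in value):
        value = f'"{value}"'
    return f"{operator}:{value}" if operator else value


def any_of(*terms: str) -> str:
    """OR-group of terms, e.g. (inurl:temp | inurl:bak); Google accepts OR as well as |."""
    return "(" + " | ".join(terms) + ")"


def build_dork(*parts: str, exclude: Iterable[str] = ()) -> str:
    """Join positive terms with Google's implicit AND and append each exclusion as -term."""
    query = " ".join(p for p in parts if p)
    query += "".join(f" -{e}" for e in exclude)
    return query.strip()


def search_url(query: str) -> str:
    """Google search URL for a dork; quote_plus encodes ':' and '"' and turns spaces into '+'."""
    return "https://www.google.com/search?q=" + quote_plus(normalize_quotes(query))


def recon_dorks(domain: str) -> List[str]:
    """The recon queries from the directives on this page, scoped to one target domain (assumed set)."""
    site = term("site", domain)
    return [
        build_dork(site, exclude=[f"site:www.{domain}"]),                        # subdomains
        build_dork(site, term("intitle", "index.of")),                            # directory listings
        build_dork(site, term("intitle", "index.of"), "passwd", exclude=["ftp"]),
        build_dork(site, any_of(term("inurl", "temp"), term("inurl", "tmp"),
                                term("inurl", "backup"), term("inurl", "bak"))),
        build_dork(site, any_of(term("ext", "sql"), term("ext", "bak"),
                                term("ext", "rdp"), term("ext", "log"))),
        build_dork(site, any_of("login", "logon", term(None, "admin login"))),
        build_dork(site, any_of(term("intitle", "error"), "warning")),
        build_dork(site, exclude=["ext:html", "ext:htm", "ext:shtml"]),          # non-HTML documents only
    ]


if __name__ == "__main__":
    for dork in recon_dorks("example.com"):
        print(f"{dork}\n    {search_url(dork)}")
```

Run it and paste each query into the search field, or open the printed URL; the output for the first entry is the subdomain query shown under site: above. Keep in mind that only the operators Google still honours (not link:, info:, cache: and the other retired ones) will actually narrow the results.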


Author: Dan

Dan teaches computer networking and security classes at Central Oregon Community College.
