This is an introduction to the use of the Google search tools for obtaining information about organizations, servers, vulnerabilities, usernames, encrypted and clear text passwords, etc. There are books (1,2) published on this topic, therefore this is only a brief overview of these tools and techniques.
Google basic search techniques
The main on-line references are The Google Hacker's Guide (pages 1-13) by Johnny Long and, of course, Google's own pages on basic search and search operators.
- Google assumes that two or more words entered are in an AND relationship, but excludes from the search common words like the, how, where. To force one of these common words to be included in the search you need to add a + in front of it, e.g. in "how nice of you", to include how use +how nice of you. On the other hand, if you want to exclude a term you can use a - in front of it, e.g. how -nice of you would exclude nice.
- phrase searches should use double-quotes surrounding the phrase, e.g. "how nice of you". You can use mixed searches combining words with phrases, e.g. George "how nice of you".
- Google operators allow powerful searches, and use the format operator:search. The following table summarizes these operators.
site:       search in a specific site
filetype:   search for specific document type
link:       search for pages with link
cache:      search cached version of a page
intitle:    search term in page title
inurl:      search term in page URL
intext:     search term in page content - regular search
Most of these operators are straightforward, but a few require additional explanations, as follows.
- Google keeps a list of filetypes it can search at http://www.google.com/help/faq_filetypes.html, summarized below:
- Adobe Portable Document Format (pdf)
- Adobe PostScript (ps)
- Lotus 1-2-3 (wk1, wk2, wk3, wk4, wk5, wki, wks, ...)
- Lotus WordPro (lwp)
- MacWrite (mw)
- Microsoft Excel (xls)
- Microsoft PowerPoint (ppt)
- Microsoft Word (doc)
- Microsoft Works (wks, wps, wdb)
- Microsoft Write (wri)
- Rich Text Format (rtf)
- Shockwave Flash (swf)
- Text (ans, txt)
The main on-line reference continues to be The Google Hacker's Guide (pages 14-26) by Johnny Long. Johnny also maintains the Google Hacking Database (GHDB) with known uses of Google search for hacking. Note: the examples selected below follow the textbook for easy reference by the students.
Google hacking techniques
- Exploring title messages from servers, e.g. intitle:"Welcome to IIS 4.0" (you can see the results here). This is a list of servers running whatever the message names, in this case IIS 4.0.
- Exploring server messages in the URL, e.g. "VNC Desktop" inurl:5800 (you can see the results here). This is a list of servers running VNC on port 5800 (we will study VNC as remote control software and its vulnerabilities later in the course).
- Exploring filetype to find servers with FrontPage vulnerabilities, e.g. filetype:pwd service. Note that pwd is not one of the types listed above, but Google still looks for service.pwd, and you can see the results here. This is a list of usernames and encrypted passwords. As we will study later in the course, a hacker can use John the Ripper to crack the passwords by brute force. The damage here is defacing a Web site, but users tend to reuse usernames and passwords elsewhere.
- Exploring filetype and inurl to find password files in servers, e.g. filetype:bak inurl:"htaccess|passwd|shadow|htusers", and you can see the results here. This is a list of usernames and encrypted passwords for logging in to servers. The damage here can be devastating if the root password is available, as in one case it is. We will discuss UNIX/Linux vulnerabilities, the use of shadow passwords, etc., later in the course.
- Exploring filetype, inurl and intext to find DB passwords, e.g. filetype:properties inurl:db intext:password, and you can see the results here. This is a list of files containing database usernames and passwords. Once more you can see the root password, and in one case it is blank!
- Exploring security vulnerability scanners' output, not even using operators, e.g. "This file was generated by Nessus", and see the results here. This is a list of vulnerabilities found in servers, generated by the Nessus scanner and not deleted from the servers after it was run. The hacker has the vulnerabilities identified for him/her already ...
The above examples only touch a small number of the cases collected by Johnny Long in the Google Hacking Database (GHDB). There are 1387 entries in the database organized in 14 categories.
This tutorial also does not cover automated tools for Google hacking, although they exist for Windows and Linux/UNIX. You should note that Google requires prior authorization for you to use any automated tool for this purpose.
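A defender-side counterpart to the file-exposure queries above, added here as an example and not part of this tutorial: it walks a local copy of your own web root and flags the files those queries would surface (service.pwd, .bak copies of htaccess/passwd/shadow/htusers, db*.properties mentioning a password, and leftover Nessus reports), so nothing is sent to Google and no authorization is needed. The RULES table, the sample tree and its placeholder credentials are all constructed for the example.

```python
import os, re, tempfile
# Each rule mirrors one query from the tutorial: (label, regex on relative path, regex on content)
RULES = [
    ("FrontPage password file [filetype:pwd service]",
     re.compile(r"(^|/)service\.pwd$", re.I), None),
    ("backup of a credential file [filetype:bak inurl:htaccess|passwd|shadow|htusers]",
     re.compile(r"(htaccess|passwd|shadow|htusers)[^/]*\.bak$", re.I), None),
    ("DB properties file with a password [filetype:properties inurl:db intext:password]",
     re.compile(r"db[^/]*\.properties$", re.I), re.compile(r"password", re.I)),
    ('leftover Nessus report ["This file was generated by Nessus"]',
     None, re.compile(r"This file was generated by Nessus")),
]

def audit_webroot(root, max_bytes=1_000_000):
    """Return sorted (relative_path, rule_label) pairs for every file some rule flags."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            text = None  # file body, read lazily and at most once (capped at max_bytes)
            for label, path_re, content_re in RULES:
                if path_re is not None and not path_re.search(rel):
                    continue
                if content_re is not None:
                    if text is None:
                        with open(os.path.join(dirpath, name), "rb") as fh:
                            text = fh.read(max_bytes).decode("utf-8", errors="replace")
                    if not content_re.search(text):
                        continue
                findings.append((rel, label))
    return sorted(findings)

# Constructed sample web root; the hash and credentials are placeholders, not real data.
SAMPLE_FILES = {
    "_vti_pvt/service.pwd": "admin:PLACEHOLDER_CRYPT_HASH\n",
    "old/.htaccess.bak": "AuthUserFile /var/www/.htpasswd\n",
    "conf/db.properties": "db.user=root\ndb.password=\n",  # blank root password, as on the page
    "scan/report.html": "<html>This file was generated by Nessus</html>\n",
    "index.html": "<html>Welcome</html>\n",  # harmless page, must not be flagged
}

def run_demo():
    # Write the sample tree into a throwaway directory and audit it.
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
        return audit_webroot(root)
```

Run `audit_webroot("/path/to/webroot")` against a real document root to get the same list for your own servers; anything it returns should be removed from the web tree or moved outside it.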
This page is maintained by Al Bento, who can be reached at firstname.lastname@example.org. This page was last updated on January 30, 2012. Although we will attempt to keep this information accurate, we cannot guarantee the accuracy of the information provided.