1. www.TASK.to GOOGLE HACKING FOR PENETRATION TESTERS Chris Chromiak SentryMetrics March 27 th, 2007

2. www.TASK.to © Toronto Area Security Klatch 2007 GOOGLE HACKING FOR PENETRATION TESTERS What is Google Hacking?  It is NOT hacking into Google!!  Johnny Long is the “grandfather” of Google hacking.  His website http://johnny.ihackstuff.com is exclusively dedicated to Google Hacking and you will find all sorts of cool information there.http://johnny.ihackstuff.com  Google is much more than just a simple search interface and engine.  Google crawls public websites for information every 6-8 weeks using an automated search and record program called Googlebot.  As more of our business processes, intellectual property and research and development moves to a web environment, it will be more important for security professionals to have the skills required to evaluate their sites from the perspective of a malicious search engine user.

3. www.TASK.to GOOGLE HACKING FOR PENETRATION TESTERS Basic Google Operators  Exclude terms using the NOT operator (minus sign)  For example, searching SANS –GIAC will give you everything that has SANS but not GIAC  Include common words using the AND operator (plus sign)  For example, searching SANS +GIAC will give you everything with the words SANS and GIAC  Searching for exact phrases must be surrounded by double quotes  For example, “SANS and GIAC” will return all results that have SANS and GIAC as a phrase  Wildcards are represented by an asterisk  Searching for SANS * “Storm Center” will return all entries with SANS any word Storm Center  Google searching is not case sensitive so SANS, sans and SaNs are all the same

4. www.TASK.to GOOGLE HACKING FOR PENETRATION TESTERS Some of the Advanced Google Search Techniques  Site - restricts a search to a particular site or domain  Intitle – finds strings in the title of a page  Inurl – finds strings in the URL of a page  Filetype – finds specific types of files based on file extension  Link – searches for links to a site or URL  Inanchor – finds text in the descriptive text of links

5. www.TASK.to GOOGLE HACKING FOR PENETRATION TESTERS Google Hacking Tools  Gooscan – Johnny Long’s free command line UNIX tool. It violates the Google TOS. Gooscan automates queries designed to find potential vulnerabilities on web pages against Google. http://www.johnny.ihackstuff.com http://www.johnny.ihackstuff.com  SiteDigger – A Windows tool that searches Google’s cache to look for vulnerabilities, errors, configuration issues and proprietary information on websites. http://www.foundstone.com/resources/proddesc/sitedigger.htmhttp://www.foundstone.com/resources/proddesc/sitedigger.htm  Wikto – Wikto is a Windows based web server assessment tool that uses the Google hacking database (GHDB). This tool requires a Google developer license. http://www.sensepost.com/research/wiktohttp://www.sensepost.com/research/wikto  Advanced Dork – AdvancedDork is a Firefox extension designed to quickly search for specific text inside Google’s Advanced Operators. https://addons.mozilla.org/firefox/2144 https://addons.mozilla.org/firefox/2144

6. www.TASK.to GOOGLE HACKING FOR PENETRATION TESTERS How to use the GHDB  The GHDB is the main repository for Google hacking tips and tricks  Go to the GHDB at http://johnny.ihackstuff.com/ghdb.phphttp://johnny.ihackstuff.com/ghdb.php  Select the category you are interested in  Some very juicy information here such as sensitive directories, vulnerable servers, files containing passwords, error messages (which give out way too much information), web server detection and sensitive online shopping information such as customer data and credit card numbers  Select the search criteria  Select the entry name to get more details

7. www.TASK.to GOOGLE HACKING FOR PENETRATION TESTERS Google Hacking Examples  Information Disclosure – Google can gather sensitive and private information and contents as well as intellectual property assets  Vulnerability Assessment – Google is another component in the penetration testing toolkit that allows you to identify, with a very low false positive rate, vulnerable resources published on the Internet. These mainly affect web based devices such as web servers, application servers and network devices with a web based interface  Social Engineering – Google can also be used to map information from the virtual world to the real world in order to perform social engineering testing

8. www.TASK.to GOOGLE HACKING FOR PENETRATION TESTERS Information Disclosure  Database definitions and dumps 1. “#mysql dump” filetype:sql (for SQL definition files) 2. filetype:ora ora (for Oracle configuration files)  Exported Registry Settings 1. filetype:reg reg +intext:”internet account manager” (allows you to download the registry to get juicy info like usernames, mail server settings, etc.)  Login Credentials: Usernames and Passwords 1. filetype:pot inurl:john (passwords stored in a file john.pot by John the Ripper publicly available on the Internet)

9. www.TASK.to GOOGLE HACKING FOR PENETRATION TESTERS Vulnerability Assessment and Penetration Testing  Identifying vulnerabilities and use Google to do your intelligence gathering  Look for misconfigurations or “non” configurations  Examples would include default installations, private web interfaces and identifying devices such as printers  Intitle:”Welcome to IIS 4.0” will find many default installations of IIS 4.0 – you now own that server – scary!!  Intitle:”Cisco Systems, Inc. VPN 3000 Concentrator” will get you access to the web interface and chances are many of these have the default username and password  inurl:printer/main.html intext:settings will give you ownership of publicly accessible network printers  Filetype:rdp rdp will get you RDP access to many systems on the Internet (some of which don’t have usernames or passwords!!)

10. www.TASK.to GOOGLE HACKING FOR PENETRATION TESTERS Social Engineering  Google groups is an online public discussion forum  Thousands of newsgroup messages are posted here daily, some of them containing very sensitive information  A simple search for your organization’s domain name can return a lot of social engineering information such as valid employee names, email addresses, resources and other details  Google group operators include: 1. author – searches for the author of a post based on name – author:@sans.org 2. group – allows you to find specific groups related to a given topic – group:*.hacking.* 3. insubject – allows you to find searched terms within the message subject line – insubject:”google hacking” 4. msgid – newsgroup messages uniquely identified by a message ID that looks like an email address with a random username – msgid:123456@sans.org

11. www.TASK.to GOOGLE HACKING FOR PENETRATION TESTERS Google Hacking Defenses  Use common sense!! Basic security practices is all it takes. Defense in depth, act diligently when configuring web based devices and have a strong corporate security policy  Use Google hacking techniques to uncover your own security problems. So…..Google hack yourself!  Work with Google for help in removing security breaches. They are easy to work with and want to help! You can find contact info on their site.