Google Hacking for Reconnaissance
Many who are new to hacking tend to discount the need to do information gathering and want to rush right into attacking the target system. Those with more experience, like yourselves, understand that the more we know about the target, the better our chances of success. Furthermore, for every minute we spend gathering information about our target, we save about 3 minutes of wasted time attempting exploits that will not work. Information gathering is therefore time well invested.
Module 2 will be focused upon gathering information about our target from publicly available sources. Often this is termed "passive reconnaissance" as we never touch the target system.
As this is an advanced course, I assume that most of you are familiar with Google hacking, but for those of you who are not, this will serve as a brief introduction. For those of you who are familiar with the basics, I hope to introduce you to some new advanced Google hacking that will make this lesson worth your while.
As all of you know, Google operates the most widely used Internet search engine on the planet. Google crawls nearly every web page of every web site and builds a huge database of all the information it gathers. Most people then use Google's database to search for keywords relevant to their query, and Google retrieves the most relevant web sites based upon its algorithm.
What few know is that Google has special keywords and operators that assist us in extracting very specific information from that humongous database. For a hacker, the Google database may yield invaluable information about potential targets.
Let's take a look at a few of those keywords and what they do.
Please note that Google's keywords require a colon (:) between the keyword and the search terms, such as intitle:hakin9.
Although far from an exhaustive list, here are some of the more widely used Google keywords:
If you use the allinanchor keyword, Google will restrict your search to those web pages that have ALL of the terms you are looking for in the anchor of the page.
If you use the allintext keyword, Google will restrict your search to those pages that have ALL of the search terms you specify in the text of the page.
If you use the allintitle keyword, Google will restrict your search to those pages that have ALL of the search terms you specify in the title of the page.
If you use the allinurl keyword, Google will restrict your search to those pages that have ALL of the search terms you specify in the URL of the page.
If you use the filetype keyword, Google will restrict your search to those pages that are of the filetype you specify. For instance, to search for Adobe PDF files, you could use filetype:pdf
If you use the inanchor keyword, Google will restrict your search to those pages that have the search terms you specify in the anchor of the page.
If you use the intext keyword, Google will restrict your search to those pages that have the search terms you specify in the text of the page.
If you use the intitle keyword, Google will restrict your search to those pages that have the search terms you specify in the title of the page.
If you use the inurl keyword, Google will restrict your search to those pages that have the search terms you specify in the URL of the page.
When you use the link keyword followed by a URL, it will show you all the sites that link back to the URL specified.
If you use the site keyword, Google will restrict your search to the site or domain you specify.
Let's look at some examples of how we can use Google hacking to find relevant web sites and files.
As you know, many firms store important financial and other information in Excel files. We could use a simple Google hack that looks for the filetype xls.
We can get a bit more selective and combine Google keywords to look for Excel files on government websites (by using the keyword site with the top-level domain .gov) that have the word "contact" in their URL. This will hopefully yield web pages that have contact lists from government agencies, a possible treasure trove for social engineering:
filetype:xls site:gov inurl:contact
If I were looking for an Excel file with email addresses, I might use the following:
Some Google hacks can find files that are useful for hacking a particular application. For instance, Oracle databases have connection definitions called TNSNames. We could search for those tnsnames with:
Many PHP applications are vulnerable to SQL injection and other attacks. We can look for these types of web applications with:
Some other Google hacks that might yield interesting results include:
intitle:"site administration:please log in"
If I were pursuing a social engineering attack and wanted to gather useful information on my target, I might use:
intitle:"curriculum vitae" filetype:doc
Some firms will put their vulnerability scan online for staff to view, not realizing that the whole world may be able to view it. If I can view a firm's vulnerability scan, I will then know what vulnerabilities exist on their network, and hacking it becomes a relatively simple exercise. For instance, if we were looking for a Retina scan report (Retina is a major vulnerability scanning product), we could use:
intitle:"Retina Report" "Confidential Information"
Or, we could look for a Nessus scan with:
intitle:"Nessus Report" "Confidential Information"
...and then open one of the search results to find the following.
Some of the more fun Google hacks include looking for vulnerable web cams.
When we click on one of these search results, we can access the administration panel of these cameras, as shown below.
Some other Google hacks that might yield interesting results to the hacker include:
site:edu admin grades
inurl:main.php Welcome to phpMyAdmin
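The flip side of these queries is checking your own site for the same material before Google indexes it. The following Python is an added example, not part of the course material: it parses a site's robots.txt, recognises a noindex meta tag, and flags Office documents and pages whose titles would answer the Nessus, Retina, administration-login and phpMyAdmin queries above. The title patterns and file extensions are assumptions taken from the queries on this page, and the robots.txt model is deliberately simplified (literal Disallow prefixes only; wildcards and Allow lines are ignored).

```python
import re
from pathlib import Path

# Titles and document types that the intitle: and filetype: queries in this lesson key on
# (assumed from the queries above, not an exhaustive list).
SENSITIVE_TITLE = re.compile(
    r"nessus report|retina report|site administration:\s*please log in|phpmyadmin", re.I)
SENSITIVE_EXT = {".xls", ".xlsx", ".doc", ".docx"}
TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)

def robots_disallow_prefixes(robots_txt: str) -> list:
    """Disallow prefixes from the 'User-agent: *' groups of a robots.txt (simplified:
    literal prefixes only, no wildcards and no Allow overrides)."""
    prefixes, applies, seen_rule = [], False, False
    for raw in robots_txt.splitlines():
        field, _, value = raw.split("#", 1)[0].partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if seen_rule:  # a User-agent line after rules starts a new group
                applies, seen_rule = False, False
            applies = applies or value == "*"
        elif field == "disallow":
            seen_rule = True
            if applies and value:
                prefixes.append(value)
    return prefixes

def has_noindex(body: str) -> bool:
    """True if the HTML carries <meta name="robots" content="...noindex...">."""
    return any(re.search(r'name=["\']robots["\']', tag, re.I) and "noindex" in tag.lower()
               for tag in re.findall(r"<meta[^>]*>", body, re.I))

def exposure_reason(url_path: str, body: str, disallowed: list):
    """Why a resource would answer one of the queries above, or None if it is covered.
    Disallow keeps the crawler from fetching the body; noindex keeps a fetched HTML
    page out of the results (it does nothing for an .xls, which has no meta tag)."""
    if any(url_path.startswith(p) for p in disallowed):
        return None
    ext = Path(url_path).suffix.lower()
    if ext in SENSITIVE_EXT:
        return f"office document reachable by filetype:{ext[1:]}"
    if has_noindex(body):
        return None
    m = TITLE_RE.search(body)
    if m and SENSITIVE_TITLE.search(m.group(1)):
        return f'title "{m.group(1).strip()}" answers an intitle: query'
    return None
```

To audit a document root, walk it and call exposure_reason with each file's URL path, its HTML body (empty for non-HTML files) and the prefixes parsed from the site's robots.txt. A Disallow entry stops crawling but not the listing of a URL that other sites link to, so for genuinely confidential reports the answer is authentication rather than robots.txt.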
Google hacking is a key skill that every hacker should be aware of and master. In many cases, it can yield information on our target that may save us hours or even days in exploiting the target.