As all of us know, Google operates the most widely used Internet search engine on the planet. Google crawls nearly every web page, of every website, and builds a massive database of all the information it gathers. Most people then use Google's database to search by keywords for articles relevant to the subject of their inquiry. Google then retrieves the most relevant websites based upon its algorithm (the PageRank algorithm, named for Larry Page, one of Google’s founders) which prioritizes the articles.
What few know is that Google has particular keywords and operators that can assist you in extracting precise information from this extraordinary database. As a hacker, that Google database may yield information about potential targets that could prove invaluable, including passwords.
Let's take a look at a few of those keywords and what they do.
Google Hacking Keywords
Please note that Google's keywords require a colon (:) between the keyword and the search terms, such as intitle:hackers-arise.
Although far from an exhaustive list, here are some of the more widely used Google keywords:
If you use the site keyword, Google restricts your search to the site or domain you specify.
Google Hacking Examples
Let's look at some examples of how we can use Google hacking to find relevant web sites and files.
As you know, many firms store important financial and other information in Excel files. We could use a simple Google hack that looks for the Excel filetype, “.xls” or “.xlsx”.
filetype:xls
We can get a bit more selective and combine Google keywords to look for Excel files in government websites (by using the keyword site with the top-level domain .gov) that have the word "contact" in their URL. This yields web pages that have contact lists from government agencies, a possible treasure trove for social engineering.
filetype:xls site:gov inurl:contact
If I were looking for an Excel file with email addresses, I might use the following:
filetype:xls inurl:email.xls
Many PHP applications are vulnerable to SQL injection and other attacks. We can look for these types of web applications with:
inurl:index.php?id=
Some other Google hacks that might yield interesting results include:
intitle:"site administration:please log in"
If I were pursuing a social engineering attack and I want to gather useful information on my target, I might use:
intitle:"curriculum vitae" filetype:doc
Effectively finding unsecured web cams is one of the more fun aspects of Google hacks. The following list shows some of these effective hacks for finding vulnerable web cams:
These Google dorks are innumerable, and some people, such as Johnny Long, specialize in developing effective Google dorks. Johnny Long is famous for developing effective Google dorks and has written a couple of good books on the subject. Another good source for Google dorks is the Exploit Database at www.exploit-db.com. If we go there and click on the GHDB tab to the left of the screen, we can find the latest Google dorks.
When we click on the GHDB tab, it opens:
Here we can find thousands of Google dorks. Some are more effective than others. We can be very specific about the kind of dorks we are seeking. For instance, if we were targeting WordPress websites, we could enter the keyword "wordpress" in the search window, and this site would display all the Google dorks relevant to WordPress-built websites (WordPress is the world's most popular content management system for building websites). Among the many Google dorks we find here is a more complex one that combines several phrases:
filetype:sql intext:password | pass | passwd intext:username intext:INSERT INTO `users` VALUES
When we use this dork, we find several web sites. When we click on one, we find the following:
As you can see, we were able to find a SQL script that inserted users and passwords into a database. As we scan through this script, we find numerous username and password pairs. These should make hacking these accounts pretty simple!
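A site owner can apply the same match to their own document root and find such a dump before a crawler indexes it. The following is an added example, not code from the original article; the function names, the 1 MB read limit and the sample files are assumptions, and the regular expressions only approximate how Google evaluates the dork above.

```python
import os
import re
import tempfile

# Approximation of: filetype:sql intext:password | pass | passwd
#                   intext:username intext:INSERT INTO `users` VALUES
ANY_OF = re.compile(r"\b(password|passwd|pass)\b", re.I)
ALL_OF = [re.compile(r"\busername\b", re.I),
          re.compile(r"insert\s+into\s+`?users`?\s+values", re.I)]


def dork_would_match(path, text):
    """True if an indexed copy of this file would satisfy the dork."""
    if not path.lower().endswith(".sql"):          # filetype:sql
        return False
    return bool(ANY_OF.search(text)) and all(p.search(text) for p in ALL_OF)


def audit_webroot(root):
    """Return sorted relative paths under root that the dork would surface."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", errors="replace") as fh:
                    text = fh.read(1_000_000)      # first 1 MB is enough to decide
            except OSError:
                continue                           # unreadable file: skip it
            if dork_would_match(name, text):
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def demo():
    """Build a constructed web root (sample data, not real) and audit it."""
    samples = {
        "backup/site.sql": "CREATE TABLE users (username TEXT, password TEXT);\n"
                           "INSERT INTO `users` VALUES ('alice','example-hash');\n",
        "backup/schema.sql": "CREATE TABLE products (id INT, name TEXT);\n",
        "index.php": "<?php // login form: username, password ?>\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(body)
        return audit_webroot(root)
```

Any path this returns for a real document root is a file to move out of the web-served tree, and its credentials should be treated as exposed.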
Google Hacking Summary
Google hacking is a key skill that every hacker should be aware of and master. In many cases, it can yield information on our target that may save us hours or even days in exploiting the target.
As we continue to expand on information gathering techniques, keep in mind that you are unlikely to use all of these techniques on one project. Each project is unique, and you will need to customize your information gathering techniques to the target. It is also important to note here that we are using publicly available information that does not require that we "touch" the domain or website of the potential target and, thereby, trigger some alert by an Intrusion Detection System (IDS) or other security devices as we are gathering information on the target.