Google Hacking

University of Sunderland

CSEM02

Harry R Erwin, PhD

Peter Dunne, PhD

Basics

• Web Search

• Newsgroups

• Images

• Preferences

• Language Tools

Google Queries

• Non-case sensitive• * in a query stands for a word• ‘.’ in a query is a single character wildcard• Automatic stemming• Ten-word limit• AND (+) is assumed, OR (|) and NOT (-) must be

entered• “” for a phrase

More Queries

• You can control the language of the pages and the language of the reports

• You can restrict the search to specific countries

Controlling Searches

• Intitle, allintitle• Inurl, allinurl• Filetype• Allintext• Site• Link• Inanchor• Daterange• Cache• Info

• Related• Phonebook• Rphonebook• Bphonebook• Author• Group• Msgid• Insubject• Stocks• Define

Controlling Searches (II)

• These operators can be used to restrict searches.

• To restrict the search to the university: site:sunderland.ac.uk

• Or to search for seventh moon merlot in the uk: “seventh moon” merlot site:uk

Typical Filetypes

• Pdf

• Ps

• Xls

• Ppt

• Doc

• Rtf

• Txt

Why Google

• You access Google, not the original website.

• Most crackers access any site, even Google via a proxy server.

• Why? If you access the cached web page and it contains images, you will get the images from the original site.

Directory Listings

• Search for intitle:index.of• Or intitle:index.of “parent directory”• Or intitle:index.of name size• Or intitle:index.of inurl:admin• Or intitle:index.of filename• This can then lead to a directory traversal• Look for filetype:bak, too, particularly if you want

to expose sql data generated on the fly

Commonly Available Sensitive Information

• HR files

• Helpdesk files

• Job listings

• Company information

• Employee names

• Personal websites and blogs

• E-mail and e-mail addresses

Network Mapping

• Site:domain name• Site crawling, particularly by indicating

negative searches for known domains• Lynx is convenient if you want lots of hits:

– lynx -dump “http://www.google.com/search?\– q=site:name+-knownsite&num=100” >\– test.html

• Or use a Perl script with the Google API

Link Mapping

• Explore the target site to see what it links to. The owners of the linked sites may be trusted and yet have weak security.

• The link operator supports this kind of search.

• Also check the newsgroups for questions from people at the organization.

Web-Enabled Network Devices

• The Google webspider often encounters web-enabled devices. These allow an administrator to query their status or manage their configuration using a web browser.

• You may also be able to access network statistics this way.

Searches to Worry About

• Site:• Intitle:index.of• Error|warning• Login|logon• Username|userid|

employee.ID| “your username is”

• Password|passcode| “your password is”

• Admin|administrator• -ext:html -ext:htm

-ext:shtml -ext:asp -ext:php

• Inurl:temp|inurl:tmp| inurl:backup|inurl:bak

• Intranet|help.desk

Protecting Yourselves

• Solid security policy

• Public web servers are Public!

• Disable directory listings

• Block crawlers with robots.txt

• <META NAME=“ROBOTS” CONTENT=“NOARCHIVE”>

• NOSNIPPET is similar.

More Protection

• Passwords

• Delete anything you don’t need from the standard webserver configuration

• Keep your system patched.

• Hack yourself

• If sensitive data gets into Google, use the URL removal tools to delete it.