
Google Hacking

Elena Galván, esCERT

SSI


Let people know you

Companies, organizations, products and opinions use websites to make themselves known
One way of achieving that is to make search engines find you
Search engine robots scan websites and classify them in rankings

Google

The most widely used web search engine: more than 80% of users
Founded in 1998
More than 20.000 servers all over the world
More than 8.000.000.000 URLs stored

Services

Search engine
News
E-mail
Pictures
Maps
Shared documents
Blogs
Bulletin boards
Spreadsheets
Publicity

Google search ranking

Based on

Words searched
Collective internet intelligence
Secret criteria that keep changing
If SITE_1 refers to SITE_2 then SITE_2 has one point

PageRank

"Page" is the last name of the algorithm's creator
Complex mathematical equation with 500 million variables and 3.000 million terms

Google hacking

Google can also be used by malicious people, using advanced search techniques, to access unauthorized information

Brief history

Mid-2000, an article published in the magazine The Register:
While looking for data in Google on a Cisco IOS web server, a Security Focus researcher, Ryan Russell, found a link through which he ended up on a US .gov website.

ITWeb article:
Barry Cribb, from Digital Networks, found that entering a certain search pattern made Google return 38.000 pages with administrator login

Late 2004, the Santy worm propagated using Google:
Finding websites using phpBB (PHP bulletin board) with a vulnerable version

Google basic search

"I'm feeling lucky" button

Takes you to the site matching the search that has the highest ranking (not necessarily the highest PageRank)

"Google search" button

Omits some common words (prepositions, articles)
Case-insensitive
Offers spelling correction or alternative common spellings of the words being searched

Google finer search (1/2)

Parameters are evaluated left to right

Quoted phrases

A query with terms in quotes finds pages containing the exact quoted phrase
Google will search for common words (stop words) included in quotes, which it would otherwise ignore
USE [ "to be or not to be" ] NOT [ to be or not to be ]

+ Operator

Forces Google to search for a particular term. Used in front of stop words that Google would otherwise ignore
USE [ jobs in central +LA California ] NOT [ jobs in central LA California ]

- Operator

Forces Google to skip results containing the qualified term.

Google finer search (2/2)

~ Operator

Also finds synonyms, or similar words, of the qualified word
[ ~run ] matches run, runners, running, as well as marathon
Interested in food facts as well as nutrition and cooking information? [ ~food ~facts ]

OR and | Operators

Apply to the search terms immediately adjacent to the operator
[ filter OR stop junk email OR spam ]

.. Operator

Number range specification
[ Russian Revolution 1800..2000 ]

* Operator

Google treats the * as a placeholder for a word or more than one word
[ California election Oct * 2003 OR 10/*/03 OR October * 2003 ]

Google advanced operators: Alternate query types

cache

Highlights included words within the cached document
[cache:www.google.com web] will show the cached content with the word "web" highlighted

link

Lists webpages that have links to the specified webpage

related

Lists pages that are "similar" to a specified web page
[related:www.google.com] will list web pages that are similar to the Google homepage

info

Shows information that Google has about that web page
For instance [info:www.google.com] will show information about the Google homepage

Google advanced operators: Other information needs

define

Provides a definition of the words you enter
[define:google] Google, a popular search engine, is a tool for finding resources on the World Wide Web.

stocks

Treats the rest of the query terms as stock ticker symbols
[stocks: intc yhoo] will show information about Intel and Yahoo

Google advanced operators: Query modifiers

site

Restricts the results to those websites in the given domain
[help site:www.google.com] will find pages about help within www.google.com

allintitle

Restricts the results to those with all of the query words in the title
[allintitle: google search] will return only documents that have both "google" and "search" in the title

intitle

Restricts the results to documents containing that word in the title
Putting [intitle:] in front of every word in your query is equivalent to putting [allintitle:] at the front of your query: [intitle:google intitle:search] is the same as [allintitle: google search].

allinurl

Restricts the results to those with all of the query words in the URL
[allinurl: google search] will return only documents that have both "google" and "search" in the URL

inurl

Same idea as intitle and allintitle

Find websites which allow you to see the directory structure

intitle:index of IIS
allintitle: index of IIS

Google advanced operators: miscellanea

ext: filetype:

Restrict the results to pages whose names end in the given suffix
[ email security filetype:pdf OR filetype:doc ]
Extensions covered: http://www.google.es/help/faq_filetypes.html#what

group:

Restricts your Google Groups results to newsgroup articles from certain groups or subareas

id: info:

info:URL will present some information about the corresponding web page

insubject: intext: intitle:

Restrict articles in Google Groups to those that contain the terms you specify in the subject/text/title

Automating Google search

Parameters can be sent using the GET method

hl: home language
q: query

www.google.es/search?hl=es&q=test+vulnerability+web&restrict=countryEN&lr=lang_es&hl=ca&num=5&start=6
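A defender can read the same q parameter back out of the Referer field in their own web server logs to spot visitors who arrived through operator-based searches. This is an added example, not part of the original slides; it assumes combined-format access logs and a referrer that still carries the full search URL, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Operators described in these slides.
OPERATORS = ("site", "inurl", "allinurl", "intitle", "allintitle",
             "filetype", "ext", "intext", "cache", "link")
OP_RE = re.compile(r"\b(%s):" % "|".join(OPERATORS), re.IGNORECASE)
# Combined log format: client ... "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+)[^"]*" \d{3} \S+ "([^"]*)"')


def operators_in_referer(referer):
    """Return the operators used in the q parameter of a Google search referrer."""
    parts = urlsplit(referer)
    host = parts.hostname or ""
    if not re.search(r"(^|\.)google\.[a-z.]+$", host) or parts.path != "/search":
        return []
    # parse_qs decodes %3A to ":" and "+" to a space.
    query = " ".join(parse_qs(parts.query).get("q", []))
    return sorted({m.lower() for m in OP_RE.findall(query)})


def flag_log_lines(lines):
    """Return (client, requested_path, operators) for hits that came from operator searches."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ops = operators_in_referer(m.group(3))
            if ops:
                flagged.append((m.group(1), m.group(2), ops))
    return flagged


# Constructed sample lines (documentation addresses; queries taken from these slides).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2007:10:00:00 +0000] "GET /index.html.bak HTTP/1.1" 200 512 '
    '"http://www.google.es/search?hl=es&q=filetype%3Abak+inurl%3Aindex.html" "Mozilla/5.0"',
    '192.0.2.11 - - [01/Jan/2007:10:00:05 +0000] "GET /help.html HTTP/1.1" 200 900 '
    '"http://www.google.es/search?hl=es&q=email+security" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, path, ops in flag_log_lines(SAMPLE_LOG):
        print(client, path, ",".join(ops))
```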

Google Hacking Database

Advisories and Vulnerabilities (215 entries)
These searches locate vulnerable servers. These searches are often generated from various security advisory posts, and in many cases are product or version-specific.

Error Messages (68 entries)
Really retarded error messages that say WAY too much!

Files containing juicy info (230 entries)
No usernames or passwords, but interesting stuff none the less.

Files containing passwords (135 entries)
PASSWORDS, for the LOVE OF GOD!!! Google found PASSWORDS!

Files containing usernames (15 entries)
These files contain usernames, but no passwords... Still, google finding usernames on a web site..

Footholds (21 entries)
Examples of queries that can help a hacker gain a foothold into a web server

Pages containing login portals (232 entries)
These are login pages for various services. Consider them the front door of a website's more sensitive functions.

Google Hacking Database

Pages containing network or vulnerability data (59 entries)
These pages contain such things as firewall logs, honey pot logs, network information, IDS logs... all sorts of fun stuff!

Sensitive Directories (61 entries)
Google's collection of web sites sharing sensitive directories. The files contained in here will vary from sensitive to uber-secret!

Sensitive Online Shopping Info (9 entries)
Examples of queries that can reveal online shopping info like customer data, suppliers, orders, credit card numbers, credit card info, etc

Various Online Devices (201 entries)
This category contains things like printers, video cameras, and all sorts of cool things found on the web with Google.

Vulnerable Files (57 entries)
HUNDREDS of vulnerable files that Google can find on websites

Vulnerable Servers (48 entries)
These searches reveal servers with specific vulnerabilities. These are found in a different way than the searches found in the "Vulnerable Files" section.

Web Server Detection (72 entries)
These links demonstrate Google's awesome ability to profile web servers..

Using Google to find vulnerabilities

Find backup copies

filetype:bak inurl:index.html
filetype:bak inurl:htacces|passwd|shadow|htusers
filetype:sql (passwd values **** | password values **** | pass values ****)
filetype:mdb inurl:account|users|administrators|admin|passwd|password
filetype:bak login.php
filetype:old login.php
inurl:temp | inurl:tmp | inurl:backup | inurl:bak | inurl:old

Find default configurations of well known web applications

filetype:php info.php
inurl:main.php phpMyAdmin

Find Samba servers accessible from the Internet

Intitle: Samba Web Administration Tool intext:Help Workgroup
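The same patterns can be turned into a check of your own document root before a crawler gets there. This is an added example, not part of the original slides: the function names and the sample directory tree are constructed, and the suffix, directory and file lists are limited to the ones named in the queries above.

```python
import os
import tempfile

# Suffixes and directory names taken from the backup-copy queries listed above.
LEFTOVER_SUFFIXES = (".bak", ".old", ".sql", ".mdb")
LEFTOVER_DIRS = {"temp", "tmp", "backup", "bak", "old"}
# Test page named in the default-configuration queries above.
DEFAULT_FILES = {"info.php"}


def audit_docroot(docroot):
    """Return sorted (relative_path, reason) pairs for files that should not be served."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        rel_dir = os.path.relpath(dirpath, docroot)
        parts = set() if rel_dir == "." else set(rel_dir.lower().split(os.sep))
        for name in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            lower = name.lower()
            if lower.endswith(LEFTOVER_SUFFIXES):
                findings.append((rel, "backup or dump suffix"))
            elif lower in DEFAULT_FILES:
                findings.append((rel, "default or test file"))
            elif parts & LEFTOVER_DIRS:
                findings.append((rel, "inside temp/backup directory"))
    return sorted(findings)


def build_sample_docroot():
    """Create a constructed document root so the example runs offline."""
    root = tempfile.mkdtemp(prefix="docroot_")
    for rel in ("index.html", "index.html.bak", "login.php.old",
                "info.php", "backup/site.tar", "css/site.css"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
    return root


if __name__ == "__main__":
    for rel, reason in audit_docroot(build_sample_docroot()):
        print(f"{rel}: {reason}")
```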

Using Google to find vulnerabilities

Find public phpMyAdmin servers running as the root user (no authentication)

intitle:phpMyAdmin Welcome to phyMyAdmin * * * running on * as root@*

Reveal Windows 2000 Internet Information Server with default home page

intitle: Welcome to Windows 2000 Internet Services

Find the Apache version using the default page

Intitle:Test Page for Apache

Reveal Microsoft IIS 6.0 with public directories

Microsoft-IIS/6.0 intitle:index.of

Servers exposing /etc/passwd publicly

intitle:Index ofetc passwd

Using Google to find vulnerabilities

intitle:"Nessus Scan Report" "This file was generated by Nessus"
Yields Nessus scan reports. Even if some of the vulnerabilities have been fixed, we can still gather valuable information about the network/hosts.

inurl:status.cgi?host=all -cvs
Nagios (network monitoring program) status page. See what ports are being monitored as well as IP addresses. Be sure to check the Google cached page first.

intitle:"ADSL Configuration page"
Status screen for the Solwise ADSL modem. Information available from this page includes IP addresses, MAC addresses, subnet mask, firmware version of the modem. Attackers can use this information to formulate an attack.

intext:"Tobias Oetiker" "traffic analysis"
MRTG traffic analysis pages. This page lists information about machines on the network including CPU load, traffic statistics, etc. This information can be useful in mapping out a network.

Preventing Google hacking

Be aware of the information made available in a website

Default configurations
Test files never removed
Hidden URLs badly protected

Use meta tags

Noarchive: don't store in Google cache
<meta name="GOOGLEBOT" content="NOARCHIVE" />

Use robots.txt

Disallow: directories not to be scanned by Googlebot
BUT... [filetype:txt inurl:robots.txt] shows exactly what you don't want to be shown
http://www.whitehouse.gov/robots.txt

Review and create secure configurations

Reference

Tools to evaluate web server security

FoundStone Sitedigger
Apollo 2.0
Athena
Wikto

GHDB. Google Hacking Database

Collection of Google hacking techniques
http://johnny.ihackstuff.com/ghdb.php
