Search Tricks for Google


description

This doc is all about search tricks for Google. It describes how to search for the exact information you want on Google in a very efficient manner. It also documents the way in which Google can be used to get sensitive and useful data stored on the internet. I got this doc from some site, so this doc may be copyrighted material. Its author is 'entr0py'; I don't know him, but his email ID is present in the document. So be careful while distributing this copy.

Transcript of Search Tricks for Google

Page 1: Search Tricks for Google

Author: entr0py
Date: 07.06.2007
Feedback: entr0py [AT] hush [DOT] ai
IRC: irc.2600.net #securitybay

Introduction

Google is one of the most popular web search engines in cyberspace. It is an extremely powerful as well as persuasive search engine because it can be easily compromised by inputting delineated search queries. This flaw, or I can say boon, has helped attackers to acquire top-secret information that cannot be obtained by normal search queries. Anyway, in this tutorial I am going to elaborate on various segments of Google. They are as follows:

- Basic Google Search Operators
- Advanced Search Operators
- Malicious Search Queries
- Vulnerability Assessment via Google
- Best Practices

Basic Google Search Operators

As I mentioned earlier, Google has the ability to display confidential information. However, for that, you need to know the basic search queries. Therefore, I am going to demystify the basic search queries.

• Quote usage: If you use quotes to enclose your search query, the results are confined to the exact phrase. For example, if you want to search for NT exploits, you must put the query in quotes to narrow down the results. Example:

"NT Exploits"

• intext: The intext operator forces Google to search for the query in the website’s text content. This operator overlooks URLs and titles; instead, it focuses completely on the text content. Example:

intext:"Netcat Readme".

"allintext" is a variant of the "intext" operator. The allintext operator returns links in which the complete query is present. Example:

allintext:"Format String Bugs".

• inurl: The inurl operator compels Google to search for the query in the website’s URL. This operator ignores text and titles; instead, it focuses entirely on the URL. Example:

inurl:"index.php?page=security_resources.html".

"allinurl" is a variant of the "inurl" operator. The allinurl operator returns URLs in which the complete query is present. Example:

allinurl:"index.php?p=elf_format.html"

• intitle: The intitle operator obligates Google to search for the query in the website’s title. This operator neglects URLs and text; instead, it concentrates entirely on the title. Example:

intitle:"Kernel Development"

"allintitle" is a variant of the "intitle" operator. The allintitle operator returns links in which the complete query is present. Example:

allintitle:"Understanding the Linux Kernel"

• site: The site operator forces Google to return results for the keywords from a specific website. Example:

"Remote Desktop" site:www.rest0re.org

• cache: The cache operator forces Google to display cached websites. This means that this operator will compel Google to provide links from its cache database. This operator is extremely useful during reconnaissance operations. Let me give you a quick example:

cache:www.microsoft.com

• info: The info operator will tell Google to provide you with information about a particular website. Let me show you an example:

info:www.linux.org

• related: The related operator will compel Google to provide you with websites related to a specific website. Let me give you a quick sample:

related:www.freebsd.org

• link: The link operator will compel Google to display websites that link to the specified URL. This operator is helpful during affiliation building. Example:

link:www.the-c0re.org

• filetype: The filetype operator will force Google to show websites with the specified extension, or I can say filetype. This operator will help you in finding source code or whitepapers.

filetype:pdf site:www.infosecwriters.com

Advanced Search Operators

Until now, I have explained almost all the basic Google operators utilized by attackers to gain confidential information. In this section, I am going to explain various other operators used to obtain secret information.

• phonebook: The phonebook operator is one of the most effective dorks used by reconnaissance operators to gather personal information about a specific person. Let me show you a quick example:

phonebook:Robert IL

Note: This operator will only show you US street addresses and phone numbers.

There are several variants of the above operator. Let me list them along with examples:

- bphonebook: The bphonebook operator will show information about a certain business center. Let me show a quick example:

bphonebook:UV Research and Development IL

- rphonebook: The rphonebook operator will show residential information of the specified person.

rphonebook:Lanny IL

• define: The define operator will command Google to display websites that contain a definition of the specified word.

define:entropy

• safesearch: The safesearch operator will instruct Google to ignore spam, adult sites, malicious links, and advertisement portals.

safesearch:XXX

• movie: The movie operator will compel Google to display reviews and show times for the specified keyword.

movie:Gone with the Wind

• weather: The weather operator will instruct Google to list the current weather status of a particular location. Example:

weather Illinois

• store: The store operator forces Google to provide information from its Froogle segment. Example:

R60 store:IBM

Obtaining Passwords via Google

Until now, I have elucidated all the popular Google operators or syntaxes. In this section, I will be elaborating on some malicious operators, which bring out a lot of confidential information.

• allinurl:"auth_user_file.txt": This query compels Google to display the authenticated user file of a DC forum administrator. You need an efficient password cracker like JTR (John the Ripper) because the authentication details are usually enciphered.

• allinurl:passwd.txt: This query will show you the actual passwd file of the website. This file contains the passwords of all the users of the site. Generally, the user details are enciphered; hence, acquaint yourself with all the popular as well as efficient password crackers.

• allinurl:service.pwd: This query will list all the FrontPage service passwords. However, they are usually encrypted with the DES encryption algorithm. Therefore, you need to be armed with a DES cracker.

• allinurl:passlist.txt: This query lists all the passwords utilized within a website.

• "http://*:*@www.anydomain.com": This is one of the most famous dorks used by attackers because by using this dork, one can obtain member details that include usernames and passwords. This is mostly used to crack e-mail passwords.

• .pwd.index: There is a whole list of dorks associated with this syntax. Let me list them:

- administrators.pwd.index
- authors.pwd.index
- service.pwd.index

• allinurl:WWWBoard/passwd.txt: This dork will list all the websites that deploy a vulnerable WWWBoard. This dork is also called the "script kiddie’s best dork/friend".

• allinurl:.htpasswd: .htpasswd stores all kinds of passwords persisting in an Apache httpd server. This search query will reveal the .htpasswd file!

Index Browsing via Google

Google gives you a chance to list the Index directory. One can easily gain top-secret data by browsing through the Index directories. So, let me list all the dorks that can provide you with interesting things:

• "Index of /admin" OR "Index of /administrator" > This will list all the sensitive information within the administrator directory.

• "Index of /password" OR "Index of /passwords" > This will list the password files. Some of them might be encrypted; therefore, you must arm yourself with a powerful password cracker.

• "Index of /passwd"

• "Index of /" +password.txt

• "Index of /" +.htaccess > This will list the directory of .htaccess (configuration file of Apache).

• "Index of/Root"

• "Index of" .bash_history > This will provide you with the history of all the commands executed by a terminal shell. This sometimes provides you with sensitive information.

• "Index of" pwd.db > The password database of a website.

• "Index of" etc/passwd OR "Index of" etc/shadow > UNIX password directory. The former contains plaintext passwords and the latter contains shadow passwords.

• "Index of" spwd

• "Index of" master.passwd

• "Index of" htpasswd

• "Index of" config.php > Configuration file of a website.

Credits go to Debasis Mohanty for some dorks.

Vulnerability Assessment via Google

Google gives you a chance to assess the vulnerability status of a particular website. This has popularized Google among the so-called "White Hats". Anyway, let me list several valuable techniques to assess the vulnerability status.

• Gaining information about the website or server: One can easily gain a lot of information about a website and a web server. This can be done by properly utilizing Google. The common Google dorks used for site and server crawling:

- site:www.anysite.com
- site:anysite.com -site:www.anysite.com

• Utilizing Index directories to acquire information: One can obtain a lot of information by utilizing Index directories. Read the section Index Browsing via Google for more information. Do use the following dorks:

- "Index of /" +server
- "Index of /" +Apache/"

• Default pages: The default installation page provides significant information about the website or the web server. Some dorks associated with this:

Apache:

- Intitle:Test.Page.for.Apache It.worked! this.web.site
- Intitle:Test.Page.for.Apache seeing.this.instead
- Intitle:Simple.page.for.Apache Apache.Hook.Functions
- Intitle:test.page "Hey, it worked !" "SSL/TLS-aware"

Microsoft IIS:

- allintitle:Welcome to Windows 2000 Internet Services
- allintitle:Welcome to Windows XP Server Internet Services
- intitle:welcome.to intitle:internet IIS

I would like to credit Johnny Long from Ihackstuff for the above information.

• Port Scanning via Google: One can port scan a web server by means of Google. Knowledge of ports and their services is a necessity. Anyway, here is the dork:

inurl:":Port Number" intext:"Port Service"

• Using vulnerable inputs to assess vulnerability: I am going to list several vulnerable inputs that help in assessing known web application vulnerabilities like CRLF, CSRF, XSS, SQL Injection, Password Disclosure etc. Let me list them:

allinurl:

• privmsg.php • init.inc.php • libpath=".php" • module_root_path=".php" • classes_dir • inc_dir • rf= • returnpath= • auth.php • cart_isp_root • BASE_path= • class_path • common.php?root_dir= • redirect.cgi • cvsweb.cgi • login.jsp • dbconnect.inc • admin • htgrep • wais.pl • amadmin.pl • subscribe.pl • news.cgi • auctionweaver.pl • acid_main.php • access.log • log.htm • log.html • log.txt • logfile

• logfile.htm • logfile.html • logfile.txt • logger.html • stat.htm • stats.htm • stats.html • stats.txt • webaccess.htm • wwwstats.html • source.asp • perl • mailto.cgi

Best Practices

To avoid the Google menace, one can deploy certain security measures. Let me list several practices that might help you in fending off Google attacks, avoiding information disclosure and, obviously, avoiding script kiddie attacks:

• Incapacitate directory browsing: This is one of the best ways to avoid critical information disclosure.

• Authentication: Require authentication for all sensitive as well as confidential directories and files. This will disable remote directory browsing.

• Google Removal Process: Do a thorough Google dorking of your website. If you find that some of your top-secret files are listed in the Google search archive, quickly inform Google by visiting: www.google.com/remove.html

• Google Honeypot: Install the sophisticated Google Honeypot.

• Security Patches: Install the latest security patches and hot fixes.

• CHMOD: CHMOD your directories properly.
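
An added example (not part of the original tutorial) that applies the directory-browsing and CHMOD items above to your own server: it walks a local web document root and reports files whose names the dorks on this page search for, directories with no index document, and world-writable directories. The file-name set, the index-document names and the sample tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

# Assumption: a subset of the file names that the dorks on this page look for.
SENSITIVE_NAMES = {
    "auth_user_file.txt", "passwd.txt", "passlist.txt", "password.txt",
    "service.pwd", "administrators.pwd", "authors.pwd", ".htpasswd",
    ".htaccess", ".bash_history", "pwd.db", "master.passwd",
}
# Assumption: the index documents your server is configured to serve.
INDEX_FILES = ("index.html", "index.htm", "index.php")


def audit_docroot(root):
    """Return sorted (finding, relative_path) tuples for a web document root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        # No index document: listed as "Index of" if directory browsing is on.
        if not any(name in filenames for name in INDEX_FILES):
            findings.append(("no-index-document", rel_dir))
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            findings.append(("world-writable-dir", rel_dir))
        for name in filenames:
            if name.lower() not in SENSITIVE_NAMES:
                continue
            rel = os.path.normpath(os.path.join(rel_dir, name))
            findings.append(("sensitive-file", rel))
            if os.stat(os.path.join(dirpath, name)).st_mode & stat.S_IROTH:
                findings.append(("world-readable-secret", rel))
    return sorted(findings)


def build_sample_docroot(root):
    """Populate root with a constructed sample tree (not from a real site)."""
    os.makedirs(os.path.join(root, "admin"))
    for rel, mode in (("index.html", 0o644), ("admin/.htpasswd", 0o644)):
        path = os.path.join(root, rel)
        with open(path, "w") as handle:
            handle.write("constructed sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "admin"), 0o777)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_docroot(tmp)
        for finding, path in audit_docroot(tmp):
            print(f"{finding:22} {path}")
```

Point `audit_docroot` at the real document root and treat every finding as something to move out of the web tree, protect with authentication, or re-permission.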

Conclusion

Well, that is it for now. I hope you liked the tutorial as much as I liked writing it. I guess I have managed to explain every single bit about Google. Do write feedback at [email protected]. Before completely ending this tutorial, let me list several informative websites you might want to check:

- http://johnny.ihackstuff.com/ - Johnny’s GHDB (Google Hacking Database)

- http://hackingspirits.com - Demystifying Google Hacks
- http://www.smart-dev.com/texts/google.txt
- http://www.wired.com/news/infostructure/0,1377,57897,00.html
- http://www.oreilly.com/catalog/googlehks/
- http://www.google.com/apis