Google hacking is the practice of using specially crafted search engine queries to cull information about a target. It should be part of every pen-tester's repertoire. The idea is to turn Google's extensive search powers on an enterprise's vulnerable servers and files, password logs, open directories, Web-based device-management panels, remote desktop protocol clients, or administration interfaces for routers and switches. You want to discover the sensitive security information that's exposed on the Internet before a black hat does. The trick is to use advanced operators, special searching techniques offered by Google that enable advanced queries. Here is a sampling of advanced operators that you can combine with a search term against your company's domain:
- intitle, allintitle -- searches for terms in a Web page or Google Groups title
- inurl, allinurl -- searches for terms in URLs
- filetype -- searches URLs that end in a particular file extension
- allintext -- searches for a string within text of a page
- site -- searches only for pages hosted on a specific server or domain
- link -- searches for pages that link to other pages
- inanchor -- searches text representation of a link in an HTML anchor
- daterange -- searches for pages indexed by Google within certain date ranges
- cache -- searches for cached versions of pages
- info -- searches summary information of a site
- related -- displays sites related to a site
- phonebook -- searches for business or residential phone listings
- rphonebook -- searches for residential phone listings only
- bphonebook -- searches for business phone listings only
- author -- searches for authors of newsgroup posts
- group -- searches title of Google Groups posts for search terms
- msgid -- searches for Google Groups message identifiers, strings that identify newsgroup posts
- insubject -- searches Google Groups for subject lines
- stocks -- searches for stock market information about a company
- define -- returns definitions for a search term
Source: "Google Hacking for Penetration Testers" by Johnny Long
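The same operator syntax can be turned around for detection. The following added example (not from the article or from Johnny Long's book) parses the `q=` parameter of Google search referrers found in web server log lines and flags requests whose search used the advanced operators listed above, so you can see which exposed files searchers are reaching through such queries. It assumes the referrer still carries the query, as it did when this article was written (modern Google search omits it), and the log lines are constructed samples in Combined Log Format.

```python
import re
from urllib.parse import urlparse, parse_qs

# Advanced operators from the article's list that can appear as "operator:value".
OPERATORS = {"intitle", "allintitle", "inurl", "allinurl", "filetype",
             "allintext", "site", "link", "inanchor", "daterange", "cache",
             "info", "related", "insubject", "author", "group", "msgid"}

# Matches operator:value where the value is a quoted phrase or a single token.
OP_RE = re.compile(r'(?<![\w.])-?(\w+):("[^"]*"|\S+)')

def parse_query(q):
    """Return {operator: [values]} for the advanced operators used in a query string."""
    found = {}
    for op, val in OP_RE.findall(q):
        if op.lower() in OPERATORS:
            found.setdefault(op.lower(), []).append(val.strip('"'))
    return found

def operators_in_referer(referer):
    """Pull the search terms out of a Google referer URL and return the operators used.
    Assumption: the referer carries the query in q= (true for the era of this article)."""
    u = urlparse(referer)
    if "google." not in u.netloc:
        return {}
    q = parse_qs(u.query).get("q", [""])[0]   # parse_qs decodes %3A and '+' for us
    return parse_query(q)

# Constructed sample log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2005:13:55:36 -0700] "GET /backup/report.xls HTTP/1.1" 200 2326 "http://www.google.com/search?q=site%3Aexample.com+filetype%3Axls" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2005:13:57:01 -0700] "GET /index.html HTTP/1.1" 200 512 "http://www.google.com/search?q=example+company+news" "Mozilla/5.0"
203.0.113.12 - - [10/Oct/2005:14:02:11 -0700] "GET /admin/ HTTP/1.1" 200 1024 "http://www.google.com/search?q=intitle%3A%22index+of%22+site%3Aexample.com" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d+ \S+ "([^"]*)" "[^"]*"')

def flag_dork_hits(log_text):
    """Return (client_ip, path, {operator: values}) for requests whose Google referer used advanced operators."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not in the expected format
        ip, _method, path, referer = m.groups()
        ops = operators_in_referer(referer)
        if ops:
            hits.append((ip, path, ops))
    return hits

if __name__ == "__main__":
    for ip, path, ops in flag_dork_hits(SAMPLE_LOG):
        print(ip, path, ops)
```

Each flagged path is a file that Google has already indexed and that someone reached via an operator-driven search, which makes it a candidate for removal or access control.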
Also, several tools run automatic Google scans against your company's domain to determine if sensitive information is exposed via a search query. They include:
- SiteDigger -- Automated and Windows-based; uses the Google API and requires a Google license key. Download at www.foundstone.com/resources/proddesc/sitedigger.htm
- Wikto -- Requires a Google license key; compatible with the Google Hacking Database. Available at http://www.sensepost.com/research/wikto/
- Athena -- Windows-based; performs only one search at a time. Download at http://snakeoillabs.com*
- Gooscan -- Linux-based; does bulk searches. Download at http://johnny.ihackstuff.com/*
* Denotes a product that does not use the Google API, which is a violation of Google's terms of service. Google has the option of blocking your IP range from using its search engine.
Source: "Google Hacking for Penetration Testers" by Johnny Long.
About the author
Michael S. Mimoso is Senior Editor of Information Security magazine.