Google Hacking For Penetration Testers


Google Hacking for Penetration Testers
Using Google as a Security Testing Tool
Johnny Long
johnny@ihackstuff.com

What we're doing
I hate pimpin', but we're covering many techniques covered in the "Google Hacking" book. For much more detail, I encourage you to check out "Google Hacking for Penetration Testers" by Syngress Publishing.

Advanced Operators
Before we can walk, we must run. In Google's terms this means understanding advanced operators.

Advanced Operators
Google advanced operators help refine searches. They are included as part of a standard Google query. Advanced operators use a syntax such as the following:

  operator:search_term

There's no space between the operator, the colon, and the search term!

Advanced Operators at a Glance

  Operator     Purpose
  intitle      Search page title
  allintitle   Search page title
  inurl        Search URL
  allinurl     Search URL
  filetype     Search specific files
  allintext    Search text of page only
  site         Search specific site
  link         Search for links to pages
  inanchor     Search link anchor text
  numrange     Locate number
  daterange    Search in date range
  author       Group author search
  group        Group name search
  insubject    Group subject search
  msgid        Group msgid search

Advanced operators can be combined in most cases; in other cases, mixing should be avoided. Some operators can only be used to search specific areas of Google, as the remaining columns of the original table show. (The "Mixes with other operators?", "Can be used alone?" and "Does search work in..." columns of the slide did not survive transcription.)

Crash course in advanced operators
Some operators search overlapping areas. Consider site, inurl and filetype.
SITE: site cannot search port.
INURL: inurl can search the whole URL, including port and filetype.
FILETYPE: filetype can only search file extension, which may be hard to distinguish in long URLs.

Advanced Google Searching
There are many ways to find the same page. These individual queries could all help find the same page:

  filetype:php
  intext:navigate
  intitle:"I hack stuff"
  numrange:99999-100000

Advanced Google Searching
Put those individual queries together into one monster query and you only get that one specific result. Adding advanced operators reduces the number of results, adding focus to the search.

Google Hacking Basics
Putting operators together in intelligent ways can cause a seemingly innocuous query:

  INURL:admin INURL:orders FILETYPE:php

Google Hacking Basics
...can return devastating results! Customer names, order amounts, payment details!

Google Hacking Basics
Let's take a look at some basic techniques:
– Anonymous Googling
– Special Characters

Anonymous Googling
The cache link is a great way to grab content after it's deleted from the site. The question is, where exactly does that content come from?

Anonymous Googling
Some folks use the cache link as an anonymizer, thinking the content comes from Google. Let's take a closer look. This line from the cached page's header gives a clue as to what's going on.

Anonymous Googling
This tcpdump output shows our network traffic while loading that cached page.

  21:39:24.648422 IP 192.168.2.32.51670 > 64.233.167.104.80
  21:39:24.719067 IP 64.233.167.104.80 > 192.168.2.32.51670
  21:39:24.720351 IP 64.233.167.104.80 > 192.168.2.32.51670
  21:39:24.731503 IP 192.168.2.32.51670 > 64.233.167.104.80
  21:39:24.897987 IP 192.168.2.32.51672 > 82.165.25.125.80
  21:39:24.902401 IP 192.168.2.32.51671 > 82.165.25.125.80
  21:39:24.922716 IP 192.168.2.32.51673 > 82.165.25.125.80
  21:39:24.927402 IP 192.168.2.32.51674 > 82.165.25.125.80
  21:39:25.017288 IP 82.165.25.125.80 > 192.168.2.32.51672
  21:39:25.019111 IP 82.165.25.125.80 > 192.168.2.32.51672
  21:39:25.019228 IP 192.168.2.32.51672 > 82.165.25.125.80
  21:39:25.023371 IP 82.165.25.125.80 > 192.168.2.32.51671
  21:39:25.025388 IP 82.165.25.125.80 > 192.168.2.32.51671
  21:39:25.025736 IP 192.168.2.32.51671 > 82.165.25.125.80
  21:39:25.043418 IP 82.165.25.125.80 > 192.168.2.32.51673
  21:39:25.045573 IP 82.165.25.125.80 > 192.168.2.32.51673
  21:39:25.045707 IP 192.168.2.32.51673 > 82.165.25.125.80
  21:39:25.052853 IP 82.165.25.125.80 > 192.168.2.32.51674

64.233.167.104 is Google. 82.165.25.125 is Phrack. We touched Phrack's web server. We're not anonymous.

Anonymous Googling
Obviously we touched the site, but why? Here's more detailed tcpdump output: the hex payload of our request to Phrack's web server, with the decoded ASCII beside it.

  4745 5420 2f67 7266 782f 3831 736d 626c   GET /grfx/81smbl
  7565 2e6a 7067 2048 5454 502f 312e 310d   ue.jpg HTTP/1.1.
  0a48 6f73 743a 2077 7777 2e70 6872 6163   .Host: www.phrac
  6b2e 6f72 670d 0a43 6f6e 6e65 6374 696f   k.org..Connectio
  6e3a 206b 6565 702d 616c 6976 650d 0a52   n: keep-alive..R
  6566 6572 6572 3a20 6874 7470 3a2f 2f36   eferer: http://6
  342e 3233 332e 3136 312e 3130 342f 7365   4.233.161.104/se
  6172 6368 3f71 3d63 6163 6865 3a4c 4251   arch?q=cache:LBQ
  5a49 7253 6b4d 6755 4a3a 7777 772e 7068   ZIrSkMgUJ:www.ph
  7261 636b 2e6f 7267 2f2b 2b73 6974 653a   rack.org/++site:
  7777 772e 7068 7261 636b 2e6f 7267 2b70   www.phrack.org+p
  6872 6163 6b26 686c 3d65 6e0d 0a55        hrack&hl=en..U

The browser fetched an image (GET /grfx/81smblue.jpg) directly from www.phrack.org, with the Google cache URL as the Referer.

Anonymous Googling
This line spells it out. Let's click this link and sniff the connection again.

Anonymous Googling
This time, the entire conversation was between us (192.168.2.32) and Google (64.233.167.104).

  23:46:53.996067 IP 192.168.2.32.52912 > 64.233.167.104.80
  23:46:54.025277 IP 64.233.167.104.80 > 192.168.2.32.52912
  23:46:54.025345 IP 192.168.2.32.52912 > 64.233.167.104.80
  23:46:54.025465 IP 192.168.2.32.52912 > 64.233.167.104.80
  23:46:54.094007 IP 64.233.167.104.80 > 192.168.2.32.52912
  23:46:54.124930 IP 64.233.167.104.80 > 192.168.2.32.52912
  23:46:54.127202 IP 64.233.167.104.80 > 192.168.2.32.52912
  23:46:54.128762 IP 64.233.167.104.80 > 192.168.2.32.52912
  23:46:54.128836 IP 192.168.2.32.52912 > 64.233.167.104.80
  23:47:54.130200 IP 192.168.2.32.52912 > 64.233.167.104.80
  23:47:54.154500 IP 64.233.167.104.80 > 192.168.2.32.52912
  23:47:54.154596 IP 192.168.2.32.52912 > 64.233.167.104.80

Anonymous Googling
What made the difference? Let's compare the two URLs.

Original:
  http://64.233.187.104/search?q=cache:Z7FntxDMrMIJ:www.phrack.org/hardcover62/+phrack+hardcover62&hl=en

Cached Text Only:
  http://64.233.187.104/search?q=cache:Z7FntxDMrMIJ:www.phrack.org/hardcover62/+phrack+hardcover62&hl=en&lr=&strip=1

Adding &strip=1 to the end of the cached URL only shows Google's text, not the target's.

Anonymous Googling
Anonymous Googling can be helpful, especially if combined with a proxy. Here's a summary:
1. Perform a Google search.
2. Right-click the cached link and copy the link to the clipboard.
3. Paste the URL into the address bar, add &strip=1, hit return.
You're only touching Google now.
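Added example (not part of Johnny Long's slides): the two tcpdump captures and the hex dump above, reduced to the question the slides ask, namely which hosts the browser really talked to. The capture lines are constructed from the slide data with tcpdump's "src > dst" arrows restored; the hex payload is the slide's, with the row offsets dropped. Running the same check over your own capture of a "cached" page view tells you immediately whether a third party saw the request.

```python
"""Added example, not from the slides: find every remote host a capture
touched while loading a Google-cached page, and decode the request that
went to the third party."""
import re

# Constructed sample: packets from the slide's first capture (cached page
# loaded normally), in tcpdump summary form.
CACHE_CAPTURE = """\
21:39:24.648422 IP 192.168.2.32.51670 > 64.233.167.104.80
21:39:24.719067 IP 64.233.167.104.80 > 192.168.2.32.51670
21:39:24.731503 IP 192.168.2.32.51670 > 64.233.167.104.80
21:39:24.897987 IP 192.168.2.32.51672 > 82.165.25.125.80
21:39:24.902401 IP 192.168.2.32.51671 > 82.165.25.125.80
21:39:25.017288 IP 82.165.25.125.80 > 192.168.2.32.51672
"""

# Constructed sample: the second capture (same page fetched with &strip=1).
STRIP_CAPTURE = """\
23:46:53.996067 IP 192.168.2.32.52912 > 64.233.167.104.80
23:46:54.025277 IP 64.233.167.104.80 > 192.168.2.32.52912
23:46:54.025345 IP 192.168.2.32.52912 > 64.233.167.104.80
"""

# The request payload from the slide's hex dump (offset column removed).
REQUEST_HEX = """
4745 5420 2f67 7266 782f 3831 736d 626c 7565 2e6a 7067 2048 5454 502f 312e
310d 0a48 6f73 743a 2077 7777 2e70 6872 6163 6b2e 6f72 670d 0a43 6f6e 6e65
6374 696f 6e3a 206b 6565 702d 616c 6976 650d 0a52 6566 6572 6572 3a20 6874
7470 3a2f 2f36 342e 3233 332e 3136 312e 3130 342f 7365 6172 6368 3f71 3d63
6163 6865 3a4c 4251 5a49 7253 6b4d 6755 4a3a 7777 772e 7068 7261 636b 2e6f
7267 2f2b 2b73 6974 653a 7777 772e 7068 7261 636b 2e6f 7267 2b70 6872 6163
6b26 686c 3d65 6e0d 0a55
"""

# tcpdump summary line: "IP <src ip>.<port> > <dst ip>.<port>"
PKT_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+")


def remote_hosts(capture, local_ip):
    """Every remote IP that exchanged packets with local_ip."""
    hosts = set()
    for line in capture.splitlines():
        m = PKT_RE.search(line)
        if not m:
            continue
        src, dst = m.groups()
        if src == local_ip:
            hosts.add(dst)
        elif dst == local_ip:
            hosts.add(src)
    return hosts


def third_parties(capture, local_ip, search_engine_ip):
    """Hosts other than the search engine. Non-empty means the view was not anonymous."""
    return remote_hosts(capture, local_ip) - {search_engine_ip}


def parse_request(hex_dump):
    """Decode a hex payload into the HTTP request line and its headers."""
    text = bytes.fromhex(hex_dump).decode("ascii", errors="replace")
    lines = text.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:  # the last fragment ("U") is cut off mid-header; skip it
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


if __name__ == "__main__":
    print("third parties (cache):", third_parties(CACHE_CAPTURE, "192.168.2.32", "64.233.167.104"))
    print("third parties (strip):", third_parties(STRIP_CAPTURE, "192.168.2.32", "64.233.167.104"))
    req = parse_request(REQUEST_HEX)
    print(req["method"], req["path"], "->", req["headers"]["host"])
    print("Referer:", req["headers"]["referer"])
```

The decoded request also shows why the leak happens: the cached HTML still references images on the original site, so the browser fetches them from there and sends the Google cache URL along as the Referer. The &strip=1 view drops those references, which is why the second capture contains only Google.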

Special Search Characters
We'll use some special characters in our examples. These characters have special meaning to Google. Always use these characters without surrounding spaces!
  ( + ) force inclusion of something common
  ( - ) exclude a search term
  ( " ) use quotes around search phrases
  ( . ) a single-character wildcard
  ( * ) any word
  ( | ) boolean 'OR'
Parentheses group queries: ("master card" | mastercard)

Google's PHP Blocker: "We're Sorry."
Google has started blocking queries, most likely as a result of worms that slam Google with 'evil queries.' This is a query for inurl:admin.php

Google Hacker's workaround
Our original query looks like this:
  http://www.google.com/search?q=inurl:admin.php&hl=en&lr=&c2coff=1&start=10&sa=N
Stripped down, the query looks like this:
  http://www.google.com/search?q=inurl:admin.php&start=10
We can modify our query (inurl:something.php is bad) by changing the case of the file extension, like so:
  http://www.google.com/search?q=inurl:admin.PHP&start=10
  http://www.google.com/search?q=inurl:admin.pHp&start=10
  http://www.google.com/search?q=inurl:admin.PhP&start=10
This works in the web interface as well.

Pre-Assessment
There are many things to consider before testing a target, many of which Google can help with. One shining example is the collection of email addresses and usernames.

Trolling for Email Addresses
A seemingly simple search uses the @ sign followed by the primary domain name. The "@" sign doesn't translate well, but we can still use the results.

Automated Trolling for Email Addresses
We could use lynx to automate the download of the search results:

  lynx -dump "http://www.google.com/search?q=@gmail.com" > test.html

We could then use regular expressions (like this puppy by Don Ranta) to troll through the results:

  [a-zA-Z0-9._-]+@(([a-zA-Z0-9_-]{2,99}\.)+[a-zA-Z]{2,4})|((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[1-9])\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[1-9])\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[1-9])\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[1-9]))

Run through grep, this regexp would effectively find email addresses (including addresses containing IP numbers).
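Added example (not from the slides): Don Ranta's pattern as a Python regex, run over a constructed lynx-style dump so the hits and misses are visible before the pattern is trusted on real output. Two details of the pattern are worth knowing when you audit what a results page exposes about your own domain: the octet alternation has no case for "0", so an address at 192.168.0.x never matches, and the 2-4 letter TLD class truncates longer TLDs. The alternation here is grouped so the "@" is required for both branches; the literal grep pattern alternates at the top level and therefore also matches bare IP addresses.

```python
"""Added example, not from the slides: Don Ranta's email pattern in Python,
applied to a constructed lynx -dump of a results page."""
import re
from collections import Counter

# One dotted-quad octet exactly as the slide's pattern spells it out.
# Note there is no alternative for a bare "0", so 192.168.0.1 cannot match.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[1-9])"
IPV4 = OCTET + r"\." + OCTET + r"\." + OCTET + r"\." + OCTET
# Hostname branch: labels of 2-99 chars, then a 2-4 letter TLD.
HOSTNAME = r"(?:[a-zA-Z0-9_-]{2,99}\.)+[a-zA-Z]{2,4}"

# Grouped so that '@' is required before either a hostname or an IP.
EMAIL_RE = re.compile(r"[a-zA-Z0-9._-]+@(?:" + HOSTNAME + "|" + IPV4 + ")")

# Constructed sample standing in for `lynx -dump` output of a results page.
SAMPLE_DUMP = """\
   Contact: webmaster@example.com or abuse@10.1.2.3 for help.
   Mail john.doe_99@mail.example.org (not an address: foo@bar).
   Also root@192.168.0.254 and curator@example.museum
"""


def find_addresses(text):
    """All matches, in document order (duplicates kept so counts are honest)."""
    return EMAIL_RE.findall(text)


def domains_by_count(addresses):
    """Which domains (or IPs) the harvested addresses point at, for triage."""
    return Counter(addr.rsplit("@", 1)[1].lower() for addr in addresses)


if __name__ == "__main__":
    found = find_addresses(SAMPLE_DUMP)
    for addr in found:
        print(addr)
    # root@192.168.0.254 is missing (zero octet) and example.museum was cut
    # to example.muse (TLD limited to 4 letters): both are pattern limits.
    print(domains_by_count(found))
```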

More Email Automation
The 'email miner' PERL script by Roelof Temmingh at sensepost will effectively do the same thing, but via the Google API. This searches the first ten Google results with only one hit against your API key.

More Email Automation
Running the tool through 50 results (with a 5 parameter instead of 1) finds even more. (The slide lists the gmail.com addresses the tool returned.)

More email address locations
These queries locate email addresses in more "interesting" locations.

Network Mapping
Google is an indispensable tool for mapping out an Internet-connected network.

Basic Site Crawling
The site: operator narrows a search to a particular site, domain or subdomain. One powerful query lists every Google result for a web site!

  site:microsoft.com

Basic Site Crawling
Most often, a site search makes the obvious stuff float to the top. As a security tester, we need to get to the less obvious stuff. www.microsoft.com is way too obvious.

Basic Site Crawling
To get rid of the more obvious crap, do a negative search. Notice that the obvious "www" is missing, replaced by more interesting domains.

  site:microsoft.com -site:www.microsoft.com

Basic Site Crawling
Repeating this process of site reduction, tracking what floats to the top, leads to nasty big queries.

Basic Site Crawling
The results of such a big query reveal more interesting results (a research page, an HTTPS page). Eventually we'll run into the 32-word query limit, and this process tends to be tedious.

Intermediate Site Crawling
Using lynx to capture the Google results page, and sed and awk to process the HTML, returns the same results.
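Added example (not from the slides, and not the sed/awk pipeline the author used): one round of the site-reduction loop described on the preceding slides, in Python. Hostnames are pulled out of a constructed lynx -dump of a results page, merged into the running exclusion list, and turned into the next site:/-site: query, with the 32-word limit checked before the query grows past it. The same loop is a quick way to inventory which of your own hosts Google has indexed.

```python
"""Added example, not from the slides: one round of 'site reduction' over a
constructed lynx -dump results page."""
import re
from urllib.parse import urlparse

MAX_QUERY_WORDS = 32  # the query limit the slides run into
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample in the style of `lynx -dump` output for site:microsoft.com
SAMPLE_DUMP = """\
   1. Microsoft Research Home
      http://research.microsoft.com/
   2. Microsoft Corporation
      http://www.microsoft.com/
   3. MSDN Library
      http://msdn.microsoft.com/library/default.asp
   4. TechNet
      https://technet.microsoft.com/en-us/
   5. Not in scope
      http://www.example.com/microsoft.com/
"""


def hosts_from_dump(dump, domain):
    """Distinct hostnames under `domain`, in first-seen (Google-ranked) order."""
    seen = []
    for url in URL_RE.findall(dump):
        host = urlparse(url).hostname
        if not host:
            continue
        if (host == domain or host.endswith("." + domain)) and host not in seen:
            seen.append(host)
    return seen


def build_query(domain, excluded):
    """site:domain followed by a -site: term for every host already seen."""
    return " ".join(["site:" + domain] + ["-site:" + h for h in excluded])


def words_left(query):
    """Terms still available under the limit (negative means the query is too long)."""
    return MAX_QUERY_WORDS - len(query.split())


def next_round(domain, dump, excluded=()):
    """Merge newly surfaced hosts into the exclusion list; return (excluded, next query)."""
    excluded = list(excluded)
    for host in hosts_from_dump(dump, domain):
        if host not in excluded:
            excluded.append(host)
    query = build_query(domain, excluded)
    if words_left(query) < 0:
        raise ValueError("query would exceed %d words; split the search" % MAX_QUERY_WORDS)
    return excluded, query


if __name__ == "__main__":
    excluded, query = next_round("microsoft.com", SAMPLE_DUMP, ["www.microsoft.com"])
    print("seen so far:", excluded)
    print("next query: ", query, "(%d words left)" % words_left(query))
```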

So what?
Well, honestly, host and domain enumeration isn't new, but we're doing this without sending any packets to the target we're analyzing. This has several benefits:
– Low profile. The target can't see your activity.
– Results are "ranked" by Google. This means that the most public stuff floats to the top. Some more "interesting stuff" trolls near the bottom.
– "Hints" for follow-up recon. You aren't just getting hosts and domain names, you get application information just by looking at the snippet returned from Google. One results page can be processed for many types of info: email addresses, names, etc. More on this later on.
– Since we're getting data from several sources, we can focus on non-obvious relationships. This is huge!
Some downsides:
– In some cases it may be faster and easier as a good guy to use traditional techniques and tools that connect to the target, but remember: the bad guys can still find and target you via Google!

Advanced Site Crawling
Google frowns on automation, unless you use tools written with their API. Know what you're running unless you don't care about their terms of service. We could easily modify our lynx retrieval command to pull more results, but in many cases, more results won't equal more unique hosts. So, we could also use another technique to locate hosts: plain old-fashioned common word queries.

Advanced Site Crawling
Searching for multiple common words like "web", "site", "email", and "about" along with site:, appended to a file.

Advanced Site Crawling
Sifting through the output from those queries, we find many more interesting hits.

Advanced Site Crawling
Roelof Temmingh from sensepost.com coded this technique into a PERL (API based) script called dns-mine.pl to achieve much more efficient results. We'll look more at coding later.

Too much noise, not enough signal
Getting lists of hosts and (sub)domains is great. It gives you more targets, but there's another angle. Most systems are only as secure as their weakest link. If a poorly-secured company has a trust relationship with your target, that's your way in.
Question: How can we determine site relationships with Google?
One Answer: the "link" operator.

Raw Link Usage
link: combined with the name of a site shows sites that link to that site. link: has limits though. See mapquest here?

Link has limits
Combining link: with site: doesn't seem to work.

Link has limits
link: gets treated like normal search text (not a search modifier) when combined with other operators.

Link has other limits
Knowing that these sites link to www.microsoft.com is great, but how relevant is this information? Do we necessarily care about Google-ranked relationships? How do we get to REAL relationships?

Non-obvious site relationships
Sensepost to the rescue again! :) BiLE (the Bi-directional Link Extractor), available from http://www.sensepost.com/garage portal.html, helps us gather together links from Google and piece together these relationships. There's much more detail on this process in their whitepaper, but let's cover the basics.

Non-obvious site relationships
A link from a site weighs more than a link to a site.
– Anyone can link to a site if they own web space (which is free to all).
A link from a site with a lot of links weighs less than a link from a site with a small amount of links.
– This means specifically outbound links.
– If a site has few outbound links, it is probably lighter.
– There are obvious exceptions like link farms.

Non-obvious site relationships
A link to a site with a lot of links to the site weighs less than a link to a site with a small amount of links to the site.
– If external sources link to a site, it must be important (or more specifically, popular).
– This is basically how Google weighs a site.
"The site that was given as input parameter need not end up with the highest weight – a good indication that the provided site is not the central site of the organization."
– If after much research, the site you are investigating doesn't weigh the most, you've probably missed the target's main site.

Who is Sensepost?
Relying on Google's 6400 results can be daunting and misleading.

Non-obvious site relationships
It seems dizzying to pull all this together, but BiLE does wonders. Let's point it at sensepost.com. This is the extraction phase: BiLE is looking for links to www.sensepost.com (via Google) and writing the results to a file called "out".

Non-obvious site relationships
This is the weigh phase. BiLE takes the output from the extraction phase and weighs the results using the four main criteria of weighing discussed above, aided primarily by Google searches. This shows the strongest relationships to our target site first, which during an assessment equate to secondary targets, especially for information gathering.
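Added example (not from the slides and not BiLE's own code or weights): a toy scorer that applies the weighing rules quoted on the preceding slides to a constructed link graph, so the effect of each rule can be seen on concrete numbers. The two base weights (2.0 for a link from the target, 1.0 for a link to it) are assumptions chosen only to make the "from weighs more than to" rule visible; the divisions by inbound and outbound link counts are the second and third rules as stated. Ranking your own organisation's sites this way is one check on whether the site you think is central really is.

```python
"""Added example, not BiLE's implementation: score the sites directly
linked with a target by the weighing rules quoted on the slides."""
from collections import defaultdict

FROM_TARGET_WEIGHT = 2.0  # assumed: a link from the target site weighs more ...
TO_TARGET_WEIGHT = 1.0    # ... than a link to it (anyone can link to a site)

# Constructed link graph: site -> set of sites it links to.
LINKS = {
    "target.example":   {"partner.example", "popular.example"},
    "partner.example":  {"target.example", "vendor.example"},
    "vendor.example":   {"partner.example"},
    # a link farm that links to the target among many others
    "linkfarm.example": {"target.example"} | {"site%d.example" % i for i in range(9)},
    # a popular site that many unrelated sites link to
    "a.example": {"popular.example"},
    "b.example": {"popular.example"},
    "c.example": {"popular.example"},
    "d.example": {"popular.example"},
}


def inbound_counts(links):
    """How many sites link to each site."""
    counts = defaultdict(int)
    for dsts in links.values():
        for dst in dsts:
            counts[dst] += 1
    return counts


def weigh(links, target):
    """Score every site directly linked with `target`, strongest relationship first."""
    inbound = inbound_counts(links)
    scores = {}
    # Links from the target: worth more (rule 1), but diluted when the
    # destination has many inbound links (rule 3).
    for site in links.get(target, ()):
        scores[site] = scores.get(site, 0.0) + FROM_TARGET_WEIGHT / inbound[site]
    # Links to the target: worth less (rule 1), and diluted when the source
    # has many outbound links (rule 2; link farms score low).
    for site, dsts in links.items():
        if site != target and target in dsts:
            scores[site] = scores.get(site, 0.0) + TO_TARGET_WEIGHT / len(dsts)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for site, score in weigh(LINKS, "target.example"):
        print("%-20s %.3f" % (site, score))
```

With this graph the mutual partner comes out on top, the popular site scores low despite the target linking to it, and the link farm scores lowest of all even though it does link to the target.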

The next step
Let's say we're looking at NASA. We could use 'googleturd' searches, like site:nasa, to locate typos which may be real sites. How can we verify these?

Host verification
Cleaning the names and running DNS lookups is one way. Pay dirt! Now what? We could further expand on these IP ranges via DNS queries as well.

Expanding out
Once armed with a list of sites and domains, we could expand out the list in several ways. DNS queries are helpful, but what else can we do to get more names to try? From whatever source, let's say we get two names from verizon, 'foundation' and 'investor'.

Google Sets
Although this is a simple example, we can throw these two words into Google Sets.

Expanding
Then, we can take all these words and perform DNS host lookups against each of these combinations. This leads to a new hit, 'business.verizon.com'. Google Sets allows you to expand on a list once you run out of options.

Fuzzing
Given hosts with numbers and "predictable" names, we could fuzz the numbers, performing DNS lookups on those names. I'll let Roelof at sensepost discuss this topic, however :)

Limitless mapping possibilities
Once you get rolling with Google mapping, especially automated recursive mapping, you'll be AMAZED at how deep you can dig into the layout of a target.

Port scanning
Although crude, there are ways to do basic "portscanning" with Google. First, combine inurl searches for a port with the name of a service that commonly listens on that port (optionally combined with the site operator).

Inurl -intext scanning
Another way to go is to use a port number with inurl, combined with a negative intext search for that port number. This search locates servers listening on port 8080.

Third party scanners
When all else fails, Google for servers that can do your portscan for you!

Document Grinding and Database Digging
Documents and databases contain a wealth of information. Let's look at ways to foster abuse of SQL databases with Google.

SQL Usernames
  "Access denied for user" "using password"

SQL Schemas
Entire SQL database dumps:
  "# Dumping data for table"
Adding 'username' or 'password' to this query makes things really interesting.

SQL injection hints
Improper command termination can be abused quite easily by an attacker.
  "ORA-00933: SQL command not properly ended"
  "Unclosed quotation mark before the character string"

SQL source
Getting lines of SQL source can aid an attacker.
  intitle:"Error Occurred" "The error occurred in"

Going after SQL passwords
  filetype:inc intext:mysql_connect
Include files with cleartext passwords.

More SQL Passwords
Question: What's the SQL syntax that can be used to set a password? (TWO WORDS)
One Answer: "Identified by"

More SQL Passwords
The slightly more hardcore version.

Various database detection queries
– SQL dump detection
– Database detection
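Added example (not from the slides): the phrases behind the database queries on the preceding slides, turned into a scanner you can run over your own site's responses (a crawl, a backup of the document root, or a proxy log) to find pages that would answer those queries before Google indexes them. The response bodies below are constructed; the signature names are this example's own labels, and each pattern is built only from a phrase quoted on the slides.

```python
"""Added example, not from the slides: flag responses that would match the
slides' database-digging queries."""
import re

# Each signature is built from a phrase quoted on the slides.
SIGNATURES = {
    "mysql-auth-error":  re.compile(r"Access denied for user.*using password", re.S),
    "sql-dump":          re.compile(r"# Dumping data for table"),
    "oracle-syntax":     re.compile(r"ORA-00933: SQL command not properly ended"),
    "mssql-syntax":      re.compile(r"Unclosed quotation mark before the character string"),
    "coldfusion-source": re.compile(r"Error Occurred.*The error occurred in", re.S),
    "php-db-connect":    re.compile(r"mysql_connect\s*\("),
    "sql-grant":         re.compile(r"\bidentified by\b", re.I),
}

# Constructed responses keyed by URL path, standing in for a crawl of a site.
RESPONSES = {
    "/orders.php": (
        "Warning: Access denied for user 'shop'@'localhost' (using password: YES)"
        " in /var/www/db.php on line 3"
    ),
    "/backup/shop.sql": (
        "#\n# Dumping data for table `customers`\n#\n"
        "INSERT INTO customers VALUES (1,'Ann');"
    ),
    "/lib/config.inc": "<?php $link = mysql_connect('dbhost', 'shop', 's3cret'); ?>",
    "/report.cfm": (
        "<h2>Error Occurred While Processing Request</h2>"
        "The error occurred in D:\\web\\report.cfm: line 12"
    ),
    "/index.html": "<html><body>Welcome to the shop</body></html>",
}


def scan_response(body):
    """Names of every signature that matches one response body, sorted."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(body))


def scan_site(responses):
    """Map of path -> matching signatures, listing only paths with findings."""
    findings = {}
    for path, body in responses.items():
        hits = scan_response(body)
        if hits:
            findings[path] = hits
    return findings


if __name__ == "__main__":
    for path, hits in scan_site(RESPONSES).items():
        print("%-18s %s" % (path, ", ".join(hits)))
```

Every hit is either a verbose error page that should be replaced by a generic one, or a file (dump, include) that should not be reachable from the web root at all.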

Automation
– Page Scraping in Perl
– API querying in Perl

Page Scraping with Perl
This Perl code, by James Foster, provides a good framework for "page scraping" Google results. This method relies on manually querying Google, and searching the resultant HTML for the "interesting stuff."

  #!/usr/bin/perl -w
  use IO::Socket;

We will be making socket calls. We need IO::Socket.

  # Section 2
  $query  = '/search?hl=en&q=dog';
  $server = 'www.google.com';
  $port   = 80;

We hardcode our query (which we can make a parameter later), our Google server and our port number.

Page Scraping with Perl

  # Open a TCP connection to the Google server; die if it cannot be reached.
  sub socketInit() {
      $socket = IO::Socket::INET->new(
          Proto    => 'tcp',
          PeerAddr => $server,
          PeerPort => $port,
          Timeout  => 10,
      );
      unless ($socket) {
          die("Could not connect to $server: $port");
      }
      $socket->autoflush(1);
  }

Next we have a very generic socket initialization subroutine.

Page Scraping with Perl
This subroutine sends the Google query (hardcoded above) and accepts one parameter, the Google query.

  sub sendQuery($) {
      my ($myquery) = @_;
      print
