Advanced Information Gathering AKA Google Hacking

Advanced Information
Gathering
2004
Gareth Davies – NSS MSC Sdn Bhd
gareth.davies@mynetsec.com
Gareth Davies Advanced Info Gathering Page 1

Outline
 Information Gathering
 What you can Harvest
 The power of modern search engines
 Using Google fully
 The Google API & Google based apps
 Some juicy Google hacks
 Recommendations

Info Gathering (I)
 Generally the first step of a pen test
 Very important for profiling a company
 Leveraging public resources to find
private information
 Fully utilized by 'Blackhat' hackers
 By linking information from different
sources a complete picture can be built

Info Gathering (II)
 The main thing to note here is
STEALTH
 These activities are passive and non-intrusive
 Utilizing the memory of the net:
 Google Cache
 archive.org
 Newsgroups (used to be Dejanews)

Example of DNS leakage

Info Gathering (IV)
 Such information gathering is now even
easier with tools such as
 dnsreports.com
 whois.sc
 nqt.php
 network-tools.com
 netcraft.com
 ip-plus.net/tools/dns_check_set.en.html

Info Gathering (V)
whois.sc reverse IP lookup

What you can harvest (I)
 Like any kind of hacking, passive
information gathering is about thinking
outside the box
 Utilizing the many links between
information sources is a key
 Picking out useful info is the skill, this
activity is akin to modern age
dumpster diving

What you can harvest (II)
 Think outside the lines:
 Check job databases for vacancies
 Discloses types of technology used
 Trawl newsgroups for technical postings
 Sometimes can reveal whole topology
 Locate company registration details
 Can give away physical locations
 Find out personal details about employees
 May be used in social engineering attacks

What you can harvest (III)
Example usenet posting

What you can harvest (IV)
Example job posting

The Power of Search Engines
 Search engines have evolved hugely
since the beginning
 They now have MEMORY
 Google cache
 Advanced search operands now exist
 filetype:
 inurl:
 intitle:

The Power of SEs (II)
 Google is the MIGHT
 Masses of info, often unrelated
 Teoma is the REFINE
 Find exactly what you want
 Fast is the DEPTH
 Locate some obscure parts of the web
 Don't be reliant on one engine
Reference: searchlore.org

The Power of SEs (III)
 Only 3% of people use the advanced
features of Google..
 People tend to get locked in to 1 search
engine when there are so many
 Each engine has different strengths,
learn to utilize them all
 searchlore.org is a great place to learn
about the different engines

Using Google Fully (I)
 People often overlook the breadth of
Google:
 Google Groups (usenet archive)
 Google images (searchable images)
 Google News (aggregated news)
All of these resources are useful when
information gathering

Using Google Fully (II)
 The most useful advanced operators:
 site: (restrict search to a single site)
 [all]intitle: (looks for words in the title)
 [all]inurl: (look for words within the url)
 cache: (view the Google cache)
 filetype: (locate a certain file type)
 link: (lists links to a given site)
 related: (view related sites)

Using Google Fully (III)
 Other operators:
 [+] Essential words (e.g. +word)
 [-] Words to exclude (e.g. -exclude)
 [~] Similar to, will include synonyms
 [.] Single letter wildcard
 [“] Put around multiple words to search for
an exact phrase (e.g +”my phrase”)

The Google API and Apps
 Information about the Google web API
can be found here:
http://www.google.com/apis/
 Google is offering a BETA service
utilising WSDL and SOAP which allows
developers to create applications that
can call Google information directly
 Queries are limited to 1000 per day

API and Apps (II)
 Foundstone SiteDigger™:
 Uses the Google API
 Requires Google API licence key (free)
 Suited to targeting a specific domain or
organisation
 Over 100 pre-defined queries
 Uses XML so you can add more queries
 Has auto-update for definitions

API and Apps (III)

API and Apps (IV)
 Buyukada Athena::
 Doesn't rely on the Google API
 Suited to finding general misconfigurations
 Uses extensible XML format which allows
support for engines other than Google
 Developed after SiteDigger was found too
limited

API and Apps (V)

Juicy Google Hacks
 The number one source for Google
Hacks is Johnny Longs site:
http://johnny.ihackstuff.com
 Most of the following info comes from
his Google Hacks database

Juicy Google Hacks (II)
 Default Server pages
 Shows sloppy administration
 intitle:test.page.for.apache “it worked”
 allintitle:Netscape FastTrack Server Home
Page
 intitle: “Welcome to Windows 2000
Internet Services”

Juicy Google Hacks (III)

Juicy Google Hacks (IV)
 Passwords
 "Index of" htpasswd / passwd
 allinurl: admin mdb
 "config.php"
 auth_user_file.txt
 filetype:dat "password.dat"
 filetype:ini ws_ftp pwd

Juicy Google Hacks (V)

Juicy Google Hacks (VI)
 There are currently 540 Google Hacks
in the database
 Shown were just a few common
examples to outline the amount of
information available
 Play around, be inventive
This is just the beginning

Recommendations
 Disable Directory Browsing
 Do not put sensitive information in web
browseable directories
 Don't rely on security through obscurity
 Conduct these tests on your own
domains and fix any rogue findings

Conclusion
 Information gathering is important and
is being used
 There is no way to know people are
doing this
 Be aware of what you have available on
the web
 Learn and understand the discussed
techniques and tools

Questions?
www.mynetsec.com

Advanced Information Gathering AKA Google Hacking

More Related Content

What's hot (20)

Viewers also liked (19)

Similar to Advanced Information Gathering AKA Google Hacking (20)

More from Gareth Davies (7)

Recently uploaded (20)

Advanced Information Gathering AKA Google Hacking