
ADVANCED GOOGLE HACKING

-KARTIK TRIVEDI
Consultant / Trainer - Foundstone
LA Chapter Chair / Contributor
Kartik.trivedi@foundstone.com
OWASP AppSec, June 2004, NYC

Copyright © 2004 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License.

The OWASP Foundation


http://www.owasp.org
“Using public sources openly and without resorting
to illegal means, it is possible to gather at least
80 percent of all information required about the
enemy”
- Al Qaeda training manual

OWASP AppSec 2004


AGENDA

How Google works
Information disclosure with Google
Tools
Countermeasures



How Google Works


Information Disclosure with Google

Advanced Search Operators

site: (.edu, .gov, foundstone.com, usc.edu)
filetype: (txt, xls, mdb, pdf, log)
daterange: (Julian date format)
intitle: / allintitle:
inurl: / allinurl:

Information Disclosure

Private information
Remote Admin Interface
Configuration management
Error messages
Backup files
Public vulnerabilities
Technology Profile



Tools

Using Web interface
    Athena
    GooScan
Using Web Service API
    SiteDigger



Automated Tools - GooScan



Tools - Athena


Tools - SiteDigger

Version 2 features (tentative release 15th July)

Proxy support / Google appliance support
XML signatures in OASIS WAS format
Adding signatures for OWASP top 10
Signature contribution option
Raw search tab
Configurable # of results



Countermeasures

Keep sensitive data off the web!!


Perform periodic Google Assessments
Update robots.txt
Use meta-tags: NOARCHIVE
http://www.google.com/remove.html.
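
An added example (not from the original slides) of checking the robots.txt and NOARCHIVE countermeasures above as part of a periodic assessment of your own site: for each page it reports whether a crawler may fetch it and, if so, whether cached copies are suppressed. The robots.txt content, page paths and HTML are constructed samples, and `audit` and `RobotsMeta` are names chosen for this example.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

# Constructed sample inputs (not from the original slides).
ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/
"""
PAGES = {
    "/admin/login.html": "<html><head><title>Admin</title></head></html>",
    "/reports/q2.html": '<html><head><meta name="ROBOTS" '
                        'content="NOINDEX, NOARCHIVE"></head></html>',
    "/logs/errors.html": "<html><head><title>Errors</title></head></html>",
}


class RobotsMeta(HTMLParser):
    """Collect directives from <meta name="robots" content="..."> tags."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        attr = {k: (v or "") for k, v in attrs}  # names arrive lowercased
        if tag == "meta" and attr.get("name", "").lower() in ("robots", "googlebot"):
            content = attr.get("content", "")
            self.directives |= {d.strip().lower() for d in content.split(",")}


def audit(robots_txt, pages, agent="Googlebot"):
    """Map each path to its exposure: blocked, crawlable+noarchive, or cacheable."""
    rules = RobotFileParser()
    rules.parse(robots_txt.splitlines())
    report = {}
    for path, html in pages.items():
        if not rules.can_fetch(agent, path):
            report[path] = "blocked by robots.txt"
            continue
        meta = RobotsMeta()
        meta.feed(html)
        cached = "noarchive" not in meta.directives
        report[path] = "crawlable, cacheable" if cached else "crawlable, noarchive"
    return report


if __name__ == "__main__":
    for path, status in audit(ROBOTS_TXT, PAGES).items():
        print(f"{path}: {status}")
```

robots.txt is itself publicly readable and only advisory, so a Disallow entry does not protect the content behind it; the first countermeasure on this slide still applies to anything sensitive.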



SUMMARY

How Google works


Information disclosure with Google
Tools
Countermeasures



Thanks

….for listening

Kartik.trivedi@foundstone.com
