You are on page 1of 82

Information Gathering

with Google

Maximiliano Soler
e-Mail:
Twitter: @maxisoler

Information Gathering with Google

Presentation

c0c0n 2010 @ Kochi, India

Information Gathering with Google


Who am I?
Maximiliano Soler, Security Researcher & Enthusiast. Actually
working as Security Administrator, in a International Bank. I have
discovered vulnerabilities in different applications Web and products
of Microsoft.
Too working like Security Consultant in some projects: OWASP,
WASSEC, Security-Database and Zero Science Lab.
Fanatic of the open standards like CVE, CWE, OVAL, CCE.

c0c0n 2010 @ Kochi, India

Information Gathering with Google


Objective of the Talk
Demonstrate the variety of information to which is possible to access
without using sophisticated mechanisms, within reach of anyone.
From the Browser to our objective, gathering information to carry out
the attack.

c0c0n 2010 @ Kochi, India

Information Gathering with Google

General Information

c0c0n 2010 @ Kochi, India

Information Gathering with Google


Why Google?
It only returns pages that contain the terms that you entered.
It considers the location of the search terms in the page.
It offers an outstanding summary of each result.
It keeps pages Web in your cache.

c0c0n 2010 @ Kochi, India

Information Gathering with Google


Information Gawhat?
A great part of process of hacking or harm systems, consist on the
gathering information.
Without the appropriated investigation, on what services, ports,
applications o Web servers are running it would take us very much of
time carry out the attack or win access to the objective system.
The technique is considered an activity of the passive type. It
doesn't involve invasion or manipulation of the objective. It is
hidden.
c0c0n 2010 @ Kochi, India

Information Gathering with Google


Information Gawhat?
This information can be obtained through public resources, executing
utilities like Whois, NSLookup, NetCraft, DNS Reports or simply
looking for manually through the Web.

c0c0n 2010 @ Kochi, India

Information Gathering with Google


Stages of Information Gathering
01 - Gathering information
02 - Locating the network range
03 - Identifying active machines
04 - Finding open ports and applications
05 - Detecting operating systems
06 - Fingerprinting services
07 - Mapping the network
Source: Certified Ethical Hacker, EC Council

c0c0n 2010 @ Kochi, India

Information Gathering with Google


Stages of Information Gathering

Information Gathering about the objective.

Identify vulnerabilities.

Exploit vulnerabilities.

got r00t?

c0c0n 2010 @ Kochi, India

10

Information Gathering with Google

Using Google
Dorks / Search Operators

c0c0n 2010 @ Kochi, India

11

Information Gathering with Google


Using Google
Dorks / Search Operators

What are they?


The operators of search of Google are consultation terms or
symbols that carry out special actions. These operators allow to be
what you look for in a quick and precise way, offering additional
control beyond the page Advanced Search.

c0c0n 2010 @ Kochi, India

12

Information Gathering with Google


Dorks / Search Operators

c0c0n 2010 @ Kochi, India

13

Information Gathering with Google


Dorks / Search Operators
How do they work?
Use of quotation marks : It can specify to the motor of Google
that wants to look for an expression made up of two or more words
literally, writing the terms to look for among quotation marks.
Example: c0c0n 2010.
Asterisk "*": It allows to substitute words, and to enlarge this way
the searches.
Example: c0c0n *.

c0c0n 2010 @ Kochi, India

14

Information Gathering with Google


Dorks / Search Operators
AND: In a predetermined way Google looks for results uniting the
words introduced by the user using this operator. This way the final
result of a search without specifying anything or using will be the
same.
Example: c0c0n AND security conference.
Operator "": It is good to exclude results of the search. It should
be specified before the term to obviate.
Example: c0c0n -Hacking".

c0c0n 2010 @ Kochi, India

15

Information Gathering with Google


Dorks / Search Operators
OR or symbol"|": The condition OR indicates that could not be
simultaneously the two words in each result of the search, but each
one of them for separate, it will specify the operator OR among the
terms that should complete this approach.
Example: c0c0n OR Security Conference.
Operator ~: It allows to look for synonyms of a term.
Example: "~Security.

c0c0n 2010 @ Kochi, India

16

Information Gathering with Google


Dorks / Search Operators
Ranges "num1..num2": If the beginning of a range is known, is
possible to look for until a certain number.
Example: 72.14.253.104..255.
Various operators in a logical way can be used, containing them
among parenthesis.

c0c0n 2010 @ Kochi, India

17

Information Gathering with Google


Dorks / Search Operators
inanchor:

allinanchor:

intext:

allintext:

intitle:

allintitle:

inurl:

allinurl:

link:

cache:

filetype:

define:

phonebook:

related:

info:

site:
id:

c0c0n 2010 @ Kochi, India

18

Information Gathering with Google


Dorks / Search Operators

intitle:

site:

c0c0n 2010 @ Kochi, India

inurl:

filetype:

19

Information Gathering with Google


Dorks / Search Operators
inanchor: It only shows the pages that have the keyword or
keywords in the text of the links that point to her. Based on the
backlinks or external links.
allinanchor: Contrary to the previous sample the whole coincidence.
intext: It only shows the pages that have the keyword or keywords
inside the body of the pages.
allintext: It only shows the pages that have the keyword or
keywords in the text of the page. Complete coincidence.

c0c0n 2010 @ Kochi, India

20

Information Gathering with Google


Dorks / Search Operators
intitle: It shows only the pages that have the keyword or keywords
inside the title of the pages.
allintitle: It establishes a complete coincidence of the looked for
terms.
inurl: It shows only the pages that have the keyword o keywords in
the URL of pages.
allinurl: It establishes a complete coincidence of the looked for
terms.

c0c0n 2010 @ Kochi, India

21

Information Gathering with Google


Dorks / Search Operators
link: It shows the links of a domain of Web pages.
cache: It shows cache of a domain of Web pages.
define: It shows definitions for a search.
related: It shows Web pages related.
phonebook: It looks for in the public listings of telephones, name,
address, telephone numbers.
info: o id: It will show information that Google keeps about a place
or resource Web.

c0c0n 2010 @ Kochi, India

22

Information Gathering with Google


Dorks / Search Operators
filetype: It filters the results for file types. (pdf, ppt, doc, txt, etc).
site: It shows the indexed Web pages by Google for a domain or
subdomain. Depending if is specified www, it will include or not
the subdomains.

c0c0n 2010 @ Kochi, India

23

Information Gathering with Google

and Now
What we can find?!

c0c0n 2010 @ Kochi, India

24

Information Gathering with Google


What we can find?!

Vulnerable products.
Error messages.
Files that contain sensitive information.
Files that contain passwords.
Files that contain usernames.
Foot-holds and support information to the access.
Pages with access forms.
Pages that contain relative data to vulnerabilities.
Directory sensitive.
Sensitive information on e-commerce and e-banking.
Devices online hardware.
Vulnerable files.
Vulnerable servers.
Detection of Web Servers.

c0c0n 2010 @ Kochi, India

25

Information Gathering with Google


What we can find?!

Maybe this it is your face,


after seeing all the information that we can find.
c0c0n 2010 @ Kochi, India

26

Information Gathering with Google


Vulnerable products
Through different publications about vulnerabilities discovered, we
can identifying vulnerable servers. Generally related to the versions.

c0c0n 2010 @ Kochi, India

27

Information Gathering with Google


Vulnerable products

inurl:gov.ar + intext:phpinfo
c0c0n 2010 @ Kochi, India

28

Information Gathering with Google


Error messages
The error messages, many times they offer valuable information to
understand how the applications/scripts is executed and what user
they use is this time.

c0c0n 2010 @ Kochi, India

29

Information Gathering with Google


Error messages

intext:"access denied for user" "using password" inurl:gov.ar


c0c0n 2010 @ Kochi, India

30

Information Gathering with Google


Files that contain sensitive information
Without users or passwords, interesting and useful information.

c0c0n 2010 @ Kochi, India

31

Information Gathering with Google


Files that contain sensitive information

inurl:gov.ar inurl:robots.txt
c0c0n 2010 @ Kochi, India

32

Information Gathering with Google


Files that contain passwords
And yes, passwords! as easy as to look for. :-D

c0c0n 2010 @ Kochi, India

33

Information Gathering with Google


Files that contain passwords

inurl:gov.ar + inurl:config.xml
c0c0n 2010 @ Kochi, India

34

Information Gathering with Google


Files that contain usernames
Files that contain usernames, without passwords.

c0c0n 2010 @ Kochi, India

35

Information Gathering with Google


Files that contain usernames

inurl:admin inurl:userlist
c0c0n 2010 @ Kochi, India

36

Information Gathering with Google


Foot-holds and support information to the access
A simple way to win access, looking for files without protection.

c0c0n 2010 @ Kochi, India

37

Information Gathering with Google


Foot-holds and support information to the access

intitle:"PHP Shell *" "Enable stderr" filetype:php


c0c0n 2010 @ Kochi, India

38

Information Gathering with Google


Pages with access forms
The typical login pages, through portals, blogs, or any system that it
is administered via Web.

c0c0n 2010 @ Kochi, India

39

Information Gathering with Google


Pages with access forms

inurl:gov.ar inurl:wp-login.php
c0c0n 2010 @ Kochi, India

40

Information Gathering with Google


Pages that contain relative data to vulnerabilities
Interesting information, firewall logs, report of vulnerabilities,
services in execution and muuuch more.

c0c0n 2010 @ Kochi, India

41

Information Gathering with Google


Pages that contain relative data to vulnerabilities

intitle:"Nessus Scan Report" "This file was generated by Nessus"


c0c0n 2010 @ Kochi, India

42

Information Gathering with Google


Directory sensitive
Depending on the case, we will find information more or less
sensitive. Use general.

c0c0n 2010 @ Kochi, India

43

Information Gathering with Google


Directory sensitive

inurl:backup intitle:index.of inurl:admin


c0c0n 2010 @ Kochi, India

44

Information Gathering with Google


Sensitive information on e-commerce and e-banking
Where do you buy and what do you buy? information about clients,
salespersons, order of purchase, and e-commerce exposed.

c0c0n 2010 @ Kochi, India

45

Information Gathering with Google


Sensitive information on e-commerce and e-banking

SecurityTracker Alert ID: 1004384

inurl:"shopadmin.asp" "Shop Administrators only"


c0c0n 2010 @ Kochi, India

46

Information Gathering with Google


Devices online hardware
The possibility to administer printers, video cameras, to spy to other,
etc.

c0c0n 2010 @ Kochi, India

47

Information Gathering with Google


Devices online hardware

Which is the default login?! YES, it works!

intitle:"EverFocus EDSR Applet"


c0c0n 2010 @ Kochi, India

48

Information Gathering with Google


Vulnerable files
A lot of vulnerable files, within reach of a click.

c0c0n 2010 @ Kochi, India

49

Information Gathering with Google


Vulnerable files

intext:"File Upload Manager v1.3" "rename to"


c0c0n 2010 @ Kochi, India

50

Information Gathering with Google


Vulnerable servers
Different ways of access to servers, installations by default, scripts
without configuring.

c0c0n 2010 @ Kochi, India

51

Information Gathering with Google


Vulnerable servers

intitle:"Remote Desktop Web Connection"


c0c0n 2010 @ Kochi, India

52

Information Gathering with Google


Detection of Web Servers
Identify through versions, vulnerable servers, access by default,
documents of help, logins, etc.

c0c0n 2010 @ Kochi, India

53

Information Gathering with Google


Detection of Web Servers

intext:"Microsoft-IIS/5.0 server at" inurl:gov.*


c0c0n 2010 @ Kochi, India

54

Information Gathering with Google

Looking for the Code

c0c0n 2010 @ Kochi, India

55

Information Gathering with Google


Looking for the Code
Google provides a simple way of finding vulnerabilities in software,
through Google Code Search, we can find vulnerabilities in the
code source.
http://www.google.com/codesearch

c0c0n 2010 @ Kochi, India

56

Information Gathering with Google


Looking for the Code

JavaServer Pages (.jsp) Cross Site Scripting


<%=.*getParameter

c0c0n 2010 @ Kochi, India

57

Information Gathering with Google


Looking for the Code

JavaServer Pages (.jsp) SQL Injection


executeQuery.*getParameter

c0c0n 2010 @ Kochi, India

58

Information Gathering with Google


Looking for the Code

PHP - Cross Site Scripting


lang:php (print\(|echo)\s\$_(GET|REQUEST)

c0c0n 2010 @ Kochi, India

59

Information Gathering with Google


Playing with the API of Google
What are the APIs?
API is the initials of Application Programming Interface. In other
words, they are the methods that the developer of any application
offers to other developers so that they can use with its application.
With what programming languages can I use the APIs of
Google?
The developers can make petitions to Google, using several
languages, as Java, Perl or Visual Studio. NET, others.

c0c0n 2010 @ Kochi, India

60

Information Gathering with Google


Playing with the API of Google
What applications can I make with the APIs of Google?
So a lot of applications can be developed in environment Web and
inside a classic program too.
How does the APIs of Google work?
The applications wrote by the developers are connected to the
service Web API of Google. This communication is carried out by the
protocol named SOAP (Simple Object Access Protocol). It is based
on XML, and it is used for the exchange of information among
applications.

c0c0n 2010 @ Kochi, India

61

Information Gathering with Google

Tools and Utilities

c0c0n 2010 @ Kochi, India

62

Information Gathering with Google


Tools
Gooscan v1.0
Gooscan is a tool that automates the consultations toward Google.
Thought as a Scanner CGI, the communication is not made directly
on the objective. It is Google who responds.
Features
Developed in C.
Is possible to add or remove dorks.
Automate searches can infringe the Terms of Use of Google.
http://security-sh3ll.blogspot.com/2008/11/gooscan-automatedgoogle-hacking-tool.html

c0c0n 2010 @ Kochi, India

63

Information Gathering with Google


Tools
SiteDigger v3.0
SiteDigger looks for in the cache of Google, to find vulnerabilities,
errors, configuration by defaultt, and another type of information
related to the security of the Website.
Features

Improved user interface, signature upgrade and page of results.


API of Google doesn't require.
Support for Proxy and TOR.
Results in real time..
Update of signatures.
Possibility to keep the signatures and configuration.
Requires: Microsoft .NET Framework v3.5

c0c0n 2010 @ Kochi, India

64

Information Gathering with Google


SiteDigger v3.0

http://www.foundstone.com/us/resources/proddesc/sitedigger.htm
c0c0n 2010 @ Kochi, India

65

Information Gathering with Google


Tools
Athena v2.0
It uses files XML with the searches, it can be personalized. It works
in the same way that a navigator Web.
Features

Compatibility with SiteDigger.


Modify files XML.
It doesnt use API of Google.
A search at the same time.
Requires: Microsoft .NET Framework v1.1
http://snakeoillabs.com/wordpress/2004/11/07/athena-20-is-go/

c0c0n 2010 @ Kochi, India

66

Information Gathering with Google


Tools
Athena v2.0

c0c0n 2010 @ Kochi, India

67

Information Gathering with Google


Tools
ProminentDork v1.0
Oriented to carry out fuzzing and to find SQLi, XSS, LFI, RFI trough
Google.
Features

Developed in C#, license GNU.


Multiple queries.
Support for GHDB.
Use Proxy.
Recognizes the CAPTCHA.
http://prominentsecurity.com

c0c0n 2010 @ Kochi, India

68

Information Gathering with Google


Tools
ProminentDork v1.0

c0c0n 2010 @ Kochi, India

69

Information Gathering with Google


Tools
Advanced Dork (Firefox Addon)
It is an extension for Firefox that allows in an easy and quick way
through a contextual menu to use more than 15 dorks.

https://addons.mozilla.org/en-US/firefox/addon/2144/

c0c0n 2010 @ Kochi, India

70

Information Gathering with Google


Tools
Advanced Dork (Firefox Addon)

c0c0n 2010 @ Kochi, India

71

Information Gathering with Google

Social Engineering
Increasing the game

c0c0n 2010 @ Kochi, India

72

Information Gathering with Google


Social Engineeringincreasing the game
We can discover information about the administrators and
the environment where they act:
Used technologies, via job searches.
Level of knowledge, via technical publications.
Hobbies.
Skills.
Friends, via social networks like Facebook,
Linkedin, Google/Yahoo! Groups,).
Or also...personal telephone ;-) ----->

c0c0n 2010 @ Kochi, India

73

Information Gathering with Google

Recommendations

c0c0n 2010 @ Kochi, India

74

Information Gathering with Google


Recommendations
Secure the Servers and the Web applications used.
Testing and implementing trough political of security the last
available upgrades.
Disable the browsing for directory.
Not to publish sensitive information without authentication.
Analyze the searches that conduces to our Websites, could be
entering HTTP Logs.

c0c0n 2010 @ Kochi, India

75

Information Gathering with Google


Recommendations
What do we make if we discover that Google is indexing
sensitive information?!
We should inform it to Google and they will proceed to eliminate of
their cache this information:
http://www.google.com/remove.html

c0c0n 2010 @ Kochi, India

76

Information Gathering with Google

Conclusions

c0c0n 2010 @ Kochi, India

77

Information Gathering with Google


Conclusions
Information Gathering, is a very useful technique. :-)
Files with sensitive information, no matter if is deleted of the Web
Servers they continue being in the cache of Google.
Use the google dorks, to see what information we can find about
our Website in Google.
Learn and understand the different techniques and tools
mentioned.
The security by darkness, doesn't exist!
Accept our vulnerability instead of trying to hide it is the best way to adapt to
the reality.
c0c0n 2010 @ Kochi, India

78

Information Gathering with Google


Recommended Websites
Google Guide
- http://www.googleguide.com/
Dirson
- http://google.dirson.com
Official Blog of Google (This Week Search)
- http://googleblog.blogspot.com/
Google Help: Cheat Sheet
- http://www.google.com/help/cheatsheet.html
Google Hacking Database (Johnny)
- http://www.hackersforcharity.org/ghdb/

c0c0n 2010 @ Kochi, India

79

Information Gathering with Google


Recommended Websites
Gooscan v1.0
http://security-sh3ll.blogspot.com/2008/11/gooscan-automatedgoogle-hacking-tool.html
SiteDigger v3.0
http://www.foundstone.com/us/resources/proddesc/sitedigger.htm
ProminentDork v1.0
http://prominentsecurity.com/?p=91
Athena 2.0
http://snakeoillabs.com/wordpress/2004/11/07/athena-20-is-go/
Advanced Dork (Firefox Addon)
https://addons.mozilla.org/en-US/firefox/addon/2144/
c0c0n 2010 @ Kochi, India

80

Information Gathering with Google


Questions

c0c0n 2010 @ Kochi, India

81

Information Gathering with Google

Thank you!!
Maximiliano Soler
e-Mail:
Twitter: @maxisoler
c0c0n 2010 @ Kochi, India

82