Basic Knowledge Required For Ethical Hacking Degree


The ethical hacking demo was carried out by Betsy Davies (pictured) from Dulwich, south London, and virtual private network provider HMA to highlight just how.

Google Hacking Overview

Google Hacking is a term that encapsulates a wide range of techniques for querying Google to reveal vulnerable Web applications and sometimes to pinpoint vulnerabilities within specific web applications. Besides revealing flaws in web applications, Google Hacking allows you to find sensitive data, useful for the Reconnaissance stage of an attack, such as emails associated with a site, database dumps or other files with usernames and passwords, unprotected directories with sensitive files, URLs to login portals, different types of system logs such as firewall and access logs, unprotected pages that contain sensitive information such as web-connected printers or cameras with data about their usage, status, location and so on.

Advanced operators for querying Google

Advanced operators allow you to get more specific search results from your queries. Most of the time, they allow you to view a list of the most relevant and useful results.


For example, you can use advanced operators to get only files of a particular type or filter so that the results of your search are limited to a specific website. If you simply use a Google search term, you will see all the results that match the given terms. Advanced operators, however, make it possible to get a subset of the original results that match certain characteristics.

This can be easily illustrated by querying Google for a domain and comparing that to querying with the site operator for the given domain. The former query would give results from all kinds of external websites that mention that domain, while the latter would narrow the results down to those originating from the chosen domain. Advanced operators usually take the form of operator:search-term and are written directly in your query string.

There should be no space between the operator and the search term and the search term itself cannot contain spaces, or the query will fail. To use spaces, we would have to surround the phrase with quotation marks.

Quotation marks serve the purpose of telling Google to search for an exact match. To test this, you can try searching Google with a term like there is a lot of fish in the sea and retrying the search with the same term but encapsulated in quotation marks – “there is a lot of fish in the sea.”

Figure 1: Results from enclosing search words with quotation marks vs.

All rights reserved.”
allintitle:Welcome to Windows XP Server Internet Services
filetype: Limits the results to web resources matching the desired file type (not always correct). Example: filetype:xls intext:email intext:password
site: Limits the results to web resources within a given website. Example: filetype:xls site:apple.


info: Shows additional links/actions which can be followed such as showing Google’s cache of the website, visiting similar pages, viewing pages which link to the given page and so on.
Gets the cache that Google has for the given web page. Example: cache:sitepoint.
Excludes the term/operator from the results. Example: inurl:citrix inurl:login
Adding the phrase in quotation marks returns only results that are an exact match to what is sought for. Example: inurl:"server-status" intext:"Apache Server Status"
* A wildcard for any unknown/arbitrary words.


It is not used for completing a word like foot* but indicates that any word could be at that search position.
+ The phrase that follows the + modifier must exist within the results. It can be used to include an overly common word which Google typically neglects in queries. Example: “Machine gun” +uzi
A single-character wildcard, any single character can be in that place. Example: inurl.

A dork is just an already found Google query which is known to return useful results such as exploits or sensitive data. When browsing the dorks available in the Google Hacking Database, you ought to look at their submission date, as some dorks are old and may not prove useful.

Old submissions relating to exploits, vulnerabilities and other flaws of specific software versions may easily become irrelevant after a period of time. However, there are some dorks that deal with ways to harvest information which still work no matter the submission date – such as ways to find database dumps, to find pages with downloads, to get unprotected directory listings (to some extent) and so on.

Basic penetration testing through Google Hacking

As shown above, Google can be used for (passive) information gathering. It is a great tool for footprinting and allows for mobility and anonymity during the footprinting process. The information that Google Hacking results can show is generally publicly available and can be found manually, should one have the time and resources to search for it.

With Google Hacking, you are not actively engaging with the system, but you can easily collect information typically sought in the Reconnaissance phase of an attack such as error messages, passwords, usernames, sensitive directories, devices and hardware online, detect web servers and vulnerabilities within them, pages with access forms, and sensitive e-banking and e-commerce information. Thus, you can directly find usernames and passwords which could easily be exploited to get access, you can find possible devices and software which can be targeted, etc., which makes Google an invaluable tool. In fact, Google Hacking is a concept with which you have to be acquainted if you plan on taking an exam such as the Certified Ethical Hacker (CEH) exam.

There are many ways to look for usernames and passwords through Google queries. For example, you can search for .

Those databases usually contain most of the data related to a website – such as its users, passwords, user details and so on. One query is: filetype:sql inurl:backup inurl:wp-content. This will search for database dumps in websites whose URL contains the words backup and wp-content.

wp-content is the folder where the user and some plugins upload their files in the popular CMS WordPress, on which many websites are built, and backup can potentially filter the results to people who decided to place a copy of their database online in case something happens.

Figure 2: Querying Google for database dumps.

The query returned many results, most of which were actual database dumps of WordPress installations. Those database dumps contained information about the WordPress administrative users such as their username, email, hashed password, amongst other potentially useful information. The WordPress administrative users themselves are usually located in the wp.

For example, .htpasswd can be used in websites to perform Basic Authentication. With Basic Authentication, browsers show login fields which can be checked for matches within an .

Figure 5: Basic Authentication in a website. Your browsers show login fields which can be checked for matches within a .

There are many ways to search for this particular file. The Google Hacking Database proposes simply typing htpasswd, but you can search for htpasswd. As seen here, searches for one type of information can often expose other data that can be used in the pen testing process.

Figure 6: An arbitrary file with a username and password found online.
Figure 7: An arbitrary file with a username and password found online.

Identifying system version information

As we have seen in the operators table, we can get directory listings by incorporating “index. Queries such as intitle:index.

Apache. You can add the site: operator to that query to search for directory listings leaking server information in specific websites. For example, a search for intitle:index. Apache), its version and the operating system of the machine it is on as seen in the picture below.

Figure 8: Querying to retrieve server information.

Finding websites using vulnerable software

Another use for Google hacking is to identify systems that are running a known vulnerable version of software.

Many web applications add a “Powered By” field somewhere on the page and sometimes mention the version of the software. That means if you find a vulnerability in, let’s say vBulletin, you can search for other websites that are also susceptible to this vulnerability.

Figure 9: An example of “Powered By” field that indicates the software versioning.

The picture above shows vBulletin installed on a website, which is noted by the informational footer.

Should a vulnerability exist in that version of vBulletin, other vulnerable sites would be easily reached.

Queries to start your tests with

site:targetsite. intitle:index.of – when you start examining a website it is a good idea to look at any potential directory listings first. Those can sometimes reveal information about the server and will certainly show files which may reveal additional information.

This operator will only display results from Apache-based servers and not others such as sites served with Node. Apache is the web server dominating the market.

However, there are many websites that are in production mode without hiding possible errors. The actual error or warning is usually prepended with error: or warning: so you can search for those on a particular website. Depending on the website and its subject matter, false positives may emerge.
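Site owners can look for the same signals in their own responses before a search engine indexes them. The following is an added example, not part of the original article: it checks response bodies for a directory listing, a server version footer, a "Powered by" version string and a PHP warning. The regular expressions, function names and sample pages are constructed for illustration.

```python
import re

# Signatures are assumptions modelled on default Apache autoindex and PHP error output.
CHECKS = {
    "directory-listing": re.compile(r"<title>\s*Index of\s+(/[^<]*)</title>", re.I),
    "server-version": re.compile(r"<address>\s*([A-Za-z]+/\d[\d.]*[^<]*?) Server at", re.I),
    "php-error": re.compile(
        r"<b>(Warning|Notice|Fatal error|Parse error)</b>:\s+(.+?) in <b>", re.I),
    "powered-by-version": re.compile(
        r"Powered by\s+([\w .-]+?)\s+v?(\d+(?:\.\d+)+)", re.I),
}

def find_leaks(html):
    """Return sorted (check_name, detail) pairs found in one response body."""
    leaks = []
    for name, rx in CHECKS.items():
        for m in rx.finditer(html):
            detail = " ".join(g for g in m.groups() if g)
            leaks.append((name, detail.strip()))
    return sorted(leaks)

# Constructed sample responses (not captured from any real site).
SAMPLE_PAGES = {
    "/uploads/": ("<html><head><title>Index of /uploads</title></head><body>"
                  "<address>Apache/2.4.41 (Ubuntu) Server at example.test Port 80"
                  "</address></body></html>"),
    "/news.php": ("<br />\n<b>Warning</b>:  mysql_connect(): Access denied for user "
                  "'webapp'@'localhost' in <b>/var/www/db.php</b> on line <b>12</b>"),
    "/forum/": "<div id='footer'>Powered by ExampleBoard 3.8.4</div>",
    "/about.html": "<html><title>About us</title><p>Nothing to see.</p></html>",
}

def audit(pages):
    """Map each path to its leaks, skipping pages with none."""
    return {path: leaks for path, body in pages.items()
            if (leaks := find_leaks(body))}

if __name__ == "__main__":
    for path, leaks in audit(SAMPLE_PAGES).items():
        for name, detail in leaks:
            print(f"{path:12} {name:20} {detail}")
```

Pages flagged here are candidates for turning off directory indexes, server signatures and on-page error display.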

Figure 1. 4: Searching for errors and warnings in a specific website.
Figure 1. 5: The MySQL database user is revealed from a PHP warning found through Google.

As you can see above, a simple search for errors and warnings in a website revealed a database error which showed that the database user is artshis.

MySQL database is used on the machine and that the website is using a legacy PHP MySQL extension which may be vulnerable to SQL injections.

This search will capture files, directories and file extensions on the server containing one of the most common backup/temporary names. You can add additional parameters to the query to get more specific results. For example, adding inurl:wp-content to the query would show backup files and directories that are inside the public assets folder of a WordPress installation.
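The files these queries surface (SQL dumps under wp-content, .htpasswd files, backup and temporary copies) can be found first by the site owner with a scan of the document root. The following is an added example, not part of the original article; the extension list, function names and sample directory tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumed name patterns; the article's own list of backup names is not on the page.
BACKUP_EXTS = {"bak", "old", "backup", "tmp", "swp", "orig"}
CREDENTIAL_FILES = {".htpasswd"}

def classify(filename):
    """Return a finding label for a file name, or None if it looks harmless."""
    name = filename.lower()
    if name in CREDENTIAL_FILES:
        return "credential-file"
    exts = name.split(".")[1:]          # every extension, so dump.sql.gz still matches
    if "sql" in exts:
        return "database-dump"
    if name.endswith("~") or BACKUP_EXTS.intersection(exts):
        return "backup-or-temp"
    return None

def audit_webroot(root):
    """Walk a document root and list (relative_path, label) for risky files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            label = classify(filename)
            if label:
                rel = os.path.relpath(os.path.join(dirpath, filename), root)
                findings.append((rel.replace(os.sep, "/"), label))
    return sorted(findings)

def build_sample_webroot():
    """Create a constructed WordPress-like tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel in ["index.php", "wp-config.php.bak", ".htpasswd",
                "wp-content/uploads/logo.png",
                "wp-content/backup/site-2017.sql",
                "wp-content/backup/site-2017.sql.gz",
                "wp-content/themes/style.css~"]:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
    return root

if __name__ == "__main__":
    for rel, label in audit_webroot(build_sample_webroot()):
        print(f"{label:16} {rel}")
```

Anything reported should be moved outside the web-served directory or deleted, since a file that is reachable by URL can end up in a search index.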

© 2017