Using Google, a website vulnerable to SQL injection can be found in the 0.2 seconds it takes Google to return a search. Specially crafted search queries given to Google are known as dorks, or Google dorks. These dorks can be used to reveal vulnerable servers on the Internet, to gather sensitive data, uploaded files that should never have been exposed, sub-domains, and so on. Effective use of Google hacking can make the pentest process considerably easier.
| id | Date | Category | Dork | Description |
| --- | --- | --- | --- | --- |
| 1 | 2003/06/24 | Vulnerable Servers | "Welcome to Intranet" | According to whatis.com: "An intranet is a private network that is contained within an enterprise. [...] The main purpose of an intranet is to share company information and computing resources among employees [...] and in general looks like a private version of the Internet." Intranets, by definition, should not be available to the Internet's unwashed masses as they may contain private corporate information. |
| 2 | 2003/06/24 | Files Containing Usernames | sh_history files | Ok, this file contains what a user typed at a shell command prompt. You shouldn't advertise this file. You shouldn't flash it to a web crawler. It contains COMMANDS and USERNAMES and stuff... *sigh* Sometimes there aren't words to describe how lame people can be. This particular theme can be carried further to find all sorts of things along these lines like .profile, .login, .logout files, etc. I just got bored with all the combinations... |
| 3 | 2003/06/24 | Files Containing Passwords | mysql history files | The .mysql_history file contains commands that were performed against a mysql database. A "history" of said commands. First, you shouldn't show this file to anyone, especially not a MAJOR SEARCH ENGINE! Secondly, I sure hope you wouldn't type anything sensitive while interacting with your databases, like oh say USERNAMES AND PASSWORDS... |
| 4 | 2003/06/24 | Files Containing Juicy Info | mt-db-pass.cgi files | These folks had the technical prowess to unpack the movable type files, but couldn't manage to set up their web servers properly. Check the mt.cfg files for interesting stuff... |
| 5 | 2003/06/24 | Web Server Detection | Windows 2000 Internet Services | At first glance, this search reveals even more examples of operating system users enabling the operating system default web server software. This is generally accepted to be a Bad Idea(TM) as mentioned in the previous example. However, the googleDork index on this particular category gets quite a boost from the fact that this particular screen should NEVER be seen by the general public. To quote the default index screen: "Any users attempting to connect to this site are currently receiving an 'Under Construction page'" THIS is not the 'Under Construction page.' I was only able to generate this screen while sitting at the console of the server. The fact that this screen is revealed to the general public may indicate a misconfiguration of a much more insidious nature... |
| 6 | 2003/06/24 | Web Server Detection | IIS 4.0 | Moving from personal, lightweight web servers into more production-ready software, we find that even administrators of Microsoft's Internet Information Server (IIS) sometimes don't have a clue what they're doing. By searching on web pages with titles of "Welcome to IIS 4.0" we find that even if they've taken the time to change their main page, some dorks forget to change the titles of their default-installed web pages. This is an indicator that their web server is most likely running, or was upgraded from, the now considered OLD IIS 4.0 and that at least portions of their main pages are still exactly the same as they were out of the box. Conclusion? The rest of the factory-installed stuff is most likely lingering around on these servers as well. Old code: FREE with operating system. Poor content management: an average of $40/hour. Factory-installed default scripts: FREE with operating system. Getting hacked by a script kiddie that found you on Google: PRICELESS. For all the things money can't buy, there's a googleDork award. |
| 7 | 2003/06/24 | Sensitive Directories | Look in my backup directories! Please? | Backup directories are often very interesting places to explore. More than one server has been compromised by a hacker's discovery of sensitive information contained in backup files or directories. Some of the sites in this search meant to reveal the contents of their backup directories, others did not. Think about it. What's in YOUR backup directories? Would you care to share the contents with the whole of the online world? Probably not. Whether intentional or not, bsp.gsa.gov reveals its backup directory through Google. Is this simply yet another misconfigured .gov site? You decide. BSP stands for "best security practices," winning this site the Top GoogleDork award for this category. |
| 8 | 2003/06/24 | Web Server Detection | OpenBSD running Apache | I like the OpenBSD operating system. I really do. And I like the Apache web server software. Honestly. I admire the mettle of administrators who take the time to run quality, secure software. The problem is that you never know when security problems will pop up. A BIG security problem popped up within the OpenBSD/Apache combo back in the day. Now, every administrator that advertised this particular combo with cute little banners has a problem. Hackers can find them with Google. I go easy on these folks since the odds are they've patched their sites already. Then again, they may just show up on zone-h. |
| | | | | PGP is a great encryption technology. It keeps secrets safe. Everyone from drug lords to the head of the DEA can download PGP to encrypt their sensitive documents. Everyone, that is, except googleDorks. GoogleDorks, it seems, don't understand that anyone in possession of your private keyring (secring) can get to your secret stuff. It should never be given out, and should certainly not be posted on the Internet. The highest ranking is awarded for this surprising level of ineptitude. |
| 10 | 2003/06/24 | Files Containing Passwords | people.lst | People list. |
| 11 | 2003/06/24 | Files Containing Passwords | passwd | There's nothing that defines a googleDork more than getting your PASSWORDS grabbed by Google for the world to see. Truly the epitome of a googleDork. The hits in this search show "passwd" files which contain encrypted passwords which may look like this: "guest MMCHhvZ6ODgFo" A password cracker can eat cheesy hashes faster than Elvis eatin' jelly doughnuts. Bravo googleDorks! Good show! |
| 12 | 2003/06/24 | Files Containing Passwords | master.passwd | There's nothing that defines a googleDork more than getting your PASSWORDS grabbed by Google for the world to see. Truly the epitome of a googleDork. The hits in this search show "master.passwd" files which contain encrypted passwords which may look like this: "guest MMCHhvZ6ODgFo" A password cracker can eat cheesy hashes faster than Elvis eatin' jelly doughnuts. Bravo googleDorks! Good show! For master.passwd, be sure to check other files in the same directory... |
| 13 | 2003/06/24 | Files Containing Passwords | pwd.db | There's nothing that defines a googleDork more than getting your PASSWORDS grabbed by Google for the world to see. Truly the epitome of a googleDork. The hits in this search show "pwd.db" files which contain encrypted passwords which may look like this: "guest MMCHhvZ6ODgFo" A password cracker can eat cheesy hashes faster than Elvis eatin' jelly doughnuts. Bravo googleDorks! Good show! |
| 14 | 2003/06/24 | Files Containing Passwords | htpasswd / htpasswd.bak | There's nothing that defines a googleDork more than getting your PASSWORDS grabbed by Google for the world to see. Truly the epitome of a googleDork. And what if the passwords are hashed? A password cracker can eat cheesy password hashes faster than Elvis eatin' jelly doughnuts. Bravo googleDorks! Good show! |
| 15 | 2003/06/24 | Files Containing Passwords | htpasswd / htgroup | There's nothing that defines a googleDork more than getting your PASSWORDS grabbed by Google for the world to see. Truly the epitome of a googleDork. And what if the passwords are hashed? A password cracker can eat cheesy password hashes faster than Elvis eatin' jelly doughnuts. Bravo googleDorks! Good show! You'll need to sift through these results a bit... |
| 16 | 2003/06/24 | Files Containing Passwords | spwd.db / passwd | There's nothing that defines a googleDork more than getting your PASSWORDS grabbed by Google for the world to see. Truly the epitome of a googleDork. And what if the passwords are hashed? A password cracker can eat cheesy password hashes faster than Elvis eatin' jelly doughnuts. Bravo googleDorks! Good show! |
| 17 | 2003/06/24 | Files Containing Passwords | passwd / etc (reliable) | There's nothing that defines a googleDork more than getting your PASSWORDS grabbed by Google for the world to see. Truly the epitome of a googleDork. And what if the passwords are hashed? A password cracker can eat cheesy password hashes faster than Elvis eatin' jelly doughnuts. Bravo googleDorks! Good show! |
| 18 | 2003/06/24 | Files Containing Juicy Info | AIM buddy lists | These searches bring up common names for AOL Instant Messenger "buddylists". These lists contain screen names of your "online buddies" in Instant Messenger. Now, that's not too terribly exciting or stupid unless you want to mess with someone's mind, and besides, some people make these public on purpose. The interesting thing is the files that get stored ALONG WITH buddylists. Often this stuff includes downloaded pictures, resumes, all sorts of things. This is really for the peepers out there, and it's possible to spend countless hours rifling through people's personal crap. Also try buddylist.blt, buddy.blt, buddies.blt. |
| 19 | 2003/06/24 | Files Containing Passwords | config.php | This search brings up sites with "config.php" files. To skip the technical discussion, this configuration file contains both a username and a password for an SQL database. Most sites with forums run a PHP message base. This file gives you the keys to that forum, including FULL ADMIN access to the database. Way to go, googleDorks!! |
| 20 | 2003/06/24 | Error Messages | MYSQL error message: supplied argument.... | One of many potential error messages that spew interesting information. The results of this message give you real path names inside the webserver as well as more php scripts for potential "crawling" activities. |
| 21 | 2003/06/24 | Files Containing Juicy Info | Ganglia Cluster Reports | These are server cluster reports, great for info gathering. Let's see, what were those server names again? |
| 22 | 2003/06/24 | Files Containing Juicy Info | ICQ chat logs, please... | ICQ (http://www.icq.com) allows you to store the contents of your online chats into a file. These folks have their entire ICQ directories online. On purpose? |
| 23 | 2003/06/24 | Web Server Detection | Apache online documentation | When you install the Apache web server, you get a nice set of online documentation. When you learn how to use Apache, you're supposed to delete these online Apache manuals. These sites didn't. If they're in such a hurry with Apache installs, I wonder what else they rushed through? |
| 24 | 2003/06/24 | Error Messages | Coldfusion Error Pages | These aren't too horribly bad, but there are SO MANY of them. These sites got googlebotted while the site was having "technical difficulties." The resulting cached error message gives lots of juicy tidbits about the target site. |
| 25 | 2003/06/24 | Files Containing Juicy Info | Financial spreadsheets: finance.xls | Let's put our finances on our website in a secret directory so we can get to it whenever we need to! |
Category Descriptions
| Category | Description |
| --- | --- |
| Footholds | Queries that can help an attacker gain a foothold into a web server. |
| Web Server Detection | Google's awesome ability to profile web servers. |
| Sensitive Directories | Collection of web sites sharing sensitive directories. |
| Files Containing Usernames | Files that contain usernames, but no passwords. |
| Sensitive Data | Files containing e.g. passwords, usernames, backups, sensitive information, config files. |
| SQL Injection | Vulnerabilities that bypass application security measures. |
| Vulnerable Files | Vulnerable files that Google can find on websites. |
| Vulnerable Servers | Searches that reveal servers with specific vulnerabilities. |
| Pages Containing Login Portals | Login pages for various services, the front door to a website's more sensitive functions. |
| Error Messages | Verbose error messages that include e.g. usernames, passwords, ... |
| Advisories and Vulnerabilities | Searches that locate vulnerable servers and various security advisory posts; in many cases they are product- or version-specific. |
| Network or Vulnerability Data | Contains such things as firewall, honeypot and IDS logs, network information, ... |
| Files Containing Juicy Info | No usernames or passwords, but interesting stuff nonetheless. |
| Various Online Devices | Contains things like printers, video cameras, and all sorts of cool things. |
| Sensitive Online Shopping Info | Queries that can reveal online shopping information like customer data, suppliers, orders, credit card info, ... |
Understanding Google Dorks Operators
Let's take a look at the special Google search operators that are used to construct those high-powered Google hacking search terms.
intitle – Tells Google to show only pages that have the term in their HTML title. For example intitle:"login page" shows pages which have the term "login page" in the title text.
allintitle – Similar to intitle, but requires all of the specified terms to appear in the title.
inurl – Searches for the specified term in the URL. For example inurl:"login.php", or inurl:login.jsp intitle:login.
allinurl – Same as inurl, but requires all terms to appear in the URL.
filetype – Restricts results to a specific file type. filetype:pdf looks for PDF files on websites; similarly filetype:txt looks for files with the .txt extension. For example "sensitive but unclassified" filetype:pdf.
ext – Similar to filetype. ext:pdf finds files with the pdf extension.
intext – Searches the content of the page, somewhat like a plain Google search. For example intext:"index of /", or Host=*.* intext:enc_UserPassword=* ext:pcf.
allintext – Similar to intext, but requires all terms to be present in the text.
site – Limits the search to a specific site only. For example site:example.com.
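The operator semantics above, written up as an added example (not code from the original page or from the GHDB): a small matcher that a site owner can run over their own crawled pages to see which dorks would surface them before Google does. The `Page` type, the `www.example.com` sample pages and their contents are constructed; the three dorks are the ones quoted in the list above, and `allintitle:`/`allinurl:`/`allintext:` are modelled as binding every later bare term to that field.

```python
import re
from collections import namedtuple
from urllib.parse import urlparse

# A token is an optional operator: prefix followed by a "quoted phrase" or a bare word.
TOKEN_RE = re.compile(r'(?:(?P<op>[a-z]+):)?(?:"(?P<q>[^"]*)"|(?P<w>\S+))')
# allinX: makes every later bare term apply to field X instead of to any field.
ALL_OPS = {"allintitle": "intitle", "allinurl": "inurl", "allintext": "intext"}
Page = namedtuple("Page", "url title text")  # one locally crawled page

def parse_dork(query: str) -> list[tuple[str, str]]:
    """Split a dork into (field, term) pairs; bare terms get the field 'any'."""
    terms, default = [], "any"
    for m in TOKEN_RE.finditer(query):
        op = (m.group("op") or "").lower()
        term = m.group("q") if m.group("q") is not None else m.group("w")
        if op in ALL_OPS:
            default = op = ALL_OPS[op]
        terms.append((op or default, term.lower()))
    return terms

def _has(term: str, haystack: str) -> bool:
    # Google's '*' is a wildcard for arbitrary words; approximate it with '.*'.
    return re.search(re.escape(term).replace(r"\*", ".*"), haystack) is not None

def matches(page: Page, query: str) -> bool:
    u = urlparse(page.url)
    host = (u.hostname or "").lower()
    fields = {"intitle": page.title.lower(), "inurl": page.url.lower(), "intext": page.text.lower()}
    for op, term in parse_dork(query):  # every (field, term) must be satisfied
        if op == "site":
            ok = host == term or host.endswith("." + term)
        elif op in ("filetype", "ext"):
            ok = u.path.lower().endswith("." + term)
        else:  # intitle/inurl/intext, or 'any' meaning any of the three
            hays = fields.values() if op == "any" else [fields.get(op, "")]
            ok = any(_has(term, h) for h in hays)  # link:, cache: etc. never match
        if not ok:
            return False
    return True

# Constructed sample crawl of our own site (not real pages); dorks quoted from the text.
SAMPLE = [Page("https://www.example.com/admin/login.jsp", "Login", "Please sign in"),
          Page("https://www.example.com/docs/policy.pdf", "Policy", "sensitive but unclassified"),
          Page("https://www.example.com/vpn/corp.pcf", "VPN", "Host=vpn.example.com enc_UserPassword=ABC123")]
DORKS = ['inurl:"login.jsp" intitle:login', '"sensitive but unclassified" filetype:pdf',
         'Host=*.* intext:enc_UserPassword=* ext:pcf']

def exposed(pages=SAMPLE, dorks=DORKS) -> dict[str, list[str]]:
    return {d: [p.url for p in pages if matches(p, d)] for d in dorks}
```

Running `exposed()` over a real crawl of your own site gives the list of URLs to pull, restrict or robots-exclude before the next Googlebot visit.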
If a hacker wishes to search by a field other than the URL, the following can be effectively substituted:
intitle:
inurl:
intext:
define:
site:
phonebook:
maps:
book:
froogle:
info:
movie:
weather:
related:
link:
These options help a hacker uncover a lot of information about a site that isn't readily apparent without a Google dork. They also offer ways to scan the web to locate hard-to-find content.
Disclaimer
Use this only for research purposes and ethical hacking; do not break any laws by exploiting weaknesses of companies!