Using Google, an SQL injection on a random website can be performed within 0.2 Google seconds. Specially crafted search queries given to Google are known as dorks, or Google dorks. These dorks can be used to reveal vulnerable servers on the Internet, to gather sensitive data, uploaded files that are vulnerable, sub-domains, and so on. Effective use of Google Hacking can make the pentest process considerably easier.
"Welcome to Intranet"
According to whatis.com: "An intranet is a private network that is contained within an enterprise. [...] The main purpose of an intranet is to share company information and computing resources among employees [...] and in general looks like a private version of the Internet." Intranets, by definition, should not be available to the Internet's unwashed masses, as they may contain private corporate information.
Files Containing Usernames
OK, this file contains what a user typed at a shell command prompt. You shouldn't advertise this file. You shouldn't flash it to a web crawler. It contains COMMANDS and USERNAMES and stuff... *sigh* Sometimes there aren't words to describe how lame people can be. This particular theme can be carried further to find all sorts of things along these lines, like .profile, .login, .logout files, etc. I just got bored with all the combinations...
Files Containing Passwords
mysql history files
The .mysql_history file contains commands that were performed against a MySQL database. A "history" of said commands. First, you shouldn't show this file to anyone, especially not a MAJOR SEARCH ENGINE! Secondly, I sure hope you wouldn't type anything sensitive while interacting with your databases, like, oh say, USERNAMES AND PASSWORDS...
Files Containing Juicy Info
These folks had the technical prowess to unpack the Movable Type files, but couldn't manage to set up their web servers properly. Check the mt.cfg files for interesting stuff...
Web Server Detection
Windows 2000 Internet Services
At first glance, this search reveals even more examples of operating system users enabling the operating system's default web server software. This is generally accepted to be a Bad Idea(TM), as mentioned in the previous example. However, the googleDork index on this particular category gets quite a boost from the fact that this particular screen should NEVER be seen by the general public. To quote the default index screen: "Any users attempting to connect to this site are currently receiving an 'Under Construction page'". THIS is not the 'Under Construction page.' I was only able to generate this screen while sitting at the console of the server. The fact that this screen is revealed to the general public may indicate a misconfiguration of a much more insidious nature...
Web Server Detection
Moving from personal, lightweight web servers into more production-ready software, we find that even administrators of Microsoft's Internet Information Server (IIS) sometimes don't have a clue what they're doing. By searching for web pages with titles of "Welcome to IIS 4.0" we find that even if they've taken the time to change their main page, some dorks forget to change the titles of their default-installed web pages. This is an indicator that their web server is most likely running, or was upgraded from, the now considered OLD IIS 4.0, and that at least portions of their main pages are still exactly the same as they were out of the box. Conclusion? The rest of the factory-installed stuff is most likely lingering around on these servers as well.
Old code: FREE with operating system.
Poor content management: an average of $40/hour.
Factory-installed default scripts: FREE with operating system.
Getting hacked by a script kiddie that found you on Google: PRICELESS.
For all the things money can't buy, there's a googleDork award.
Look in my backup directories! Please?
Backup directories are often very interesting places to explore. More than one server has been compromised by a hacker's discovery of sensitive information contained in backup files or directories. Some of the sites in this search meant to reveal the contents of their backup directories; others did not. Think about it. What's in YOUR backup directories? Would you care to share the contents with the whole of the online world? Probably not. Whether intentional or not, bsp.gsa.gov reveals its backup directory through Google. Is this simply yet another misconfigured .gov site? You decide. BSP stands for "best security practices," winning this site the Top GoogleDork award for this category.
Web Server Detection
OpenBSD running Apache
I like the OpenBSD operating system. I really do. And I like the Apache web server software. Honestly. I admire the mettle of administrators who take the time to run quality, secure software. The problem is that you never know when security problems will pop up. A BIG security problem popped up within the OpenBSD/Apache combo back in the day. Now, every administrator that advertised this particular combo with cute little banners has a problem. Hackers can find them with Google. I go easy on these folks since the odds are they've patched their sites already. Then again, they may just show up on zone-h.
PGP is a great encryption technology. It keeps secrets safe. Everyone from drug lords to the head of the DEA can download PGP to encrypt their sensitive documents. Everyone, that is, except googleDorks. GoogleDorks, it seems, don't understand that anyone in possession of your private keyring (secring) can get to your secret stuff. It should never be given out, and should certainly not be posted on the Internet. The highest ranking is awarded for this surprising level of ineptitude.
Files Containing Passwords
Footholds – Queries that can help an attacker gain a foothold into a web server.
Web Server Detection – Google's awesome ability to profile web servers.
Sensitive Directories – Collection of web sites sharing sensitive directories.
Files Containing Usernames – Files that contain usernames, but no passwords.
Sensitive Data Files – Files containing e.g. passwords, usernames, backups, sensitive information, config files.
SQL Injection – Vulnerabilities to bypass application security measures.
Vulnerable Files – Vulnerable files that Google can find on websites.
Error Messages – Verbose error messages that include e.g. username, password, …
Advisories and Vulnerabilities – Searches that locate vulnerable servers and various security advisory posts; in many cases they are product- or version-specific.
Network or Vulnerability Data – Contain such things as firewall, honeypot and IDS logs, network information, …
Files Containing Juicy Info – No usernames or passwords, but interesting stuff nonetheless.
Various Online Devices – Contains things like printers, video cameras, and all sorts of cool things.
Sensitive Online Shopping Info – Queries that can reveal online shopping information like customer data, suppliers, orders, credit card info, …
Understanding Google Dorks Operators
Let's take a look at the special Google search operators that are used to construct those high-powered Google hack search terms.
intitle – Specifying intitle tells Google to show only those pages that have the term in their HTML title. For example intitle:"login page" will show those pages which have the term "login page" in the title text.
allintitle – Similar to intitle, but looks for all the specified terms in the title.
inurl – Searches for the specified term in the URL. – For example inurl:"login.php" or inurl:login.jsp intitle:login.
allinurl – Same as inurl, but searches for all terms in the URL.
filetype – Searches for specific file types. filetype:pdf will look for PDF files on websites. Similarly filetype:txt looks for files with the extension .txt – For example "sensitive but unclassified" filetype:pdf
ext – Similar to filetype. ext:pdf finds files with the pdf extension.
intext – Searches the content of the page. Somewhat like a plain Google search. For example intext:"index of /" or Host=*.* intext:enc_UserPassword=* ext:pcf
allintext – Similar to intext, but requires all terms to be present in the text.
site – Limits the search to a specific site only. – For example site:example.com
If a hacker wishes to search by a field other than the URL, the following can be effectively substituted:
These options will help a hacker uncover a lot of information about a site that isn't readily apparent without a Google Dork. These options also offer ways to scan the web to locate hard-to-find content.
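As an added example (not code from the original article), the operator grammar above in Python: a small parser that splits a dork into (operator, value) pairs, and a helper that re-scopes any dork with site: so a site owner can run the GHDB-style queries from the categories above against only their own domain. The function names and the example.com domain are my own assumptions.

```python
"""Parse Google dork queries and restrict them to one domain (added example)."""
from __future__ import annotations
import re

# Operators explained on the page; any other word before a colon is plain text.
OPERATORS = {"intitle", "allintitle", "inurl", "allinurl", "filetype",
             "ext", "intext", "allintext", "site"}

# One token: optional  operator:  prefix, then a "quoted phrase" or a bare word.
_TOKEN = re.compile(r'(?:(?P<op>[A-Za-z]+):)?(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')


def parse_dork(query: str) -> list[tuple[str | None, str]]:
    """Split a dork into (operator, value) pairs; operator is None for free text.
    Curly quotes, as pasted from web pages, are normalised to straight quotes."""
    query = query.replace("\u201c", '"').replace("\u201d", '"')
    terms = []
    for m in _TOKEN.finditer(query):
        op = (m.group("op") or "").lower() or None
        value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        if op is not None and op not in OPERATORS:
            # e.g. "http://host" is not an operator: keep the whole token as text
            value, op = f"{m.group('op')}:{value}", None
        terms.append((op, value))
    return terms


def render_dork(terms: list[tuple[str | None, str]]) -> str:
    """Serialise pairs back into query syntax, quoting multi-word values."""
    parts = []
    for op, value in terms:
        if any(ch.isspace() for ch in value):
            value = f'"{value}"'
        parts.append(f"{op}:{value}" if op else value)
    return " ".join(parts)


def scope_to_site(query: str, domain: str) -> str:
    """Return the dork restricted to one domain, for auditing your own site.
    An existing site: term is replaced; otherwise site:domain is prepended."""
    terms = [(op, v) for op, v in parse_dork(query) if op != "site"]
    return render_dork([("site", domain)] + terms)


def operators_used(query: str) -> set[str]:
    """Which of the page's operators a dork relies on (useful for triage)."""
    return {op for op, _ in parse_dork(query) if op}


if __name__ == "__main__":
    # Constructed sample: the page's own intext example, scoped to example.com
    print(scope_to_site("Host=*.* intext:enc_UserPassword=* ext:pcf", "example.com"))
```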