Google Hacking

1GoogleHacking101EditedbyMattPayne,CISSP15June2005Updated10August2006•What’snewintheworldofGoogle?•GoogleBombing•SchneierinSecretsandLies–Attackatadistance–Emergentbehavior–Automation•Googleasamirror•“InterestingSearches”–Softwareversions–Passwords,creditcardnumbers,ISOs•CGIScanning–Vulnerablesoftware•DefenseagainstGoogleHacking3What’snewatGoogle?•Code.Google.com–aSourceForge.netcompetitor!–Getyourprojectimmediately!•Nothreedaywaitwithapersonlookingatyourprojectdescription•Calendar.google.com–•GoogleSearchHistory•GoogleDesktop!--Multipledesktops!–There’saSDK!Thirdpartiescanmakewidgets–clickOKtoinstall(andtrust)thewidget•Userslovetoclickok!•Trends.google.com4MoreGoogleGoodness…•GoogleDataAPIs-Readandwritedatausingasimple,standardprotocol.•GoogleTalkXMPP-FederatewithGoogleTalkusingtheXMPPprotocol.•BloggerAPI-Create,read,update,anddeleteBloggerblogpostswithAtom.•GoogleToolbarAPI-CreatecustombuttonsfortheGoogleToolbar.•GoogleEarthKML-CreateandsharecontentwiththeGoogleEarthclient.–Trackflightsintheair!•fboweb.com/antest/ge/intro.aspx?old=1•Akatinyurl.com/krdzf•GoogleDesktopSDK-WriteUI,indexing,andqueryplug-insforGoogleDesktop.•GoogleGadgetsAPI-WritecustommodulesforGoogle'sPersonalizedHomepage.–Google.com/ig–Many3rdpartiesmakeyouclickoktotrustthem…•GoogleMapsAPI-EmbedGoogleMapsinyourownwebpages.5gmap-pedometer.com6GoogleBombing!=GoogleHacking••AGooglebomborGooglewashisanattempttoinfluencetherankingofagivensiteinresultsreturnedbytheGooglesearchengine.DuetothewaythatGoogle'sPageRankalgorithmworks,awebsitewillberankedhigherifthesitesthatlinktothatpagealluseconsistentanchortext.8SimplyPut•“Googleallowsforagreatdealoftargetreconnaissancethatresultsinlittleornoexposurefortheattacker.”–JohnnyLong•UsingGoogleasa“mirror”searchesfind:–GooglesearchesforCreditCardandSS#s–Googlesearchesforpasswords–CGI(activecontent)scanning9AnatomyofaSearch•Areonlyconnectedwebpagesindexed?•NO!–OperasubmitseveryURLviewedtoGoogleforlaterindexing….11Johnny.ihackstuff.com•JohnnyLong–WroteGoogleHackingforPenetrationTesters;ISBN1931836361–Manyfreeonlinearticles.•TwoPDFscachedatMattPayne.org/talks/gh•Seethereferencesslide•Orjustusegoogle12GoogleandZeroDayAttacks•SlashdotHeadline:NetWormUsesGoogletoSpread:–PostedbymichaelonTueDec21,'0406:15PMfromtheweb-service-takes-on-new-meaningdept.troop23writesAwebwormthatidentifiespotentialvictimsbysearchingGoogleisspreadingamongonlinebulletinboardsusingavulnerableversionoftheprogramphpBB,securityprofessionalssaidonTuesday.Almost40,000sitesmayhavealreadybeeninfected.InanoddtwistifyouuseMicrosoft'sSearchenginetoscanforthephrase'NeverEverNoSanity'--partofthedefacementtextthattheSantywormusestoreplacefilesoninfectedWebsites--returnsnearly39,000hits.Readerpmfsentinafewmoreinformationlinks:F-SecureweblogandBugtraqposting.Update:12/2203:34GMTbyT:ZephyrXerolinkstothisnews.comarticlethatsaysGoogleisnowsquashingrequestsgeneratedbytheworm.13LocalExample•Monday14February,2005@10:11amUpdate:Nowitsoundslikeeveryonewashitwithanexploitonawstatswhichtookoutquiteafewbloggersandothersites.==Actually,phorumgothitwithittoo!Afterrunningmyserversomething.netforquiteawhileon'borrowedtime',iteventuallygothackedinto-justthisweekend.TheSimiensCrewtookcredittoawebpagedefacement,andbydoingsomegoogling...they'vehitquiteafewwebsitesevenjustthislastweekend!Mybestguesssofarwasanattackononeofmymany3rd-partyPHP-runservicesthatIhavenottakenthetimetowatchandpatchforsecurityannouncements.Couldhavebeengallery,phorum,webcalendar,icalendar,etc...I'lldosomeinvestigatingandhopefullyfindout.Imayhavebeenluckythough,itsoundslikethesewerejustdefacementsandnotall-outattacks,othervictimshavenotreportedanydatalossatleast.Icanrespectthat.WhatIcan'trespectthoughisthemanydefacementsthey'veputupwithFrontPageastheHTMLgenerator!14EnoughBS,HowDoIGetResults?•Pickyourkeywordscarefully&bespecific•DoNOTexceed10keywords•UseBooleanmodifiers•Useadvancedoperators•Googleignoressomewords*:a,about,an,and,are,as,at,be,by,from,how,i,in,is,it,of,on,or,that,the,this,to,we,what,when,where,which,with*From:Google201,AdvancedGoogology-PatrickCrispen,CSU15Google'sBooleanModifiers•ANDisalwaysimplied.•OR:Escobar(NarcoticsORCocaine)•-=NOT:Escobar-Pablo•+=MUST:Escobar+Roberto•Usequotesforexactphrasematching:–nobodyputsbabyinacorner16Wildcards•GooglesupportswordwildcardsbutNOTstemming.–It'stheendofthe*asweknowitworks.–butAmericanPsycho*won'tgetyoudecentresultsonAmericanPsychologyorAmericanPsychophysics.17AdvancedSearchinggoogleguide.comand…AdvancedSearchPage:•cache:•define:•info:•intext:•intitle:•inurl:•link:•related:•stocks:•filetype:•numrange1973..2005•source:•phonebook:://tinyurl.com/5yjnxDEMO:on-2-13-1973..2004visa4356000000000000..435699999999999919Review:BasicSe