When it comes to passive information gathering, there are multiple avenues we can follow: target website analysis, email harvesting, whois enumeration, search engines, ... wait a minute, what was that last one? Search engines. If we're trying to find information about anything nowadays, which company do we turn to? Which corporation knows where we are every second of the day, what our browsing habits are, and what that suspicious lump on our thigh is?
Just kidding. Of course I'm talking about Google. But how can we leverage the power of the big G to our advantage in a pentest? The simple answer is search operators.
Search Operators
Google has built-in search operators that can aid us in finding specific information that is relevant to our target organization. For example, we can use the '@' operator to search for social accounts like @katyperry, or the '#' operator to find trending topics like #mancrushmonday. You can find a couple of other basic search operators here.
However, in order to find some really useful information, we need to get creative and combine these search operators. Let's say we want to find all the PDF files on http://www.hak5.org/. We can combine the "site" and "filetype" search operators to do just that:
And voila! Now obviously there's no privileged information available on this site (because they know what they're doing), but if an organization isn't careful with their files, a confidential .pdf, .xls, or other file could easily be leaked to the public. We'll look at one more quick example before moving to the mother lode of google hacking.
By now, you've probably heard about finding open security cameras and webcams through Google. First we'll need to know some kind of identifying signature of a specific technology. In this case, we'll be searching for Mobotix cameras. A unique identifier for Mobotix cameras is the file path "control/userimage.html", so we'll look for this with the "inurl" operator.
Wow, 147 results! That's a decent amount of open cameras. And remember, this is just for one specific brand. You could use the "and" operator to concatenate results for cameras made by JVC, Panasonic, Sony, etc. Now that we've seen how useful Google can be for information gathering, you might start asking... "Isn't there a better way to do this? What if I don't know various signatures for vulnerabilities?"
And voila! Now obviously there's no privileged information available on this site (because they know what they're doing), but if an organization isn't careful with their files, a confidential .pdf, .xls, or other file could easily be leaked to the public. We'll look at one more quick example before moving to the mother lode of google hacking.
By now, you've probably heard about finding open security cameras and webcams through Google. First we'll need to know some kind of identifying signature of a specific technology. In this case, we'll be searching for Mobotix cameras. A unique identifier for Mobotix cameras is the file path "control/userimage.html", so we'll look for this with the "inurl" operator.
Wow, 147 results! That's a decent amount of open cameras. And remember, this is just for one specific brand. You could use the "and" operator to concatenate results for cameras made by JVC, Panasonic, Sony, etc. Now that we've seen how useful Google can be for information gathering, you might start asking... "Isn't there a better way to do this? What if I don't know various signatures for vulnerabilities?"
Google Hacking Database
Introducing the Google Hacking Database (GHDB). If you've used Exploit Database before, then you're probably already familiar with this awesome tool. If not, you're in for a real treat. The GHDB makes it terrifyingly easy to find good google fu to use on targets. Everything is already sorted into the following categories:
To demonstrate exactly how powerful this is, we'll use another scenario. Say you're enumerating on a target and you've found out that they're using Joomla as their CMS. This is a great find, but unfortunately you're really unfamiliar with Joomla. How are you supposed to know where to look? Sure you could rummage through all of the documentation, but that will only get you so far. A better option? Use GHDB, select the "Advisories and Vulnerabilities" section and simply type in "Joomla".
BLAM! Hundreds of Joomla specific vulnerabilities to search for. Play around with searching for files containing usernames, passwords, and other privileged information. It's amazing how much stuff is publicly available online. Just remember, don't do anything illegal!
In addition, with a simple python or ruby script, you could automate searching for all of these, and store the results in a database to find which vulnerabilities are applicable to your target. That actually sounds like a cool project. I'm gonna go get my hands dirty. Search ya later!
To demonstrate exactly how powerful this is, we'll use another scenario. Say you're enumerating on a target and you've found out that they're using Joomla as their CMS. This is a great find, but unfortunately you're really unfamiliar with Joomla. How are you supposed to know where to look? Sure you could rummage through all of the documentation, but that will only get you so far. A better option? Use GHDB, select the "Advisories and Vulnerabilities" section and simply type in "Joomla".
BLAM! Hundreds of Joomla specific vulnerabilities to search for. Play around with searching for files containing usernames, passwords, and other privileged information. It's amazing how much stuff is publicly available online. Just remember, don't do anything illegal!
In addition, with a simple python or ruby script, you could automate searching for all of these, and store the results in a database to find which vulnerabilities are applicable to your target. That actually sounds like a cool project. I'm gonna go get my hands dirty. Search ya later!