Google hacking tutorial
Using search engines as a hacking tool
Google hacking involves using special search terms in the google search engine to narrow down the search results to something very specific. Hackers use it to find vulnerable or exploitable websites, servers and confidential/sensitive data that got exposed to the internet due to poor security.
Google search supports several advanced operators that can be used to search specific parts of a webpage like its title, url, domain name, or content type etc. Using such advanced filtering it is possible to discover very specific things of interest, for example pdfs, login pages and even devices like routers and webcams.
Google search terms used by hackers to discover such exploitable material through search engines are called google dorks. Although it all started with google, the term google hacking now covers not only google search but any search engine in general.
Let's take a look at the special google search operators that are used to construct those high powered google hack search terms.
intitle:
Specifying intitle, will tell google to show only those pages that have the term in their html title. For example intitle:"login page" will show those pages which have the term "login page" in the title text.
allintitle:
Similar to intitle, but looks for all the specified terms in the title.
inurl:
Searches for the specified term in the url. For example inurl:"login.php".
allinurl:
Same as inurl, but searches for all terms in the url.
filetype:
Searches for specific file types. filetype:pdf will look for pdf files in websites. Similarly filetype:txt looks for files with extension .txt
ext:
Similar to filetype. ext:pdf finds pdf extension files.
intext:
Searches the content of the page. Somewhat like a plain google search. For example intext:"index of /".
allintext:
Similar to intext, but searches for all terms to be present in the text.
site:
Limits the search to a specific site only. site:example.com
link:
Using this in a search will show all results that link to that url. link:www.binarytides.com returns all results that have links to www.binarytides.com.
cache:
Passing cache: will return results that link to cached versions of pages Google stores. cache:brown fox will return results that contain brown and/or fox in cached pages Google's database contains.
related:
When related: is used it returns results that are similar to the url you specified. related:www.lokisec.com will return results that are similar to lokisec.com.
Hacking with the operators
Now these operators are used to craft very powerful search terms that reveal lots of free hackable stuff over the internet. Here are some common techniques.
Specific url structures
First are those that look for specific url structures, for example
intitle:"admin login" + inurl:"admin.php" intext:"username" intext:"password"
That term will find all pages that have the term admin login in their title, admin.php in their url and the terms username and password in the html content somewhere. And what is the purpose of finding such a page? You already guessed!
Nowadays websites are often hacked through sql injection. Google can be used to even find websites vulnerable to sql injection. Common search terms are
inurl:"section.php?id=" inurl:"item_id.php?id=" inurl:"itemid.php?id="
These terms just find database driven pages written in php and in most cases powered by mysql. Hackers would then check if the query term id is sql injectable or not. If yes then great or terrible things follow.
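The operators above and the two dorks just shown can be evaluated offline against your own site inventory, so a site owner can see which of their pages a given dork would surface before Google does. This is an added example, not code from the original post; the inventory of pages is constructed and the hypothetical site example.com is an assumption.

```python
import re
from dataclasses import dataclass

@dataclass
class Page:
    url: str
    title: str
    text: str

# Constructed sample inventory for a hypothetical site; none of these are real pages.
INVENTORY = [
    Page("https://example.com/admin.php", "Admin Login", "username password"),
    Page("https://example.com/item_id.php?id=7", "Item 7", "Widget details"),
    Page("https://example.com/docs/report.pdf", "Quarterly report", "revenue figures"),
    Page("https://example.com/backup/", "Index of /backup", "db.sql config.bak"),
    Page("https://example.com/about", "About us", "Contact us"),
]

# One token: optional operator prefix, then a quoted phrase or a bare word.
TOKEN = re.compile(r'(?:(\w+):)?("[^"]*"|\S+)')

def parse_dork(dork: str):
    """Split a dork into (operator, value) pairs; plain words get operator None."""
    terms = []
    for op, val in TOKEN.findall(dork):
        if val == "+":            # a bare '+' between terms adds nothing
            continue
        terms.append((op.lower() or None, val.strip('"').lower()))
    return terms

def term_matches(page: Page, op, val) -> bool:
    url, title, text = page.url.lower(), page.title.lower(), page.text.lower()
    if op in (None, "intext", "allintext"):   # allin* treated like the single form
        return val in text or val in title
    if op in ("intitle", "allintitle"):
        return val in title
    if op in ("inurl", "allinurl"):
        return val in url
    if op in ("filetype", "ext"):
        return url.split("?")[0].endswith("." + val)
    if op == "site":
        host = url.split("/")[2]
        return host == val or host.endswith("." + val)
    return False   # link:, cache:, related: need Google's index, not checkable offline

def exposed_pages(dork: str, inventory=INVENTORY):
    """URLs in the inventory that the dork would surface; all terms must match (AND)."""
    return [p.url for p in inventory if all(term_matches(p, o, v) for o, v in parse_dork(dork))]
```

Running the admin login dork from above against this inventory flags only the admin.php page, and the SQL injection style dorks flag the id-driven item page, which is exactly what an attacker's search would return once those pages are indexed.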
Google hacking can be used to discover online devices like routers, webcams, printers and other similar devices that expose some kind of webpages to google. Check out my previous post on hacking webcams with google.
Now there is another search engine called shodan, that can be used to find devices more efficiently.
Google hacking has been used extensively for both intrusions and information mining. Valuable information like email addresses and phone numbers can be mined out of the search engine. Even credit card information is sometimes leaked through vulnerable applications. Once there was a vulnerability in an asp shopping cart application that could allow a hacker to simply pull out the database of customers and find confidential information.
Google hacking serves as a useful tool in penetration testing as well. Tools like metasploit, recon-ng and nmap now have automated scripts that search google for useful information related to a particular site or organisation. Google hacking also finds excellent use in social engineering attacks and carrying out phishing campaigns. Check out an earlier post which shows how to harvest email addresses using metasploit in an automated fashion without much effort. Another tool called social engineering toolkit can be used to carry out a phishing attack on all the emails.
Although google hacking is an old topic and technique, it remains effective even to this day, simply because vulnerable websites and misconfigured servers keep coming up every now and then all over the internet, and google indexes it all.
A long time ago a book was written on google hacking by Johnny Long named "The Google Hacker's Guide".
Download the Book
He also maintained a free community driven database of powerful google dorks at http://johnny.ihackstuff.com/ but it has now been moved to http://www.exploit-db.com/google-dorks/. Check out the exploit db google dorks and do some lame hacking over the internet.
Check out the presentation by Johnny Long