
T23

Concurrent Class
10/3/2013 3:00:00 PM

"The Google Hacking Database: A Key Resource to Exposing Vulnerabilities"
Presented by:

Kiran Karnad
Mimos Berhad

Brought to you by:

340 Corporate Way, Suite 300, Orange Park, FL 32073


888-268-8770 904-278-0524 [email protected] www.sqe.com
Kiran Karnad
MIMOS Berhad

After more than sixteen years in software testing and implementation, Kiran Karnad found his
true calling in penetration testing. Proudly calling himself a hands-on lead for information
security, Kiran has worked with several Fortune 500 companies and mentored software test
teams in multiple geographies. Currently leading the functional and security efforts at MIMOS,
Kiran strives to identify process improvement opportunities throughout the organization and to
implement them effectively.
9/19/2013

The Google Hacking Database

Product Quality and Reliability Engineering Team
Kiran Karnad, MIMOS Bhd

A Key Resource to Exposing Vulnerabilities


Disclaimer

What's This All About?

Google & Bing Basics - OSINT
Basic, Phrase and Advanced Search
What's Google Hacking All About?
Sample Hacks
Script for OSINT
In the Recent Past
If you are not hacked, you are not important!

What All Can Be Hacked

Network
Hardware hacking
Wireless
Social Engineering
Mobile
Lock Picking
Web hacking
OSINT

What you don't know might hurt

OSINT - Let's Define

OSINT: intelligence collected from public sources.

OSINT communities:
- Government: FBI, CBI etc.
- Military: Defence Intelligence Agency, Homeland Security
- Business: commercial, competitor intelligence, BI
- Anonymous & LulzSec

OSINT - some methods:
- Google (details on the next slides)
- Social (search) engines
- shodan
- GHDB

GOOGLE HACKING

It's what you expose

How Google Works

Search Types Supported

Basic Search
Phrase Search
Advanced Operators

BASIC SEARCH

The most used type of search

So InSenSItiVe

5W 1H - Google doesn't mind

Mark my Ten Words, that's it

The reason for the previous results

* Avoiding * the 10-word limitation *

And I'm Always There

Now, try this: +the * *

Search Types
General Search
- Not cAsE seNSitiVE
- No more than 10 keywords in a search (the deck's figure; Google raised the limit to 32 words in 2005, so plan your queries around that)
- Google ignores stop words such as a, the 5W1H words, this, to, we
- AND is always implied
- Example: date of birth of Hugh Jackman

Phrase Search
- Use quotes
- Use + to force a term and - to exclude it (Google retired the + operator in October 2011; quoting a single word is how you force it now)
- No space follows these signs
- Compare the SERPs with and without quotes

PHRASE SEARCH

More shrewd searches

Is there a difference?

Force The Plus, Exclude The Minus

OR vs. AND

OR | or

A Quick Recap

Operators
Logical
- OR is case sensitive (lower-case "or" is treated as an ordinary word)
Mathematical
- + (must) and - (not) have special meaning
No stemming of wildcards
- OK: "It's the end of the * as we know it"
- KO: "American Psycho*" won't give psychology or psychophysics
- * represents a whole word, not the completion of a word
- Period is a single-character wildcard
Let's try some

ADVANCED OPERATORS

Stop No More!

Know Thy Web Page

intitle:
inurl:
intext:
inanchor:

filetype:
numrange:

Let's try one query:

http://www.google.com/#q=100000000..999999999+filetype:sql

Advanced Operators = advanced queries

List of the most used advanced operators:
- intitle:
- inurl:
- intext:
- inanchor:
- filetype:
Syntax is operator:search_term with no space before or after the colon.
Continued

Advanced Operators contd

More advanced operators:
- numrange:
- daterange:
- site:
- related:
- cache:
- link:
Try a space between the operator and the term and compare the result counts.

T1ll n0w, w3 534Rch3d: B451c, Phr453, 0p3r4t0r5
Fr0m n0w, w3 H4ck

intitle:index.of server.at

So What?
What can a hacker do with this info? The listing footer ("... Server at ...") gives away the server version, here Apache 2.2.16:
- Go to http://www.cvedetails.com
- Check vulnerabilities for Apache 2.2.16
- Trigger Metasploit

intitle:index.of server.at site:aol.com

Linux server installer files are obtained: files on the AOL server, files on the MIT server.

Hyped Music
Query is: intitle:index.of name size
Check out the site hypem.com in the SERPs. Walk up the directory tree from any listed page and you can download tons of music, and their business is selling music online!

Our Learning Till Now

Directory listings show server version information, useful for an attacker:
  intitle:index.of server.at
  intitle:index.of server.at site:aol.com
Finding directory listings:
  intitle:index.of "parent directory"
  intitle:index.of name size
Piracy (MP3s, ISOs):
  intitle:index.of mp3 jackson
  intitle:index.of iso kaspersky
Remember, Google stems!

Piracy - MP3s
intitle:index.of mp3 jackson
Yields 20+ pages of songs in mp3 format
No need to wait for website instructions!
Remember, Google stems!
intitle:index.of iso kaspersky
Gets the AV installers from various websites
Most of them with professional key or cracks
Even beta versions are available

More Piracy - ISO
inurl:microsoft intitle:index.of filetype:iso
Get MS ISO files from everywhere!

Johnny's Disclaimer

Listing all the index pages

Each of these pages is a target, since the hacker now knows the version and type of the app server, database and web server.

Listing all the subdomains

HR Intranet with details on...
inurl:intranet intitle:intranet +intext:"human resources"

Some details a hacker gets from here:
- HR forms and policies
- New staff info
- Consultation
- Health benefits
- Salary packaging
- Contact person
- Office and meeting room layout
- Emails and phones
- Training
- Pay calculation

PuTTY SSH Logs with juicy info

Usernames and Passwords

Results here: d:\official\white papers\starwest2013\uname-pwd.xls and uname-pwd2.xls

SQL Injectable Websites

The first query brought 38K results.
Just by reordering the terms, we got 3.3 million in less time!
Each of these is a candidate for SQL injection testing, and these are just the PHP sites!

Our Learning Till Now

Combining operators does the magic:
  inurl:microsoft.com -inurl:www.microsoft.com
  inurl:intranet intitle:intranet +intext:"human resources"
  filetype:log username putty
  inurl:admin intext:username= AND email= AND password= OR pass= filetype:xls
  intitle:index.of inurl:admin
  filetype:php inurl:id=

Database Querying

Query to get MySQL connection details: filetype:phps mysql_connect
The served source also enumerates the tables via the SQL it contains.
So you know the connection details, the IP and the tables!

Login, Password, Website - All in One!

The query: filetype:xls "username | password"
One of the results on page 1:
http://teachersites.schoolworld.com/.../files/teachers%20passwords.xls
Number of results: 46,500


A Quick Q
What do you think this query does?

inurl:"passes" OR inurl:"passwords" OR inurl:"credentials" -search -download -techsupt -git -games -gz -bypass -exe filetype:txt @yahoo.com OR @gmail OR @hotmail OR @rediff

Our Learning Till Now

filetype:phps mysql_connect
filetype:xls "username | password"
inurl:"passes" OR inurl:"passwords" OR inurl:"credentials" -search -download -techsupt -git -games -gz -bypass -exe filetype:txt @yahoo.com OR @gmail OR @hotmail OR @rediff

NOT BORED YET?

Let's dig in some more!

Which sites have been hacked?

Compromised sites often carry a dropped web shell named r00t.php:
inurl:r00t.php

The logs might help
Checking hacked website logs for more info:
allintext:fs-admin.php

Must Tries
- Hacked websites: inurl:r00t.php
- Hacked logs: allintext:fs-admin.php
- Finding login for portals: intitle:admin intitle:login
- SSH usernames: filetype:log username putty
- Getting user list: inurl:admin inurl:userlist
- Passwords!: filetype:pass pass intext:userid
- SQL passwords: filetype:sql password
- Usernames: inurl:admin filetype:xls
- Passwords: inurl:password filetype:xls
- More!!: inurl:passwd filetype:xls (also pdf, doc, mdb)

More Stuff!
- intitle:"Index of" passwords modified
- allinurl:auth_user_file.txt
- "access denied for user" "using password"
- "A syntax error has occurred" filetype:ihtml
- allinurl: admin mdb
- "ORA-00921: unexpected end of SQL command"
- inurl:passlist.txt
- "Index of /backup"
- "Chatologica MetaSearch" "stack tracking:"

Listings of what you want

Change the word after "parent directory" to what you want:
"parent directory " DVDRip -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
"parent directory " Xvid -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
"parent directory " Gamez -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
"parent directory " MP3 -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
"parent directory " Name of Singer or album -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
CGI Scanner
Google can be used as a CGI scanner. The index.of or inurl searches are good tools to find vulnerable targets. For example, a Google search for this:
allinurl:/random_banner/index.cgi
Hurray! There are only four (two now). The broken random_banner program will cough up any file on that web server, including the password file.

Passwords
"# -FrontPage-" inurl:service.pwd
FrontPage passwords... very nice clean search results listing!!

"AutoCreate=TRUE password=*"
This searches the password for "Website Access Analyzer", a Japanese software that creates web statistics. For those who can read Japanese, check out the author's site at: http://www.coara.or.jp/~passy/

"http://*:*@www" domainname
This is a query to get inline passwords from search engines (not just Google); you must type "http://*:*@www" gamespy or http://*:*@wwwgamespy in the query, followed with the domain name without the .com or .net. Another way is by just typing "http://bob:bob@www"

More Passwords - IRC and Access

"sets mode: +k"
This search reveals channel keys (passwords) on IRC as revealed from IRC chat logs.

eggdrop filetype:user user
These are eggdrop config files. Avoiding a full-blown discussion about eggdrops and IRC bots, suffice it to say that this file contains usernames and passwords for IRC users.

allinurl: admin mdb
Not all of these pages are administrators' Access databases containing usernames, passwords and other sensitive information, but many are!

MySQL Passwords & ETC directory

intitle:"Index of" config.php
This search brings up sites with "config.php" files. To skip the technical discussion, this configuration file contains both a username and a password for an SQL database. Most sites with forums run a PHP message base. This file gives you the keys to that forum, including FULL ADMIN access to the database.

intitle:index.of.etc
This search gets you access to the etc directory, where many, many, many types of password files can be found. This link is not as reliable, but crawling etc directories can be really fun!

Passwords in backup files
filetype:bak inurl:"htaccess|passwd|shadow|htusers"
This will search for backup files (*.bak) created by some editors or even by the administrator himself (before activating a new version). Every attacker knows that changing the extension of a file on a web server can have ugly consequences: a renamed .php or .htaccess is no longer treated as code or configuration, and the server hands out its contents as plain text.

Serial Numbers
Let's pretend you need a serial number for Windows XP Pro.
In the Google search bar type in just like this: "Windows XP Professional" 94FBR
The key is the 94FBR code. It was included with many MS Office registration codes, so this will help you dramatically reduce the amount of 'fake' sites (usually pornography) that trick you. Or if you want to find the serial for WinZip 8.1: "WinZip 8.1" 94FBR

Credit Cards!!
Number ranges to find credit card, SSN and account numbers:
Amex (15 digits): 300000000000000..399999999999999
MC (16 digits): 5178000000000000..5178999999999999
Visa (16 digits): 4356000000000000..4356999999999999

Working Samples!

Credit-Cards-Pastebin.txt

Some More Working Samples
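A numrange: query returns every digit string inside the range, so a paste found with the Amex, MC and Visa ranges above is full of order IDs and serials as well as card numbers. The Python below is an added example, not from the deck: it applies the slide's three ranges to text pulled from a result page and keeps only candidates that also pass the Luhn check, which genuine card numbers satisfy, so an auditor confirming a leak reports masked hits instead of chasing noise. The Luhn step, the function names and the sample paste are this example's own; the ranges are the slide's.

```python
import re
from typing import Dict, Iterator, List, Optional

# Ranges exactly as the slide gives them (inclusive bounds).
RANGES = {
    "Amex": (300000000000000, 399999999999999),     # 15 digits
    "MC":   (5178000000000000, 5178999999999999),   # 16 digits
    "Visa": (4356000000000000, 4356999999999999),   # 16 digits
}


def luhn_ok(digits: str) -> bool:
    """Luhn check: double every second digit from the right, subtract 9 when
    the doubled value exceeds 9, and the total must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def candidates(text: str) -> Iterator[str]:
    """Digit runs of 15 or 16 digits, allowing the spaces or dashes people
    type into pastes; separators are stripped from what is yielded."""
    for m in re.finditer(r"(?<!\d)(?:\d[ -]?){14,15}\d(?!\d)", text):
        yield re.sub(r"[ -]", "", m.group(0))


def classify(number: str) -> Optional[str]:
    """Brand whose slide range contains the number (and whose length matches), or None."""
    n = int(number)
    for brand, (lo, hi) in RANGES.items():
        if lo <= n <= hi and len(number) == len(str(hi)):
            return brand
    return None


def mask(number: str) -> str:
    """Keep the BIN and last four so a finding can be reported without the full PAN."""
    return number[:6] + "*" * (len(number) - 10) + number[-4:]


def triage(text: str) -> Dict[str, List[str]]:
    """Split numbers the dork would match into 'likely' (in range and Luhn-valid)
    and 'noise' (out of range or failing Luhn); masked, de-duplicated, in order."""
    out: Dict[str, List[str]] = {"likely": [], "noise": []}
    seen = set()
    for num in candidates(text):
        if num in seen:
            continue
        seen.add(num)
        brand = classify(num)
        if brand and luhn_ok(num):
            out["likely"].append(f"{brand}:{mask(num)}")
        else:
            out["noise"].append(mask(num))
    return out


# Constructed paste, not a real leak: three Luhn-valid numbers inside the
# slide's ranges, two in-range numbers that fail Luhn, one valid number
# outside the ranges, and a phone number the pattern must ignore.
SAMPLE = """\
card: 4356 0000 0000 0002 exp 09/13
card: 5178-0000-0000-0005
amex: 340000000000009
order_id=4356000000000001
order_id=5178000000000001
test: 4111111111111111
phone: 6012345678
"""

if __name__ == "__main__":
    for kind, items in triage(SAMPLE).items():
        print(kind, items)
```

The Luhn check cuts the false positives but does not prove a number is live; treat a "likely" hit as a reason to notify the site owner, not as a validated card.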

CCTV Control
The first query produced 3000+ results!
Let's click on one of the SERPs: pan, scan, tilt & zoom. You can control the camera.

Many more queries possible for CCTV:
inurl:LvAppl intitle:liveapplet
inurl:"viewerframe?mode=motion"
intitle:"Live View / - AXIS"
intitle:"snc-rz30 home"
inurl:indexFrame.shtml "Axis Video Server"
So where is the database?
http://www.exploit-db.com/google-dorks/

OK, I'M CONVINCED

So, how do I secure myself?

Securing ourselves from Google Hackers
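The countermeasure slide in the deck is a title only. As an added example, not the deck's material, the Python below turns the dorks into a self-audit: it runs the same indicators the queries rely on (an "Index of" title with a Parent Directory link, the server version in the Server header or the "Server at" footer, backup and config files, PuTTY logs, credential spreadsheets, served PHP source with a database connect call, and the r00t.php / fs-admin.php shell names) over HTTP responses captured from your own site, so you find the exposure before a search engine indexes it. The responses are constructed; the path patterns and function names are this example's own mapping of the queries on the slides.

```python
import re
from typing import Dict, List

# Indicators, each tagged with the slide query it corresponds to.
LISTING_TITLE = re.compile(r"<title>\s*Index of\s*/", re.I)              # intitle:index.of
PARENT_LINK = re.compile(r"Parent Directory", re.I)                       # "parent directory"
SERVER_HEADER = re.compile(r"^(Apache|nginx|Microsoft-IIS|lighttpd)/\d[\w.]*", re.I)
SERVER_FOOTER = re.compile(r"<address>\s*(\S+/\d[\w.]*)[^<]*Server at", re.I)  # server.at
PUTTY_LOG = re.compile(r"PuTTY log", re.I)                                # filetype:log username putty
DB_CONNECT = re.compile(r"mysql_connect\s*\(", re.I)                      # filetype:phps mysql_connect

# (path pattern, why it matters): this example's mapping of the file-name dorks.
RISKY_PATHS = [
    (re.compile(r"\.(bak|old|orig|save)$", re.I),
     "backup copy served as plain text (filetype:bak)"),
    (re.compile(r"(^|/)(\.htaccess|\.htpasswd|htusers|passwd|shadow)(\.|$)", re.I),
     "auth or password file reachable (inurl:htaccess|passwd|shadow|htusers)"),
    (re.compile(r"(^|/)config\.php$", re.I),
     "PHP config holding database credentials (intitle:\"Index of\" config.php)"),
    (re.compile(r"(^|/)service\.pwd$", re.I),
     "FrontPage password file (inurl:service.pwd)"),
    (re.compile(r"(^|/)(r00t|fs-admin)\.php$", re.I),
     "file name used by dropped web shells (inurl:r00t.php)"),
    (re.compile(r"(pass(word|wd|es)?|credential|userlist)[^/]*\.(xls|csv|txt|pdf|doc|mdb)$", re.I),
     "credential list or spreadsheet (inurl:password filetype:xls)"),
]


def audit(path: str, status: int, headers: Dict[str, str], body: str) -> List[str]:
    """Findings for one captured response; only 200s are indexable content."""
    findings: List[str] = []
    if status != 200:
        return findings
    hdrs = {k.lower(): v for k, v in headers.items()}
    version = None
    m = SERVER_HEADER.match(hdrs.get("server", ""))
    if m:
        version = m.group(0)
    else:
        f = SERVER_FOOTER.search(body)
        if f:
            version = f.group(1)
    if version:
        findings.append(f"{path}: server version disclosed: {version} (intitle:index.of server.at)")
    if LISTING_TITLE.search(body) and PARENT_LINK.search(body):
        findings.append(f"{path}: directory listing enabled (intitle:index.of \"parent directory\")")
    for pattern, why in RISKY_PATHS:
        if pattern.search(path):
            findings.append(f"{path}: {why}")
    if PUTTY_LOG.search(body):
        findings.append(f"{path}: PuTTY session log with login prompts (filetype:log username putty)")
    if DB_CONNECT.search(body):
        findings.append(f"{path}: database connect call in served source (filetype:phps mysql_connect)")
    return findings


def audit_all(responses) -> Dict[str, List[str]]:
    """responses: iterable of (path, status, headers, body) as captured by your crawler."""
    return {path: audit(path, status, hdrs, body) for path, status, hdrs, body in responses}


def exposed(responses) -> List[str]:
    """Paths with at least one finding, in crawl order."""
    return [p for p, f in audit_all(responses).items() if f]


# Constructed responses standing in for a crawl of one's own host.
SAMPLES = [
    ("/backup/", 200, {"Server": "Apache/2.2.16 (Debian)"},
     "<html><head><title>Index of /backup</title></head><body><h1>Index of /backup</h1>"
     "<a href='/'>Parent Directory</a> <a href='db.sql'>db.sql</a>"
     "<address>Apache/2.2.16 (Debian) Server at www.example.com Port 80</address></body></html>"),
    ("/conf/.htaccess.bak", 200, {"Server": "Apache"}, "AuthUserFile /var/www/.htpasswd\n"),
    ("/logs/putty.log", 200, {"Server": "Apache"},
     "=~=~=~=~=~=~=~=~ PuTTY log 2013.09.19 14:02:11 =~=~=~=~=~=~=~=~\nlogin as: admin\npassword:\n"),
    ("/inc/db.phps", 200, {"Server": "Apache"},
     "<?php $link = mysql_connect('10.0.0.5', 'root', 's3cret'); ?>"),
    ("/index.html", 200, {"Server": "Apache"}, "<html><title>Welcome</title></html>"),
    ("/admin/", 403, {"Server": "Apache/2.2.16"}, "Forbidden"),
]

if __name__ == "__main__":
    for path, findings in audit_all(SAMPLES).items():
        for line in findings:
            print(line)
```

Run it over the captured responses of a crawl of your own hosts, not over Google results. For the two most common hits on Apache, directory listings are switched off with Options -Indexes, and the version in the footer and header with ServerSignature Off and ServerTokens Prod.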

SOME ADDITIONAL INFO

To Inspire You To Be A Security Tester

BHDB (Bing Hacking Database)

How Vulnerability Scanners Work

Scanner Limitations
- If the DB doesn't have it, it won't detect it: purely signature based
- Authentication by the scanner is not trustworthy
- Lacks IDS detection bypass
- No realistic fuzzing possible
- Can't replace manual SQL injection
- No intelligence in detecting attack vectors and surfaces
- Working with custom apps is a limitation
- Can identify points of weakness but can't anticipate complex attack schemes
- Can't handle asynchronous & offline attack vectors
- Can't detect logic flaws, weak cryptographic functions, information leakage etc.
Limitations should be clearly understood

WHERE DO ACTUAL HACKS COME FROM
So, who are these hackers?

Real-life hacker categories

THE TAKE-AWAY

Top Simple Security Searches that Work!

Queries
Combine searches with the site: operator
- intitle:index.of (leads to a direct hack)
- intitle:intranet | help.desk
- filetype:xls username OR password
- inurl:admin inurl:userlist

More Queries
- inurl:admin OR inurl:password filetype:xls (csv)
- inurl:lvappl Live Applet site:*.*
- inurl:intranet intitle:intranet +intext:"human resources"
- filetype:log username putty

So where is the GH database?
Top Ten Searches PDF (http://tinyurl.com/starwestghdb2013)

AUTOMATION

Automating the Google Searches

Search API / OS Script

Google Web Search API (WSDL): deprecated
Now the Custom Search API is used
Google controls the use: https://developers.google.com/web-search/terms
Open source script: http://pastebin.com/uE5wJWMy
1. Download the script 2. Rename as .JS 3. Create a data file 4. Call it from any HTML page
http://www.exploit-db.com/google-dorks/
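The automation slides point at a JavaScript script on pastebin that is not reproduced here. Below is an added Python example, not the deck's script, that does the same job offline: it reads a data file of dorks, normalises each one under the syntax rules from the operator slides (operators lower-case with no space after the colon, OR upper-case, a "+"-forced word rewritten as a quoted term because Google retired "+"), scopes it with site: as the take-away slide recommends, and emits the search URL. The operator set and the queries in the data file come from the slides; the function names, the data-file format and the sample file are this example's assumptions.

```python
import re
from typing import Iterator, List, Optional, Tuple
from urllib.parse import urlencode

# Advanced operators named on the slides (matched case-insensitively).
OPERATORS = {"intitle", "allintitle", "inurl", "allinurl", "intext", "allintext",
             "inanchor", "filetype", "site", "numrange", "daterange",
             "related", "cache", "link"}

# One token: optional sign, optional operator (a stray space after the colon is
# tolerated here so that it can be removed), then a quoted phrase or a bare word.
TOKEN_RE = re.compile(r'(?P<sign>[-+]?)(?:(?P<op>[A-Za-z]+):\s*)?(?P<val>"[^"]*"|\S+)')


def tokenize(query: str) -> Iterator[Tuple[str, Optional[str], str]]:
    """Yield (sign, operator, value) per token.  A 'word:rest' whose prefix is
    not a known operator (e.g. http://...) comes back as one bare word."""
    for m in TOKEN_RE.finditer(query):
        op, val = m.group("op"), m.group("val")
        if op is not None and op.lower() not in OPERATORS:
            yield m.group("sign"), None, f"{op}:{val}"
        else:
            yield m.group("sign"), (op.lower() if op else None), val


def normalize(query: str) -> str:
    """Canonical form: operators lower-case with nothing between the colon and
    the term, OR upper-case (lower-case 'or' is just a word to Google), and a
    '+'-forced bare word rewritten as a quoted term, because Google dropped
    the '+' operator in 2011."""
    out: List[str] = []
    for sign, op, val in tokenize(query):
        if op is None and val.lower() == "or":
            out.append("OR")
            continue
        if sign == "+":
            if op is None and not val.startswith('"'):
                val = f'"{val}"'
            sign = ""  # an operator term is already forced; drop the obsolete '+'
        out.append(f"{sign}{op}:{val}" if op else f"{sign}{val}")
    return " ".join(out)


def search_url(query: str, site: Optional[str] = None,
               engine: str = "https://www.google.com/search") -> str:
    """GET URL for a normalised dork, scoped with site: when a target is given."""
    q = normalize(query)
    if site:
        q = f"{q} site:{site}"
    return f"{engine}?{urlencode({'q': q})}"


def load_dorks(data_file: str) -> List[str]:
    """Data-file format assumed here: one dork per line, '#' starts a comment."""
    return [ln.strip() for ln in data_file.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def build_queries(data_file: str, site: Optional[str] = None) -> List[str]:
    return [search_url(d, site) for d in load_dorks(data_file)]


# Constructed data file; the queries themselves are ones shown on the slides.
DORK_FILE = """\
# one dork per line
Intitle:index.of server.at
intitle: index.of "parent directory"
Filetype:log username putty
inurl:intranet intitle:intranet +intext:"human resources"
"""

if __name__ == "__main__":
    for url in build_queries(DORK_FILE, site="example.com"):
        print(url)
```

Fetching the generated URLs in bulk is what the Custom Search API terms on the previous slide govern; keep the requests within them and scope every run to domains you are authorised to test.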

Tools within OS Systems

Open source penetration testing platforms such as BackTrack and Kali ship tools for Google hacking:
- Exploit-DB / Searchsploit
- GooDork
- Websploit
- Social Engineering Toolkit
- Burp Suite (decoder)

So...

About the Presenter