- Google Hacking For Penetration Testers Filetype Pdf
- Google Hacking For Penetration Testers Volume 2 Pdf
Not a day goes by in my life where I don’t use Google search. Nothing is easier than loading up the page, typing in a phrase, and seeing 650,000 related articles come back to you -- but therein lies the problem. Google is an amazing tool but tends to over-deliver unless you’re very specific and know a few advanced search operators. In this blog post, I’m going to attempt to show some relatively simple Google hacks that will make recon a breeze, and hopefully translate over into the rest of your searches as well.
Advanced Penetration Testing: 269 Pages: 2. The Basics of Web Hacking: 179 Pages: 3. The Basics of Hacking and Penetration Testing: 178 Pages: 4. The Art of Deception by Kevin Mitnick: 577 Pages: 5. SQL Injection Attacks and Defense: 761 Pages: 6. Metasploit - The Penetration Tester's Guide: 332 Pages: 7. Ethical Hacking and Penetration Testing. The Google Hacking tool uses your browser to make requests to Google using specific search expressions (Google dorks) that can find interesting information about the target. You have finished your free scans. Kali works only on Linux Machines. It is one of the best pen testing tools that enables you to create a backup and recovery schedule that fit your needs. It promotes a quick and easy way to find and update the largest database of security penetration testing collection to-date.
Google search operates a few ways. Typing a phrase will look for the exact phrase, as well as variations of the phrase (adding or subtracting words), to try to come close to what you want. It also operates on Boolean operators such as “OR,” and “AND.” Finally, there are some advanced filters you can write inline with your search to help narrow things down. For the purposes of this post, we’re going to focus on the last two methods. I've also included a cheat sheet to help with more advanced Google hacking during your penetration testing
The Basics of Search
There are two basic searches I use all the time; quotes around phrases, and the + operator. These two functions alone can be immensely helpful when gathering information or filtering through junk.
Quotes around phrases require Google to search the whole phrase, not just parts of it. Take a look at the results for
with and without quotes; they will be significantly different. You can also place a quote around a single word - without it, Google will try looking at variations of the word (for example, the phrase ‘Malware Hunting’ without quotes may return results for Malware Hunters, Malware Hunt, Virus Hunting, etc.)
The + operator before a word will only return results that specifically include that word. Building upon the last example, a search for
will only return results where OpenSSL is being discussed along with that phrase.
Boolean Operators in Google: No really, just give me what I want.
Google search results vastly improve with the AND or OR operators. AND is similar to the + operator above, and can be used in parenthesis as well to build queries. It binds two terms together and will only give you exact results.
In this example, we’re trying to find a previous AlienVault blog post on building a Malware Hunter’s home lab. Searching Malware Hunter Home Lab by itself does return what we want, but also returns over 45,000 other pages -- and after the first few pages, the relevance of each result drops dramatically. By modifying this to contain some Boolean operators and quotation marks, we can search for
Google Hacking For Penetration Testers Filetype Pdf
and narrow this down to 3,500. The results are also much more geared toward what we want. Using the example above, maybe we don’t quite recall what the phrasing of the article was. We remember that it was either malware or virus hunting, and it was a home lab setup. Using the query
we can narrow down to 4,200 results, from malware virus hunter home lab which returns a whopping half million. Another operator you should know is the NOT operator. Google simply uses a minus sign in front of the word to exclude it from all search results. Building on the query above, we want to exclude any results that mention Twitter. We simply modify the query to
and no results including the word Twitter will be returned. This can be risky however, especially when excluding social media - many legitimate sites will have links to their social media presence on each page. However, this leads us into our next section…
Custom Inline Filters: Seriously Powerful.
There are a ton of very powerful, restrictive filters that are Google-specific. I’ll go over a few of my favorites, and have the supplemental cheat sheet available if you want to try out some more. Be advised that once you start stringing these together, Google will get suspicious. After a few queries, expect to get a CAPTCHA challenge page along with your IP address and search query - this is normal. Put in the query and you’ll get a few more advanced searches out of them before it reappears. This is intended mainly to stop automated scrapers and scripts, and the only surefire way I’ve found to avoid it is to do a normal, uncomplicated search in between your advanced searches.
A sample of Google’s search CAPTCHA
Remember you can also use the above filters in conjunction with the below inline filters; for example, -site:microsoft.com excludes microsoft, +site:microsoft.com requires it.
- site: This filter will restrict the rest of your search to one website. Rather than returning Wikipedia links, Reddit links, Twitter links, etc - you can focus on one particular site. Let's use it to search for password dumps on Pastebin with the following query:
Unraveling this query, we’re requiring the phrase “password dump,” only returning results that include @gmail.com addresses, and limiting our results to the website “pastebin.com” -- this returns 73 results, all very relevant to what we want.
- inurl: Maybe the exact site doesn’t matter much, but you only want results with part of a url present. In this example we’ll search for phpMyAdmin databases indexed by Google:
this returns lots of poorly configured phpMyAdmin installs. Further filtering with site: above, a penetration tester could quickly search for misconfigured services during the recon portion of their test.
- filetype: Filetype is a great way to search for files that were exposed to the internet erroneously, or shared and long forgotten. We can use standard file extensions without the dot (think pdf, not .pdf) to see what’s been left out for public consumption. In the following query, we’ll pull all .PDF files left from NIST.gov that have the phrase “best practice” somewhere in them.
From a penetration testing reconnaissance standpoint, this could help you collect authentic corporate documents and inside contacts for a social engineering campaign, pull out potentially sensitive data, scan for leaks in their regulatory compliance requirements, and countless other things.
Beyond narrowing down your search results, security practitioners and penetration testers can leverage their knowledge of systems and vulnerabilities along with Google hacking to perform audits. With these tools you can see what’s “available on the outside,” and where your potential exposure is. During penetration tests, you can use these tools to build out social engineering campaigns or locate sensitive information the target may have forgotten was even public. Here are a few queries you can modify to find some very interesting data.
Find open web directories containing the word TERM on Apache or IIS servers:
Find password dumps on pastebin:
Find Excel files on nist.gov (hint: Click on “view omitted search results” for more):
Look for Apache Tomcat installs on a specific website:
Search for Windows XP exploits, but do not include anything on Exploit-DB.com:
Conclusion
Hopefully the techniques outlined above will help make your life a little easier. While I initially learned these search operators to help myself professionally, hardly a day goes by when I don't use them for personal searching as well. Google is a wealth of information, but often times, you need to separate the wheat from the chaff to find what you're really looking for.
About the Author
Jayme is a systems administrator by trade, IT Manager by role, penetration tester by passion, and is always on the hunt for interesting infosec information. https://www.twitter.com/highmeh
Google Hacking For Penetration Testers Volume 2 Pdf
| Author | : Johnny Long |
| Publisher | : Syngress |
| Release Date | : 16 December 2015 |
| ISBN 10 | : 9780128029640 |
| Pages | : 234 pages |
| Rating | : |
Google is the most popular search engine ever created, but Google's search capabilities are so powerful, they sometimes discover content that no one ever intended to be publicly available on the Web, including social security numbers, credit card numbers, trade secrets, and federally classified documents. Google Hacking for Penetration Testers, Third Edition, shows you how security professionals and system administratord manipulate Google to find this sensitive information and 'self-police' their own organizations. You will learn how Google Maps and Google Earth provide pinpoint military accuracy, see how bad guys can manipulate Google to create super worms, and see how they can 'mash up' Google with Facebook, LinkedIn, and more for passive reconnaissance. This third edition includes completely updated content throughout and all new hacks such as Google scripting and using Google hacking with other search engines and APIs. Noted author Johnny Long, founder of Hackers for Charity, gives you all the tools you need to conduct the ultimate open source reconnaissance and penetration testing. Third edition of the seminal work on Google hacking Google hacking continues to be a critical phase of reconnaissance in penetration testing and Open Source Intelligence (OSINT) Features cool new hacks such as finding reports generated by security scanners and back-up files, finding sensitive info in WordPress and SSH configuration, and all new chapters on scripting Google hacks for better searches as well as using Google hacking with other search engines and APIs