Google: A Hacker's Best Friend

In the last few years a number of news articles have appeared warning that hackers (or crackers, if you will) make use of the Google search engine to gain access to files they shouldn't be allowed to see or have access to. This knowledge is nothing new to some people, but personally I have always wondered how exactly a thing like this works. VNUnet's James Middleton wrote an article in 2001 talking about hackers using a special search string on Google to find sensitive banking data:

"One such posting on a security newsgroup claimed that searching using the string 'Index of / +banques +filetype:xls' eventually turned up sensitive Excel spreadsheets from French banks. The same technique could also be used to find password files"[1]

Another article that appeared on wired.com told us how Adrian Lamo, a hacker who made the news often the last couple of years, explained that Google could be used to gain access to websites of big corporations.

database interface -- into Google recently yielded about 200 links, almost all of which led to FileMaker databases accessible online."[2]

These articles kept on coming up in the online news. U.S. military and government websites were vulnerable because admin scripts could be found using Google; medical files, personal records, everything suddenly seemed just one Google search away. But these articles seemed to show up once every half year and always talked about it as if it was something new. Another thing was that the articles never explained how one would actually go about doing this. An example of a search string was almost never given. The last time I read one of these articles I decided it was time to find out for myself whether Google actually could do all they say it can. The following is a report of my findings and a description of some techniques and search strings one could use.

Theory

The theory behind this is actually quite simple.
Either you think of certain data you would like to acquire, try to imagine in what files this kind of data could be stored, and search for these files directly (search for *.xls files, for example), or you take the more interesting approach: you think of a certain piece of software that allows you to perform certain tasks or to access certain things, and you search for critical files of this software. An example could be a content management system. You read up on this particular content management system, check what files it consists of, and search for those. A great example is that of the databases mentioned above, where you know the string "view database" is used on pages that shouldn't be accessible to you and you then search for pages containing that string, or you check the software and notice that the option to view a database is linked on a webpage within this software called "viewdbase.htm" and you search for "viewdbase.htm".

The most important thing is to have a clear goal, to know what it is you want to find. Then search for these specific files or the trademarks that these files have.
Google Search Options

Specific file types: *.xls, *.doc, *.pdf, *.ps, *.ppt, *.rtf

Google allows you to search for specific file types, so instead of getting HTML files (websites) as a result you get Microsoft Excel files, for example. The search string you would use would be this:

filetype:xls (for Excel files) or filetype:doc (for Word files)

But maybe more interesting would be searching for *.db files and *.mdb files. Google, by the way, doesn't tell you that you can search for *.db and *.mdb files. I wonder what other file types one can search for. Things that come to mind are *.cfg files or *.pwd files, *.dat files, stuff like that. Try and think of something that might get you some interesting results.

Inurl

Another useful search option is the inurl: option, which allows one to search for a certain word one would want to be in the URL. This gives you the opportunity to search for specific directories/folders, especially in combination with the "index of" option, about which I will talk later on. An example would be inurl:admin which would give you results of website URLs that have the word

Index of

The "index of" option is another option that isn't especially thought of by the creators of Google, but comes in very handy. If you use the "index of" string you will find directory listings of specific folders on servers. An example could be: which would get you many directory listings of admin folders. (Don't forget to use the quotes in this case, since you are looking for the entire "index of" string, not just for "index" and "of".)

Site

The site option allows you to come up with results that only belong to a certain domain name extension or to a specific site. For example, one could search for .com sites or .box.sk sites or .nl sites, but also for results from just one site; more interesting, though, might be to search for specific military or government websites. An example of a search string would be:

site:mil or site:gov
site:neworder.box.sk "board"
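Seen from the server owner's side, the file-type and "index of" searches translate into a check of your own document root before a crawler indexes it. The following is an added example, not part of the original article: the extension and word lists come from the article's own search ideas, while the index-file names and the sample directory tree are assumptions constructed for the demonstration.

```python
import os
import re
import tempfile

# File extensions and name words the article suggests searching for.
RISKY_EXT = {".xls", ".doc", ".db", ".mdb", ".cfg", ".pwd", ".dat"}
RISKY_WORDS = {"password", "passwords", "pwd", "account", "accounts", "userid",
               "uid", "login", "logins", "secret", "secrets", "admin", "config", "setup"}
# Assumed list of index documents; match it to your server's configuration.
INDEX_FILES = {"index.html", "index.htm", "index.php"}
LISTING_TITLE = re.compile(r"<title>\s*index of\s*/", re.IGNORECASE)


def is_directory_listing(html):
    """True if a fetched page looks like an auto-generated 'Index of /' listing."""
    return bool(LISTING_TITLE.search(html))


def audit_webroot(root):
    """Return sorted (relative_path, reason) findings for a document root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if not INDEX_FILES & {f.lower() for f in files}:
            findings.append((rel_dir, "no index file: listable if autoindex is on"))
        for name in files:
            stem, ext = os.path.splitext(name.lower())
            rel = os.path.normpath(os.path.join(rel_dir, name))
            if ext in RISKY_EXT:
                findings.append((rel, "risky extension " + ext))
            elif RISKY_WORDS & set(re.split(r"[^a-z0-9]+", stem)):
                findings.append((rel, "sensitive word in file name"))
    return sorted(findings)


def build_sample_root():
    """Constructed sample tree (not from the article) for an offline run."""
    root = tempfile.mkdtemp()
    for rel in ("index.html", "cgi-bin/admin.cfg", "docs/index.html",
                "docs/passwords.txt", "docs/report.pdf"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


if __name__ == "__main__":
    for path, reason in audit_webroot(build_sample_root()):
        print(path, "->", reason)
```

Anything the audit reports belongs outside the document root or behind authentication, and directories without an index file should have automatic listings switched off in the server configuration.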
Intitle

Intitle is another nice option. It allows you to search for HTML files that have a certain word or words in the title. The format would be intitle:wordhere. You could check what words appear in the title of some online control panel or content management system and then search Google for this word with the intitle option, to find these control panel pages.

Link

The link option allows you to check which sites link to a specific site. As described in Hacking Exposed Third Edition, this could be useful:
These search engines provide a handy facility that allows you to search for all sites that have links back to the target organization's domain. This may not seem significant at first but let's explore the implications. Suppose someone in an organization decides to put up a rogue website at home or on 4]

Combining search options

The above-mentioned search options might or might not be known to you, but even though they can amount to some interesting results, it's a fact that when you start combining them, that's when Google's magic starts to show. For example, one could try this search string:

inurl:nasa.gov filetype:xls "restricted"

or this one:

site:mil filetype:xls "password"

or maybe

site:mil "index of" admin

(I'm just producing these off the top of my head; I don't know whether they'd result in anything interesting. That's where you come in. You've got to find a search string that gets the results you want.)

Examples; The Good Stuff

Specific file types: *.xls, *.doc, *.pdf, *.ps, *.ppt, *.rtf

To start out simple, you can try and search directly for files that you believe might hold interesting information. The obvious choices for me were things like:

Password, passwords, pwd, account, accounts, userid, uid, login, logins, secret, secrets, all followed by either *.doc or *.xls or *.db

This led me to quite some interesting results, especially with the *.db option, but I actually also found some passwords.doc files, containing working passwords.

http://www.doc.state.ok.us/Spr...ris...0for%20web.xls
http://www.bmo.com/investorrel...nt/...ew/private.xls
http://www.nescaum.org/Greenhouse/Pr...ipant_List.xls
http://www.dscr.dla.mil/aviationinve...nce_5Apr01.xls
http://web.nps.navy.mil/~drdolk/is3301/PART_IS3301.XLS

Admin.cfg

Admin.cfg is, most of the time, an admin configuration file of some sort. Many different software packages obviously use names like "config" or "admin" or "setup", etc.
And most of the time these files contain sensitive information and thus shouldn't be accessible to people browsing the web. I tried a search for admin.cfg, using the following search string on Google:

inurl:admin.cfg "index of"

This led me to many results, of which many were useless. But some paid off. I found for example:

http://www.alternetwebdesign.com/cgi...timi/admin.cfg

which contained a password. This was the admin password for a database located at

http://www.alternetwebdesign.c...rec....cgi?admin.cfg

This database contained sensitive client data of this particular company. I then proceeded to e-mail the company and tell them about the flaw. They replied to me in a very friendly manner and told me they appreciated my help and that they would take the necessary steps to solve the problem.

Webadmin