Introduction
Google is world’s most popular and powerful search engine which has the ability to accept pre-defined commands as input and produce unbelievable results. This enables malicious users like hackers, crackers, and script kiddies etc to use Google search engine extensively to gather confidential or sensitive information which is not visible through common searches.
In this paper I shall cover the below given points that an administrators or security professionals must take into account to prevent such information disclosures:
Google’s Advance Search Query Syntaxes
Querying for vulnerable sites or servers using Google’s advance syntaxes
Securing servers or sites from Google’s invasion
Google’s Advance Search Query Syntaxes
Below discussed are various Google’s special commands and I shall be explaining each command in brief and will show how it can be used for critical information digging.
[ intitle: ]
The “intitle:” syntax helps Google restrict the search results to pages containing that word in the title. For example, “intitle: login password” (without quotes) will return links to those pages that has the word "login" in their title, and the word "password" anywhere in the page.
Similarly, if one has to query for more than one word in the page title then in that case “allintitle:” can be used instead of “intitle” to get the list of pages containing all those words in its title. For example using “intitle: login intitle: password” is same as querying “allintitle: login password”.
[ inurl: ]
The “inurl:” syntax restricts the search results to those URLs containing the search keyword. For example: “inurl: passwd” (without quotes) will return only links to those pages that have "passwd" in the URL.
Similarly, if one has to query for more than one word in an URL then in that case “allinurl:” can be used instead of “inurl” to get the list of URLs containing all those search keywords in it. For example: “allinurl: etc/passwd“ will look for the URLs containing “etc” and “passwd”. The slash (“/”) between the words will be ignored by Google.
[ site: ]
The “site:” syntax restricts Google to query for certain keywords in a particular site or domain. For example: “exploits site:hackingspirits.com” (without quotes) will look for the keyword “exploits” in those pages present in all the links of the domain “hackingspirits.com”. There should not be any space between “site:” and the “domain name”.
[ filetype: ]
This “filetype:” syntax restricts Google search for files on internet with particular extensions (i.e. doc, pdf or ppt etc). For example: “filetype:doc site:gov confidential” (without quotes) will look for files with “.doc” extension in all government domains with “.gov” extension and containing the word “confidential” either in the pages or in the “.doc” file. i.e. the result will contain the links to all confidential word document files on the government sites.
[ link: ]
“link:” syntax will list down webpages that have links to the specified webpage. For Example: “link:www.securityfocus.com” will list webpages that have links pointing to the SecurityFocus homepage. Note there can be no space between the "link:" and the web page url.
[ related: ]
The “related:” will list web pages that are "similar" to a specified web page. For Example: “related:www.securityfocus.com” will list web pages that are similar to the Securityfocus homepage. Note there can be no space between the "related:" and the web page url.
[ cache: ]
The query “cache:” will show the version of the web page that Google has in its cache. For Example: “cache:www.hgce.org” will show Google's cache of the Google homepage. Note there can be no space between the "cache:" and the web page url.
If you include other words in the query, Google will highlight those words within the cached document. For Example: “cache:www.hgce.org guest” will show the cached content with the word "guest" highlighted.
[ intext: ]
The “intext:” syntax searches for words in a particular website. It ignores links or URLs and page titles. For example: “intext:exploits” (without quotes) will return only links to those web pages that has the search keyword "exploits" in its webpage.
Querying for vulnerable sites or servers using Google’s advance syntaxes
Well, the Google’s query syntaxes discussed above can really help people to precise their search and get what they are exactly looking for.
Now Google being so intelligent search engine, malicious users don’t mind exploiting its ability to dig confidential and secret information from internet which has got restricted access. Now I shall discuss those techniques in details how malicious user dig information from internet using Google as a tool.
Using “Index of ” syntax to find sites enabled with Index browsing
A webserver with Index browsing enabled means anyone can browse the webserver directories like ordinary local directories. Here I shall discuss how one can use “index of” syntax to get a list links to webserver which has got directory browsing enabled. This becomes an easy source for information gathering for a hacker. Imagine if the get hold of password files or others sensitive files which are not normally visible to the internet. Below given are few examples using which one can get access to many sensitive information much easily.
Index of /admin
Index of /passwd
Index of /password
Index of /mail
"Index of /" +passwd
"Index of /" +password.txt
"Index of /" +.htaccess
"Index of /secret"
"Index of /confidential"
"Index of /root"
"Index of /cgi-bin"
"Index of /credit-card"
"Index of /logs"
"Index of /config"
Looking for vulnerable sites or servers using “inurl:” or “allinurl:”
Using “allinurl:winnt/system32/” (without quotes) will list down all the links to the server which gives access to restricted directories like “system32” through web. If you are lucky enough then you might get access to the cmd.exe in the “system32” directory. Once you have the access to “cmd.exe” and are able to execute it then you can go ahead in further escalating your privileges over the server and compromise it.
Using “allinurl:wwwboard/passwd.txt”(without quotes) in the Google search will list down all the links to the server which are vulnerable to “WWWBoard Password vulnerability”. To know more about this vulnerability you can have a look at the following link:
http://www.securiteam.com/exploits/2BUQ4S0SAW.html
Using “inurl:.bash_history” (without quotes) will list down all the links to the server which gives access to “.bash_history” file through web. This is a command history file. This file includes the list of command executed by the administrator, and sometimes includes sensitive information such as password typed in by the administrator. If this file is compromised and if contains the encrypted unix (or *nix) password then it can be easily cracked using “John The Ripper”.
Using “inurl:config.txt” (without quotes) will list down all the links to the servers which gives access to “config.txt” file through web. This file contains sensitive information, including the hash value of the administrative password and database authentication credentials. For Example: Ingenium Learning Management System is a Web-based application for Windows based systems developed by Click2learn, Inc. Ingenium Learning Management System versions 5.1 and 6.1 stores sensitive information insecurely in the config.txt file. For more information refer the following links:
http://www.securiteam.com/securitynews/6M00H2K5PG.html
Other similar search using “inurl:” or “allinurl:” combined with other syntaxs
inurl:admin filetype:txt
inurl:admin filetype:db
inurl:admin filetype:cfg
inurl:mysql filetype:cfg
inurl:passwd filetype:txt
inurl:iisadmin
inurl:auth_user_file.txt
inurl:orders.txt
inurl:"wwwroot/*."
inurl:adpassword.txt
inurl:webeditor.php
inurl:file_upload.php
inurl:gov filetype:xls "restricted"
index of ftp +.mdb allinurl:/cgi-bin/ +mailto
Looking for vulnerable sites or servers using “intitle:” or “allintitle:”
Using [allintitle: "index of /root”] (without brackets) will list down the links to the web server which gives access to restricted directories like “root” through web. This directory sometimes contains sensitive information which can be easily retrieved through simple web requests.
Using [allintitle: "index of /admin”] (without brackets) will list down the links to the websites which has got index browsing enabled for restricted directories like “admin” through web. Most of the web application sometimes uses names like “admin” to store admin credentials in it. This directory sometimes contains sensitive information which can be easily retrieved through simple web requests.
Other similar search using “intitle:” or “allintitle:” combined with other syntaxs
intitle:"Index of" .sh_history
intitle:"Index of" .bash_history
intitle:"index of" passwd
intitle:"index of" people.lst
intitle:"index of" pwd.db
intitle:"index of" etc/shadow
intitle:"index of" spwd
intitle:"index of" master.passwd
intitle:"index of" htpasswd
intitle:"index of" members OR accounts
intitle:"index of" user_carts OR user_cart
allintitle: sensitive filetype:doc
allintitle: restricted filetype :mail
allintitle: restricted filetype:doc site:gov
Other interesting Search Queries
To search for sites vulnerable to Cross-Sites Scripting (XSS) attacks:
allinurl:/scripts/cart32.exe
allinurl:/CuteNews/show_archives.php
allinurl:/phpinfo.php
To search for sites vulnerable to SQL Injection attacks:
allinurl:/privmsg.php
allinurl:/privmsg.php
Securing servers or sites from Google’s invasion
Below given are the security measures which system administrators and security professionals must take into account to secure critical information available online, falling into wrong hands:
Install latest security patches available till date for the applications and as well as the operating system running on the servers.
Don’t put critical and sensitive information on servers without any proper authentication system which can be directly accessible to anyone on internet.
Disable directory browsing on the webserver. Directory browsing should be enabled for those web-folders for which you want to give access to anyone on internet.
If you find any links to your restricted server or sites in Google search result then it should be removed. Visit the following link for more details:
http://www.google.com/remove.html
Disable anonymous access in the webserver through internet to restricted systems directory.
Install filtering tools like URLScan for servers running IIS as webserver.
Conclusion
Sometimes increase in sophistication in the systems creates new problems. Google being so sophisticated can be used by any Tom, Dick & Harry on internet to dig sensitive information which is normally neither visible nor reachable to anyone.
The only options left for the security professionals and systems administrators are to secure and harden their systems from such un-authorized invasion.
Other most powerful query
1. Security camera hacks
Step 1: 1. Security camera hacks
CAMERA HACKS
inurl:“viewerframe?mode=motion” (requires activeX)
intitle:“snc-rz30 home” (requires activeX)
intitle:“WJ-NT104 Main”
inurl:LvAppl intitle:liveapplet (great pan and zoom)
intitle:“Live View / – AXIS” (my favorite)
inurl:indexFrame.shtml “Axis Video Server”
2. Un-spidered websites
Step 2: 2. Un-spidered websites
PAGES THAT CAN’T BE SEARCHED
“robots.txt” “disallow:” filetype:txt
3. Microsoft Frontpage
Step 3: 3. Microsoft Frontpage
FRONT PAGE HACK
inurl:_vti_pvt “service.pwd”
4. PHP Photo Albums
Step 4: 4. PHP Photo Albums
PHP PHOTO ALBUMS
inurl:“phphotoalbum/upload
5. VNC User Hack
Step 5: 5. VNC User Hack
VNC HACK
“vnc desktop” inurl:5800 ….all the way up to 5806
6. Network Printers
Step 6: 6. Network Printers
PRINTER CONTROL PANELS
intext"UAA(MSB)" Lexmark -ext:pdf
inurl:“port_255” -htm
7. PHP Admin Accounts
Step 7: 7. PHP Admin Accounts
PHP ADMINS
intitle:phpMyAdmin “Welcome to phpMyAdmin *” “running on * as root@*”
Top 10 Google Search Tricks
10. Get the local time anywhere
What time is it in Bangkok right now? Ask Google. Enter simply what time is it to get the local time in big cities around the world, or add the locale at the end of your query, like what time is it hong kong to get the local time there. 9. Track flight status
Enter the airline and flight number into the Google search box and get back the arrival and departure times right inside Google's search results. 8. Convert currency, metrics, bytes, and more
Google's powerful built-in converter calculator can help you out whether you're cooking dinner, traveling abroad, or building a PC. Find out how many teaspoons are in a quarter cup (quarter cup in teaspoons) or how many seconds there are in a year (seconds in a year) or how many euros there are to five dollars (5 USD in Euro). For the geekier set, bits in kilobytes (155473 bytes in kilobytes) and numbers in hex or binary (19 in binary) are also pretty useful. 7. Compare items with "better than" and find similar items with "reminds me of"
Reader Adam taps the wisdom of the crowds by searching for like items using key phrases. He writes in:Simply search for, in quotes: "better than _keyword_" Some example results:
Results 1 - 100 of about 550 English pages for " better than WinAmp".
Results 1 - 57 of 57 English pages for " better than mIRC".
Results 1 - 100 of about 17,500 English pages for " better than Digg". (Wow. Poor Digg.)
The results will almost always lead you to discovering alternatives to whatever it is you're searching for. Using the same concept, you can use this trick to discover new music or movies. For example, " reminds me of _someband_" or "sounds like _someband_" will pull up artists people have thought sounded similar to the one you typed in. This is also a great way to find good, no-name musicians you'd probably never know of otherwise.
Examples:
Results 1 - 88 of 88 English pages for " reminds me of Metallica".
Results 1 - 36 of 36 English pages for " similar to Garden State".
Results 1 - 66 of 66 English pages for " sounds like The Shins".
Just get creative and you'll, without a doubt, find cool new stuff you probably never knew existed.
6. Use Google as a free proxy
What, your company blocks that hip new web site just because it drops the F bomb occasionally? Use Google's cache to take a peek even when the originating site's being blocked, withcache:example.com. 5. Remove affiliate links from product searches
When you're sick of seeing duplicate product search results from the likes of eBay, Bizrate, Pricerunner, and Shopping.com, clear 'em out by stacking up the-site:ebay.com -site:bizrate.com -site:shopping.com operator. Alternately, check out Give Me Back My Google (original post), a service that does all that known reseller cleaning up for you when you search for products. Compare this GMBMG search for a Cruzer 1GB flash drive to the regular Google results. 4. Find related terms and documents
Ok, this one's direct from any straight-up advanced search operator cheat sheet, but it's still one of the lesser-used tricks in the book. Adding a tilde (~) to a search term will return related terms. For example, Googling ~nutrition returns results with the words nutrition, food, and health in them. 3. Find music and comic books
Using a combination of advanced search operators that specify music files available in an Apache directory listing, you can turn Google into your personal Napster. Go ahead, try this search for Nirvana tracks: -inurl:(htm|html|php) intitle:"index of" +"last modified" +"parent directory" +description +size +(wma|mp3) "Nirvana". (Sub out Nirvana for the band you're interested in; use this one in conjunction with number 7 to find new music, too.) The same type of search recipe can find comic books as well. 2. ID people, objects, and foreign language words and phrases with Google Image Search
Google Image search results show you instead of tell you about a word. Don't know what jicama looks like? Not sure if the person named "Priti" who you're emailing with is a woman or a man? Spanish rusty and you forgot what "corazon" is? Pop your term into Google Image Search (or type image jicama into the regular search box) to see what your term's about. 1. Make Google recognize faces
If you're doing an image search for Paris Hilton and don't want any of the French city, a special URL parameter in Google's Image search will do the trick. Add &imgtype=face to the end of your image search to just get images of faces, without any inanimate objects. Try it out with a search for rose (which returns many photos of flowers) versus rose with the face parameter. What's your favorite ninja Google search technique? Tell us about it in the comments.