How to use Google for hacking? (Google hacks)
Post date: May 5, 2011 12:02:31 PM
The Google search engine can be used to hack into remote servers or gather confidential or sensitive information that is not visible through common searches.
Google is the world’s most popular and powerful search engine. It has the ability to accept pre-defined commands as inputs, which then produce unbelievable results.
Google’s Advanced Search Query Syntax
Discussed below are various special Google commands. I shall explain each command in brief and show how it can be used for getting confidential data.
[ intitle: ]
The “intitle:” syntax helps Google restrict the search results to pages containing that word in the title.
intitle: login password
will return links to those pages that have the word "login" in their title, and the word "password" anywhere in the page.
Similarly, if one has to query for more than one word in the page title, then “allintitle:” can be used instead of “intitle:” to get the list of pages containing all those words in the title.
intitle: login intitle: password
is the same as
allintitle: login password
[ inurl: ]
The “inurl:” syntax restricts the search results to those URLs containing the search keyword.
For example: “inurl: passwd” (without quotes) will return only links to those pages that have "passwd" in the URL.
Similarly, if one has to query for more than one word in a URL, then “allinurl:” can be used instead of “inurl:” to get the list of URLs containing all those search keywords.
allinurl: etc/passwd
will look for the URLs containing “etc” and “passwd”. The slash (“/”) between the words will be ignored by Google.
[ site: ]
The “site:” syntax restricts Google to query for certain keywords in a particular site or domain.
exploits site:google.com
will look for the keyword “exploits” in those pages present in all the links of the domain “google.com”. There should not be any space between “site:” and the domain name.
[ filetype: ]
The “filetype:” syntax restricts a Google search to files on the internet with particular extensions (e.g. doc, pdf or ppt).
filetype:doc site:gov confidential
will look for files with the “.doc” extension in all government domains with the “.gov” extension and containing the word “confidential” either in the pages or in the “.doc” file, i.e. the result will contain the links to all confidential Word document files on the government sites.
[ link: ]
“link:” syntax will list down webpages that have links to the specified webpage.
link:www.expertsforge.com
will list webpages that have links pointing to the SecurityFocus homepage. Note there can be no space between the "link:" and the web page URL.
[ related: ]
The “related:” syntax will list web pages that are "similar" to a specified web page.
related:www.expertsforge.com
will list web pages that are similar to the Securityfocus homepage. Note there can be no space between the "related:" and the web page URL.
[ cache: ]
The query “cache:” will show the version of the web page that Google has in its cache.
cache:www.pctipsbyanu.tk
will show Google's cache of the Google homepage. Note there can be no space between the "cache:" and the web page url.
If you include other words in the query, Google will highlight those words within the cached document.
cache:www.pctipsbyanu.tk guest
will show the cached content with the word "guest" highlighted.
[ intext: ]
The “intext:” syntax searches for words in a particular website. It ignores links or URLs and page titles.
intext:exploits
will return only links to those web pages that have the search keyword "exploits" in their content.
[ phonebook: ]
“phonebook” searches for U.S. street address and phone number information.
phonebook:Anu+IN
will list all names of persons having “Anu” in their names and located in “India(IN)”. This can be used as a great tool for hackers in case someone wants to dig up personal information for social engineering.
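The operator semantics described above (intitle: versus allintitle:, inurl:, site:, filetype:) can be checked against an inventory of your own pages to see which of them such a query would surface. This is an added example, not code from the original post; it is a simplified model of the operators, and the inventory, `parse_query`, `matches` and `exposed` are constructed for illustration.

```python
import re
from urllib.parse import urlparse

FIELDS = {"intitle": "title", "inurl": "url", "intext": "text"}

def parse_query(query):
    """Return (operator, value) pairs; operator is None for a bare word."""
    terms, sticky, pending = [], None, None
    for tok in re.findall(r'[a-z]+:"[^"]*"|"[^"]*"|\S+', query, flags=re.I):
        op, sep, value = tok.partition(":")
        op = op.lower()
        if sep and op[:3] == "all" and op[3:] in FIELDS:
            sticky = op = op[3:]          # allintitle: applies to every later bare word
        if sep and (op in FIELDS or op in ("site", "filetype")):
            if value:
                terms.append((op, value.strip('"').lower()))
            else:
                pending = op              # "intitle: login" binds the next word only
            continue
        terms.append((pending or sticky, tok.strip('"').lower()))
        pending = None
    return terms

def matches(page, terms):
    """Simplified model of the operators; not Google's actual matching."""
    parsed = urlparse(page["url"].lower())
    anywhere = " ".join(page.values()).lower()
    for op, value in terms:
        words = re.findall(r"[\w.-]+", value)   # "/" between words is ignored
        if op == "site":
            ok = ("." + (parsed.hostname or "")).endswith("." + value)
        elif op == "filetype":
            ok = parsed.path.endswith("." + value)
        else:
            haystack = page[FIELDS[op]].lower() if op else anywhere
            ok = all(w in haystack for w in words)
        if not ok:
            return False
    return True

# Constructed inventory of your own pages (e.g. exported from a crawl of your site).
INVENTORY = [
    {"url": "https://www.example.com/login", "title": "Login", "text": "Enter your password"},
    {"url": "https://www.example.com/help", "title": "Help", "text": "login and password reset"},
    {"url": "https://files.example.gov/docs/memo.doc", "title": "Memo", "text": "confidential draft"},
    {"url": "https://www.example.com/backup/etc/passwd", "title": "Index of /backup/etc", "text": "Parent Directory"},
]

def exposed(query, inventory=INVENTORY):
    terms = parse_query(query)
    return [p["url"] for p in inventory if matches(p, terms)]

if __name__ == "__main__":
    print(exposed("filetype:doc site:gov confidential"))
```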
Google Hacks
Well, the Google query syntaxes discussed above can really help people make their searches precise and get exactly what they are looking for.
Now, Google being such an intelligent search engine, hackers don’t mind exploiting its ability to dig up confidential and secret information from the net which they are not supposed to know. Now I shall discuss in detail the techniques hackers use to dig information from the net using Google and how that information can be used to break into remote servers.
Index Of
Using the “Index of” syntax to find sites with index browsing enabled
A webserver with index browsing enabled means anyone can browse the webserver directories like ordinary local directories. The use of the “index of” syntax to get a list of links to webservers which have directory browsing enabled is discussed below. This becomes an easy source of information gathering for a hacker. Imagine if they get hold of password files or other sensitive files which are not normally visible to the internet. Given below are a few examples using which one can get access to much sensitive information quite easily.
Index of /admin
Index of /passwd
Index of /password
Index of /mail
"Index of /" +passwd
"Index of /" +password.txt
"Index of /" +.htaccess
"Index of /secret"
"Index of /confidential"
"Index of /root"
"Index of /cgi-bin"
"Index of /credit-card"
"Index of /logs"
"Index of /config"
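From the server owner's side, the same exposure can be found before a search engine indexes it by walking the document root for directories that have no index file and for file names that appear in the query lists on this page. This is an added example, not code from the original post; `audit_webroot`, `make_sample_webroot`, the index file names and the sample tree are assumptions made for illustration.

```python
import os
import tempfile

# File names taken from the article's query lists; extend for your environment.
SENSITIVE = {".bash_history", ".sh_history", ".htaccess", "htpasswd", "passwd",
             "password.txt", "config.txt", "master.passwd", "pwd.db",
             "auth_user_file.txt", "orders.txt"}
# Assumed index documents; match this to your server's directory-index setting.
INDEX_FILES = {"index.html", "index.htm", "index.php"}

def audit_webroot(root):
    """Return (dirs_without_index, sensitive_files) as sorted web paths."""
    listable, sensitive = [], []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        web = "/" if rel == "." else "/" + rel + "/"
        if not {f.lower() for f in files} & INDEX_FILES:
            listable.append(web)      # would render as "Index of ..." if autoindex is on
        sensitive += [web + f for f in files if f.lower() in SENSITIVE]
    return sorted(listable), sorted(sensitive)

def make_sample_webroot():
    """Build a constructed document root in a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for path in ("index.html", ".bash_history", "admin/password.txt",
                 "logs/access.log", "shop/index.php"):
        full = os.path.join(root, *path.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    return root

if __name__ == "__main__":
    listable, sensitive = audit_webroot(make_sample_webroot())
    print("directories with no index file:", listable)
    print("sensitive file names under the web root:", sensitive)
```

On Apache, directory listings are controlled by `Options Indexes`; setting `Options -Indexes` stops the directories reported here from being rendered as listings, and the flagged files should be moved out of the web root.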
Looking for vulnerable sites or servers using “inurl:” or “allinurl:”
a. Using “allinurl:windows/system32/” (without quotes) will list all the links to servers which give access to restricted directories like “system32” through the web. If you are lucky enough then you might get access to the cmd.exe in the “system32” directory. Once you have the access to “cmd.exe” and is able to execute it.
b. Using “allinurl:wwwboard/passwd.txt” (without quotes) in the Google search will list all the links to servers which are vulnerable to the “WWWBoard Password vulnerability”. To know more about this vulnerability you can have a look at the following link: HERE
c. Using “inurl:.bash_history” (without quotes) will list all the links to servers which give access to the “.bash_history” file through the web. This is a command history file. This file includes the list of commands executed by the administrator, and sometimes includes sensitive information such as passwords typed in by the administrator. If this file is compromised and if it contains the encrypted unix (or *nix) password then it can be easily cracked using “John The Ripper”.
d. Using “inurl:config.txt” (without quotes) will list all the links to servers which give access to the “config.txt” file through the web. This file contains sensitive information, including the hash value of the administrative password and database authentication credentials.
For example: Ingenium Learning Management System is a Web-based application for Windows based systems developed by Click2learn, Inc. Ingenium Learning Management System versions 5.1 and 6.1 store sensitive information insecurely in the config.txt file. For more information refer to the following links: HERE
Other similar search using “inurl:” or “allinurl:” combined with other syntax
inurl:admin filetype:txt
inurl:admin filetype:db
inurl:admin filetype:cfg
inurl:mysql filetype:cfg
inurl:passwd filetype:txt
inurl:iisadmin
inurl:auth_user_file.txt
inurl:orders.txt
inurl:"wwwroot/*."
inurl:adpassword.txt
inurl:webeditor.php
inurl:file_upload.php
inurl:gov filetype:xls "restricted"
index of ftp +.mdb allinurl:/cgi-bin/ +mailto
Looking for vulnerable sites or servers using “intitle:” or “allintitle:”
a. Using [allintitle: "index of /root"] (without brackets) will list the links to web servers which give access to restricted directories like “root” through the web. This directory sometimes contains sensitive information which can be easily retrieved through simple web requests.
b. Using [allintitle: "index of /admin"] (without brackets) will list the links to websites which have index browsing enabled for restricted directories like “admin” through the web. Most web applications sometimes use names like “admin” to store admin credentials. This directory sometimes contains sensitive information which can be easily retrieved through simple web requests.
Other similar search using “intitle:” or “allintitle:” combined with other syntax
intitle:"Index of" .sh_history
intitle:"Index of" .bash_history
intitle:"index of" passwd
intitle:"index of" people.lst
intitle:"index of" pwd.db
intitle:"index of" etc/shadow
intitle:"index of" spwd
intitle:"index of" master.passwd
intitle:"index of" htpasswd
intitle:"index of" members OR accounts
intitle:"index of" user_carts OR user_cart
allintitle: sensitive filetype:doc
allintitle: restricted filetype :mail
allintitle: restricted filetype:doc site:gov
Other interesting Search Queries
- To search for sites vulnerable to Cross-Site Scripting (XSS) attacks:
allinurl:/scripts/cart32.exe
allinurl:/CuteNews/show_archives.php
allinurl:/phpinfo.php
- To search for sites vulnerable to SQL Injection attacks:
allinurl:/privmsg.php
Google Hacking
allintitle:Brains, Corp. camera
allintitle:"index of/admin"
allintitle:"index of/root"
allintitle:restricted filetype:doc site:gov
allintitle:restricted filetype :mail
allintitle:sensitive filetype:doc
allinurl:/bash_history
allinurl:winnt/system32/ (get cmd.exe)
ext:ini eudora.ini
ext:pwd inurl:(service|authors|administrators |users) "# -FrontPage-"
filetype:bak inurl:"htaccess|passwd|shadow|htusers"
filetype:conf slapd.conf
filetype:ctt "msn"
filetype:mdb inurl:"account|users|admin|administrators|passwd|password"
filetype:mdb inurl:users.mdb
filetype:QDF QDF
filetype:pdf "Host Vulnerability Summary Report" "Assessment Report"
filetype:sql ("passwd values ****" | "password values ****" | "pass values ****" )
filetype:xls inurl:"email.xls"
filetype:user eggdrop user
"Index of /admin"
"Index of /" +.htaccess
"Index of /mail"
"Index of /" "Parent Directory" "WS_FTP.ini" filetype:ini
"Index of /" +passwd
"Index of /password"
"Index of /" +password.txt
intext:"BiTBOARD v2.0" "BiTSHiFTERS Bulletin Board"
intext:centreware inurl:status
intext:"MOBOTIX M1"
intext:"MOBOTIX M10"
intext:"Open Menu"
intext:"powered by Web Wiz Journal"
intext:"Tobias Oetiker" "traffic analysis"
intitle:index.of "Apache/1.3.28 Server at"
intitle:index.of "Apache/2.0 Server at"
intitle:index.of "Apache/* Server at"
intitle:index.of "HP Apache-based Web Server/*"
intitle:index.of "IBM _ HTTP _ Server/* * Server at"
intitle:index.of "Microsoft-IIS/4.0 Server at"
intitle:index.of "Microsoft-IIS/5.0 Server at"
intitle:index.of "Microsoft-IIS/6.0 Server at"
intitle:index.of "Microsoft-IIS/* Server at"
intitle:index.of "Netscape/* Server at"
intitle:index.of "Oracle HTTP Server/* Server at"
intitle:index.of "Red Hat Secure/*"
intitle:"Apache::Status" (inurl:server-status | inurl:status.html | inurl:apache.html)
intitle:"Welcome to IIS 4.0!"
intitle:"Welcome to Windows 2000 Internet Services"
intitle:"Welcome to Windows XP Server Internet Services"
intitle:"Welcome to Your New Home Page!"
intitle:"Test Page for Apache Installation" "It worked!" "this Web site!"
intitle:"Test Page for Apache Installation" "Seeing this instead"
intitle:"Test Page for Apache Installation" "You are free"
intitle:"Test Page for the Apache Http Server on Fedora Core"
intitle:"Test Page for the Apache Web Server on RedHat Linux"
intitle:"Test Page for the SSL/TLS-aware Apache Installation" "Hey, it worked!"
intitle:"index of" .bash_history
intitle:"index of" etc/shadow
intitle:"index.of" finances.xls
intitle:"index of" htpasswd
intitle:"Index Of" inurl:maillog
intitle:"index of" master.passwd
intitle:"index of" members OR accounts
intitle:"index.of" mystuff.xml
intitle:"index of" passwd
intitle:"index of" people.lst
intitle:"index of" pwd.db
intitle:"Index of" pwd.db
intitle:"Index of" .sh_history
intitle:"index of" spwd
intitle:"index.of" trillian.ini
intitle:"index of" user_carts OR user_cart
intitle:"active webcam page"
intitle:"ASP Stats Generator *.*" "ASP Stats Generator" "2003-2004 weppos"
intitle:"curriculum vitae" "phone * * *" "address *"
intitle:"Dell Laser Printer" ews
intitle:"EvoCam" inurl:"webcam.html"
intitle:liveapplet inurl:LvAppl
intitle:"Multimon UPS status page"
intitle:"my webcamXP server!" inurl:":8080"
intitle:"statistics of" "advanced web statistics"
intitle:"System Statistics" +"System and Network Information Center"
intitle:"Terminal Services Web Connection"
intitle:"Usage Statistics for" "Generated by Webalizer"
intitle:"VNC Desktop" inurl:5800
intitle:"Web Server Statistics for ****"
inurl:admin filetype:db
inurl:admin inurl:backup intitle:index.of
inurl:"auth_user_file.txt"
inurl:"/axs/ax-admin.pl" -script
inurl:"/cricket/grapher.cgi"
inurl:hp/device/this.LCDispatcher
inurl:iisadmin
inurl:indexFrame.shtml Axis
inurl:"main.php" "phpMyAdmin" "running on"
inurl:passwd filetype:txt
inurl:"printer/main.html" intext:"settings"
inurl:server-info "Apache Server Information"
inurl:"ViewerFrame?Mode="
inurl:"wvdial.conf" intext:"password"
inurl:"wwwroot/*."
site:gov confidential
site:mil confidential
site:mil "top secret"
"Copyright (c) Tektronix, Inc." "printer status"
"Host Vulnerability Summary Report"
"http://*:*@www"
"Network Vulnerability Assessment Report"
"not for distribution"
"Output produced by SysWatch *"
"These statistics were produced by getstats"
"This file was generated by Nessus"
"This report was generated by WebLog"
"This summary was generated by wwwstat"
"Generated by phpSystem"
"Host Vulnerability Summary Report"
"my webcamXP server!"
sample/LvAppl/
"TOSHIBA Network Camera - User Login"
/home/homeJ.html
/ViewerFrame?Mode=Motion
This reveals MySQL database dumps. These database dumps list the structure and content of databases, which can reveal many different types of sensitive information. http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=%22%23mysql+dump%22+filetype%3Asql&btnG=Search
These log files record info about the SSH client PuTTY. These files contain usernames, site names, IP addresses, ports and various other information about the SSH server connected to. http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=filetype%3Alog+username+putty
These files contain cleartext usernames and passwords, as well as the sites associated with those credentials. Attackers can use this information to log on to that site as that user. http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=filetype%3Alog+inurl%3A%22password.log%22
This file contains port number, version number and path info to MySQL server. http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=intitle%3A%22index+of%22+mysql.conf+OR+mysql_config
This search reveals sites which may be using Shockwave (Flash) as a login mechanism for a site. The usernames and passwords for this type of login mechanism are often stored in plaintext inside the source of the .swf file. http://www.google.com/search?hl=en&lr=&q=inurl%3Alogin+filetype%3Aswf+swf
These are Outlook Express email files which contain emails, with full headers. The information in these emails can be useful for information gathering about a target. http://www.google.com/search?hl=en&lr=&q=filetype%3Aeml+eml+%2Bintext%3A%22Subject%22+%2Bintext%3A%22From%22+%2Bintext%3A%22To%22
This Google search reveals user names, POP3 passwords, email addresses, servers connected to and more. The IP addresses of the users can also be revealed in some cases. http://www.google.com/search?num=100&hl=en&lr=&q=filetype%3Areg+reg+%2Bintext%3A%22internet+account+manager
Footprinting Websites and Information Gathering Resources
A hacker or pen tester may also do a Google search or a site search to locate information about employees. Some sites useful to find more information about an organization and its employees include:
www.trula.com - real estate
www.zillow.com - real estate
www.netronline.com - real estate
www.whosarat.com - informants
www.zabaseach.com - name, address, location info
www.zoominfo.com - person & company data
www.vitalrec.com - people info
www.pipl.com - people search
www.skipease.com/blog/ - people search
www.pretrieve.com - people search
www.publicdata.com - people search
www.urapi.com - people search
https://addons.mozilla.org/en-US/firefox/addon/1912 (who is this person)
www.nndb.com – people activity tracker
www.willyancey.com/finding.htm online info
www.courthousedirect.com - property records
www.turboscout.com - multisearch engine tool
www.theultimates.com - phone number lookup
http://skipease.whitepages.com/reverse_address - address lookup
www.thevault.com - company search / profile
www.blogsearchengine.com - search blogs for info or person
www.ccrs.info - China based company search /profile
www.hoovers.com - company search / profile
www.lexisnexis.com - company search / profile
www.topix.net - region specific news articles
www.pacer.uscourts.gov/natsuit.html - Court records
www.oihweb.com - online investigation techniques
www.linkedin.com - business person's network
Footprinting Links
Google Hacking Database
A search that finds password hashes
Nessus Reports from Google
More Passwords from Google
Google Hacks Volume III by Halla
G-Zapper Blocks the Google Cookie to Search Anonymously
SiteDigger 2.0 searches Google’s cache to look for vulnerabilities
BeTheBot - View Pages as the Googlebot Sees Them
An experts-exchange page to demonstrate the Googlebot
HTTP Header Viewer
Masquerading Your Browser
User Agent Switcher :: Firefox Add-ons
Modify Headers :: Firefox Add-ons
User Agent Sniffer for Project 1
GNU Wget - Tool to Mirror Websites
Teleport Pro - Tool to Mirror Websites
Google Earth
Finding Subdomains (Zone Transfers)
Dakota Judge rules that Zone Transfers are Hacking
Internet Archive - Wayback Machine
Wikto - Web Server Assessment Tool - With Google Hacking
VeriSign Whois Search from VeriSign, Inc.
whois.com
ARIN: WHOIS Database Search
Border Gateway Protocol (BGP) and AS Numbers
Internic | Whois - the only one that finds hackthissite.org
Teenager admits eBay domain hijack
NeoTrace
VisualRoute traceroute: connection test, trace IP address, IP trace, IP address locations