How to use Google for hacking? (Google hacks)

Post date: May 5, 2011 12:02:31 PM

Google search engine can be used to hack into remote servers or gatherconfidential or sensitive information which are not visible throughcommon searches.

Google is the world’s most popular and powerfulsearch engine. It has the ability to accept pre-defined commands asinputs which then produces unbelievable results.

Google’s Advanced Search Query Syntax

Discussedbelow are various Google’s special commands and I shall be explainingeach command in brief and will show how it can be used for gettingconfidential data.

[ intitle: ]

The “intitle:” syntax helps Google restrict the search results to pages containing that word in the title.

intitle: login password

will return links to those pages that has the word "login" in their title, and the word "password" anywhere in the page.

Similarly,if one has to query for more than one word in the page title then inthat case “allintitle:” can be used instead of “intitle” to get thelist of pages containing all those words in its title.

intitle: login intitle: password

is same as

allintitle: login password

[ inurl: ]

The“inurl:” syntax restricts the search results to those URLs containingthe search keyword. 

For example: “inurl: passwd” (without quotes) willreturn only links to those pages that have "passwd" in the URL.

Similarly,if one has to query for more than one word in an URL then in that case“allinurl:” can be used instead of “inurl” to get the list of URLscontaining all those search keywords in it.

allinurl: etc/passwd

will look for the URLs containing “etc” and “passwd”. The slash (“/”) between the words will be ignored by Google.

[ site: ]

The “site:” syntax restricts Google to query for certain keywords in a particular site or domain.

exploits site:google.com

willlook for the keyword “exploits” in those pages present in all the linksof the domain “google.com”. There should not be any spacebetween “site:” and the “domain name”.

[ filetype: ]

This “filetype:” syntax restricts Google search for files on internet with particular extensions (i.e. doc, pdf or ppt etc).

filetype:doc site:gov confidential

willlook for files with “.doc” extension in all government domains with“.gov” extension and containing the word “confidential” either in thepages or in the “.doc” file. i.e. the result will contain the links toall confidential word document files on the government sites.

[ link: ]

“link:” syntax will list down webpages that have links to the specified webpage.

link:www.expertsforge.com

willlist webpages that have links pointing to the SecurityFocus homepage.Note there can be no space between the "link:" and the web page url.

[ related: ]

The “related:” will list web pages that are "similar" to a specified

web page.

related:www.expertsforge.com

willlist web pages that are similar to the Securityfocus homepage. Notethere can be no space between the "related:" and the web page url.

[ cache: ]

The query “cache:” will show the version of the web page that Google has in its cache.

cache:www.pctipsbyanu.tk

will show Google's cache of the Google homepage. Note there can be no space between the "cache:" and the web page url.

If you include other words in the query, Google will highlight those words within the cached document.

cache:www.pctipsbyanu.tk guest

will show the cached content with the word "guest" highlighted.

[ intext: ]

The “intext:” syntax searches for words in a particular website. It ignores links or URLs and page titles.

intext:exploits

will return only links to those web pages that has the search keyword "exploits" in its webpage.

[ phonebook: ]

“phonebook” searches for U.S. street address and phone number information.

phonebook:Anu+IN

willlist down all names of person having “Anu” in their names and locatedin “India(IN)”. This can be used as a great tool for hackersincase someone want to do dig personal information for socialengineering.

Google Hacks

Well, the Google’s querysyntaxes discussed above can really help people to precise their searchand get what they are exactly looking for.

Now Google being sointelligent search engine, hackers don’t mind exploiting its ability todig much confidential and secret information from the net which theyare not supposed to know. Now I shall discuss those techniques indetails how hackers dig information from the net using Google and howthat information can be used to break into remote servers.

Index Of

Using “Index of ” syntax to find sites enabled with Index browsing

Awebserver with Index browsing enabled means anyone can browse thewebserver directories like ordinary local directories. The use of“index of” syntax to get a list links to webserver which has gotdirectory browsing enabled will be discussd below. This becomes an easysource for information gathering for a hacker. Imagine if the get holdof password files or others sensitive files which are not normallyvisible to the internet. Below given are few examples using which onecan get access to many sensitive information much easily.

Index of /admin

Index of /passwd

Index of /password

Index of /mail

"Index of /" +passwd

"Index of /" +password.txt

"Index of /" +.htaccess

"Index of /secret"

"Index of /confidential"

"Index of /root"

"Index of /cgi-bin"

"Index of /credit-card"

"Index of /logs"

"Index of /config"

Looking for vulnerable sites or servers using “inurl:” or “allinurl:”

a.Using “allinurl:windows/system32/” (without quotes) will list down allthe links to the server which gives access to restricted directorieslike “system32” through web. If you are lucky enough then you might getaccess to the cmd.exe in the “system32” directory. Once you have theaccess to “cmd.exe” and is able to execute it.

b. Using“allinurl:wwwboard/passwd.txt”(without quotes) in the Google searchwill list down all the links to the server which are vulnerable to“WWWBoard Password vulnerability”. To know more about thisvulnerability you can have a look at the following link: HERE

c.Using “inurl:.bash_history” (without quotes) will list down all thelinks to the server which gives access to “.bash_history” file throughweb. This is a command history file. This file includes the list ofcommand executed by the administrator, and sometimes includes sensitiveinformation such as password typed in by the administrator. If thisfile is compromised and if contains the encrypted unix (or *nix)password then it can be easily cracked using “John The Ripper”.

d.Using “inurl:config.txt” (without quotes) will list down all the linksto the servers which gives access to “config.txt” file through web.This file contains sensitive information, including the hash value ofthe administrative password and database authentication credentials.

ForExample: Ingenium Learning Management System is a Web-based applicationfor Windows based systems developed by Click2learn, Inc. IngeniumLearning Management System versions 5.1 and 6.1 stores sensitiveinformation insecurely in the config.txt file. For more informationrefer the following

links: HERE

Other similar search using “inurl:” or “allinurl:” combined with other syntax

inurl:admin filetype:txt

inurl:admin filetype:db

inurl:admin filetype:cfg

inurl:mysql filetype:cfg

inurl:passwd filetype:txt

inurl:iisadmin

inurl:auth_user_file.txt

inurl:orders.txt

inurl:"wwwroot/*."

inurl:adpassword.txt

inurl:webeditor.php

inurl:file_upload.php

inurl:gov filetype:xls "restricted"

index of ftp +.mdb allinurl:/cgi-bin/ +mailto

Looking for vulnerable sites or servers using “intitle:” or “allintitle:”

a.Using [allintitle: "index of /root”] (without brackets) will list downthe links to the web server which gives access to restricteddirectories like “root” through web. This directory sometimes containssensitive information which can be easily retrieved through simple webrequests.

b. Using [allintitle: "index of /admin”] (withoutbrackets) will list down the links to the websites which has got indexbrowsing enabled for restricted directories like “admin” through web.Most of the web application sometimes uses names like “admin” to storeadmin credentials in it. This directory sometimes contains sensitiveinformation which can be easily retrieved through simple web requests.

Other similar search using “intitle:” or “allintitle:” combined with other syntax

intitle:"Index of" .sh_history

intitle:"Index of" .bash_history

intitle:"index of" passwd

intitle:"index of" people.lst

intitle:"index of" pwd.db

intitle:"index of" etc/shadow

intitle:"index of" spwd

intitle:"index of" master.passwd

intitle:"index of" htpasswd

intitle:"index of" members OR accounts

intitle:"index of" user_carts OR user_cart

allintitle: sensitive filetype:doc

allintitle: restricted filetype :mail

allintitle: restricted filetype:doc site:gov

Other interesting Search Queries

- To search for sites vulnerable to Cross-Sites Scripting (XSS) attacks:

allinurl:/scripts/cart32.exe

allinurl:/CuteNews/show_archives.php

allinurl:/phpinfo.php

- To search for sites vulnerable to SQL Injection attacks:

allinurl:/privmsg.php

• 1. Google Hacking

  2.  

  3. allintitle:Brains, Corp. camera

  4.  

  5. allintitle:"index of/admin"

  6. allintitle:"index of/root"

  7. allintitle:restricted filetype:doc site:gov

  8. allintitle:restricted filetype :mail

  9. allintitle:sensitive filetype:doc

  10.  

  11. allinurl:/bash_history

  12. allinurl:winnt/system32/ (get cmd.exe)

  13.  

  14. ext:ini eudora.ini

  15. ext:pwd inurl:(service|authors|administrators |users) "# -FrontPage-"

  16.  

  17. filetype:bak inurl:"htaccess|passwd|shadow|htusers"

  18. filetype:conf slapd.conf

  19. filetype:ctt "msn"

  20. filetype:mdb inurl:"account|users|admin|administrators|passwd|password"

  21. filetype:mdb inurl:users.mdb

  22. filetype:QDF QDF

  23. filetype:pdf "Host Vulnerability Summary Report" "Assessment Report"

  24. filetype:sql ("passwd values ****" | "password values ****" | "pass values ****" )

  25. filetype:xls inurl:"email.xls"

  26. filetype:user eggdrop user

  27.  

  28. "Index of /admin"

  29. "Index of /" +.htaccess

  30. "Index of /mail"

  31. "Index of /" "Parent Directory" "WS_FTP.ini" filetype:ini

  32. "Index of /" +passwd

  33. "Index of /password"

  34. "Index of /" +password.txt

  35. intext:"BiTBOARD v2.0" "BiTSHiFTERS Bulletin Board"

  36. intext:centreware inurl:status

  37. intext:"MOBOTIX M1"

  38. intext:"MOBOTIX M10"

  39. intext:"Open Menu"

  40. intext:"powered by Web Wiz Journal"

  41. intext:"Tobias Oetiker" "traffic analysis"

  42.  

  43. intitle:index.of "Apache/1.3.28 Server at"

  44. intitle:index.of "Apache/2.0 Server at"

  45. intitle:index.of "Apache/* Server at"

  46. intitle:index.of "HP Apache-based Web Server/*"

  47. intitle:index.of "IBM _ HTTP _ Server/* * Server at"

  48. intitle:index.of "Microsoft-IIS/4.0 Server at"

  49. intitle:index.of "Microsoft-IIS/5.0 Server at"

  50. intitle:index.of "Microsoft-IIS/6.0 Server at"

  51. intitle:index.of "Microsoft-IIS/* Server at"

  52. intitle:index.of "Netscape/* Server at"

  53. intitle:index.of "Oracle HTTP Server/* Server at"

  54. intitle:index.of "Red Hat Secure/*"

  55.  

  56. intitle:"Apache::Status" (inurl:server-status | inurl:status.html | inurl:apache.html)

  57. intitle:"Welcome to IIS 4.0!"

  58. intitle:"Welcome to Windows 2000 Internet Services"

  59. intitle:"Welcome to Windows XP Server Internet Services"

  60. intitle:"Welcome to Your New Home Page!"

  61. intitle:"Test Page for Apache Installation" "It worked!" "this Web site!"

  62. intitle:"Test Page for Apache Installation" "Seeing this instead"

  63. intitle:"Test Page for Apache Installation" "You are free"

  64. intitle:"Test Page for the Apache Http Server on Fedora Core"

  65. intitle:"Test Page for the Apache Web Server on RedHat Linux"

  66. intitle:"Test Page for the SSL/TLS-aware Apache Installation" "Hey, it worked!"

  67.  

  68. intitle:"index of" .bash_history

  69. intitle:"index of" etc/shadow

  70. intitle:"index.of" finances.xls

  71. intitle:"index of" htpasswd

  72. intitle:"Index Of" inurl:maillog

  73. intitle:"index of" master.passwd

  74. intitle:"index of" members OR accounts

  75. intitle:"index.of" mystuff.xml

  76. intitle:"index of" passwd

  77. intitle:"index of" people.lst

  78. intitle:"index of" pwd.db

  79. intitle:"Index of" pwd.db

  80. intitle:"Index of" .sh_history

  81. intitle:"index of" spwd

  82. intitle:"index.of" trillian.ini

  83. intitle:"index of" user_carts OR user_cart

  84. intitle:"active webcam page"

  85. intitle:"ASP Stats Generator *.*" "ASP Stats Generator" "2003-2004 weppos"

  86. intitle:"curriculum vitae" "phone * * *" "address *"

  87. intitle:"Dell Laser Printer" ews

  88. intitle:"EvoCam" inurl:"webcam.html"

  89. intitle:liveapplet inurl:LvAppl

  90. intitle:"Multimon UPS status page"

  91. intitle:"my webcamXP server!" inurl:":8080"

  92. intitle:"statistics of" "advanced web statistics"

  93. intitle:"System Statistics" +"System and Network Information Center"

  94. intitle:"Terminal Services Web Connection"

  95. intitle:"Usage Statistics for" "Generated by Webalizer"

  96. intitle:"VNC Desktop" inurl:5800

  97. intitle:"Web Server Statistics for ****"

  98. inurl:admin filetype:db

  99. inurl:admin inurl:backup intitle:index.of

  100. inurl:"auth_user_file.txt"

  101. inurl:"/axs/ax-admin.pl" -script

  102. inurl:"/cricket/grapher.cgi"

  103. inurl:hp/device/this.LCDispatcher

  104. inurl:iisadmin

  105. inurl:indexFrame.shtml Axis

  106. inurl:"main.php" "phpMyAdmin" "running on"

  107. inurl:passwd filetype:txt

  108. inurl:"printer/main.html" intext:"settings"

  109. inurl:server-info "Apache Server Information"

  110. inurl:"ViewerFrame?Mode="

  111. inurl:"wvdial.conf" intext:"password"

  112. inurl:"wwwroot/*."

  113.  

  114. site:gov confidential

  115. site:mil confidential

  116. site:mil "top secret"

  117. "Copyright (c) Tektronix, Inc." "printer status"

  118. "Host Vulnerability Summary Report"

  119. "http://*:*@www"

  120. "Network Vulnerability Assessment Report"

  121. "not for distribution"

  122. "Output produced by SysWatch *"

  123. "These statistics were produced by getstats"

  124. "This file was generated by Nessus"

  125. "This report was generated by WebLog"

  126. "This summary was generated by wwwstat"

  127. "Generated by phpSystem"

  128. "Host Vulnerability Summary Report"

  129.  "my webcamXP server!"

  130.  sample/LvAppl/

  131. "TOSHIBA Network Camera - User Login"

  132. /home/homeJ.html

  133. /ViewerFrame?Mode=Motion

  134. This reveals mySQL database dumps. These database dumps list the structure and content of databases, which can reveal many different types of sensitive information. http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=%22%23mysql+dump%22+filetype%3Asql&btnG=Search

  135.  

  136. These log files record info about the SSH client PUTTY. These files contain usernames, site names, IP addresses, ports and various other information about the SSH server connected to. http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=filetype%3Alog+username+putty

  137.  

  138. These files contain cleartext usernames and passwords, as well as the sites associated with those credentials. Attackers can use this information to log on to that site as that user. http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=filetype%3Alog+inurl%3A%22password.log%22

  139.  

  140. This file contains port number, version number and path info to MySQL server. http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=intitle%3A%22index+of%22+mysql.conf+OR+mysql_config

  141.  

  142. This search reveals sites which may be using Shockwave (Flash) as a login mechanism for a site. The usernames and passwords for this type of login mechanism are often stored in plaintext inside the source of the .swl file. http://www.google.com/search?hl=en&lr=&q=inurl%3Alogin+filetype%3Aswf+swf

  143.  

  144. These are oulook express email files which contain emails, with full headers. The information in these emails can be useful for information gathering about a target. http://www.google.com/search?hl=en&lr=&q=filetype%3Aeml+eml+%2Bintext%3A%22Subject%22+%2Bintext%3A%22From%22+%2Bintext%3A%22To%22

  145.  

  146. This google search reveals users names, pop3 passwords, email addresses, servers connected to and more. The IP addresses of the users can also be revealed in some cases. http://www.google.com/search?num=100&hl=en&lr=&q=filetype%3Areg+reg+%2Bintext%3A%22internet+account+manager

  147.  

  148.  

  149.  

  150.  

  151. Footprinting Websites and Information Gathering Resources

  152.  

  153. A hacker or pen tester  may also do a Google search or a site search to locate information about employees. Some sites useful to find more information about an organization and its employees include:

  154.  

  155. www.trula.com - real estate

  156.  

  157. www.zillow.com - real estate

  158.  

  159. www.netronline.com - real estate

  160.  

  161. www.whosarat.com - informants

  162.  

  163. www.zabaseach.com - name, address, location info

  164.  

  165. www.zoominfo.com - person & company data

  166.  

  167. www.vitalrec.com - people info

  168.  

  169. www.pipl.com - people search

  170.  

  171. www.skipease.com/blog/ - people search

  172.  

  173. www.pretrieve.com - people search

  174.  

  175. www.publicdata.com - people search

  176.  

  177. www.urapi.com - people search

  178.  

  179. https://addons.mozilla.org/en-US/firefox/addon/1912 (who is this person)

  180.  

  181. www.nndb.com – people activity tracker

  182.  

  183. www.willyancey.com/finding.htm  online info

  184.  

  185. www.courthousedirect.com  - property records

  186.  

  187. www.turboscout.com - multisearch engine tool

  188.  

  189. www.theultimates.com - phone number lookup

  190.  

  191. http://skipease.whitepages.com/reverse_address - address lookup

  192.  

  193. www.thevault.com - company search / profile

  194.  

  195. www.blogsearchengine.com - search blogs for info or person

  196.  

  197. www.ccrs.info - China based company search /profile

  198.  

  199. www.hoovers.com - company search / profile

  200.  

  201. www.lexisnexis.com - company search / profile

  202.  

  203. www.topix.net - region specific news articles

  204.  

  205. www.pacer.uscourts.gov/natsuit.html - Court records

  206.  

  207. www.oihweb.com - online investigation techniques

  208.  

  209. www.linkedin.com - business person's network

  210.  

  211.  

  212. Footprinting Links

  213.  

  214. Google Hacking Database

  215. A search that finds password hashes

  216. Nessus Reports from Google

  217. More Passwords from Google

  218. Google Hacks Volume III by Halla

  219. G-Zapper Blocks the Google Cookie to Search Anonymously

  220. SiteDigger 2.0 searches Google’s cache to look for vulnerabilities

  221. BeTheBot - View Pages as the Googlebot Sees Them

  222. An experts-exchange page to demonstrate the Googlebot

  223. HTTP Header Viewer

  224. Masquerading Your Browser

  225. User Agent Switcher :: Firefox Add-ons

  226. Modify Headers :: Firefox Add-ons

  227. User Agent Sniffer for Project 1

  228. GNU Wget - Tool to Mirror Websites

  229. Teleport Pro - Tool to Mirror Websites

  230. Google Earth

  231. Finding Subdomains (Zone Transfers)

  232. Dakota Judge rules that Zone Transfers are Hacking

  233. Internet Archive - Wayback Machine

  234. Wikto - Web Server Assessment Tool - With Google Hacking

  235. VeriSign Whois Search from VeriSign, Inc.

  236. whois.com

  237. ARIN: WHOIS Database Search

  238. Border Gateway Protocol (BGP) and AS Numbers

  239. Internic | Whois - the only one that finds hackthissite.org

  240. Teenager admits eBay domain hijack

  241. NeoTrace

  242. VisualRoute traceroute: connection test, trace IP address, IP trace, IP address locations