Google for Intelligence
Many beginners tend to skip information gathering and aim to attack the target system or person without any training. Those with more experience understand that the more we know about the target, the more likely we are to succeed. In addition, every minute we spend collecting information about our target saves about 3 minutes of wasted time trying exploits or applying social engineering methods that, even if they work, are very shaky. Collecting information therefore takes some time, but it is worth it.
This is often referred to as "passive reconnaissance" because we are not in contact with the target.
Since this is an advanced course, I'm assuming most of you are familiar with Google's advanced features, but for those of you who aren't, this will be a brief introduction.
As you all know, Google operates the most widely used search engine on the Internet. It crawls almost every web page and website and builds a huge database from all the information it collects. Most people use this database to search by keyword, and Google selects the most relevant websites based on its algorithm.
Few people know that Google has special keywords and operators that help us extract specific information from their huge database. For both hackers and social engineers, this database can provide invaluable information about the targets they are looking for.
Let's take a look at some of these keywords and what they do.
Note that for Google keywords, a colon (:) is required between the keyword and the search terms, with no space after the colon, for example, intitle:hakin9.
Although this is not an exhaustive list, here are some of the most widely used Google keywords:
If you use the allinanchor keyword, Google will restrict your search to web pages that have ALL of the terms you specify in their link text.
If you use the allintext keyword, Google will restrict your search to pages that have ALL of the terms you specify in the page text.
If you use the allintitle keyword, Google will restrict your search to pages that have ALL of the terms you specify that appear in the page title.
If you use the allinurl keyword, Google will restrict your search to pages that have ALL of the terms you specify in the page's URL.
If you use the filetype keyword, Google will restrict your search to files of the type you specify. For example, to search for Adobe PDF files, you can use filetype:pdf
If you use the inanchor keyword, Google will restrict your search to pages that have your search terms in the page link text.
If you use the intext keyword, Google will restrict your search to pages that have your search terms in the page text.
If you use the intitle keyword, Google will restrict your search to pages that have your search terms in the page title.
If you use the inurl keyword, Google will restrict your search to pages that have your search terms in the page's URL.
When you use the link keyword followed by a URL, it will show you all the sites that link to the specified URL.
If you use the site keyword, Google will limit your search to the specified site or domain.
Let's look at some examples of how you can use search operators to find relevant websites and files.
As you know, many firms store important financial and other information in Excel files. We could use a Google search restricted to the file type .xls.
We can be a little more selective and combine Google keywords to find Excel files on government websites (using site with the .gov top-level domain) with the word "contact" in the URL. This will hopefully lead to government contact lists, which can be a treasure trove for social engineers.
►filetype:xls site:gov inurl:contact
If I were to search for an Excel file with email addresses, I could use the following:
►filetype:xls inurl:email.xls
Some Google operators can find files that are useful for attacking a particular application. For example, Oracle database clients keep their connection definitions in a file called tnsnames.ora. We could search for these files with:
►filetype:ora tnsnames
Many PHP applications are vulnerable to SQL injection and other attacks. We can search for these types of web applications with:
►inurl:index.php?id=
Some other Google queries that may provide interesting results include:
►intitle:"site admin: please login"
If I were conducting a social engineering attack and wanted to gather useful information about my target, I could use:
►intitle:"curriculum vitae" filetype:doc
Some firms post their vulnerability scan reports on the Internet for employees to view, not realizing that the whole world will be able to view them. If I can view this report, I will know what vulnerabilities exist in their network, and then it will be relatively easy to crack it. For example, if we were looking for a Retina scan report (Retina is the main vulnerability scanning product), we could use:
►intitle:"Retina Report" "Confidential Information"
Or we could find a Nessus scan report with:
►intitle:"Nessus Report" "Confidential Information"
Some of the more interesting Google searches involve looking for vulnerable webcams.
►intitle:Axis inurl:"/admin/admin.shtml"
When we click on one of the search results, we access the administration panel of those cameras.
Some other cool Google hacks that might bring interesting results to a hacker:
►site:edu admin ratings
►inurl:main.php Welcome to phpMyAdmin
Proficiency with Google search operators is a key skill for every hacker and social engineer. In many cases, it can provide information about our target that saves us hours or even days of work.
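For the defender's side of the queries above, the same operators can be evaluated locally against an inventory of your own published URLs, so exposed files are found before a search engine indexes them. This is an added example, not code from the original page; the page inventory, the example.gov host and the simplified matching (plain substring tests, no ranking) are assumptions constructed for illustration.

```python
import shlex
from urllib.parse import urlparse

# Constructed inventory of our own published pages (hypothetical host and content).
PAGES = [
    {"url": "https://www.example.gov/staff/contact.xls", "title": "", "text": "name email"},
    {"url": "https://www.example.gov/reports/scan.html", "title": "Nessus Report", "text": "Confidential Information: hosts"},
    {"url": "https://www.example.gov/index.php?id=7", "title": "News", "text": "latest news"},
    {"url": "https://www.example.gov/about.html", "title": "About us", "text": "contact us"},
]

# Queries taken from this page, written with no space after the colon.
QUERIES = [
    'filetype:xls site:gov inurl:contact',
    'filetype:ora tnsnames',
    'inurl:index.php?id=',
    'intitle:"Retina Report" "Confidential Information"',
    'intitle:"Nessus Report" "Confidential Information"',
]

def parse_query(query):
    """Split a query into (operator, term) pairs; bare terms become ('any', term)."""
    pairs = []
    for token in shlex.split(query):  # shlex keeps quoted phrases together
        op, sep, term = token.partition(":")
        known = sep and op.lower() in ("site", "filetype", "inurl", "intitle", "intext")
        pairs.append((op.lower(), term.lower()) if known else ("any", token.lower()))
    return pairs

def matches(page, query):
    """True when the page satisfies every term of the query (terms are ANDed)."""
    url, host = page["url"].lower(), urlparse(page["url"]).hostname or ""
    path = urlparse(page["url"]).path.lower()
    title, text = page["title"].lower(), page["text"].lower()
    check = {
        "site": lambda t: host == t or host.endswith("." + t),
        "filetype": lambda t: path.endswith("." + t),
        "inurl": lambda t: t in url,
        "intitle": lambda t: t in title,
        "intext": lambda t: t in text,
        "any": lambda t: t in title or t in text or t in url,
    }
    return all(check[op](term) for op, term in parse_query(query))

def audit(pages, queries):
    """Return {query: [matching URLs]} for queries that expose at least one page."""
    hits = {q: [p["url"] for p in pages if matches(p, q)] for q in queries}
    return {q: urls for q, urls in hits.items() if urls}
```

Run it over a sitemap or crawl export of your own domain and treat every hit as a page to remove, put behind authentication, or exclude from indexing.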