May 10, 2019
Google Hacking Techniques for 2019
Google has been a powerful tool in the cybersecurity industry for a long time. Specialized searches can be used to gather information that is publicly available, but searches can also be used to compromise security systems. Many technologies, including web hosting, are becoming reliant on live web pages that can be accessed through specialized Google searches. Exploits are often patched and prevented, but new exploits are constantly being discovered and utilized. Hackers and cybersecurity professionals rely on working Google exploits to access and gather information. This section will explore different types of search exploits through some of the latest Google hacks.

inurl:/za/login.do

This hack is pretty simple. The search relies on the “inurl:” operator: anything typed directly after the colon must be included in the webpage’s URL. In this case, the search collects URLs for login pages. Hackers will use this search to collect targets and then utilize other techniques to gain access/credentials. Other examples include “inurl:F5Networks-SSO-Req?” and “inurl:/adfs/services/trust”. These rely on commonly used login URLs. Patterns emerge in URL addresses as many sites rely on the same technologies.

intitle:"Home-CUPS" intext:printers -mugs

While some searches are designed to find login pages to access websites, other searches are designed to access physical devices that rely on webpages. Just as many online services rely on online control panels, many wireless and remote devices rely on live pages. This search produces pages that grant access to control of online printers. Searches like “intitle:"Home-CUPS" intext:printers -mugs” and “intitle:ProFTPD Admin - V1.04” are also used to access online devices. Printers, locks, cameras, power supplies, climate controls, web servers, and many other systems are controlled by live web pages that can be accessed with Google searches.

inurl:/uploads/wc-logs/

This search is a bit more indirect than the others; its main purpose is to gather log information. Websites store logs in a format that can be accessed online, and access to these pages can grant access to the entire server storage system. This search will yield links to online logs of various websites. The data listed in the log itself may or may not be useful, but navigation to parent directories can grant access to the entire site. In most cases you cannot edit the content of the server, so this search is mostly useful for gathering information. Other log searches include “inurl:/files/_log/ filetype:log” and “inurl:"/cgi-bin/WS_FTP.LOG"”.

allinurl:"wp-content/plugins/wordpress-popup/views/admin/"

This search is very similar to the log directory search, but it targets different parts of site directories. Using “allinurl:” guarantees that everything contained within quotes is included in the URL. In this case, the search will return admin directories on WordPress sites. Other searches like “allintitle:"Index of /Admin/Common" | allintext:"Parent Directory"” and “index of /etc/certs/” will yield similar results. While log searches rely specifically on detecting public log pages, these searches rely on various points of access to gain entry to web server directories.

Google hacking involves staying updated on the latest exploits and a lot of trial and error. Many of the pages returned by these searches will be blocked or yield null results. These searches are often carried out and aggregated on a large scale, yielding a fraction of targets that are both accessible and workable. As proof of concept, it is not hard for anyone to carry out a Google hack and yield useful results. However, it takes skill and knowledge to utilize exploits that are unpatched and undetected.

TL;DR

Google hacking has been around a long time, but a lot of useful source material has since been patched or become outdated. Successful Google hacking requires keeping up with the latest exploits and techniques. This section explores some of the latest Google hacking techniques for 2019 along with their underlying mechanics.
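
As an added example (not code from the original article), the Python below shows how a site owner can run the dorks quoted above against a crawl inventory of their own hosts, to find pages that should come off the public web before they are indexed. The matching is a simplified, case-insensitive substring approximation of how the operators behave; `parse_dork`, `matches`, `audit` and the `example.test` pages are hypothetical names and constructed data.

```python
import shlex

# Dorks quoted in the article.
DORKS = [
    'inurl:/za/login.do',
    'intitle:"Home-CUPS" intext:printers -mugs',
    'inurl:/uploads/wc-logs/',
    'allinurl:"wp-content/plugins/wordpress-popup/views/admin/"',
]

# Constructed crawl inventory of our own hosts (example.test is a placeholder).
SAMPLE_PAGES = [
    {'url': 'https://shop.example.test/uploads/wc-logs/',
     'title': 'Index of /uploads/wc-logs', 'text': 'Parent Directory fatal-errors.log'},
    {'url': 'https://print.example.test:631/',
     'title': 'Home-CUPS', 'text': 'Printers Classes Jobs Administration'},
    {'url': 'https://gifts.example.test/catalog',
     'title': 'Home-CUPS themed gifts', 'text': 'Mugs for people who love printers'},
]

def parse_dork(query):
    """Split a dork into (field, phrase, negated) terms; field None means any field."""
    terms, sticky = [], None
    for token in shlex.split(query):            # keeps "quoted phrases" in one token
        negated = token.startswith('-')
        token = token.lstrip('-')
        op, sep, value = token.partition(':')
        if sep and op in ('inurl', 'intitle', 'intext'):
            terms.append((op[2:], value.lower(), negated))
        elif sep and op in ('allinurl', 'allintitle', 'allintext'):
            sticky = op[5:]                     # all* also covers later bare terms
            terms.append((sticky, value.lower(), negated))
        else:
            terms.append((sticky, token.lower(), negated))
    return terms

def matches(terms, page):
    """Case-insensitive substring match of every term against the page fields."""
    for field, phrase, negated in terms:
        haystacks = [page[field]] if field else page.values()
        if any(phrase in h.lower() for h in haystacks) == negated:
            return False                        # required term absent or excluded term present
    return True

def audit(pages, dorks=DORKS):
    """Map each exposed URL to the dorks that would surface it."""
    hits = {p['url']: [d for d in dorks if matches(parse_dork(d), p)] for p in pages}
    return {url: found for url, found in hits.items() if found}
```

Calling `audit(SAMPLE_PAGES)` flags the log directory and the printer panel, while the `-mugs` exclusion drops the gift-shop page even though its title and text match the other two terms.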