00:07
This is Dean Pompilio.
00:10
And in this demo, we're going to be looking at some Google hacking techniques.
00:16
Uh, just going to be an introduction to some of the things you can do. There's
00:21
an entire universe of information out there about how to use Google
00:28
uh, to assist in, uh,
00:31
doing very targeted searches of certain kinds of information.
00:37
Other search engines can work as well. For instance, you could use something like StartPage, because it'll act as a proxy to Google.
00:45
And that's actually a better choice in a lot of ways, because it's an SSL
00:51
search engine and it's not tracking your
00:58
anyway, so we'll start off by going to support.google.com.
01:04
You could find other references for the search operators, but this is a good one.
01:10
This is an official Google reference, at least,
01:14
and so let's review some of these because they are important when you're using the engine and you want to do it efficiently.
01:26
could be used to search Google. Plus,
01:30
Ah, the at sign could be used to find, ah,
01:34
someone's Twitter handle or, um,
01:38
or other instances of the at symbol.
01:42
Also, the dollar sign, the pound sign
01:45
for finding hashtags
01:48
so those might be useful if your, uh, social engineering effort is trying to identify
01:57
social media logins or IDs that the target is using.
02:01
Another really useful item is the dash.
02:07
This basically removes or negates
02:09
that item from your search. So we see in the example,
02:15
trying to find results for Jaguar that relate to the car and not the animal.
02:22
So, or rather the animal, not the car. You could remove references that describe a Jaguar car, hopefully filtering those out so you can see the ones that relate to the animal.
02:34
Double quotes. This is pretty self-explanatory: when you want to search for exactly this text.
02:39
If you don't use double quotes, then you may get a bunch of other partial matches, which of course will
02:46
increase the number of results you have to filter through in order to find something useful.
02:53
The asterisk as a wildcard.
02:58
And then, lastly, is the double dots, which can be used
03:02
for finding numeric ranges,
03:06
so in this case showing, ah,
03:08
ranges for a price, or it could be documents that have certain numbered ranges. So those are both useful instances.
03:17
All right, Now the main search operators,
03:22
we start with site.
03:23
So in this case, you're specifying the exact website that you want to search. In this case, nbc.com is being searched for the word Olympics.
03:32
It's pretty straightforward.
03:35
You can also look for links to a certain website,
03:39
So these are links that would be existing on other websites
03:45
that contain a link to youtube.com, in this case.
03:50
The related link, or the related operator, also very useful.
03:54
If you were searching for,
03:58
or investigating, a target
04:00
website, you might want to try some different related searches
04:02
to see what else comes up.
04:04
Some of the other tools that were demonstrated for this course also
04:10
use a similar technique, doing things like looking for your IP neighbor
04:14
and so on. But related can show you things that
04:18
you might not have expected to have a relationship to the main site that you're looking for or investigating. So these are potentially useful.
04:30
You can use the logical OR,
04:34
for obvious reasons, you want to
04:36
search for this or that or that.
04:42
Then we have the info operator.
04:45
This will help you find cached versions of web pages, which could be useful.
04:53
You can effectively get
04:55
the cached page from Google
04:57
without having to actually touch the target website.
05:00
So that's an interesting technique
05:02
to be able to look at a web page without having your traffic recorded at the target's system.
05:14
And then you can specify exactly the cache that you want to refer to,
05:19
looking for a particular website to see if
05:24
you can retrieve the last cached version of that page.
05:30
Okay, so that's the basic overview. A couple other things to point out,
05:35
you can go to the advanced search page
05:40
and this will, for those of you who are just beginning to use these operators, maybe don't feel like
05:46
typing them all in. You could go to the advanced search page
05:49
and be able to do everything on a form such as this,
05:55
and this makes it real easy because you can see all of your options in front of you
06:01
and you don't have to remember
06:03
the names of all the search operators.
06:06
My advice would be to try to learn the search operators, however,
06:11
since this is much faster
06:13
and it's gonna be more useful if you wanted to
06:17
run some scripts to automate
06:19
certain aspects of your research.
06:23
That's typically what,
06:25
what you'd want to do.
06:33
There's a couple of examples that I'd like to share,
06:40
that are pretty interesting.
06:43
Assuming that you have a social engineer
06:47
It could be an organization, could be an individual.
06:51
But let's say it's an organization, and
06:55
you're trying to figure out if there are possibilities
06:59
for identifying something like a login portal,
07:03
this is a good choice, right? Because
07:05
if you can find a login portal for the organization,
07:10
the social engineer, as part of the pen test, might be able to gain access to that environment.
07:15
Perhaps with stolen credentials, sniffed credentials. They might be able to do it also with
07:24
social engineering techniques directly, if you can,
07:27
If the engineer can trick
07:28
the target into revealing their information, or
07:31
doing something like
07:33
tricking a help desk person into resetting a password.
07:38
Now, the social engineer or the pen tester might be able to gain access to the environment
07:43
with those credentials.
07:46
So I'm just gonna copy and paste some items into
07:49
the search field here,
07:51
save me the trouble of typing these in.
07:54
In this case, we're looking for Citrix and MetaFrame.
08:03
So if I do a search here,
08:07
this is going to show me
08:11
organizations that are using a Citrix MetaFrame setup for their remote access.
08:18
And what do we get? Over 1000 results.
08:22
And of course, this relies on a very particular version
08:26
of the software that displays this text in the URL.
08:31
If you were security minded, of course, you could reconfigure that
08:35
and obfuscate this information somehow so it wouldn't show up in a search like this.
08:41
But obviously, this is the login portal that these members of these organizations use.
08:50
Some of them appeared to not have any authentication whatsoever. And look at all this great information.
08:56
If you were trying to get into this site,
09:00
you know what web server it's using, you could see what version of OpenSSL, what version of PHP,
09:07
and I'm not going to browse these folders, but they are on the public Internet. So
09:16
very little expectation
09:18
of privacy when you've got your systems configured in this way.
09:24
So there's plenty of options here. This is just one login portal example. I'll show you another one.
09:33
Uh, perhaps if you were targeting
09:37
an organization that was related to education, like a university or something of that nature,
09:43
What we're going to do in this case is specify a site,
09:48
a .edu or .org site. Notice that we can use the pipe character here.
09:58
To those of you who are more familiar with regular expressions and computer coding in general,
10:03
the pipe is a little bit easier to deal with
10:05
than typing the word OR. It's visually easier as well.
10:11
You're actually just looking at the code.
10:15
So we're looking for the site, we're going to add to that, we're gonna concatenate.
10:18
That's what the plus sign is going to do here.
10:22
We're also gonna look for a URL
10:24
that has the exact phrase
10:28
faculty login dot asp.
10:33
And since that's encased in double quotes,
10:35
it will be evaluated as one piece, and then the OR in the middle will swap out the, uh,
10:48
so we can see that we found some.
10:52
It's like a health care institute,
10:54
some other organizations.
11:00
So some kind of faculty login.
11:01
And this relies on the fact that this faculty login dot asp is a well-known component of certain
11:11
website configurations, if you will.
11:18
So in order for these searches to truly be useful, you would have to narrow things down to the target organization, right? You'd use, for the site,
11:28
targetcompany.edu or targetcompany.org,
11:35
It's more specific. I'm just showing the broad appeal of using certain searches
11:41
for information gathering
11:48
to take after you have identified an administrative portal. We'll cover some of those in the advanced social engineering course, we'll do
11:54
some more demos of penetration of systems,
11:58
and that will give the practitioner a little bit better idea of how these tools could be utilized more fully.
12:07
Okay, so let's go back
12:09
and think about some other things. If you were,
12:13
for instance, searching
12:16
for more information about your target,
12:18
you might have some information that says, okay, this person
12:26
appears to be using an iPhone. Let's say you've had some physical contact.
12:31
You might be able to
12:33
do some searches related to
12:37
the use of the iPhone, or people that are taking pictures with it, maybe uploading things to iCloud.
12:43
There's lots of different angles you could approach this target from,
12:48
and this particular search
12:50
This is looking for an index,
12:54
so we use the intitle. So the title of the page itself, index of.
13:01
And then there's text within the page.
13:03
We're looking for iCloud photos
13:13
And these three terms here are typical for a lot of
13:18
devices that you hook to your computer. When you automatically
13:22
load photos from your phone or load photos from a camera onto your laptop, for instance, you might get one of these text
13:30
items created as the default folder.
13:35
So we run this query.
13:37
This does exactly what you would expect it to do. We can see that there are
13:48
or rather uploaded to some website.
13:54
If you were looking for images that would be useful for the social engineering audit,
14:01
you would have to go through and,
14:03
you know, individually investigate these photos to see if any of them contain anything useful.
14:11
It could be photos of people that are related to the target, people they work with,
14:16
locations where certain activities are happening, maybe pictures taken at work. All these could be useful for the social engineering audit.
14:26
There's another example of a
14:31
search that will help you find photos.
14:39
This is one that looks for DCIM.
14:43
And if I'm not mistaken, I believe that is
14:46
something that gets associated with Canon,
14:50
if I'm not mistaken, really. It's Sony, one of the two.
14:54
It could be multiple manufacturers that do this, but
15:00
You're looking at people that have probably dumped their phone pictures
15:07
to a server that they interact with, and they might not be thinking about
15:11
the fact that that information is reachable
15:15
from the public Internet.
15:18
So this is an excellent reason to be very careful about how you
15:24
treat your personal information.
15:26
Because if you're putting it on a server, thinking, you know, I'm just gonna keep it there and then I can go get it later, you might not realize that that content is searchable and crawlable, and therefore Google can find it.
15:41
So these are some interesting ideas.
15:45
As you can see, there's quite a few choices.
15:48
This kind of overlaps a little bit with some of the search capabilities that we considered
15:56
I did a Shodan demo,
16:02
very useful searches. You could do a lot of the same things with Google.
16:10
All right, so it's a little bit more information.
16:12
Uh, it could be that
16:15
you want to find some vulnerability information about a website, or maybe try to see if you can get the site to display some debugging information.
16:26
Lots of sources of this.
16:29
You may be wondering where I'm getting all of these ideas and I'll cover that in just a moment.
16:37
So, in this case, we've got a
16:38
messaging board, CrazyWWWBoard,
16:42
and there's a file called CrazyWWWBoard.cgi. So we're looking for that in the URL
16:52
and then text in that page asking about detailed debugging information.
17:00
So these are other websites that are using this same software,
17:07
Okay, we've got a message about a database not being licensed. Okay, that one's a dead end.
17:17
Looks like a few of them are like that. But you get the idea. We're still digging deeper into
17:23
the target company
17:30
to see if there's more information about their systems about their applications
17:37
Some of you may have heard of the Retina scanner. This is a vulnerability scanner that's very useful.
17:45
So in this case, we're gonna look for
17:48
a title page called Retina Report
17:52
and then confidential information as being in the title as well.
17:59
So let's see what we can find here.
18:04
We got a good match at the top.
18:07
So this is an actual audit report
18:15
and this shows quite a bit of information about the network
18:21
IP ranges, number of hosts ever scanned,
18:25
the name of the file that we're actually looking at,
18:30
and then it gives us details
18:33
about vulnerabilities, even with IP addresses.
18:37
So it is typical that you'd want to produce this kind of information if you're doing security scanning within your environment. What's not typical, however,
18:45
is allowing this information to be visible
18:48
on the public Internet.
18:53
So we've even got names of the vulnerabilities and so on. This is
18:57
if you were targeting an organization, and you were able to find this kind of information, you can see how tremendously useful that would be.
19:08
Well, let me get off that page. Okay?
19:15
Some of the other things to think about for Google hacking, if you really want to
19:21
to dig in and learn more and figure out how to
19:26
do some interesting things, like I mentioned
19:29
being able to get the code from a web page through Google instead of actually hitting the website directly.
19:37
A very important objective if you were trying to remain stealthy.
19:45
The Exploit Database,
19:48
exploit-db.com. This is where you want to spend some time.
19:52
It's waiting for the page to load. We can see they've got 34,000
19:57
exploits already documented,
20:00
and these go back quite a long ways back to, like the
20:07
the late eighties, early nineties, even.
20:10
And so if we scroll down, we can see that there's some exploits by category, remote access,
20:18
privilege escalations,
20:26
shellcode. And they also have a nice selection of security papers.
20:30
So these could be really useful to build up your knowledge,
20:36
What I wanted to, ah, look at: there are the different sections for exploits,
20:41
but the Google Hacking Database
20:45
is where I found all the examples that I've shown you today.
20:52
By date, we can see we've got some that have just come out,
20:59
and we can search by categories,
21:03
you might be looking for files that contain user names. You could also put a search
21:08
item here or just hit search by itself and you'll get just the category.
21:21
As we can see, there are quite a few examples
21:36
If you select one of the items, that basically gives you the text in a nice large format, so you can copy and paste it.
21:45
There's also this item, this term called Google Dork,
21:48
and what this means is it's a preformatted search string like you see here, and it's
21:55
it's basically trying to
22:00
people that have or systems that have too much information being available to the public Internet.
22:07
I believe Johnny Long was the one who
22:11
If you do too many searches, Google may force you to
22:18
authenticate yourself to make sure that you're not a bot,
22:21
so you might have to do some reCAPTCHA information here.
22:26
Oh, it actually didn't work
22:30
after all that trouble,
22:34
but you get the idea. So there are lots of choices just for files that contain user names.
22:42
Other things that are interesting
22:45
files containing juicy info, files with passwords,
22:51
sensitive online shopping info.
22:53
Again, if you have a lot of details about your target,
22:59
the websites they use, the website that they might have as part of their organization.
23:06
These different areas of searching can produce little bits of data that you can aggregate together to help achieve the pen testing goal,
23:17
the social engineering pen testing goal.
23:19
But there's one referencing well-known
23:26
shopping cart software. This one's kind of interesting.
23:30
You can search ups.com trying to find an exact match for a
23:36
package tracking number.
23:41
The idea here would be that you might be able to,
23:45
find that information,
23:49
and then craft an email with different information that gets sent to the target
23:56
for whatever purposes. It could be that
23:59
the package needs to be intercepted or
24:06
of activity related to the pen test.
24:11
It was pretty useful,
24:14
and I recommend spending time,
24:18
reading some of the papers on this website as well
24:27
As you can see, there's 1100 papers, and this gives you
24:34
that you can use to further your knowledge and grow your skill set.
24:40
And so people just put this work together
24:42
for the benefit of the pen testing community.
24:45
Obviously, it's for the benefit of the hacking community as well, but
24:49
we're talking about white hat activities here.
24:56
Okay, so I hope you've enjoyed this introduction to Google hacking.
25:02
I know it's a lot of information to take in all at once. But I think if you start to practice these techniques
25:07
get on a website such as Exploit-DB.
25:11
There's plenty of other sites where you can find similar information, but this happens to be my favorite,
25:17
and you'll be well on your way to gathering information for your next social engineering audit.
25:22
I hope you enjoyed the video. See you next time. Thank you.