Google Hacking Lab | Cybrary

Video Activity

Create Free Account

In this lab, Subject Matter Expert Dean Pompilio discusses Google hacking techniques and presents an introduction to some of the things you can do when gathering information for a Social Engineering audit. SME Pompilio discusses how to use Google specifically to do targeted searches. (Although this demonstration refers to the search engine Google, ...

Sign up with

Or

Already have an account? Sign In »

Time

3 hours 55 minutes

Difficulty

Advanced

CEU/CPE

5

Create Free Account

In this lab, Subject Matter Expert Dean Pompilio discusses Google hacking techniques and presents an introduction to some of the things you can do when gathering information for a Social Engineering audit. SME Pompilio discusses how to use Google specifically to do targeted searches. (Although this demonstration refers to the search engine Google, the search engine StartPage may be a better choice for a search engine for privacy purposes). A review of the various search operators and their uses covers the following:

main search operators such as sites and links
related search operators
special search operators such as info and cached
use of the advanced search function page

SME Pompilio presents several examples of how to obtain confidential information about a target when you want to find some vulnerability information about a Web site, or you want to reveal a site's debugging information. A Social Engineer can search for vulnerabilities of information that should not be available on the public Internet. There is a considerable amount of confidential information that is available deep in the public Internet that a target probably does not know is available and that will allow you to dig deeper into the environment in which the target company operates; you will learn more info about the company's systems, applications, and people. It is suggested that Social Engineers should spend time on exploitdb.com to have access to a large database of exploits organized by category. There also are more than one thousand security papers on this site that can be accessed to further your knowledge and increase your skill set. (This is the site that Dean Pompilio used to present the examples in this demonstration). SME Pompilio also presents other aspects of Google hacking that will allow you to get the code of a page through Google without going directly to the Web page, and he discusses Google Dork, which is a preformatted search string that identifies systems that have too much information available on the public internet.

00:06

Hello, everyone.

00:07

This is Dean Pompilio.

00:10

And in this demo, we're going to be looking at some Google hacking techniques.

00:16

Uh, just going to be an introduction to some of the things you can do theirs

00:21

a an entire universe of information out there about how to use Google

00:26

specifically,

00:28

uh, to assist in in, uh,

00:31

doing very targeted searches of certain kinds of information.

00:37

Other search engines can work as well. For instance, you could use something like Start Page because it'll act as a proxy to Google.

00:45

And that's actually a better choice in a lot of ways, because it's an SSL

00:51

search engine and it's not tracking your

00:56

I P address

00:58

anyway, so we'll start off by going to support dot google dot com.

01:04

You could find other references for the search operators, but this is a good one.

01:10

This is an official Google reference, at least,

01:14

and so let's review some of these because they are important when you're using the engine and you want to do it efficiently.

01:23

So the plus sign

01:26

could be used to search Google. Plus,

01:30

Ah, the at sign could be used to find Ah,

01:34

you're someone's Twitter handle or, um

01:38

or other instances of the at symbol.

01:42

Also, the dollar sign the pound sign

01:45

for finding hashtags

01:48

so those might be useful if you're If you're, uh, social engineering effort is trying to identify

01:55

the

01:57

social media Loggins or our ideas that the target is using.

02:01

Another really useful item is the dash.

02:07

This basically removes or negates

02:09

that item from your search. So we see in the example,

02:15

um,

02:15

trying to find results of for Jaguar that relate to the car and not the animal.

02:22

So you're rather the animal, not the car. You could remove references that that describe a Jaguar car. Hopefully, filtering goes out so you can see the ones that relate to the animal

02:34

double quotes. This is pretty self explanatory when you want to search for exactly this text.

02:39

If you don't use a double quotes than you may get a bunch of other partial matches, which of course, will

02:46

increased the number of results you have to filter through in order to find something useful

02:52

and also use the

02:53

the asterisk as a wild card.

02:55

Very useful

02:58

and then, lastly, is the double dots, which can used for

03:02

to finding numeric ranges

03:06

so in this case showing ah

03:08

ranges for a price or it could be documents that have certain numbered ranges. So those air are both useful instances.

03:17

All right, Now the main search operators,

03:22

we start with sight.

03:23

So in this case, you're specifying the exact website that you want to search. In this case, NBC dot com is being searched for the word Olympics.

03:32

It's pretty straightforward.

03:35

You can also look for links to a certain website,

03:39

So these air links that would be existing on other websites

03:45

that contain a link to a youtube dot com. In this case,

03:50

the related link also are related. Operator, also very useful.

03:54

If you were searching for a

03:58

are investigating a target

04:00

website, you might want to try some different related searches

04:02

to see what else comes up.

04:04

Some of the other tools that were demonstrated for this course also

04:10

use a similar technique doing things like looking for your I p neighbor

04:14

on so on. But related can show you things that

04:18

you might not have expected to have a relationship to. The main site that you're looking for are investigating. So these air potentially useful

04:28

areas to discover

04:30

you can use the logical or

04:34

for obvious reasons you wantto

04:36

search for this or that or that.

04:42

Then we have the info operator.

04:45

This will help you find cash versions of Web pages, which could be useful

04:49

if you find a cash

04:51

page.

04:53

You can effectively get the

04:55

the cash page from Google

04:57

without having to actually touch the target website.

05:00

So that's an interesting technique

05:02

to be able to look at a Web page without having your traffic recorded up at the target's system.

05:14

And then you can specify exactly the cash that you want. Thio refer to

05:19

looking for a particular website to see if

05:24

you can retrieve the last cached version of that page.

05:30

Okay, so that's the basic overview. A couple other things to point out,

05:35

you can go to the advanced search page

05:40

and this will for those of you who are just beginning to use these operators. Maybe don't feel like

05:46

typing them all in. You could go to the advanced search page

05:49

and be able thio do everything on a form such as this,

05:55

and this makes it real easy because you can see all of your options in front of you

06:01

and you don't have to remember

06:03

the names of all the search operators.

06:06

My advice would be to try to learn the search operators, however,

06:11

since this is much faster

06:13

and it's gonna be more useful if you wanted,

06:16

perhaps

06:17

run some scripts to automate

06:19

certain aspects of your research.

06:23

That's that's typically what,

06:25

what you'd want to d'oh!

06:30

Okay, so

06:33

there's a couple of examples that I'd like to share,

06:38

and these are

06:40

are pretty interesting.

06:43

Assuming that you have a social engineer

06:46

Target

06:47

could be an organization could be an individual.

06:51

But let's say it's an organization, and

06:55

you're trying to figure out if if there are possibilities

06:59

for identifying something like a log in portal,

07:03

this is a good choice, right? Because

07:05

if you can find a log in portal for the organization,

07:10

the social engineer, as part of the pen test, might be able to gain access to that environment.

07:15

Perhaps with stolen credentials sniff credentials. They might be able to do it also with

07:24

social engineering techniques directly, if you can.

07:27

If the engineer can trick

07:28

the target into revealing their their information or

07:31

or doing something like

07:33

tricking a help desk person into re setting a password.

07:38

Now, the social engineer or the pen tester might be able to gain access to the environment

07:43

with those credentials.

07:46

So I'm just gonna copy and paste some items into

07:49

the search field here,

07:51

save me the trouble of typing these in.

07:54

In this case, we're looking for Citrix and met a frame

08:00

Expedia text

08:01

in the girl.

08:03

So if I do a search here,

08:07

this is going to show me

08:07

several different

08:11

organizations that are using a Citrix meta frame setup for their remote access.

08:18

And what do we get? Over 1000 results.

08:22

And of course, this relies on a very particular version of

08:26

of the software that displays this text in the Earl.

08:31

If you were security minded, of course, you could reconfigure that

08:35

and obvious, Kate, This this information somehow so wouldn't show up in a search like this.

08:41

But obviously, this is the log in portal that these that these members of these organizations use.

08:50

Um,

08:50

some of them appeared to not have any authentication whatsoever. And look at all this great information.

08:56

If you were trying to get into this site,

09:00

you know what Web server using you could see what version of open SSL What version of PHP

09:07

and not going to browse these folders, but they are on the public Internet. So

09:13

there there is

09:16

very little expectation of

09:18

of privacy. When you've got your systems, configure it in this way.

09:24

So there's plenty of plenty of options here. This is just one log in portal example. I'll show you another one.

09:31

This one looks,

09:33

uh, perhaps if you were targeting

09:37

an organization that was related to education, like a university or something of that nature,

09:43

What we're going to do in this case is specify a site,

09:46

uh,

09:48

and dot e d u r dot org's site. Notice that we can use the pipe character here

09:54

as an or

09:56

replacement

09:58

to those of you who are more familiar with regular expressions and computer coding. In general,

10:03

the pipe is a little bit easier deal with

10:05

than typing the word or get's visually easier as well.

10:11

You're actually just looking at the coat.

10:15

So we're looking for the site we're going to add to that we're gonna contaminate.

10:18

That's what the plus sign going to do here.

10:22

We're also gonna look for a girl

10:24

that has the exact phrase

10:28

faculty log in dot a S p

10:30

or

10:31

dot PHP.

10:33

And since that's encased in double quotes,

10:35

it will be evaluated as one piece, and then the or in the middle will swap out the Thea

10:43

alternate extension

10:48

so we can see that we found some.

10:52

It's like a health care institute,

10:54

uh,

10:54

some other organizations.

11:00

So some kind of faculty log in.

11:01

And this relies on the fact that this faculty log in Dottie S P is a well known component of certain,

11:09

um,

11:11

website configurations, if you will.

11:18

So in order for these searches to truly be useful, you would have to narrow things down to the target organization. Right? You for the site,

11:26

you would have

11:28

target company dot edu you or target company dot or GE,

11:31

In order to

11:33

make this,

11:35

it's more specific. I'm just showing that the broad appeal of using certain searches

11:41

for information gathering

11:46

the steps to AH

11:48

to take after you have identified an administrative portal will cover some of those in the advanced social engineering course, will do

11:54

some more demos of penetration of systems,

11:58

and that will get give the practitioner a little bit better idea on how these these tools could be could be utilised more fully.

12:07

Okay, so let's go back

12:09

and think about some other things. If you were,

12:13

for instance, searching for your

12:16

for more information about your target,

12:18

you might have some information that says, Okay, this this person,

12:24

um,

12:26

appears to be using an iPhone. Let's say you've had some physical contact.

12:31

You might be able to

12:33

do some searches related to

12:37

the use of the iPhone or people that are taking pictures with maybe uploading things to iCloud.

12:43

There's lots of different angles you could approach this this this target from

12:48

and this particular search

12:50

This is looking for an index,

12:54

so we use the entitle. So the title of the page itself index of.

13:01

And then there's text within the page.

13:03

We're looking for iCloud photos

13:05

or my photo stream

13:11

or camera roll.

13:13

And these these three terms here are typical for a lot of

13:18

devices that you hook to your computer. When you when you automatically

13:22

load photos from your phone or load photos from a camera onto your laptop, for instance, you might get one of these text

13:30

items created as the default folder.

13:35

So we run this query.

13:37

This does exactly what you would expect it to do. We can see that there are

13:43

pictures

13:43

that people have

13:46

downloaded

13:48

or rather uploaded to some website.

13:52

And of course,

13:54

of you were looking for images that would be useful for the for the social engineering audit

14:01

you would have to go through and,

14:03

you know, individually investigate these photos to see if any of them contain anything useful.

14:11

It could be photos of people that are related to the target people. They work with

14:16

locations where certain activities air happy, maybe pictures taken at work. All these could be useful for the social engineering audit.

14:26

There's another example of a

14:31

search that will help you find photos.

14:39

This is one that looks for D. C. I am.

14:43

And if I'm not mistaken, I believe that is

14:46

something that gets associated with cannon

14:48

cameras.

14:50

I'm not mistaken, really. It's Sony is one of the two.

14:54

It could be multiple manufacturers. I'd do this, but

14:58

same idea.

15:00

You're looking at people that have probably dumped their their phone pictures

15:07

to a server that they that they interact with that they might not be thinking about

15:11

the fact that that information is reachable

15:15

from the public Internet.

15:18

So this is an excellent reasons to be very careful about how you

15:24

treat your your personal information.

15:26

Because if you're putting it on a server, think, you know, I'm just gonna keep it there and then I can go get it later. You might not realize that that content is searchable and crawl a ble, and therefore Google confined it.

15:41

So these are some interesting ideas.

15:45

As you can see, there's quite a few choices.

15:48

This this kind of overlaps a little bit with some of the search capabilities that we considered

15:54

for

15:56

showed him.

15:56

I did a show Dan demo,

15:58

and it has some

16:02

very useful searches. You could do a lot of the same things with Google.

16:10

All right, so it's a little bit more information.

16:12

Uh, it could be that

16:15

you want to find some vulnerability information about a website or maybe try to see if you can get get the site to display some debugging information.

16:26

Lots of sources of this.

16:29

You may be wondering where I'm getting all of these ideas and I'll cover that in just a moment.

16:37

Thought in this case, we've got a

16:38

messaging board crazy. Www board

16:42

and there's a file called Crazy WW board dot c g I. So we're looking for that in the Earl

16:49

this file here

16:52

and then text in that page asking about detailed debugging information.

17:00

So these are other websites that are using this same software,

17:06

and

17:07

okay, we've got a message about a database not being licensed. Okay, that one's dead end

17:17

Looks like a few of them are like that. But you get the idea. We're We're still digging deeper into

17:22

the environment

17:23

that the target company

17:26

is operating within

17:30

to see if there's more information about their systems about their applications

17:33

about their people.

17:37

Some of you may have heard of the retina scanner. This is a vulnerability scanner. That's very useful.

17:45

So in this case, we're gonna look for

17:48

a title page called Retina Report

17:52

and then confidential information, as as being in the title as well.

17:59

So let's see, we confined here

18:03

looks like a

18:04

We got a good match at the top.

18:07

So this is an actual audit report

18:11

done back in 2013

18:15

and this shows quite a bit of information about the network

18:21

I P Range's number of hosts ever scanned

18:25

the name of the file that we're actually looking at,

18:30

and then it gives us details

18:33

about vulnerabilities, even with I p addresses.

18:37

So this is typical that you want to produce this kind information if you're doing security scanning within your environment. What's not typical, however,

18:45

is allowing this information to be visible

18:48

on the public Internet.

18:53

So we've even got names of the vulnerabilities and so on. This is

18:57

if you were targeting an organization, you were able to find this kind of information. You can see how tremendously useful that would be.

19:08

Well, let me get off that page. Okay?

19:14

All right. So

19:15

some of the other things to think about for Google hacking if you really want to

19:21

thio to dig in and and learn Maur and figure out how to

19:26

do some interesting things, like I mentioned

19:29

being able to get the code from a a Web page with through Google instead of it actually hitting the Web site directly.

19:36

That's certainly a

19:37

a very important objective if you were trying to remain stealthy,

19:44

but the

19:45

the exploit database

19:48

exploit dash d b dot com. This is where you want to spend some time.

19:52

It's waiting for the page to lowers. We conceive, they've got 34,000

19:57

exploits already documented,

20:00

and these go back quite a long ways back to, like the

20:07

the late eighties, early nineties, even.

20:10

And so if we scroll down, we can see that there's some exploits by category, remote access,

20:15

lev applications,

20:18

privilege, escalations,

20:22

no service

20:26

shell code. And they have also have a nice selection of security papers.

20:30

So these could be really useful to build up your knowledge,

20:34

but in particular

20:36

what I wanted to to ah, look at when there are the different sections for exploits.

20:41

But the Google Hacking database

20:45

is where I found all the examples that I've that I've shown you today.

20:51

These are ranked

20:52

Bye bye date. We can see we've got some that have just come out

20:59

and we can search by categories,

21:02

so

21:03

you might be looking for files that contain user names. You could also put a search

21:08

item here or just hit search by itself and you'll get just the category.

21:21

As we can see, there are quite a few examples

21:25

rude, etc. Password

21:26

in text for home.

21:36

If you select one of the items that basically gives you the text in a large, nice large formats, you can copy and paste it.

21:45

There's also this item, this term called Google Dork,

21:48

and what this means is it's It's a pre formatted search string like you see here, and it's

21:55

it's basically trying to

21:57

identify

22:00

people that have or systems that have too much information being available to the public Internet.

22:07

I believe Johnny Long was the one who

22:10

created that.

22:11

If you do too many searches, Google may force you to

22:18

authenticate yourself to make sure that you're not a but

22:21

so you might have to do a some recapture information here.

22:26

Oh, I won't actually didn't work

22:30

after all that trouble,

22:34

but you get the idea. So there are lots of choices just for files that contain user names.

22:42

Other things that are interesting

22:45

files containing juicy info files with passwords

22:51

sensitive shopping online info

22:53

again. If you have a lot of details about your target,

22:59

the websites they use, the website that they that they might have is part of their organization.

23:06

These different areas of searching can produce little bits of data that you can aggregate together to help achieve the pen testing goal,

23:17

Social engineering pen testing goal.

23:19

But there's a referencing, well known,

23:23

uh,

23:26

shopping cart software. This one's kind of interesting.

23:30

You can search ups dot com trying to find an exact match for a

23:36

package tracking number.

23:41

The idea here would be that you might be able to,

23:45

uh,

23:45

find that information,

23:48

get a displayed

23:49

and then craft an email with different information that gets sent to the target

23:56

for whatever purposes it. It could be that

23:59

the package needs to be intercepted or

24:03

some other

24:04

type of AH

24:06

of activity related to the pen test.

24:11

It was pretty useful,

24:14

and I recommend spending time,

24:17

um,

24:18

reading some of the papers on this website as well

24:27

as you can see there's 1100 papers, and this gives you

24:33

good information

24:34

that you can use to further your knowledge and grow your skill set.

24:40

And so people just put this work together

24:42

for the benefit of the pen testing community.

24:45

Obviously, it's for the benefit of the hacking community as well, but

24:49

we're talking about white hat activities here.

24:56

Okay, so I hope you've enjoyed this introduction to Google hacking.

25:02

I know it's a lot of information to take in all at once. But I think if you start to practice these techniques

25:07

get on a website such as exploit TB.

25:11

There's plenty of other sites you confined similar information, but this happens to be my favorite,

25:17

and you'll be well on your way to gathering information for your next social engineering audit.

25:22

I hope you enjoyed the video. See you next time. Thank you.

In this online, self-paced Social Engineering and Manipulation training class, you will learn how some of the most elegant social engineering attacks take place. Learn to perform these scenarios and what is done during each step of the attack.

CEO of SteppingStone Solutions