Time
3 hours 55 minutes
Difficulty
Advanced
CEU/CPE
5

Video Description

In this lab, Subject Matter Expert Dean Pompilio discusses Google hacking techniques and presents an introduction to some of the things you can do when gathering information for a Social Engineering audit. SME Pompilio discusses how to use Google specifically to do targeted searches. (Although this demonstration uses Google, the search engine StartPage may be a better choice for privacy purposes, since it proxies queries to Google over SSL without recording the client's IP address.) A review of the various search operators and their uses covers the following:

  • main search operators such as site: and link:
  • the related: search operator
  • special search operators such as info: and cache:
  • use of the advanced search function page

SME Pompilio presents several examples of how to obtain confidential information about a target when you want to find vulnerability information about a Web site, or you want to reveal a site's debugging information. A Social Engineer can search for information that should not be available on the public Internet. There is a considerable amount of confidential information available deep in the public Internet that a target probably does not know is exposed, and that will allow you to dig deeper into the environment in which the target company operates; you will learn more about the company's systems, applications, and people. It is suggested that Social Engineers spend time on exploit-db.com, which hosts a large database of exploits organized by category as well as more than one thousand security papers that can be accessed to further your knowledge and increase your skill set. (Its Google Hacking Database is the source of the examples Dean Pompilio uses in this demonstration.) SME Pompilio also presents other aspects of Google hacking that will allow you to get the code of a page through Google without going directly to the Web page, and he discusses the Google Dork, a preformatted search string that identifies systems that have too much information available on the public Internet.
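The operator review above, as an added worked example (not code from the lesson, from Google or from Exploit-DB): a small Python module that composes dork strings from the operators the lesson covers, parses them back into tokens, and re-scopes a broad Google Hacking Database dork to a single target domain, which the lesson says you must do before a search is useful in an audit. The dorks and the target domain example.edu are constructed samples; the module only builds and checks strings and never queries a search engine.

```python
"""Compose and parse Google "dork" query strings from search operators.

Added example, not from the original lesson or from Google or Exploit-DB. It turns
the operators the lesson reviews (site:, inurl:, intitle:, intext:, link:, related:,
cache:, "exact phrases", - exclusion, OR / |, * wildcard, numeric ranges) into strings
a script can build, parse and re-scope to one target domain. It never contacts a
search engine; every dork and domain used with it here is a constructed sample.
"""
import re
from dataclasses import dataclass

_TOKEN_RE = re.compile(
    r'\s*(?:(?P<neg>-)?(?:(?P<op>[A-Za-z]+):)?'
    r'(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>[^\s"()|]+))'
    r'|(?P<paren>[()])|(?P<or>\|))'
)
_NEEDS_QUOTES = re.compile(r'[\s"()|]')

@dataclass
class Token:
    kind: str               # operator name, or "term", "or", "paren"
    value: str
    negated: bool = False
    quoted: bool = False

def phrase(text: str) -> str:            # "exact phrase", inner quotes escaped
    return '"' + text.replace('"', '\\"') + '"'

def op(name: str, value) -> str:         # name:value, quoted if it holds spaces or syntax
    value = str(value)
    return f"{name}:{phrase(value) if _NEEDS_QUOTES.search(value) else value}"

def exclude(term: str) -> str:           # -term removes matches
    return "-" + term

def any_of(*alternatives: str) -> str:   # (a | b); Google reads the pipe as OR
    return "(" + " | ".join(alternatives) + ")"

def num_range(low, high) -> str:         # low..high, the double-dot range
    return f"{low}..{high}"

def build(*parts: str) -> str:
    return " ".join(p for p in parts if p)

def tokenize(query: str) -> list:
    """Split a dork string into tokens; raises ValueError on an unterminated quote."""
    tokens, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = _TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"cannot parse query at offset {pos}: {query[pos:pos + 12]!r}")
        pos = m.end()
        if m.group("paren"):
            tokens.append(Token("paren", m.group("paren")))
        elif m.group("or") or (m.group("op") is None and m.group("bare") == "OR"):
            tokens.append(Token("or", "|"))          # the keyword OR and the pipe are the same
        else:
            quoted = m.group("quoted") is not None
            value = m.group("quoted").replace('\\"', '"') if quoted else m.group("bare")
            tokens.append(Token(m.group("op") or "term", value, bool(m.group("neg")), quoted))
    return tokens

def render(tokens: list) -> str:
    """Rebuild the query string from tokens (inverse of tokenize)."""
    out = ""
    for t in tokens:
        if t.kind in ("or", "paren"):
            s = t.value
        else:
            v = phrase(t.value) if t.quoted or _NEEDS_QUOTES.search(t.value) else t.value
            s = ("-" if t.negated else "") + ("" if t.kind == "term" else f"{t.kind}:") + v
        out += ("" if not out or out.endswith("(") or s == ")" else " ") + s
    return out

def _dangling(tok, paren: str) -> bool:  # no operand on this side of an OR
    return tok is None or tok.kind == "or" or (tok.kind == "paren" and tok.value == paren)

def _prune(tokens: list) -> list:
    """Drop ORs and parentheses left without an operand after tokens were removed."""
    changed = True
    while changed:
        changed, out, i = False, [], 0
        while i < len(tokens):
            t, nxt = tokens[i], (tokens[i + 1] if i + 1 < len(tokens) else None)
            prev = out[-1] if out else None
            if t.kind == "paren" and t.value == "(" and nxt is not None and (nxt.kind, nxt.value) == ("paren", ")"):
                i, changed = i + 2, True               # empty group "()"
            elif t.kind == "or" and (_dangling(prev, "(") or _dangling(nxt, ")")):
                i, changed = i + 1, True               # OR with nothing on one side
            else:
                out.append(t)
                i += 1
        tokens = out
    return tokens

def scope_to_target(dork: str, domain: str) -> str:
    """Narrow a broad GHDB-style dork to one target: replace its site: clauses with
    site:<domain>, as the lesson advises before using a dork in an audit."""
    kept = _prune([t for t in tokenize(dork) if t.kind.lower() != "site"])
    return render([Token("site", domain)] + kept)
```

Usage: build(op("intitle", "index of"), any_of(op("intext", "iCloud Photos"), op("intext", "Camera Roll"))) yields the photo-index dork from the lesson, and scope_to_target('(site:edu | site:org) inurl:"faculty login.asp"', "example.edu") strips the broad site: group and prepends site:example.edu, pruning the OR and parentheses that would otherwise be left empty. Because tokenize and render round-trip, a script can load dorks from a file, rewrite them per target, and keep the query text Google actually receives under review rather than pasting strings by hand.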

Video Transcription

00:06
Hello, everyone.
00:07
This is Dean Pompilio.
00:10
And in this demo, we're going to be looking at some Google hacking techniques.
00:16
Uh, just going to be an introduction to some of the things you can do. There's
00:21
an entire universe of information out there about how to use Google
00:26
specifically,
00:28
uh, to assist in, uh,
00:31
doing very targeted searches of certain kinds of information.
00:37
Other search engines can work as well. For instance, you could use something like StartPage, because it'll act as a proxy to Google.
00:45
And that's actually a better choice in a lot of ways, because it's an SSL
00:51
search engine and it's not tracking your
00:56
IP address.
00:58
Anyway, so we'll start off by going to support.google.com.
01:04
You could find other references for the search operators, but this is a good one.
01:10
This is an official Google reference, at least,
01:14
and so let's review some of these because they are important when you're using the engine and you want to do it efficiently.
01:23
So the plus sign
01:26
could be used to search Google+.
01:30
Ah, the at sign could be used to find, ah,
01:34
someone's Twitter handle or, um,
01:38
other instances of the at symbol.
01:42
Also, the dollar sign, and the pound sign
01:45
for finding hashtags,
01:48
so those might be useful if your, uh, social engineering effort is trying to identify
01:55
the
01:57
social media logins or IDs that the target is using.
02:01
Another really useful item is the dash.
02:07
This basically removes or negates
02:09
that item from your search. So we see in the example,
02:15
um,
02:15
trying to find results for Jaguar that relate to the car and not the animal.
02:22
Or rather, the animal, not the car. You could remove references that describe a Jaguar car, hopefully filtering those out so you can see the ones that relate to the animal.
02:34
Double quotes. This is pretty self-explanatory: when you want to search for exactly this text.
02:39
If you don't use the double quotes, then you may get a bunch of other partial matches, which of course will
02:46
increase the number of results you have to filter through in order to find something useful.
02:52
And also use the
02:53
asterisk as a wildcard.
02:55
Very useful.
02:58
And then, lastly, is the double dots, which can be used
03:02
for finding numeric ranges,
03:06
so in this case showing, ah,
03:08
ranges for a price, or it could be documents that have certain numbered ranges. So those are both useful instances.
03:17
All right, Now the main search operators,
03:22
we start with site.
03:23
So in this case, you're specifying the exact website that you want to search. In this case, NBC.com is being searched for the word Olympics.
03:32
It's pretty straightforward.
03:35
You can also look for links to a certain website,
03:39
so these are links that would be existing on other websites
03:45
that contain a link to youtube.com, in this case.
03:50
The related link, or related operator, also very useful.
03:54
If you were searching for, or
03:58
investigating, a target
04:00
website, you might want to try some different related searches
04:02
to see what else comes up.
04:04
Some of the other tools that were demonstrated for this course also
04:10
use a similar technique, doing things like looking for your IP neighbor
04:14
and so on. But related can show you things that
04:18
you might not have expected to have a relationship to the main site that you're looking for or investigating. So these are potentially useful
04:28
areas to discover.
04:30
You can use the logical OR,
04:34
for obvious reasons, if you want to
04:36
search for this or that or that.
04:42
Then we have the info operator.
04:45
This will help you find cached versions of web pages, which could be useful.
04:49
If you find a cached
04:51
page,
04:53
you can effectively get the
04:55
cached page from Google
04:57
without having to actually touch the target website.
05:00
So that's an interesting technique
05:02
to be able to look at a web page without having your traffic recorded at the target's system.
05:14
And then you can specify exactly the cache that you want to refer to,
05:19
looking for a particular website to see if
05:24
you can retrieve the last cached version of that page.
05:30
Okay, so that's the basic overview. A couple other things to point out,
05:35
you can go to the advanced search page
05:40
and this will, for those of you who are just beginning to use these operators and maybe don't feel like
05:46
typing them all in... You could go to the advanced search page
05:49
and be able to do everything on a form such as this,
05:55
and this makes it real easy because you can see all of your options in front of you
06:01
and you don't have to remember
06:03
the names of all the search operators.
06:06
My advice would be to try to learn the search operators, however,
06:11
since this is much faster
06:13
and it's gonna be more useful if you wanted,
06:16
perhaps
06:17
run some scripts to automate
06:19
certain aspects of your research.
06:23
That's typically what
06:25
you'd want to do.
06:30
Okay, so
06:33
there's a couple of examples that I'd like to share,
06:38
and these are
06:40
pretty interesting.
06:43
Assuming that you have a social engineering
06:46
target,
06:47
it could be an organization, could be an individual.
06:51
But let's say it's an organization, and
06:55
you're trying to figure out if there are possibilities
06:59
for identifying something like a login portal.
07:03
This is a good choice, right? Because
07:05
if you can find a login portal for the organization,
07:10
the social engineer, as part of the pen test, might be able to gain access to that environment.
07:15
Perhaps with stolen credentials, sniffed credentials. They might be able to do it also with
07:24
social engineering techniques directly, if you can,
07:27
if the engineer can trick
07:28
the target into revealing their information or
07:31
doing something like
07:33
tricking a help desk person into resetting a password.
07:38
Now, the social engineer or the pen tester might be able to gain access to the environment
07:43
with those credentials.
07:46
So I'm just gonna copy and paste some items into
07:49
the search field here,
07:51
save me the trouble of typing these in.
07:54
In this case, we're looking for Citrix and MetaFrame,
08:00
XP, the text
08:01
in the URL.
08:03
So if I do a search here,
08:07
this is going to show me
08:07
several different
08:11
organizations that are using a Citrix MetaFrame setup for their remote access.
08:18
And what do we get? Over 1000 results.
08:22
And of course, this relies on a very particular version of
08:26
the software that displays this text in the URL.
08:31
If you were security minded, of course, you could reconfigure that
08:35
and obfuscate this information somehow so it wouldn't show up in a search like this.
08:41
But obviously, this is the login portal that these members of these organizations use.
08:50
Um,
08:50
some of them appeared to not have any authentication whatsoever. And look at all this great information.
08:56
If you were trying to get into this site,
09:00
you know what web server it's using, you could see what version of OpenSSL, what version of PHP,
09:07
and I'm not going to browse these folders, but they are on the public Internet. So
09:13
there is
09:16
very little expectation of
09:18
privacy when you've got your systems configured in this way.
09:24
So there's plenty of options here. This is just one login portal example. I'll show you another one.
09:31
This one looks,
09:33
uh, perhaps if you were targeting
09:37
an organization that was related to education, like a university or something of that nature,
09:43
What we're going to do in this case is specify a site,
09:46
uh,
09:48
a .edu or .org site. Notice that we can use the pipe character here
09:54
as an OR
09:56
replacement.
09:58
For those of you who are more familiar with regular expressions and computer coding in general,
10:03
the pipe is a little bit easier to deal with
10:05
than typing the word OR. It's visually easier as well.
10:11
You're actually just looking at the code.
10:15
So we're looking for the site. We're going to add to that, we're gonna concatenate.
10:18
That's what the plus sign is going to do here.
10:22
We're also gonna look for a URL
10:24
that has the exact phrase
10:28
faculty login .asp
10:30
or
10:31
.php.
10:33
And since that's encased in double quotes,
10:35
it will be evaluated as one piece, and then the OR in the middle will swap out the
10:43
alternate extension
10:48
so we can see that we found some.
10:52
It's like a health care institute,
10:54
uh,
10:54
some other organizations.
11:00
So some kind of faculty login.
11:01
And this relies on the fact that this faculty login .asp is a well-known component of certain,
11:09
um,
11:11
website configurations, if you will.
11:18
So in order for these searches to truly be useful, you would have to narrow things down to the target organization. Right? For the site,
11:26
you would have
11:28
targetcompany.edu or targetcompany.org,
11:31
in order to
11:33
make this
11:35
more specific. I'm just showing the broad appeal of using certain searches
11:41
for information gathering.
11:46
The steps to, ah,
11:48
take after you have identified an administrative portal, we'll cover some of those in the advanced social engineering course. We'll do
11:54
some more demos of penetration of systems,
11:58
and that will give the practitioner a little bit better idea of how these tools could be utilized more fully.
12:07
Okay, so let's go back
12:09
and think about some other things. If you were,
12:13
for instance, searching
12:16
for more information about your target,
12:18
you might have some information that says, okay, this person,
12:24
um,
12:26
appears to be using an iPhone. Let's say you've had some physical contact.
12:31
You might be able to
12:33
do some searches related to
12:37
the use of the iPhone, or people that are taking pictures with it, maybe uploading things to iCloud.
12:43
There's lots of different angles you could approach this target from,
12:48
and this particular search,
12:50
this is looking for an index,
12:54
so we use intitle. So the title of the page itself: index of.
13:01
And then there's text within the page.
13:03
We're looking for iCloud photos
13:05
or my photo stream
13:11
or camera roll.
13:13
And these three terms here are typical for a lot of
13:18
devices that you hook to your computer. When you automatically
13:22
load photos from your phone or load photos from a camera onto your laptop, for instance, you might get one of these text
13:30
items created as the default folder.
13:35
So we run this query.
13:37
This does exactly what you would expect it to do. We can see that there are
13:43
pictures
13:43
that people have
13:46
downloaded
13:48
or rather uploaded to some website.
13:52
And of course,
13:54
if you were looking for images that would be useful for the social engineering audit,
14:01
you would have to go through and,
14:03
you know, individually investigate these photos to see if any of them contain anything useful.
14:11
It could be photos of people that are related to the target, people they work with,
14:16
locations where certain activities are happening, maybe pictures taken at work. All these could be useful for the social engineering audit.
14:26
There's another example of a
14:31
search that will help you find photos.
14:39
This is one that looks for DCIM.
14:43
And if I'm not mistaken, I believe that is
14:46
something that gets associated with Canon
14:48
cameras.
14:50
If I'm not mistaken, really, it's Sony, one of the two.
14:54
It could be multiple manufacturers that do this, but
14:58
same idea.
14:58
same idea.
15:00
You're looking at people that have probably dumped their phone pictures
15:07
to a server that they interact with, that they might not be thinking about
15:11
the fact that that information is reachable
15:15
from the public Internet.
15:18
So this is an excellent reason to be very careful about how you
15:24
treat your personal information.
15:26
Because if you're putting it on a server, think, you know, I'm just gonna keep it there and then I can go get it later. You might not realize that that content is searchable and crawlable, and therefore Google can find it.
15:41
So these are some interesting ideas.
15:45
As you can see, there's quite a few choices.
15:48
This kind of overlaps a little bit with some of the search capabilities that we considered
15:54
for
15:56
Shodan.
15:56
I did a Shodan demo,
15:58
and it has some
16:02
very useful searches. You could do a lot of the same things with Google.
16:10
All right, so here's a little bit more information.
16:12
Uh, it could be that
16:15
you want to find some vulnerability information about a website, or maybe try to see if you can get the site to display some debugging information.
16:26
Lots of sources of this.
16:29
You may be wondering where I'm getting all of these ideas and I'll cover that in just a moment.
16:37
So in this case, we've got a
16:38
messaging board, CrazyWWWBoard,
16:42
and there's a file called CrazyWWWBoard.cgi. So we're looking for that in the URL,
16:49
this file here
16:52
and then text in that page asking about detailed debugging information.
17:00
So these are other websites that are using this same software,
17:06
and
17:07
okay, we've got a message about a database not being licensed. Okay, that one's a dead end.
17:17
Looks like a few of them are like that. But you get the idea. We're still digging deeper into
17:22
the environment
17:23
that the target company
17:26
is operating within
17:30
to see if there's more information about their systems about their applications
17:33
about their people.
17:37
Some of you may have heard of the Retina scanner. This is a vulnerability scanner that's very useful.
17:45
So in this case, we're gonna look for
17:48
a title page called Retina Report
17:52
and then confidential information, as as being in the title as well.
17:59
So let's see what we can find here.
18:03
looks like a
18:04
We got a good match at the top.
18:07
So this is an actual audit report
18:11
done back in 2013
18:15
and this shows quite a bit of information about the network
18:21
IP ranges, number of hosts that were scanned,
18:25
the name of the file that we're actually looking at,
18:30
and then it gives us details
18:33
about vulnerabilities, even with I p addresses.
18:37
So this is typical, that you want to produce this kind of information if you're doing security scanning within your environment. What's not typical, however,
18:45
is allowing this information to be visible
18:48
on the public Internet.
18:53
So we've even got names of the vulnerabilities and so on. This is
18:57
if you were targeting an organization, you were able to find this kind of information. You can see how tremendously useful that would be.
19:08
Well, let me get off that page. Okay?
19:14
All right. So
19:15
some of the other things to think about for Google hacking if you really want to
19:21
to dig in and learn more and figure out how to
19:26
do some interesting things, like I mentioned,
19:29
being able to get the code from a web page through Google instead of actually hitting the website directly.
19:36
That's certainly a
19:37
very important objective if you were trying to remain stealthy.
19:44
But the
19:45
Exploit Database,
19:48
exploit-db.com. This is where you want to spend some time.
19:52
It's waiting for the page to load. We can see they've got 34,000
19:57
exploits already documented,
20:00
and these go back quite a long ways back to, like the
20:07
the late eighties, early nineties, even.
20:10
And so if we scroll down, we can see that there's some exploits by category: remote access,
20:15
web applications,
20:18
privilege escalations,
20:22
denial of service,
20:26
shell code. And they have also have a nice selection of security papers.
20:30
So these could be really useful to build up your knowledge,
20:34
but in particular
20:36
what I wanted to, ah, look at, when there are the different sections for exploits.
20:41
But the Google Hacking database
20:45
is where I found all the examples that I've that I've shown you today.
20:51
These are ranked
20:52
by date. We can see we've got some that have just come out,
20:59
and we can search by categories,
21:02
so
21:03
you might be looking for files that contain user names. You could also put a search
21:08
item here or just hit search by itself and you'll get just the category.
21:21
As we can see, there are quite a few examples
21:25
root, etc passwd,
21:26
intext for home.
21:36
If you select one of the items, that basically gives you the text in a nice large format; you can copy and paste it.
21:45
There's also this item, this term called Google Dork,
21:48
and what this means is it's a pre-formatted search string, like you see here, and it's
21:55
it's basically trying to
21:57
identify
22:00
people that have or systems that have too much information being available to the public Internet.
22:07
I believe Johnny Long was the one who
22:10
created that.
22:11
If you do too many searches, Google may force you to
22:18
authenticate yourself to make sure that you're not a bot,
22:21
so you might have to do some reCAPTCHA information here.
22:26
Oh, that actually didn't work,
22:30
after all that trouble,
22:34
but you get the idea. So there are lots of choices just for files that contain user names.
22:42
Other things that are interesting
22:45
files containing juicy info files with passwords
22:51
sensitive shopping online info
22:53
again. If you have a lot of details about your target,
22:59
the websites they use, the website that they might have as part of their organization.
23:06
These different areas of searching can produce little bits of data that you can aggregate together to help achieve the pen testing goal,
23:17
Social engineering pen testing goal.
23:19
But there's one referencing well-known,
23:23
uh,
23:26
shopping cart software. This one's kind of interesting.
23:30
You can search ups.com, trying to find an exact match for a
23:36
package tracking number.
23:41
The idea here would be that you might be able to,
23:45
uh,
23:45
find that information,
23:48
get it displayed,
23:49
and then craft an email with different information that gets sent to the target
23:56
for whatever purposes. It could be that
23:59
the package needs to be intercepted or
24:03
some other
24:04
type of, ah,
24:06
activity related to the pen test.
24:11
It was pretty useful,
24:14
and I recommend spending time,
24:17
um,
24:18
reading some of the papers on this website as well
24:27
as you can see there's 1100 papers, and this gives you
24:33
good information
24:34
that you can use to further your knowledge and grow your skill set.
24:40
And so people just put this work together
24:42
for the benefit of the pen testing community.
24:45
Obviously, it's for the benefit of the hacking community as well, but
24:49
we're talking about white hat activities here.
24:56
Okay, so I hope you've enjoyed this introduction to Google hacking.
25:02
I know it's a lot of information to take in all at once. But I think if you start to practice these techniques
25:07
get on a website such as Exploit-DB.
25:11
There's plenty of other sites where you can find similar information, but this happens to be my favorite,
25:17
and you'll be well on your way to gathering information for your next social engineering audit.
25:22
I hope you enjoyed the video. See you next time. Thank you.

Up Next

Social Engineering and Manipulation

In this online, self-paced Social Engineering and Manipulation training class, you will learn how some of the most elegant social engineering attacks take place. Learn to perform these scenarios and what is done during each step of the attack.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor