This is Dean Pompilio.
And in this demo, we're going to be looking at some Google hacking techniques.
This is just going to be an introduction to some of the things you can do. There's
an entire universe of information out there about how to use Google
to assist in
doing very targeted searches for certain kinds of information.
Other search engines can work as well. For instance, you could use something like StartPage, because it'll act as a proxy to Google.
And that's actually a better choice in a lot of ways, because it's an SSL
search engine and it's not tracking your
Anyway, we'll start off by going to support.google.com.
You could find other references for the search operators, but this is a good one.
This is an official Google reference, at least,
and so let's review some of these, because they are important when you're using the engine and you want to do it efficiently.
could be used to search Google Plus.
The at sign could be used to find
someone's Twitter handle, or
other instances of the at symbol.
Also the dollar sign, and the pound sign
for finding hashtags.
So those might be useful if your social engineering effort is trying to identify
social media logins or IDs that the target is using.
Another really useful item is the dash.
This basically removes or negates
that item from your search. So we see in the example,
trying to find results for Jaguar that relate to the car and not the animal.
Or rather the animal, not the car: you could remove references that describe a Jaguar car, hopefully filtering those out so you can see the ones that relate to the animal.
Double quotes: this is pretty self-explanatory, for when you want to search for exactly this text.
If you don't use double quotes, then you may get a bunch of other partial matches, which of course will
increase the number of results you have to filter through in order to find something useful.
The asterisk is a wildcard.
And then, lastly, the double dots, which can be used for
finding numeric ranges.
So in this case it's showing
ranges for a price, or it could be documents that have certain numbered ranges. So those are both useful instances.
All right, Now the main search operators,
We start with site:.
So in this case, you're specifying the exact website that you want to search. In this case, nbc.com is being searched for the word Olympics.
It's pretty straightforward.
You can also look for links to a certain website.
So these are links that exist on other websites
that contain a link to youtube.com, in this case.
The related: operator is also very useful.
If you were searching for or
investigating a target
website, you might want to try some different related: searches
to see what else comes up.
Some of the other tools that were demonstrated for this course also
use a similar technique, doing things like looking for your IP neighbor
and so on. But related: can show you things that
you might not have expected to have a relationship to the main site that you're looking for or investigating. So these are potentially useful.
You can use the logical OR,
for obvious reasons: you want to
search for this or that or that.
Then we have the info: operator.
This will help you find cached versions of web pages, which could be useful.
You can effectively get
the cached page from Google
without having to actually touch the target website.
So that's an interesting technique,
to be able to look at a web page without having your traffic recorded at the target's system.
And then you can specify exactly the cache: that you want to refer to,
looking for a particular website to see if
you can retrieve the last cached version of that page.
Okay, so that's the basic overview. A couple of other things to point out:
you can go to the advanced search page,
and this will, for those of you who are just beginning to use these operators and maybe don't feel like
typing them all in, let you go to the advanced search page
and be able to do everything on a form such as this.
This makes it real easy, because you can see all of your options in front of you
and you don't have to remember
the names of all the search operators.
My advice would be to try to learn the search operators, however,
since this is much faster,
and it's going to be more useful if you want to
run some scripts to automate
certain aspects of your research.
That's typically what
you'd want to do.
There's a couple of examples that I'd like to share
that are pretty interesting.
Assuming that you have a social engineering target,
it could be an organization, could be an individual.
But let's say it's an organization, and
you're trying to figure out if there are possibilities
for identifying something like a login portal.
This is a good choice, right? Because
if you can find a login portal for the organization,
the social engineer, as part of the pen test, might be able to gain access to that environment,
perhaps with stolen credentials, sniffed credentials. They might be able to do it also with
social engineering techniques directly,
if the engineer can trick
the target into revealing their information, or
doing something like
tricking a help desk person into resetting a password.
Now the social engineer or the pen tester might be able to gain access to the environment
with those credentials.
So I'm just going to copy and paste some items into
the search field here,
to save me the trouble of typing these in.
In this case, we're looking for Citrix and MetaFrame.
So if I do a search here,
this is going to show me
organizations that are using a Citrix MetaFrame setup for their remote access.
And what do we get? Over 1000 results.
And of course, this relies on a very particular version
of the software that displays this text in the URL.
If you were security minded, of course, you could reconfigure that
and obfuscate this information somehow so it wouldn't show up in a search like this.
But obviously, this is the login portal that the members of these organizations use.
Some of them appeared to not have any authentication whatsoever. And look at all this great information.
If you were trying to get into this site,
you know what web server it's using; you could see what version of OpenSSL, what version of PHP.
I'm not going to browse these folders, but they are on the public Internet. So
very little expectation of
privacy when you've got your systems configured in this way.
So there's plenty of options here. This is just one login portal example. I'll show you another one.
Perhaps if you were targeting
an organization that was related to education, like a university or something of that nature.
What we're going to do in this case is specify a site,
a .edu or .org site. Notice that we can use the pipe character here.
To those of you who are more familiar with regular expressions and computer coding in general,
the pipe is a little bit easier to deal with
than typing the word OR. It's visually easier as well,
if you're actually just looking at the code.
So we're looking for the site; we're going to add to that, we're going to concatenate.
That's what the plus sign is going to do here.
We're also going to look for a URL
that has the exact phrase
facultylogin.asp.
And since that's encased in double quotes,
it will be evaluated as one piece, and then the OR in the middle will swap out the
So we can see that we found some.
It's like a health care institute,
some other organizations.
So some kind of faculty login.
And this relies on the fact that this facultylogin.asp is a well known component of certain
website configurations, if you will.
So in order for these searches to truly be useful, you would have to narrow things down to the target organization. Right? For the site,
targetcompany.edu or targetcompany.org.
It's more specific. I'm just showing the broad appeal of using certain searches
for information gathering.
The steps to take after you have identified an administrative portal, we'll cover some of those in the advanced social engineering course. We'll do
some more demos of penetration of systems,
and that will give the practitioner a little bit better idea of how these tools could be utilized more fully.
Okay, so let's go back
and think about some other things. If you were,
for instance, searching
for more information about your target,
you might have some information that says, okay, this person
appears to be using an iPhone. Let's say you've had some physical contact.
You might be able to
do some searches related to
the use of the iPhone, or people that are taking pictures with it, maybe uploading things to iCloud.
There's lots of different angles you could approach this target from,
and this particular search,
this is looking for an index,
so we use intitle:. So the title of the page itself: index of.
And then there's text within the page.
We're looking for iCloud photos.
And these three terms here are typical for a lot of
devices that you hook to your computer. When you automatically
load photos from your phone, or load photos from a camera onto your laptop, for instance, you might get one of these text
items created as the default folder.
So we run this query.
This does exactly what you would expect it to do. We can see that there are
or rather uploaded to some website.
If you were looking for images that would be useful for the social engineering audit,
you would have to go through and,
you know, individually investigate these photos to see if any of them contain anything useful.
It could be photos of people that are related to the target, people they work with,
locations where certain activities are happening, maybe pictures taken at work. All these could be useful for the social engineering audit.
There's another example of a
search that will help you find photos.
This is one that looks for DCIM.
And if I'm not mistaken, I believe that is
something that gets associated with Canon,
if I'm not mistaken, really. It's Sony, is one of the two.
It could be multiple manufacturers that do this, but
you're looking at people that have probably dumped their phone pictures
to a server that they interact with, and they might not be thinking about
the fact that that information is reachable
from the public Internet.
So this is an excellent reason to be very careful about how you
treat your personal information.
Because if you're putting it on a server, thinking, you know, I'm just going to keep it there and then I can go get it later, you might not realize that that content is searchable and crawlable, and therefore Google can find it.
So these are some interesting ideas.
As you can see, there's quite a few choices.
This kind of overlaps a little bit with some of the search capabilities that we considered when
I did a Shodan demo,
very useful searches. You could do a lot of the same things with Google.
All right, so a little bit more information.
It could be that
you want to find some vulnerability information about a website, or maybe try to see if you can get the site to display some debugging information.
Lots of sources of this.
You may be wondering where I'm getting all of these ideas, and I'll cover that in just a moment.
In this case, we've got a
message board, CrazyWWWBoard,
and there's a file called CrazyWWWBoard.cgi. So we're looking for that in the URL,
and then text in that page asking about detailed debugging information.
So these are other websites that are using this same software.
Okay, we've got a message about a database not being licensed. Okay, that one's a dead end.
Looks like a few of them are like that. But you get the idea. We're still digging deeper into
the target company
to see if there's more information about their systems, about their applications.
Some of you may have heard of the Retina scanner. This is a vulnerability scanner that's very useful.
So in this case, we're going to look for
a page title of Retina Report,
and then confidential information as being in the title as well.
So let's see what we can find here.
We got a good match at the top.
So this is an actual audit report,
and this shows quite a bit of information about the network:
IP ranges, number of hosts that were scanned,
the name of the file that we're actually looking at,
and then it gives us details
about vulnerabilities, even with IP addresses.
So this is typical: you want to produce this kind of information if you're doing security scanning within your environment. What's not typical, however,
is allowing this information to be visible
on the public Internet.
So we've even got names of the vulnerabilities and so on.
If you were targeting an organization and you were able to find this kind of information, you can see how tremendously useful that would be.
Well, let me get off that page. Okay?
Some of the other things to think about for Google hacking, if you really want to
dig in and learn more and figure out how to
do some interesting things, like I mentioned,
being able to get the code from a web page through Google instead of actually hitting the website directly,
a very important objective if you were trying to remain stealthy:
the Exploit Database,
exploit-db.com. This is where you want to spend some time.
It's waiting for the page to load. We can see they've got 34,000
exploits already documented,
and these go back quite a long way, back to, like, the
late eighties, early nineties even.
And so if we scroll down, we can see that there's some exploits by category: remote access,
shellcode. And they also have a nice selection of security papers.
So these could be really useful to build up your knowledge.
What I wanted to look at, when there are the different sections for exploits,
but the Google Hacking Database
is where I found all the examples that I've shown you today.
By date, we can see we've got some that have just come out,
and we can search by categories.
You might be looking for files that contain usernames. You could also put a search
item here, or just hit search by itself and you'll get just the category.
As we can see, there are quite a few examples.
If you select one of the items, it basically gives you the text in a nice large format, so you can copy and paste it.
There's also this item, this term called Google Dork,
and what this means is it's a pre-formatted search string like you see here, and it's
basically trying to find
people that have, or systems that have, too much information being available to the public Internet.
I believe Johnny Long was the one who
If you do too many searches, Google may force you to
authenticate yourself to make sure that you're not a bot,
so you might have to do some reCAPTCHA information here.
Oh, that actually didn't work
after all that trouble,
but you get the idea. So there are lots of choices just for files that contain usernames.
Other things that are interesting:
files containing juicy info, files with passwords,
sensitive online shopping info.
Again, if you have a lot of details about your target,
the websites they use, the website that they might have as part of their organization,
these different areas of searching can produce little bits of data that you can aggregate together to help achieve the pen testing goal,
the social engineering pen testing goal.
But there's one referencing well known
shopping cart software. This one's kind of interesting.
You can search ups.com trying to find an exact match for a
package tracking number.
The idea here would be that you might be able to
find that information,
and then craft an email with different information that gets sent to the target
for whatever purposes. It could be that
the package needs to be intercepted, or
of activity related to the pen test.
It was pretty useful,
and I recommend spending time
reading some of the papers on this website as well.
As you can see there's 1100 papers, and this gives you
that you can use to further your knowledge and grow your skill set.
And so people just put this work together
for the benefit of the pen testing community.
Obviously, it's for the benefit of the hacking community as well, but
we're talking about white hat activities here.
Okay, so I hope you've enjoyed this introduction to Google hacking.
I know it's a lot of information to take in all at once. But I think if you start to practice these techniques,
get on a website such as exploit-db.
There's plenty of other sites where you can find similar information, but this happens to be my favorite,
and you'll be well on your way to gathering information for your next social engineering audit.
I hope you enjoyed the video. See you next time. Thank you.
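The talk recommends learning the operators so they can be scripted, and it stresses narrowing GHDB-style dorks to the target organization's own domains. The following is an added example written for this page, not code from the talk, the course or the Google Hacking Database. It composes the operators reviewed above (site:, the pipe as OR, exact phrases in double quotes, the dash for exclusion, intitle:, inurl:, intext:) into a query string, rescopes a broad dork to a set of target domains, and keeps only search hits whose host actually belongs to those domains. The domain targetcompany.edu, the sample result URLs and the spelling of the faculty login page as a single token facultylogin.asp are assumptions; the queries themselves are only built, never sent to Google.

```python
"""Compose Google search operators into scoped dorks and keep only in-scope hits.

Added example, not code from the talk. The operators are the ones the talk
reviews (site:, inurl:, intitle:, intext:, "exact phrase", -exclude and the
pipe for OR); the target domains and sample URLs are hypothetical.
"""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit


def _operand(value: str) -> str:
    """Quote an operand that contains whitespace so Google treats it as one piece."""
    value = value.strip()
    if value.startswith('"') and value.endswith('"'):
        return value                     # caller already quoted it
    return f'"{value}"' if any(c.isspace() for c in value) else value


@dataclass
class Dork:
    """One search string built from the operators shown in the talk."""
    sites: List[str] = field(default_factory=list)    # site:a | site:b
    terms: List[str] = field(default_factory=list)    # bare keywords
    phrases: List[str] = field(default_factory=list)  # "exact phrase"
    intitle: Optional[str] = None
    inurl: Optional[str] = None
    intext: Optional[str] = None
    exclude: List[str] = field(default_factory=list)  # -word

    def build(self) -> str:
        parts: List[str] = []
        if self.sites:
            sites = " | ".join(f"site:{s}" for s in self.sites)
            # Group the OR'd sites so the remaining operators apply to all of them.
            parts.append(f"({sites})" if len(self.sites) > 1 else sites)
        parts.extend(self.terms)
        parts.extend(f'"{p}"' for p in self.phrases)
        for op, val in (("intitle", self.intitle), ("inurl", self.inurl), ("intext", self.intext)):
            if val:
                parts.append(f"{op}:{_operand(val)}")
        parts.extend(f"-{x}" for x in self.exclude)
        return " ".join(parts)


def scoped(dork: Dork, domains: List[str]) -> Dork:
    """Narrow a broad GHDB-style dork to the target's domains, as the talk advises."""
    return Dork(sites=list(domains), terms=list(dork.terms), phrases=list(dork.phrases),
                intitle=dork.intitle, inurl=dork.inurl, intext=dork.intext,
                exclude=list(dork.exclude))


def in_scope(url: str, domains: List[str]) -> bool:
    """True if the URL's host is one of the domains or a subdomain of one.

    Matches on a label boundary, so nottargetcompany.edu does not pass for
    targetcompany.edu and targetcompany.edu.example.net is rejected. A URL
    without a scheme has no parsable host and is treated as out of scope.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return False
    for d in domains:
        d = d.lower().strip(".")
        if host == d or host.endswith("." + d):
            return True
    return False


def filter_results(urls: List[str], domains: List[str]) -> List[str]:
    """Drop search hits that fall outside the engagement's scope."""
    return [u for u in urls if in_scope(u, domains)]


if __name__ == "__main__":
    # Broad dorks in the shape the talk shows, then one rescoped to a hypothetical target.
    faculty = Dork(sites=[".edu", ".org"], inurl='"facultylogin.asp"')
    photos = Dork(intitle="index of", intext="iCloud Photos")
    print(faculty.build())
    print(scoped(photos, ["targetcompany.edu"]).build())
    # Constructed result URLs: only the first two belong to the target.
    hits = ["https://portal.targetcompany.edu/Citrix/MetaFrame/",
            "http://www.targetcompany.edu/photos/DCIM/",
            "https://nottargetcompany.edu/DCIM/",
            "https://targetcompany.edu.example.net/"]
    print(filter_results(hits, ["targetcompany.edu"]))
```

The scope filter is the part worth keeping even if you never script the searches: a GHDB dork returns every site on the Internet with the exposure, and only the hits on domains written into the engagement's rules are yours to follow up.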