2. @Chapman
Hi, I’m Stephen!
• Search engine geek
• Founder of SecuriSearch
• Freelance writer
• Musician, gamer, Redditor, and digital DIY guy
• Always looking to meet new people and network, so come and say “hello!”
• 2600 reader since 1998
http://securisearch.cstephen@securisearch.
12. @Chapman
How is this even possible?
The ever-increasing power and number of Web crawlers
+
careless and/or clueless admins
+
end-user ignorance or stupidity
=
a serious problem.
13. @Chapman
Web crawlers and their power
• Google, Bing, Yandex, Baidu, and countless niche search engines (FTP, document, etc.)
• Custom Web crawlers, like 80legs.com
• Not just indexing data, but also identifying and understanding data within data
• The more connected everything becomes, the more there will be to find and index
• Search engine companies don’t care about what they index, so long as they’re able to index
20. @Chapman
A quick primer
• intitle: (Looks in the title of a page)
• inurl: (Looks in the URL of a page)
• intext: (Looks in the text of a page)
• filetype: or ext: (Searches by file type)
• site: (Limits results to a specified site)
• OR or | (Searches for multiple terms separately)
• “” or . (Forms a specific search phrase)
• * (Wildcard)
• - (Negates specified terms)
• () (Groups multiple terms together)
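As an added illustration of how the primer's operators combine (this is not from the original deck), the following evaluates a query written in that syntax against a small, constructed inventory of a site's own pages, which is one way to check what a given query would surface from your own content before a crawler indexes it. The host names, page records and the Query/search helpers are assumptions made for this example; the operator semantics follow the primer list above.

```python
import re
from urllib.parse import urlparse

# Constructed sample inventory (hypothetical hosts): what a crawler would record for each page.
PAGES = [
    {"url": "http://example.test/backup/db.sql", "title": "Index of /backup", "text": "-- MySQL dump"},
    {"url": "http://example.test/docs/report.pdf", "title": "Annual report", "text": "quarterly figures"},
    {"url": "http://other.test/old/db.sql", "title": "Index of /old", "text": "-- MySQL dump"},
]

# Tokens: "(" ")" "|" or an [operator:]value (quoted phrase or bare word); a leading "-" negates.
TOKEN = re.compile(r'-?\(|\)|\||-?(?:[a-z]+:)?(?:"[^"]*"|[^\s()"|]+)')
def matches(term, page):
    """Evaluate one term such as intitle:index, filetype:sql or site:x against a page."""
    op, value = re.fullmatch(r'(?:([a-z]+):)?"?([^"]*)"?', term).groups()
    pat = re.compile(re.escape(value).replace(r"\*", ".*"), re.I)  # '*' is the only wildcard
    host, path = urlparse(page["url"]).hostname or "", urlparse(page["url"]).path.lower()
    if op in ("filetype", "ext"):
        return path.endswith("." + value.lower())
    if op == "site":
        return host == value.lower() or host.endswith("." + value.lower())
    fields = {"intitle": [page["title"]], "inurl": [page["url"]], "intext": [page["text"]]}
    return any(pat.search(f) for f in fields.get(op, [page["title"], page["url"], page["text"]]))

class Query:
    # Recursive descent: or-expr := and-expr (OR and-expr)*   and-expr := term+   term := -?(group|atom)
    def __init__(self, q):
        self.toks, self.i = TOKEN.findall(q), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def parse_or(self, page):
        result = self.parse_and(page)
        while self.peek() in ("OR", "|"):  # OR and | bind loosest
            self.i += 1
            result |= self.parse_and(page)
        return result
    def parse_and(self, page):
        result = True
        while self.peek() not in (None, ")", "OR", "|"):  # adjacent terms are ANDed
            result &= self.parse_term(page)
        return result
    def parse_term(self, page):
        tok, self.i = self.toks[self.i], self.i + 1
        neg, tok = tok.startswith("-"), tok.lstrip("-")
        if tok == "(":
            val, self.i = self.parse_or(page), self.i + 1  # evaluate the group, then skip ")"
        else:
            val = matches(tok, page)
        return not val if neg else val
def search(q, pages=PAGES):
    return [p["url"] for p in pages if Query(q).parse_or(p)]
```

Running `search('(filetype:pdf OR filetype:sql) site:example.test')` over the constructed inventory returns the two example.test files, while `intitle:"index of" -site:example.test` returns only the other.test listing.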
21. @Chapman
Throw the kitchen sink at it
• Don’t give up if a search query yields no results, or unintended results
• Start thinking in terms of things that don’t make sense, then modify queries accordingly
• Operators can be extremely fickle – especially if used with other operators
• Take time to think queries through, or just do what I do: jump right in and go to town!
22. @Chapman
What do you want to find?
• Private videos and photographs
• Confidential and proprietary information
• Databases (SQL, MDB, plain-text dumps, etc.)
• Back-ups (Email, drives, etc.)
• Virtual machines
• Custom application files (code, scripts, extensions, plug-ins, etc.)
• Usernames and passwords (VPN credentials, bank accounts, email, memberships, etc.)
• Apps, games, pr0n, etc.
• Credit/debit cards/numbers (pictures, scans, text files, etc.)
• Social Security cards/numbers (pictures, scans, text files, etc.)
• Passports, licenses, birth certificates, etc. (pictures and scans)
• Tax and financial documents, bills, etc.
30. @Chapman
Awesome Firefox Add-ons
• Remove Google Redirects: http://goo.gl/Gqyek
• Unlinker: http://unlinker.com/
• Docs Online Viewer: http://goo.gl/rVuHh
• FireFTP: http://fireftp.net/
• Google Image Search: http://goo.gl/uU0mO
31. @Chapman
Just the tip of the iceberg
• Google Diggity: http://goo.gl/F6jGJ
• Google Hacking for Pen Testers: http://goo.gl/jqAys
• YouTube: Stach and Liu, Johnny Long
• Online documents: http://goo.gl/c7Ef2
• /r/opendirectories: http://goo.gl/B2YL8
• Bing Query Language: http://goo.gl/TyO2T
• Other search engines: Bing, Shodan, Docstoc, Pastebin, etc.
• GHDB: http://goo.gl/0mTLb