SlideShare a Scribd company logo

google dork.pdf

ā€¢
ā€¢
M
Mahesh Pradhan

A Google dork query, sometimes just referred to as a dork, is a search string that uses advanced search operators to find information that is not readily available on a website. Google dorking, also known as Google hacking, can return information that is difficult to locate through simple search queries.

Education
1 of 170
Download to read offline
Google Hacking for Penetration Testers Using Google as a Security Testing Tool Johnny Long johnny@ihackstuff.com
What weā€™re doing ā€¢ I hate pimpinā€™, but weā€™re covering many techniques covered in the ā€œGoogle Hackingā€ book. ā€¢ For much more detail, I encourage you to check out ā€œGoogle Hacking for Penetration Testersā€ by Syngress Publishing.
Advanced Operators Before we can walk, we must run. In Googleā€™s terms this means understanding advanced operators.
Advanced Operators ā€¢ Google advanced operators help refine searches. ā€¢ They are included as part of a standard Google query. ā€¢ Advanced operators use a syntax such as the following: operator:search_term ā€¢ Thereā€™s no space between the operator, the colon, and the search term!
Does search work in Operator Purpose Mixes with other operators? Can be used alone? Web Images Groups News intitle Search page title yes yes yes yes yes yes allintitle Search page title no yes yes yes yes yes inurl Search URL yes yes yes yes not really like intitle allinurl Search URL no yes yes yes yes like intitle filetype Search specific files yes no yes yes no not really allintext Search text of page only not really yes yes yes yes yes site Search specific site yes yes yes yes no not really link Search for links to pages no yes yes no no not really inanchor Search link anchor text yes yes yes yes not really yes numrange Locate number yes yes yes no no not really daterange Search in date range yes no yes not really not really not really author Group author search yes yes no no yes not really group Group name search not really yes no no yes not really insubject Group subject search yes yes like intitle like intitle yes like intitle msgid Group msgid search no yes not really not really yes not really Some operators can only be used to search specific areas of Google, as these columns show. In other cases, mixing should be avoided. Advanced operators can be combined in some cases. Advanced Operators at a Glance
Crash course in advanced operators Some operators search overlapping areas. Consider site, inurl and filetype. SITE: Site can not search port. INURL: Inurl can search the whole URL, including port and filetype. FILETYPE: Filetype can only search file extension, which may be hard to distinguish in long URLs.
numrange:99999-100000 intext:navigate intitle:ā€I hack stuffā€ filetype:php Advanced Google Searching There are many ways to find the same page. These individual queries could all help find the same page.
Advanced Google Searching Put those individual queries together into one monster query and you only get that one specific result. Adding advanced operators reduces the number of results adding focus to the search.
Google Hacking Basics INURL:orders INURL:admin FILETYPE:php Putting operators together in intelligent ways can cause a seemingly innocuous queryā€¦
Google Hacking Basics Customer names Order Amounts Payment details! ā€¦can return devastating results!
Google Hacking Basics Letā€™s take a look at some basic techniques: Anonymous Googling Special Characters
Anonymous Googling The cache link is a great way to grab content after itā€™s deleted from the site. The question is, where exactly does that content come from?
Anonymous Googling ā€¢ Some folks use the cache link as an anonymizer, thinking the content comes from Google. Letā€™s take a closer look. This line from the cached pageā€™s header gives a clue as to whatā€™s going onā€¦
Anonymous Googling 21:39:24.648422 IP 192.168.2.32.51670 > 64.233.167.104.80 21:39:24.719067 IP 64.233.167.104.80 > 192.168.2.32.51670 21:39:24.720351 IP 64.233.167.104.80 > 192.168.2.32.51670 21:39:24.731503 IP 192.168.2.32.51670 > 64.233.167.104.80 21:39:24.897987 IP 192.168.2.32.51672 > 82.165.25.125.80 21:39:24.902401 IP 192.168.2.32.51671 > 82.165.25.125.80 21:39:24.922716 IP 192.168.2.32.51673 > 82.165.25.125.80 21:39:24.927402 IP 192.168.2.32.51674 > 82.165.25.125.80 21:39:25.017288 IP 82.165.25.125.80 > 192.168.2.32.51672 21:39:25.019111 IP 82.165.25.125.80 > 192.168.2.32.51672 21:39:25.019228 IP 192.168.2.32.51672 > 82.165.25.125.80 21:39:25.023371 IP 82.165.25.125.80 > 192.168.2.32.51671 21:39:25.025388 IP 82.165.25.125.80 > 192.168.2.32.51671 21:39:25.025736 IP 192.168.2.32.51671 > 82.165.25.125.80 21:39:25.043418 IP 82.165.25.125.80 > 192.168.2.32.51673 21:39:25.045573 IP 82.165.25.125.80 > 192.168.2.32.51673 21:39:25.045707 IP 192.168.2.32.51673 > 82.165.25.125.80 21:39:25.052853 IP 82.165.25.125.80 > 192.168.2.32.51674 This tcpdump output shows our network traffic while loading that cached page. This is Google. This is Phrack. We touched Phrackā€™s web server. Weā€™re not anonymous.
Anonymous Googling ā€¢ Obviously we touched the site, but why? ā€¢ Hereā€™s more detailed tcpdump output: 0x0040 0d6c 4745 5420 2f67 7266 782f 3831 736d .lGET./grfx/81sm 0x0050 626c 7565 2e6a 7067 2048 5454 502f 312e blue.jpg.HTTP/1. 0x0060 310d 0a48 6f73 743a 2077 7777 2e70 6872 1..Host:.www.phr 0x0070 6163 6b2e 6f72 670d 0a43 6f6e 6e65 6374 ack.org..Connect 0x0080 696f 6e3a 206b 6565 702d 616c 6976 650d ion:.keep-alive. 0x0090 0a52 6566 6572 6572 3a20 6874 7470 3a2f .Referer:.http:/ 0x00a0 2f36 342e 3233 332e 3136 312e 3130 342f /64.233.161.104/ 0x00b0 7365 6172 6368 3f71 3d63 6163 6865 3a4c search?q=cache:L 0x00c0 4251 5a49 7253 6b4d 6755 4a3a 7777 772e BQZIrSkMgUJ:www. 0x00d0 7068 7261 636b 2e6f 7267 2f2b 2b73 6974 phrack.org/++sit 0x00e0 653a 7777 772e 7068 7261 636b 2e6f 7267 e:www.phrack.org 0x00f0 2b70 6872 6163 6b26 686c 3d65 6e0d 0a55 +phrack&hl=en..U An image loaded!
Anonymous Googling This line spells it out. Letā€™s click this link and sniff the connection againā€¦.
Anonymous Googling 23:46:53.996067 IP 192.168.2.32.52912 > 64.233.167.104.80 23:46:54.025277 IP 64.233.167.104.80 > 192.168.2.32.52912 23:46:54.025345 IP 192.168.2.32.52912 > 64.233.167.104.80 23:46:54.025465 IP 192.168.2.32.52912 > 64.233.167.104.80 23:46:54.094007 IP 64.233.167.104.80 > 192.168.2.32.52912 23:46:54.124930 IP 64.233.167.104.80 > 192.168.2.32.52912 23:46:54.127202 IP 64.233.167.104.80 > 192.168.2.32.52912 23:46:54.128762 IP 64.233.167.104.80 > 192.168.2.32.52912 23:46:54.128836 IP 192.168.2.32.52912 > 64.233.167.104.80 23:47:54.130200 IP 192.168.2.32.52912 > 64.233.167.104.80 23:47:54.154500 IP 64.233.167.104.80 > 192.168.2.32.52912 23:47:54.154596 IP 192.168.2.32.52912 > 64.233.167.104.80 This time, the entire conversation was between us (192.168.2.32) and Google (64.233.167.104)
Anonymous Googling ā€¢ What made the difference? Letā€™s compare the two URLS: ā€¢ Original: http://64.233.187.104/search?q=cache:Z7FntxDMrMIJ:www.phrack.org/hardcover62/+phrack+h ardcover62&hl=en ā€¢ Cached Text Only: http://64.233.187.104/search?q=cache:Z7FntxDMrMIJ:www.phrack.org/hardcover62/+phrack+h ardcover62&hl=en&lr=&strip=1 Adding &strip=1 to the end of the cached URL only shows Googleā€™s text, not the targetā€™s.
Anonymous Googling ā€¢ Anonymous Googling can be helpful, especially if combined with a proxy. Hereā€™s a summary. Perform a Google search. Right-click the cached link and copy the link to the clipboard. Paste the URL to the address bar, add &strip=1, hit return. Youā€™re only touching Google nowā€¦
Special Search Characters ā€¢ Weā€™ll use some special characters in our examples. These characters have special meaning to Google. ā€¢ Always use these characters without surrounding spaces! ā€¢ ( + ) force inclusion of something common ā€¢ ( - ) exclude a search term ā€¢ ( ā€œ ) use quotes around search phrases ā€¢ ( . ) a single-character wildcard ā€¢ ( * ) any word ā€¢ ( | ) boolean ā€˜ORā€™ ā€¢ Parenthesis group queries (ā€œmaster cardā€ | mastercard)
Googleā€™s PHP Blocker: ā€œWeā€™re Sorry..ā€ ā€¢ Google has started blocking queries, most likely as a result of worms that slam Google with ā€˜evil queries.ā€™ This is a query for Inurl:admin.php
Google Hackerā€™s workaround ā€¢ Our original query looks like this: http://www.google.com/search?q=inurl:admin.php&hl=en&lr=&c2coff=1&start=10&sa=N ā€¢ Stripped down, the query looks like this: http://www.google.com/search?q=inurl:admin.php&start=10 ā€¢ We can modify our query (inurl:something.php is bad) by changing the case of the file extension, like so: http://www.google.com/search?q=inurl:admin.PHP&start=10 http://www.google.com/search?q=inurl:admin.pHp&start=10 http://www.google.com/search?q=inurl:admin.PhP&start=10 This works in the web interface as well.
Pre-Assessment There are many things to consider before testing a target, many of which Google can help with. One shining example is the collection of email addresses and usernames.
Trolling for Email Addresses ā€¢ A seemingly simple search uses the @ sign followed by the primary domain name. The ā€œ@ā€ sign doesnā€™t translate wellā€¦ But we can still use the resultsā€¦
Automated Trolling for Email Addresses ā€¢ We could use a lynx to automate the download of the search results: lynx -dump http://www.google.com/search?q=@gmail.com > test.html ā€¢ We could then use regular expressions (like this puppy by Don Ranta) to troll through the results: [a-zA-Z0-9._-]+@(([a-zA-Z0-9_-]{2,99}.)+[a-zA-Z]{2,4})|((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1- 9][0-9]|[1-9]).(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[1-9]).(25[0-5]|2[0-4][0-9]|1[0-9][0- 9]|[1-9][0-9]|[1-9]).(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[1-9])) ā€¢ Run through grep, this regexp would effectively find email addresses (including addresses containing IP numbers)
More Email Automation ā€¢ The ā€˜email minerā€™ PERL script by Roelof Temmingh at sensepost will effectively do the same thing, but via the Google API: This searches the first ten Google resultsā€¦ with only one hit against your API key.
More Email Automation movabletype@gmail.com fakubabe@gmail.com lostmon@gmail.com label@gmail.com charlescapps@gmail.com billgates@gmail.com ymtang@gmail.com tonyedgecombe@gmail.com ryawillifor@gmail.com jruderman@gmail.com itchy@gmail.com gramophone@gmail.com poojara@gmail.com london2012@gmail.com bush04@gmail.com fengfs@gmail.com username@gmail.com madrid2012@gmail.com somelabel@gmail.com bartjcannon@gmail.com fillmybox@gmail.com silverwolfwsc@gmail.com all_in_all@gmail.com mentzer@gmail.com kerry04@gmail.com presidentbush@gmail.com prabhav78@gmail.com Running the tool through 50 results (with a 5 parameter instead of 1) finds even more addresses.
More email address locations These queries locate email addresses in more ā€œinterestingā€ locationsā€¦
More email address locations These queries locate email addresses in more ā€œinterestingā€ locationsā€¦
Network Mapping Google is an indispensable tool for mapping out an Internet-connected network.
Basic Site Crawling ā€¢ the site: operator narrows a search to a particular site, domain or subdomain. site: microsoft.com One powerful query lists every Google result for a web site!
Basic Site Crawling Most often, a site search makes the obvious stuff float to the top. As a security tester, we need to get to the less obvious stuff. www.microsoft.com is way too obviousā€¦
Basic Site Crawling ā€¢ To get rid of the more obvious crap, do a negative search. site: microsoft.com -site:www.microsoft.com Notice that the obvious ā€œwwwā€ is missing, replaced by more interesting domains.
Basic Site Crawling ā€¢ Repeating this process of site reduction, tracking what floats to the top leads to nasty big queries like: site:microsoft.com -site:www.microsoft.com -site:msdn.microsoft.com -site:support.microsoft.com -site:download.microsoft.com -site:office.microsoft.com ā€¦
Basic Site Crawling ā€¢ The results of such a big query reveal more interesting resultsā€¦ Research pageā€¦ HTTPS pageā€¦ Eventually weā€™ll run into a 32 query limit, and this process tends to be tedious.
Intermediate Site Crawling Using lynx to capture the Google results pageā€¦ ..and sed and awk to process the HTMLā€¦ ..returns the same results.
So what? ā€¢ Well, honestly, host and domain enumeration isnā€™t new, but weā€™re doing this without sending any packets to the target weā€™re analyzing. ā€¢ This has several benefits: ā€“ Low profile. The target canā€™t see your activity. ā€“ Results are ā€œrankedā€ by Google. This means that the most public stuff floats to the top. Some more ā€œinteresting stuffā€ trolls near the bottom. ā€“ ā€œHintsā€ for follow-up recon. You arenā€™t just getting hosts and domain names, you get application information just by looking at the snippet returned from Google. One results page can be processed for many types of info.. Email addresses, names, etc.. More on this later onā€¦ ā€“ Since weā€™re getting data from several sources, we can focus on non obvious relationships. This is huge! ā€¢ Some down sides: ā€“ In some cases it may be faster and easier as a good guy to use traditional techniques and tools that connect to the target, but remember- the bad guys can still find and target you via Google!
Advanced Site Crawling ā€¢ Google frowns on automation, unless you use tools written with their API. Know what youā€™re running unless you donā€™t care about their terms of service. ā€¢ We could easily modify our lynx retrieval command to pull more results, but in many cases, more results wonā€™t equal more unique hosts. ā€¢ So, we could also use another technique to locate hostsā€¦ plain old fashion common word queries.
Advanced Site Crawling Searching for multiple common words like ā€œwebā€, ā€œsiteā€, ā€œemailā€, and ā€œaboutā€ along with siteā€¦ appended to a fileā€¦
Advanced Site Crawling Sifting through the ouput from those queries, we find many more interesting hits.
Advanced Site Crawling Roelof Temmingh from sensepost.com coded this technique into a PERL (API- based) script called dns-mine.pl to achieve much more efficient results. Weā€™ll look more at coding laterā€¦
Too much noise, not enough signalā€¦ ā€¢ Getting lists of hosts and (sub)domains is great. It gives you more targets, but thereā€™s another angle. ā€¢ Most systems are only as secure as their weakest link. ā€¢ If a poorly-secured company has a trust relationship with your target, thatā€™s your way in. ā€¢ Question: How can we determine site relationships with Google? ā€¢One Answer: the ā€œlinkā€ operator.
Raw Link Usage link: combined with the name of a site showsā€¦ sites that link to that site. link: has limits though. See mapquest here?
Link has limits ā€¦combining link: with site: doesnā€™t seem to workā€¦
Link has limits Link: gets treated like normal search text (not a search modifier) when combined with other operators.
Link has other limits Knowing that these sites link to www.microsoft.com is great, but how relevant is this information? Do we necessarily care about Google-ranked relationships? How do we get to REAL relationships?
Non-obvious site relationships ā€¢ Sensepost to the rescue again! =) ā€¢ BiLE (the Bi-directional Link Extractor), available from http://www.sensepost.com/garage_portal.html helps us gather together links from Google and piece together these relationships. ā€¢ Thereā€™s much more detail on this process in their whitepaper, but letā€™s cover the basicsā€¦
Non-obvious site relationships ā€¢ A link from a site weighs more than a link to a site ā€“ Anyone can link to a site if they own web space (which is free to all) ā€¢ A link from a site with a lot of links weighs less that a link from a site with a small amount of links ā€“ This means specifically outbound links. ā€“ If a site has few outbound links, is is probably lighter. ā€“ There are obvious exceptions like link farms.
Non-obvious site relationships ā€¢ A link to a site with a lot of links to the site weighs less that a link to a site with a small amount of links to the site. ā€“ If external sources link to a site, it must be important (or more specifically popular) ā€“ This is basically how Google weighs a site. ā€¢ The site that was given as input parameter need not end up with the highest weight ā€“ a good indication that the provided site is not the central site of the organization.ā€ ā€“ If after much research, the site you are investigating doesnā€™t weight the most, youā€™ve probably missed the targetā€™s main site.
Who is Sensepost? Relying on Googleā€™s 6400+ results can be dauntingā€¦ and misleading.
Non-obvious site relationships ā€¢ It seems dizzying to pull all this together, but BiLE does wonders. Letā€™s point it at sensepost.com: This is the extraction phase. BiLE is looking for links to www.sensepost.com (via Google) and writing the results to a file called ā€œoutā€ā€¦
Non-obvious site relationships ā€¢ This is the weigh phase. BiLE takes the output from the extraction phaseā€¦ And weighs the results using the four main criteria of weighing discussed aboveā€¦ aided primarily by Google searches. This shows the strongest relationships to our target site first, which during an assessment equate to secondary targets, especially for information gathering.
The next stepā€¦ Letā€™s say weā€™re looking at NASAā€¦. We could use ā€˜googleturdā€™ searches, like site:nasa to locate typos which may be real sitesā€¦ How can we verifiy these???
Host verificationā€¦ ā€¢ Cleaning the names and running DNS lookups is one wayā€¦ Pay dirt! Now what??? We could further expand on these IP ranges via DNS queries as wellā€¦
Expanding outā€¦ ā€¢ Once armed with a list of sites and domains, we could expand out the list in several ways. DNS queries are helpful, but what else can we do to get more names to try? ā€¢ From whatever source, letā€™s say we get two names from verizon, ā€˜foundationā€™ and investorā€™ā€¦
Google Sets ā€¢ Although this is a simple example, we can throw these two words into Google Setsā€¦.
Expanding ā€¢ Then, we can take all these words and perform DNS host lookups against each of these combinations: ..this leads to a new hit, ā€˜business.verizon.comā€™. Google sets allows you to expand on a list once you run out of options.
Fuzzing ā€¢ Given hosts with numbers and ā€œpredictableā€ names, we could fuzz the numbers, performing DNS lookups on those namesā€¦ ā€¢ Iā€™ll let Roelof at sensepost discuss this topic, howeverā€¦ =)
Limitless mapping possibilitiesā€¦ ā€¢ Once you get rolling with Google mapping, especially automated recursive mapping, youā€™ll be AMAZED at how deep you can dig into the layout of a target.
Port scanning ā€¢ Although crude, there are ways to do basic ā€œportscanningā€ with Google. ā€¢ First, combine inurl searches for a port with the name of a service that commonly listens on that portā€¦ (optionally combined with the site operator)
Inurl -intext scanning ā€¢ Antoher way to go is to use a port number with inurl, combined with a negative intext search for that port number. This search locates servers listening on port 8080.
Third party scanners ā€¢ When all else fails, Google for servers that can do your portscan for you!
Document Grinding and Database Digging Documents and databases contain a wealth of information. Letā€™s look at ways to foster abuse of SQL databases with Google.
SQL Usernames ā€œAccess denied for userā€ ā€œusing passwordā€
SQL Schemas ā€¢ Entire SQL Database dumps ā€œ# Dumping data for tableā€ Adding ā€˜usernameā€™ or ā€˜passwordā€™ to this query makes things really interesting.
SQL injection hints "ORA-00933: SQL command not properly ended" Improper command termination can be abused quite easily by an attacker. "Unclosed quotation mark before the character string"
SQL source ā€¢ Getting lines of SQL source can aid an attacker. intitle:"Error Occurred" "The error occurred in"
Going after SQL passwords filetype:inc intext:mysql_connect Include files with cleartext passwordsā€¦
More SQL Passwords ā€¢ Question: Whatā€™s the SQL syntax that can be used to set a passwords? ā€¢ (TWO WORDS) ā€¢One Answer: ā€œIdentified byā€
More SQL Passwords ā€¢ The slightly more hardcore versionā€¦
Various database detection queries SQL dump detection Database detection
Automation Page Scraping in Perl API querying in Perl
Page Scraping with Perl ā€¢ Thie Perl code, by James Foster, provides a good framework for ā€œpage scrapingā€ Google results. ā€¢ This method relies on manually querying Google, and searching the resultant HTML for the ā€œinteresting stuff.ā€ #!/usr/bin/perl -w use IO::Socket; #Section 2 $query = '/search?hl=en&q=dog'; $server = 'www.google.com'; $port = 80; We will be making socket calls. We need IO::Socket. We hardcode our query (which we can make aparameter later), our Google server and our port number.
Page Scraping with Perl sub socketInit() { $socket = IO::Socket::INET->new( Proto => 'tcp', PeerAddr => $server, PeerPort => $port, Timeout => 10, ); unless($socket) { die("Could not connect to $server:$port"); } $socket->autoflush(1); } Next we have a very generic socket initialization subroutine.
Page Scraping with Perl sub sendQuery($) { my ($myquery) = @_; print $socket ("GET $myquery HTTP/1.0nn"); while ($line = <$socket>) { if ($line =~ /Results.*ofsabout/) { return $line; } } } This subroutine sends the Google query (hardcoded above) and accepts one parameter, the Google query. Google returned HTML is processed, and the line containing ā€œof aboutā€ (our result line) is returned from this routine.
Page Scraping with Perl sub getTotalHits($) { my ($ourline) = @_; $hits=""; $index = index($ourline, "of about"); $str = substr($ourline, $index, 30); @buf=split(//,$str); for ($i = 0; $i < 30; $i++) { if ($buf[$i] =~ /[0-9]/) { $hits=$hits.$buf[$i]; } } return $hits; } This subroutine takes one parameter (the results line from the Sendquery) ā€œof about is locatedā€ā€¦ ā€¦the next 30 characters are grabbedā€¦ ā€¦ all the digits are removedā€¦. ā€¦stored in $hitsā€¦ ā€¦and returned.
Page Scraping with Perl socketInit(); $string = sendQuery($query); $totalhits = getTotalHits($string); #Printing to STDOUT the Total Hits Retrieved from Google print ($totalhits); This piece of code drives all the subroutines. The socket is initializedā€¦ ā€¦the query is sentā€¦ ā€¦the total hits are determinedā€¦ ā€¦and printed out.
CGI Scanning /iisadmpwd/ /iisadmpwd/achg.htr /iisadmpwd/aexp.htr /iisadmpwd/aexp2.htr /iisadmpwd/aexp2b.htr intitle:index.of /iisadmpwd/ intitle:index.of /iisadmpwd/achg.htr intitle:index.of /iisadmpwd/aexp.htr intitle:index.of /iisadmpwd/aexp2.htr intitle:index.of /iisadmpwd/aexp2b.htr inurl:/iisadmpwd/ inurl:/iisadmpwd/achg.htr inurl:/iisadmpwd/aexp.htr inurl:/iisadmpwd/aexp2.htr inurl:/iisadmpwd/aexp2b.htr Another automation example might involve chopping up a CGI scannerā€™s vulnerability fileā€¦ ā€¦ converting the checks into Google queries, sending these queries to a Google scanner.
Web Servers, Login Portals, Network Hardware Network devices can be soooo much fun to Google forā€¦
Web File Browser ā€¢ This program allows directory walking, file uploading, and more.
VNC Servers (with client) ā€¢ VNC (Virtual Network Computing) allows you to control a workstation remotely. The search is very basic These sites launch a VNC Java client so you can connect! Even if password protected, the client reveals the server name and port. Thanks to lester for this one!
Symantec Anti-Virus SMTP Gateways
Axis Print Servers Print server administration, Google-style! Thanks to murfie for this one!
Xenix, Sweex, Orite Web Cams Thanks to server1 for this one! One query, many brands of live cams!
Active WebCam Thanks klouw!
Toshiba Network Cameras intitle:"toshiba network camera - User Login" Found by WarriorClown!
Speedstream DSL Routers ā€¢ Home broadband connectivityā€¦ Googled. Who do you want to disconnect today? Found by m00d!
Belkin Routers ā€¢ Belkin routers have become a household name in connected households. The management interface shouldnā€™t show up on Googleā€¦ but it does. Thanks to darksun for this one!
Printers ā€¢ Trolling printers through Google can be fun, especially when you can see and download what others are printingā€¦ Religionā€¦ And aphrodisiacs? Hrmmmā€¦ Thanks JimmyNeutron!
Firewalls - Smoothwall Uh ohā€¦ this firewall needs updatingā€¦ Thanks Milkman!
Firewalls - IPCop Uh ohā€¦ this one needs updating too! Thanks Jimmy Neutron!
IDS Data: ACID ā€¢ SNORT IDS data delivered graphically, served up fresh ACID ā€by Roman Danyliw" filetype:php
Open Cisco Devices Thanks Jimmy Neutron!
Cisco Switches Thanks Jimmy Neutron!
Wide Open PHP Nuke Sites ā€¢ PHP Nuke allows for the creation of a full-featured web site with little effort. Too lazy to install PHP Nuke? Own someone elseā€™s site instead! Thanks to arrested for this beauty!
Open PHP Nukeā€¦ another wayā€¦ Click here, create superuser!
Security Cameras ā€¢ Although many cameras are multi-purpose, certain brands tend to be used more for security work. Thanks stonersavant!
Security Cameras Not sure what ā€œWoodieā€ is, but Iā€™m not clicking itā€¦. Thanks murfie!
Time-lapse video recorders ā€¢ A staple of any decent security system, these camera control units have gotten high-tech.. And Googlableā€¦ The search is no big dealā€¦ Then thereā€™s the pesky login boxā€¦
Time lapse video recorders ā€¦multiple live security camera viewsā€¦ ā€¦and historical records of recorded video feeds Even doofus hackers know how to use default passwords to getā€¦ Thanks to stonersavant for this beauty!
UPS Monitors Getting personal with Power System monitorsā€¦ Thanks yeseins!
UPS Monitors Oh wait.. Wrong kind of UPSā€¦this is package tracking hackingā€¦ =P Thanks Digital Spirit!
Hacking POWER Systems! ā€¢ Ainā€™t technology grand? This product allows web management of power outlets! Google search locates login page. What does any decent hacker do to a login page?
Hacking Power Systems! Thanks to JimmyNeutron for this beauty! Who do you want to power off today?
Google Phreaking ā€¢ Questionā€¦ Which is easier to hack with a web browser? QuickTimeā„¢ and a TIFF (Uncompressed) decompressor are needed to see this picture. QuickTimeā„¢ and a TIFF (Uncompressed) decompressor are needed to see this picture. B: Vintage 1970ā€™s Rotary Phone A: Sipura SPA 2000 IP Telephone
Sipura SPA IP Telephone How about Googling for the last number your friend dialed? Or the last number that dialed them? Thanks stonersavant!!!
Videoconferencing Who do you want to disconnect today? Thanks yeseins!!!
PBX Systems ā€¢ Web-based management interfaces open the door for a creative Google Hacker. See the ā€œlogoutā€? Weā€™re already logged in! We donā€™t need no steenkin password!
PBX Systems No password required. Even a novice web surfer can become a ā€œPBX hackerā€. =) Thanks to stonersavant for this great find!
Usernames, Passwords and Secret Stuff, oh my! Thereā€™s all sorts of stuff out there that people probably didnā€™t mean to make public. Letā€™s take a look at some examplesā€¦
DCIM Whatā€™s DCIM? Digital camera image dumpsā€¦. Thanks xlockex!
MSN Contact Lists MSN contact lists allow an attacker to get ā€˜personalā€™ Thanks to harry-aac!
Old School! Fingerā€¦ Thanks to Jimmy Neutron! Google Hacking circa 1980!!?!?
Norton AntiVirus Corporate Passwords Encrypted, but yummy (and crackable)! Thanks MILKMAN!
Open SQL servers Already logged in, no hacking required! Thanks Quadster!
ServU FTP Passwords ServU FTP Daemon passwords, super encrypto! =P Thanks to vs1400 for this one!
Netscape History Files Oops.. POP email passwords! Thanks to digital.revolution for this one!
IPSec Final Encryption Keys I only skimmed ā€˜Applied Cryptographyā€™.. But this looks badā€¦ Thanks MILKMAN!
Explorer. EXPLORER!?!?! Thanks JimmyNeutron! What do you want to delete today???
More Explorers?!?! Why hack when you canā€¦ click? =) Thanks MacUK!
More Explorers?!?! Thanks JimmyNeutron! sighā€¦
Sensitive Government Documents ā€¢ Question: Are sensitive, non-public Government documents on the web? ā€¢ Answer: Yes. Once these documents hit the Net, the media has a feeding frenzy, and people start copying and posting the docsā€¦
FOUO Documents Although unclassified, this document was obviously not meant to be posted online.
FOUO Documents FOUO ā€œPrevention Guidesā€, like this 19 page beauty, can give bad guys horrible ideas.
Locked out! ā€¢ Some sites lock down sensitive data.. ā€¢ However, the Google cache image still remains.
Credit card info on the web? ā€¢ How can this happen? Letā€™s take a tour of some of the possibilitiesā€¦
Court Documents ā€¢ Court cases sometimes give TONS of detail about cases, especially fraud.
Court Documents
Court Documents ā€¢ How much detail is too much detail? =)
Court Documents ā€¢ Of course, fraud accounts are closed pretty quickly, no?
A tale of a corn snake ā€¢ Is this for real? Either way itā€™s pretty sad...
Getting shell.. the easy way ā€¢ Now Iā€™ve heard the term ā€˜using your credit card onlineā€™ but this is ridiculous!
Some people just donā€™t get itā€¦.
Getting serialzā€¦ wha-hay!! and MORE! ā€¢ This is a very generous person. Heā€™s willing to give his software serial numbers and his credit card info to the whole world. Generosity like this could change the world.
Police Crime reports ā€¢ Two questions: ā€¢ Are police reports public record? ā€¢ YES. ā€¢ Are they on the web? ā€¢ YES. ā€¢ Many states have begun placing campus police crime reports on the web. Students have a right to know what crimes take place on campus.
Crime shouldnā€™t payā€¦ ā€¢ Iā€™m thinking there should be a process for filtering these reports. ā€¢ A few might fall through the cracksā€¦.
Expense Reports ā€¢ Itā€™s not uncommon for expense reports to be generated. This one is for a county.
Expense Reports ā€¢ Bank account numbersā€¦.
Expense Reports ā€¢ Bank loan informationā€¦ $20,000 + transactions
Expense Reports ā€¢ Oh boyā€¦
Expense Reportsā€¦ ā€¢ Somebody has to pay for all this stuffā€¦.
Expense Reports ā€¢ Thatā€™s one heck of a video seriesā€¦. $300+
Credit cardsā€¦ Google hackerā€™s goldā€¦ ā€¢ The legend of finding credit cards online is trueā€¦ ā€¢ I just get bored sifting through them allā€¦.
Credit card listings
Credit Listings ā€œ ā€
More Credit Cards onlineā€¦
More Credit Cards Online
More Credit Cards Online
More Credit Cards Online
Pick a card any cardā€¦ ā€¦pick a card. We take ā€˜em all!
Credit Validation Question: What keeps someone from using a pilfered credit card number and expiration date to make an online purchase? ā€¢ Answer: That little code on the back of the card. ā€¢ Bonus question: Whatā€™s that code called? ā€¢ Answer: A ā€œCVVā€ code.
Credit Card Numbers, Expiration Date and CVV numbers, oh my!
Thatā€™s not allā€¦. ā€¢ Credit cards are sooo 1990ā€™s =)
Getting more personal ā€¢ Question: Whatā€™s the one 9 digit number you shouldnā€™t give to ANYONE? ā€¢ Answer: SSN ā€¢ Bonus question: What can you do with someoneā€™s SSN? ā€¢ Answer: Steal their identity. ā€¢ How do SSNā€™s get on the web? Letā€™s take a look at some possibilities.
SSNā€™s in source code ā€¢ Well, they could be hardcoded into a healthcare systemā€¦ and uhmmmā€¦ put on the webā€¦
Crime shouldnā€™t payā€¦ ā€¢ Remember the police reports? Since the credit card accounts in them are no good, maybe we should troll them some moreā€¦.
SSNā€™s - Police Reports
SSNā€™s ā€¢ Students have a right to knowā€¦
Social Security Numbers ā€¢ Many privacy violations are self-inflictedā€¦ ā€œ ā€
Social Security Numbers ā€¢ Schools are notoriousā€¦ Grades posted w/ studentā€™s SSNā€™s ā€œ ā€
Social Security Numbers ā€¢ Once you get a lock on a grade list, the results fan out as you explore the site. ā€œ ā€
Social Security Numbers Thereā€™s no shortage of examplesā€¦
Social Security Numbers ā€¢ In order to steal someoneā€™s identity, you need names. SSNā€™s with names are usually blockedā€¦ arenā€™t they?
Social Security Numbers ā€œ ā€ Googleā€™s cache says otherwiseā€¦
A tale of one city ā€¢ A city document outlining residents who are in debt to the cityā€¦ A little report of names, addresses, amount owed and SSN numbersā€¦
A tale of one city ā€¢ Or perhaps more than a little reportā€¦ ā€œ ā€
A tale of one city ā€¢ Hundreds of city residentsā€™ personal information posted to the webā€¦ 90% including SSN and address. ā€œ ā€
What weā€™ve doneā€¦ ā€¢ Weā€™ve skimmed ā€œGoogle Hacking for Penetration Testersā€ by Syngress Publishing, which doesnā€™t seem to suck. ā€¢ Weā€™ve looked at some great tools by Roelof Temmingh. Check out Sensepost.com. ā€¢ Weā€™ve invaded the privacy of millions. ā€¢ Weā€™re all still awake. Right?
Thanks! ā€¢ Thanks to God for the gift of life. ā€¢ Thanks to my family for the gift of love. ā€¢ Thanks to my friends for filling in the blanks. ā€¢ Thanks to the moderators of ihackstuff.com: Murfie, Jimmy Neutron, ThePsyko, Wasabi, l0om, Stonersavant ā€¢ Thanks to Roelof T for the great code, and to the current Google Masters: murfie, jimmyneutron, klouw, l0om, stonersavant, MILKMAN, ThePsyko, cybercide, yeseins, wolveso, Deadlink, crash_monkey, zoro25, digital.revolution, Renegade334, wasabi, urban, sfd, mlynch, Peefy, Vipsta, noAcces, brasileiro, john, Z!nCh

Recommended

Neural Search Comes to Apache Solr
Neural Search Comes to Apache SolrNeural Search Comes to Apache Solr
Neural Search Comes to Apache SolrSease
Ā 
Cč؀čŖžć®å®£č؀čŖ­ćæę–¹č¬›åŗ§
Cč؀čŖžć®å®£č؀čŖ­ćæę–¹č¬›åŗ§Cč؀čŖžć®å®£č؀čŖ­ćæę–¹č¬›åŗ§
Cč؀čŖžć®å®£č؀čŖ­ćæę–¹č¬›åŗ§tetra_cat
Ā 
Best Practices for Building and Deploying Data Pipelines in Apache Spark
Best Practices for Building and Deploying Data Pipelines in Apache SparkBest Practices for Building and Deploying Data Pipelines in Apache Spark
Best Practices for Building and Deploying Data Pipelines in Apache SparkDatabricks
Ā 
ćƒ•ćƒ©ćƒƒćƒˆćŖPHPć‹ć‚‰ćƒ•ćƒ¬ćƒ¼ćƒ ćƒÆćƒ¼ć‚Æćø
ćƒ•ćƒ©ćƒƒćƒˆćŖPHPć‹ć‚‰ćƒ•ćƒ¬ćƒ¼ćƒ ćƒÆćƒ¼ć‚Æćøćƒ•ćƒ©ćƒƒćƒˆćŖPHPć‹ć‚‰ćƒ•ćƒ¬ćƒ¼ćƒ ćƒÆćƒ¼ć‚Æćø
ćƒ•ćƒ©ćƒƒćƒˆćŖPHPć‹ć‚‰ćƒ•ćƒ¬ćƒ¼ćƒ ćƒÆćƒ¼ć‚ÆćøMasao Maeda
Ā 
Word2Vec model to generate synonyms on the fly in Apache Lucene.pdf
Word2Vec model to generate synonyms on the fly in Apache Lucene.pdfWord2Vec model to generate synonyms on the fly in Apache Lucene.pdf
Word2Vec model to generate synonyms on the fly in Apache Lucene.pdfSease
Ā 
Smart Join Algorithms for Fighting Skew at Scale
Smart Join Algorithms for Fighting Skew at ScaleSmart Join Algorithms for Fighting Skew at Scale
Smart Join Algorithms for Fighting Skew at ScaleDatabricks
Ā 
BigQueryģ˜ ėŖØė“  ź²ƒ(źø°ķšģž, ė§ˆģ¼€ķ„°, ģ‹ ģž… ė°ģ“ķ„° ė¶„ģ„ź°€ė„¼ ģœ„ķ•œ) ģž…ė¬øķŽø
BigQueryģ˜ ėŖØė“  ź²ƒ(źø°ķšģž, ė§ˆģ¼€ķ„°, ģ‹ ģž… ė°ģ“ķ„° ė¶„ģ„ź°€ė„¼ ģœ„ķ•œ) ģž…ė¬øķŽøBigQueryģ˜ ėŖØė“  ź²ƒ(źø°ķšģž, ė§ˆģ¼€ķ„°, ģ‹ ģž… ė°ģ“ķ„° ė¶„ģ„ź°€ė„¼ ģœ„ķ•œ) ģž…ė¬øķŽø
BigQueryģ˜ ėŖØė“  ź²ƒ(źø°ķšģž, ė§ˆģ¼€ķ„°, ģ‹ ģž… ė°ģ“ķ„° ė¶„ģ„ź°€ė„¼ ģœ„ķ•œ) ģž…ė¬øķŽøSeongyun Byeon
Ā 
Tutorial: Context-awareness In Information Retrieval and Recommender Systems
Tutorial: Context-awareness In Information Retrieval and Recommender SystemsTutorial: Context-awareness In Information Retrieval and Recommender Systems
Tutorial: Context-awareness In Information Retrieval and Recommender SystemsYONG ZHENG
Ā 

Recommended

Neural Search Comes to Apache Solr
Neural Search Comes to Apache SolrNeural Search Comes to Apache Solr
Neural Search Comes to Apache SolrSease
Ā 
Cč؀čŖžć®å®£č؀čŖ­ćæę–¹č¬›åŗ§
Cč؀čŖžć®å®£č؀čŖ­ćæę–¹č¬›åŗ§Cč؀čŖžć®å®£č؀čŖ­ćæę–¹č¬›åŗ§
Cč؀čŖžć®å®£č؀čŖ­ćæę–¹č¬›åŗ§tetra_cat
Ā 
Best Practices for Building and Deploying Data Pipelines in Apache Spark
Best Practices for Building and Deploying Data Pipelines in Apache SparkBest Practices for Building and Deploying Data Pipelines in Apache Spark
Best Practices for Building and Deploying Data Pipelines in Apache SparkDatabricks
Ā 
ćƒ•ćƒ©ćƒƒćƒˆćŖPHPć‹ć‚‰ćƒ•ćƒ¬ćƒ¼ćƒ ćƒÆćƒ¼ć‚Æćø
ćƒ•ćƒ©ćƒƒćƒˆćŖPHPć‹ć‚‰ćƒ•ćƒ¬ćƒ¼ćƒ ćƒÆćƒ¼ć‚Æćøćƒ•ćƒ©ćƒƒćƒˆćŖPHPć‹ć‚‰ćƒ•ćƒ¬ćƒ¼ćƒ ćƒÆćƒ¼ć‚Æćø
ćƒ•ćƒ©ćƒƒćƒˆćŖPHPć‹ć‚‰ćƒ•ćƒ¬ćƒ¼ćƒ ćƒÆćƒ¼ć‚ÆćøMasao Maeda
Ā 
Word2Vec model to generate synonyms on the fly in Apache Lucene.pdf
Word2Vec model to generate synonyms on the fly in Apache Lucene.pdfWord2Vec model to generate synonyms on the fly in Apache Lucene.pdf
Word2Vec model to generate synonyms on the fly in Apache Lucene.pdfSease
Ā 
Smart Join Algorithms for Fighting Skew at Scale
Smart Join Algorithms for Fighting Skew at ScaleSmart Join Algorithms for Fighting Skew at Scale
Smart Join Algorithms for Fighting Skew at ScaleDatabricks
Ā 
BigQueryģ˜ ėŖØė“  ź²ƒ(źø°ķšģž, ė§ˆģ¼€ķ„°, ģ‹ ģž… ė°ģ“ķ„° ė¶„ģ„ź°€ė„¼ ģœ„ķ•œ) ģž…ė¬øķŽø
BigQueryģ˜ ėŖØė“  ź²ƒ(źø°ķšģž, ė§ˆģ¼€ķ„°, ģ‹ ģž… ė°ģ“ķ„° ė¶„ģ„ź°€ė„¼ ģœ„ķ•œ) ģž…ė¬øķŽøBigQueryģ˜ ėŖØė“  ź²ƒ(źø°ķšģž, ė§ˆģ¼€ķ„°, ģ‹ ģž… ė°ģ“ķ„° ė¶„ģ„ź°€ė„¼ ģœ„ķ•œ) ģž…ė¬øķŽø
BigQueryģ˜ ėŖØė“  ź²ƒ(źø°ķšģž, ė§ˆģ¼€ķ„°, ģ‹ ģž… ė°ģ“ķ„° ė¶„ģ„ź°€ė„¼ ģœ„ķ•œ) ģž…ė¬øķŽøSeongyun Byeon
Ā 
Tutorial: Context-awareness In Information Retrieval and Recommender Systems
Tutorial: Context-awareness In Information Retrieval and Recommender SystemsTutorial: Context-awareness In Information Retrieval and Recommender Systems
Tutorial: Context-awareness In Information Retrieval and Recommender SystemsYONG ZHENG
Ā 
Jak přejĆ­t z Universal Analytics na GA4 / Marek Čech
Jak přejĆ­t z Universal Analytics na GA4 / Marek ČechJak přejĆ­t z Universal Analytics na GA4 / Marek Čech
Jak přejĆ­t z Universal Analytics na GA4 / Marek ČechMarketingovĆ” Plzeň
Ā 
A Rusty introduction to Apache Arrow and how it applies to a time series dat...
A Rusty introduction to Apache Arrow and how it applies to a time series dat...A Rusty introduction to Apache Arrow and how it applies to a time series dat...
A Rusty introduction to Apache Arrow and how it applies to a time series dat...Andrew Lamb
Ā 
Improving PySpark performance: Spark Performance Beyond the JVM
Improving PySpark performance: Spark Performance Beyond the JVMImproving PySpark performance: Spark Performance Beyond the JVM
Improving PySpark performance: Spark Performance Beyond the JVMHolden Karau
Ā 
[216]į„‚į…¦į„‹į…µį„‡į…„ į„€į…„į†·į„‰į…¢į†Ø į„‰į…”į„‹į…­į†¼į„Œį…”į„…į…³į†Æ į„†į…”į†«į„Œį…©į†Øį„‰į…µį„į…§į„…į…”! į„‹į…“į„ƒį…©į„‘į…”į„‹į…”į†Øį„€į…Ŗ į„‹į…“į„†į…µį„€į…„į†·į„‰į…¢į†Ø
[216]į„‚į…¦į„‹į…µį„‡į…„ į„€į…„į†·į„‰į…¢į†Ø į„‰į…”į„‹į…­į†¼į„Œį…”į„…į…³į†Æ į„†į…”į†«į„Œį…©į†Øį„‰į…µį„į…§į„…į…”! į„‹į…“į„ƒį…©į„‘į…”į„‹į…”į†Øį„€į…Ŗ į„‹į…“į„†į…µį„€į…„į†·į„‰į…¢į†Ø[216]į„‚į…¦į„‹į…µį„‡į…„ į„€į…„į†·į„‰į…¢į†Ø į„‰į…”į„‹į…­į†¼į„Œį…”į„…į…³į†Æ į„†į…”į†«į„Œį…©į†Øį„‰į…µį„į…§į„…į…”! į„‹į…“į„ƒį…©į„‘į…”į„‹į…”į†Øį„€į…Ŗ į„‹į…“į„†į…µį„€į…„į†·į„‰į…¢į†Ø
[216]į„‚į…¦į„‹į…µį„‡į…„ į„€į…„į†·į„‰į…¢į†Ø į„‰į…”į„‹į…­į†¼į„Œį…”į„…į…³į†Æ į„†į…”į†«į„Œį…©į†Øį„‰į…µį„į…§į„…į…”! į„‹į…“į„ƒį…©į„‘į…”į„‹į…”į†Øį„€į…Ŗ į„‹į…“į„†į…µį„€į…„į†·į„‰į…¢į†ØNAVER D2
Ā 
Apache Solr Workshop
Apache Solr WorkshopApache Solr Workshop
Apache Solr WorkshopSaumitra Srivastav
Ā 
Incremental View Maintenance with Coral, DBT, and Iceberg
Incremental View Maintenance with Coral, DBT, and IcebergIncremental View Maintenance with Coral, DBT, and Iceberg
Incremental View Maintenance with Coral, DBT, and IcebergWalaa Eldin Moustafa
Ā 
DocValues aka. Column Stride Fields in Lucene 4.0 - By Willnauer Simon
DocValues aka. Column Stride Fields in Lucene 4.0 - By Willnauer SimonDocValues aka. Column Stride Fields in Lucene 4.0 - By Willnauer Simon
DocValues aka. Column Stride Fields in Lucene 4.0 - By Willnauer Simonlucenerevolution
Ā 
Presto best practices for Cluster admins, data engineers and analysts
Presto best practices for Cluster admins, data engineers and analystsPresto best practices for Cluster admins, data engineers and analysts
Presto best practices for Cluster admins, data engineers and analystsShubham Tagra
Ā 
ķ”„ė”œģ ķŠø źø°ķšģ„œ ė°œķ‘œ - ģ›¹ķ¬ė”¤ė§ (ķ•œģ–‘ėŒ€ ģ˜¤ķ”ˆģ†ŒģŠ¤ė™ģ•„ė¦¬)
ķ”„ė”œģ ķŠø źø°ķšģ„œ ė°œķ‘œ - ģ›¹ķ¬ė”¤ė§ (ķ•œģ–‘ėŒ€ ģ˜¤ķ”ˆģ†ŒģŠ¤ė™ģ•„ė¦¬)ķ”„ė”œģ ķŠø źø°ķšģ„œ ė°œķ‘œ - ģ›¹ķ¬ė”¤ė§ (ķ•œģ–‘ėŒ€ ģ˜¤ķ”ˆģ†ŒģŠ¤ė™ģ•„ė¦¬)
ķ”„ė”œģ ķŠø źø°ķšģ„œ ė°œķ‘œ - ģ›¹ķ¬ė”¤ė§ (ķ•œģ–‘ėŒ€ ģ˜¤ķ”ˆģ†ŒģŠ¤ė™ģ•„ė¦¬)Osori Hanyang
Ā 
Clean code presentation
Clean code presentationClean code presentation
Clean code presentationBhavin Gandhi
Ā 
The Parquet Format and Performance Optimization Opportunities
The Parquet Format and Performance Optimization OpportunitiesThe Parquet Format and Performance Optimization Opportunities
The Parquet Format and Performance Optimization OpportunitiesDatabricks
Ā 
On Improving Broadcast Joins in Apache Spark SQL
On Improving Broadcast Joins in Apache Spark SQLOn Improving Broadcast Joins in Apache Spark SQL
On Improving Broadcast Joins in Apache Spark SQLDatabricks
Ā 
Whoops, The Numbers Are Wrong! Scaling Data Quality @ Netflix
Whoops, The Numbers Are Wrong! Scaling Data Quality @ NetflixWhoops, The Numbers Are Wrong! Scaling Data Quality @ Netflix
Whoops, The Numbers Are Wrong! Scaling Data Quality @ NetflixDataWorks Summit
Ā 
Django ORM道堓ļ¼šć‚Æć‚ØćƒŖ恮åŸŗęœ¬ć‚’ęŠ¼ć•ćˆļ¼Œć‚ˆć‚Šč‰Æć„å½¢ć‚’čŗ«ć«ä»˜ć‘ć‚ˆć†
Django ORM道堓ļ¼šć‚Æć‚ØćƒŖ恮åŸŗęœ¬ć‚’ęŠ¼ć•ćˆļ¼Œć‚ˆć‚Šč‰Æć„å½¢ć‚’čŗ«ć«ä»˜ć‘ć‚ˆć†Django ORM道堓ļ¼šć‚Æć‚ØćƒŖ恮åŸŗęœ¬ć‚’ęŠ¼ć•ćˆļ¼Œć‚ˆć‚Šč‰Æć„å½¢ć‚’čŗ«ć«ä»˜ć‘ć‚ˆć†
Django ORM道堓ļ¼šć‚Æć‚ØćƒŖ恮åŸŗęœ¬ć‚’ęŠ¼ć•ćˆļ¼Œć‚ˆć‚Šč‰Æć„å½¢ć‚’čŗ«ć«ä»˜ć‘ć‚ˆć†Takayuki Shimizukawa
Ā 
Apexćƒ‡ć‚¶ć‚¤ćƒ³ćƒ‘ć‚æćƒ¼ćƒ³
Apexćƒ‡ć‚¶ć‚¤ćƒ³ćƒ‘ć‚æćƒ¼ćƒ³Apexćƒ‡ć‚¶ć‚¤ćƒ³ćƒ‘ć‚æćƒ¼ćƒ³
Apexćƒ‡ć‚¶ć‚¤ćƒ³ćƒ‘ć‚æćƒ¼ćƒ³Salesforce Developers Japan
Ā 
WTM-2023-Looker Studio.pdf
WTM-2023-Looker Studio.pdfWTM-2023-Looker Studio.pdf
WTM-2023-Looker Studio.pdfPyariKumaran
Ā 
Python Advanced ā€“ Building on the foundation
Python Advanced ā€“ Building on the foundationPython Advanced ā€“ Building on the foundation
Python Advanced ā€“ Building on the foundationKevlin Henney
Ā 
źø€ģ“°ėŠ” ź°œė°œģž ėŖØģž„, źø€ė˜
źø€ģ“°ėŠ” ź°œė°œģž ėŖØģž„, źø€ė˜źø€ģ“°ėŠ” ź°œė°œģž ėŖØģž„, źø€ė˜
źø€ģ“°ėŠ” ź°œė°œģž ėŖØģž„, źø€ė˜Seongyun Byeon
Ā 
Multiplayer Game Sync Techniques through CAP theorem
Multiplayer Game Sync Techniques through CAP theoremMultiplayer Game Sync Techniques through CAP theorem
Multiplayer Game Sync Techniques through CAP theoremSeungmo Koo
Ā 
Lab Seminar - Reading Wikipedia to Answer Open-Domain Questions (DrQA)
Lab Seminar - Reading Wikipedia to Answer Open-Domain Questions (DrQA)Lab Seminar - Reading Wikipedia to Answer Open-Domain Questions (DrQA)
Lab Seminar - Reading Wikipedia to Answer Open-Domain Questions (DrQA)hkh
Ā 
Google Hacking 101
Google Hacking 101Google Hacking 101
Google Hacking 101Sais Abdelkrim
Ā 
ki
kiki
kimartin
Ā 

More Related Content

What's hot

Jak přejĆ­t z Universal Analytics na GA4 / Marek Čech
Jak přejĆ­t z Universal Analytics na GA4 / Marek ČechJak přejĆ­t z Universal Analytics na GA4 / Marek Čech
Jak přejĆ­t z Universal Analytics na GA4 / Marek ČechMarketingovĆ” Plzeň
Ā 
A Rusty introduction to Apache Arrow and how it applies to a time series dat...
A Rusty introduction to Apache Arrow and how it applies to a time series dat...A Rusty introduction to Apache Arrow and how it applies to a time series dat...
A Rusty introduction to Apache Arrow and how it applies to a time series dat...Andrew Lamb
Ā 
Improving PySpark performance: Spark Performance Beyond the JVM
Improving PySpark performance: Spark Performance Beyond the JVMImproving PySpark performance: Spark Performance Beyond the JVM
Improving PySpark performance: Spark Performance Beyond the JVMHolden Karau
Ā 
[216]į„‚į…¦į„‹į…µį„‡į…„ į„€į…„į†·į„‰į…¢į†Ø į„‰į…”į„‹į…­į†¼į„Œį…”į„…į…³į†Æ į„†į…”į†«į„Œį…©į†Øį„‰į…µį„į…§į„…į…”! į„‹į…“į„ƒį…©į„‘į…”į„‹į…”į†Øį„€į…Ŗ į„‹į…“į„†į…µį„€į…„į†·į„‰į…¢į†Ø
[216]į„‚į…¦į„‹į…µį„‡į…„ į„€į…„į†·į„‰į…¢į†Ø į„‰į…”į„‹į…­į†¼į„Œį…”į„…į…³į†Æ į„†į…”į†«į„Œį…©į†Øį„‰į…µį„į…§į„…į…”! į„‹į…“į„ƒį…©į„‘į…”į„‹į…”į†Øį„€į…Ŗ į„‹į…“į„†į…µį„€į…„į†·į„‰į…¢į†Ø[216]į„‚į…¦į„‹į…µį„‡į…„ į„€į…„į†·į„‰į…¢į†Ø į„‰į…”į„‹į…­į†¼į„Œį…”į„…į…³į†Æ į„†į…”į†«į„Œį…©į†Øį„‰į…µį„į…§į„…į…”! į„‹į…“į„ƒį…©į„‘į…”į„‹į…”į†Øį„€į…Ŗ į„‹į…“į„†į…µį„€į…„į†·į„‰į…¢į†Ø
[216]į„‚į…¦į„‹į…µį„‡į…„ į„€į…„į†·į„‰į…¢į†Ø į„‰į…”į„‹į…­į†¼į„Œį…”į„…į…³į†Æ į„†į…”į†«į„Œį…©į†Øį„‰į…µį„į…§į„…į…”! į„‹į…“į„ƒį…©į„‘į…”į„‹į…”į†Øį„€į…Ŗ į„‹į…“į„†į…µį„€į…„į†·į„‰į…¢į†ØNAVER D2
Ā 
Incremental View Maintenance with Coral, DBT, and Iceberg
Incremental View Maintenance with Coral, DBT, and IcebergIncremental View Maintenance with Coral, DBT, and Iceberg
Incremental View Maintenance with Coral, DBT, and IcebergWalaa Eldin Moustafa
Ā 
DocValues aka. Column Stride Fields in Lucene 4.0 - By Willnauer Simon
DocValues aka. Column Stride Fields in Lucene 4.0 - By Willnauer SimonDocValues aka. Column Stride Fields in Lucene 4.0 - By Willnauer Simon
DocValues aka. Column Stride Fields in Lucene 4.0 - By Willnauer Simonlucenerevolution
Ā 
Presto best practices for Cluster admins, data engineers and analysts
Presto best practices for Cluster admins, data engineers and analystsPresto best practices for Cluster admins, data engineers and analysts
Presto best practices for Cluster admins, data engineers and analystsShubham Tagra
Ā 
ķ”„ė”œģ ķŠø źø°ķšģ„œ ė°œķ‘œ - ģ›¹ķ¬ė”¤ė§ (ķ•œģ–‘ėŒ€ ģ˜¤ķ”ˆģ†ŒģŠ¤ė™ģ•„ė¦¬)
ķ”„ė”œģ ķŠø źø°ķšģ„œ ė°œķ‘œ - ģ›¹ķ¬ė”¤ė§ (ķ•œģ–‘ėŒ€ ģ˜¤ķ”ˆģ†ŒģŠ¤ė™ģ•„ė¦¬)ķ”„ė”œģ ķŠø źø°ķšģ„œ ė°œķ‘œ - ģ›¹ķ¬ė”¤ė§ (ķ•œģ–‘ėŒ€ ģ˜¤ķ”ˆģ†ŒģŠ¤ė™ģ•„ė¦¬)
ķ”„ė”œģ ķŠø źø°ķšģ„œ ė°œķ‘œ - ģ›¹ķ¬ė”¤ė§ (ķ•œģ–‘ėŒ€ ģ˜¤ķ”ˆģ†ŒģŠ¤ė™ģ•„ė¦¬)Osori Hanyang
Ā 
Clean code presentation
Clean code presentationClean code presentation
Clean code presentationBhavin Gandhi
Ā 
The Parquet Format and Performance Optimization Opportunities
The Parquet Format and Performance Optimization OpportunitiesThe Parquet Format and Performance Optimization Opportunities
The Parquet Format and Performance Optimization OpportunitiesDatabricks
Ā 
On Improving Broadcast Joins in Apache Spark SQL
On Improving Broadcast Joins in Apache Spark SQLOn Improving Broadcast Joins in Apache Spark SQL
On Improving Broadcast Joins in Apache Spark SQLDatabricks
Ā 
Whoops, The Numbers Are Wrong! Scaling Data Quality @ Netflix
Whoops, The Numbers Are Wrong! Scaling Data Quality @ NetflixWhoops, The Numbers Are Wrong! Scaling Data Quality @ Netflix
Whoops, The Numbers Are Wrong! Scaling Data Quality @ NetflixDataWorks Summit
Ā 
Django ORM道堓ļ¼šć‚Æć‚ØćƒŖ恮åŸŗęœ¬ć‚’ęŠ¼ć•ćˆļ¼Œć‚ˆć‚Šč‰Æć„å½¢ć‚’čŗ«ć«ä»˜ć‘ć‚ˆć†
Django ORM道堓ļ¼šć‚Æć‚ØćƒŖ恮åŸŗęœ¬ć‚’ęŠ¼ć•ćˆļ¼Œć‚ˆć‚Šč‰Æć„å½¢ć‚’čŗ«ć«ä»˜ć‘ć‚ˆć†Django ORM道堓ļ¼šć‚Æć‚ØćƒŖ恮åŸŗęœ¬ć‚’ęŠ¼ć•ćˆļ¼Œć‚ˆć‚Šč‰Æć„å½¢ć‚’čŗ«ć«ä»˜ć‘ć‚ˆć†
Django ORM道堓ļ¼šć‚Æć‚ØćƒŖ恮åŸŗęœ¬ć‚’ęŠ¼ć•ćˆļ¼Œć‚ˆć‚Šč‰Æć„å½¢ć‚’čŗ«ć«ä»˜ć‘ć‚ˆć†Takayuki Shimizukawa
Ā 
Apexćƒ‡ć‚¶ć‚¤ćƒ³ćƒ‘ć‚æćƒ¼ćƒ³
Apexćƒ‡ć‚¶ć‚¤ćƒ³ćƒ‘ć‚æćƒ¼ćƒ³Apexćƒ‡ć‚¶ć‚¤ćƒ³ćƒ‘ć‚æćƒ¼ćƒ³
Apexćƒ‡ć‚¶ć‚¤ćƒ³ćƒ‘ć‚æćƒ¼ćƒ³Salesforce Developers Japan
Ā 
WTM-2023-Looker Studio.pdf
WTM-2023-Looker Studio.pdfWTM-2023-Looker Studio.pdf
WTM-2023-Looker Studio.pdfPyariKumaran
Ā 
Python Advanced ā€“ Building on the foundation
Python Advanced ā€“ Building on the foundationPython Advanced ā€“ Building on the foundation
Python Advanced ā€“ Building on the foundationKevlin Henney
Ā 
źø€ģ“°ėŠ” ź°œė°œģž ėŖØģž„, źø€ė˜
źø€ģ“°ėŠ” ź°œė°œģž ėŖØģž„, źø€ė˜źø€ģ“°ėŠ” ź°œė°œģž ėŖØģž„, źø€ė˜
źø€ģ“°ėŠ” ź°œė°œģž ėŖØģž„, źø€ė˜Seongyun Byeon
Ā 
Multiplayer Game Sync Techniques through CAP theorem
Multiplayer Game Sync Techniques through CAP theoremMultiplayer Game Sync Techniques through CAP theorem
Multiplayer Game Sync Techniques through CAP theoremSeungmo Koo
Ā 
Lab Seminar - Reading Wikipedia to Answer Open-Domain Questions (DrQA)
Lab Seminar - Reading Wikipedia to Answer Open-Domain Questions (DrQA)Lab Seminar - Reading Wikipedia to Answer Open-Domain Questions (DrQA)
Lab Seminar - Reading Wikipedia to Answer Open-Domain Questions (DrQA)hkh
Ā 

What's hot (20)

Jak přejĆ­t z Universal Analytics na GA4 / Marek Čech
Jak přejĆ­t z Universal Analytics na GA4 / Marek ČechJak přejĆ­t z Universal Analytics na GA4 / Marek Čech
Jak přejĆ­t z Universal Analytics na GA4 / Marek Čech
Ā 
A Rusty introduction to Apache Arrow and how it applies to a time series dat...
A Rusty introduction to Apache Arrow and how it applies to a time series dat...A Rusty introduction to Apache Arrow and how it applies to a time series dat...
A Rusty introduction to Apache Arrow and how it applies to a time series dat...
Ā 
Improving PySpark performance: Spark Performance Beyond the JVM
Improving PySpark performance: Spark Performance Beyond the JVMImproving PySpark performance: Spark Performance Beyond the JVM
Improving PySpark performance: Spark Performance Beyond the JVM
Ā 
[216]į„‚į…¦į„‹į…µį„‡į…„ į„€į…„į†·į„‰į…¢į†Ø į„‰į…”į„‹į…­į†¼į„Œį…”į„…į…³į†Æ į„†į…”į†«į„Œį…©į†Øį„‰į…µį„į…§į„…į…”! į„‹į…“į„ƒį…©į„‘į…”į„‹į…”į†Øį„€į…Ŗ į„‹į…“į„†į…µį„€į…„į†·į„‰į…¢į†Ø
[216]į„‚į…¦į„‹į…µį„‡į…„ į„€į…„į†·į„‰į…¢į†Ø į„‰į…”į„‹į…­į†¼į„Œį…”į„…į…³į†Æ į„†į…”į†«į„Œį…©į†Øį„‰į…µį„į…§į„…į…”! į„‹į…“į„ƒį…©į„‘į…”į„‹į…”į†Øį„€į…Ŗ į„‹į…“į„†į…µį„€į…„į†·į„‰į…¢į†Ø[216]į„‚į…¦į„‹į…µį„‡į…„ į„€į…„į†·į„‰į…¢į†Ø į„‰į…”į„‹į…­į†¼į„Œį…”į„…į…³į†Æ į„†į…”į†«į„Œį…©į†Øį„‰į…µį„į…§į„…į…”! į„‹į…“į„ƒį…©į„‘į…”į„‹į…”į†Øį„€į…Ŗ į„‹į…“į„†į…µį„€į…„į†·į„‰į…¢į†Ø
[216]į„‚į…¦į„‹į…µį„‡į…„ į„€į…„į†·į„‰į…¢į†Ø į„‰į…”į„‹į…­į†¼į„Œį…”į„…į…³į†Æ į„†į…”į†«į„Œį…©į†Øį„‰į…µį„į…§į„…į…”! į„‹į…“į„ƒį…©į„‘į…”į„‹į…”į†Øį„€į…Ŗ į„‹į…“į„†į…µį„€į…„į†·į„‰į…¢į†Ø
Ā 
Apache Solr Workshop
Apache Solr WorkshopApache Solr Workshop
Apache Solr Workshop
Ā 
Incremental View Maintenance with Coral, DBT, and Iceberg
Incremental View Maintenance with Coral, DBT, and IcebergIncremental View Maintenance with Coral, DBT, and Iceberg
Incremental View Maintenance with Coral, DBT, and Iceberg
Ā 
DocValues aka. Column Stride Fields in Lucene 4.0 - By Willnauer Simon
DocValues aka. Column Stride Fields in Lucene 4.0 - By Willnauer SimonDocValues aka. Column Stride Fields in Lucene 4.0 - By Willnauer Simon
DocValues aka. Column Stride Fields in Lucene 4.0 - By Willnauer Simon
Ā 
Presto best practices for Cluster admins, data engineers and analysts
Presto best practices for Cluster admins, data engineers and analystsPresto best practices for Cluster admins, data engineers and analysts
Presto best practices for Cluster admins, data engineers and analysts
Ā 
ķ”„ė”œģ ķŠø źø°ķšģ„œ ė°œķ‘œ - ģ›¹ķ¬ė”¤ė§ (ķ•œģ–‘ėŒ€ ģ˜¤ķ”ˆģ†ŒģŠ¤ė™ģ•„ė¦¬)
ķ”„ė”œģ ķŠø źø°ķšģ„œ ė°œķ‘œ - ģ›¹ķ¬ė”¤ė§ (ķ•œģ–‘ėŒ€ ģ˜¤ķ”ˆģ†ŒģŠ¤ė™ģ•„ė¦¬)ķ”„ė”œģ ķŠø źø°ķšģ„œ ė°œķ‘œ - ģ›¹ķ¬ė”¤ė§ (ķ•œģ–‘ėŒ€ ģ˜¤ķ”ˆģ†ŒģŠ¤ė™ģ•„ė¦¬)
ķ”„ė”œģ ķŠø źø°ķšģ„œ ė°œķ‘œ - ģ›¹ķ¬ė”¤ė§ (ķ•œģ–‘ėŒ€ ģ˜¤ķ”ˆģ†ŒģŠ¤ė™ģ•„ė¦¬)
Ā 
Clean code presentation
Clean code presentationClean code presentation
Clean code presentation
Ā 
The Parquet Format and Performance Optimization Opportunities
The Parquet Format and Performance Optimization OpportunitiesThe Parquet Format and Performance Optimization Opportunities
The Parquet Format and Performance Optimization Opportunities
Ā 
On Improving Broadcast Joins in Apache Spark SQL
On Improving Broadcast Joins in Apache Spark SQLOn Improving Broadcast Joins in Apache Spark SQL
On Improving Broadcast Joins in Apache Spark SQL
Ā 
Whoops, The Numbers Are Wrong! Scaling Data Quality @ Netflix
Whoops, The Numbers Are Wrong! Scaling Data Quality @ NetflixWhoops, The Numbers Are Wrong! Scaling Data Quality @ Netflix
Whoops, The Numbers Are Wrong! Scaling Data Quality @ Netflix
Ā 
Django ORM道堓ļ¼šć‚Æć‚ØćƒŖ恮åŸŗęœ¬ć‚’ęŠ¼ć•ćˆļ¼Œć‚ˆć‚Šč‰Æć„å½¢ć‚’čŗ«ć«ä»˜ć‘ć‚ˆć†
Django ORM道堓ļ¼šć‚Æć‚ØćƒŖ恮åŸŗęœ¬ć‚’ęŠ¼ć•ćˆļ¼Œć‚ˆć‚Šč‰Æć„å½¢ć‚’čŗ«ć«ä»˜ć‘ć‚ˆć†Django ORM道堓ļ¼šć‚Æć‚ØćƒŖ恮åŸŗęœ¬ć‚’ęŠ¼ć•ćˆļ¼Œć‚ˆć‚Šč‰Æć„å½¢ć‚’čŗ«ć«ä»˜ć‘ć‚ˆć†
Django ORM道堓ļ¼šć‚Æć‚ØćƒŖ恮åŸŗęœ¬ć‚’ęŠ¼ć•ćˆļ¼Œć‚ˆć‚Šč‰Æć„å½¢ć‚’čŗ«ć«ä»˜ć‘ć‚ˆć†
Ā 
Apexćƒ‡ć‚¶ć‚¤ćƒ³ćƒ‘ć‚æćƒ¼ćƒ³
Apexćƒ‡ć‚¶ć‚¤ćƒ³ćƒ‘ć‚æćƒ¼ćƒ³Apexćƒ‡ć‚¶ć‚¤ćƒ³ćƒ‘ć‚æćƒ¼ćƒ³
Apexćƒ‡ć‚¶ć‚¤ćƒ³ćƒ‘ć‚æćƒ¼ćƒ³
Ā 
WTM-2023-Looker Studio.pdf
WTM-2023-Looker Studio.pdfWTM-2023-Looker Studio.pdf
WTM-2023-Looker Studio.pdf
Ā 
Python Advanced ā€“ Building on the foundation
Python Advanced ā€“ Building on the foundationPython Advanced ā€“ Building on the foundation
Python Advanced ā€“ Building on the foundation
Ā 
źø€ģ“°ėŠ” ź°œė°œģž ėŖØģž„, źø€ė˜
źø€ģ“°ėŠ” ź°œė°œģž ėŖØģž„, źø€ė˜źø€ģ“°ėŠ” ź°œė°œģž ėŖØģž„, źø€ė˜
źø€ģ“°ėŠ” ź°œė°œģž ėŖØģž„, źø€ė˜
Ā 
Multiplayer Game Sync Techniques through CAP theorem
Multiplayer Game Sync Techniques through CAP theoremMultiplayer Game Sync Techniques through CAP theorem
Multiplayer Game Sync Techniques through CAP theorem
Ā 
Lab Seminar - Reading Wikipedia to Answer Open-Domain Questions (DrQA)
Lab Seminar - Reading Wikipedia to Answer Open-Domain Questions (DrQA)Lab Seminar - Reading Wikipedia to Answer Open-Domain Questions (DrQA)
Lab Seminar - Reading Wikipedia to Answer Open-Domain Questions (DrQA)
Ā 

Similar to google dork.pdf

Google Hacking 101
Google Hacking 101Google Hacking 101
Google Hacking 101Sais Abdelkrim
Ā 
ki
kiki
kimartin
Ā 
Google Hacking Basic
Google Hacking BasicGoogle Hacking Basic
Google Hacking BasicOcim Nationalism
Ā 
Search-Friendly Web Development at RubyNation
Search-Friendly Web Development at RubyNationSearch-Friendly Web Development at RubyNation
Search-Friendly Web Development at RubyNationLuigi Montanez
Ā 
Kiran karnad rtc2014 ghdb-final
Kiran karnad rtc2014 ghdb-finalKiran karnad rtc2014 ghdb-final
Kiran karnad rtc2014 ghdb-finalRomania Testing
Ā 
SEO For Developers
SEO For DevelopersSEO For Developers
SEO For DevelopersDeepu S Nath
Ā 
SEO for Ecommerce: A Comprehensive Guide
SEO for Ecommerce: A Comprehensive GuideSEO for Ecommerce: A Comprehensive Guide
SEO for Ecommerce: A Comprehensive GuideAdam Audette
Ā 
JavaScript SEO Ungagged 2019 Patrick Stox
JavaScript SEO Ungagged 2019 Patrick StoxJavaScript SEO Ungagged 2019 Patrick Stox
JavaScript SEO Ungagged 2019 Patrick Stoxpatrickstox
Ā 
Demand Quest SEO training session 2
Demand Quest SEO training session 2Demand Quest SEO training session 2
Demand Quest SEO training session 2Nate Plaunt
Ā 
Stop Playing Hide and Seek with Google: Drupal SEO for Non-profits
Stop Playing Hide and Seek with Google: Drupal SEO for Non-profitsStop Playing Hide and Seek with Google: Drupal SEO for Non-profits
Stop Playing Hide and Seek with Google: Drupal SEO for Non-profitsDesignHammer
Ā 
Google power search
Google power searchGoogle power search
Google power searchMuhammed Shokr
Ā 
Google Hacking
Google HackingGoogle Hacking
Google HackingPim Piepers
Ā 
Advanced googling
Advanced googlingAdvanced googling
Advanced googlingsonuagain
Ā 
SearchLove Boston 2017 | Dom Woodman | How to Get Insight From Your Logs
SearchLove Boston 2017 | Dom Woodman | How to Get Insight From Your LogsSearchLove Boston 2017 | Dom Woodman | How to Get Insight From Your Logs
SearchLove Boston 2017 | Dom Woodman | How to Get Insight From Your LogsDistilled
Ā 
Demand Quest SEO Training - Session 2
Demand Quest SEO Training - Session 2Demand Quest SEO Training - Session 2
Demand Quest SEO Training - Session 2Nate Plaunt
Ā 
SearchLove London 2016 | Dom Woodman | How to Get Insight From Your Logs
SearchLove London 2016 | Dom Woodman | How to Get Insight From Your LogsSearchLove London 2016 | Dom Woodman | How to Get Insight From Your Logs
SearchLove London 2016 | Dom Woodman | How to Get Insight From Your LogsDistilled
Ā 

Similar to google dork.pdf (20)

Google Hacking 101
Google Hacking 101Google Hacking 101
Google Hacking 101
Ā 
ki
kiki
ki
Ā 
Google Hacking Basic
Google Hacking BasicGoogle Hacking Basic
Google Hacking Basic
Ā 
Search-Friendly Web Development at RubyNation
Search-Friendly Web Development at RubyNationSearch-Friendly Web Development at RubyNation
Search-Friendly Web Development at RubyNation
Ā 
BrightonSEO
BrightonSEOBrightonSEO
BrightonSEO
Ā 
Kiran karnad rtc2014 ghdb-final
Kiran karnad rtc2014 ghdb-finalKiran karnad rtc2014 ghdb-final
Kiran karnad rtc2014 ghdb-final
Ā 
Google dorks
Google dorksGoogle dorks
Google dorks
Ā 
SEO For Developers
SEO For DevelopersSEO For Developers
SEO For Developers
Ā 
SEO for Ecommerce: A Comprehensive Guide
SEO for Ecommerce: A Comprehensive GuideSEO for Ecommerce: A Comprehensive Guide
SEO for Ecommerce: A Comprehensive Guide
Ā 
JavaScript SEO Ungagged 2019 Patrick Stox
JavaScript SEO Ungagged 2019 Patrick StoxJavaScript SEO Ungagged 2019 Patrick Stox
JavaScript SEO Ungagged 2019 Patrick Stox
Ā 
Demand Quest SEO training session 2
Demand Quest SEO training session 2Demand Quest SEO training session 2
Demand Quest SEO training session 2
Ā 
Stop Playing Hide and Seek with Google: Drupal SEO for Non-profits
Stop Playing Hide and Seek with Google: Drupal SEO for Non-profitsStop Playing Hide and Seek with Google: Drupal SEO for Non-profits
Stop Playing Hide and Seek with Google: Drupal SEO for Non-profits
Ā 
Google power search
Google power searchGoogle power search
Google power search
Ā 
Google Hacking
Google HackingGoogle Hacking
Google Hacking
Ā 
Advanced googling
Advanced googlingAdvanced googling
Advanced googling
Ā 
SearchLove Boston 2017 | Dom Woodman | How to Get Insight From Your Logs
SearchLove Boston 2017 | Dom Woodman | How to Get Insight From Your LogsSearchLove Boston 2017 | Dom Woodman | How to Get Insight From Your Logs
SearchLove Boston 2017 | Dom Woodman | How to Get Insight From Your Logs
Ā 
Google Dorks
Google DorksGoogle Dorks
Google Dorks
Ā 
Hacking
HackingHacking
Hacking
Ā 
Demand Quest SEO Training - Session 2
Demand Quest SEO Training - Session 2Demand Quest SEO Training - Session 2
Demand Quest SEO Training - Session 2
Ā 
SearchLove London 2016 | Dom Woodman | How to Get Insight From Your Logs
SearchLove London 2016 | Dom Woodman | How to Get Insight From Your LogsSearchLove London 2016 | Dom Woodman | How to Get Insight From Your Logs
SearchLove London 2016 | Dom Woodman | How to Get Insight From Your Logs
Ā 

Recently uploaded

mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docxPoojaSen20
Ā 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
Ā 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
Ā 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
Ā 
call girls in Kamla Market (DELHI) šŸ” >ą¼’9953330565šŸ” genuine Escort Service šŸ”āœ”ļøāœ”ļø
call girls in Kamla Market (DELHI) šŸ” >ą¼’9953330565šŸ” genuine Escort Service šŸ”āœ”ļøāœ”ļøcall girls in Kamla Market (DELHI) šŸ” >ą¼’9953330565šŸ” genuine Escort Service šŸ”āœ”ļøāœ”ļø
call girls in Kamla Market (DELHI) šŸ” >ą¼’9953330565šŸ” genuine Escort Service šŸ”āœ”ļøāœ”ļø9953056974 Low Rate Call Girls In Saket, Delhi NCR
Ā 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfSumit Tiwari
Ā 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
Ā 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
Ā 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
Ā 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxOH TEIK BIN
Ā 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
Ā 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
Ā 
MENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxMENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxPoojaSen20
Ā 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
Ā 
Class 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdfClass 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdfakmcokerachita
Ā 
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)ā€”ā€”ā€”ā€”IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)ā€”ā€”ā€”ā€”IMP.OF KSHARA ...KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)ā€”ā€”ā€”ā€”IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)ā€”ā€”ā€”ā€”IMP.OF KSHARA ...M56BOOKSTORE PRODUCT/SERVICE
Ā 

Recently uploaded (20)

mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docx
Ā 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
Ā 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
Ā 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
Ā 
Model Call Girl in Tilak Nagar Delhi reach out to us at šŸ”9953056974šŸ”
Model Call Girl in Tilak Nagar Delhi reach out to us at šŸ”9953056974šŸ”Model Call Girl in Tilak Nagar Delhi reach out to us at šŸ”9953056974šŸ”
Model Call Girl in Tilak Nagar Delhi reach out to us at šŸ”9953056974šŸ”
Ā 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
Ā 
CĆ³digo Creativo y Arte de Software | Unidad 1
CĆ³digo Creativo y Arte de Software | Unidad 1CĆ³digo Creativo y Arte de Software | Unidad 1
CĆ³digo Creativo y Arte de Software | Unidad 1
Ā 
call girls in Kamla Market (DELHI) šŸ” >ą¼’9953330565šŸ” genuine Escort Service šŸ”āœ”ļøāœ”ļø
call girls in Kamla Market (DELHI) šŸ” >ą¼’9953330565šŸ” genuine Escort Service šŸ”āœ”ļøāœ”ļøcall girls in Kamla Market (DELHI) šŸ” >ą¼’9953330565šŸ” genuine Escort Service šŸ”āœ”ļøāœ”ļø
call girls in Kamla Market (DELHI) šŸ” >ą¼’9953330565šŸ” genuine Escort Service šŸ”āœ”ļøāœ”ļø
Ā 
Model Call Girl in Bikash Puri Delhi reach out to us at šŸ”9953056974šŸ”
Model Call Girl in Bikash Puri Delhi reach out to us at šŸ”9953056974šŸ”Model Call Girl in Bikash Puri Delhi reach out to us at šŸ”9953056974šŸ”
Model Call Girl in Bikash Puri Delhi reach out to us at šŸ”9953056974šŸ”
Ā 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Ā 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
Ā 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
Ā 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
Ā 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptx
Ā 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
Ā 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Ā 
MENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxMENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docx
Ā 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
Ā 
Class 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdfClass 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdf
Ā 
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)ā€”ā€”ā€”ā€”IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)ā€”ā€”ā€”ā€”IMP.OF KSHARA ...KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)ā€”ā€”ā€”ā€”IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)ā€”ā€”ā€”ā€”IMP.OF KSHARA ...
Ā 

google dork.pdf

  • 1. Google Hacking for Penetration Testers Using Google as a Security Testing Tool Johnny Long johnny@ihackstuff.com
  • 2. What weā€™re doing ā€¢ I hate pimpinā€™, but weā€™re covering many techniques covered in the ā€œGoogle Hackingā€ book. ā€¢ For much more detail, I encourage you to check out ā€œGoogle Hacking for Penetration Testersā€ by Syngress Publishing.
  • 3. Advanced Operators Before we can walk, we must run. In Googleā€™s terms this means understanding advanced operators.
  • 4. Advanced Operators ā€¢ Google advanced operators help refine searches. ā€¢ They are included as part of a standard Google query. ā€¢ Advanced operators use a syntax such as the following: operator:search_term ā€¢ Thereā€™s no space between the operator, the colon, and the search term!
  • 5. Does search work in Operator Purpose Mixes with other operators? Can be used alone? Web Images Groups News intitle Search page title yes yes yes yes yes yes allintitle Search page title no yes yes yes yes yes inurl Search URL yes yes yes yes not really like intitle allinurl Search URL no yes yes yes yes like intitle filetype Search specific files yes no yes yes no not really allintext Search text of page only not really yes yes yes yes yes site Search specific site yes yes yes yes no not really link Search for links to pages no yes yes no no not really inanchor Search link anchor text yes yes yes yes not really yes numrange Locate number yes yes yes no no not really daterange Search in date range yes no yes not really not really not really author Group author search yes yes no no yes not really group Group name search not really yes no no yes not really insubject Group subject search yes yes like intitle like intitle yes like intitle msgid Group msgid search no yes not really not really yes not really Some operators can only be used to search specific areas of Google, as these columns show. In other cases, mixing should be avoided. Advanced operators can be combined in some cases. Advanced Operators at a Glance
  • 6. Crash course in advanced operators Some operators search overlapping areas. Consider site, inurl and filetype. SITE: Site can not search port. INURL: Inurl can search the whole URL, including port and filetype. FILETYPE: Filetype can only search file extension, which may be hard to distinguish in long URLs.
  • 7. numrange:99999-100000 intext:navigate intitle:ā€I hack stuffā€ filetype:php Advanced Google Searching There are many ways to find the same page. These individual queries could all help find the same page.
  • 8. Advanced Google Searching Put those individual queries together into one monster query and you only get that one specific result. Adding advanced operators reduces the number of results adding focus to the search.
  • 9. Google Hacking Basics INURL:orders INURL:admin FILETYPE:php Putting operators together in intelligent ways can cause a seemingly innocuous queryā€¦
  • 10. Google Hacking Basics Customer names Order Amounts Payment details! ā€¦can return devastating results!
  • 11. Google Hacking Basics Letā€™s take a look at some basic techniques: Anonymous Googling Special Characters
  • 12. Anonymous Googling The cache link is a great way to grab content after itā€™s deleted from the site. The question is, where exactly does that content come from?
  • 13. Anonymous Googling ā€¢ Some folks use the cache link as an anonymizer, thinking the content comes from Google. Letā€™s take a closer look. This line from the cached pageā€™s header gives a clue as to whatā€™s going onā€¦
  • 14. Anonymous Googling 21:39:24.648422 IP 192.168.2.32.51670 > 64.233.167.104.80 21:39:24.719067 IP 64.233.167.104.80 > 192.168.2.32.51670 21:39:24.720351 IP 64.233.167.104.80 > 192.168.2.32.51670 21:39:24.731503 IP 192.168.2.32.51670 > 64.233.167.104.80 21:39:24.897987 IP 192.168.2.32.51672 > 82.165.25.125.80 21:39:24.902401 IP 192.168.2.32.51671 > 82.165.25.125.80 21:39:24.922716 IP 192.168.2.32.51673 > 82.165.25.125.80 21:39:24.927402 IP 192.168.2.32.51674 > 82.165.25.125.80 21:39:25.017288 IP 82.165.25.125.80 > 192.168.2.32.51672 21:39:25.019111 IP 82.165.25.125.80 > 192.168.2.32.51672 21:39:25.019228 IP 192.168.2.32.51672 > 82.165.25.125.80 21:39:25.023371 IP 82.165.25.125.80 > 192.168.2.32.51671 21:39:25.025388 IP 82.165.25.125.80 > 192.168.2.32.51671 21:39:25.025736 IP 192.168.2.32.51671 > 82.165.25.125.80 21:39:25.043418 IP 82.165.25.125.80 > 192.168.2.32.51673 21:39:25.045573 IP 82.165.25.125.80 > 192.168.2.32.51673 21:39:25.045707 IP 192.168.2.32.51673 > 82.165.25.125.80 21:39:25.052853 IP 82.165.25.125.80 > 192.168.2.32.51674 This tcpdump output shows our network traffic while loading that cached page. This is Google. This is Phrack. We touched Phrackā€™s web server. Weā€™re not anonymous.
  • 15. Anonymous Googling ā€¢ Obviously we touched the site, but why? ā€¢ Hereā€™s more detailed tcpdump output: 0x0040 0d6c 4745 5420 2f67 7266 782f 3831 736d .lGET./grfx/81sm 0x0050 626c 7565 2e6a 7067 2048 5454 502f 312e blue.jpg.HTTP/1. 0x0060 310d 0a48 6f73 743a 2077 7777 2e70 6872 1..Host:.www.phr 0x0070 6163 6b2e 6f72 670d 0a43 6f6e 6e65 6374 ack.org..Connect 0x0080 696f 6e3a 206b 6565 702d 616c 6976 650d ion:.keep-alive. 0x0090 0a52 6566 6572 6572 3a20 6874 7470 3a2f .Referer:.http:/ 0x00a0 2f36 342e 3233 332e 3136 312e 3130 342f /64.233.161.104/ 0x00b0 7365 6172 6368 3f71 3d63 6163 6865 3a4c search?q=cache:L 0x00c0 4251 5a49 7253 6b4d 6755 4a3a 7777 772e BQZIrSkMgUJ:www. 0x00d0 7068 7261 636b 2e6f 7267 2f2b 2b73 6974 phrack.org/++sit 0x00e0 653a 7777 772e 7068 7261 636b 2e6f 7267 e:www.phrack.org 0x00f0 2b70 6872 6163 6b26 686c 3d65 6e0d 0a55 +phrack&hl=en..U An image loaded!
  • 16. Anonymous Googling This line spells it out. Letā€™s click this link and sniff the connection againā€¦.
  • 17. Anonymous Googling 23:46:53.996067 IP 192.168.2.32.52912 > 64.233.167.104.80 23:46:54.025277 IP 64.233.167.104.80 > 192.168.2.32.52912 23:46:54.025345 IP 192.168.2.32.52912 > 64.233.167.104.80 23:46:54.025465 IP 192.168.2.32.52912 > 64.233.167.104.80 23:46:54.094007 IP 64.233.167.104.80 > 192.168.2.32.52912 23:46:54.124930 IP 64.233.167.104.80 > 192.168.2.32.52912 23:46:54.127202 IP 64.233.167.104.80 > 192.168.2.32.52912 23:46:54.128762 IP 64.233.167.104.80 > 192.168.2.32.52912 23:46:54.128836 IP 192.168.2.32.52912 > 64.233.167.104.80 23:47:54.130200 IP 192.168.2.32.52912 > 64.233.167.104.80 23:47:54.154500 IP 64.233.167.104.80 > 192.168.2.32.52912 23:47:54.154596 IP 192.168.2.32.52912 > 64.233.167.104.80 This time, the entire conversation was between us (192.168.2.32) and Google (64.233.167.104)
  • 18. Anonymous Googling ā€¢ What made the difference? Letā€™s compare the two URLS: ā€¢ Original: http://64.233.187.104/search?q=cache:Z7FntxDMrMIJ:www.phrack.org/hardcover62/+phrack+h ardcover62&hl=en ā€¢ Cached Text Only: http://64.233.187.104/search?q=cache:Z7FntxDMrMIJ:www.phrack.org/hardcover62/+phrack+h ardcover62&hl=en&lr=&strip=1 Adding &strip=1 to the end of the cached URL only shows Googleā€™s text, not the targetā€™s.
  • 19. Anonymous Googling ā€¢ Anonymous Googling can be helpful, especially if combined with a proxy. Hereā€™s a summary. Perform a Google search. Right-click the cached link and copy the link to the clipboard. Paste the URL to the address bar, add &strip=1, hit return. Youā€™re only touching Google nowā€¦
  • 20. Special Search Characters ā€¢ Weā€™ll use some special characters in our examples. These characters have special meaning to Google. ā€¢ Always use these characters without surrounding spaces! ā€¢ ( + ) force inclusion of something common ā€¢ ( - ) exclude a search term ā€¢ ( ā€œ ) use quotes around search phrases ā€¢ ( . ) a single-character wildcard ā€¢ ( * ) any word ā€¢ ( | ) boolean ā€˜ORā€™ ā€¢ Parenthesis group queries (ā€œmaster cardā€ | mastercard)
  • 21. Googleā€™s PHP Blocker: ā€œWeā€™re Sorry..ā€ ā€¢ Google has started blocking queries, most likely as a result of worms that slam Google with ā€˜evil queries.ā€™ This is a query for Inurl:admin.php
  • 22. Google Hackerā€™s workaround ā€¢ Our original query looks like this: http://www.google.com/search?q=inurl:admin.php&hl=en&lr=&c2coff=1&start=10&sa=N ā€¢ Stripped down, the query looks like this: http://www.google.com/search?q=inurl:admin.php&start=10 ā€¢ We can modify our query (inurl:something.php is bad) by changing the case of the file extension, like so: http://www.google.com/search?q=inurl:admin.PHP&start=10 http://www.google.com/search?q=inurl:admin.pHp&start=10 http://www.google.com/search?q=inurl:admin.PhP&start=10 This works in the web interface as well.
  • 23. Pre-Assessment There are many things to consider before testing a target, many of which Google can help with. One shining example is the collection of email addresses and usernames.
  • 24. Trolling for Email Addresses ā€¢ A seemingly simple search uses the @ sign followed by the primary domain name. The ā€œ@ā€ sign doesnā€™t translate wellā€¦ But we can still use the resultsā€¦
  • 25. Automated Trolling for Email Addresses ā€¢ We could use a lynx to automate the download of the search results: lynx -dump http://www.google.com/search?q=@gmail.com > test.html ā€¢ We could then use regular expressions (like this puppy by Don Ranta) to troll through the results: [a-zA-Z0-9._-]+@(([a-zA-Z0-9_-]{2,99}.)+[a-zA-Z]{2,4})|((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1- 9][0-9]|[1-9]).(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[1-9]).(25[0-5]|2[0-4][0-9]|1[0-9][0- 9]|[1-9][0-9]|[1-9]).(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[1-9])) ā€¢ Run through grep, this regexp would effectively find email addresses (including addresses containing IP numbers)
  • 26. More Email Automation ā€¢ The ā€˜email minerā€™ PERL script by Roelof Temmingh at sensepost will effectively do the same thing, but via the Google API: This searches the first ten Google resultsā€¦ with only one hit against your API key.
  • 28. More email address locations These queries locate email addresses in more ā€œinterestingā€ locationsā€¦
  • 29. More email address locations These queries locate email addresses in more ā€œinterestingā€ locationsā€¦
  • 30. Network Mapping Google is an indispensable tool for mapping out an Internet-connected network.
  • 31. Basic Site Crawling ā€¢ the site: operator narrows a search to a particular site, domain or subdomain. site: microsoft.com One powerful query lists every Google result for a web site!
  • 32. Basic Site Crawling Most often, a site search makes the obvious stuff float to the top. As a security tester, we need to get to the less obvious stuff. www.microsoft.com is way too obviousā€¦
  • 33. Basic Site Crawling ā€¢ To get rid of the more obvious crap, do a negative search. site: microsoft.com -site:www.microsoft.com Notice that the obvious ā€œwwwā€ is missing, replaced by more interesting domains.
  • 34. Basic Site Crawling ā€¢ Repeating this process of site reduction, tracking what floats to the top leads to nasty big queries like: site:microsoft.com -site:www.microsoft.com -site:msdn.microsoft.com -site:support.microsoft.com -site:download.microsoft.com -site:office.microsoft.com ā€¦
  • 35. Basic Site Crawling ā€¢ The results of such a big query reveal more interesting resultsā€¦ Research pageā€¦ HTTPS pageā€¦ Eventually weā€™ll run into a 32 query limit, and this process tends to be tedious.
  • 36. Intermediate Site Crawling Using lynx to capture the Google results pageā€¦ ..and sed and awk to process the HTMLā€¦ ..returns the same results.
  • 37. So what? ā€¢ Well, honestly, host and domain enumeration isnā€™t new, but weā€™re doing this without sending any packets to the target weā€™re analyzing. ā€¢ This has several benefits: ā€“ Low profile. The target canā€™t see your activity. ā€“ Results are ā€œrankedā€ by Google. This means that the most public stuff floats to the top. Some more ā€œinteresting stuffā€ trolls near the bottom. ā€“ ā€œHintsā€ for follow-up recon. You arenā€™t just getting hosts and domain names, you get application information just by looking at the snippet returned from Google. One results page can be processed for many types of info.. Email addresses, names, etc.. More on this later onā€¦ ā€“ Since weā€™re getting data from several sources, we can focus on non obvious relationships. This is huge! ā€¢ Some down sides: ā€“ In some cases it may be faster and easier as a good guy to use traditional techniques and tools that connect to the target, but remember- the bad guys can still find and target you via Google!
  • 38. Advanced Site Crawling ā€¢ Google frowns on automation, unless you use tools written with their API. Know what youā€™re running unless you donā€™t care about their terms of service. ā€¢ We could easily modify our lynx retrieval command to pull more results, but in many cases, more results wonā€™t equal more unique hosts. ā€¢ So, we could also use another technique to locate hostsā€¦ plain old fashion common word queries.
  • 39. Advanced Site Crawling Searching for multiple common words like ā€œwebā€, ā€œsiteā€, ā€œemailā€, and ā€œaboutā€ along with siteā€¦ appended to a fileā€¦
  • 40. Advanced Site Crawling Sifting through the ouput from those queries, we find many more interesting hits.
  • 41. Advanced Site Crawling Roelof Temmingh from sensepost.com coded this technique into a PERL (API- based) script called dns-mine.pl to achieve much more efficient results. Weā€™ll look more at coding laterā€¦
  • 42. Too much noise, not enough signalā€¦ ā€¢ Getting lists of hosts and (sub)domains is great. It gives you more targets, but thereā€™s another angle. ā€¢ Most systems are only as secure as their weakest link. ā€¢ If a poorly-secured company has a trust relationship with your target, thatā€™s your way in. ā€¢ Question: How can we determine site relationships with Google? ā€¢One Answer: the ā€œlinkā€ operator.
  • 43. Raw Link Usage link: combined with the name of a site showsā€¦ sites that link to that site. link: has limits though. See mapquest here?
  • 44. Link has limits ā€¦combining link: with site: doesnā€™t seem to workā€¦
  • 45. Link has limits Link: gets treated like normal search text (not a search modifier) when combined with other operators.
  • 46. Link has other limits Knowing that these sites link to www.microsoft.com is great, but how relevant is this information? Do we necessarily care about Google-ranked relationships? How do we get to REAL relationships?
  • 47. Non-obvious site relationships ā€¢ Sensepost to the rescue again! =) ā€¢ BiLE (the Bi-directional Link Extractor), available from http://www.sensepost.com/garage_portal.html helps us gather together links from Google and piece together these relationships. ā€¢ Thereā€™s much more detail on this process in their whitepaper, but letā€™s cover the basicsā€¦
  • 48. Non-obvious site relationships ā€¢ A link from a site weighs more than a link to a site ā€“ Anyone can link to a site if they own web space (which is free to all) ā€¢ A link from a site with a lot of links weighs less that a link from a site with a small amount of links ā€“ This means specifically outbound links. ā€“ If a site has few outbound links, is is probably lighter. ā€“ There are obvious exceptions like link farms.
  • 49. Non-obvious site relationships ā€¢ A link to a site with a lot of links to the site weighs less that a link to a site with a small amount of links to the site. ā€“ If external sources link to a site, it must be important (or more specifically popular) ā€“ This is basically how Google weighs a site. ā€¢ The site that was given as input parameter need not end up with the highest weight ā€“ a good indication that the provided site is not the central site of the organization.ā€ ā€“ If after much research, the site you are investigating doesnā€™t weight the most, youā€™ve probably missed the targetā€™s main site.
  • 50. Who is Sensepost? Relying on Googleā€™s 6400+ results can be dauntingā€¦ and misleading.
  • 51. Non-obvious site relationships ā€¢ It seems dizzying to pull all this together, but BiLE does wonders. Letā€™s point it at sensepost.com: This is the extraction phase. BiLE is looking for links to www.sensepost.com (via Google) and writing the results to a file called ā€œoutā€ā€¦
  • 52. Non-obvious site relationships ā€¢ This is the weigh phase. BiLE takes the output from the extraction phaseā€¦ And weighs the results using the four main criteria of weighing discussed aboveā€¦ aided primarily by Google searches. This shows the strongest relationships to our target site first, which during an assessment equate to secondary targets, especially for information gathering.
  • 53. The next stepā€¦ Letā€™s say weā€™re looking at NASAā€¦. We could use ā€˜googleturdā€™ searches, like site:nasa to locate typos which may be real sitesā€¦ How can we verifiy these???
  • 54. Host verificationā€¦ ā€¢ Cleaning the names and running DNS lookups is one wayā€¦ Pay dirt! Now what??? We could further expand on these IP ranges via DNS queries as wellā€¦
  • 55. Expanding outā€¦ ā€¢ Once armed with a list of sites and domains, we could expand out the list in several ways. DNS queries are helpful, but what else can we do to get more names to try? ā€¢ From whatever source, letā€™s say we get two names from verizon, ā€˜foundationā€™ and investorā€™ā€¦
  • 56. Google Sets ā€¢ Although this is a simple example, we can throw these two words into Google Setsā€¦.
  • 57. Expanding ā€¢ Then, we can take all these words and perform DNS host lookups against each of these combinations: ..this leads to a new hit, ā€˜business.verizon.comā€™. Google sets allows you to expand on a list once you run out of options.
  • 58. Fuzzing ā€¢ Given hosts with numbers and ā€œpredictableā€ names, we could fuzz the numbers, performing DNS lookups on those namesā€¦ ā€¢ Iā€™ll let Roelof at sensepost discuss this topic, howeverā€¦ =)
  • 59. Limitless mapping possibilitiesā€¦ ā€¢ Once you get rolling with Google mapping, especially automated recursive mapping, youā€™ll be AMAZED at how deep you can dig into the layout of a target.
  • 60. Port scanning ā€¢ Although crude, there are ways to do basic ā€œportscanningā€ with Google. ā€¢ First, combine inurl searches for a port with the name of a service that commonly listens on that portā€¦ (optionally combined with the site operator)
  • 61. Inurl -intext scanning ā€¢ Antoher way to go is to use a port number with inurl, combined with a negative intext search for that port number. This search locates servers listening on port 8080.
  • 62. Third party scanners ā€¢ When all else fails, Google for servers that can do your portscan for you!
  • 63. Document Grinding and Database Digging Documents and databases contain a wealth of information. Letā€™s look at ways to foster abuse of SQL databases with Google.
  • 64. SQL Usernames ā€œAccess denied for userā€ ā€œusing passwordā€
  • 65. SQL Schemas ā€¢ Entire SQL Database dumps ā€œ# Dumping data for tableā€ Adding ā€˜usernameā€™ or ā€˜passwordā€™ to this query makes things really interesting.
  • 66. SQL injection hints "ORA-00933: SQL command not properly ended" Improper command termination can be abused quite easily by an attacker. "Unclosed quotation mark before the character string"
  • 67. SQL source ā€¢ Getting lines of SQL source can aid an attacker. intitle:"Error Occurred" "The error occurred in"
  • 68. Going after SQL passwords filetype:inc intext:mysql_connect Include files with cleartext passwordsā€¦
  • 69. More SQL Passwords ā€¢ Question: Whatā€™s the SQL syntax that can be used to set a passwords? ā€¢ (TWO WORDS) ā€¢One Answer: ā€œIdentified byā€
  • 70. More SQL Passwords ā€¢ The slightly more hardcore versionā€¦
  • 71. Various database detection queries SQL dump detection Database detection
  • 72. Automation Page Scraping in Perl API querying in Perl
  • 73. Page Scraping with Perl ā€¢ Thie Perl code, by James Foster, provides a good framework for ā€œpage scrapingā€ Google results. ā€¢ This method relies on manually querying Google, and searching the resultant HTML for the ā€œinteresting stuff.ā€ #!/usr/bin/perl -w use IO::Socket; #Section 2 $query = '/search?hl=en&q=dog'; $server = 'www.google.com'; $port = 80; We will be making socket calls. We need IO::Socket. We hardcode our query (which we can make aparameter later), our Google server and our port number.
  • 74. Page Scraping with Perl sub socketInit() { $socket = IO::Socket::INET->new( Proto => 'tcp', PeerAddr => $server, PeerPort => $port, Timeout => 10, ); unless($socket) { die("Could not connect to $server:$port"); } $socket->autoflush(1); } Next we have a very generic socket initialization subroutine.
  • 75. Page Scraping with Perl sub sendQuery($) { my ($myquery) = @_; print $socket ("GET $myquery HTTP/1.0nn"); while ($line = <$socket>) { if ($line =~ /Results.*ofsabout/) { return $line; } } } This subroutine sends the Google query (hardcoded above) and accepts one parameter, the Google query. Google returned HTML is processed, and the line containing ā€œof aboutā€ (our result line) is returned from this routine.
  • 76. Page Scraping with Perl sub getTotalHits($) { my ($ourline) = @_; $hits=""; $index = index($ourline, "of about"); $str = substr($ourline, $index, 30); @buf=split(//,$str); for ($i = 0; $i < 30; $i++) { if ($buf[$i] =~ /[0-9]/) { $hits=$hits.$buf[$i]; } } return $hits; } This subroutine takes one parameter (the results line from the Sendquery) ā€œof about is locatedā€ā€¦ ā€¦the next 30 characters are grabbedā€¦ ā€¦ all the digits are removedā€¦. ā€¦stored in $hitsā€¦ ā€¦and returned.
  • 77. Page Scraping with Perl socketInit(); $string = sendQuery($query); $totalhits = getTotalHits($string); #Printing to STDOUT the Total Hits Retrieved from Google print ($totalhits); This piece of code drives all the subroutines. The socket is initializedā€¦ ā€¦the query is sentā€¦ ā€¦the total hits are determinedā€¦ ā€¦and printed out.
  • 78. CGI Scanning /iisadmpwd/ /iisadmpwd/achg.htr /iisadmpwd/aexp.htr /iisadmpwd/aexp2.htr /iisadmpwd/aexp2b.htr intitle:index.of /iisadmpwd/ intitle:index.of /iisadmpwd/achg.htr intitle:index.of /iisadmpwd/aexp.htr intitle:index.of /iisadmpwd/aexp2.htr intitle:index.of /iisadmpwd/aexp2b.htr inurl:/iisadmpwd/ inurl:/iisadmpwd/achg.htr inurl:/iisadmpwd/aexp.htr inurl:/iisadmpwd/aexp2.htr inurl:/iisadmpwd/aexp2b.htr Another automation example might involve chopping up a CGI scannerā€™s vulnerability fileā€¦ ā€¦ converting the checks into Google queries, sending these queries to a Google scanner.
  • 79. Web Servers, Login Portals, Network Hardware Network devices can be soooo much fun to Google forā€¦
  • 80. Web File Browser ā€¢ This program allows directory walking, file uploading, and more.
  • 81. VNC Servers (with client) ā€¢ VNC (Virtual Network Computing) allows you to control a workstation remotely. The search is very basic These sites launch a VNC Java client so you can connect! Even if password protected, the client reveals the server name and port. Thanks to lester for this one!
  • 83. Axis Print Servers Print server administration, Google-style! Thanks to murfie for this one!
  • 84. Xenix, Sweex, Orite Web Cams Thanks to server1 for this one! One query, many brands of live cams!
  • 86. Toshiba Network Cameras intitle:"toshiba network camera - User Login" Found by WarriorClown!
  • 87. Speedstream DSL Routers ā€¢ Home broadband connectivityā€¦ Googled. Who do you want to disconnect today? Found by m00d!
  • 88. Belkin Routers ā€¢ Belkin routers have become a household name in connected households. The management interface shouldnā€™t show up on Googleā€¦ but it does. Thanks to darksun for this one!
  • 89.
  • 90. Printers ā€¢ Trolling printers through Google can be fun, especially when you can see and download what others are printingā€¦ Religionā€¦ And aphrodisiacs? Hrmmmā€¦ Thanks JimmyNeutron!
  • 91. Firewalls - Smoothwall Uh ohā€¦ this firewall needs updatingā€¦ Thanks Milkman!
  • 92. Firewalls - IPCop Uh ohā€¦ this one needs updating too! Thanks Jimmy Neutron!
  • 93. IDS Data: ACID ā€¢ SNORT IDS data delivered graphically, served up fresh ACID ā€by Roman Danyliw" filetype:php
  • 94. Open Cisco Devices Thanks Jimmy Neutron!
  • 96. Wide Open PHP Nuke Sites ā€¢ PHP Nuke allows for the creation of a full-featured web site with little effort. Too lazy to install PHP Nuke? Own someone elseā€™s site instead! Thanks to arrested for this beauty!
  • 97. Open PHP Nukeā€¦ another wayā€¦ Click here, create superuser!
  • 98. Security Cameras ā€¢ Although many cameras are multi-purpose, certain brands tend to be used more for security work. Thanks stonersavant!
  • 99. Security Cameras Not sure what ā€œWoodieā€ is, but Iā€™m not clicking itā€¦. Thanks murfie!
  • 100. Time-lapse video recorders ā€¢ A staple of any decent security system, these camera control units have gotten high-tech.. And Googlableā€¦ The search is no big dealā€¦ Then thereā€™s the pesky login boxā€¦
  • 101. Time lapse video recorders ā€¦multiple live security camera viewsā€¦ ā€¦and historical records of recorded video feeds Even doofus hackers know how to use default passwords to getā€¦ Thanks to stonersavant for this beauty!
  • 102. UPS Monitors Getting personal with Power System monitorsā€¦ Thanks yeseins!
  • 103. UPS Monitors Oh wait.. Wrong kind of UPSā€¦this is package tracking hackingā€¦ =P Thanks Digital Spirit!
  • 104. Hacking POWER Systems! ā€¢ Ainā€™t technology grand? This product allows web management of power outlets! Google search locates login page. What does any decent hacker do to a login page?
  • 105. Hacking Power Systems! Thanks to JimmyNeutron for this beauty! Who do you want to power off today?
  • 106. Google Phreaking ā€¢ Questionā€¦ Which is easier to hack with a web browser? QuickTimeā„¢ and a TIFF (Uncompressed) decompressor are needed to see this picture. QuickTimeā„¢ and a TIFF (Uncompressed) decompressor are needed to see this picture. B: Vintage 1970ā€™s Rotary Phone A: Sipura SPA 2000 IP Telephone
  • 107. Sipura SPA IP Telephone How about Googling for the last number your friend dialed? Or the last number that dialed them? Thanks stonersavant!!!
  • 108. Videoconferencing Who do you want to disconnect today? Thanks yeseins!!!
  • 109. PBX Systems ā€¢ Web-based management interfaces open the door for a creative Google Hacker. See the ā€œlogoutā€? Weā€™re already logged in! We donā€™t need no steenkin password!
  • 110. PBX Systems No password required. Even a novice web surfer can become a ā€œPBX hackerā€. =) Thanks to stonersavant for this great find!
  • 111. Usernames, Passwords and Secret Stuff, oh my! Thereā€™s all sorts of stuff out there that people probably didnā€™t mean to make public. Letā€™s take a look at some examplesā€¦
  • 113. MSN Contact Lists MSN contact lists allow an attacker to get ā€˜personalā€™ Thanks to harry-aac!
  • 114. Old School! Fingerā€¦ Thanks to Jimmy Neutron! Google Hacking circa 1980!!?!?
  • 115. Norton AntiVirus Corporate Passwords Encrypted, but yummy (and crackable)! Thanks MILKMAN!
  • 116. Open SQL servers Already logged in, no hacking required! Thanks Quadster!
  • 117. ServU FTP Passwords ServU FTP Daemon passwords, super encrypto! =P Thanks to vs1400 for this one!
  • 118. Netscape History Files Oops.. POP email passwords! Thanks to digital.revolution for this one!
  • 119. IPSec Final Encryption Keys I only skimmed ā€˜Applied Cryptographyā€™.. But this looks badā€¦ Thanks MILKMAN!
  • 121. More Explorers?!?! Why hack when you canā€¦ click? =) Thanks MacUK!
  • 123. Sensitive Government Documents ā€¢ Question: Are sensitive, non-public Government documents on the web? ā€¢ Answer: Yes. Once these documents hit the Net, the media has a feeding frenzy, and people start copying and posting the docsā€¦
  • 124. FOUO Documents Although unclassified, this document was obviously not meant to be posted online.
  • 125. FOUO Documents FOUO ā€œPrevention Guidesā€, like this 19 page beauty, can give bad guys horrible ideas.
  • 126. Locked out! ā€¢ Some sites lock down sensitive data.. ā€¢ However, the Google cache image still remains.
  • 127. Credit card info on the web? ā€¢ How can this happen? Letā€™s take a tour of some of the possibilitiesā€¦
  • 128. Court Documents ā€¢ Court cases sometimes give TONS of detail about cases, especially fraud.
  • 130. Court Documents ā€¢ How much detail is too much detail? =)
  • 131. Court Documents ā€¢ Of course, fraud accounts are closed pretty quickly, no?
  • 132. A tale of a corn snake ā€¢ Is this for real? Either way itā€™s pretty sad...
  • 133. Getting shell.. the easy way ā€¢ Now Iā€™ve heard the term ā€˜using your credit card onlineā€™ but this is ridiculous!
  • 134. Some people just donā€™t get itā€¦.
  • 135. Getting serialzā€¦ wha-hay!! and MORE! ā€¢ This is a very generous person. Heā€™s willing to give his software serial numbers and his credit card info to the whole world. Generosity like this could change the world.
  • 136. Police Crime reports ā€¢ Two questions: ā€¢ Are police reports public record? ā€¢ YES. ā€¢ Are they on the web? ā€¢ YES. ā€¢ Many states have begun placing campus police crime reports on the web. Students have a right to know what crimes take place on campus.
  • 137. Crime shouldnā€™t payā€¦ ā€¢ Iā€™m thinking there should be a process for filtering these reports. ā€¢ A few might fall through the cracksā€¦.
  • 138. Expense Reports ā€¢ Itā€™s not uncommon for expense reports to be generated. This one is for a county.
  • 139. Expense Reports ā€¢ Bank account numbersā€¦.
  • 140. Expense Reports ā€¢ Bank loan informationā€¦ $20,000 + transactions
  • 142. Expense Reportsā€¦ ā€¢ Somebody has to pay for all this stuffā€¦.
  • 143. Expense Reports ā€¢ Thatā€™s one heck of a video seriesā€¦. $300+
  • 144. Credit cardsā€¦ Google hackerā€™s goldā€¦ ā€¢ The legend of finding credit cards online is trueā€¦ ā€¢ I just get bored sifting through them allā€¦.
  • 147. More Credit Cards onlineā€¦
  • 148. More Credit Cards Online
  • 149. More Credit Cards Online
  • 150. More Credit Cards Online
  • 151. Pick a card any cardā€¦ ā€¦pick a card. We take ā€˜em all!
  • 152. Credit Validation Question: What keeps someone from using a pilfered credit card number and expiration date to make an online purchase? ā€¢ Answer: That little code on the back of the card. ā€¢ Bonus question: Whatā€™s that code called? ā€¢ Answer: A ā€œCVVā€ code.
  • 153. Credit Card Numbers, Expiration Date and CVV numbers, oh my!
  • 154. Thatā€™s not allā€¦. ā€¢ Credit cards are sooo 1990ā€™s =)
  • 155. Getting more personal ā€¢ Question: Whatā€™s the one 9 digit number you shouldnā€™t give to ANYONE? ā€¢ Answer: SSN ā€¢ Bonus question: What can you do with someoneā€™s SSN? ā€¢ Answer: Steal their identity. ā€¢ How do SSNā€™s get on the web? Letā€™s take a look at some possibilities.
  • 156. SSNā€™s in source code ā€¢ Well, they could be hardcoded into a healthcare systemā€¦ and uhmmmā€¦ put on the webā€¦
  • 157. Crime shouldnā€™t payā€¦ ā€¢ Remember the police reports? Since the credit card accounts in them are no good, maybe we should troll them some moreā€¦.
  • 159. SSNā€™s ā€¢ Students have a right to knowā€¦
  • 160. Social Security Numbers ā€¢ Many privacy violations are self-inflictedā€¦ ā€œ ā€
  • 161. Social Security Numbers ā€¢ Schools are notoriousā€¦ Grades posted w/ studentā€™s SSNā€™s ā€œ ā€
  • 162. Social Security Numbers ā€¢ Once you get a lock on a grade list, the results fan out as you explore the site. ā€œ ā€
  • 163. Social Security Numbers Thereā€™s no shortage of examplesā€¦
  • 164. Social Security Numbers ā€¢ In order to steal someoneā€™s identity, you need names. SSNā€™s with names are usually blockedā€¦ arenā€™t they?
  • 165. Social Security Numbers ā€œ ā€ Googleā€™s cache says otherwiseā€¦
  • 166. A tale of one city ā€¢ A city document outlining residents who are in debt to the cityā€¦ A little report of names, addresses, amount owed and SSN numbersā€¦
  • 167. A tale of one city ā€¢ Or perhaps more than a little reportā€¦ ā€œ ā€
  • 168. A tale of one city ā€¢ Hundreds of city residentsā€™ personal information posted to the webā€¦ 90% including SSN and address. ā€œ ā€
  • 169. What weā€™ve doneā€¦ ā€¢ Weā€™ve skimmed ā€œGoogle Hacking for Penetration Testersā€ by Syngress Publishing, which doesnā€™t seem to suck. ā€¢ Weā€™ve looked at some great tools by Roelof Temmingh. Check out Sensepost.com. ā€¢ Weā€™ve invaded the privacy of millions. ā€¢ Weā€™re all still awake. Right?
  • 170. Thanks! ā€¢ Thanks to God for the gift of life. ā€¢ Thanks to my family for the gift of love. ā€¢ Thanks to my friends for filling in the blanks. ā€¢ Thanks to the moderators of ihackstuff.com: Murfie, Jimmy Neutron, ThePsyko, Wasabi, l0om, Stonersavant ā€¢ Thanks to Roelof T for the great code, and to the current Google Masters: murfie, jimmyneutron, klouw, l0om, stonersavant, MILKMAN, ThePsyko, cybercide, yeseins, wolveso, Deadlink, crash_monkey, zoro25, digital.revolution, Renegade334, wasabi, urban, sfd, mlynch, Peefy, Vipsta, noAcces, brasileiro, john, Z!nCh