Google Dorks For Penetration Testing

Key Takeaways

hey guys hackersploit here back again with another video welcome to google hacking for pen testing um so in this video i'm gonna be showing you how to use google hacking or google docs for pen testing so i'll be showing you the various search operators and queries that you can use to find vulnerabilities and stuff like that so let's get started with understanding firstly what google hacking is or what google talking is so google hacking is a passive information gathering or footprinting technique that is used to discover vulnerabilities uh data exposure and security misconfigurations in websites now these mistakes or misconfigurations are usually made by web developers or system administrators and we'll actually take a look at that in in a short while after we've actually we actually understand what we're doing here so uh it involves using specialized search queries uh or search query operators to fine-tune results based on what you're looking for so again you can use these uh these search query operators to to fine-tune what you're looking for so you may be looking for a particular site or you may be looking for a particular file uh you know that is on a on a particular top level domain or a url stuff like that so here are some of the common google query operators that you can use when performing google hacking this is not a complete list i will have a write up where i'll actually have all of them on my on our blog at hsploit.com so uh some of the basic and the most common ones that are used are going to be site for example the site will narrow your results to a site or a specific top level domain so for example uh the the search query would be site and then you'd specify the site or the top level domain which is going to be in now in this case hspoi.com you then have in title which will restrict the results to the titles of web pages so for example if i wanted to look for all web pages that had the title hack exploit i would say in title hack exploit uh so the next one is in url all right so in url will restrict results to the url of a website so for example uh if i'm looking for a if i'm looking for a web page uh that belongs to particular domain or a top level domain so for example if i was looking for the about page from the website hsployed.com i out specify the in url search query operator now that's the other important thing to take into consideration here is that some of these operators cannot be combined with with others to give you a much better you know results or to fine-tune your results even more and we'll actually talk about that when we'll be taking a look at this in a practical sense the next one is very important and that is your file type so this will search for specific file types based on the extensions you specify so let's say i'm looking for a pdf file i can use the file type operator to specify that i'm only looking for pdf files if i'm looking for an iso file i would specify the extension or i would specify that particular suffix the next one is going to be link again very very important so this will search for pages linking to a spec a specified url or top level domain so for example this will display web pages that are all linked to this particular domain or website which is going to be hsplite.com that's very useful to find uh to find relationships between domains and whether they may they may have shared information before you then have your cache which searches for a cached copy of a web page when it was indexed by google so it will display the the the most recent uh the most recent cached version of the website when it was indexed by google this can be useful if you're looking for a older version of a web page however this is not the preferred method of doing so so let's take a look at the actual query operator structure right now i have a simple example here with hsploy.com and i'm going to be using the site in url and file type just to explain the example so for example the site would be hsploit.com and of course i have the protocol and it can also include the port that's very important the in url is the particular page that belongs to the site in this case it's it could be the upload url or the uploads page and then of course we have the file type which is uh going to be you you could be looking for a particular you know file with an extension in this case it's going to be just a normal it's just going to be called file.pdf so this is a simple example of how this is going to be structured and how it the they are different and what results they will bring out you know depending on what you specify so the site is the actual site or the top level domain the in url is going to be the url of a particular web page or a site in this case we're just using a simple example of the uploads page and then file.pdf is an example of how you can specify a file type and of course you can specify the name if you want to as well we'll be taking a look at all of that shortly we then have the google hacking database now this is very popular with pen testers because it is essentially a database or a collection of google search queries specifically crafted to find variabilities misconfigurations and data exposure and of course you you can use these with a various search engines this is currently being maintained by exploit db so you can check out this link we'll also be taking a look at it uh once we've actually gone through uh the various operators that i wanted to show you so this video is going to be focused on using google hacking or google docs for pen testing and how to find you know vulnerabilities data exposure stuff like that so without any further ado let's actually get started with a google hacking so i'll see you in the next step all right guys i'm back and let's get started so uh the first thing i want to actually take you through is the basics in case you're not familiar with them so let me just zoom in and we can get started so as i said uh the first thing we want to get started off with is taking a look at things like the site search query site uh the in url in title link etc so let's get started with the site so let's say i want to just well look at that look at the search results there so funny cat videos no that's not what you're looking for so if you want to restrict my searches to hsploit.com and i'm going to be using my website you know for obvious reasons um so you can see it essentially gives me all results based on that particular url or top level domain so i get tons of pages here that have been indexed by google and actually some of these pages don't even exist like for example groups uh you can see that if i click on groups here it should take me to the website and tell me yeah there we are page not found um so that's a very very simple uh search query uh query operator here so that will essentially limit your search your search results to a particular domain that's very useful when you're performing research on a company because you can actually go through the various pages whether they exist or not you can you can sort of explore that or play around with that let's say i wanted to get a particular web page or a specific specific url or in url from from this domain i would say in url and you can see i can actually combine these search operators so let's say i'm looking for the contact page on hsploy.com i would say contact and i hit enter and it it actually gives me the contact page so i can click open i can open that up and there you are so you can see that you can you really use uh this to advantage when looking for particular pages if you're looking for you know important pages for a company that you're performing a pen test on like their their hr pages uh the admin pages etc so for example if i say in url wordpress admin uh that hasn't been indexed that's because um the robots.txt file that i have actually disallows these pages from being indexed and that's something you guys should keep in mind as well when working or developing websites so again i can change this to something like forum for example and that should be allowed um for some reason google is telling me i can't actually i'm submitting too many results in one go but there we are so you can see that's the only page that has been indexed all right so that's how you can use it that way now i can also use uh the in title now the in title is great because um it'll allow me to to you know to look for particular pages that have a particular title and i can limit it again to a particular domain so i can say site let's try bbc.com and i say in uh in title and i can then say china for example right and that'll just display all the various pages that have the title china with it so that again can be used to to sift through results and display only what you're looking for so i can say for example uh chelsea right i can switch it chelsea and it gives me all the results there so you you get the idea the reason i'm covering this with basic examples first is just to give you a feel for how things work if you if you're not sure how it works already the next thing is of course link now the link operator as i mentioned will essentially display all pages that have a link to a particular domain or a website so for example i can say link hsploit.com and you'll see the difference in a second so not only does this display hsp.com the top level domain it also displays any other websites that have the link hsploy.com so you can see my youtube channel facebook page some some statistic website my linkedin page another statistic website github hackersplay.org cybury for some reason let's check the third page so you get the idea it essentially displays all the web pages that have a link to hsplay.com that again is very useful as i pointed out and finally we have the cache right so if i display the cache for ppc.com that'll display the last or the latest cache of this page so there we are so you can see this is google get this google's cache of bbc.com it's a snapshot of the pages it appeared on january 23rd 2020 and gives you the time uh you can view the text only version etc so again this is not really useful you can use the wayback machine or archive.org if you're looking for older web pages so for example if i say archive.org and i just click on that and let me just show you this right now so that i can actually cover it in one go this is a fairly simple so i can say you know pbc.com and i'll hit enter and we'll look for an old version of bbc.com from somewhere maybe in 2000 let's see how that website looks so if i click on the web page from the year 2000 we'll get the one in 7 50 a.m let's see how that looked uh how how that looked rather uh so there we are we can see uh let's see if it actually loads up that's quite an old website there we are so that was pretty i think pretty much one of the first versions of bbc.com and that that can be helpful if you're performing a pen test on a site they could be uh important information from that site so these are the basics now let's talk about some really really cool stuff that you can do and of course i'm gonna i'm gonna talk about the um the google the google hacking database in a second so let's just go back to google and let's talk about first of all um let's see what should we talk about first uh let's talk about directory listing right so if i want to look for websites that have a directory listing enabled i can say for example all i need to do is say in title and then i would use an operator here i sorry i'll pass on the strings that i want and i can say i can use the typical apache directory listing text so that would be index off and then i'll hit enter and that will give me essentially all websites with the indus the indexes publicly available so for example uh if we say index of dot co dot uk i'm not really sure what that is but it looks like sort of like a website here hacking webs i'm not really sure we have a various indexes here that are displaying what looks to be movie series uh weird stuff like that so yeah this this is quite illegal but uh this is you know simply a video where i demonstrate how you can use this and how powerful search engines are i've already covered how to use a search engine like showdown which is more aligned with pen testers but google can work uh out just fine as well so uh you can see that this will essentially just list an index uh it really doesn't list an index of particular files but i can i can actually um specify or provide a bit more of a context for this so for example if i wanted to display the index of the etsy directory i would say let me just go back and say index of etsy and i would hit enter and that will display the etsy directory if it is available to be browsed um so you this can be very helpful especially when you're looking for data so let's try and open up a random website by the way as i said this i'm going to be blurring out anything important so you can see this lists the contents of the sc directory here if we just check out a website that could be listing anything important let's see fort dot md whether that's listing anything important um yeah so that lists uh some some directories uh so there we have the password file and we can actually save it so you can see how dangerous this can become and i do actually pass caution uh this video is only for educational purposes so do keep that in mind you can also say password um and let's see whether we can actually get a password it'll be that'll be that'll be quite cool uh but of course not cool and look at this looks like we actually have uh access to i don't know why it's telling me that's in the password directory but uh we have an admin dot pl etsy shadow if we click on that that just takes us back we let's check out if we try and browse to the top level directory that takes us to a website looks like a russian domain uh but you you get the idea so you can pretty much scour through you know directory listings that you know of websites that have that actually have them uh enabled so these are common mis configurations that you'll find uh most web developers actually made quite a while ago but you can see the information that you can get is uh is very very useful and important let me just get rid of this capture here i'm using a vpn that's primarily why i think it's google is restricting my searches let's try it one more before we can start experimenting with the other queries so we have a mail directory here autoresponders can we go to the top level directory i know that just takes us back to the domain it looks like a japanese website all right so that is how you can you can essentially work with directory listing um now let's talk about let's talk about sql databases and you know the configuration files the php configuration files that will actually store the credentials to these to these databases so again to do this we say in title um and we're looking for uh we're looking for the we're looking for directory listing but we're looking for a configuration file so we say index uh sorry i want to get correct syntax on that so index off and then we say we can say config.php and hit enter and they'll list us give us all of these configuration files uh sorry let me just close that tab open that up in a new window but so let's see if we can find anything useful index of uh let's see config we can actually say yeah we can say config and then we can actually start off with file type sorry let's say this is php hit enter and let's see if we can actually get this and say config hit enter can we get anything useful here so nothing really useful here let's just go back to my previous search query so we just stick with config.php looks like we haven't been able to find anything useful yet uh let's try and check out this website here uh so there we are looks like we have the php folder php any file and this looks like the configuration uh for this particular website uh so nothing important there but if we try and switch this to maybe wordpress so we say wordpressconfig.php hit enter and yeah that gives us some at least one wordpress config file so yeah there we are so we can actually access the entire directory uh of the wordpress installation um so if we say it looks like we have quite a few wordpress configuration files do can we actually access them no that takes us directly up there can we go to a top level directory no we can't looks like we don't have sufficient permissions to actually access these files so that's a good thing at least to some to some extent so let's try this let's try another website before we test out some of the other queries so you can see that you can really get some very very juicy information or some very important information so there we are wordpressconfig.php um that looks like it is a misconfigured wordpress installation let's check out this last site before we actually move on it's been a long time since i've actually tried this out so uh there we are so wordpressconfig.php i think we can actually get it with wget but again that's beyond the scope of this video and i want to actually keep this video as legal as possible you know given the fact that youtube have been um have been really tightening up on their restrictions speaking of databases let's try and access some microsoft databases here um so we can say can we use entitle all in we can use the all in url search query which will essentially display or search you can actually see we have quite a few uh suggestions here that will actually give us the file that we're looking for but we're looking for the microsoft admin so we can say admin and we say file type is going to be microsoft database file so we're usually looking for the admin.mdb we hit enter and that gives us some microsoft admin file so let's see if we can access some here it'll probably prompt us to save the file so there we are we can actually download it so it's a microsoft access database or mdb file i usually find some very good information being stored in here let's see uh they're not really used anymore uh but you can actually see we have some sort of a login form here that's not really looking for let's talk about let's see what else we can access here i don't want to keep this video too long so let's try and access some other files what if we want to access a terminal web server or terminal service rather that we can let's see if we can actually do that so uh say in url ts web um so this will actually let's see if we can actually find one that we can access or one that's potentially open so we have one from get coin i'm not really sure what that is uh so this is essentially a terminal uh terminal web server where we can actually interact with a terminal uh that that doesn't look right um that's weird uh last time i tried this out quite a while ago it looked like we actually had a few sessions so there we are so we can actually if you do have credentials or you do actually find one of these panels exposed it can be really really helpful you can actually get a few sessions i remember trying it out back in the day uh quite a while ago you could actually get like anonymous access onto one of the windows servers where you can actually just log in and you have access to a machine like without any authentication at all so there we are looks do we have anything here now but in any case that was an old technique that i used to use quite a bit um so i've talked about that directory listing how about the the auth user files that was also quite uh quite cool back in the day so all in url url and then we can also say so you can see that we have various other ones that you can try out so i'll actually show you that with uh with the google hacking database so we can say auth say auth user file.txt that's the one and then this will display some you know usernames and passwords let's just add the colon there that's why i'm not getting the results so there we are looks like we have some or some off user user and passwords here let's see let's try and open this up so there we are we see we have the username passwords and the email to a particular user and you can actually use that domain to see if you can actually try and log in so these are pretty much old websites that have been you know configured incorrectly uh but nonetheless this can be quite helpful um so we have a postfix admin page here some of the websites don't even work so there you are so some some of them really don't work out um so yeah we've talked about that uh the other one i wanted to show you is uh yeah the storing of parcels so as you know many people like storing passwords or enterprises like storing passwords in spreadsheet files or xls files so we can actually you know use uh use the we can use a special google search query here so we can say log in and we say login um then we can say of course the password is going to be equal to uh let's say it's going to be equal to and then we specify the wildcard here and the file type is going to uh we'll say xls and we hit enter and uh we're still getting some of these capture requests here uh there we are so it looks like we have some passwords stored in xls files so i should actually display this should i do that where is this being stored by the way this is on hubspot.net we have another cycle passwords let's try this let's see what this is all about 2016 cycle passwords uh should i do this all right i'll probably blur the parcels but let's see if we can actually get some legitimate passwords here so i'll open that up uh yeah we get passwords uh that should be blood uh in case anyone is wondering um let's see let's see uh user request u.s bank all right you know what i'm going to stay away from that uh we're going to get myself into a lot of trouble here let's see mma passwords yeah so you you get the idea uh these are usually small companies and uh universities that usually are schools that usually store their websites like this um so i've pretty much covered quite a bit here uh if i covered file types quite a w uh if i cover them quite well so again file type is uh fairly simple um so for example i say site kali.org and then you can say file type iso and they'll display that's weird that's really weird is it kellylinux.org um let's say in title uh in in title file type iso does that display anything here nothing we can say in title kelly file type iso that doesn't give us any files that's weird if we change it to file or we can actually just try iso here instead of using that say iso yeah and that takes us to the download page that looks for the iso f uh the iso keyword there but there you go so that's those are some of the some of my my my most useful uh google hacking uh strings or the various uh keywords and operators that you can use if we take a look at the google hacking database you can see we have like tons of them that you can use to find vulnerabilities on particular websites so if i search for wordpress for wordpress for example you can see that this will display the wordpress backup files um it looks like we have again the password xls login and password files in text let's see let's actually try that that should give us some wordpress uh passwords um let's copy that and let's try that out right now there we are so it looks like we have some passwords at least here so we're not going to get into that because it's uh it's going to be quite illegal but again you get the idea so the google lacking database will pretty much give you what you're looking for so if you're looking for you know vulnerabilities with apache i can search for apache here you can go ahead and take a look at all of the various keywords that you can use to find uh vulnerabilities with apache or you know look for indexes so if you're looking for an index of a particular version of apache like for example apache 2.4.7 with ubuntu you can also change that to centos so for example we say ubuntu here or i can actually change that right now that's within one let's try that let's see if we can actually change that centos yeah there we are so it actually displays versions that are running centos uh let's try this one these are essentially just trackers i believe but you you get the idea so that's all i wanted to actually demonstrate in this video i know this video has been going for quite a while now but do let me know what you think i would love to hear what you guys have actually found if you have actually been experimenting with various strings to find a various search results and misconfigurations that's going to be it for this video and i'll be seeing you guys in the next video [Laughter] peace [Music] you