Google Enumeration / Hacks
Written by painted   
Monday, 16 July 2007

Google Searching Basics

Google, a popular search engine, is probably the best search resource on the World Wide Web. The Google search engine, found at www.google.com, offers many different features, including language and document translation and web, image, newsgroup, catalog and news searches. The techniques that build on these features have collectively been termed “Google hacking.”

Google is a fully automated search engine that uses software known as "spiders" to crawl the web on a regular basis and find sites to add to its index.

 

Google Web Interface

To start a simple search, type a few descriptive words into the search box and click the Search button to receive a list of relevant results. In this example we are searching for the Hacking Defined website.

 

[Figure: Google_basic_search.PNG]


As the results list shows, Google found about 1,590,000 results for the keywords "Hacking Defined" in 0.03 seconds. Take a look at the first record: it is the main page of the Hacking Defined web site.

 

Building Google Queries

Building a query is a very important starting point. Keep in mind that there is no such thing as an incorrect search. The keywords you provide are the solid base for your search results. In the following sections you'll learn how to choose the most accurate keywords for the best search results and how to use basic and advanced Google operators.

 

Operator         Meaning                                                          Example
(" ") quotes     Group the enclosed words into one exact phrase                   "hackingdefined"
plus ( + )       Force inclusion of the keyword that follows                      hacking +defined
minus ( - )      Exclude the keyword that follows from the results                hacking -defined
Synonym ( ~ )    Also match related words (guides, FAQ, tips, support,            ~hacking
                 tutorials, help and others)

 

Advanced Operators

Google advanced operators are reserved words that have a special meaning to Google's engine. They are typically used to modify search results in one way or another, or even to tell Google to perform a completely different type of search.

Introduction To Google Advanced Operator

 

Operator       Description                                                              Example
cache:         Shows the version of the web page that Google holds in its cache         cache:hackingdefined.com security
link:          Lists websites that have links pointing to Hacking Defined               link:hackingdefined.com
define:        Provides a definition of the word you enter                              define:hacking
site:          Restricts the results to the given website                               wep site:hackingdefined.com
allintitle:    Restricts the results to pages with all the query words in their title   allintitle:hacking defined
allinurl:      Restricts the results to pages with all the query words in the URL       allinurl:hacking defined

 

Boolean Search

The Boolean operators are named after George Boole, one of the greatest mathematicians the world has ever known, who invented Boolean algebra in the early 18th century. Quote: "The original Working Class Boy Made Good, Boole was born in the wrong time, in the wrong place, and definitely in the wrong class - he didn't have a hope of growing up to be a mathematical genius, but he did it anyway."

Boolean logic consists of three logical operators:

 

[Figure: Boolean_OR.png]
[Figure: Boolean_AND.png]
[Figure: Boolean_NOT.png]
  • OR - Using the OR operator states a preference that either or both of your search terms appear in your results.
  • AND - To specify a keyword that must appear in the result list, use the AND operator.
  • NOT - The NOT (or AND NOT) operator forbids the word after it from appearing in the items your search returns.

 

Operator   Full Boolean      Implied Boolean   Template Terminology
OR         Hack OR Crack     Hack | Crack      any of these words; can contain the words; should contain the words
AND        Hack AND RSS      +Hack +RSS        all of these words; must contain the words
NOT        Hack NOT Crack    Hack -Crack       must not contain the words; should not contain the words

Locate a String Within a Page

[Figure: Google_allintext.PNG]

 

Search Text Within a URL

[Figure: Google_allinurl.PNG]

 

Search For a Specific TXT File

[Figure: Google_filetype.PNG]

 

Narrow Search Results

In the following figure we are searching for an occurrence of passwd and passwd.bak within pages whose title includes the string "Index of".

 

[Figure: Google_build_query.PNG]

 

KickStart Default Configuration File

Take a close look at the rootpw.

[Figure: Google_kickstart.PNG]

 

This example shows the power of Google advanced search. There are many boxes out in the wild that are exposed to simple Google queries.

  • Try to add additional operators to this query, you might find some interesting results.

 

Google Hacking Basics

Password Hacking Techniques

[Figure: Google_yourpass.png]

 

Finding Server/User Confidential Credentials

[Figure: Google_filetype.PNG]

 

Web Servers

[Figure: Google_RDP.PNG]

 

Directory Listings

Directory listings are a great information source, because they can reveal server information. In the next example we will see that the returned record provides a link to a server banner, "Apache/1.3.27 Server at ist.uwaterloo.ca Port 80".


C:\>ping ist.uwaterloo.ca
Pinging ist.uwaterloo.ca [129.97.108.150] with 32 bytes of data:
Ping statistics for 129.97.108.150:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Control-C
^C
C:\>

 

[Figure: Google_indexOf.png]

 

PRACTICE: Perform a search that lists web servers still serving their default installation page.

HINT: Default pages have constant strings in the title. Examples:

  • Apache: "it worked"
  • XP: "Welcome to Windows XP Server Internet Services"
  • 2000: "Welcome to Windows 2000 Internet Services"
  • IIS 4.0: "Welcome.to.IIS.4.0"

 

Traversal Techniques

Directory Listings
Click the first directory link; it takes you to the directory above the current one. If that directory also shows a directory listing, you can simply follow links from that page to explore other directories. If the parent directory does not display a listing, you may have to fall back on a more difficult method: guessing directory names and appending them to the parent directory's URL. Alternatively, consider combining the site: and inurl: operators in a Google search.

 

Exploits and Targets

Introduction

An exploit is code designed to penetrate a target system by taking advantage of a specific hole. Simple exploits can easily be found out in the wild, mostly for old vulnerabilities that have been published in the hacking communities. With so much code out in the wild and many websites hosting hacking tools, Google becomes a great tool for security researchers and hackers alike.

 

Locating Vulnerable Targets

Example Exploit : VP-ASP Shopping cart solution

For our next example we picked a tool named VP-ASP (Virtual Programming - ASP). It can be used to build any type of Internet shop and has everything a user needs to set up an online store easily. VP-ASP won awards in both the US and France and is now in use in more than 70 countries. It has been reported that the Shopping Cart Administration script is vulnerable to XSS and SQL injection, resulting in exposure of confidential customer information such as credit card details.

First, we need to search Google for information about VP-ASP. We will use the GHDB (Google Hacking Database) to find more information about the exploit and how it is used.

  • Google: VP-ASP site:johnny.ihackstuff.com/
  • Google: inurl:"shopadmin.asp" "Shop Administrators only"

 

[Figure: Vp_ASP-google.PNG]

 

[Figure: 800px-VP-ASP_1.PNG]

inurl:"shopadmin.asp" "Shop Administrators only"


More information on this attack is available at: Security Tracker, VP-ASP Exploits



Automation Google Security API

What Is Google API

The Google Application Programming Interface is a set of libraries that enables software programmers to write programs that query more than 8 billion web pages using the SOAP (Simple Object Access Protocol) and WSDL (Web Services Description Language) standards. The Google development kit is limited to 1000 queries per day and can be used from a wide variety of programming environments.

  1. Download Google API
  2. Register a new Google API developer account.

 

 

Google Attack Libraries (Google Pen Testers)

Google attack libraries (Google Pen Testers) are code written to aid in the development of, and education about, applications and tools that query the Google database, retrieve results and scrape through those results.

 

Google DNS sub domain miner

The script, called dns-mine.pl, is listed below:

#!/usr/bin/perl
#
# Google DNS name / sub domain miner
# SensePost Research 2003
#
# Assumes the GoogleSearch.wsdl file is in same directory
#

#Section 1
use SOAP::Lite;
if ($#ARGV<0){die "perl dns-mine.pl domainname\ne.g. perl dns-mine.pl cnn.com\n";}
my $company = $ARGV[0];

####### You want to edit these four lines: ##############
$key = "----YOUR GOOGLE API KEY HERE----";
@randomwords=("site","web","document","internet","link","about",$company);
my $service = SOAP::Lite->service('file:./GoogleSearch.wsdl');
my $numloops=3; #number of pages - max 100
#########################################################

#Section 2
## Loop through all the words to overcome Google's 1000 hit limit
foreach $randomword (@randomwords){
    print "\nAdding word [$randomword]\n";

    #method 1: the word plus the domain name, minus the main www host
    my $query = "$randomword $company -www.$company";
    push @allsites,DoGoogle($key,$query,$company);

    #method 2: the same terms restricted with the site: operator
    $query = "-www.$company $randomword site:$company";
    push @allsites,DoGoogle($key,$query,$company);
}

#Section 3
## Remove duplicates
@allsites=dedupe(@allsites);
print STDOUT "\n---------------\nDNS names:\n---------------\n";
foreach $site (@allsites){
    print STDOUT "$site\n";
}

#Section 4
## Check for subdomains: a.b.cnn.com yields the intermediate zone b.cnn.com
foreach $site (@allsites){
    my $splitter=".".$company;
    next unless $site =~ /\Q$splitter\E$/;   # skip the bare domain itself
    my ($frontpart,$backpart)=split(/\Q$splitter\E/,$site);
    if (defined $frontpart && $frontpart =~ /\./){
        @subs=split(/\./,$frontpart);
        my $temp="";
        for (my $i=1; $i<=$#subs; $i++){
            $temp=$temp.($subs[$i].".");
        }
        push @allsubs,$temp.$company;
    }
}
print STDOUT "\n---------------\nSub domains:\n---------------\n";
@allsubs=dedupe(@allsubs);
foreach $sub (@allsubs){
    print STDOUT "$sub\n";
}

#Section 5
############------subs-------##########
sub dedupe{
    my (@keywords) = @_;
    my %hash = ();
    foreach (@keywords) {
        $_ =~ tr/A-Z/a-z/;
        chomp;
        if (length($_)>1){$hash{$_} = $_;}
    }
    return keys %hash;
}

#Section 6
## Pull the host name out of a result URL; keep it only if it contains the company domain
sub parseURL{
    my ($site,$company)=@_;
    if (length($site)>0){
        if ($site =~ /:\/\/([\w.-]+)(?:[:\/]|$)/){
            my $mined=$1;
            if ($mined =~/\Q$company\E/){
                return $mined;
            }
        }
    }
    return "";
}

#Section 7
## Run one query through the SOAP API, 10 results per page, up to $numloops pages
sub DoGoogle{
    my ($GoogleKey,$GoogleQuery,$company)=@_;
    my @GoogleDomains=();
    for ($j=0; $j<$numloops; $j++){
        print STDERR "$j ";
        my $results = $service->doGoogleSearch($GoogleKey,$GoogleQuery,(10*$j),10,"true","","true","","latin1","latin1");
        my $re=(@{$results->{resultElements}});
        foreach my $result(@{$results->{resultElements}}){
            my $site=$result->{URL};
            my $dnsname=parseURL($site,$company);
            if (length($dnsname)>0){
                push @GoogleDomains,$dnsname;
            }
        }
        if ($re !=10){last;}   # fewer than 10 results means this was the last page
    }
    return @GoogleDomains;
}
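The host-name mining in Sections 4, 6 and 7 above, re-done in Python as an added example (this is not SensePost's code). It goes beyond the Perl in three ways a defender inventorying their own domain will care about: it uses a strict suffix test instead of the Perl's "contains the company name" regex (which would accept fakeexample.com and example.com.evil-host.net), it accepts hyphenated hosts and URLs without a trailing slash (which the Perl's [\.\w]+[\:\/] pattern rejects), and it works offline on a constructed list of URLs.

```python
from urllib.parse import urlsplit

# Constructed sample input: URLs of the kind an "example.com -www.example.com"
# search might return. These are not real search results.
SAMPLE_URLS = [
    "http://www.example.com/",
    "https://Mail.Example.com:8443/login",          # port and mixed case
    "http://dev-portal.eu.example.com/index.html",  # hyphen, two levels deep
    "http://docs.example.com",                      # no trailing slash
    "ftp://files.example.com/pub/",
    "http://cdn.example.com.evil-host.net/x",       # contains our name, not our host
    "http://fakeexample.com/",                      # substring match only
]

def host_of(url):
    """Lower-cased hostname of a URL (urlsplit drops scheme, port, path), or None."""
    host = urlsplit(url).hostname
    return host.lower() if host else None

def belongs_to(host, domain):
    """Strict suffix test: the host is the domain itself or ends in '.' + domain.
    A plain substring test would accept both bad samples above."""
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)

def mine_hostnames(urls, domain):
    """Set of distinct hostnames under `domain` seen in a list of result URLs."""
    return {h for h in (host_of(u) for u in urls) if h and belongs_to(h, domain)}

def parent_subdomains(hosts, domain):
    """Intermediate zones between each host and `domain`, as the Perl's Section 4
    does: dev-portal.eu.example.com contributes eu.example.com, not itself."""
    domain = domain.lower()
    zones = set()
    for host in hosts:
        if host == domain:
            continue
        labels = host[: -(len(domain) + 1)].split(".")
        for i in range(1, len(labels)):
            zones.add(".".join(labels[i:]) + "." + domain)
    return zones

if __name__ == "__main__":
    hosts = mine_hostnames(SAMPLE_URLS, "example.com")
    print("DNS names:", *sorted(hosts), sep="\n  ")
    print("Sub domains:", *sorted(parent_subdomains(hosts, "example.com")), sep="\n  ")
```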
 

 

PERL: Automate Custom Querying on Google

GOOGLE_PERL.PL
SOURCE
#!/usr/bin/perl -w
#Section 1
#Google Hacking in Perl
#Written by Foster
use IO::Socket;

#Section 2
$query = '/search?hl=en&q=dog';
$server = 'www.google.com';
$port = 80;

#Section 3
#############################
sub socketInit()
{
    $socket = IO::Socket::INET->new(
        Proto    => 'tcp',
        PeerAddr => $server,
        PeerPort => $port,
        Timeout  => 10,
    );
    unless($socket)
    {
        die("Could not connect to $server:$port");
    }
    $socket->autoflush(1);
}

#Section 4
############################
sub sendQuery($)
{
    my ($myquery) = @_;
    # HTTP/1.0 request: header lines end in CRLF and a blank line ends the header
    print $socket ("GET $myquery HTTP/1.0\r\nHost: $server\r\n\r\n");
    while ($line = <$socket>)
    {
        # the results page carries the phrase "Results 1 - 10 of about N"
        if ($line =~ /Results.*of\s+about/)
        {
            return $line;
        }
    }
    return "";
}

#Section 5
############################
sub getTotalHits($)
{
    my ($ourline) = @_;
    $hits="";
    $index = index($ourline, "of about");
    return $hits if $index < 0;
    # keep only the digits found in the 30 characters after "of about"
    $str = substr($ourline, $index, 30);
    @buf=split(//,$str);
    foreach $ch (@buf)
    {
        if ($ch =~ /[0-9]/)
        {
            $hits=$hits.$ch;
        }
    }
    return $hits;
}

############################
#Section 6
socketInit();
$string = sendQuery($query);
$totalhits = getTotalHits($string);
#Printing to STDOUT the Total Hits Retrieved from Google
print ($totalhits);
Output

When you execute the previous Perl script with the embedded Google Attack Libraries, you will receive the following standard output (STDOUT). The output represents the total number of Google pages returned for the submitted query:

%GABE% perl google_perl.pl

 

Python: Google Query Library

#Google Hacking in Python
#Written by Foster
#(Python 3 syntax)

#Section 1
import socket
import sys
import re  # Regular Expression Module

#Section 2
HOST = 'www.google.com'  # The remote host
PORT = 80                # The same port as used by the server
s = None
query = "/search?hl=en&q=dog"

#Section 3: connect to the first resolved address that accepts a TCP connection
for res in socket.getaddrinfo(HOST, PORT, socket.AF_UNSPEC, socket.SOCK_STREAM):
    af, socktype, proto, canonname, sa = res
    try:
        s = socket.socket(af, socktype, proto)
    except OSError:
        s = None
        continue
    try:
        s.connect(sa)
    except OSError:
        s.close()
        s = None
        continue
    break
if s is None:
    print('could not open socket')
    sys.exit(1)

#Section 4: send the request and read until the word "about" arrives
s.sendall(("GET " + query + " HTTP/1.0\r\nHost: " + HOST + "\r\n\r\n").encode())
data = b""
myindex = -1
while myindex < 1:
    chunk = s.recv(8096)
    if not chunk:          # server closed the connection without the marker
        break
    data += chunk
    myindex = data.find(b"about")
s.close()
if myindex < 0:
    print('hit count not found in response')
    sys.exit(1)

#Section 5: the digits in the 30 characters after "about" are the total hit count
mysubstr = data[myindex:myindex + 30].decode('latin-1')
regexObj = re.compile(r'\d')
digits = regexObj.findall(mysubstr)
totalHits = ''.join(digits)
print(totalHits)
Output

The following output represents the corresponding total hits retrieved from Google:

53500000
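The three scripts above send the query path literally (GET /search?hl=en&q=dog), which works for a single word but breaks as soon as the query contains the quotes, spaces or colons of the composite searches described under Narrow Search Results (intitle:"Index of" passwd passwd.bak). The following added example, which is not code from the original page, composes a query from the operator classes the page lists (quoted phrases, + required and - excluded terms, OR groups, operator:value pairs) and percent-encodes it into the /search path; the site: value is the natural place to scope such a query to a domain you administer when checking your own exposure.

```python
from urllib.parse import urlencode

def quote_term(term):
    """Quote a multi-word term so Google treats it as one exact phrase."""
    term = term.replace('"', '')            # embedded quotes would unbalance the phrase
    return f'"{term}"' if " " in term else term

def build_query(terms=(), exclude=(), any_of=(), operators=None):
    """Compose a search string: operator:value pairs first (site:, intitle:,
    filetype:, inurl: ...), then required terms, an OR group and excluded terms.
    Values containing spaces are quoted, e.g. intitle:"Index of"."""
    parts = [f"{op}:{quote_term(val)}" for op, val in (operators or {}).items()]
    parts += [quote_term(t) for t in terms]
    if any_of:
        group = " OR ".join(quote_term(t) for t in any_of)
        parts.append(f"({group})" if len(any_of) > 1 else group)
    parts += ["-" + quote_term(t) for t in exclude]
    words = " ".join(parts).split()
    if len(words) > 32:                     # Google ignores words beyond the 32nd
        raise ValueError(f"query has {len(words)} words; Google stops at 32")
    return " ".join(parts)

def search_path(query, hl="en"):
    """Percent-encode the query into the /search path the scripts above send raw.
    Quotes become %22, colons %3A and spaces '+', so the GET request line stays valid."""
    return "/search?" + urlencode({"hl": hl, "q": query})

if __name__ == "__main__":
    # the composite query from the "Narrow Search Results" figure, scoped to one domain
    # (example.com is a placeholder for a domain you administer)
    q = build_query(terms=["passwd", "passwd.bak"],
                    operators={"intitle": "Index of", "site": "example.com"})
    print(q)
    print(search_path(q))
```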

 

C#: Google Hacking

//Google Hacking in C#
//Written by the master BW

using System;
using System.Text;
using System.Text.RegularExpressions;
using System.Net;
using System.Net.Sockets;

namespace ConsoleApplication2
{
    class GoogleQuery
    {
        //Required Socket Variables
        private const string query = "/search?hl=en&q=dog";
        private const string server = "www.google.com";
        private const int port = 80;
        private Socket socket;

        //Method #1: resolve the server name and open a TCP connection to port 80
        public void SocketInit()
        {
            socket = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
            IPHostEntry ipHostInfo = Dns.GetHostEntry(server);
            IPAddress ipAddress = null;
            foreach (IPAddress a in ipHostInfo.AddressList)
            {
                // the socket above is IPv4, so skip any IPv6 records
                if (a.AddressFamily == AddressFamily.InterNetwork) { ipAddress = a; break; }
            }
            if (ipAddress == null)
                throw new Exception("No IPv4 address for " + server);
            socket.Connect(new IPEndPoint(ipAddress, port));
        }

        //Method #2: minimal HTTP/1.0 request; CRLF line endings, blank line ends the header
        public void SendQuery()
        {
            socket.Send(ASCIIEncoding.ASCII.GetBytes(
                string.Format("GET {0} HTTP/1.0\r\nHost: {1}\r\n\r\n", query, server)));
        }

        //Method #3
        public string GetTotalHits()
        {
            // receive the total page, appending only the bytes actually read from each chunk
            byte[] buffer = null;
            byte[] chunk = new byte[4096];
            try
            {
                int n;
                while ((n = socket.Receive(chunk)) > 0)
                {
                    byte[] tmp = new byte[(buffer == null ? 0 : buffer.Length) + n];
                    if (buffer != null)
                        buffer.CopyTo(tmp, 0);
                    Array.Copy(chunk, 0, tmp, buffer != null ? buffer.Length : 0, n);
                    buffer = tmp;
                }
            }
            catch
            {
                if (buffer == null)
                    throw new Exception("No data read from host");
            }
            if (buffer == null)
                throw new Exception("No data read from host");
            // find the total hits
            string text = System.Text.ASCIIEncoding.ASCII.GetString(buffer);
            Regex regex = new Regex(@"of about <b>(?<count>[0-9,]+)");
            Match m = regex.Match(text);
            if (m.Success == false)
                throw new Exception("Parse error");
            return m.Groups["count"].Value;
        }
    }

    /// <summary>
    /// Summary description for Class1.
    /// </summary>
    class AppClass
    {
        /// <summary>
        /// The main entry point for the application.
        /// </summary>
        [STAThread]
        static void Main(string[] args)
        {
            GoogleQuery gq = new GoogleQuery();
            gq.SocketInit();
            gq.SendQuery();
            Console.WriteLine("Total Hits {0}", gq.GetTotalHits());
        }
    }
}

 

Follow Up on Google


Source: http://www.hackingdefined.com/index.php/Google123

Last Updated ( Monday, 16 July 2007 )
 