Google Hacking Carding

Google hacking: lessons on hacking with Google, carding, etc.; you can learn for free, at no charge

Uploaded by

rizkibelera
Google Hacking

19 September 2013
Updated August 2015
#s
Google's cache is over 95 Petabytes

Google crawls 300 cached entries per host by default
(If the site's SEO ranking is higher, then Google crawls deeper)
Getting Google To Scan For You
If a site isn't being crawled for some reason, (like it doesn't have a
DNS entry) you can solve this problem by:
a) Adding a DNS entry for the site publicly
b) Creating a Custom Search under a Google user account

If you create a custom search and add the IP, the site will be indexed within 7 days
#s
Numbers From Sept 2013
.com sites: 25,270,000,000
.org sites: 2,510,000,000
.jp sites: 15,550,000,000
.cn sites: 1,610,000,000
.ru sites: 1,560,000,000
.uk sites: 982,000,000
.ca sites: 400,000,000
.gov sites: 207,000,000
.us sites: 178,000,000
.mil sites: 5,600,000
.ny.us: 4,870,000
.mn.us: 3,430,000
.ca.us: 3,070,000
.nd.us: 711,000
Numbers From Aug 2015
.com sites: 25,270,000,000
.org sites: 6,560,000,000
.jp sites: 633,000,000
.cn sites: 336,000,000
.ru sites: 1,070,000,000
.uk sites: 2,130,000,000
.ca sites: 1,070,000,000
.gov sites: 814,000,000
.us sites: 178,000,000
.mil sites: 42,300,000
.ny.us: 8,610,000
.mn.us: 15,100,000
.ca.us: 28,200,000
.nd.us: 306,000
Common Functions
1. site:
2. intitle:
3. inurl:
4. filetype:
Examples from 2013

site:gov filetype:log 205,000
site:gov filetype:ini 40,200
site:gov filetype:conf 11,400
site:gov filetype:xls 3,740,000
site:gov filetype:xlsx 137,000
site:gov filetype:doc 12,200,000
site:gov filetype:docx 818,000
site:mil noforn 95,800
site:gov filetype:mdb 274
site:gov filetype:sql 7,880
site:mil filetype:sql 1
site:mil filetype:mdb 4 (1 in cache)
site:mil filetype:ini 9
site:mil filetype:txt 696,000

filetype:rdp username 774


inurl:allstathomehealth.com/Users
filetype:xls visa "12/13"
filetype:xls SSN DOB 1965 filetype:rdp password

inurl:https://mail.piginc.net/bidforms/LF18/115 Bldg. LF-18 NETWARCOM/Badging/


site:s3.amazonaws.com filetype:xls yourcompanyname
A Word of Caution
Hackers love pulling practical jokes on each other. What
constitutes a practical joke is a personal decision that can range
from a funny message, a 'like a sir' image, or deleting your
computer.
You should always hack on a machine that's useless and on a separate network
from machines containing sensitive data.
Rigging a Sweepstakes

Lotteries are fun and all... but they're considerably more
fun when you win. Let's see if we can increase our odds!
So those numbers count up with each entry, eh? I wonder what
happens when they hit “41/41” ...

Winner!!!

Now tomorrow, we can just watch the entries txt file, wait until it
gets close, and enter when we know we'll win!
Something Sinister
While searching the same site, I stumbled upon this:
That is an admin for a link manager. They have links across their
site that point to the ID numbers. This software tracks the clicks,
then forwards the client on to the destination.
So if we edit the destinations to our phishing sites, visitors would
book a hotel through our phony site!

Thanks for the CC#s!


Amazon Whispernet
Kindles, Cloud Storage, etc
Kindle

Steps to add file to Kindle:


1. Email file to [email protected]
2. Wait for file to show up on your Kindle
3. File is automatically stored on Amazon S3
Amazon Whisper
List of consultants in a company
Amazon Whispernet
● Doctor Roster
Amazon is a treasure trove of company users, emails,
and social engineering info.

Try it yourself:
site:s3.amazonaws.com filetype:xls
S/NOFORN

Government
Disclaimer
Mining for classified, restricted, or interesting military
and government data without written authorization is
likely to lead to incarceration.
City Govt – Rib Cookoff
City Gov – Employee Census
The Census
State Auditors – CC#
Document unfortunately taken down
State Gov't – HIPAA Violation
Think of the Children...
Over 1000 Children...
The above slides were unrelated
● The 2nd was from Texas
● http://socialsecuritynumerology.com will help you
identify the social security number's prefix if you know
the state and year that the person was born.
Research Labs
Government Research labs have some of the worst
security worldwide.
CERN
Nat'l Lab Directory Traversal
FNAL Fail
Linux Logs
I said the worst right?
The Military
GPS From a Carrier
DARPA Conference
Detail
FOIA Request List
Are you Human?
This is when Google starts asking if I'm actually
human:
Fly me to the moon...
Military Plane Crashes
Including UAV
We lost your picture...

Document of over 100,000 service members, their contact numbers, location in the world, and the
branch. Because their ID pictures were lost and need to be re-taken. Now I have a list of who doesn't
have a picture, and I know where they are…
Known Terrorist DB
Military Jobsite internal Code
Databases in Google
Taliban Suspect List anyone?

Came with a Secret/NOFORN clearance


On an Australian Military Site...
NASA SQL Files
Voicemail
You know what'd be convenient? A list of recent
recruits who maybe haven't set up their voicemail yet...
Snoop onto them...
As they snoop onto us!
Obviously these are security problems. Someone
should tell DISA so they can assist in remediation...
Other stupid things that shouldn't be in Google.
2100 Employee Records
Physical Security Data
Contractor Door Card Pass
RDP File to directly login
To a BANK
Canadian Finance Group Trash Files
Canadian Finance Group's Logs
HIPAA Who?
Nursing Home
Nursing 2
More RDP
HR Database
Wordpress - OpenInviter
Stupidest....
2015 Updated Content
Access to Source Code allows attackers to create exploits much faster.
Subversion (SVN) repositories may also leak passwords and other
sensitive information by mistake.
SolarWinds Database Logs
This data is on a Military University website. The log is showing not only internal directory
information, but that data is being linked externally. The medpix.50megs.com site no longer exists. I
can register it myself and replace these images with ones containing exploit code. When the images
are pulled up by users they may get infected.
Switching to Gov't sites since .mil doesn't have nearly as much as it
used to. That likely means it's being monitored more as well and I don't
want to get arrested…
Htaccess files are used in Linux and Unix systems to control directory permissions on web
servers. These can contain passwords, usernames, or, as seen below, internal IP addresses
allowed to access the folder. If we know what this scientist is working on, we now know which
internal machine is his and the IPs of co-workers working on the same project. Excellent
targeting information to gather before breaking into the network. It's good that he has this set,
because his entire profile and saved documents are publicly available on the internet....
The previous slide showed an example of Directory Traversal. This is when a directory on a
webserver is not locked down, and an unauthorized user can browse files. Desired behavior would
be to show a "you are not authorized" error message. Being able to traverse directories allows us
to find files we really shouldn't have access to. To reliably locate directory traversal attack points,
use the following search.
Directory traversal is specifically disallowed on any DISA STIG/SRG compliant webserver.
Locating any server with this allowed is showing us a list of unhardened targets.
This is very not good.
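As an added example (not from the original deck), a site owner can run the same checks against their own document root before a crawler does: the Python script below walks a local web root and flags the file types from the filetype: searches earlier in the deck, Subversion metadata and access-control files, and directories with no index file. The index file names, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Extensions from the filetype: searches in this deck; adjust to your environment.
RISKY_EXTENSIONS = {".log", ".ini", ".conf", ".sql", ".mdb", ".xls", ".xlsx", ".rdp"}
# Assumed index names; match your server's DirectoryIndex (or equivalent) setting.
INDEX_FILES = {"index.html", "index.htm", "index.php"}
# Access-control files and Subversion metadata, both mentioned in the deck.
SENSITIVE_NAMES = {".htaccess", ".htpasswd", ".svn"}


def audit_docroot(docroot):
    """Return sorted (finding, relative_path) tuples for a local web root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        rel_dir = os.path.relpath(dirpath, docroot)
        # A directory with no index file is listed to visitors if autoindex is on.
        if not INDEX_FILES & {f.lower() for f in filenames}:
            findings.append(("no-index-file", rel_dir))
        for name in dirnames + filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            if name.lower() in SENSITIVE_NAMES:
                findings.append(("sensitive-name", rel))
            elif os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
                findings.append(("risky-extension", rel))
        # Do not descend into VCS metadata; the directory itself is the finding.
        dirnames[:] = [d for d in dirnames if d.lower() not in SENSITIVE_NAMES]
    return sorted(findings)


def build_sample_tree(root):
    """Create a small constructed document root for the demonstration."""
    for rel in ("index.html", "reports/q3.xls", "reports/debug.log",
                "app/index.php", "app/.svn/entries", "app/backup.sql"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as handle:
            handle.write("constructed sample\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for finding, path in audit_docroot(root):
            print(f"{finding:16} {path}")
```

Each finding is a prompt to move the file out of the web root, deny it in the server configuration, or disable directory listing for that path.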
This is the log file found in the previous slide. Note that the username, failed password,
and IP address are logged. The IP shows that this system is accessible over the internet.
Users often fat-finger passwords, and as such if I download this file and pull all
passwords for the user, I will likely see the common misspellings and be able to guess the
real password reliably before the account is locked out.

If the user logs in from home I can also target his home network, which will have
significantly less security than the military networks. I hope.
To break into a system we often need a username and a password. Usernames are sometimes more
difficult to locate than passwords, since we have password lists that can guess. It's useless and
time-consuming to guess usernames as well as passwords. So if we can find a list of known users of a
system, then half of the authentication challenge has been solved.
The following is an interesting security vulnerability in Microsoft SharePoint which has never
officially been disclosed. This would be considered a feature except that it can have a devastating
effect. SharePoint has users, and is often tied to Microsoft Active Directory. To set up users in
SharePoint, an admin goes to a page called aclinv.aspx. Unfortunately any authenticated user
can view this page; they just can't set up users. This can disclose a lot of internal user
information such as name, email, phone number, title, internal userid, etc., for the entire
organization. The big problem is that many organizations allow external visitors to create an
account to log in and give them "guest" or low-level access. SharePoint doesn't
recognize the custom permissions, which allows someone from the internet to log in and
interrogate your Active Directory. This is a good example of using inurl to locate known
vulnerable websites.

aclinv.aspx
Below is a German site which allows user creation and then guest access
