Showing posts with label Hack it. Show all posts

Saturday, 19 November 2016

Gathering confidential data using GOOGLE DORK

Google makes it possible to reach not just publicly available Internet resources, but also some that should never have been revealed. The right query can yield some quite remarkable results. In the previous post we discussed Google's advanced search operators; this article discusses how to use them to collect confidential information.

How to use Google to find sources of personal information and other confidential data

Suppose that a vulnerability is discovered in a popular application – let's say it's the Microsoft IIS server version 5.0 – and a hypothetical attacker decides to find a few computers running this software in order to attack them. He could of course use a scanner of some description, but he prefers Google, so he just enters the query "Microsoft-IIS/5.0 Server at" intitle:index.of and obtains links to the servers he needs.

This works because in its standard configuration, IIS adds banners containing its name and version to some dynamically generated pages. It's a typical example of information which seems quite harmless, so it is frequently ignored and remains in the standard configuration. Unfortunately, it is also information which in certain circumstances can be most valuable to a potential attacker. More sample Google queries for typical Web servers are given below.

Google queries for locating various Web servers

Query                                                 Server
"Apache/1.3.28 Server at" intitle:index.of            Apache 1.3.28
"Apache/* Server at" intitle:index.of                 any version of Apache
"Microsoft-IIS/6.0 Server at" intitle:index.of        Microsoft Internet Information Services 6.0
"Microsoft-IIS/* Server at" intitle:index.of          any version of Microsoft Internet Information Services
"Oracle HTTP Server/* Server at" intitle:index.of     any version of Oracle HTTP Server
"IBM_HTTP_Server/* * Server at" intitle:index.of      any version of IBM HTTP Server
"Red Hat Secure/*" intitle:index.of                   any version of the Red Hat Secure server
"Netscape/* Server at" intitle:index.of               any version of Netscape Server
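An added check, not part of the original post, that a site owner can run over fetched pages of their own site to find exactly the signal these queries key on: the autoindex footer carrying a product/version banner and the "Index of /" title. The HTML responses in SAMPLE_PAGES are constructed samples, and the function names are this example's own.

```python
import re
from typing import Optional

# Footer emitted by Apache-style autoindex and error pages, e.g.
# "<address>Apache/1.3.28 Server at www.example.com Port 80</address>".
BANNER_RE = re.compile(
    r"(?P<product>[\w.\-]+/[\w.\-]+)[^<\n]*?\s+Server at\s+"
    r"(?P<host>[^\s<]+)\s+Port\s+(?P<port>\d+)",
    re.IGNORECASE,
)
# Title of an automatically generated directory listing ("Index of /...").
INDEX_TITLE_RE = re.compile(r"<title>\s*Index of\s*/", re.IGNORECASE)

def find_server_banner(html: str) -> Optional[dict]:
    # Return product/host/port from a "... Server at ... Port N" footer, or None.
    m = BANNER_RE.search(html)
    if not m:
        return None
    return {"product": m.group("product"), "host": m.group("host"),
            "port": int(m.group("port"))}

def is_directory_listing(html: str) -> bool:
    return INDEX_TITLE_RE.search(html) is not None

def audit_pages(pages: dict) -> list:
    # One finding per page that the "... Server at" intitle:index.of queries
    # in the table above would surface; banner-only pages are reported too.
    findings = []
    for url, html in pages.items():
        banner = find_server_banner(html)
        listing = is_directory_listing(html)
        if banner and listing:
            findings.append({"url": url, "reason": "listing+banner", **banner})
        elif banner:
            findings.append({"url": url, "reason": "banner", **banner})
        elif listing:
            findings.append({"url": url, "reason": "listing"})
    return findings

# Constructed sample responses standing in for fetched pages of your own site.
SAMPLE_PAGES = {
    "http://www.example.com/backup/": (
        "<html><head><title>Index of /backup</title></head><body>"
        "<h1>Index of /backup</h1><pre>db.sql.gz</pre><hr>"
        "<address>Apache/1.3.28 Server at www.example.com Port 80</address>"
        "</body></html>"),
    "http://www.example.com/": "<html><head><title>Welcome</title></head></html>",
    "http://www.example.com/missing": (
        "<html><head><title>404 Not Found</title></head><body><address>"
        "Apache/2.4.41 (Ubuntu) Server at www.example.com Port 443</address></body></html>"),
}
```

On Apache, ServerSignature Off removes the footer, ServerTokens Prod trims the version from the Server header, and Options -Indexes disables directory listings entirely; re-running the audit afterwards should return no findings.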

How to find information about vulnerable systems and Web services

Practically all attacks on IT systems require preparatory target reconnaissance, usually involving scanning computers in an attempt to recognise running services, operating systems and specific service software. Network scanners such as Nmap or amap are typically used for this purpose, but another possibility also exists. Many system administrators install Web-based applications which generate system load statistics, show disk space usage or even display system logs.

All this can be valuable information to an intruder. Simply querying Google for statistics generated and signed by the phpSystem application, using the query

"Generated by phpSystem"

will return a whole list of pages generated by phpSystem.

This method offers numerous possibilities. The table below shows sample queries for finding statistics and other information generated by several popular applications. So if you decide to use Web applications to monitor computer resources, make sure access to them is password-protected.

Querying for application-generated system reports

Query                                                   Type of information
"This summary was generated by wwwstat"                 web server statistics, system file structure
"This report was generated by WebLog"                   web server statistics, system file structure
inurl:server-info "Apache Server Information"           web server version and configuration, operating system type, system file structure
intitle:"ASP Stats Generator *.*" "ASP Stats Generator" web server activity, lots of visitor information
intitle:"Multimon UPS status page"                      UPS device performance statistics

How to locate publicly available network devices using Google

Many administrators downplay the importance of securing such devices as network printers or webcams. However, an insecure printer can provide an intruder with a foothold that can later be used as a basis for attacking other systems in the same network or even other networks. Webcams are, of course, much less dangerous, so hacking them can only be seen as entertainment, although it's not hard to imagine situations where data from a webcam could be useful (industrial espionage, robberies etc.).

The table below contains sample queries revealing printers and webcams.

Query                                                 Device
"Copyright (c) Tektronix, Inc." "printer status"      PhaserLink printers
inurl:"printer/main.html" intext:"settings"           Brother HL printers
intitle:"Dell Laser Printer" ewss                     Dell printers with EWS technology
intext:centreware inurl:status                        Xerox Phaser 4500/6250/8200/8400 printers
inurl:indexFrame.shtml Axis                           Axis webcams
allintitle:Brains, Corp. camera                       webcams accessible via mmEye



Friday, 28 October 2016

Google queries for advanced search and for vulnerability testers



A web search engine is a software application which crawls the web to index it and returns information based on the user's search query. Some search engines go beyond that and also extract information from various open databases. Usually search engines provide real-time results based on the backend crawling and data analysis algorithms they use. The results of a search engine are usually presented as URLs with an abstract.

Apart from the usual web search engines, some search engines also index data from forums and other closed portals (which require a login). Some search engines also collect results from several different search engines and present them in a single interface. Google is one of the most widely used search engines and is the starting point for web exploration for most of us.

Google is now worth billions and has its own place within the Oxford English Dictionary as a verb, but it took two men with a big dream to turn a small idea into a reality that has made a significant contribution to how the world uses the internet. Larry Page and Sergey Brin were both PhD candidates when they met in 1996 at Stanford and came up with the concept for a search engine that they were going to name BackRub. On 14 September 1997, Google.com was officially registered as a domain name.


Google serves some 80 percent of all search queries on the Internet, making it by far the most popular search engine. Its popularity is due not only to excellent search effectiveness, but also extensive querying capabilities. Google makes it possible to reach not only the publicly available information resources, but also gives access to some of the most confidential information that should never have been revealed.


Here is a summary of the most important and most useful query operators along with their descriptions. The right query can yield some quite remarkable results.

site:
Restricts results to sites within the specified domain.
Example: site:papersboot.blogspot.com fox will find all pages containing the word fox located within the papersboot.blogspot.com domain.

intitle:
Restricts results to documents whose title contains the specified phrase.
Example: intitle:facebook fire will find all pages with the word facebook in the title and fire in the text.

inurl:
Restricts results to pages whose URL contains the specified phrase.
Example: inurl:papersboot fire will find all pages containing the word fire in the text and papersboot in the URL.

filetype:
Restricts results to documents of the specified type.
Example: filetype:pdf fire will return PDFs containing the word fire, while filetype:xls fox will return Excel spreadsheets containing the word fox.

ext:
Restricts results to documents of the specified type (same as filetype:).
Example: ext:pdf fire will return PDFs containing the word fire, while ext:xls fox will return Excel spreadsheets containing the word fox.

numrange:
Restricts results to documents containing a number from the specified range.
Example: numrange:1-100 fire will return pages containing a number from 1 to 100 and the word fire. The same result can be achieved with 1..100 fire.

link:
Restricts results to pages containing links to the specified location.
Example: link:papersboot.blogspot.com will return documents containing one or more links to papersboot.blogspot.com.

anchor:
Restricts results to pages containing links with the specified phrase in their descriptions.
Example: anchor:download will return documents with links whose description contains the word download (that is the actual link text, not the URL the link points to).

allintext:
Restricts results to documents containing the specified phrase in the text, but not in the title, link descriptions or URLs.
Example: allintext:"papersboot" will return documents which contain the phrase papersboot in their text only.

+
Specifies that a phrase should occur frequently in results.
Example: +papersboot will order results by the number of occurrences of the word papersboot.

-
Specifies that a phrase must not occur in results.
Example: -fire will return documents that don't contain the word fire.

" "
Delimiters for entire search phrases (not single words).
Example: "fire fox" will return documents containing the phrase fire fox.

.
Wildcard for a single character.
Example: fire.fox will return documents containing the phrases fire fox, fireAfox, fire1fox, fire-fox etc.

*
Wildcard for a single word.
Example: fire * fox will return documents containing the phrases fire the fox, fire in fox, fire or fox etc.

|
Logical OR.
Example: "fire fox" | firefox will return documents containing the phrase fire fox or the word firefox.

info:
The info: operator provides the information Google holds on a specific domain. Links to different types of information are present in the results, such as the cache, similar websites, etc.

This is not all: sometimes Google also shows relevant information related to global events as and when they happen, for example the Cricket World Cup.

The operators we discussed are certainly very useful for anyone who needs to find out some information on the web, but the InfoSec community has taken them to the next level. These simple and innocent operators are widely used in the cyber security industry to find and demonstrate how critical and compromising information can be retrieved without even touching the target system. This technique of using Google search engine operators to find such information is termed "Google Hacking".
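As an added example (not from the original post), here is a small parser for the operator syntax listed above, plus a helper that pins any query to a domain you own by replacing its site: term, so the queries from the earlier tables can be used to audit your own exposure rather than someone else's. OPERATORS, parse_query, render and scope_to_domain are this example's own names; the sample queries at the bottom are constructed from the tables above.

```python
import re

# Operators from the list above that take an argument.
OPERATORS = {"site", "intitle", "inurl", "filetype", "ext", "numrange",
             "link", "anchor", "allintext", "allintitle", "info"}
# A token is an optional [-+]operator: prefix followed by a "quoted phrase"
# or a bare word; "|" comes out as its own token.
TOKEN_RE = re.compile(r'(?:[-+]?[a-z]+:)?(?:"[^"]*"|\S+)')

def parse_query(query: str) -> list:
    # Split a query into terms: {op, value, phrase, prefix} or {"kind": "or"}.
    terms = []
    for tok in TOKEN_RE.findall(query):
        if tok == "|":
            terms.append({"kind": "or"})
            continue
        prefix = tok[0] if tok[0] in "-+" else ""   # the +/- modifiers above
        body = tok[len(prefix):]
        m = re.match(r"^([a-z]+):(.*)$", body, re.DOTALL)
        op, arg = (m.group(1), m.group(2)) if m and m.group(1) in OPERATORS else (None, body)
        phrase = len(arg) >= 2 and arg[0] == '"' and arg[-1] == '"'
        terms.append({"op": op, "value": arg[1:-1] if phrase else arg,
                      "phrase": phrase, "prefix": prefix})
    return terms

def render(terms: list) -> str:
    # Inverse of parse_query: rebuild the query string, re-quoting phrases.
    out = []
    for t in terms:
        if t.get("kind") == "or":
            out.append("|")
            continue
        value = f'"{t["value"]}"' if t["phrase"] else t["value"]
        out.append(t["prefix"] + (f'{t["op"]}:{value}' if t["op"] else value))
    return " ".join(out)

def scope_to_domain(query: str, domain: str) -> str:
    # Drop any site: term already present and pin the query to `domain`.
    terms = [t for t in parse_query(query) if t.get("op") != "site"]
    site = {"op": "site", "value": domain, "phrase": False, "prefix": ""}
    return render([site] + terms)

# Constructed sample: queries from the tables above, scoped to a domain you own.
if __name__ == "__main__":
    for q in ['"Microsoft-IIS/5.0 Server at" intitle:index.of',
              'intitle:"Dell Laser Printer" ewss']:
        print(scope_to_domain(q, "example.com"))
```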