
National Cyber Security Awareness Month

Did you know that October is National Cyber Security Awareness Month? Well, you may not have known prior to this September but, thanks to the heavy press coverage of the event this year, you do now!

The National Cyber Security Awareness Month is celebrating its 9th year of existence with online talks and lectures to help spread public awareness of online safety issues. The event is hosted by the Department of Homeland Security (DHS), the National Cyber Security Alliance (NCSA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC; an organization that exists to serve governments worldwide in an advisory role).

MS-ISAC and their parent organization, the Center for Internet Security, are also offering a large number of IT security jobs covering project management, analysis and tech work. They also feature a pretty neat dashboard for sharing information gleaned from cyber attacks, including common ports and IP addresses under attack; check the MS-ISAC Dashboard App for more information (while it doesn’t seem very extensive at the moment, it may be updated as time goes on).

NCSAM events are being hosted by a number of organizations and companies across the globe. Already we’ve seen some cool Facebook activity in the form of interactive lectures. For more official events check out the NCSAM calendar here (note that many of the online events aren’t listed. For those, be sure to check Twitter #NCSAM or watch related hashtags and tweets on Twitterfall).

For more information from the Department of Homeland Security please visit this website:

http://www.dhs.gov/national-cyber-security-awareness-month

In the spirit of NCSAM, security & compliance firm InfoSight Inc. just posted a link to one of their interesting YouTube videos on their Twitter account. The video debunks popular computer safety myths. Feel free to check out that video below:

https://www.youtube.com/watch?v=V2rBbmQOCTI

(All rights for the video belong to InfoSight Inc. and were provided for your viewing pleasure by embedding as is allowed by the Standard YouTube License regarding published public videos. I highly recommend checking InfoSight’s other YouTube videos if you’re new to internet security.)

As always you can check the Neuralhub’s navigation system or the blog’s tag cloud to find topics of interest to you. Also visit the Neuralhub post entitled “Computer Security Resources” for a list of security links to sites I find interesting.

World is Too Slow to Adopt Two-Factor Authentication

Here’s the deal: you do a lot of business online. Amazon purchases, you check your Xbox account, access social networking sites and so on. And as I’ve said time and again, man-in-the-middle attacks are at an all-time high. So you need a way of securing your online accounts besides just using a password.

While some sites like Facebook, Google and Dropbox have implemented forms of two-factor authentication, many sites do not (to my knowledge Apple and Amazon have not implemented TFA security). SSL alone doesn’t protect customers from online threats. Amazon AWS does support multi-factor authentication but, at the time of writing this, their user accounts do not have this feature (upon asking their technical support why they didn’t use TFA, I was told “SSL was secure” and not to worry).

For those left out of the loop, TFA relies on either texting you an ever-changing security key or displaying one using a token generator (such as the great Google Authenticator for Android). Logging into a website from an unknown computer (one where a former cached login could not be found) results in a page asking you to confirm the key displayed on your token generator.

The way it works now if you don’t remember your password? A reset email can be mailed to you… not such great security. It sends an email to the account you registered with; if your email account is compromised to begin with, your other accounts can be too. All the SSL in the world doesn’t amount to a hill of beans if you don’t offer better security practices to users that want to make use of them.

Social engineering attacks can also be used to get companies to change your passwords by phone. Apple and Amazon have already been caught doing this. For more information see my post entitled “Apple’s Social Engineering Crisis.”

So why don’t sites adopt TFA? They don’t want to be bothered implementing it. Really. That’s the only excuse I can think of since, if companies follow Google’s example, you have to manually opt in to using it in the first place.

So enough is enough. Start telling the companies that you do business with online to enact TFA now.

Related Articles (Better than this rant)

“Please Turn on Two-Factor Authentication.” Curts, Matt @ Lifehacker.

“Two-Factor Authentication: The Big List Of Everywhere You Should Enable It Right Now.” Gordon, Whitson @ Lifehacker Australia.

“XBox GM Talks Xbox Live Security.” Frederiksen, Eric. July 19, 2012. See: http://www.technobuffalo.com/gaming/platform-gaming/xbox-upgrading-security/

Products of Note

Google Authenticator for Android

Google Authenticator for iOS

SolidPass Two-Factor Authentication Token (Used in many places)

Related Blog Posts

Public Wi-Fi? Be Mindful of Session Hijacking

Janet Napolitano on Cybersecurity @ ASIS 2012

Awesome keynote speech by Janet Napolitano, Secretary of Homeland Security, at ASIS 2012 in PA on the importance of cyber security.

Video embedded here for your viewing pleasure. Originally posted publicly on YouTube by ASIS International. For more videos please see the ASIS YouTube page.

Poll – iPhone 5 Released. Will You Get It?

The specs are in for the new iPhone 5. Compare them now with a few new Androids on the market on Mashable here:

https://mashable.com/2012/09/12/iphone-5-compared/

Details on the iPhone 5 can be found on the following sites:

Mashable: iPhone 5 Review
TechRadar: iPhone 5 Review
NY Times: Review by David Pogue

Concerned with battery life? Check out the Cult of Mac article discussing it. Yet the truth is that, although the iPhone 5 boasts 8 hours for 4G (LTE) web browsing (or 10 hours for video playback without web browsing, or 8 hours of just talk time), the Motorola Razr Maxx still boasts a 3,300mAh battery capable of providing up to 17.6 hours of talk time! The new Motorola Razr HD features an impressive 21 hours talk time/data use over 3G.

Court rivals can still be friends right? Check out how the iPhone 5 stacks up against its biggest rival, the Samsung Galaxy S III here.

Does it bother you that the iPhone 5 still doesn’t have an SD card slot while the new Samsung Galaxy S III has a 2 TB capacity for multimedia? Any other gripes? Feel free to chime in on the poll and/or comment to let me know what you think!

Access Your Virtualized Linux Box Anywhere

Have you ever wanted access to a Linux box on your mobile device? Sure, you could just SSH in, but what if you wanted the entire experience on your portable computer or at a friend’s house? Virtualization + RAS (remote access software) = true OS freedom (or… well, geeky fun anyway). The technique is used on a regular basis but there may be some out there who don’t know how to take advantage of it.

In this blog article I’ll explain how to get access to your Linux box from any platform or device. Keep in mind that if your host is already Linux you can skip the virtualization section and head right down to configuring the remote access software.

This setup can be and should be used on a Windows host machine running a Linux Guest environment.

Remote Access on Your Mobile

There have been a lot of advancements in the fields of virtualization and remote access software, but it never ceases to amaze me how few all-in-one packages there are for manipulating virtual environments via mobile devices. This is because writing software for mobile devices is often tricky and the few software options out there are kind of crappy. The software I’ll be using in this post are the iOS iPad versions of TeamViewer HD Free for iPad and VMware View (also free, but the host-side software is a 60-day trial). But I’ll only be providing the in-depth setup for TeamViewer, as doing both would be too exhaustive.

Downloading TV or VMware View on Your Mobile

TeamViewer For Remote Control (Android OS)

TeamViewer HD for iPad (iOS/iPad)

VMware View for Android (Android OS)

VMware View for iPad (iOS/iPad)

Your RAS software is the key to accessing your virtualized session, so select RAS that is usable on the desired mobile device. The RAS determines how well you can manipulate the session, so select wisely or YMMV. Similarly you can opt for VNC variations and swap out the RAS selections I’ve used.

As such, you’ll probably need to review the release notes on your mobile RAS to ensure that it’ll function correctly on your specific mobile device. For example, I’ve used TeamViewer for Android on my Motorola Razor without any problems. But I wouldn’t expect speedy results on an older Android without a dual-core processor.

Host Machine

Obviously it goes without saying (but I will) that your host needs to be on if you want to access your virtualized box. The critical components here are:

  • RAM
  • Bandwidth

I’ll be using ~1.5-2 gigs dedicated to the virtual sessions but keep in mind that this is the bare minimum needed for most X environments to work efficiently under pressure (and therefore in a virtual environment). Your success will be based on how much RAM you allot the virtualization on the host machine: some operating systems’ X environments are resource hogs. Keeping that in mind, I’ll be using Bodhi Linux as it’s a lightweight E17 distribution. Minimalism is critical if you are tight on RAM.

(If you’re interested in Bodhi Linux you can pick up the distro here: http://www.bodhilinux.com/)

It goes without saying that 3D hardware acceleration needs to be enabled on the host, but what you’ll see on the mobile client may also vary; this means having a fairly new GPU. But this is Linux we’re talking about… in all likelihood you’ll be fine so long as you aren’t doing anything too graphically intense. I’m using an XFX HD 6670 with 1 GB of DDR5, so you don’t need anything fancy (keep in mind everything on my system is bottlenecked due to an old Pentium D processor, so any modern system should be able to do well). If the virtual environment plays fine on your host you are set in that department.

Bandwidth is critical. I’m pulling 45/35 on a fiber line for the host. You don’t want your host machine to slow you down (use Wi-Fi on the client side as opposed to 3G or 4G if the network is fast enough). Let’s be honest: we’re using RAS (slow) and virtualization (potentially slow), so you don’t want a bandwidth problem factored in. Nothing sucks more than remote access lag.

Host Software

This is broken up into two parts. 1) The virtual environment creator and player (can be the same in the case of VMware Workstation or VirtualBox), and 2) The RAS setup within the virtualized Linux session.

This post will be focusing on the latter. You should already know how to set up a virtual environment in VMware or Oracle VM VirtualBox. Read the documentation associated with whichever virtualization software package you decide to use (keeping in mind, of course, that VirtualBox and VMware Player are free while VMware Workstation is an expensive investment; of the free two, VirtualBox is best for creating and playing environments without having to purchase VMware Workstation).

Oracle VM VirtualBox can be downloaded here: https://www.virtualbox.org/
VMware Workstation can be sampled for 30 days here: http://www.vmware.com/products/workstation/overview.html
VMware Player (not a virtual environment creator) can be downloaded here: http://www.vmware.com/products/player/

The last note here would be to use NAT as your network adapter preference to allow the host to share the IP address (my VPN configured through my host machine also worked well with this configuration).

Virtualization’s RAS

TeamViewer or VMware View 5.0 are ideal since they are well documented and exist on nearly any platform you need. You need to have created your virtual environment flawlessly for this to work which means installing and being able to use Linux as a whole.

As far as the virtualization’s RAS is concerned, if you did use Bodhi you can download the Debian archive for TeamViewer for Linux or use Synaptic to automate the process (this method is the easiest with TeamViewer 7).

Configuring Your RAS (TeamViewer Example)

Upon starting TeamViewer for the first time you’ll get a notice about software configuring Wine to run the remote desktop accordingly.

I would create an account on TeamViewer to be able to save frequently accessed computers.

Once it starts up you’ll want to copy down your 9-digit ID number. If you want to perform unattended sign-in, disregard the attended password on the main page (keeping in mind that your Linux guest box and the TeamViewer software need to be running).

To configure the unattended password head over to the Options/Security Tab and choose a complex password for logging in (the combination of your 9-digit ID and your unattended password will allow you remote access to your virtualized Linux session).

Then head over to your mobile TeamViewer app (or the program you are trying to connect from) and add the Linux guest’s ID and unattended password in the “Computers & Contacts” section of the client.

Then go ahead and connect, resting assured the connection is secure (even if you’re connecting over an insecure Wi-Fi).

Closing Notes

Bodhi Linux Guest VMware / Bodhi on iPad 1

It’s highly unlikely that any RAS is going to offer stunning visuals but different software can provide different results (TeamViewer isn’t known for graphical prowess). Regardless, feel free to play around with the general concepts explored in this post to achieve a suitable result. In the end the goal was to create a decent remotely accessible Linux virtualization as opposed to accessing your Linux box through a CLI and, to that end, it worked.

LOIC DDoS & The Nature of Anonymous Attacks

One of the most impressive and dangerous Denial of Service tools is named, jokingly, the Low Orbit Ion Cannon (LOIC). The tool gained public notice after being repeatedly used in successful attacks against high-value web servers such as those belonging to the Church of Scientology during Project Chanology, the Recording Industry Association of America (RIAA), and groups opposing MegaUpload and WikiLeaks, all targeted as the collective’s enemies.

While I won’t get into the ideological arguments expressed by either Anonymous or their opposition, I’d like to take a moment to explain LOIC and provide some interesting links to sites containing more information.

As I always state: I’m merely an individual interested in security for the sake of learning. If you have a vested interest in any of the ideologies either for or against the attacks, check the links below for protections or ways to get more involved in the LOIC project.

Background

LOIC, originally written in C# by Praetox Technologies, has been since coded into an independent JavaScript program known as JS LOIC (hosted by HiveMind, linked below). As such there’s even a web version of the DoS tool!

When the project was first released I managed a DDoS (Distributed Denial of Service) attack against my own test box using a 5-PC networked LOIC attack triggered using UltraVNC (akin to a botnet); it worked extremely well. The method could even be used to trigger remotely using an iPad or any device running the appropriate RAS software. If a given server or network is susceptible to LOIC attacks, a DDoS against that server or network can be extremely potent.

Details and Protection

LOIC works by flooding a specified target server with TCP or UDP packets. The attack relies on the principles inherent to most forms of DoS attacks. As such it’s surprisingly easy to protect against. Many servers should have been well protected against DoS attacks to begin with but, as we know from real-world IT, what’s best isn’t always what’s done.

Firewall rule sets can be enacted which filter out the overabundance of packets coming from any one IP address long before something like this becomes a problem. To my knowledge ISPs on a larger scale can protect against DoS traffic by filtering out the appropriate UDP and ICMP packets before they reach their intended targets.

It should be common knowledge for server administrators to contact their ISPs to ensure measures are in place to protect them at that level. Then appropriate network firewall rules should be drafted.
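The per-source filtering described above starts with spotting which address is sending an overabundance of packets. As an added example that is not part of the original post, the Python below parses firewall-style per-packet log lines and keeps a sliding window per source IP, reporting any source whose packet count in that window exceeds a threshold. The log format and all addresses are constructed for the example; lines are assumed to arrive in time order, as a firewall log does.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (not a real firewall's): timestamp, source, destination, protocol, port.
LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=\S+ PROTO=(\S+) DPT=(\d+)$")


def parse_line(line):
    """Return (unix_time, src_ip, proto, dport) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1)).timestamp()
    return ts, m.group(2), m.group(3), int(m.group(4))


def detect_floods(lines, max_packets=50, window_s=10.0):
    """Sliding-window rate check per source IP.

    Returns {src_ip: peak packets seen inside any window_s span} for every source that
    exceeded max_packets; well-behaved sources never appear in the result.
    """
    recent = defaultdict(deque)  # src_ip -> timestamps still inside the window
    peak = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, _, _ = parsed
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window_s:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > max_packets:
            peak[src] = max(peak.get(src, 0), len(q))
    return peak


def build_sample_log():
    """Constructed sample: one normal client, one source hammering port 80 (300 packets in ~2 s)."""
    base = datetime(2012, 8, 10, 12, 0, 0)
    events = []
    for i in range(5):
        events.append((base + timedelta(seconds=i), "198.51.100.8", "TCP", 443))
    for i in range(300):
        events.append((base + timedelta(milliseconds=i * 7), "192.0.2.77", "TCP", 80))
    events.sort()
    return [f"{t.isoformat()} SRC={s} DST=203.0.113.10 PROTO={p} DPT={d}"
            for t, s, p, d in events]


if __name__ == "__main__":
    for ip, count in detect_floods(build_sample_log()).items():
        print(f"flood candidate {ip}: {count} packets within 10 s")
```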

But many of the attacks are difficult to trace…

The Nature of Anonymous Attacks

ARP Poisoning, as previously mentioned on fork(), can be used to make attacks appear to be launched from within your own network (or attacks against your network can be made by attackers who gain access by spoofing their way into your network). Such attacks can be used to incite various man-in-the-middle (MITM) attacks and/or DoS/DDoS attacks. For more examples see this blog’s article on session hijacking.

A good intrusion detection system monitoring ARP tables can alert the network administrator of changes or additions and thus possibly thwart spoofed MITM attacks before they occur. The article by Busschers cited below discusses spoofed/reflected attacks and how they can be conducted.
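The ARP-table monitoring mentioned above, reduced to its core check, as an added example that is not part of the original post: two snapshots of a Linux ARP cache in /proc/net/arp format are compared, and the script alerts on new entries, on an IP whose MAC changed (with the gateway called out specifically), and on one MAC claiming several IPs, which is what a poisoning attempt on the gateway looks like. The snapshots and addresses are constructed for the example.

```python
from collections import defaultdict

# Constructed snapshots (not from a real host). Between the two, the gateway's MAC flips to
# aa:bb:cc:dd:ee:99 and a new host shows up using that same MAC.
BEFORE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:01     *        eth0
192.168.1.20     0x1         0x2         00:11:22:33:44:20     *        eth0
"""
AFTER = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:dd:ee:99     *        eth0
192.168.1.20     0x1         0x2         00:11:22:33:44:20     *        eth0
192.168.1.30     0x1         0x2         aa:bb:cc:dd:ee:99     *        eth0
"""


def parse_arp_table(text):
    """Parse /proc/net/arp text into {ip: mac}, skipping incomplete (flags 0x0) entries."""
    table = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        parts = line.split()
        if len(parts) >= 4 and parts[2] != "0x0":
            table[parts[0]] = parts[3].lower()
    return table


def read_live_arp_table(path="/proc/net/arp"):
    """Linux only: read the host's current ARP cache (assumed path, standard on Linux)."""
    with open(path) as fh:
        return parse_arp_table(fh.read())


def arp_alerts(before, after, gateway=None):
    """Compare two {ip: mac} snapshots; return a list of (kind, subject, detail) alerts."""
    alerts = []
    for ip, mac in after.items():
        old = before.get(ip)
        if old is None:
            alerts.append(("new", ip, mac))
        elif old != mac:
            kind = "gateway-mac-changed" if ip == gateway else "mac-changed"
            alerts.append((kind, ip, f"{old}->{mac}"))
    by_mac = defaultdict(list)
    for ip, mac in after.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:  # one NIC answering for several IPs is the classic poisoning signature
            alerts.append(("duplicate-mac", mac, ",".join(sorted(ips))))
    return alerts


if __name__ == "__main__":
    for alert in arp_alerts(parse_arp_table(BEFORE), parse_arp_table(AFTER), gateway="192.168.1.1"):
        print(*alert)
```

A real monitor would poll read_live_arp_table() on an interval and diff each result against the previous one.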

Sources

My blog isn’t funded by any corporations or governments and as such I’m fully willing to give all sides of an argument. So, I’ve constructed a list of sources I used when writing this post as well as some sites that may interest those wanting to learn more:

If you’d like to contribute to the C# original LOIC project please check out the LOIC project page here: https://github.com/NewEraCracker/LOIC/

Additionally you can check the more frequently updated SourceForge page for JS LOIC designed by HiveMind: http://sourceforge.net/projects/loic/

The HiveMind web version is located here: https://code.google.com/p/lowc/

Server Fault (Stack Exchange) topic regarding preventing LOIC DDoS, posed by a user in 2010: http://serverfault.com/questions/211135/how-to-prevent-a-loic-ddos-attack

“4 Best Practices for Mitigating DDoS Effects,” by ES Enterprise Systems, February 6, 2012. Article discusses DDoS damage mitigation here: http://esj.com/articles/2012/02/06/best-practices-mitigating-ddos.aspx

“Effectiveness of Defense Methods Against DDoS Attacks by Anonymous,” Busschers, Rik. University of Twente, NL. This is a great article detailing the Anonymous Chanology & Operation Payback attacks, those recent attacks against PayPal, MasterCard and more. Check it out here: http://referaat.cs.utwente.nl/TSConIT/download.php?id=1085 (It’s also an excellent article for learning more about the type of attacks used and how such things as SYN packet flooding work. If the article ever goes off-line I’ll re-upload it.)

Another great source detailing spoofed DDoS attacks: http://www.skullbox.net/spoofeddos.php

ARP Poisoning/Spoofing in detail can be further explored here: http://www.irongeek.com/i.php?page=security/arpspoof

Network Research Group (NRG)’s ARP Watch can be found here: http://www-nrg.ee.lbl.gov/

ASIS 2012 is coming!

The 58th Annual ASIS International Seminar will bring Philadelphia everything from countless vendor exhibits to learning sessions brought to you by top security companies from across the globe. The seminar and exhibits will be held from September 10th to the 13th.

Be sure to check the presentation on VIP security and protection to be given on the 11th by ARSEC co-founder, Mr. Oren Raz. I’ll also be in attendance providing technical assistance during the presentation. ARSEC is comprised of specialists at providing both government and private sector clients with in-depth security solutions and training. For more information on them, please visit their website here: http://www.arsec-corp.com/

Exhibition-only tickets are free, so be sure to register soon; at the door they’re $75. Ticket costs for those wanting to attend the keynote speaker addresses and luncheons can be found on the ASIS homepage.

If you’d like to use the nifty mobile app for ASIS you can download one for your mobile device by clicking here. The app will let you view photos & videos of the presentations, organize your contacts, check the schedule, access an interactive map of the event and more.

Check out the ASIS 2012 site here: http://www.asis2012.org

9/06 Edit: If you’re interested in Dignitaries Under Fire and its coverage of VIP protection, this is the schedule’s information:

Dignitaries Under Fire
Speaker: Mr. Oren Raz
ARSEC Co-Founder
Former Head of Security for Israeli Embassies
Tuesday, September 11, 2012 1:45 PM - 3:00 PM
Location: PCC 109-B

Links – PGP Security

If you use PGP, as I do, you’ll want to read an old but useful article on pgp.net: “Security Questions” @ pgp.net as it covers a whole slew of topics ranging from how secure asymmetric cryptography can be to possible security threats arising from using PGP. Essentially if you have a good passphrase you’re better off than folks without one.

Similarly, this article explains passphrase safety tips: http://www.wowarea.com/english/help/pwd.htm — like the previous article, which mentions TEMPEST*, this one discusses things like a hidden microphone, a camera, stolen swap files, access to your hard disk or other medium where private keys are stored, not using drive wiping technologies, key loggers, recovery software and EM microscopes on junked hard drives, viruses, Trojans and more.

* Some useful information on the old TEMPEST attack can be found at these sites:

http://en.wikipedia.org/wiki/Tempest_(codename)
http://www.surasoft.com/articles/tempest.php

With modern technologies and, being a regular citizen as opposed to an enemy of the state, you’re probably safe!

While it wasn’t designed specifically for asymmetric key passphrases, the GRC’s Haystack Password checker can be used as a starting point for developing safe habits: https://www.grc.com/haystack.htm

Also, in GPG anyway, if you ever find yourself needing to explain what a particular encrypted message is you can always perform a session key override. First, while decrypting normally, ask GPG to print the session key:

gpg --show-session-key --decrypt <file>

Followed by, on the side that has no secret key:

gpg --override-session-key <session key> --decrypt <file>

The former will reveal a unique encrypted session key string, which is derived from your public key but is different from your secret key. The latter will enable you to decrypt a single text/file without you having to give away any sensitive information. This is very useful if you have a naggy wife (or husband)!
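The session-key workflow above, end to end, as an added example that is not part of the original post: a throwaway key is generated in a temporary GNUPGHOME, a message is encrypted to it, the owner recovers the per-message session key with --show-session-key, and a second, empty keyring (standing in for the third party) decrypts the file with --override-session-key and nothing else. It assumes gpg 2.1 or later on PATH and returns None if gpg is not installed; the identity and message are constructed.

```python
import os
import re
import shutil
import subprocess
import tempfile

UID = "Demo <demo@example.invalid>"  # throwaway identity (constructed for the example)


def _gpg(home, *args, timeout=120):
    """Run gpg non-interactively against the given GNUPGHOME (empty passphrase, loopback pinentry)."""
    env = dict(os.environ, GNUPGHOME=home)
    cmd = ["gpg", "--batch", "--yes", "--pinentry-mode", "loopback", "--passphrase", "", *args]
    return subprocess.run(cmd, env=env, capture_output=True, timeout=timeout)


def show_session_key(home, ciphertext_path):
    """Owner side: decrypt with the secret key and capture the session key gpg reports on stderr."""
    r = _gpg(home, "--show-session-key", "--decrypt", ciphertext_path)
    err = r.stderr.decode(errors="replace")
    m = re.search(r"session key: '([^']+)'", err)  # printed as 'ALGO:HEX'
    if r.returncode != 0 or not m:
        raise RuntimeError(err)
    return m.group(1)


def decrypt_with_session_key(home, session_key, ciphertext_path):
    """Third-party side: this keyring holds no secret key; only the session key is supplied."""
    r = _gpg(home, "--override-session-key", session_key, "--decrypt", ciphertext_path)
    if r.returncode != 0:
        raise RuntimeError(r.stderr.decode(errors="replace"))
    return r.stdout.decode()


def demo_session_key_override(plaintext="the quick brown fox\n"):
    """Run the whole exchange in two temporary homes; returns the recovered plaintext or None."""
    if shutil.which("gpg") is None:
        return None
    owner, third = tempfile.mkdtemp(), tempfile.mkdtemp()  # mkdtemp creates them mode 0700
    try:
        r = _gpg(owner, "--quick-gen-key", UID, "default", "default", "never")
        if r.returncode != 0:
            raise RuntimeError(r.stderr.decode(errors="replace"))
        msg, ct = os.path.join(owner, "msg.txt"), os.path.join(owner, "msg.gpg")
        with open(msg, "w") as fh:
            fh.write(plaintext)
        r = _gpg(owner, "--trust-model", "always", "--recipient", UID,
                 "--output", ct, "--encrypt", msg)
        if r.returncode != 0:
            raise RuntimeError(r.stderr.decode(errors="replace"))
        session_key = show_session_key(owner, ct)
        # Only the session key crosses over; the secret key never leaves the owner's home.
        return decrypt_with_session_key(third, session_key, ct)
    finally:
        for home in (owner, third):
            subprocess.run(["gpgconf", "--kill", "gpg-agent"],
                           env=dict(os.environ, GNUPGHOME=home), capture_output=True)
            shutil.rmtree(home, ignore_errors=True)


if __name__ == "__main__":
    print(demo_session_key_override())
```

The session key is the random symmetric key that encrypts just this one message, so handing it over exposes nothing about any other message or your secret key.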

Lastly Schneier’s article regarding the flaws of public key infrastructure is a must read.

The sites above make for some good reading and could help you safeguard your data appropriately.

EDIT: If you are subscribed to the blog, sorry for the multiple emails for the same post. Seems to have been some sort of problem with the CSS but it seems to be fixed now.

Google Searching & Subversion

Google can be an extremely powerful tool to have at your disposal. You can use advanced operators appended to Google search strings to enhance your searching. Using this method you can find (almost) anything.

The fun thing about playing with Google operators is that there’s no limit to what you can do. The potential grows greater with time as different sites introduce different technologies which react differently to Google’s search spiders. Consider the ability to use Google to find images taken from security cameras! This is an extremely powerful exploit using a very legitimate method. Security professionals should take note. But right now we’re going to go over some basics for all the folks that don’t care about exploitation…

Operators and Symbol/Special Word Usage

If you’re not quite aware of Google’s power try using mathematical operators in your search string. Operators are:

^ + - * / are basic operators
% of - as in, "percent of."
in - as in, "340 lbs in kg."

As such these can be seen in the string:

(36+3) * 2

In which case the answer will calculate to 78, showing a neat on-screen calculator and adhering to the rules of PEMDAS (quite like your Python interpreter). By the way, if words are injected into the search, you’ll get a search for the words and numbers as opposed to getting the result of the math (such as asking Google, “What is the sum of (36+3) * 2?”).

Symbols and special words, with examples, include:

- meaning not the next word; exhaust -cars
+ must include the next word; "cats" "dogs" "ducks"
~ find word references of all sorts; dishonest ~dictionary (or wherever you want to search)
" " search exact phrase on page together; example "cats" + "dogs"
... range search; Dan Brown 1990...2012
AND such as "ducks" and "goats"
OR you probably get the point

Advanced Search Techniques/Operators

Okay cool, so we know how to say that we want to search for ducks and chickens but only if they occur on the same page so long as hens aren’t mentioned! But what else can you do?

Some advanced operators for use in the search bar can include:

book searches the content of an entire book on Google Books
define, what is, what are are all types of definition queries
cache: will give you the last recorded cached page for a specified URL; note there are cache archives out there as well.
id: or info: gives you information about a specified URL
related: will attempt to give you web pages related to the specified URL.
movie: 007; common sense.
site: can be used to search only on a specific domain
filetype: or ext: searches documents of a specific type, such as PDFs.
link: searches pages that link to a specified URL (very cool feature)
stocks: looks up stock quotes
weather: (state, zip, etc.) can give you weather reports
allinanchor: specifies a word which, when found in the alt or anchor text, will trigger a match. Useful to find sites that refer to other sites by a certain name or word.
inanchor: specifies a word that must appear in an anchor, otherwise the page isn't listed in the search results.
allintext: or intext: does the same as the two above except the word can or must be within the text of the page.
allinurl: or inurl: term must be listed within the URL.
allintitle: or intitle: refers to the title line usually shown above the file menu bar in the browser.

For more cache sites please see a list of repositories.

Okay, that’s enough for now… each of Google’s services also has its own set of advanced searches, but that goes beyond the scope of this blog entry.

So by now you realize you can mix and match results. But what else can we learn? First a word of warning…

Google’s Data Retention

Before you try and pull the wool over anybody’s eyes make sure you’re not logged into Google. Data typed into Google and with an account associated with such information will be kept indefinitely. Anonymous data collection – if you’re not logged in – will include your IP address, search string and time and date the search was made (as well as the results so that Google can monitor their search algorithms and generate statistics).

Within a certain amount of time the IP addresses are stripped from the search so that only the search words, date, time and results remain (I forgot how long, it was actually on an MSNBC documentary… what?? I don’t work for Google!).

If you’re worried about privacy use a proxy and/or VPN solution. Plain and simple.

Analyzing the Browser URL/Parameters and Google Hacking

On your browser you can get a lot of information by looking at your URL bar. You can tell where on the internet you’re going (duh)! So at its base Google may say: http://www.google.com/

Found a neat cheat sheet for reading the various parameters here: http://cdn.yoast.com/wp-content/uploads/2007/07/google-url-parameters.pdf — but what this means is essentially there’s a lot of code in there when you actually search that you probably don’t need to know.

But altering the URL line, or at least understanding it is a key to any successful “Google hack.” When we say “google hacking” we essentially mean directing or using Google search to perform tasks that we wish the search engine to accomplish. People call these “Google dorks.”

There are also exploits which can be triggered against a remote machine by using Google’s search engine. One such example is SQL Injection via Google which can be used by exploiting database code on a remote server in hopes of gaining useful information.

A great guide to Google SQL Injection can be found here @ breakthesecurity.com.

What Google hacking isn’t: Google hacks do not access restricted data on Google’s own servers. You aren’t “hacking into Google,” so if that’s what you’re looking for you should go seek psychiatric help. There’s nothing wrong with using Google dorks to accomplish tasks which would otherwise be difficult to do. However, exploiting any remote system to gain access which would otherwise be restricted to you is subject to federal and state laws. If in doubt, don’t do it.

Lastly you can also use Google searches to pull up completely benign but useful information. Such information can include a person’s entire background or even default router gateway UI login information (dlink + model # + default username and other such combinations can be extremely useful for this form of recon).

Consider the fact that many popular cross-platform password managers save their username/password database files with the same .db extension. Some people actually upload their db files right to their web server for safe keeping. Proper awareness of these security concerns is needed.

Happy hunting. The sky’s the limit!

Google Dorks

There are Google dorks for everything from searching for specific types of photos to accessing content which would otherwise be restricted to you on a remote system. Google is a public search engine and as such provides access to everything that its spiders have access to. This can be used for positive and negative gain.

Offensive Security’s Exploit DB covers Google hacks extensively here: http://www.exploit-db.com/google-dorks/

One popular dork is:

"index of /etc/passwd"

This will attempt to show you password files on systems that are also running active web servers. In this case you’d enter that text directly into the Google Search field. It’ll find pages with that content displayed chiefly on them.

Another is the ability to look up and remotely control TrackerCam security cameras using Google by manipulating the search URL in your address bar.

https://encrypted.google.com/search?num=100&hl=en&lr=&safe=off&q=intitle%3A%28%22TrackerCam+Live+Video%22%29|%28%22TrackerCam+Application+Login%22%29|%28%22Trackercam+Remote%22%29+-trackercam.com&btnG=Search

Similarly you can search using key words if you know which words a specific system uses. Consider the TrackerCam example. We know that such sites use TrackerCam Live Video, TrackerCam Application Login or TrackerCam Remote in the page’s title. So utilize the intitle option to search such pages.

The operation can be best illustrated by asking Google to search for:

intitle:("TrackerCam Live Video")|("TrackerCam Application Login")|("Trackercam Remote") -trackercam.com

As you can see, the pipe can be used to separate multiple intitle search options, following similar rules as any computer command line or program interpreter. Using common sense you can master these techniques to give you a desired outcome.

For sake of exhausting this example you can also make up something along the lines of…

inurl:log.txt intext:"password" -com

Searching log files on web servers looking for the phrase “password” found within those text files but only displaying sites ending in the .com suffix. Using that and/or replacing “password” with “username,” you can typically find information stating when a specific user does things which are log worthy (such as a web server software upgrade).

Google dorking is about using your imagination and testing it. Keep in mind, though, that all of your actions will be retained by Google in conjunction with your external IP address!

But the purpose of this post isn’t to show you how to “exploit” Google or any other web server. My goal is to help reinforce the need for companies worldwide to study their technologies and ensure that the loopholes such technologies present are within reason. A wise man once said, “knowing is half the battle.” For that reason I’ll let you, the reader, explore new Google dorks of your own.

cDc’s Goolag Dorks Scanner

One of the coolest tools I’ve ever had the chance to play with has got to be Cult of the Dead Cow’s Goolag Scanner, or gS for short. Although the tool is rather dated, it allows you to scan for Google-related exploits on a designated domain of your choice. gS will run exploits ranging from data retention/cache tests to Google dork exploration.

To find the scanner you should search around the ‘net, again, it’s really old!

In Closing

Google is an amazing tool which puts all the services of the internet at your fingertips. But service providers and technology producers alike must routinely check for exploits against their own systems. Part of this is to regularly “test” search engine accessibility: not merely for efficient optimization techniques but to ensure their systems can’t be exploited.
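The self-test recommended above can start before anything reaches a search engine: walk your own web root and flag the files the dorks in this post would surface. As an added example that is not part of the original post, the Python below audits a directory tree for copies of /etc/passwd-style files, log files containing credential keywords, and password-manager .db files; the sample web root it builds is constructed for the example, and the three reason codes are the script's own.

```python
import os
import re
import tempfile

# Detection rules (the script's own naming), one per dork discussed in the post.
REASON_PASSWD = "passwd-file-copy"          # "index of /etc/passwd"
REASON_LOG = "log-with-credential-keyword"  # inurl:log.txt intext:"password"
REASON_DB = "password-manager-db"           # .db files uploaded for "safe keeping"

PASSWD_RE = re.compile(r"^root:[^:]*:0:0:", re.M)
CREDENTIAL_RE = re.compile(r"password|username", re.I)
LOG_NAME_RE = re.compile(r"(^|[._-])log([._-]|$)", re.I)
MAX_READ = 1 << 20  # only inspect the first MiB of each file


def audit_webroot(root):
    """Return sorted [(relative_path, reason)] for files a dork could surface under root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.lower().endswith(".db"):
                findings.append((rel, REASON_DB))
                continue
            try:
                with open(path, "rb") as fh:
                    text = fh.read(MAX_READ).decode("utf-8", errors="ignore")
            except OSError:
                continue
            if PASSWD_RE.search(text):
                findings.append((rel, REASON_PASSWD))
            elif LOG_NAME_RE.search(name) and CREDENTIAL_RE.search(text):
                findings.append((rel, REASON_LOG))
    return sorted(findings)


def build_sample_webroot():
    """Constructed web root: one clean page, three exposures of the kinds described above."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "index.html": "<html><body>Welcome</body></html>\n",
        "logs/log.txt": "2012-08-01 12:00 admin changed password after upgrade\n",
        "backup/keepass.db": b"\x00\x01binary password database\x00",
        "etc-copy.txt": "root:x:0:0:root:/root:/bin/bash\nnobody:x:65534:65534::/:/sbin/nologin\n",
        "notes.txt": "nothing sensitive here\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        mode = "wb" if isinstance(content, bytes) else "w"
        with open(path, mode) as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, reason in audit_webroot(build_sample_webroot()):
        print(f"{reason:28} {rel}")
```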

I hope that you’ve also learned a thing or two about advanced Google searching. Whether you’re an investigator or an every-day user, you can use the techniques discussed here to improve your search experience online.