Google can be an extremely powerful tool to have at your disposal. You can use advanced operators appended to Google search strings to enhance your searching. Using this method you can find (almost) anything.
The fun thing about playing with Google operators is that there’s no limit to what you can do. The potential grows greater with time as different sites introduce different technologies which react differently to Google’s search spiders. Consider the ability to use Google to find images taken from security cameras! This is an extremely powerful exploit using a very legitimate method. Security professionals should take note. But right now we’re going to go over some basics for all the folks that don’t care about exploitation…
Operators and Symbol/Special Word Usage
If you’re not quite aware of Google’s power try using mathematical operators in your search string. Operators are:
^ + - * / are basic operators % of - as in, "percent of." in - as in, "340 lbs in kg."
As such these can be seen in the string:
(36+3) * 2
At which case the answer will calculate to 78, showing a neat on-screen calculator and adhering to the rules of PEMDAS (quite like your Python interpreter). By the way, if words are injected into the search, you’ll get a search for the words and numbers as opposed to getting a sum of the math (such as asking Google, “What is the sum of (36+3) * 2?”)
Symbols and Special Words with examples can include (text being modified is in blue for ease of reading):
- meaning not the next word; exhaust -cars + must include the next word; "cats" "dogs" "ducks" ~ find word references of all sorts; dishonest ~dictionary (or wherever you want to search) " " search exact phrase on page together; example "cats" + "dogs" ... range search; Dan Brown 1990...2012 AND such as "ducks" and "goats" OR you probably get the point
Advanced Search Techniques/Operators
Okay cool, so we know how to say that we want to search for ducks and chickens but only if they occur on the same page so long as hens aren’t mentioned! But what else can you do?
Some advanced operators for use in the search bar can include:
book searches the content of an entire book on Google Books define, what is, what are these are all types of definition queries cache:* will give you the last recorded cached page for a specified URL; note there are cache archives out there as well. id: or info: gives you information about a specified URL related: will attempt to give you related web pages to the specified URL. movie: 007; common sense. site: can be used to search only on a specific domain filetype: or ext: searches documents of a specific types such as PDFs. link: searches pages that are linked to a specified URL (very cool feature) stocks: looks up stock quotes weather: (state, zip, etc) can result in giving you weather reports allinanchor: specifies a word which, when found in the alt or anchor will trigger. Useful to find sites that refer to other sites by a certain name or word. inanchor: specifies a word that must appear in an anchor otherwise it isn't listed in the search results. allintext: or intext: does the same as the two above except the word can or must be within the text of the page. allinurl: or inurl: term must be listed within the URL. allintitle: or intitle: refers to the title line usually shown about the file menu bar in the browser.
For more cache sites please see a list of repositories.
Okay that’s enough for now… each of Google’s Services also have their own set of advanced searches but such goes beyond the scope of this blog entry.
So by now you realize you can mix and match results. But what else can we learn? First a word of warning…
Google’s Data Retention
Before you try and pull the wool over anybody’s eyes make sure you’re not logged into Google. Data typed into Google and with an account associated with such information will be kept indefinitely. Anonymous data collection – if you’re not logged in – will include your IP address, search string and time and date the search was made (as well as the results so that Google can monitor their search algorithms and generate statistics).
Within a certain amount of time the IP addresses are stripped from the search so that only the search words, date, time and results remain (I forgot how long, it was actually on an MSNBC documentary… what?? I don’t work for Google!).
If you’re worried about privacy use a proxy and/or VPN solution. Plain and simple.
Analyzing the Browser URL/Parameters and Google Hacking
On your browser you can get a lot of information by looking at your URL bar. You can tell where on the internet you’re going (duh)! So at its base Google may say: http://www.google.com/
Found a neat cheat sheet for reading the various parameters here: http://cdn.yoast.com/wp-content/uploads/2007/07/google-url-parameters.pdf — but what this means is essentially there’s a lot of code in there when you actually search that you probably don’t need to know.
But altering the URL line, or at least understanding it is a key to any successful “Google hack.” When we say “google hacking” we essentially mean directing or using Google search to perform tasks that we wish the search engine to accomplish. People call these “Google dorks.”
There are also exploits which can be triggered against a remote machine by using Google’s search engine. One such example is SQL Injection via Google which can be used by exploiting database code on a remote server in hopes of gaining useful information.
A great guide to Google SQL Injection can be found here @ breakthesecurity.com.
What Google hacking isn’t: Google hacks do not access restricted data on Google’s own servers. You aren’t “hacking into Google,” so if that’s what you’re looking for you should go seek psychiatric help. There’s nothing wrong with using Google dorks to accomplish tasks which would otherwise be difficult to do. However, exploiting any remote system to gain access which would otherwise be restricted to you is subject to federal and state laws. If in doubt, don’t do it.
Lastly you can also use Google searches to pull up completely benign but useful information. Such information can include a person’s entire background or even default router gateway UI login information (“dlink“ + “model #“ + “default username“ and other such combines can be extremely useful at this form of recon).
Consider the fact that many popular cross-platform password managers save their username/password database files with the same .db extension. Some people actually upload their db files right to their web server for safe keeping. Proper awareness of these security concerns are needed.
Happy hunting. The sky’s the limit!
Google Dorks
There are Google dorks for everything from searching for specific types of photos to accessing content which would otherwise be restricted to you on a remote system. Google is a public search engine and as such provides access to everything that its spiders have access to. This can be used for positive and negative gain.
Offensive Security’s Exploit DB covers Google Hacks extensively here and can be located here: http://www.exploit-db.com/google-dorks/
One popular dork is:
"index of /etc/passwd"
Which will attempt to show you password files on systems that are also running active web servers. In this case you’d enter that text directly into the Google Search field. It’ll find pages with that content displayed chiefly on it.
Another is the ability to look up and remotely control TrackerCam security cameras using Google but by manipulating your search bar.
https://encrypted.google.com/search?num=100&hl=en&lr=&safe=off&q=intitle%3A%28%22TrackerCam+Live+Video%22%29|%28%22TrackerCam+Application+Login%22%29|%28%22Trackercam+Remote%22%29+-trackercam.com&btnG=Search
Similarly you can search using key words if you know which words a specific system uses. Consider the TrackerCam example. We know that such sites use Trackercam Live Video, TrackerCam Application Login, Trackercam Live Video in the page’s title. So utilize the intitle option to search such pages.
The operation can be best illustrated by asking Google to search for:
intitle:("TrackerCam Live Video")|("TrackerCam Application Login")|("Trackercam Remote") -trackercam.com
As you can see, the pipe can be used to separate multiple intitle search options, following similar rules as any computer command line or program interpreter. Using common sense you can master these techniques to give you a desired outcome.
For sake of exhausting this example you can also make up something along the lines of…
inurl:log.txt intext:"password" -com
Searching log files on web servers looking for the phrase “password” found within those text files but only displaying sites ending in the .com suffix. Using that and/or replacing “password” with “username,” you can typically find information stating when a specific user does things which are log worthy (such as a web server software upgrade).
Google dorks is about using your imagination and testing it. Keep in mind though all of your actions will be retained via Google in conjunction with your external IP address!
But the purpose of this post isn’t to show you how to “exploit” Google or any other web server. My goal is to help reinforce the need for companies worldwide to study their technologies and ensure that the loopholes such technologies present are within reason. A wise man once said, “knowing is half the battle.” For that reason I’ll let you, the reader, explore new Google dorks of your own.
cDc’s Goolag Dorks Scanner
One of the coolest tools I’ve ever had the chance to play with has got to be Cult of the Dead Cow‘s Goolag Scanner, or gS for short. Although the tool is rather dated, it allows you to scan for Google-related exploits on a designated domain of your choice. gS will run exploits ranging from data retention/cache tests to Google dork exploration.
To find the scanner you should search around the ‘net, again, it’s really old!
In Closing
Google is an amazing tool which puts all the services of the internet at your fingertips. But service providers and technology producers alike must routinely check for exploits to their own system. Part of this is to regularly “test” search engine accessibility. Not merely for efficient optimization techniques but to ensure their systems can’t be exploited.
I hope that you’ve also learned a thing or two about advanced Google searching. Whether you’re an investigatorĀ or every-day-user, you can use the techniques discussed here to improve your search experience online.