- Leverage the power of Google for recon through advanced search operators

- Pioneered by Johnny Long

- [Google Hacking for Penetration Testers, Third Edition](https://www.amazon.com/Google-Hacking-Penetration-Testers-Third/dp/0128029641)

- [Google Hacking Database](https://www.exploit-db.com/google-hacking-database/)

- Search functionality needs improvement

- Good for viewing categories

- <https://github.com/JohnTroony/Google-dorks/blob/master/google-dorks.txt>

- Good for overall search

- After we learn a search operator, search here for other applications

- Level: All

- Course [Notes](https://sts.show/google-hacking-1) and [Errata](https://sts.show/google-hacking-1-errata)

- Focus on search operators in practical situations

- Not every Google search operator will be covered

- Examples

- Phishing campaign simulation

- Leveraging financial documents from Board Of Director's meetings

- Searching nginx logs for error responses while adjusting for output variability

- How to find admin area source code (or other functionality)

- Search timestamp ranges within PHP error logs

- From a recon perspective, why is Google hacking advantageous?

- Passive

- Hard to trace

- Google makes the connection to the site, not you

- Search for `Google Dorking`

- Synonymous with Google Hacking

- Helpful websites

- <http://www.googleguide.com/contents/>

- <https://www.google.com/advanced_search>

- Not as powerful

- Can leverage if you need to get going ASAP

- Scenario

- Phishing campaign will be aimed at

- State employees who recently got a raise through the budgeting process

- "confidential employees"

- State employees who have access to privileged information

- Phish email from "HR"

- "Due to your recent salary adjustment, we need to confirm your banking information. Click <span class="underline">here</span> to confirm your bank account on file"

- Link will redirect to a fake employee portal that steals login credentials

- Social Engineering

- Trust is implicitly built through disclosure of sensitive information

- This information is commonly found via Google Dorks

- `filetype:(doc | pdf | xls | txt | rtf | odt | ppt ) intext:(confidential salary` `| "salary schedule")`

- `()`

- Logical grouping

- `OR`

- Note the uppercase

- AKA `|`

- If there isn't an explicit `|`, an `AND` is implied

- Within text

- Googling `WPA2 KRACK Vulnerability`

- Adjacent search operators

- `filetype:(doc | pdf | xls | txt | rtf | odt | ppt ) intext:(confidential salary` `| "salary schedule")`

- NOT

- `filetype: (doc | pdf | xls | txt | rtf | odt | ppt)`

- True for all operators

- [Common file formats indexed by Google](https://support.google.com/webmasters/answer/35287?hl=en)

- Can search for file extensions not on this list

- Ex: `filetype:md`

- Q: Why would this be useful?

- `filetype:(doc | pdf | xls | txt | rtf | odt | ppt ) intext:(confidential salary` `| "salary schedule")`

- `filetype:pdf`

- Will return

- this-is-actually-a-pdf.txt

- [Common file formats indexed by Google](https://support.google.com/webmasters/answer/35287?hl=en)

- Extensions on this list are guaranteed to have this special property

- this-isn't-a-pdf.pdf

- this-is-a-pdf.pdf

- `filetype:(doc | pdf | xls | txt | rtf | odt | ppt ) intext:(confidential salary` `| "salary schedule")`

- Helpful for constraining a search to a document's body

- Regular Google search can match page titles, items in the url path, etc.

- `intext:(confidential salary | "salary schedule")`

- Has `confidential` AND `salary` somewhere in the text body

- `"salary schedule"`

- Exact match

- We leave this search relatively vague to capture other results of interest

- We don't do `intext:("confidential employee" | "salary schedule")`

- Problems

- Look at query

- Too many false positives

- `filetype:(doc | pdf | xls | txt | rtf | odt | ppt ) intext:(confidential

salary |` `"salary schedule") inurl:(confidential "board approved */*/17")`

- `confidential`

- Must be in the url

- `"board approved */*/17"`

- Can be in the url or anywhere within the document

- `*` is expanded to one or more words

- Cross-check via bold in the results output

- Search Ex.

- Doesn't work well for non-words

- Ex: `inurl:"sid=*"`

- `sid` is for a PHP session

- Through a proxy log dork, we can find sensitive urls/url parameters

1. URL Data leakage

- Common for all GET requests/responses to be logged at the proxy layer

- Best practice is to place sensitive information within the POST body

- Ex: session id, sensitive tokens, SSNs, etc.

- Often placed within a GET request

- Ex: <https://example.com/256993ac-ba65-11e7-8e6d-0242ac110003/profile>

- Ex: <https://example.com/profile?sid=256993ac-ba65-11e7-8e6d-0242ac110003>

2. Abnormal response codes

- <https://en.wikipedia.org/wiki/List_of_HTTP_status_codes>

- Example in next slide

- `TERM 1` `AROUND(2)` `TERM 2`

- `TERM 1` is within 2 words of `TERM 2`

- Capitalize `AROUND` for more consistent results

- Useful for searching documents where the ordering of terms can be customized

- Ex: Logs

- Nginx Log Ex:

- `- - - - "GET / HTTP/1.1" STATUS_CODE - - -`

- Put `-` to simplify

- `filetype:log inurl:(access.log | error.log) intext:("HTTP/" AROUND(5) 500)` `-site:github.com`

- Scopes a search to a particular domain

- Can even be a TLD

- `site:.net`

- `site:github.com`

- Will match `github.com` and `*.github.com`

- Leave out `www` to ensure search of all subdomains

- `filetype:log inurl:(access.log | error.log) intext:("HTTP/" AROUND(5) 500)` `-site:github.com`

- `-site:github.com`

- Helps us remove example logs that are false positives

- Or are they?

- For targeted search don't discard

- Stackoverflow for recon

- Review Ex.

- `-site:github.com -next -last -reply -"I want to leave this out"`

- Make sure search results don't contain a given&#x2026;

- operator

- word

- `-next` will help negate help forum results

- phrase

- Finds a given number range

- `warning error on line php filetype:log 2015..2017`

- Search php error logs for a given timestamp

- Ex.

- Finds text within a link/anchor

- `inanchor:admin site:hackthissite.org`

- Great way to find admin portals

- How can we remove some of the clutter from the results?

- Ex.

- Searches through page titles

- `inanchor:admin site:hackthissite.org -intitle:"view topic"`

- Why did the source code come up in the results?

- Ex.

- Overall Google functionality

- <http://www.googleguide.com/contents/>

- Operators

- <https://support.google.com/websearch/answer/2466433?hl=en>

- `cache:`

- Tools

- <https://github.com/Ekultek/Zeus-Scanner>

- Dork lists

- [Google Hacking Database](https://www.exploit-db.com/google-hacking-database/)

- <https://github.com/JohnTroony/Google-dorks/blob/master/google-dorks.txt>

version: "3"

services:

node:

build:

context: .

dockerfile: node-dockerfile

image: "securingthestack/injection-fundamentals-1"

user: "node"

working_dir: /home/node/app

environment:

- NODE_ENV=dev

- NPM_CONFIG_LOGLEVEL=info

volumes:

- ./src:/home/node/app/src

command: ["./node-dockerfile-wrapper.sh", "$EX_NUM", "$EXEC_MODE"]

FROM node

# For simplicity, we're keeping this Dockerfile very small.

# From a security perspective, this Dockerfile shouldn't

# be considered "production ready".

ARG NODE_PATH=/home/node/app/

COPY package.json $NODE_PATH

COPY sensitive-file.txt $NODE_PATH

COPY src $NODE_PATH/src

COPY node-dockerfile-wrapper.sh $NODE_PATH

RUN apt-get update && apt-get install -y python3 \

&& cd $NODE_PATH \

&& chown node:node node-dockerfile-wrapper.sh \

&& chmod +x node-dockerfile-wrapper.sh \

&& npm install

CMD ["bash"]

EX_NUM=$1

EXEC_MODE=$2

ENV_SECRET="This is a secret"

if [[ -z "${EX_NUM// }" ]]; then

echo "Please set EX_NUM"

echo "Ex: EX_NUM=1 docker-compose up"

echo "Additional help: https://sts.tools/setup"

exit 1

python -m SimpleHTTPServer 8081 &

status=$?

if [ $status -ne 0 ]; then

echo "Failed to start python: $status"

exit $status

npx "${EXEC_MODE:-nodemon}" "src/${EX_NUM}/${FILE:-app.js}"

status=$?

if [ $status -ne 0 ]; then

echo "Failed to start Node: $status"

exit $status

while /bin/true; do

ps aux | grep nodemon | grep -q -v grep

PROCESS_1_STATUS=$?

ps aux | grep python | grep -q -v grep

PROCESS_2_STATUS=$?

# If the greps above find anything, they will exit with 0 status

# If they are not both 0, then something is wrong

if [ $PROCESS_1_STATUS -ne 0 -o $PROCESS_2_STATUS -ne 0 ]; then

echo "One of the processes has already exited."

exit -1

fi

sleep 60

{

"name": "securingthestack",

"version": "1.0.0",

"description": "Interactive Examples",

"main": "",

"scripts": {

"test": "echo \"Error: no test specified\" && exit 1"

},

"repository": {

"type": "git",

"url": "git+https://github.com/SecuringTheStack/tutorials.git"

},

"author": "Zach Roof",

"license": "SEE LICENSE IN license.org",

"bugs": {

"url": "https://github.com/SecuringTheStack/tutorials/issues"

},

"homepage": "https://github.com/SecuringTheStack/tutorials#readme",

"devDependencies": {

"nodemon": "^1.12.7"

}

}