Credit card finding dork

Carding

Good dorks for SQL Dumper

Code:
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:historialeer.php?num=
inurl:reagir.php?num=
inurl:Stray-Questions-View.php?num=
inurl:forum_bds.php?num=
inurl:game.php?id=
inurl:view_product.php?id=
inurl:newsone.php?id=
inurl:sw_comment.php?id=
inurl:news.php?id=
inurl:avd_start.php?avd=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:sql.php?id=
inurl:news_view.php?id=
inurl:select_biblio.php?id=
inurl:humor.php?id=
inurl:aboutbook.php?id=
inurl:ogl_inet.php?ogl_id=
inurl:fiche_spectacle.php?id=
inurl:communique_detail.php?id=
inurl:sem.php3?id=
inurl:kategorie.php4?id=
inurl:news.php?id=
inurl:index.php?id=
inurl:faq2.php?id=
inurl:show_an.php?id=
inurl:preview.php?id=
inurl:loadpsb.php?id=
inurl:opinions.php?id=
inurl:spr.php?id=
inurl:pages.php?id=
inurl:announce.php?id=
inurl:clanek.php4?id=
inurl:participant.php?id=
inurl:download.php?id=
inurl:view.php?id=
inurl:website.php?id=
inurl:hosting_info.php?id=
allinurl:*.php?txtCodiInfo=
inurl:read.php?=
inurl:"ViewerFrame?Mode="
inurl:index.php?id=
inurl:gallery.php?id=
inurl:rub.php?idr=
inurl:view_faq.php?id=
inurl:artikelinfo.php?id=
inurl:detail.php?ID=
inurl:index.php?=
inurl:profile_view.php?id=
inurl:category.php?id=
inurl:publications.php?id=
inurl:fellows.php?id=
inurl:downloads_info.php?id=
inurl:prod_info.php?id=
inurl:shop.php?do=part&id=
inurl:productinfo.php?id=
inurl:collectionitem.php?id=
inurl:band_info.php?id=
inurl:product.php?id=
inurl:releases.php?id=
inurl:ray.php?id=
inurl:produit.php?id=
inurl:pop.php?id=
inurl:shopping.php?id=
inurl:main.php?id=
inurl:review.php?id=
inurl:chappies.php?id=
inurl:prod_detail.php?id=
inurl:viewphoto.php?id=
inurl:article.php?id=
inurl:person.php?id=
inurl:productinfo.php?id=
inurl:showimg.php?id=
inurl:productdetail.php?id=
inurl:post.php?id=
inurl:viewshowdetail.php?id=
inurl:clubpage.php?id=
inurl:memberInfo.php?id=
inurl:section.php?id=
inurl:theme.php?id=
inurl:page.php?id=
inurl:shredder-categories.php?id=
inurl:tradeCategory.php?id=
inurl:product_ranges_view.php?ID=
inurl:shop_category.php?id=
inurl:transcript.php?id=
inurl:channel_id=
inurl:item_id=
inurl:newsid=
inurl:trainers.php?id=
inurl:news-full.php?id=
inurl:news_display.php?getid=
inurl:index2.php?option=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:newsone.php?id=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:sql.php?id=
inurl:aboutbook.php?id=
inurl:preview.php?id=
inurl:loadpsb.php?id=
inurl:pages.php?id=
inurl:material.php?id=
inurl:clanek.php4?id=
inurl:announce.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:viewapp.php?id=
inurl:viewphoto.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:review.php?id=
inurl:iniziativa.php?in=
inurl:curriculum.php?id=
inurl:labels.php?id=
inurl:story.php?id=
inurl:look.php?ID=
inurl:newsone.php?id=
inurl:aboutbook.php?id=
inurl:material.php?id=
inurl:opinions.php?id=
inurl:announce.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:tekst.php?idt=
inurl:newscat.php?id=
inurl:newPayPaler_info.php?idn=
inurl:rubrika.php?idr=
inurl:rubp.php?idr=
 

Carding 4 Carders


Google Dork

Penetration tests usually require a set of special utilities, but one of them is available to everyone and always at hand: the Google search engine. You just need to know how to use it. Google Dork Queries are cleverly crafted search-engine queries that help surface data that is publicly accessible but hidden from casual view.

Useful Google commands
Among all the Google advanced search operators, we are mainly interested in four:
  • site - searches a specific site;
  • inurl - indicates that the search words must be part of the web address itself;
  • intitle - searches in the title of web pages;
  • ext or filetype - searches for files of a certain type by extension.

Also, when composing a query, you need to remember several operators that are written with special characters.
  • | - vertical bar, also known as the OR operator (logical or). Specifies that results should contain at least one of the words listed in the query.
  • "" - quotation marks. Indicate a search for an exact match.
  • - - minus sign. Used to clean up the search results by excluding results containing the words specified after the minus sign.
  • * - asterisk, or star. Used as a mask and means "anything".

Password hunting
Credentials for various web services are a tasty morsel for a hacker. Sometimes you can get them in just one click, or more precisely, one query to Google. For example, with a primitive query like this:

Code:
ext:pwd (administrators | users | lamers | service)

This query will find all files with the extension .pwd that contain at least one of the words listed in parentheses. However, there will be a lot of garbage in the search results, so you can clean it up by removing users and other lamers. One option:

Code:
inurl:_vti_pvt/administrators.pwd

Pay attention to the domain.

This is already a targeted query. It finds files with that exact name on servers running FrontPage Extensions. The editor of the same name has sunk into oblivion, but its server extensions are still in use. The account data in administrators.pwd is encrypted using the DES algorithm. It can be cracked with John the Ripper or one of the cloud password-cracking services.

[Screenshot: Administrators.pwd]

With FTP everything is the same, only you need to search for configuration files, .cfg or .ini. They often store usernames in plaintext and passwords in weakly encrypted form. For example, this simple query will give you a pile of Asian sites where a locally made, leaky FTP client is popular.

Code:
inurl:"[FFFTP]" ext:ini

[Screenshot: FTP passwords]

On the one hand, in its default settings FFFTP uses AES encryption in CBC mode with the SHA-1 hashing function. On the other hand, the implementation of the cryptographic procedures is weakened, and there is a ready-made utility for brute-forcing such passwords.

Web exploration
Sometimes it is useful to study the structure of a site by getting a list of the files on it. If the site is built on the WordPress engine, the file repair.php stores the names of other PHP scripts. The inurl operator tells Google to search for the first word in the link body. If we had written allinurl, the search would have covered the whole link body and the output would have been noisier. So a query of this form is enough:

Code:
inurl:/maint/repair.php?repair=1

As a result, you will get a list of WP sites where you can view the structure via repair.php.

[Screenshot: Studying the site structure on WP]

WordPress installations with unnoticed configuration errors cause administrators a lot of problems. From an open log you can learn at least the names of scripts and uploaded files.

Code:
inurl:"wp-content/uploads/file-manager/log.txt"

In our experiment, the simplest query allowed us to find a direct link to the backup in the log and download it.

[Screenshot: We find valuable information in the WP logs]

A lot of valuable information can be extracted from logs. It is enough to know what they look like and how they differ from the mass of other files. For example, pgAdmin, an open source database administration interface, creates a service file pgadmin.log. It often contains user names, database column names, internal addresses, and so on. The log is found with an elementary query:

Code:
ext:log inurl:"/pgadmin"

[Screenshot: pgAdmin log]

There is an opinion that open source means secure code. However, open source only means that the code can be studied, and the goals of such study are not always good. For example, Symfony Standard Edition is a popular web application development framework. When deployed, it automatically creates a file parameters.yml in the /app/config/ directory, where it stores the database name as well as the username and password. You can find this file with the following query:

Code:
inurl:app/config/ intext:parameters.yml intitle:index.of

[Screenshot]

Of course, the password may have been changed later, but most often it remains the same as it was set at the deployment stage.

The open source UniFi API browser tool is increasingly used in corporate environments. It is used to manage segments of wireless networks built on the "seamless Wi-Fi" principle, that is, an enterprise deployment scheme where multiple access points are managed from a single controller.

The utility is designed to display data requested via Ubiquiti's UniFi Controller API. It allows you to easily view statistics, information about connected clients, and other server performance information via the UniFi API.

The developer honestly warns: "Please do keep in mind this tool exposes A LOT OF the information available in your controller, so you should somehow restrict access to it! There are no security controls built into the tool..." But many people don't seem to take these warnings seriously.

If you know about this feature and make one more specific request, you will see a lot of service data, including application keys and passphrases.

Code:
inurl:"/api/index.php" intitle:UniFi

[Screenshot: WPA PSK, app key and password]

General search rule: first, define the most specific words that characterize the chosen target. If it is a log file, what makes it different from other logs? If it is a file with passwords, where and in what form can they be stored? Marker words are always located in a specific place, for example in the title of a web page or in its address. By limiting the search area and setting precise markers, you get raw search results. Then you clean them of garbage by refining the query.

NAS for us
Home and office network storage is now popular. The NAS function is supported by many external drives and routers. Most of their owners do not bother with protection and do not even change default passwords like admin/admin. You can find popular NASes by their typical web page titles. For example, the query

Code:
intitle:"Welcome to QNAP Turbo NAS"

displays a list of QNAP NAS devices by IP. It only remains to find a weakly protected one among them.

[Screenshot: One of the NAS]

The QNAP cloud service (like many others) has a function for sharing files via a private link. The problem is that it is not so private.

Code:
inurl:share.cgi?ssid=

This simple request shows files shared through the QNAP cloud. You can view them directly from the browser or download them for more detailed information.

[Screenshot: Finding shared files]

Looking for IP cameras, media servers, and other web admin panels
In addition to NAS, you can use advanced Google queries to find a lot of other network devices that are managed via a web interface. Most often CGI scripts are used for this, so the file main.cgi is a promising target. However, it can be found anywhere, so it is better to refine the query, for example by adding a typical parameter to it, ?next_file. As a result, we get a dork of the form

Code:
inurl:"img/main.cgi?next_file"

This is most often how IP cameras are located. Read more about their detection and use in the article "Keep your eyes open. How IP and web cameras are hacked and how to protect yourself from it."

[Screenshot: We found one of the IP cameras]

In addition to cameras, there are also media servers that are open to everyone in the same way. This is especially true of the Twonky servers produced by Lynx Technology. They have a very recognizable name, and the default port is 9000. For cleaner search results, it is better to specify the port number in the URL and exclude it from the text part of web pages. The query takes the form

Code:
intitle:"twonky server" inurl:"9000" -intext:"9000"

Usually, a Twonky server is a huge media library that shares content via UPnP. Authorization on them is often disabled "for convenience".

[Screenshot: Video library by year]

Big data - big vulnerabilities
Big data is on the rise right now: it is believed that if you add Big Data to anything, it will magically work better. In reality there are very few real experts on the topic, and with the default configuration, big data leads to big vulnerabilities. Hadoop is one of the simplest ways to compromise terabytes and even petabytes of data. This open source platform uses well-known page titles, port numbers, and service pages that make it easy to find the nodes it manages.

Code:
intitle:"Namenode information" AND inurl:":50070/dfshealth.html"

With this combined query, we get search output listing vulnerable Hadoop-based systems. You can browse the HDFS file system directly from the browser and download any file.

[Screenshot: Big Data? Big vulnerabilities!]

[Screenshot: HDFS browser]

Conclusions
Google Dork Queries (GDQ) are a set of queries designed to identify the most serious security holes: anything that isn't properly hidden from search robots. For brevity, such queries are simply called dorks, just like those admins whose resources were hacked using GDQ. The most interesting dorks are fresh ones, and the freshest are those you found yourself. However, if you get too carried away with experiments, Google will block you until you enter the captcha.

Thank you for reading this!
 
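An added example (not code from either post, nor from any tool mentioned in them): a small Python model of the dork grammar the second post describes, used to check which dorks a page would answer to. It parses the operators listed above (site, inurl, intitle, intext, ext/filetype, quoted phrases, | or OR, leading -, * and parentheses) into a predicate and runs the thread's queries, including one from the first post's SQL Dumper list, over constructed page records. The hosts, addresses, titles and the placeholder hash are made up for illustration, and the matching is a deliberate simplification of Google's: only "." doubles as a word separator, allinurl is handled like inurl, and brackets such as those in inurl:"[FFFTP]" are not stripped.

```python
"""Model of the Google dork syntax used in this thread (added example, not from
the original posts). Simplified on purpose: Google also strips punctuation,
stems and ranks; here only '.' doubles as a word separator (intitle:index.of
therefore matches "Index of /")."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass
class Page:
    url: str    # URL as a crawler would index it
    title: str  # <title> contents
    text: str   # visible body text

# Token: "(", ")", "|", or a term = optional "-", optional "op:", then a quoted
# phrase or an unquoted run with no whitespace, parentheses, pipes or quotes.
_TOKEN = re.compile(r'\(|\)|\||-?(?:[a-z]+:)?(?:"[^"]*"|[^\s()|"]+)', re.I)
_OPS = {"site", "inurl", "allinurl", "intitle", "allintitle", "intext", "ext", "filetype"}

def _pattern(value):
    """Dork value -> case-insensitive regex; '*' matches anything, '.' may be a space."""
    parts = [re.escape(p).replace(r"\.", r"[.\s]") for p in value.strip('"').split("*")]
    return re.compile(".*?".join(parts), re.I)

def _term_matches(term, page):
    negate, term = term.startswith("-"), term.lstrip("-")
    op, _, value = term.partition(":")
    if not value or op.lower() not in _OPS:   # bare word/phrase (or e.g. "http://...")
        op, value = "any", term
    op, pat, parsed = op.lower(), _pattern(value), urlparse(page.url)
    host, plain = (parsed.hostname or "").lower(), value.strip('"').lower()
    if op == "site":
        hit = host == plain or host.endswith("." + plain)
    elif op in ("ext", "filetype"):
        hit = parsed.path.lower().endswith("." + plain)
    elif op in ("inurl", "allinurl"):       # allinurl handled like inurl in this model
        hit = bool(pat.search(page.url))
    elif op in ("intitle", "allintitle"):
        hit = bool(pat.search(page.title))
    elif op == "intext":
        hit = bool(pat.search(page.text))
    else:                                   # unscoped term: anywhere in the document
        hit = any(pat.search(f) for f in (page.title, page.text, page.url))
    return hit != negate

def compile_dork(query):
    """Parse a dork into predicate(page) -> bool.  expr := group+ (implicit AND,
    literal AND accepted); group := atom (('|'|'OR') atom)*; atom := '(' expr ')' | term."""
    tokens, pos = _TOKEN.findall(query), 0

    def atom():
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok != "(":
            return lambda page: _term_matches(tok, page)
        inner = expr()
        pos += 1                            # consume ')'
        return inner

    def group():
        nonlocal pos
        alts = [atom()]
        while pos < len(tokens) and tokens[pos].upper() in ("|", "OR"):
            pos += 1
            alts.append(atom())
        return lambda page: any(a(page) for a in alts)

    def expr():
        nonlocal pos
        parts = []
        while pos < len(tokens) and tokens[pos] != ")":
            if tokens[pos].upper() == "AND":
                pos += 1
            else:
                parts.append(group())
        return lambda page: all(p(page) for p in parts)

    return expr()

def audit(dorks, pages):
    """Map each dork to the URLs in `pages` (e.g. your own sitemap) it would surface."""
    return {d: [p.url for p in pages if compile_dork(d)(p)] for d in dorks}

# Constructed sample pages: documentation/private addresses, placeholder hash, no real hosts.
SAMPLE_PAGES = [
    Page("http://203.0.113.10/cgi-bin/login.html", "Welcome to QNAP Turbo NAS", "Login"),
    Page("http://198.51.100.7:9000/webconfig", "Twonky Server", "Media library by year"),
    Page("http://example.net/9000-things/twonky", "Twonky Server", "listens on port 9000"),
    Page("http://intranet.example.org/pgadmin/pgadmin.log", "", "user=postgres db=crm"),
    Page("http://shop.example.com/app/config/", "Index of /app/config", "parameters.yml"),
    Page("http://10.0.0.5:50070/dfshealth.html", "Namenode information", "DFS Used: 3 TB"),
    Page("http://www.example.com/_vti_pvt/administrators.pwd", "", "admin:PLACEHOLDER"),
    Page("http://shop.example.com/view_product.php?id=42", "Product 42", "Buy now"),
]
SAMPLE_DORKS = [                             # from the second post, plus one SQL Dumper dork
    'intitle:"Welcome to QNAP Turbo NAS"',
    'intitle:"twonky server" inurl:"9000" -intext:"9000"',
    'ext:log inurl:"/pgadmin"',
    "inurl:app/config/ intext:parameters.yml intitle:index.of",
    'intitle:"Namenode information" AND inurl:":50070/dfshealth.html"',
    "ext:pwd (administrators | users | lamers | service)",
    "inurl:view_product.php?id=",
]
```

Calling audit(SAMPLE_DORKS, SAMPLE_PAGES) returns exactly one hit per dork: the decoy Twonky page at example.net is rejected by -intext:"9000" even though its title and URL match, and the FrontPage file is caught by the parenthesised OR group through the word in its URL. Feed audit() the URLs and titles from your own sitemap or crawl instead of SAMPLE_PAGES to see what the thread's dorks would expose on your hosts before a search engine indexes it; a hit is a file or panel to lock down (authentication, noindex, robots exclusion) and, for the credential files, a password to rotate.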