Kenny
Google a Hackers Dream come true


****************************** ComSec ***********************************
================================================================

article by: ComSec

date: 25.5.2003

Simplified



INTRO

a week or so back i had an e-mail from a friend (FLW) asking me if i had any info on google search tips

he was surprised at the amount of info available and open via google...this got me thinking, well i have seen many various search strings in several papers....so i thought i would put them all together on the one page...and update as new ones are discovered...so if i missed any to be added to the list please let me know and i shall add some more....

i hold no responsibility for what you do via the information supplied here...this is for educational purpose only , use at your own risk you have been warned

thanks

ComSec aka ZSL


SUMMARY

Everyone knows google in the security sector...and what a powerful tool it is, just by entering certain search strings you can gain a vast amount of knowledge and information of your chosen target...often revealing sensitive data...this is all down to badly configured systems...brought on by sloppy administration allowing directory indexing and accessing, password files, log entries, files, paths, etc, etc


Search Tips

so how do we start ?

the common search inputs below will give you an idea...for instance if you want to search for an index of "root"

in the search box put in exactly as you see it in bold

===================

example 1:


allintitle: "index of/root"


result:

http://www.google.com/search?hl=en&ie=ISO-...G=Google+Search

what it reveals is 2,510 pages that you can possibly browse at your will...

====================

example 2


inurl:"auth_user_file.txt"

http://www.google.com/search?num=100&hl=en...G=Google+Search

this result spawned 414 possible files to access

here is an actual file retrieved from a site and edited, we know who the admin is and we have the hashes, that's a job for JTR (john the ripper)

txUKhXYi4xeFs|master|admin|Worasit|Junsawang|xxx@xxx|on
qk6GaDj9iBfNg|tomjang||Bug|Tom|xxx@xxx|on

with the many variations below, it should keep you busy for a long time mixing them reveals many different permutations

*************************************

SEARCH PATHS more to be added

*************************************

"Index of /admin"
"Index of /password"
"Index of /mail"
"Index of /" +passwd
"Index of /" +password.txt
"Index of /" +.htaccess
index of ftp +.mdb allinurl:/cgi-bin/ +mailto

administrators.pwd.index
authors.pwd.index
service.pwd.index
filetype:config web
global.asax index

allintitle: "index of/admin"
allintitle: "index of/root"
allintitle: sensitive filetype:doc
allintitle: restricted filetype :mail
allintitle: restricted filetype:doc site:gov

inurl:passwd filetype:txt
inurl:admin filetype:db
inurl:iisadmin
inurl:"auth_user_file.txt"
inurl:"wwwroot/*."


top secret site:mil
confidential site:mil

allinurl: winnt/system32/ (get cmd.exe)
allinurl:/bash_history

intitle:"Index of" .sh_history
intitle:"Index of" .bash_history
intitle:"index of" passwd
intitle:"index of" people.lst
intitle:"index of" pwd.db
intitle:"index of" etc/shadow
intitle:"index of" spwd
intitle:"index of" master.passwd
intitle:"index of" htpasswd
intitle:"index of" members OR accounts
intitle:"index of" user_carts OR user_cart

ALTERNATIVE INPUTS

_vti_inf.html
service.pwd
users.pwd
authors.pwd
administrators.pwd
shtml.dll
shtml.exe
fpcount.exe
default.asp
showcode.asp
sendmail.cfm
getFile.cfm
imagemap.exe
test.bat
msadcs.dll
htimage.exe
counter.exe
browser.inc
hello.bat
default.asp\
dvwssr.dll
cart32.exe
add.exe
index.jsp
SessionServlet
shtml.dll
index.cfm
page.cfm
shtml.exe
web_store.cgi
shop.cgi
upload.asp
default.asp
pbserver.dll
phf
test-cgi
finger
Count.cgi
jj
php.cgi
php
nph-test-cgi
handler
webdist.cgi
webgais
websendmail
faxsurvey
htmlscript
perl.exe
wwwboard.pl
www-sql
view-source
campas
aglimpse
glimpse
man.sh
AT-admin.cgi
AT-generate.cgi
filemail.pl
maillist.pl
info2www
files.pl
bnbform.cgi
survey.cgi
classifieds.cgi
wrap
cgiwrap
edit.pl
perl
names.nsf
webgais
dumpenv.pl
test.cgi
submit.cgi
guestbook.cgi
guestbook.pl
cachemgr.cgi
responder.cgi
perlshop.cgi
query
w3-msql
plusmail
htsearch
infosrch.cgi
publisher
ultraboard.cgi
db.cgi
formmail.cgi
allmanage.pl
ssi
adpassword.txt
redirect.cgi
cvsweb.cgi
login.jsp
dbconnect.inc
admin
htgrep
wais.pl
amadmin.pl
subscribe.pl
news.cgi
auctionweaver.pl
.htpasswd
acid_main.php
access.log
log.htm
log.html
log.txt
logfile
logfile.htm
logfile.html
logfile.txt
logger.html
stat.htm
stats.htm
stats.html
stats.txt
webaccess.htm
wwwstats.html
source.asp
perl
mailto.cgi
YaBB.pl
mailform.pl
cached_feed.cgi
global.cgi
Search.pl
build.cgi
common.php
show
global.inc
ad.cgi
WSFTP.LOG
index.html~
index.php~
index.html.bak
index.php.bak
print.cgi
register.cgi
webdriver
bbs_forum.cgi
mysql.class
sendmail.inc
CrazyWWWBoard.cgi
search.pl
way-board.cgi
webpage.cgi
pwd.dat
adcycle
post-query
help.cgi


there are too many people to thank for the bits of information cut and pasted and added to form this paper
most have been collected from various forums, txt, docs etc...like to thank you all, it's not intended to rip anyone
it's just a combo of various search inputs...put on the one paper to use as a reference.


EOF

====================================

http://comsec.governmentsecurity.org

http://governmentsecurity.org/forum

******* new members welcome ********

====================================
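As an added example (not part of the original post or thread): a defender-side check for the misconfiguration the article blames, run against your own web root. It flags files whose names appear in the search lists above and directories with no index file; the index names and the sample tree are assumptions constructed for the demonstration.

```python
import fnmatch
import os
import tempfile

# File names and patterns taken from the search lists in the post above.
SENSITIVE_PATTERNS = [
    ".htpasswd", ".htaccess", ".bash_history", ".sh_history", "passwd",
    "master.passwd", "pwd.db", "auth_user_file.txt", "*.pwd", "*.mdb",
    "*.bak", "*~", "wsftp.log", "access.log",
]
# Assumption: typical index names; match them to your server's own setting.
INDEX_NAMES = {"index.html", "index.htm", "index.php", "default.asp"}


def url_path(docroot, path):
    """Map a filesystem path under docroot to the URL path a crawler would see."""
    rel = os.path.relpath(path, docroot).replace(os.sep, "/")
    return "/" if rel == "." else "/" + rel


def audit_docroot(docroot):
    """Return (exposed_files, listable_dirs) as sorted lists of URL paths."""
    exposed, listable = [], []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        lowered = [name.lower() for name in filenames]
        # Without an index file, a server with auto-indexing enabled serves
        # an "Index of /..." listing for this directory.
        if not INDEX_NAMES.intersection(lowered):
            listable.append(url_path(docroot, dirpath))
        for name, low in zip(filenames, lowered):
            if any(fnmatch.fnmatchcase(low, pat) for pat in SENSITIVE_PATTERNS):
                exposed.append(url_path(docroot, os.path.join(dirpath, name)))
    return sorted(exposed), sorted(listable)


def build_sample_docroot():
    """Create a constructed sample tree (not real data) and return its path."""
    root = tempfile.mkdtemp(prefix="docroot_")
    for rel in ("index.html", "admin/index.php", "admin/.htpasswd",
                "backup/index.php.bak", "backup/site.mdb", "logs/WSFTP.LOG"):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as handle:
            handle.write("sample\n")
    return root


if __name__ == "__main__":
    files, dirs = audit_docroot(build_sample_docroot())
    for path in files:
        print("sensitive file under web root:", path)
    for path in dirs:
        print("directory would be auto-indexed:", path)
```

Anything it reports should be moved out of the web root or denied in the server configuration, and auto-indexing switched off for the listed directories.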
Jay
Thanks for that ComSec. A very informative post.
Kenny
thanks....i was just killing sunday morning boredom.... google always turns up at every security forum simple search strings like this all help.......better than saying "go search google"...then wonder wtf is he on about
Jay
That's what i like so much about this site it's all quality information.
Kenny
only the best for our members
LiquidIce
Very interesting read thnx
i seen a lot about google being a hackers best friend, wasn't google supposed to be blocking out all these kind of indexes - i'm sure there was a big article on this at some point
Kenny
yeah so they say LiquidIce but for now it's still ok ... no doubt another search engine will replace google for this type of info
beardednose
Great article. One of my fav google searches is to search for the exact phrase "username: guest"

You'd be surprised how many websites put a guest login and password out there.

Another good one is to search for your favorite web-enabled database login message.
syked
much more informative than neworders article, thanks
ShadyCrazy1
1:Thanks for this.

2: I quoted what you had posted, what good would d/ling the cmd.exe do?
Rigpa



Doh! forgot to post the link the first time.....

for those interested in how it all began and how it works here's it, the complete anatomy of the beast
hks-3207
yooo man thanks u so much!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

and nice pic dude heheh BART IS A HACKER!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! and he seems so dumb.......
Zimmergren
Hey lads.
I've got some additional searchcommands I'll post when I get home. I'm at work right now and it's a bit late for me to post anyways, I'll be posting in a few hrs.

Laters
beardednose
T0bban, welcome. We look forward to your post.
Zimmergren
First of all: Anything stated here is strictly educational, any use of these commands is on your own risk. Author is not to be held responsible for your actions.


Ok, I forgot. Sorry..
Now, to not disappoint you all, I'll post what I've got in my head and perhaps a few examples.

Google is known to most people as just any searchengine, but when you get into google, learn how it operates and get to know all those special searchstrings available, but perhaps not listed, you learn to respect google.
Like stated above ( I think ) whenever someone says "Go search google.com" you should. Because google can find anything for you.
There's spiders out everywhere on the web, reporting back what sites and pages exist, which makes google.com a very mighty searchengine..
But enough of this bladder, let's cut to the chase here shall we.

Some theory on the google..
Specific filetypes are: *.xls, *.doc, *.db, *.mdb, *.cfg, *.pwd etc etc, use your imagination willya?

Commands you can use
Filetype:xls would bring only .xls (Excel files) in your results.
Filetype:mdb would bring only .mdb (MS Access) files in your results
etc etc, you get what I mean..

Inurl:admin would bring you a result where the word admin is in the URL
Inurl:webadmin.php would bring you a result where you can find some nice webadmin.php editors, many unprotected.

"Index of" root Would give you the index of root folder in a webserver.
"Index of" admin Yeah, guess..

Site:gov would bring up only .gov domains.
Site:co.uk should bring up only .co.uk domains..

Intitle:anyword would, guess what.., find pages with the anyword word in the title!

And now to combine these fine searchoptions
inurl:nasa.gov filetype:xls "restricted"
site:mil filetype:xls "password"
site:mil "index of" admin
- USE YOUR IMAGINATION!

Words to search for, which is probably a good bunch of words can be some of these:
password, passwords, uid, user, userid, username, pass, pwd, account, accounts, login, logins, secret, secrets. all followed by either .mdb, .db, .xls .doc or any other nice file extension.

Some theory and thoughts
Admin.cfg - is mostly a config file of some sort. It shouldn't be accessible via the web, but hey, it's the year of 2003, anything's possible..
try i.e. inurl:admin.cfg "index of"
or something like that.

webeditor.php - an official editor to edit the web page. Used by admins all over the world.
Search for it and you might strike gold.. or not

Anyhow, this was what I could remember from reading an article about it somewhere.. I'll be updating you all in like a week or two, I've ordered the book "Google hacks" along with 4 other hacking/security books:
Anti hackers Toolkit
Hacking Exposed: Windows 2000
Web hacking
Linux Server Hacks

I hope to gain some elite knowledge about security here.

Final note; Greetings to the one who wrote the article on "Google, a hackers best friend" or whatever it was called.
Travis
Great post t0bban thanks
Zimmergren
Yep yep, no problem. Just don't go hacking pentagon now willya?
Not that i think that's any use, cause their security rocks, second of all they'd come to your door with 5000 tanks and blow you away
Travis
QUOTE(t0bban @ Jul 18 2003, 12:03 AM)
Not that i think that's any use, cause their security rocks, second of all they'd come to your door with 5000 tanks and blow you away

lol wasn't it a british hacker that infected a hundred or so pentagon computers with a simple backdoor?
Zimmergren
Yes, but as that happened, they tightened their security.
Sure they're penetratable, though probably not via google because they've got a few unsecured documents/files
Dillinja
So telnetting and entering "guest" for user and password is out of the question?

Excellent posts btw!
Kenny
thanks t0bban very informative...
Zimmergren
Thanks for the thanks's
Well no I don't think a telnet with Guest/Guest will do the trick, they've enhanced security, now you need to use SSH with Guest/Guest
packet
Now I wonder if you could do targeted anonymous reconaisance (sp?) by having google do your dirty work. Submit a specific site or URL to Google that you want it to index and have google look for fun stuff without you ever having to lift a finger (or without having your IP logged).

Great stuff!

--j
ThinIce
Not only is it good for looking for weaknesses, but it's cool to know period, I spent hours upon hours getting cool things, simple stuff like "index of" vids, Movies, etc returns great results
Zimmergren
Yeah it's more than great, this Google.com

Here's a few additions to my previous post regarding specialcommands/search strings:

__________________________________
Intitle restricts your search to titles of the web pages.
Allintitle does the same, but where all the words in the searchstring must be in the title.
intitle:"George Bush"
allintitle:"money supply" economics


__________________________________
Inurl restricts your search to the URL of web pages.
Inurl:help
Inurl:Search Help


__________________________________
Intext searches only bodytext (Ignores link text, URLs and titles)
intext:"yahoo.com"
intext:html


__________________________________
Inanchor searches for a page's link anchors. A link anchor is the descriptive text of a link. For example in <a href="whatever.htm">A Cool Page</a> the anchor is "A Cool Page".
inanchor:"t0bban"

__________________________________
Site allows you to narrow down your search by either a site or a top level domain.
site:loc.gov
site:thomas.loc.gov
site:edu
site:nc.us


__________________________________
Link returns a list of pages linking to that specific URL.
Use link:www.google.com and you'll end up with a bunch of pages which all link to Google.com. (Don't bother to put http:// in front, google just disregards it)..
link:www.google.com

__________________________________
Cache finds a copy of the page that Google indexed even if that page is no longer available at its original URL or has since changed its content completely. This is great for pages that change often.
cache:www.google.com

__________________________________
Daterange limits your search to a particular date or range of dates that a page was indexed.
NOTE: It works with Julian, not Gregorian dates.
"George Bush" daterange:2452389-2452389
neurosurgery daterange:2452389-2452389


__________________________________
Filetype searches the suffixes of filename extensions.
As long as the site isn't hiding behind proxy'ing stuff, or redirection, this is great.
filetype:pdf homeschooling
"leading economic indicators" filetype:ppt


__________________________________
Related as you might expect, finds pages that are related to the specified page. This is a good way to find categories of pages; a search for related:google.com would return a variety of searchengines, including HotBot, Yahoo! and Northern light.
related:www.yahoo.com
related:www.cnn.com


__________________________________
Info provides a page of links to more information about a specified URL. Information includes a link to the URL's cache, a list of pages that link to that URL, pages related to that URL, and pages containing that URL.
NOTE: This works only if google.com has indexed the page(s).
info:www.oreilly.com
info:www.nytimes.com/technology


__________________________________
Phonebook as you might expect, looks up phonenumbers.
phonebook:John Doe CA
phonebook:(510) 555-1212



There, that's what i've got this time. Hope you find it interesting
Zimmergren
Well, did you find that information useful? (So I know if I should keep posting google tips and tricks)

(I separated them with underlines to make it easier to read...)
Kenny
very nice t0bban

i think this thread has the making of a damn good paper...make a nice pdf for the forum members..just a thought

the more there is the easier it gets
Travis
Good Job t0bban...

Good work. (And yes keep it up you're doing great)
Zimmergren
Thanks lads.
I hope it's good info I'm providing.
I've learnt most of it from "Google Hacks" from O'Reilly. It's a great book and I recommend it to anyone searchaddicted
It has code examples of creating custom made applications to query google, howto bypass certain stuff etc etc.
I'll post my Google-Console-Query program when it's done (If it gets done)
Travis
good book only glanced through it but it's interesting to what i glanced through it with...
Zimmergren
QUOTE(dissolutions @ Jul 28 2003, 07:36 PM)
good book only glanced through it but it's interesting to what i glanced through it with...

Yeah, it's really something.
I'm reading 5 books at the same time, and working 8/24, 5/7. And play golf.. I don't know how I can find the time to all this.. Anyways, the other books are as follows:
Anti-Hacker toolkit
Web Hacking
Linux Server Hacks
Hacking -Windows 2000- Exposed.
Great books

I'll soon be posting a bit of different tutorials around here.
Jeremy
Zimmergren
Haha. How true ;P
Shade
QUOTE(w00dy @ Aug 1 2003, 06:17 PM)

LOL
Charlievarley
Interesting read thx
Nick W
Query: "running on localhost as root@localhost"
What it finds: PHPMyAdmin server public access left on by stupid admins.
jacksonjinkins
Well that was a very interesting read. I didn't know you could do ALL that on google. Google just got a whole lot more fun
Zimmergren
QUOTE(jacksonjinkins @ Sep 7 2003, 10:20 AM)
Well that was a very interesting read. I didn't know you could do ALL that on google. Google just got a whole lot more fun

Hehe yeah.
Knowledge is power. Or so they say
I've used these tricks to get to different stuff, a Bulgarian bank with home addresses, emails, full names and social security numbers.. I mean, wtf..
IN an ACCESS DB! How oldtech are they?
So I mailed the bank's helpdesk and told them the prob and now it's tightened up..

And btw;
You might find a few .MDB files using google, and many are password protected, no worries.. There's plenty of tools for breaking into mdb files =)
HaRRo
Very interesting and i have been playing about
for a few hours now!

Thanks and ill get back to you on this one

Cause i am having too many ideas on this one!

-=[HaRRo]=-
Zimmergren
QUOTE(HaRRo @ Sep 7 2003, 09:26 PM)
Very interesting and i have been playing about
for a few hours now!

Thanks and ill get back to you on this one

Cause i am having too many ideas on this one!

-=[HaRRo]=-

Hehe, sure.

If you find anything good, let me know hu? :-)
blaze
Yup, those are fine methods, i used it earlier to get into hacking site (advisories if ya prefer), as they were all blocked, then later to get proxies etc...
But the real advantage is getting the info wanted without going to the site
use the cache (an easy thing to do in cafes without trouble)
ICE
yeh google rox so does this forum
matiano
great stuff...i'm shocked and pleased
google is hackers best friend
linuxwolf
Yeeep, google is fun, google is great, google is what scared bill gates.
Devil
just started looking around....and found a fantastic post over google

what should i say......

THANKS

Zimmergren
Yeah google is the only tool you need (Right, I wish).
I'm sorry for not keeping my promise about posting new stuff on my tutorials and on the google side.. My MCAD education is taking up quite a lot of time so I'll have it hard to find time for it now..
But if I do get an afternoon free or something, I'll be sure to post something up =)
Chris
I don't have much time to kill ATM but i will try some later, is there any way to get some shell usernames or passwords out of this, skim reading it looks so. Maybe i will look into that.
Chris
google has gone Halloween, i love the way they change that logo
Zimmergren
Hehe yeah it's nice how they alter the logo depending on what happens.
KrYsSaR
ah the flexibility of google never stops to surprise me =)
this was some really nice information.
i knew that there were lots of strings i could use.. but not this many..

thanks a lot for sharing your wisdom with us thirsting for it =)