Google Dorking is the technique that hackers can use to find information that might have been accidentally exposed to the Internet. Today we'll check out some advanced Googling techniques on this episode of Cyber Weapons Lab.
When most people think about finding vulnerable devices on the internet, they may think about Shodan. Now, Shodan is famous for finding all kinds of things that might have been accidentally connected to the Internet and leaking too much information, but it turns out we don't actually need to use Shodan in order to do this; we can just use Google Dorking instead.
Now, Google Dorking uses some of Google's innate abilities to locate various things that we can find via specific search strings, and this can be log files, error files, things like webcams that are exposed directly to the internet, and even administration panels that allow us to get into a device that doesn't require a password. Now this is a great way to use a simple browser and a Google search to find devices that are vulnerable, and we'll go through a couple different Google dorks today that can lead us to all sorts of different things that might be kind of surprising. Now, one thing I need to point out is that although this is a powerful technique, we need to make sure that we're not logging into anything that requires a password, even if that password is shown in plain text, because that's the line at which it becomes illegal access to a device that we don't have permission to use. If you have any problems doing this, you can check out the Null Byte article linked in the description for troubleshooting and other general advice. Once you have a web browser connected to the Internet, then you're ready to go.

Now, this might not be the page you think of when you think of hacking, but what if I told you you could probably get the login and password to a server on the internet using just a Google search in a matter of seconds? Well, that is using dorking, and we're going to get into what that is today, because it's kind of related to what we've already covered about using search operators, but instead the goal is to use those search operators to go after a specific type of target. Now, we covered things that are useful, like removing search results and looking for specific file types, but if we really want to go crazy we need to actually target specific things that we know are vulnerable and can be used to dig deeper into a system. Now these are going to be things like accidentally exposed logs, which might include attempts to log in that failed; this could reveal usernames and passwords. We can see configuration files that show us all sorts of details that aren't supposed to be made public. So let's get into this by exploring some of the most basic ones first. Most basic: let's say we just want to see an older version of a website.
This simple operator you might be familiar with, and it's just cache: and then whichever site you want. Let's do Null Byte, and we'll see previous, older versions of the Null Byte site. Great, sort of useful, but what can we really get going?

Well okay, let's step it up and start looking for log files rather than just files that might have been deleted or taken off the internet. We can go ahead and type allintext:username and then filetype:log. Now this combination will actually go... hang on, that's my article. Now this combination will actually go ahead and search for any log-type files which contain the username string, and that could be a problem depending on whether or not this log file is exposing other credentials. Now let's go ahead and jump in and see what one of them looks like. So we can see this is one that doesn't actually contain anything interesting, but if we combine that with a limiter for the last year, we can actually begin to search through this log file for juicy things like passwords or anything else that might pique our interest.
Now, by digging around I can virtually guarantee we're going to find some sort of username or password, because that's just kind of the nature of these exposed logs, and this is also a really good way to find usernames, which, trust me, will greatly narrow down the number of passwords you have to spray at a target if you are doing a brute-force attack. That's because typically these sorts of logins could have basically any username associated, so you would need to go through a complete list of every possible username and every possible password that you want to actually attempt to brute-force the system with, which can lead up to a whole bunch of results. So you can dramatically cut that down by locating usernames for various systems and then just kind of hanging out and looking for... there we go, web dev passwords. So this sort of information can be really, really helpful. You might need to dig around and attempt to find this, but you will generally be able to find usernames and passwords in these sorts of files. Okay, so what else can we find? Well, let's go ahead and try another one, which is inurl:/proc/self/cwd.
Now, if you want to find FTP servers, we can type in inurl... I'm sorry, intitle:"index of" and then inurl:ftp. Now what this should do is index any index pages that are associated with an FTP server, and here we can see that we might be able to download files or find some internal directories on the server, which could be useful if we need to know about the manual for a... why am I downloading a PDF for... oh, bigger, 2950... and especially useful if we want it to be completely in Chinese.

All right, so moving on from there, of course we can do things that kind of are associated with services like Shodan, like find webcams via the specific string that they will expose to Google if they're accidentally put just facing the internet with no sorts of restrictions at all. Now an example might be, for a webcam, intitle:"webcam xp 5". So this is the type of webcam which, when exposed, we should be able to just click on. I actually haven't seen the mobile version; that's not gonna work, as I'm not installing Flash on this sketchy thing, but let's see if we can find something. How about this? Where are we? What do we see? There we go, we got some beautiful boats bobbing in the water somewhere where it is day, I have no idea. Whoa, what is this? Something's happening, oh my god, this camera wheels around. Whoa, okay, we've got a lot of contacts close, I don't know what's happening, this place is crazy.
They've got flying bushes, they got boats, they got everything, so we're gonna get out of here, cause... it's moving again. Okay, I don't know if they know that we're in, but we're getting out. All right, a truly Shodan-like experience.

So aside from locating cameras, some of which are whipping around, we can also locate some sensitive things in the databases that actually contain passwords, using a dork that was written by a friend of mine named Sven. So this is just DB_PASSWORD and then filetype:env. Now as you can instantly see from the preview, we have successfully found the username and password to a whole bunch of databases, so this is exactly what we're looking for. Let's say if we wanted to just harvest... "who cars 1 2 3 exclamation point", how secure. Oh, and it's for a SeaWorld cars.com, see, that's never as hard as you think. So this could be, let's say if you wanted to be someone who's putting together a word list of common passwords that are just exposed to the Internet, this is how password lists are surveyed. These dorks are extremely powerful, I feel like I say that a lot, and are able to bring you the passwords for a variety of services that might currently be up and running. So I'm gonna try in the past year, and oh god, that's a lot still of just things we could probably log into, which you absolutely should not do, because you don't have permission. But hey, look at this secure password; they really took their security seriously by exposing this directly to the Internet.
All right, so that is a brief overview of cameras... I also wanted to show you a couple... oh sorry, a brief overview of the various dorks you can run in order to get passwords. I wanted to show you a couple others that I found that are really interesting. So this one is for websites that are hosted on GitHub or are using a Git repository; you can go ahead and get into some of the code that you're not supposed to and start looking for things that might be able to get you deeper in the system. This is one that exposes PHP variables, which could allow us to get into, again, more information that we might not be supposed to be able to access, that is accidentally exposed. That's kind of a theme here, accidentally... accidentally exposed files that lead us to be able to divulge more than we're supposed to. I'm getting out of here.
Here we can see that there is, let's see, some more Apache server configuration files, which could lead us into all sorts of interesting stuff. I think I saw a password variable there. And this is my favorite: this is for people who accidentally leave Nessus network scan reports on the internet. So it's an intitle: we're looking for "report" and then the name of one of these various scanners; Nessus is a great vulnerability scanner. So then we're filtering by, oops, here we go, we're filtering by filetype:pdf. So if we go ahead and, let's see if I can just filter by semi-recent: payment card industry report, like some bank, penetration testing report for a Bitcoin exchange company. Wonderful, someone did our work for us. So somebody already knocked on the doors to this cybersecurity company and gave it a D. Oh well, that's terrible; well, let's find out why. I don't care, but if I was an attacker I would probably want to see this pie chart that tells me where this company sucks at security. That's pretty helpful if I'm planning an attack, because it means that somebody has already got in there, and I... I'm not gonna say too much about the way companies typically respond to penetration testing reports, but let's just say that they don't always do what they're supposed to do.

So here I can see that this wonderful business of... temp demo account, okay, well maybe not this one is vulnerable, or not vulnerable, in a couple specific ways, but being able to look up log files that are just exposed to give people an idea of where a company is weak is a great way to let everybody who wants to break into your company know how you failed your last security audit. With the right Google dork search terms, you can find log files and configuration files directly exposed to the internet that dump plaintext passwords to massive databases. This and other things might be tempting to log into, but in general you should be aware that the limit is: if you find something on the internet and it doesn't require a password to log in, you're fine, but even if you find plaintext passwords to a server or something like that, resist the temptation to log in, because that is the limit at which you do not have permission to join, and thus you're actually possibly committing a crime depending on where you live. Now it's important to keep that in mind, because Google dorking turns up all sorts of interesting things.
So along your travels, make sure that you do connect to webcams that allow you to without a password, but do not to those that use perhaps a default password that is easy to guess. If you have any trouble with this and you need some more instructions or some troubleshooting, you can also check out the Null Byte article linked in the description. That's all we have for this episode of Cyber Weapons Lab. Make sure to like, comment and subscribe, and if you have any ideas for future episodes, send me a message on Twitter, because I'd love to hear from you. We'll see you next time.
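As an added example (not from the video or Null Byte), a Python audit script that walks your own web document root and flags the same classes of files the dorks above find: .env files with DB_PASSWORD, log files with usernames, exposed .git directories and scan-report PDFs. The file names, patterns and the constructed sample root are assumptions for the demo, not anything from the episode.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed patterns, modelled on the file classes the video's dorks surface.
RISKY_DIRS = {".git": "exposed git metadata (site source can be pulled)"}
RISKY_NAMES = {".env": "environment file (DB_PASSWORD filetype:env)",
               "phpinfo.php": "PHP variable dump"}
RISKY_SUFFIXES = {".log": "log file (allintext:username filetype:log)",
                  ".conf": "server configuration file"}
TEXT_SUFFIXES = {".log", ".conf", ".txt", ".ini"}
# Credential-looking assignments such as DB_PASSWORD=... or username: ...
CRED_RE = re.compile(r"(?i)\b(db_password|password|passwd|username)\s*[=:]\s*\S+")


def audit_webroot(webroot):
    """Walk a document root; return a list of (relative path, reason) findings."""
    root, findings = Path(webroot), []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        for d in [d for d in dirnames if d in RISKY_DIRS]:
            findings.append(((here / d).relative_to(root).as_posix(), RISKY_DIRS[d]))
            dirnames.remove(d)  # the directory itself is the finding; don't descend
        for name in filenames:
            path, lower = here / name, name.lower()
            rel, suffix = path.relative_to(root).as_posix(), path.suffix.lower()
            if lower in RISKY_NAMES:
                findings.append((rel, RISKY_NAMES[lower]))
            elif suffix in RISKY_SUFFIXES:
                findings.append((rel, RISKY_SUFFIXES[suffix]))
            elif suffix == ".pdf" and ("nessus" in lower or "report" in lower):
                findings.append((rel, "possible scan report (intitle:report nessus filetype:pdf)"))
            if lower == ".env" or suffix in TEXT_SUFFIXES:
                # Grep text-like files for credential-looking assignments.
                for m in CRED_RE.finditer(path.read_text(errors="replace")):
                    findings.append((rel, "credential-looking value: " + m.group(1).lower()))
    return findings


def build_demo_root():
    """Constructed sample web root: one clean page plus several exposures."""
    root = Path(tempfile.mkdtemp())
    (root / "index.html").write_text("<h1>hello</h1>")
    (root / ".env").write_text("DB_USER=app\nDB_PASSWORD=example-not-real\n")
    (root / "logs").mkdir()
    (root / "logs" / "auth.log").write_text("login failed username=alice\n")
    (root / ".git").mkdir()
    (root / "nessus_report_2019.pdf").write_bytes(b"%PDF-1.4 constructed stub")
    return root
```

Run `audit_webroot("/var/www/html")` (or wherever your document root lives) from a cron job and alert on any non-empty result; anything it reports is what a dork would index once a crawler reaches it.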