Google Hacking

This is by far the easiest hack of all. It really is extraordinary what you can find in Google’s index. And here’s Newsflash #1: you can find a wealth of actual usernames and passwords using search strings.

Copy and paste these into Google:

inurl:passlist.txt
inurl:passwd.txt

…and this one is just priceless…
“login: *” “password= *” filetype:xls

Such strings return very random results, and are of little use for targeted attacks. Google hacking will primarily be used for finding sites with vulnerabilities. If a hacker knows that, say, SQL Server 2000 has certain exploits, and he knows a unique string pushed out by that version in results, you can hone in on vulnerable websites.

For specific targets Google can return some exceptionally useful information: full server configurations, database details (so a good hacker knows what kind of injections might work), and so forth. You can find any amount of SQL database dumps as well (fooling around with a Google hack while preparing this article, I stumbled across a dump for a top-tier CMS developer’s website). And a vast amount more besides.

 

%d bloggers like this: