Google hacking

Google hacking involves using operators in the Google search engine to locate specific sections of text on websites that are evidence of vulnerabilities, for example specific versions of vulnerable Web applications. A search query with intitle:admbook intitle:Fversion filetype:php would locate PHP web pages with the strings "admbook" and "Fversion" in their titles, indicating that the PHP based guestbook Admbook is used, an application with a known code injection vulnerability. It is normal for default installations of applications to include their running version in every page they serve, for example, "Powered by XOOPS 2.2.3 Final", which can be used to search for websites running vulnerable versions.

Devices connected to the Internet can be found. A search string such as inurl:"Mode=" will find public web cameras.

The concept of "Google hacking" dates back to August 2002, when Chris Sullo included the "nikto_google.plugin" in the 1.20 release of the Nikto vulnerability scanner.{{Cite web |title=nikto-versions/nikto-1.20.tar.bz2 at master · sullo/nikto-versions |url=https://github.com/sullo/nikto-versions/blob/master/nikto-1.20.tar.bz2 |access-date=2023-08-30 |website=GitHub |language=en |archive-date=August 30, 2023 |archive-url=https://web.archive.org/web/20230830140742/https://github.com/sullo/nikto-versions/blob/master/nikto-1.20.tar.bz2 |url-status=live }} In December 2002 Johnny Long began to collect Google search queries that uncovered vulnerable systems and/or sensitive information disclosures – labeling them googleDorks.{{cite web|url=http://johnny.ihackstuff.com/security/googleDorks.shtml |title=googleDorks created by Johnny Long |publisher=Johnny Long |access-date=December 8, 2002 |url-status=dead |archive-url=https://web.archive.org/web/20021208144443/http://johnny.ihackstuff.com/security/googleDorks.shtml |archive-date=December 8, 2002 }}

The list of Google Dorks grew into a large dictionary of queries, which were eventually organized into the original Google Hacking Database (GHDB) in 2004.{{cite web|url=http://johnny.ihackstuff.com/blog/my-blog-like-thing/google-hacking-database.html |title=Google Hacking Database (GHDB) in 2004 |publisher=Johnny Long |access-date=October 5, 2004 |url-status=dead |archive-url=https://web.archive.org/web/20070707185932/http://johnny.ihackstuff.com/blog/my-blog-like-thing/google-hacking-database.html |archive-date=July 7, 2007 }}{{cite book |title=Google Hacking for Penetration Testers, Volume 1 |year=2005 |publisher=Johnny Long |isbn=1931836361 }}

Concepts explored in Google hacking have been extended to other search engines, such as Bing{{cite web |url=http://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/#bing-hacking-database---bhdb-v2 |title=Bing Hacking Database (BHDB) v2 |date=July 15, 2013 |publisher=Bishop Fox |access-date=August 27, 2014 |archive-date=June 8, 2019 |archive-url=https://web.archive.org/web/20190608014128/http://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/#bing-hacking-database---bhdb-v2 |url-status=live }} and Shodan.{{cite web |url=http://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/#shodan-hacking-database---shdb |title=Shodan Hacking Database (SHDB) - Part of SearchDiggity tool suite |publisher=Bishop Fox |access-date=June 21, 2013 |archive-date=June 8, 2019 |archive-url=https://web.archive.org/web/20190608014128/http://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/#shodan-hacking-database---shdb |url-status=live }} Automated attack tools{{cite web |url=http://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/#searchdiggity |title=SearchDiggity - Search Engine Attack Tool Suite |date=July 15, 2013 |publisher=Bishop Fox |access-date=August 27, 2014 |archive-date=June 8, 2019 |archive-url=https://web.archive.org/web/20190608014128/http://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/#searchdiggity |url-status=live }} use custom search dictionaries to find vulnerable systems and sensitive information disclosures in public systems that have been indexed by search engines.{{cite web |url=http://www.bishopfox.com/resources/tools/google-hacking-diggity/google-hacking-history/ |title=Google Hacking History |date=July 15, 2013 |publisher=Bishop Fox |access-date=August 27, 2014 |archive-date=June 3, 2019 |archive-url=https://web.archive.org/web/20190603025255/http://www.bishopfox.com/resources/tools/google-hacking-diggity/google-hacking-history/ |url-status=dead }}

Google Dorking has been involved in some notorious cybercrime cases, such as the Bowman Avenue Dam hack{{cite news |title=Seven Iranians Working for Islamic Revolutionary Guard Corps-Affiliated Entities Charged for Conducting Coordinated Campaign of Cyber Attacks Against U.S. Financial Sector |url=https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged |publisher=UNITED STATES DEPARTMENT OF JUSTICE |access-date=March 27, 2023 |archive-date=September 24, 2023 |archive-url=https://web.archive.org/web/20230924092759/https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged |url-status=live }} and the CIA breach where around 70% of its worldwide networks were compromised.{{cite news |last1=Gallagher |first1=Sean |title=How did Iran find Cia Spies? They googled it |url=https://arstechnica.com/tech-policy/2018/11/how-did-iran-find-cia-spies-they-googled-it/ |publisher=Ars Technica |access-date=March 27, 2023 |archive-date=October 18, 2023 |archive-url=https://web.archive.org/web/20231018103413/https://arstechnica.com/tech-policy/2018/11/how-did-iran-find-cia-spies-they-googled-it/ |url-status=live }} Star Kashman, a legal scholar, has been one of the first to study the legality of this technique.{{cite journal |last1=Kashman |first1=Star |title=GOOGLE DORKING OR LEGAL HACKING: FROM THE CIA COMPROMISE TO YOUR CAMERAS AT HOME, WE ARE NOT AS SAFE AS WE THINK |journal=Wash. J. L. Tech. & Arts |date=2023 |volume=18 |issue=2}} Kashman argues that while Google Dorking is technically legal, it has often been used to carry out cybercrime and frequently leads to violations of the Computer Fraud and Abuse Act.{{cite journal |last1=Kashman |first1=Star |title=GOOGLE DORKING OR LEGAL HACKING: FROM THE CIA COMPROMISE TO YOUR CAMERAS AT HOME, WE ARE NOT AS SAFE AS WE THINK |journal=Washington Journal of Law, Technology & Arts |date=2023 |volume=18 |issue=2 |page=1 |url=https://digitalcommons.law.uw.edu/wjlta/vol18/iss2/1 |access-date=March 27, 2023 |archive-date=October 23, 2023 |archive-url=https://web.archive.org/web/20231023091719/https://digitalcommons.law.uw.edu/wjlta/vol18/iss2/1/ |url-status=live }} Her research has highlighted the legal and ethical implications of this technique, emphasizing the need for greater attention and regulation to be applied to its use.

Robots.txt is a well known file for search engine optimization and protection against Google dorking. It involves the use of robots.txt to disallow everything or specific endpoints (hackers can still search robots.txt for endpoints) which prevents Google bots from crawling sensitive endpoints such as admin panels.

{{Reflist}}

• [https://web.archive.org/web/20140822191407/http://www.boris-koch.de/wp-content/uploads/2011/01/Liste-Google-Hacking.pdf "Google Hacking: .pdf Document"], boris-koch.de (printable, .pdf)
• [https://www.google.com/help/cheatsheet.html "Google Help: Cheat Sheet"], Google (printable)
• [https://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-Long.pdf Google Hacking for Penetration] - Using Google as a Security Testing Tool, Introduction by Johnny Long
• [https://www.dorksearch.com/ Search Engine]- Google Dorking Search Engine, for newbies.

{{Google LLC}}

Category:Computer security procedures

hacking