You don’t need me to tell you that the Google search engine is a vast and powerful tool, or that, Tor aside, it pretty much holds the whole of the Internet in the palm of its hand. What you may not know is that the Google behemoth might have more information about your websites than you do (or at least, more than you would like it to).
But the good news is that, using a technique known as Google Hacking, it’s quite simple to leverage Google’s extensive resources to your advantage, effectively turning the search giant into a quick, cheap and easy tool to detect vulnerabilities and alert you to malicious activity on your websites.
Google Hacking – What is it?
Don’t be put off by the flamboyant name; Google Hacking is actually just making clever use of Google’s built-in Advanced Operators to search for telltale signs of abuse, vulnerabilities, or just information you’d prefer wasn’t publicly accessible.
Is it Legal?
Against domains for which you are the administrator, or are otherwise appropriately authorised, Google Hacking is definitely legal (in the UK at least). Beyond that, we would strongly discourage you from trying these techniques out on other websites. If in doubt, always err on the side of caution.
One thing to note at this point: making repeated searches using advanced operators can appear suspicious, and is likely to trigger Google’s own security alerts. While experimenting, expect to solve a captcha (to prove you’re not a bot) every now and then.
How can I use it?
Google operators are added as part (or even the entirety) of a search query, and use the following syntax:
Different operators can be combined, possibly along with a keyword search, to create a very specific overall search.
An important first step is to narrow your search to a specific domain. This is achieved by using the ‘site:’ operator, for example:
Will do a search for the word ‘exam’, but only on pages in the example.ox.ac.uk domain.
Replace the word ‘exam’ with the name of a common, branded pharmaceutical product, for instance, and you have a convenient way of checking whether any of your sites have been hacked and defaced with references to the aforementioned drug. Often, these defacements are done in such a way that they only become obvious when the site is accessed with the Google user agent, meaning you could visit the site normally via a browser every day and never find the problem.
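A complementary check for the user-agent-dependent defacement described above, as an added example that is not part of the original post: it compares what one of your own pages returns to a browser with what it returns to a crawler user agent. The function names, watchlist terms and sample HTML are assumptions made for illustration.

```python
import re
import urllib.request

# Assumed values for illustration: UA strings and watchlist terms are placeholders.
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
WATCHLIST = {"examplepill", "cheap", "pharmacy"}

# Constructed sample responses (not real captures) so the check runs offline.
BROWSER_SAMPLE = ('<html><body><h1>Exam timetable</h1>'
                  '<a href="https://example.ox.ac.uk/dates">Dates</a></body></html>')
CRAWLER_SAMPLE = ('<html><body><h1>Exam timetable</h1>'
                  '<div>cheap examplepill online</div>'
                  '<a href="http://pills.example.net/buy">buy</a>'
                  '<a href="https://example.ox.ac.uk/dates">Dates</a></body></html>')

def fetch(url, user_agent, timeout=10):
    """Fetch a page on a site you administer, presenting the given User-Agent."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")

def visible_words(html):
    """Lower-cased words of 3+ characters, with scripts, styles and tags stripped."""
    html = re.sub(r"(?is)<(script|style)\b.*?</\1\s*>", " ", html)
    text = re.sub(r"(?s)<[^>]+>", " ", html)
    return set(re.findall(r"[a-z0-9]{3,}", text.lower()))

def link_hosts(html):
    """Host names of all absolute http(s) links in the page."""
    pattern = r'(?i)href\s*=\s*["\']https?://([^/"\'\s:]+)'
    return {host.lower() for host in re.findall(pattern, html)}

def cloaking_report(browser_html, crawler_html, watchlist=WATCHLIST):
    """Report words and link hosts that only the crawler response contains."""
    hits = (visible_words(crawler_html) - visible_words(browser_html)) & set(watchlist)
    hosts = link_hosts(crawler_html) - link_hosts(browser_html)
    return {"watchlist_hits": sorted(hits),
            "crawler_only_hosts": sorted(hosts),
            "suspicious": bool(hits or hosts)}

if __name__ == "__main__":
    # Against a live site you administer:
    # cloaking_report(fetch(url, BROWSER_UA), fetch(url, CRAWLER_UA))
    print(cloaking_report(BROWSER_SAMPLE, CRAWLER_SAMPLE))
```

A clean result does not rule out injected content that is served according to the visitor's IP address rather than its user agent, so the ‘site:’ search is still worth running.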
The ‘inurl’ operator, predictably, searches for a term within the URL. This can be especially useful for turning up pages you’d rather weren’t Internet-facing, because if Google can find it, so can anyone who might just fancy trying to brute force an inadequate password, such as in the example below:
Another way to make use of Google hacking is to search for old (and vulnerable) web platforms. For example, the following could turn up webservers running IIS 5.0, based on their error messages:
site:example.ox.ac.uk intext:"404 Object Not Found" Microsoft-IIS/5.0
This post only covers a few examples of what can be achieved, but hopefully it will give you enough to get started and begin to see some results!
What else can I search for?
Apart from experimenting with your own searches, the Google Hacking Database is an excellent resource. Many of the examples in this post come, in whole or in part, from this website. Google searches are recorded here under useful and faintly entertaining categories, such as ‘Files containing passwords’ and ‘Sensitive Online Shopping Info’.