
Pen Testing the Web with Firefox: Google Hacking
Michael “theprez98” Schearer

Google hacking
• Complex search engine queries to filter through large amounts of search results for information
• Combination of advanced operators and specific search terms
• Possibly locate private, sensitive information about others, such as credit card numbers, site vulnerabilities, usernames and passwords

General search basics
• Every word matters
• Searches are case-insensitive
• Punctuation is generally ignored
• Think how the page you are looking for will be written
• Describe what you need in as few terms as possible
• Choose descriptive words

Special search characters
• ( “this text” ) Phrase search; proper names
• ( + ) Force inclusion of certain words
• ( - ) Find results without certain words
• ( ~ ) Find synonyms
• ( | ) Boolean ‘OR’
• ( .. ) Find results in a specific number range
• ( * ) Fill in the blanks (whole word wildcard)

Google advanced operators
• Query words that have special meaning to Google
• These operators modify the search in some way, or tell Google to do a totally different type of search
• Not all of Google’s advanced operators are documented

inanchor:
• Restricts the results to pages containing the query terms you specify in the anchor text on links to the page

allinanchor:
• Restricts results to pages containing all query terms you specify in the anchor text on links to the page

intext:
• Restricts results to documents containing the search term in the text

allintext:
• Restricts results to those containing all the query terms you specify in the text of the page

intitle:
• Restricts results to documents containing the search term in the title

allintitle:
• Restricts results to those with all of the query words in the title

inurl:
• Restricts results to documents containing that word in the url

allinurl:
• Restricts results to those with all of the query words in the url

intitle, allintitle

inurl, allinurl

intext, allintext
inanchor, allinanchor
author:
• Restrict your Google Groups results to include newsgroup articles by the author you specify
• Can be a full or partial name or email address

cache:
• Display Google’s cached version of a web page instead of the current version of the page
• Google will highlight terms in your query that appear after the cache: search operator

images loaded
no images
Greasemonkey
• Allows you to customize the way a webpage displays using small bits of JavaScript
• Thousands of installable scripts are located at userscripts.org
• Google Cache Continue Redux inserts cache links on Google cache pages

define:
• Shows definitions from pages on the web for the term that follows
• Useful for finding definitions of words, phrases, and acronyms

filetype:
• Restrict the results to pages whose names end in the extension you specify
• ext: is the same as filetype:

group:
• Restrict your Google Groups results to newsgroup articles from certain groups

info:
• Presents information about the corresponding web page
• id: is the same as info:

insubject:
• Restrict articles in Google Groups to those that contain the terms you specify in the subject

link:
• Shows pages that point to the specified url
• You cannot combine a link: search with a regular keyword search

location:
• Specific to Google News
• Returns only articles from the location you specify

movie:
• Find movie-related information
• Entering a location will provide showtimes and theater locations

phonebook:
• Shows all public U.S. residence telephone listings (name, address, phone number) for the person you specify

related:
• Lists web pages that are similar to the web page you specify
• Do not include a space between the related: and the web page url

site:
• Restricts results to those websites in a given domain

source:
• Specific to Google News
• Restrict your search to articles from the news source with the ID you specify

weather
• Returns the current weather and forecast when followed by a city, location name, or ZIP code

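An added example (not from the slides): a defender can look for the operators catalogued above in the Google referrer of inbound requests, which shows which pages of a site are being reached through operator-based searches. It assumes combined-format access logs and a referrer that still carries the `q=` parameter; the log lines, addresses and example.org below are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Web-search operators listed on the slides (Groups/News-only ones omitted).
OPERATORS = {"inanchor", "allinanchor", "intext", "allintext", "intitle",
             "allintitle", "inurl", "allinurl", "cache", "filetype", "ext",
             "info", "id", "link", "related", "site"}

# Apache/nginx "combined" log format: client, request path, status, referrer.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"')

def parse_query(query):
    """Split a search query into (operator, value) pairs and plain terms."""
    ops, terms = [], []
    # Keep a quoted phrase (optionally operator-prefixed) together as one token.
    for tok in re.findall(r'[-+~]?(?:\w+:)?"[^"]*"|\S+', query):
        m = re.match(r'^-?([A-Za-z]+):(.+)$', tok)
        if m and m.group(1).lower() in OPERATORS:
            ops.append((m.group(1).lower(), m.group(2).strip('"')))
        else:
            terms.append(tok)
    return ops, terms

def flag_line(line):
    """Return details if the request arrived from an operator-based search."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, path, status, referrer = m.groups()
    url = urlparse(referrer)
    host = url.hostname or ""
    if host != "google.com" and not host.endswith(".google.com"):
        return None  # assumption: only google.com referrers are inspected
    ops, terms = parse_query(parse_qs(url.query).get("q", [""])[0])
    if not ops:
        return None
    return {"client": client, "path": path, "status": int(status),
            "operators": ops, "terms": terms}

# Constructed sample log lines (documentation addresses, example.org).
SAMPLE = [
    '192.0.2.10 - - [12/Mar/2024:10:01:02 +0000] "GET /backup/ HTTP/1.1" 200 512 "https://www.google.com/search?q=intitle%3A%22index+of%22+site%3Aexample.org" "Mozilla/5.0"',
    '192.0.2.11 - - [12/Mar/2024:10:02:00 +0000] "GET / HTTP/1.1" 200 900 "https://www.google.com/search?q=example+org+opening+hours" "Mozilla/5.0"',
    '192.0.2.12 - - [12/Mar/2024:10:03:30 +0000] "GET /admin/app.log HTTP/1.1" 200 77 "https://www.google.com/search?q=filetype%3Alog+inurl%3Aadmin+-site%3Awww.example.org" "Mozilla/5.0"',
]

def scan(lines):
    return [hit for hit in map(flag_line, lines) if hit]
```

A hit with status 200 on a path that should not be public is the signal to act on: remove or protect the resource, then request removal from the search index.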
Advanced Dork
• Gives quick access to Google's Advanced Operators directly from the context menu
• Right click anywhere on the page with no text selected to be provided with the active page's HTML title for use with Google's intitle Operator, and the active page's HTML ALT tags for use with Google's allintext Operator
• Right click on a link and choose from site: link's domain, link: this link, and cache: this link
• Right click the URL Bar and choose from site, inurl, link, and cache; inurl works with the highlighted portion of text only
• Selecting an option will open the relevant Google search in a new tab

Google Hacking Database
• The Google Hacking Database is a collection of saved searches using Google Advanced Operators that locate private information including usernames, passwords and other sensitive data
• Johnny Long’s GHDB is the most (in)famous, but not the only one
“nacnac06”

Authors and add-ons
• Nancy Blachman (www.googleguide.com)
• Johnny Long’s Google Hacking Database (www.hackersforcharity.com/ghdb/)
• CP (Advanced Dork)
• Anthony Lieuallen, Aaron Boodman, Johan Sundström (Greasemonkey)
• Jeffery To (Google Cache Continue Redux)

Questions?

Try these searches…
• google chuck norris -> I’m Feeling Lucky
• Google Suggest:
  ◦ why is there
  ◦ google is
  ◦ i want
  ◦ chuck norris can
  ◦ norway is
