Google Hacking

[John]

Google hacking
How to protect your data on the Web

Warning:

Some of the information described in the document, might be used not on the good will. Hence, it is our obligation to state that the information can be found elsewhere in the internet AND hence we are not the initiators of this content(information).Some of the websites described below have been target of legal cases, in the years. Although they are still operating on a federal level and on a state level, hence we find it perfectly legal to describe their content. If you however find the information below inappropriate, please contact the administrators of the specific websites listed below AND don't contact us, since we stated our obligations clearly.

I remember, back then in the early days of hacking, it was all about viruses. Evil geniuses were writing viruses, trojans, smurfs, wardialers and many others in order to steal private information, destroy systems, stuck the traffic. But this was in the 80's and early 90's. Websites like T E X T F I L E S D O T C O M contain rich information about these early days. In the present however, with companies investing billions in antiviruses like Norton, Kaspersky the impact of the viruses is not obvious. Not only that but people became very suspicious. Imagine in the 1995 you can simply open any email and think "wow, how powerful the net is, I am going to study and follow anything described in those email". Now in 2008, I doubt that you are going to open some spam email and "study" everything described herein . Hence, the viruses might not be dead, but their impact is tremendously weakened. So what happened after the viruses??? Well, the bad "hackers" found another way: Social Engineering. Behind those fancy name is a very simple approach: A social engineering is just a way to defraud the society. It is a way to defraud somebody in order to achieve some information. Kevin Mitnick, perhaps the most notorious hacker was perhaps and the "best" social engineer. In one of his books he says that a large software company might invest millions of dollars in order to protect its systems from hackers, but even then the company will miss one extremely important aspect: That its employees won't be that able to protect data as on the other hand the computers are. So, in other words a computer is hard to be scammed, but humans tend to believe many things. Hence, the social engineer comes...he lies about anything, about his occupation for example and he gets what he wants from the employees in a large software company. But..the social engineering is also too old. The large software companies realized that they can not only invest money in the computers, but and in the training of their employees. Also, people don't trust that easy "investors from Nigeria" nowadays . And, then...if the software engineering and the powerful C++ viruses aren't that powerful anymore, how can you "get" information today? The answer is pretty simple: Google.

Google started about 1995 by Larry Page and Sergey Brin, two students from Stanford. By that time, Yahoo was already popular, but the Larry and Sergey were sure that people need a better way for sorting results in the search engines. Hence, they invested some amount of money and designed the "page rank" a simple software concept, according to it, when a page receives more hits from other sources then this page should stay above other pages on the search results. Not only that, but the success of Google is thanks to its clear design and extremely large amount of data indexed. I remember several years ago when on the main page of google was stated the amount of webpages indexed...it reached over 10 billions. And the funny part is that although most people don't realize...but Google indexes only 30% of all online documents, this is known merely as the spider effect and the invisible web. You can "google" these for more information .

Now, at the moment you know that Google is extremely powerful and that social engineering and viruses aren't that effective. Now what is a google hacking?

A google hacking is simply...a way to get information from google, using an extremely powerful google queries with the google operators. Let's start our examples and later more importantly show you how you can protect your data.

1. Example number one: Get information of the social security numbers of some of the riches people in the United States:.

Google hacking query to be used:

site:secinfo.com "S.S. or IRS Identification" - Google Search

The link above shows all you need in order to dig the information about social security numbers of some of the riches people in the States. Now, you can alternately of course open google and type the following on the search form and then hit "search":

site:secinfo.com "S.S. or IRS Identification"

Results:

"Results 1 - 10 of about 1,590,000 from secinfo.com for "S.S. or IRS Identification". (0.04 seconds)"

However this code isn't the best that we can do, let's illustrate it and later we will modify it in order to achieve even better results. But now let's explain in detail what the heck that is...

You already know that Google hacking is a way to get secret information on the google searches. You perhaps know and what a SSN is(social security number: A unique number to any person in the USA, with these personal private numbers, people can get credit or access their bank account...just a few uses of the SSN). Now we explain what the purpose of the code above is:

First open google and type that:

site:secinfo.com

Or just click on that link for shorter:

site:secinfo.com - Google Search

You should receive about that amount of results:

Results 1 - 10 of about 13,200,000 from secinfo.com. (0.02 seconds)

What you just did with this query was to search for documents from the site SEC Info - the best EDGAR online database of Securities and Exchange Commission filings & IPOs(site:secinfo.com). This site keeps track of companies that have securities. The documents on that website are in HTML without a database, so it's extremely easy for google to index every part of that documents. Now let's add the following code to our query: "S.S. or IRS identification".

site:secinfo.com "S.S. or IRS Identification" - Google Search

What do we have now? We have results only from the website secinfo.com that contain the text s.s. or irs identification .The goal behind this is that every document that contains such text will have immediately after this, the SSN or IRS exact number of some company or person.

Now we can find the ssn of Bill gates using this way:

1. http://www.google.com/search?hl=en&safe=off&q=site%3Asecinfo.com++%22S.S .+or+IRS+Identification%22+william++gates&btnG=Sea rch
2. http://www.secinfo.com/dr643.927.htm
3. The SSN of Bill Gates:




So, voila...now you have the SSN of Bill gates.

His SSN is though publicly listed via his website. We suppose that B.Gates has changed his SSN in effect of numerous malicious attempts of some bad hackers to steal his SSN.

However, as you can see this query(site:secinfo.com "S.S. or IRS Identification") gives you SSN only one time in about 20 documents. On most of the time it returns only the IRS. Why is that? Because most files hide the SSNs after September 11 2001, according to a federal law.

However we can modify the query to get even better results. We will do this, assuming that every SSN must start with a certain SSN code. For example we know that the SSNs in California have the code 545, thus we add to our code 545. But even then we can't be sure that the query will return god results, so we add values one after another to the 545 SSN code. We do this just typing any value and waiting to see if such queries return ssn numbers. Just try any of the queries described below, about 5 of them MUST return a full SSN:

site:secinfo.com "S.S. or IRS Identification" 545-00 - Google Search
site:secinfo.com "S.S. or IRS Identification" 545-01 - Google Search
site:secinfo.com "S.S. or IRS Identification" 545-02 - Google Search
site:secinfo.com "S.S. or IRS Identification" 545-03 - Google Search
site:secinfo.com "S.S. or IRS Identification" 545-04 - Google Search
site:secinfo.com "S.S. or IRS Identification" 545-05 - Google Search
site:secinfo.com "S.S. or IRS Identification" 545-06 - Google Search
site:secinfo.com "S.S. or IRS Identification" 545-07 - Google Search
site:secinfo.com "S.S. or IRS Identification" 545-08 - Google Search
site:secinfo.com "S.S. or IRS Identification" 545-09 - Google Search
site:secinfo.com "S.S. or IRS Identification" 545-10 - Google Search
site:secinfo.com "S.S. or IRS Identification" 545-11 - Google Search
site:secinfo.com "S.S. or IRS Identification" 545-12 - Google Search
site:secinfo.com "S.S. or IRS Identification" 545-13 - Google Search
site:secinfo.com "S.S. or IRS Identification" 545-14 - Google Search
site:secinfo.com "S.S. or IRS Identification" 545-15 - Google Search
site:secinfo.com "S.S. or IRS Identification" 545-16 - Google Search
site:secinfo.com "S.S. or IRS Identification" 545-17 - Google Search
site:secinfo.com "S.S. or IRS Identification" 545-18 - Google Search
site:secinfo.com "S.S. or IRS Identification" 545-19 - Google Search
site:secinfo.com "S.S. or IRS Identification" 545-20 - Google Search
site:secinfo.com "S.S. or IRS Identification" 545-21 - Google Search

2. Using Google hacking to return pages containing secret security cameras:

Yes, Google can find many webpages that contain direct links to their security cameras. You can even get many webpages tha lead you to computer clubs and you can stare what some people do on their computers.

Here is a set of google queries that lead you to such:

inurl:axis-cgi - Google Search
site:.viewnetcam.com -www.viewnetcam.com - Google òúðñåíå
inurl:wrcontrollite - Google Search
inurl:start.htm?scrw= - Google Search
inurl:setdo.cgi intext:"Set DO OK" - Google Search
inurl:JPGLogin.htm - Google Search
inurl:indexFrame.shtml Axis - Google Search
inurl:cgi-bin/guestimage.html - Google Search
inurl:"ViewerFrame?Mode=" office - Google Search
intitle:liveapplet inurl:LvAppl - Google Search
intitle:"WJ-NT104 Main Page" - Google Search
intitle:"SNC-RZ30 HOME" -demo - Google Search
intitle:"EvoCam" inurl:"webcam.html" - Google Search
intitle:"active webcam page" - Google Search

Example of what we have found with some queries (for security purposes I don't show the url to the company sites on the screenshots below):

Google: "Display Cameras" intitle:"Express6 Live Image"



Other cameras found with Google:





How to protect yourself against Google hacking???:

If you suspect that your website has been included in Google and it doesn't have to be there, go on the Google webpage where you can drop your webpage from Google:

Go here and follow the instructions:

Preventing content from appearing in Google search results

What else you can do:

1. If you have sensible information use power archiver to zip your data and set password to it. Then upload it on your webserver.

2. Use long password on your archived .zip content.

3. Use dynamic content on all of your pages. In other words use PHP or ASP.NET. Google and other crawlers find it hard to index dynamic content.

4. Use MySQL database. Do NOT use "Access".

5. Learn more about the "robots.txt" file. Please note: The robots.txt is NOT a guarantee. You better use some other ways...though sometimes the robots file does the job...

6. Check if your webpage has been indexed in the internet archive: http://archive.org.

If you think that you have specific content here that you don't want to be here...write the webmasters of the website to remove it.

[DevilsCharm]

I've seen this before, at least, the thing about finding security cameras. It's amazing how many crazy things you can find in Google.

[marwex89]

Now I've seen this too... A co-admin posting hacker-tutorials
Nice tutorial, though.. Let's hack!

[TcM]

I knew the security cameras one, it's not actually a hacking guide.. but let's say.. google tricks.

Ever saw a moderator posting cracking tutorials?
Cracking an Application Method One (PART 1)
Cracking an Application Method One (PART 2)

And a hacking script posted by the Admin:
Joomla! Hacking Script

Lol. Hey, to secure your own stuff, first you need to know how it is hacked...

[marwex89]

Yeah I guess

[TcM]

Don't guess... just brute force.

[marwex89]

lol