
Google hacking: It's all about the dorks

Google Search shows no bias. It will help anyone find anything, including vulnerable Internet-connected devices. You just need to know what to ask.

Type a specific term into Google search, hit enter, and magically, a veritable treasure-trove of Internet-connected devices is at your beck and call. Don't believe me? Enter:

hp photosmart status "product serial number" "product model number"

into Google Search, and marvel at all the hits you get. For more of the same, check out my post: "HP Officejet All-in-One: An unlikely spy tool".
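To make concrete how a query like the one above is evaluated, and to give site owners a way to run the same check against a crawl of their own hosts before a search engine does, here is an added example. It is not code from the article, from Johnny Long or from the GHDB; it implements a small subset of Google-style syntax (bare terms, quoted phrases, intitle:, inurl:, filetype:/ext:, site:, and a leading minus for negation) as plain case-insensitive substring matching, and the crawl records it runs over are constructed, with placeholder serial and model values.

```python
import re
from urllib.parse import urlparse

# Constructed sample crawl export (not from the article): the kind of record a
# site owner can produce by crawling their own hosts. Serial and model values
# are placeholders, not real identifiers.
SAMPLE_PAGES = [
    {"url": "http://printer-1.example.internal/status",
     "title": "HP Photosmart Status",
     "body": "Product Serial Number: SN-PLACEHOLDER  Product Model Number: MODEL-PLACEHOLDER"},
    {"url": "https://www.example.com/about",
     "title": "About us",
     "body": "We make widgets. Contact support for a product serial number lookup."},
    {"url": "https://files.example.com/backup/users.xls",
     "title": "Index of /backup",
     "body": "users.xls  passwords.txt"},
    {"url": "https://docs.example.com/manual.pdf",
     "title": "Photosmart manual",
     "body": "hp photosmart status codes and the product model number table"},
]

KNOWN_OPERATORS = {"intitle", "inurl", "filetype", "ext", "site"}
# One token: optional "-", optional operator:, then a "quoted phrase" or a bare word.
TOKEN_RE = re.compile(r'(-?)(?:(\w+):)?(?:"([^"]*)"|(\S+))')


def parse_dork(query):
    """Split a Google-style query into (negated, operator, value) clauses.

    Bare words and "quoted phrases" get operator None. An unknown operator is
    folded back into a bare term, so a token like http://x is not misread.
    """
    clauses = []
    for neg, op, phrase, word in TOKEN_RE.findall(query):
        value = phrase if phrase != "" else word
        if op and op.lower() not in KNOWN_OPERATORS:
            value = f"{op}:{value}"
            op = None
        if not value:
            continue
        clauses.append((neg == "-", op.lower() if op else None, value.lower()))
    return clauses


def _clause_holds(op, value, page):
    """Evaluate one clause against one crawl record (all comparisons lowercased)."""
    url = page["url"].lower()
    title = page["title"].lower()
    body = page["body"].lower()
    if op is None:                      # bare term or phrase: any indexed field
        return value in title or value in url or value in body
    if op == "intitle":
        return value in title
    if op == "inurl":
        return value in url
    if op in ("filetype", "ext"):
        return urlparse(url).path.endswith("." + value)
    if op == "site":
        host = urlparse(url).hostname or ""
        return host == value or host.endswith("." + value)
    return False


def page_matches(clauses, page):
    """Every clause must hold; a negated clause must not hold."""
    return all(_clause_holds(op, value, page) != negated
               for negated, op, value in clauses)


def find_exposed(query, pages=SAMPLE_PAGES):
    """Return the URLs in a crawl export that the given dork would surface."""
    clauses = parse_dork(query)
    return [p["url"] for p in pages if page_matches(clauses, p)]


if __name__ == "__main__":
    dork = 'hp photosmart status "product serial number" "product model number"'
    for url in find_exposed(dork):
        print("would be surfaced by the dork:", url)
```

Feeding the article's query to `find_exposed` returns only the printer status page, because it is the only record carrying both quoted phrases; the manual page shares the bare terms and one phrase but not the other. Real engines tokenise and rank rather than substring-match, so treat a hit here as "worth a look", not as proof of exposure, and a miss as no guarantee.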

More is better

The power and pervasiveness of Google Search is not lost on those wanting to exploit all possible Internet flaws, and in the shortest possible time.

To that end, someone determined how to automate the process using botnets. Imperva, in its August Trend Report:

"Although Google hacking has been around - in name - for some time, some new innovations by hackers require another, closer look. Specifically, Google, and other search engines, put in place anti-automation measures to stop hackers from search abuse.

However, by using distributed bots, hackers take advantage of the bots' dispersed nature, giving search engines the impression that individuals are performing a routine search. The reality? Hackers are conducting cyber reconnaissance on a massive scale."

In this case, using botnets will definitely improve the ROI.
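The report's point is that spreading queries across many clients keeps each one under a per-client rate limit. The detection that follows is an added example, not from the Imperva report or the article: it aggregates dork-like queries by normalised query text across client IPs instead of per IP, which is the view a search-engine or site-search operator needs. The log format (tab-separated timestamp, client IP, query) and every log line are constructed, and the thresholds are assumptions to be tuned on real traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of search front-end requests (not from the report):
# "timestamp<TAB>client_ip<TAB>query", documentation-range IPs only.
# Six clients each send the same dork once; none exceeds a per-client limit.
SAMPLE_LOG = """\
2011-08-01T10:00:01\t203.0.113.10\thp photosmart status "product serial number" "product model number"
2011-08-01T10:03:12\t203.0.113.11\tHP Photosmart status "product serial number" "product model number"
2011-08-01T10:07:40\t203.0.113.12\thp  photosmart status "product serial number" "product model number"
2011-08-01T10:11:05\t198.51.100.20\tweather tomorrow
2011-08-01T10:15:33\t203.0.113.13\thp photosmart status "product serial number" "product model number"
2011-08-01T10:22:18\t203.0.113.14\thp photosmart status "product serial number" "product model number"
2011-08-01T10:30:00\t198.51.100.21\tintitle:"index of" backup
2011-08-01T12:30:00\t203.0.113.15\thp photosmart status "product serial number" "product model number"
"""

PER_CLIENT_LIMIT = 5       # assumed: queries per client that a naive rule tolerates
MIN_DISTINCT_CLIENTS = 4   # assumed: one dork from this many clients in a window is suspicious
WINDOW = timedelta(hours=1)
# Heuristic for "looks like a dork": a quoted phrase or a search operator.
DORK_HINT = re.compile(r'"[^"]+"|\b(?:intitle|inurl|intext|filetype|ext|site):', re.I)


def parse_log(text):
    """Parse the tab-separated log into (timestamp, ip, query) events."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, query = line.split("\t", 2)
        events.append((datetime.fromisoformat(ts), ip, query))
    return events


def signature(query):
    """Normalise a query so trivial case/spacing variants collapse together."""
    return re.sub(r"\s+", " ", query.strip().lower())


def per_client_offenders(events, limit=PER_CLIENT_LIMIT):
    """What a naive per-IP rule sees: clients over the limit in the sample."""
    counts = Counter(ip for _, ip, _ in events)
    return sorted(ip for ip, n in counts.items() if n > limit)


def distributed_dorks(events, window=WINDOW, min_clients=MIN_DISTINCT_CLIENTS):
    """Flag dork-like signatures issued by many distinct clients inside one
    sliding window, even when every client stays under the per-client limit."""
    by_sig = defaultdict(list)            # signature -> [(timestamp, ip)]
    for ts, ip, query in events:
        if DORK_HINT.search(query):
            by_sig[signature(query)].append((ts, ip))
    flagged = {}
    for sig, hits in by_sig.items():
        hits.sort()
        start, best = 0, set()
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ips = {ip for _, ip in hits[start:end + 1]}
            if len(ips) > len(best):
                best = ips
        if len(best) >= min_clients:
            flagged[sig] = sorted(best)
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("per-client offenders:", per_client_offenders(events))
    for sig, ips in distributed_dorks(events).items():
        print(f"distributed dork from {len(ips)} clients: {sig}")
```

On the constructed log the per-client rule reports nobody, while the cross-client view flags the printer dork because five distinct clients issued it within an hour (the sixth, two hours later, falls outside the window). The single `intitle:` query is not flagged, which is the intended behaviour: one researcher running one dork is routine, the same dork from a crowd of addresses is the pattern the report describes.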

How do they know?

A nagging sensation came back while I was reading the Imperva report. I remembered not understanding how they knew what to type in the search field when I wrote the Officejet piece. Quite frankly, I still don't.

I wasn't going to make the same mistake again. I decided to connect up with Johnny Long, regarded as a leading authority on Google hacking. Between his speaking engagements and returning to Uganda, Long found time to straighten out my misperceptions.

Kassner: Many have high regard for your expertise in the realm of digital security, including Andy Greenberg of Forbes, who wrote about your prowess in the post, "No-Tech Hacker". Would you share a few examples?

Long: I wouldn't call myself a no-tech hacker, but I coined the phrase for the book of the same title. No-tech hacking is basically subverting high-tech security systems and gaining access to sensitive information without relying on technology.

In the years I've spent as a professional hacker, I've learned that the simplest approach is usually the best. As hackers, we tend to get down into the weeds, focusing on technology, not realizing there may be non-technical methods at our disposal that work as well or better than their high-tech counterparts.

One of my favorite situations revolved around a mentor I worked with named Vince. Part of our assignment was to breach a highly-secure building. After casing the place, Vince spotted a vulnerability right at the front door. It was protected with an advanced security system, including proximity-card readers, heavy-duty construction, and advanced magnetic locks. And, the door was monitored by a well-trained and armed security force.

Vince noticed that employees were exiting the building without using their badges, a common practice required for safety reasons. In the event of a fire or some other threat, employees could exit the building even if the security systems were engaged.

I thought Vince was going to leverage a high-tech attack against something like the prox reader. Instead, he focused on the touch bars installed inside the front doors. He noticed the bars disengaged the locks when someone touched the bar.

His approach astounded me and taught me a valuable lesson. He built a tool using a coat hanger and wet washcloth. Next, Vince fed the tool through the crack between the front doors, touched the bar with the washcloth and disengaged the locks.

He defeated an advanced and expensive security system with common household items. My approach to hacking changed that day. I always kept an eye out for the simplest solution to advanced challenges.

Kassner: Your book, Google Hacking for Penetration Testers (I recommend it) goes into great depth on ways to exploit web-facing devices using Google Search. How would you define Google hacking?

Long: Google hacking has nothing to do with breaking into Google's databases or systems. Rather, it is uncovering sensitive information that is often locked behind firewalls and security systems using only Google-search queries.

Kassner: The book introduced me to "dorks". Or, should I say, reintroduced me. I remember being called one during my formative years. Google hacking and Google dorking are seemingly interchangeable? Are they the same thing?

Long: It's semantics. Google hacking usually describes the process of thinking actively about search queries and their application to information security. Google "dorks" are the actual search query entries. The term resulted from a comment I made early on. I called people who left security open enough so their data could be exposed by a search engine, "dorks".

Kassner: You maintain the Google Hacking Database (GHDB). It sounds sinister. How does it work?

Long: The database is a collection of vulnerability-related search queries discovered by a community of researchers. It would be sinister were it a secret. But, the database is open. So, individuals -- such as security administrators -- can learn how to protect their data. The GHDB is currently a part of the larger Exploit Database and can be found at http://www.exploit-db.com/google-dorks.

Kassner: Recently, the tech media focused significant attention on how easy it was to obtain names and Social Security numbers of 43,000 people associated with Yale -- just using Google search. This letter to the New Hampshire Attorney General from Yale's Associate General Counsel made the exploit seem like an error in judgment. Would it still be considered a Google dork?

Long: Nearly all Google dorks are an error in judgment. At some point, someone makes a choice that exposes data. Very few people actually decide to make the front page and risk their lives or their careers to put sensitive data online. Oh, wait. WikiLeaks.

Kassner: Rather than someone associated with Yale using Google to find links associated with their name, is it possible that one of the entries in the GHDB could have been used to find that particular file?

Long: Possibly. It's too hard to tell. Our queries could get people close, but it's not the fault of the database or the researchers that discovered the query, even if Yale decided to try to make it someone else's fault.

Kassner: Can you think of any other examples of where attackers used Google Search to advance their exploit?

Long: There are, but I don't have a list handy. Researchers release Google dorks for web-based vulnerabilities all the time.

Kassner: I also wanted to let you discuss a non-profit that is near and dear to you: "Hackers for Charity is a non-profit organization that leverages the skills of technologists. We solve technology challenges for various non-profits and provide food, equipment, job training, and computer education to the world's poorest citizens."

Long: There's a misconception about hackers -- that we're all evil. It's simply not true. There's a criminal element in every community. Ours is no different, but we get lots of press. The term hacker was originally coined to describe someone passionate about technology -- regularly pushing its limits.

Inventors are hackers. Thomas Edison was a hacker. Today, computer security is one of the most difficult elements of technology -- probably why we are drawn to it. Offensively and defensively it's a real challenge. Since the term is used so often to describe the criminal element of our community, we are all cast as evil.

But when violence and oppression occur, hackers -- time and time again -- give of themselves. They offer their money, their time, and their skill. Whether they are writing a check to the Red Cross or deploying amateur radio and packet systems in the wake of disasters like hurricane Katrina.

Hackers for Charity is "our" charity. It's a way of branding and consolidating the good works we do. So people will see we're really not all criminals. We're passionate technologists trying to make a difference; plying our trade not only to keep systems safe, but to provide a positive path through technology for the planet's most disadvantaged citizens.

Final thoughts

I asked Long if he would like to add anything. I think his comment is a fitting "Final thoughts".

Long: Thanks. It's safe to say that the same community that put Google hacking into the limelight and brought it to the attention of the masses is the same community that started Hackers for Charity. I say this because the point of releasing Google hacks was not to wreak havoc, but rather to help people realize the importance of the problem and to see it addressed.

We've seen improvement since the creation of the Google Hacking Database. Despite the fact the amount of information available has exploded since the earlier days, vulnerabilities have not. Google has implemented scanners, actively removing content and queries that dig up the most sensitive stuff.

I can now say that Google is not the problem like they used to be. The responsibility now firmly lies with individuals and organizations that release information to the web.


AnsuGisalas

*It provides help with information security to nonprofits where lives can literally depend on data remaining secure (think of nonprofits operating in drug cartel areas for instance, they might rely on keeping their data in a different location, but that won't help them if their systems can be cracked).
*It provides training opportunities to let talented amateurs and fresh graduates grow into experienced professionals
*It provides training opportunities to let seasoned professionals grow into experienced instructors
*It provides infosec companies with a widened contact with their field, and with a great recruitment base
*It creates an instant peer network for the entire infosec field, letting people exchange ideas and test them

Of all the proposals on how to boost the number of "cyber warriors", this is the only one which seems to have the mechanics to succeed. This machine, if it gets to work, could have what it takes to take on the criminal networks.

realvarezm

The meaning is like putting Van Halen and Metallica in the same class of rock. In the core of the concept both are the same. Hackers and dorks in the new ecosystem created in the cyber world, one is the predator the other the victim and is all ok cause that's the way of the world. The strong and cunning will take advantage of the weak. But remember that many hackers were dorks one time in their life, but overcome that way of thinking they achieved it through hard study and perseverance. So stop being a dork! P.S. DORK what a funny word!

pgit

I gave up on trying to get people to use "cracker" for the black hat variety. I've had a bit more success getting people to think of "cyber criminals" as separate from "hackers," but deep down the true meaning has been buried by an ignorant press and forever tarnished in the average mind. Good luck with the charity. I hope you get the press you need to raise awareness to both glaring facts: the world needs a lot of help and computer systems are a heck of a lot more vulnerable than the average Joe is aware of. Hats off to you and all the other members... that would be a white hat. :)

apotheon

> Google Search shows no bias. This is not accurate. It does, indeed, show bias. Consider for instance the news that UK government is trying to get Google to start sites that include copyright infringing material or refer to such material -- a move that Google rightly opposes, as it would destroy a lot of the search engine's utility (not just utility for copyright infringement, but general utility because such material may appear by accident or through the actions of users on sites that offer a lot of non-infringing information for users). The point here is not that Google refuses to block entire sites, though; it is that Google is perfectly willing to remove the specific pages of those sites that contain or refer to infringing materials from its database for generating search results. Whether you consider this bias justified or not has no effect on the fact it is a demonstrated bias. There are other such cases of bias in Google search results, too -- completely aside from the fact that it feeds the searcher's biases as well, due to the way it personalizes search results.

lshanahan

Since someone mentioned movies, we absolutely MUST give a nod toward "Sneakers".

lshanahan

I remember stumbling across the book "No-tech Hacking" in the bookstore. I started thumbing through it and wound up reading almost the whole thing then and there. Some of it is just downright *scary*. Really an eye-opener.

VytautasB

Very informative, never realised it could be so easy to get at this kind of information using Google. Thanks.

chris1217

I tried the line in the blog in Bing and looked at an HP printer on the network with a private IP address.

seanferd

People leave all sorts of stuff exposed to the web. Remember security cams? Kudos to Hackers for Charity. The world needs more groups like that.

AnsuGisalas

Now, these movies are a rock-solid part of the Danish cultural canon, but I have no idea if it's possible to get authorized full-length English-text or dubbed (the horror) versions... I would imagine Youtube will be able to provide some enlightening examples though (try with "Olsenbanden" if "Olsen Gang" doesn't give you anything). Anyway, one recurring element in these movies (apart from the gang's criminal mastermind exiting jail at the beginning of the movie, and going back to jail in the end) is defeating more or less complex security setups with highly unorthodox means. The coat hanger and washcloth is right up that alley. Here's a fun example, although it's not no-tech ;) : http://www.youtube.com/watch?v=4f7KmmwdC-I Bear in mind that this clip is from 1979! I should mention that it's a series of movies... 14 in total, plenty of tricks to be inspired by ;)

Neon Samurai

An interview with Mr Long? Oh, I'm all over that, going straight into my library.

Michael Kassner

The success of Mr. Long's other non-profit gives heart to the success of the Infosec (without borders).

Michael Kassner

Everyone has strong and weak points. In the past, I considered myself both. My son will say I am still one of them. I'm not telling which. Dork's etymology is interesting to say the least.

Neon Samurai

I gotta share from his latest update talk. So he's in Uganda setting up computer labs for schools and all sorts of places when the Ugandan government says "hey, you're not a certified systems engineer and haven't even a university degree.. you are not qualified to do this kind of work" and they were going to revoke his papers and kick him out. When the local chief of police heard, he walked the renewal papers over to the immigration office and stood there while the guy signed them. "well, he's set up the computer school lab here in town and is teaching my police about computer security. sign the papers." hehe.. fantastic though you really should hear him tell it if you've not already. Mr Long is right up there with other real hackers like Mr Marlinspike and Mr Kaminsky.

Michael Kassner

Mr. Long has started another non-profit infosec (without borders). It also provides badly-needed help.

Michael Kassner

I see your point, and I suspect you see what I was alluding to. A do-over would be different, I suspect.

santeewelding

You are lost in the wilds of taxonomy and can't find your way out.

Michael Kassner

The classic hacker movies are forever. I just saw Moneyball. It also uses similar "outside the box" thinking -- the kind we all strive for.

Neon Samurai

The No Tech Hacking talk he gives is fantastic.

Michael Kassner

The first time I wrote about this, there were a lot more vulnerable sites. As Mr. Long mentioned, awareness is increasing.

Michael Kassner

I'm not positive, but I believe that the dorks work in all web browsers.

Neon Samurai

Now I gotta go dig out my copy of The Italian Job and re-watch it. (no.. not the recent "inspired by" movie.. the real old school slow moving crime crew flick ending with a bus stuck out the edge of a cliff.)

JCitizen

many of my fellow students called me a dork - behind my back. If they had only known, I would have said, "I think I resemble that remark!" :^0

AnsuGisalas

actually means "not controlled". I wonder how the Ugandan government or authorities got involved in the first place... Or is that one of those wonderments best left unturned?

apotheon

Your purpose here, so far as I've been able to determine over the years, is wholly negative.

seanferd

Thanks for reminding me.

seanferd

And these aren't hard to come by. I've never even noticed an exposed camera with a password, and I've screwed around with those a bit. Most are incredibly boring, but some have an interesting view. I suppose any could be interesting if you are a security cracker.

AnsuGisalas

I actually had to check if it was a "fanfic" version or not, but it is the original.

AnsuGisalas

These are two of my favorite articles, ever :) I updated my post above with a link to a clip, BTW. Homo Ludens is what makes the world go 'round ;)

Neon Samurai

The networks over there are getting hammered hard either for practice or offensive intentions towards Uganda. His Blackhat presentation this year gives a pretty solid update though it is a stark contrast to previous two presentations that have spread like wildfire. Mr Long, thank you for finding time between the end of the conference season and travel. (everyone remember to make a big noise when the "SANS" slides come up. :D )

Michael Kassner

Roger is one smart guy. Glad we have him working to secure our labs. He speaks all over the world, yet has time to keep me up to speed. That is priceless to me.

Michael Kassner

I had forgotten about shared folders. That's pretty much the keys to the kingdom.

seanferd

If camera web servers are anything like routers, they probably all have default passwords (some routers have gotten better with this) and a fairly insecure UI access even with strong or unique passwords. "Open directories" are fun, too. What is really sort of scary are the home PCs used to serve up web pages, with the entire drive shared across the internet. Oops.

Michael Kassner

I do not personally know the exploit, but many camera web servers allow back end access with a little prodding.
