Security

Google hacking: It's all about the dorks

Google Search shows no bias. It will help anyone find anything, including vulnerable Internet-connected devices. You just need to know what to ask.

Type a specific term into Google search, hit enter, and magically, a veritable treasure-trove of Internet-connected devices are at your beckoning. Don't believe me? Enter:

hp photosmart status "product serial number" "product model number"

Into Google Search, and marvel at all the hits you get. For more of the same, check out my post: "HP Officejet All-in-One: An unlikely spy tool".

More is better

The power and pervasiveness of Google Search is not lost on those wanting to exploit all possible Internet flaws, and in the shortest possible time.

To that end, someone determined how to automate the process using botnets. Imperva, in its August Trend Report:

"Although Google hacking has been around - in name - for some time, some new innovations by hackers require another, closer look. Specifically, Google, and other search engines, put in place anti-automation measures to stop hackers from search abuse.

However, by using distributed bots, hackers take advantage of bot's dispersed nature, giving search engines the impression that individuals are performing a routine search. The reality? Hackers are conducting cyber reconnaissance on a massive scale."

In this case, using botnets will definitely improve the ROI.

How do they know?

A nagging sensation came back while I was reading the Imperva report. I remembered not understanding how they knew what to type in the search field when I wrote the Officejet piece. Quite frankly, I still don't.

I wasn't going to make the same mistake again. I decided to connect up with Johnny Long, regarded as a leading authority on Google hacking. Between his speaking engagements and returning to Uganda, Long found time to straighten out my misperceptions.

Kassner: Many have high regard for your expertise in the realm of digital security, including Andy Greenberg of Forbes, who wrote about your prowess in the post, "No-Tech Hacker". Would you share a few examples? Long: I wouldn't call myself a no-tech hacker, but I coined the phrase for the book of the same title. No-tech hacking is basically subverting high-tech security systems and gaining access to sensitive information without relying on technology.

In the years I've spent as a professional hacker, I've learned that the simplest approach is usually the best. As hackers, we tend to get down into the weeds, focusing on technology, not realizing there may be non-technical methods at our disposal that work as well or better than their high-tech counterparts.

One of my favorite situations revolved around a mentor I worked with named Vince. Part of our assignment was to breach a highly-secure building. After casing the place, Vince spotted a vulnerability right at the front door. It was protected with an advanced security system; including proximity-card readers, heavy-duty construction, advanced magnetic locks. And, the door was monitored by a well-trained and armed security force.

Vince noticed that employees were exiting the building without using their badges, a common practice required for safety reasons. In the event of a fire or some other threat, employees could exit the building even if the security systems were engaged.

I thought Vince was going to leverage a high-tech attack against something like the prox read. Instead, he focused on the touch bars installed inside the front doors. He noticed the bars disengaged the locks when someone touched the bar.

His approach astounded me and taught me a valuable lesson. He built a tool using a coat hanger and wet washcloth. Next, Vince fed the tool through the crack between the front doors, touched the bar with the washcloth and disengaged the locks.

He defeated an advanced and expensive security system with common household items. My approach to hacking changed that day. I always kept an eye out for the simplest solution to advanced challenges.

Kassner: Your book, Google Hacking for Penetration Testers (I recommend it) goes into great depth on ways to exploit web-facing devices using Google Search. How would you define Google hacking? Long: Google hacking has nothing to do with breaking into Google's databases or systems. Rather, it is uncovering sensitive information that is often locked behind firewalls and security systems using only Google-search queries. Kassner: The book introduced me to "dorks". Or, should I say, reintroduced me. I remember being called one during my formative years. Google hacking and Google dorking are seemingly interchangeable? Are they the same thing? Long: It's semantics. Google hacking usually describes the process of thinking actively about search queries and their application to information security. Google "dorks" are the actual search query entries. The term resulted from a comment I made early on. I called people who left security open enough so their data could be exposed by a search engine, "dorks". Kassner: You maintain the Google Hacking Database (GHDB). It sounds sinister. How does it work? Long: The database is a collection of vulnerability-related search queries discovered by a community of researchers. It would be sinister were it a secret. But, the database is open. So, individuals — such as security administrators — can learn how to protect their data. The GHDB is currently a part of the larger Exploit Database and can be found at http://www.exploit-db.com/google-dorks. Kassner: Recently, the tech media focused significant attention on how easy it was to obtain names and Social-Security numbers of 43,000 people associated with Yale — just using Google search. This letter to the New Hampshire Attorney General from Yale's Associate General Counsel made the exploit seem like an error in judgment. Would it still be considered a Google dork? Long: Nearly all Google dorks are an error in judgment. At some point, someone makes a choice that exposes data. Very few people actually decide to make the front page and risk their lives or their careers to put sensitive data online. Oh, wait. WikiLeaks. Kassner: Rather than someone associated with Yale using Google to find links associated with their name, is it possible that one of the entries in the GHDB could have been used to find that particular file? Long: Possibly. It's too hard to tell. Our queries could get people close, but it's not the fault of the database or the researchers that discovered the query, even if Yale decided to try to make it someone else's fault. Kassner: Can you think of any other examples of where attackers used Google Search to advance their exploit? Long: There are, but I don't have a list handy. Researchers release Google dorks for web-based vulnerabilities all the time. Kassner: I also wanted to let you discuss a non-profit that is near and dear to you: "Hackers for Charity is a non-profit organization that leverages the skills of technologists. We solve technology challenges for various non-profits and provide food, equipment, job training, and computer education to the world's poorest citizens."

Long: There's a misconception about hackers — that we're all evil. It's simply not true. There's a criminal element in every community. Ours is no different, but we get lots of press. The term hacker was originally coined to describe someone passionate about technology — regularly pushing its limits.

Inventors are hackers. Thomas Edison was a hacker. Today, computer security is one of the most difficult elements of technology — probably why we are drawn to it. Offensively and defensively it's a real challenge. Since the term is used so often to describe the criminal element of our community, we are all cast as evil.

But when violence and oppression occur, hackers — time and time again — give of themselves. They offer their money, their time, and their skill. Whether they are writing a check to the Red Cross or deploying amateur radio and packet systems in the wake of disasters like hurricane Katrina.

Hackers for Charity is "our" charity. It's a way of branding and consolidating the good works we do. So people will see we're really not all criminals. We're passionate technologists trying to make a difference; plying our trade not only to keep systems safe, but to provide a positive path through technology for the planet's most disadvantaged citizens.

Final thoughts

I asked Long if he would like to add anything. I think his comment is a fitting "Final thoughts".

Long: Thanks. It's safe to say that the same community that put Google hacking into the limelight and brought it to the attention of the masses is the same community that started Hackers for Charity. I say this because the point of releasing Google hacks was not to wreak havoc, but rather to help people realize the importance of the problem and to see it addressed.

We've seen improvement since the creation of the Google Hacking Database. Despite the fact the amount of information available has exploded since the earlier days, vulnerabilities are not. Google has implemented scanners, actively removing content and queries that dig up the most sensitive stuff.

I can now say that Google is not the problem like they used to be. The responsibility now firmly lies with individuals and organizations that release information to the web.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

Editor's Picks

Free Newsletters, In your Inbox