Google Hacking for Penetration testers manual notes

Reference link: Advanced operators Referencegoogle Hacking database
Note: The following refers to a large number of reference charts , charts are in my album "Google hacking parameter query form"

The first chapter of Google search basic knowledge

1. Google Translate can be viewed as transparent proxy use: "Translate this page"

2. Golden rule:

Case insensitive

Wildcards * represent a word, not a single letter or a series of letters, using asterisks at the beginning or end of a word, and using the same words directly

Retain Query keyword rights

Force Search:
Quoted: "Words" or with Boolean notation and: "+word"
Note: no spaces between + and words to search

3. Use the wildcard * instead of some query words to break the limits of Google 32 query words

4. Boolean operator special characters

(and) +word Force search word, no spaces

(not)-word word that is ignored in a query

(or) |world find 1 or another keyword in search (| pipe character)

Example:

Intext:password|passcode Intext:username|userid|user Filetype:csv

"Finds pages in all documents that contain password or passcode text. On those pages, only those pages that contain Username,userid or user are required to be displayed.

For those pages, only the CSV file is required "

Google reads the query from left to right.

Google is blind to (), so the above example parentheses are easy to read:

Intext: (Password|passcode) Intext: (Username|userid|user) filetype:csv

5. Search reduction with Boolean symbols-

6.google URL Query
Construction Syntax: Www.google.com/search?hl=en&q=ihackstuff
Www.google.com/search for query scripts
Hl,q Parameters More Parameters View album "Google hacking parameter query form"

Note the difference:

LR Limited results Page language:

HL Display the results in the language, the found page has not been translated

Restrict Limited search returns a Web page for a specific region host

Chapter II Advanced operator Operators
Here are some common advanced operators for advanced queries to make search results more accurate, more operator Google, or refer to links at the top of the article. operator Syntax:operator, colon, no space between keywords the keyword is required to ensure that the operator, Colon, and the first quotation mark of the phrase is not empty barrackpore operators and special operators are still available, but cannot be placed between the operator and the colon usually start with the operator is not very good with other operators
Operator:Intitle and Allintitle: finding text in headings Intitle:keyword query returns a page with Keword in the title intitle: "Index of" is equivalent to Intitle:index.of (point matches any character) intitle : the "index of" private query header contains the index of the Web page anywhere (URL, title, text) containing the private page. Google put a blank space is considered the end of the advanced operator search keyword intitle: "Index of" "Backup Files" query title contains index of, the page anywhere (URL, title, text) contains backup files of the page. Google took the space as the end of the advanced operator search keyword allintitle: "Index of" "Backup Files" query title contains the page of index of and backup files Inurl and Allinurl: Finding text in URLsGoogle cannot effectively search the URL agreement section, such as the special characters contained in Http://url, and Google cannot process inurl:admin index return URL containing index in the page allinurl:admin index return URL contains index Admin's page. However, it is best to use the inurl two times instead of using allinurl at once, prone to unexpected errors. Filetype: Querying a document of the specified type, which means that Google can crawl any page with any extensionDocument type query: Http://filext.orgext operator and substitution filetype such as filetype:xls equivalent Ext:xls allintext: Returns a page with all keywords queriedDo not mix with other advanced operators to avoid mistaken keywords Site: Pinpoint search to specificAllow search of Web pages in a particular website or domain Google reads the server name from right to left, unlike normal human reading site:qq.com Link : Search with the current page from the linked pageCannot be mixed with other advanced operators link:linux.org inanchor: Finding text in link text
He searches for a link's text representation, not the actual URL. such as: Web site, to add a hyperlink to him, we search the URL of the word, non-physical address link DateRange: Querying for pages published within a specific dateThe parameter must be a date range, and the date is separated by a dash in the middle of the Julian calendar (Julian date) daterange:2452164-2456164 "key word" Numrange: Search for numbers, must provide minimum and maximum values of two query parameters, Check a value with a parameter that is equal to the minimum value. Numrange:min Max is equivalent to abbreviation min. Max is separated by a two period cache: Displays the cached version of the Web pagecache:blackhat.org info: Display Google summary informationInfo:qq.com Related: Show related sitesRelated:qq.com phonebook, Rphonebook, Bphonebook: Search (Residential, commercial, residential and commercial) telephone list. The parameter is name, address, roll call. Author: Search the author of newsgroup posts in Google forum groups Group: Search Google Forum title insubject: Search Google Forum subject line
  Msgid: To view posts in groups by ID, this may be replaced by As_msgid
  Stocks: Effective stock abbreviation When searching stock information parameters
  Define: Show the definition of a termMixed use of Operators table View my albums "Google hacking Technical manual parameter query"for mixed advanced operator use, do not extend the "paradox" rule. Common errors:Site:com site:edu can not be the URL suffix is com again Eduinanchor:click–click front need to include click behind and filtered, the final result is empty, contradictory allinurl:pdf allintitle:pdf Two all appear, very bad link:www.microsoft.com Linuxlink cannot be mixed with other operators, and this query results are consistent with the "link.www.microsoft.com" Linux results.

Chapter III Google Hacking Foundation

anonymous browsing with cache (only the cached text is displayed to be truly anonymous)

Cache link Address +&strip=1
Such as:
http://216.239.41.104/search?q= Cache:z7fntxdmrmij:www.phrack.org/hardcover62/++site:www.phrac K.org+inurl: Hardcover62&hl=en&strip=1

(Tip: Search proxy: inurl: "nph-proxy.cgi" "Start browsing" or "Cacheserverreport for", "This analysis is produced by Calamaris")

Replay Cache keyword Highlighting
In the base url/area, list the keywords you want to highlight, such as .....: www.xxx.com/key+word+one+two+. You can highlight Key,word,one,two

Find directory List
Intitle:index.of "Parent Directory" (to narrow the scope with the parent directory name size, etc.)

Find a specific directory
Intitle:index.of.admin
Intitle:index.of Inurl:admin

Find a specific file
Intitle:index.of Ws_ftp.log
Filetype:log Inurl:ws_ftp.log

Server version
Intitle:index.of "Server at"

Can further expand the query for the specified server

? intitle:index.of "apache/1.3.27 Server at"

Find specific servers by directory list: Look up a table in an album
Search for specific and hidden server versions: Look up tables in albums

Traverse

Intitle:index.of inurl: "/admin/*"
You can also use software to do these excavations, such as Libwhisker

Increment displacement
/gallery/wel008-1.jpg Change/gallery/wel008-2.jpg

Extended traversal

/docs/index.htm expands/docs/index.asp to expand/docs/index.php.bak Very important backup file, can view source code, author, etc. behind the scenes message.

the fourth Chapter document processing and data mining Google does not search for meta data. For example, property information for a Word document: Author, company, etc. Web Site configuration file: configuration files can reveal sensitive information to attackers Configuration files can be searched through the extension of the configuration file, such as INI conf config cfg, etc. log file: can also disclose sensitive information like an attacker, and is typically updated with information about the configuration file Search by extension name, such as log Office Documents: The common format is Pdf,doc,txt,xls each document has a different content, such as a string such as private,password,backup,admin, which means that sensitive filesDatabase Mining Login Entry , especially the default entry provided by the manufacturer, can be easily searched. Search for Words login,welcome,copyright statements It's a great way to find a portal.Software that is located on both the server side and the client has a help file that leaks the configuration and usage information of the application, and the contents of different error messages can be used to dissect the target, leaking many database contents

Database dumps:

You can rebuild the database if you get any dumps. Dumps have proven to be the most leaking information in all database discoveries because he includes full or partial database content. Can be found by searching the header string of the database dump. such as "#dumping data for Table"

The best combination of search files is: filetype:aaaa inurl:aaaa.aaa

Can be combined search: inurl:conf or Inurl:config or inurl:cfg

Effective reduction Techniques:
Create powerful basic searches using unique phrases in the configuration file
Filter out sample,example,test,howto,tutorial words to eliminate obvious sample files
Using-cvs to filter out CVS memory, they usually store the default configuration file
Filter out manpage,manual If you search UNIX files
Searches for the most frequently changed domain in the configuration file and reduces the search for that domain.

The following examples are in the album

Configuration File Search Example:

Sample log File Search:

Popular Office Document file types:

Sample query for search for potentially sensitive Office documents:

Query for search database pages:

Search the database Help file for queries:

Query to search for database error messages:

To search for a database dump query:

Search the database file for queries:

Fifth role of Google in the framework of information collection

This chapter capacity is larger, code more, knowledge is miscellaneous, not easy to note, want to learn to read, on-line download, on the skip.

Sixth chapter search exploit and find target

Search Exploit code

Simple searches such as remote exploit and vulnerable exploit exploits in the security community
Inurl:0day can be used as an old backup search
Inurl:sploit still has a good effect.
Search for public exploit sites:
Filetype:c Exploit
Detach a site from a search result
grep Cached Exp | Awk-f "-" ' {print $} ' | Sort-u

Search for exploits using common code strings:?

String Search source code Sample table:

Find code with Google Code search

Google Code search operator's descriptor:

Search the Google Code search query table for vulnerable code:

Search for malicious software and executables:
Http://metasploit.com/research/misc/mwsearch

Search for vulnerable targets
Use demo page information such as powered by AAAAA
Using the page source code
Sample tables for searching for vulnerable Web applications:
Search for targets with CGI scanning

Seventh. Simple and effective security search

Site

Intitle:index.of
Error|warning
Login|logon
Username|userid|employee.id| " Your name is "
Admin|adminstrator
-ext:html-ext:htm-ext:shtml-ext:asp-ext:php
Inurl:temp|inurl:tmp|inurl:backup|inurl:bak
Intranet|help.desk
Based on previous chapters, taste the above search

Eighth. Tracking Search Web server, login portal and network hardware

Locating and dissecting a Web server
Search for the default Apache installed query table:
To find a query table for a specific version of the IIS server:
Search the query table for the Netscape server:
More query tables for more servers:
Query table for querying default documents:
Search for the default program query table:

To locate the login entry:
Find query table for login entry:
Using Web tools to scan
Find a sample list of network reports:

Targeting network devices using the Web
Network Device query table:

Nineth. User name, password and other secret information

Search for a sample User name query table:
Query table for search password information:
Generic password-based information query:
Intext: (Password|passcode|pass) Intext: (Username|userid|user)

Search Financial Account:
Financial program file extension table:

Search for various sensitive information:

Tenth chapter hacking Google services
Slightly
The 11th chapter of Google hacking case
Slightly

This note, interested in a good study to read this manual "Google hacking for Penetration testers", Baidu a bit