Google-hacking made easy
Connecting state and local government leaders
Open source Goolag Scan automates Google search engine's capability to scan Web sites for vulnerabilities.
With a name like 'Cult of the Dead Cow' you know these guys are probably up to no good, and they are living up to expectations with the release of Goolag Scan, a tool to automate the use of search engines to scan for vulnerable applications, back doors and sensitive information on Web sites.
This is a technique called 'Google-hacking,' named for the Web's predominate search engine, and it isn't new. What's new is the improved tool that makes it easier to do the searches.
'I don't think they have anything new in terms of new capabilities,' said Amichai Shulman, chief technology officer of Imperva Inc. of Foster City, Calif., and head of the company's Application Defense Center. 'They do have a tool that makes Google hacking more accessible to script kiddies.'
Goolag Scan runs with Windows, has a good graphical interface along with a library of about 1,500 carefully crafted searches that can reveal sensitive information about or from queried Web sites. The tool is neutral; it can be used for penetration-testing by administrators and application owners to identify weaknesses or by hackers to find vulnerabilities to exploit.
'Tools like this scanner are a wake-up call for application owners,' Shulman said. 'And that is a good thing. The issue of data leakage into search engines is a big issue.'
The Cult of the Dead Cow has said much of its research in this area has been against government servers where it has been able to turn up sensitive information that has been unwittingly exposed.
"With a lot of script kiddies having this tool, I think the government can expect a rough period of headlines,' Shulman said.
The practice of using search engines to find sensitive information has been around for years. Johnny Long, a security researcher and penetration tester for Computer Sciences Corp. in El Segundo, Calif., wrote the book on the subject, 'Google Hacking for Penetration Testers,' in 2005. Government became acutely aware of the practice in the wake of the terrorist attacks in 2001, Long said. It is one of the reasons agencies began scrubbing Web sites of sensitive data following the attacks.
The primary difference between Google hacking and doing a Google search is the frame of mind because the search engine is being used as intended. It's all a matter of what queries are used and how the resulting hits are used.
For example, a Google hacker might ignore the content of the links returned in a search and focus instead on the names of the servers that responded. Or, through a properly constructed query, access a list of Social Security numbers along with the names and addresses of their holders.
Long compiled a catalog of more than 1,300 such queries that are used by legitimate developers of penetration-testing tools. Queries can return hits containing:
- Login pages for a variety of services and servers.
- Security logs from firewalls, honeypots and intrusion detection and prevention systems that can reveal a wealth of details on vulnerabilities.
- Lists of networked devices such as printers and cameras.
- Servers operating with default configurations, which could include default passwords.
NEXT STORY: Interior to integrate geospatial resources