Find Vulnerable Services Hidden Info Using Google Dorks Tutorial

Google Dorking is the technique that hackers can use to find information that might have been accidentally exposed to the Internet today we'll check out some advanced googling techniques on this episode of cyber weapons lab [Music] [Applause] [Music] when most people think about finding vulnerable devices on the internet they may think about showed an now show dan is famous for finding all kinds of things that might have been accidentally connected to the Internet and leaking too much information but it turns out we don't actually need to use showdown in order to do this we can just use Google Dorking instead now Google Dorking uses some of Google's innate abilities to locate various things that we can find via specific search strings and this can be log files air files things like webcams that are exposed directly to the internet and even administration panels that allowed us to get into a device that doesn't require a password now this is a great way to use a simple browser and a Google search to find devices that are vulnerable and we'll go through a couple different google dorks today that can lead us to all sorts of different things that might be kind of surprising now one thing I need to point out is that although this is a powerful technique we need to make sure that we're not logging into anything that requires a password even if that password is shown in plain text because that's a line at which it becomes illegal access to a device that we don't have permission to use if you have any problems doing this you can check out the null-void article link in the description for troubleshooting and other general advice once you have a web browser connected to the Internet then you're ready to go now this might not be the page you think of when you think of hacking but what if I told you you could probably get the login and password to a server on the internet using just a Google search in a matter of seconds well that is using dorking and we're going to get into what that is today because it's kind of related to what we've already covered about using search operators but instead the goal is to use those search operators to go after a specific type of target now we cover things that are useful like removing search results and looking for specific file types but if we really want to go crazy we need to actually target specific things that we know are vulnerable and can be used to dig deeper into a system now these are going to be things like accidentally exposed logs which might include attempts to log in and that failed this could reveal usernames and passwords we can see configuration files that show us all sorts of details that aren't supposed to be made public so let's get into this by exploring some of the most basic ones first and most basic let's say we just want to see an older version of a website this simple operator you might be familiar with and is just cached and then whichever site you want let's do no bite and we'll see previous older versions of the no bite site great sort of useful but what can we really get going well okay let's step it up and start looking for log files rather than just files that might have been deleted or taken off the internet we can go ahead and type all in text and username and then file type log and a colon now this combination will actually go hon that's my article now this combination will actually go ahead and search for any log type files which contain the username string and that could be a problem depending on whether or not this log file is exposing other credentials now let's go ahead and jump in and see what one of them looks like so we can see this is a one that doesn't actually contain anything interesting but if we combine that with a limiter for the last year we can actually begin to search through this log file for juicy things like passwords or anything else that might pique our interest now by digging around I can virtually guarantee we're going to find some sort of username or password because that's just kind of the nature of these exposed logs and this is also a really good way to find usernames which trust me will greatly narrow down the number of passwords you have to spray at a target if you are doing a brute-force attack that's because typically these sorts of logins could have basically any user name associated so you would need to go through a complete list of every possible username and every possible password that you want to actually attempt to brute-force the system with which can lead up to a whole bunch of results so you can dramatically cut that down by locating usernames for various systems and then just kind of hanging out and looking for there we go web dead passwords so this word of information can be really really helpful you might need to dig around and attempt to find this but you will generally be able to find usernames and passwords in these sorts of files okay so what else can we find well let's go ahead and try another one which is in URL slash PR OC slash self slash CWD now if you want to find FTP servers we can type in in URL I'm sorry in title index of and then in URL FTP now what this should do is index any index pages that are associated with the FTP server and here we can see that we might be able to download files or find some internal directories on the server which could be useful if we need to know about the manual for a why am i downloading a PDF for Oh bigger two nine five zero when and especially useful if we want it to be completely in Chinese all right so moving on from there of course we can do things that kind of are associated with services like shodhan like find webcams via the specific string that they will expose to Google if they're accidentally put just facing the internet with no sorts of restrictions at all now an example might be for a webcam in title webcam xp5 so this is the type of webcam which when exposed we should be able to just click on I actually haven't seen the mobile version that's not gonna work as a man installing flash on the sketchy thing but let's see if we can find something how about this where are we what do we see there we go we got some beautiful boats bobbing in the water somewhere where it is day I have no idea whoa what is this something's happening oh my god this camera wheels around whoa okay we've got a lot of contacts close I don't know what's happening this place is crazy they've got flying bushes they got boats they got everything so we're gonna get out of here cuz it what's moving again okay I don't know if they know that we're in but we're getting out all right a truly showed and like experience so aside from locating cameras some of which are whipping around we can also locate some sensitive things in the data pieces that actually contain passwords using a dork that was written by a friend of mine named Sven so this is just DB underscore password and then file type env now as you can instantly see that from the preview we have successfully found the username and password to a whole bunch of databases so this is exactly what we're looking for let's say if we wanted to just harvest who cars 1 2 3 exclamation point house secured oh and it's for a SeaWorld see that never as hard as you think so this could be let's say if you wanted to be someone who's putting together a word list of common passwords that are just exposed to the Internet this is how password lists surveyed these dorks are extremely powerful I feel like I say that a lot and are able to bring you the passwords for a variety of services that might currently be up and running so I'm gonna try in the past year and oh god that's a lot still of just things we could probably log into which you absolutely should not do because you don't have permission but hey look at this secure password they really took their security sir seriously bye exposing this directly to the Internet all right so that is a brief overview of cameras I also wanted to show you a couple oh sorry a brief overview of the various works you can run in order to get passwords I wanted to show you a couple others that I found that are really interesting so this one is for websites that are hosted on github or are using git repository you can go ahead and get into some of the code that you're not supposed to and start looking for things that might be able to get you deeper in the system this is one that exposes PHP variables which could allow us to get into again more information that we might not suppose to be able to access that is accidentally exposed that's kind of a theme here accidentally accidentally exposed files that lead us to be able to divulge more than we're supposed to I'm getting out of here here we can see that there is a let's see some more Apache server configuration files which could lead us into all sorts of interesting stuff I'm Chi saw a password variable there and this is my favorite this is for people who accidentally leave Nessus network scan reports on the internet so it's an in title we're looking for report and then the name of one of these various scanners Nessus is a great vulnerability scanner so then we're filtering by oops here we go we're filtering my file type PDF so if we go ahead and let's see if I can just filter by semi recent payment card industry report like some bank penetration testing report for bitcoin exchange company wonderful someone did our work for us so somebody already knocked on the doors to this cyber security company and gave it a D oh well that's terrible well let's find out why I don't care but if I was an attacker I would probably want to see this pie chart that tells me where this company sucks at security that's pretty helpful if I'm planning an attack because it means that somebody has already got in there and I I'm I'm not gonna say too much about the way companies typically respond to penetration testing reports but let's just say that they don't always do what they're supposed to do so here I can see that this wonderful business of tamp demo account okay well maybe not this one is vulnerable or not vulnerable in a couple specific ways but being able to look up log files that are just exposed to give people an idea of where company is weak is a great way to let everybody who wants to break in your company know how you failed your last security audit with the right Google dorks search terms you can find log files and configuration files directly exposed to the internet that dump plaintext passwords to massive databases this and other things might be tempting to log into but in general you should be aware that the limit is if you find something on the internet and it doesn't require a password to log in you're fine but even if you find plaintext passwords to a server or something like that resist the temptation to log in because that is the limit at which you do not have permission to join and thus you're actually possibly committing a crime depending on where you live now it's important to keep that in mind because do Google dorking turns up all sorts of interesting things so along your travels make sure that you do connect to webcams that allow you to without a password but do not that use perhaps a default password that is easy to guess if you have any trouble with this and you need some more instructions or some troubleshooting you can also check out the null byte article linked in the description that's all we have for this episode of cyberweapons lab make sure to LIKE comment and subscribe and if you have any ideas for future episodes send me a message on Twitter because I'd love to hear from you we'll see you next time