The last day of class we discussed a type of hacking called "Google hacking". A definition from Wikipedia defines Google Hacking as "refers to the art of creating complex search engine queries in order to filter through large amounts of search results for information related to computer security." The full article can be found here:
<http://en.wikipedia.org/wiki
The idea if Google hacking is that since Google does its best to find and index everything that is available on the Internet, use Google to find password and other sensitive data. From the results seen in class, with the proper technique, Google hacking can be very effective. The professor recommended a website: www.Johnny.ihackstuff.com <http://www.Johnny.ihackstuff
One technique that was demonstrated in class was to search for online web cameras. The search command in Google is: "Active Web Page" inurl:8080. This command will bring up a list of active web cameras and allow a random person to view various places using other people web cameras. A live demonstration of being able to use and see a random person's web camera on the Internet was very inspiring.
I have decided to test some additional commands from the Johnny.ihackstuff.com website. The command that I used this time was !Host=*.* intext:enc_UserPassword=* ext:pcf . This command lists tries to go out and get VPN passwords. With this command I managed to find some group passwords. One example that I found was this. The Penn State Group name is "pennstate" and the group password happens to also be "pennstate". Another example that I found using this command provided the password of "sushisushi". I thought that one was hilarious.
Another command that I tried was filetype:log inurl:"password.log". This search returned 18 results and the content of these files to unbelievable. These files contained the names and passwords of multiple users. But, as with anything, how useful is the information. When I started trying to use these usernames and passwords, none of them seemed to work. Additionally, then I tried to do the same for the VPN connections, none of them worked either. So, although Google might be the best at finding and indexing these files sometimes they aren’t worth very much. And if you’re looking for to hack something specific, it will be much harder to do with Google.
No comments:
Post a Comment