Google Hacking for Penetration Testers

Over the last few years, Syngress has published many best-selling and
critically acclaimed books, including Tom Shinder's Configuring ISA
Server 2000, Brian Caswell and Jay Beale's Snort 2.0 Intrusion
Detection, and Angela Orebaugh and Gilbert Ramirez's Ethereal
Packet Sniffing. One of the reasons for the success of these books has
been our unique members-only program. Through its Web site,
we've been able to provide readers a real-time extension to the
printed book.
As a registered owner of this book, you will qualify for free access to
our members-only program. Once you have
registered, you will enjoy several benefits, including:

Four downloadable e-booklets on topics related to the book.
Each booklet is approximately 20-30 pages in Adobe PDF
format. They have been selected by our editors from other
best-selling Syngress books as providing topic coverage that
is directly related to the coverage in this book.

A comprehensive FAQ page that consolidates all of the key
points of this book into an easy to search web page, providing
you with the concise, easy to access data you need to perform
your job.

A "From the Author" Forum that allows the authors of this
book to post timely updates, links to related sites, or additional
topic coverage that may have been requested by readers.
Just visit us at www.syngress.com/solutions and follow the simple
registration process. You will need to have this book with you when

Inc. Brands and product names mentioned in this book are trademarks or service marks of their
respective companies.
KEY SERIAL NUMBER
001 HJIRTCV764
002 PO9873D5FG
003 829KM8NJH2
004 FGDD458876
005 CVPLQ6WQ23
006 VBP965T5T5
007 HJJJ863WD3E
008 2987GVTWMK
009 629MP5SDJT
010 IMWQ295T6T
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370
Google Hacking for Penetration Testers
Copyright © 2005 by Syngress Publishing, Inc. All rights reserved. Printed in the United States
of America. Except as permitted under the Copyright Act of 1976, no part of this publication
may be reproduced or distributed in any form or by any means, or stored in a database or
retrieval system, without the prior written permission of the publisher, with the exception that
the program listings may be entered, stored, and executed in a computer system, but they may
not be reproduced for publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-931836-36-1
Publisher: Andrew Williams
Acquisitions Editor: Jaime Quigley
Technical Editor: Alrik "Murf" van Eijkelenborg
Page Layout and Art: Patricia Lupien
Copy Editor: Darlene Bordwell
Indexer: J. Edmund Rush

and the Cook Islands.
Winston Lim of Global Publishing for his help and support with distribution of Syngress
books in the Philippines.
A special thanks to Tim MacLellan and Darci Miller for their eternal patience and
expertise.
315_PTG_FM.qxd 11/22/04 6:50 PM Page v
Author
Johnny Long has spoken on network security and Google hacking
at several computer security conferences around the world including
SANS, Defcon, and the Black Hat Briefings. During his recent
career with Computer Sciences Corporation (CSC), a leading global
IT services company, he has performed active network and physical
security assessments for hundreds of government and commercial
clients. His website, currently the Internet’s largest repository of
Google hacking techniques, can be found at ck-
stuff.com.
Alrik "Murf" van Eijkelenborg is a systems engineer for MBH
Automatisering. MBH provides web applications, hardware, hosting,
network, firewall, and VPN solutions. His specialties include tech-
nical support and consulting on Linux, Novell and Windows net-
works. His background includes positions as a network
administrator for Multihouse, NTNT, K+V Van Alphen,
Oranjewoud and Intersafe Holding. Alrik holds a bachelor’s degree
from the Business School of Economics (HES) in Rotterdam, The
Netherlands. He is one of the main moderators for the Google
Hacking Forums and a key contributor to the Google Hacking
Database (GHDB).
Technical Editor

nents, Win32 application assessments, and reviews on commercial-
grade cryptography implementations.
Contributing Authors
Foster is a seasoned speaker and has presented throughout North
America at conferences, technology forums, security summits, and
research symposiums with highlights at the Microsoft Security
Summit, Black Hat USA, Black Hat Windows, MIT Wireless
Research Forum, SANS, MilCon, TechGov, InfoSec World 2001,
and the Thomson Security Conference. He also is commonly asked
to comment on pertinent security issues and has been cited in
USAToday, Information Security Magazine, Baseline, Computer World,
Secure Computing, and the MIT Technologist. Foster holds an A.S.,
B.S., MBA and numerous technology and management certifications
and has attended or conducted research at the Yale School of
Business, Harvard University, the University of Maryland, and is cur-
rently a Fellow at University of Pennsylvania’s Wharton School of
Business. Foster is also a well published author with multiple com-
mercial and educational papers; and has authored, contributed, or
edited for major publications including Snort 2.1 Intrusion Detection
(Syngress Publishing, ISBN: 1-931836-04-3); Hacking Exposed,
Fourth Edition, Anti-Hacker Toolkit, Second Edition; Advanced Intrusion
Detection; Hacking the Code: ASP.NET Web Application Security
(Syngress, ISBN: 1-932266-65-8); Anti-Spam Toolkit; and Google
Hacking for Penetration Testers (Syngress, ISBN: 1-931836-36-1).
Matt Fisher is a Senior Security Engineer for SPI Dynamics,
which specializes in automated web application security assessments
products for the entire software development lifecycle. As an engi-
neer at SPI Dynamics, he has performed hundreds of web applica-

the business of security and security testing to companies of all sizes
in an effort to raise the bar on security practice as well as to stay
current in the security industry.
I'm Johnny. I hack stuff.
Have you ever had a hobby that changed your life? I have a tendency to get
hyper-focused on my hobbies, but this “Google Hacking thing”, although it’s
labeled me “That Google Guy” has been a real blessing for me. I’ve been pub-
lished in the papers, written about, and linked more times than I can count. I’m
now invited to speak at the conferences I once attended in awe. I’ve been to
Japan and back, and now, much to my disbelief, written a large portion of the
book you hold now. I’ve met many, many amazing people and I’ve made some
close friends despite the fact that I’ve never actually “met” most of them. I’ve
been given amazing opportunities, and there’s no apparent end in sight. I owe
many people a huge debt of thanks, but it’s “printing day” for this book, and
I’m left with a few short minutes to express my gratitude. It’s simply not
enough, and to all those I've forgotten, I'm sorry. You know you helped, so
thanks. = /
First and foremost, thanks to God for the many blessings in my life. Christ for
the Living example, and the Spirit of God that encourages me to live each day
with real purpose. Thanks to my wife and three wonderful children. Words can't
express how much you mean to me. Thanks for putting up with the "real"
j0hnny.
Thanks to Mom and Dad for letting me stay up all hours as I fed my digital
addiction.
Thanks to the book team, Alrik “Murf” van Eijkelenborg, James Foster, Steve,
Matt, Pete and Roelof. Mr. Cooper, Mrs. Elliott, Athy C, Vince Ritts, Jim
Chapple, Topher H, Mike Schiffman, Dominique Brezinski and
rain.forest.puppy all stopped what they were doing to help shape my future. I

all keep me humble! Thanks to Andrew and Jaime. You guys rule!
Thanks to Apple Computer, Inc for making an awesome laptop (and OS).
Despite being bounced down my driveway due to a heartbreaking bag failure a
month after I bought it, my 12” G4 PowerBook wasn’t affected in the slightest.
That same laptop was used to layout, author and proof more than 10 chapters
of this book, maintain and create my website, and present to the masses at all
the conferences. No ordinary laptop could have done all that. I only wish it
wasn't so ugly and dented.
—Johnny Long
November 22, 2004
Contents
Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xxiii
Chapter 1 Google Searching Basics . . . . . . . . . . . . . . .1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
Exploring Google’s Web-Based Interface . . . . . . . . . . . . . . .2
Google’s Web Search Page . . . . . . . . . . . . . . . . . . . . . .2
Google Web Results Page . . . . . . . . . . . . . . . . . . . . . .5
Google Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
Google Image Search . . . . . . . . . . . . . . . . . . . . . . . . .8
Google Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . .9
Language Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
Building Google Queries . . . . . . . . . . . . . . . . . . . . . . . .14
The Golden Rules of Google Searching . . . . . . . . . . .14
Basic Searching . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Using Boolean Operators and Special Characters . . . . .18
Search Reduction . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Working With Google URLs . . . . . . . . . . . . . . . . . . . . . .24
URL Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
Special Characters . . . . . . . . . . . . . . . . . . . . . . . . . . .26

Stocks: Search for Stock Information . . . . . . . . . . . . . .71
Define: Show the Definition of a term . . . . . . . . . . . . .72
Phonebook: Search Phone Listings . . . . . . . . . . . . . . .72
Colliding Operators and Bad Search-Fu . . . . . . . . . . . . . .75
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . .80
Links to Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .85
Chapter 3 Google Hacking Basics . . . . . . . . . . . . . . .87
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88
Anonymity with Caches . . . . . . . . . . . . . . . . . . . . . . . . .88
Using Google as a Proxy Server . . . . . . . . . . . . . . . . .95
Directory Listings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
Locating Directory Listings . . . . . . . . . . . . . . . . . . . .100
Finding Specific Directories . . . . . . . . . . . . . . . . . . .101
Finding Specific Files . . . . . . . . . . . . . . . . . . . . . . . .102
Server Versioning . . . . . . . . . . . . . . . . . . . . . . . . . .103
Going Out on a Limb:Traversal Techniques . . . . . . . . . . .108
Directory Traversal . . . . . . . . . . . . . . . . . . . . . . . . . .109
Incremental Substitution . . . . . . . . . . . . . . . . . . . . .110
Extension Walking . . . . . . . . . . . . . . . . . . . . . . . . . .111
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .115
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . .115
Links to Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .118
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . .118
Chapter 4 Preassessment . . . . . . . . . . . . . . . . . . . . .121
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .122
The Birds and the Bees . . . . . . . . . . . . . . . . . . . . . . . . .122

Mapping Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . .154
Domain Determination . . . . . . . . . . . . . . . . . . . . . .154
Site Crawling . . . . . . . . . . . . . . . . . . . . . . . . . . . . .155
Page Scraping Domain Names . . . . . . . . . . . . . . .156
API Approach . . . . . . . . . . . . . . . . . . . . . . . . . . .158
Link Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . .159
Group Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
Non-Google Web Utilities . . . . . . . . . . . . . . . . . . . .166
Targeting Web-Enabled Network Devices . . . . . . . . . . . .171
Locating Various Network Reports . . . . . . . . . . . . . . . . .173
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .176
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . .176
Links to Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .177
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . .178
Chapter 6 Locating Exploits and Finding Targets . . .181
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .182
Locating Exploit Code . . . . . . . . . . . . . . . . . . . . . . . . .182
Locating Public Exploit Sites . . . . . . . . . . . . . . . . . .182
Locating Exploits Via Common Code Strings . . . . . . . . .184
Locating Vulnerable Targets . . . . . . . . . . . . . . . . . . . . . .186
Locating Targets Via Demonstration Pages . . . . . . . . .187
Locating Targets Via Source Code . . . . . . . . . . . . . . .189
Locating Targets Via CGI Scanning . . . . . . . . . . . . . .197
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .200
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . .200
Links to Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .201
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . .201
Chapter 7 Ten Simple Security Searches That Work . .203
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .204
site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .204

Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . .261
Chapter 9 Usernames, Passwords, and Secret Stuff,
Oh My! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .263
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .264
Searching for Usernames . . . . . . . . . . . . . . . . . . . . . . . .264
Searching for Passwords . . . . . . . . . . . . . . . . . . . . . . . . .270
Searching for Credit Card Numbers, Social Security
Numbers, and More . . . . . . . . . . . . . . . . . . . . . . . . . .276
Social Security Numbers . . . . . . . . . . . . . . . . . . . . .279
Personal Financial Data . . . . . . . . . . . . . . . . . . . . . .279
Searching for Other Juicy Info . . . . . . . . . . . . . . . . . . . .280
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .285
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . .285
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . .287
Chapter 10 Document Grinding and Database
Digging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .289
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .290
Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . .291
Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .297
Office Documents . . . . . . . . . . . . . . . . . . . . . . . . . .299
Database Digging . . . . . . . . . . . . . . . . . . . . . . . . . . . . .301
Login Portals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .302
Support Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . .304
Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . .306
Database Dumps . . . . . . . . . . . . . . . . . . . . . . . . . . .309
Actual Database Files . . . . . . . . . . . . . . . . . . . . . . . .310
Automated Grinding . . . . . . . . . . . . . . . . . . . . . . . . . . .312
Google Desktop Search . . . . . . . . . . . . . . . . . . . . . . . . .316

Getting Help from Google . . . . . . . . . . . . . . . . . . . . . . .354
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .358
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . .358
Links to Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .359
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . .360
Chapter 12 Automating Google Searches . . . . . . . .363
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .364
Understanding Google Search Criteria . . . . . . . . . . . . . .365
Analyzing the Business Requirements for Black
Hat Auto-Googling . . . . . . . . . . . . . . . . . . . . . . .368
Google Terms and Conditions . . . . . . . . . . . . . . . . . .368
Understanding the Google API . . . . . . . . . . . . . . . . . . .369
Understanding a Google Search Request . . . . . . . . . .371
Auto-Googling the Google Way . . . . . . . . . . . . . . . .375
Google API Search Requests . . . . . . . . . . . . . . . .375
Reading Google API Results Responses . . . . . . . .376
Sample API Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . .377
Source Documentation . . . . . . . . . . . . . . . . . . . .381
Understanding Google Attack Libraries . . . . . . . . . . . . . .384
Pseudocoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . .385
Perl Implementation . . . . . . . . . . . . . . . . . . . . . . . .386
Source Documentation . . . . . . . . . . . . . . . . . . . .389
Python Implementation . . . . . . . . . . . . . . . . . . . . . .390
Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .391
Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .392
Source Documentation . . . . . . . . . . . . . . . . . . . .392
C# Implementation (.NET) . . . . . . . . . . . . . . . . . . .393
Source Documentation . . . . . . . . . . . . . . . . . . . .396

Web Traffic Reports . . . . . . . . . . . . . . . . . . . . . .447
HTML Comments . . . . . . . . . . . . . . . . . . . . . . . . .447
Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . .448
Sample Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .449
Bad Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . .449
System Documentation . . . . . . . . . . . . . . . . . . . . . .452
Hidden Form Fields, JavaScript, and Other
Client-Side Issues . . . . . . . . . . . . . . . . . . . . . .453
Playing with Packets . . . . . . . . . . . . . . . . . . . . . . . . . . .453
Viewing and Manipulating Packets . . . . . . . . . . . . . .456
Code Vulnerabilities in Web Applications . . . . . . . . . . . . .459
Client-Side Attacks . . . . . . . . . . . . . . . . . . . . . . . . .459
Escaping from Literal Expressions . . . . . . . . . . . . .463
Session Hijacking . . . . . . . . . . . . . . . . . . . . . . . . . .468
Command Execution: SQL Injection . . . . . . . . . . . . .471
Enumerating Databases . . . . . . . . . . . . . . . . . . . . . .475
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .478
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .478
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . .479
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . .482
Appendix C Google Hacking Database
A number of extended tables and additional penetration testing
tools are accessible from the Syngress Solutions Site
(www.syngress.com/solutions).
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .485
Have you ever seen the movie, The Matrix? If you haven’t, I strongly recom-

In fact, even outside the realm of information security, I personally believe
that solid Google skills are some of the most important professional capabilities
you can have over the next five to 10 years. Are you a professional penetration
tester? Puzzled parent? Political partisan? Pious proselyte? Whatever your walk
is in life, if you go to Google and ask the right questions using the techniques
from this book, you will be more thoroughly armed with the information that
you need to live successfully.
What’s more, Johnny has written this book so that you can learn to ask
Google for the really juicy stuff–secrets about the security vulnerabilities of
Web sites. Using the time-tested advice on these pages, you’ll be able to find
and fix potentially massive problems before the bad guys show up and give you
a very bad day. I’ve been doing penetration testing for a decade, and have con-
sistently been astounded by the usefulness of Web site searches in our craft.
When Johnny originally started his Web site, inventorying several ultra-pow-
erful search strategies a few years back, I became hooked on his stuff. In this
book, he’s now gathered his best tricks, added a plethora of new ideas, and
wrapped this information in a comprehensive methodology for penetration
testing and ethical hacking.
If you think, "Oh, that Google search stuff isn't very useful in a real-world
penetration test… that’s just playing around,” then you have no idea what you
are talking about. Whenever we conduct a detailed penetration test, we try to
schedule at least one or two days for a very thorough investigation to get a feel
for our target before firing a single packet from a scanner. If we can get even
more time from the client, we perform a much deeper investigation, starting
with a thorough interrogation of our favorite recon tool, Google. With a good
investigation, using the techniques Johnny so masterfully shares in this book,
our penetration-testing regimen really gets off on the right foot.
I especially like Johnny’s clear-cut, no-bones-about-it style in explaining
exactly what each search means and how you can maximize the value of your
results. The summary and FAQs at the end of each chapter help novices and

