Dangerous Google – Searching for Secrets
Michał Piotrowski
This article has been published in issue 4/2005 of the hakin9 magazine.
All rights reserved. This file may be distributed for free pending no changes are made to its contents or form.
hakin9 magazine, Wydawnictwo Software, ul. Lewartowskiego 6, 00-190 Warszawa,
www.hakin9.org
hakin9 4/2005
Basics
Google serves some 80 percent of all search queries on the Internet, making it by far the most popular search engine. Its popularity is due not only to excellent search effectiveness, but also extensive querying capabilities. However, we should also remember that the Internet is a highly dynamic medium, so the results presented by Google are not always up-to-date – some search results might be stale, while other relevant resources might not yet have been visited by Googlebot (the automatic script that browses and indexes Web resources for Google).

Table 1 presents a summary of the most important and most useful query operators along with their descriptions, while Figure 1 shows document locations referred to by the operators when applied to Web searches. Of course, this is just a handful of examples – skil-

tems and Web services,
• how to locate publicly available network devices using Google.

What You Should Know...
• how to use a Web browser,
• basic rules of operation of the HTTP protocol.
Table 1. Google query operators

site
    restricts results to sites within the specified domain
    Sample query: site:google.com fox will find all sites containing the word fox, located within the *.google.com domain

intitle
    restricts results to documents whose title contains the specified phrase
    Sample query: intitle:fox fire will find all sites with the word fox in the title and fire in the text

allintitle
    restricts results to documents whose title contains all the specified phrases
    Sample query: allintitle:fox fire will find all sites with the words fox

    ... from 1 to 100 and the word fire. The same result can be achieved with 1..100 fire

link
    restricts results to sites containing links to the specified location
    Sample query: link:www.google.com will return documents containing one or more links to www.google.com

inanchor
    restricts results to sites containing links with the specified phrase in their descriptions
    Sample query: inanchor:fire will return documents with links whose description contains the word fire (that's the actual link text, not the URL indicated by the link)

allintext
    restricts results to documents containing the specified phrase in the text, but not in the title, link descriptions or URLs
    Sample query: allintext:"fire fox" will return documents which contain the phrase fire fox in their text only

+
    specifies that a phrase should occur frequently in results
    Sample query: +fire will order results by the number of occurrences of

The right query can yield some quite remarkable results. Let's start with something simple.

Suppose that a vulnerability is discovered in a popular application – let's say it's the Microsoft IIS server version 5.0 – and a hypothetical attacker decides to find a few computers running this software in order to attack them. He could of course use a scanner of some description, but he prefers Google, so he just enters the query "Microsoft-IIS/5.0 Server at" intitle:index.of and obtains links to the servers he needs (or, more specifically, links to autogenerated directory listings for those servers). This works because in its standard configuration, IIS (just like many other server applications) adds banners containing its name and version to some dynamically generated pages (Figure 2 shows this query in action).

It's a typical example of information which seems quite harm-

ager and Advanced Guestbook.

The first is a web-based file manager for uploading, browsing, managing and modifying files on a server. Unfortunately, WebJeff Filemanager version 1.6 contains a bug which makes it possible to download any file on the server, as long as it's accessible to the user running the HTTP daemon. In other words, specifying a page such as /index.php3?action=telecharger&fichier=/etc/passwd in a vulnerable system will let any intruder download the /etc/passwd file (see Figure 3). The aggressor will of course locate vulnerable installations by querying Google for "WebJeff-Filemanager 1.6" Login.

Our other target – Advanced Guestbook – is a PHP application
Figure 1. The use of search query operators illustrated using the hakin9 website
Figure 2. Locating IIS 5.0 servers using the intitle operator

To prevent such security leaks, administrators should track current information on all the applications used by their systems and immediately patch any vulnerabilities. Another thing to bear in mind is that it's well worth removing application banners, names and versions from any pages or files that might contain them.
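To make the banner-removal advice concrete, the following Apache httpd configuration is an added example (not from the article) that contrasts default-style settings, which produce the "Server at" footer and "Index of" listings the queries above key on, with the hardened settings. It assumes Apache 2.4 with mod_autoindex loaded; the DocumentRoot and error-page paths are placeholders.

```apache
# Added example, not from the hakin9 article. Assumes Apache 2.4;
# the directory and error-page paths are placeholders.

# --- Exposed (default-like) settings, shown commented out ----------
# ServerSignature On appends a footer such as
#   "Apache/2.0.52 (Unix) Server at www.example.com Port 80"
# to every server-generated page (directory listings, error pages).
# That footer is the exact phrase matched by
#   "Apache/2.0 Server at" intitle:index.of
# and Options Indexes produces the "Index of /" listings that
# intitle:index.of locates.
#ServerSignature On
#ServerTokens Full
#<Directory "/var/www/html">
#    Options Indexes FollowSymLinks
#</Directory>

# --- Hardened settings ---------------------------------------------
# No footer on generated pages, so the product name and version never
# appear in page text that Googlebot can index.
ServerSignature Off

# Reduce the Server response header to "Server: Apache" (the header
# itself cannot be removed by this directive, only shortened).
ServerTokens Prod

# Disable automatic directory listings. A request for a directory with
# no index file now returns 403 instead of a generated file list.
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Serve site-specific error pages instead of the stock Apache pages,
# whose markup and wording also identify the server software.
ErrorDocument 403 /errors/403.html
ErrorDocument 404 /errors/404.html
```

After reloading httpd, a request for a directory without an index file should return 403 with no "Server at" line, and the Server response header should read only "Apache".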
Information about Networks and Systems

Practically all attacks on IT systems require preparatory target reconnaissance, usually involving scanning computers in an attempt
Table 2. Google queries for locating various Web servers

Query                                                       Server
"Apache/1.3.28 Server at" intitle:index.of                  Apache 1.3.28
"Apache/2.0 Server at" intitle:index.of                     Apache 2.0
"Apache/* Server at" intitle:index.of                       any version of Apache
"Microsoft-IIS/4.0 Server at" intitle:index.of              Microsoft Internet Information Services 4.0
"Microsoft-IIS/5.0 Server at" intitle:index.of              Microsoft Internet Information Services 5.0
"Microsoft-IIS/6.0 Server at" intitle:index.of              Microsoft Internet Information Services 6.0
(query missing in this copy)                                Apache on Fedora
intitle:"Welcome to Your New Home Page!" Debian             Apache on Debian
intitle:"Welcome to IIS 4.0!"                               IIS 4.0
intitle:"Welcome to Windows 2000 Internet Services"         IIS 5.0
intitle:"Welcome to Windows XP Server Internet Services"    IIS 6.0