Intruder Tools

Google Search Directives

Google is quite useful for helping you find vulnerable systems in your target environment. At this year’s BlackHat Las Vegas 2011 conference, researchers warned that “You can do a Google search with your web browser and start operating [circuit] breakers … .” Among the results was one referencing an “RTU pump status” for a remote terminal unit, like those used in water treatment plants and pipelines that appeared to be connected to the Internet. The result also included a password: 1234 .

Many Google search directives will turn up interesting intrusion information. The site: directive allows an attacker to search for pages on just a single site or domain, narrowing down and focusing the search. The link: directive shows sites that link to a given website. The intitle: directive allows you to search within title text. The inurl: directive searches for specific terms to be included in the URL of a given site. The all in the name of the directive indicates you want pages with all of the terms used in the search, such as allintext: , allintitle: , and allinurl: . For more on forming useful Google queries, see the Syngress book Google Hacking for Penetration Testers [Johnny Long, Ed Skoudis, and Alrik van Eijkelenborg, Syngress, 2005].

A very good source to find different Google search options is the GHDB (Google Hacking Database) , hosted by Hackers for Charity, a group I do volunteer work for. The GHDB site catalogs Google queries that will turn up interesting information on website vulnerabilities. Many of the searches locate insecure systems or servers that expose valuable information that can be used to launch an attack. For instance, the Vulnerable Servers page includes the following entry:

"html allowed guestbook"
When this is typed in Google, it finds
websites which have HTML-enabled
guestbooks. This is really stupid because
users could totally mess up their guestbook
by typing...

followed by a series of JavaScript and HTML statements that could potentially compromise a guestbook.

A couple of other tools that implement many of the search terms contained in the GHDB are SiteDigger, Wikto, and Gooscan. SiteDigger runs on Windows and generates its searches from a user-provided domain, as well as the contents of either the GHDB or Foundstone’s own FSDB of Google searches. SiteDigger is now maintained by McAfee. Wikto, which also runs on Windows, performs Google searches using the GHDB against one or more user-provided domains. Wikto offers several features, including a scan of the target webs servers looking for well-known vulnerable scripts. Gooscan, which runs on Linux and does not require a Google API key, formulates queries for Google’s regular human interface web page and scrapes the results it gets back. The use of Gooscan could violate Google’s terms of service.


The information in this article will be useful in preparing for your penetration test engagements. The reconnaissance phase used in many penetration tests and ethical hacking projects is used to gather information you will leverage for the remainder of the project.

Related content

comments powered by Disqus