What do the search for old car parts and cyber reconnaissance have in common? Google dorking. Before you click away to watch life hack videos, let me explain.
I have been using Google search, Google Cache, and the Internet Archive for years to help me find parts and information to support my classic car habit. It just so happens that many of the techniques I use are extremely effective for doing reconnaissance on your enterprise. What's more, they are free and, while not well known by most, they are certainly used by attackers. Since I began this post talking about car parts, you have probably guessed that I own a couple of classic cars. Anyone who has ever owned one knows that you spend as much time hunting for parts and making repairs as you do driving. (Sure, replica parts are easier to find, but they are not always available and are often outrageously expensive. Besides, I would miss out on the thrill of the hunt.) Google dorking is what lets me spend a little more time driving, just as it could give bad actors a little more time, and a lot more information, to attack your network.
Basically, Google dorking is the use of Google's advanced search operators to ferret out information, and expose weaknesses, that a typical keyword search would never surface.
Google supports a handful of basic search operators. Many people know the Boolean operators (AND, OR, -) and the quotation-mark operator for an exact phrase, but there are several more that are quite interesting to use. Take the site: operator. If you start your Google query with site:www.yourenterprise.com, Google returns only results from pages hosted at www.yourenterprise.com. Very handy. You can pull everything you might want to know about a specific site without wading through all the unrelated results. For instance, I use this operator to extract every post about a specific car part from an entire forum.
The more search terms you add, the fewer results come back from that site. Let me show you how I use that to my advantage. Say I search every Craigslist site across the country with the following query: site:*.craigslist.org "post id:" Datsun 14" rims. Evidently, I am looking for Datsun 14" rims. The phrase "post id:" appears on every individual Craigslist listing page, so including it returns only pages where someone is actually selling something rather than the index pages of each regional Craigslist site. As you probably guessed, the * is a wildcard and matches every Craigslist subdomain. (Strictly speaking, site:craigslist.org already matches subdomains, so the wildcard is optional, but it makes the intent obvious.) How does this affect my enterprise security?
Now that you know you don't need anything special to take advantage of Google dorking, you likely won't be surprised that the site: technique described above can be pointed at every server in yourenterprise.com to look for literally anything. Another useful query along the same lines is intitle:index.of name size, which returns auto-generated directory listings that have been left accessible on the Internet: "Index of /" is the title web servers such as Apache and nginx put on those pages, and "name" and "size" are the column headings in the listing, which is what filters out ordinary pages that merely contain the words "index of". Combining this with site:*.yourenterprise.com would list every Internet-facing directory listing on every server in the yourenterprise.com domain, with a single query.
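The sensible response to that query is to run the same check against your own hosts before someone else does. The following is an added example, not code from the original post or from CBTS: it recognises the same signal the intitle:index.of dork keys on (a title beginning "Index of /", confirmed by a parent-directory link or the Name/Size column headers) in HTML you fetch from your own servers, and reports what each exposed listing contains. The three page bodies are constructed samples in the shape Apache mod_autoindex and nginx autoindex emit, and the list of "sensitive" name patterns is an assumed starting point to extend for your environment.

```python
"""Self-audit for what `site:*.yourenterprise.com intitle:index.of name size` would find.

Added example, offline: the HTML below is constructed sample data standing in
for responses fetched from your own hosts. Feed real bodies to audit().
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from html.parser import HTMLParser

# Assumed starting list of names that should never sit in a public listing.
SENSITIVE_NAME = re.compile(
    r"(\.bak|\.old|\.sql|\.env|\.pem|\.key|\.git/?|backup|dump|config)", re.IGNORECASE
)


class _ListingParser(HTMLParser):
    """Collects the <title> text and every href on the page."""

    def __init__(self) -> None:
        super().__init__()
        self.title = ""
        self.hrefs: list[str] = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


@dataclass
class ListingReport:
    url: str
    is_listing: bool
    entries: list[str] = field(default_factory=list)   # files/dirs exposed
    sensitive: list[str] = field(default_factory=list)  # entries matching SENSITIVE_NAME


def analyse_page(url: str, html: str) -> ListingReport:
    """Decide whether `html` is an auto-generated directory index and list its contents."""
    p = _ListingParser()
    p.feed(html)
    # The title check mirrors the dork: "Index of /" with the slash, so a page
    # merely titled "Index of services" is not a hit.
    title_hit = re.match(r"\s*index of /", p.title, re.IGNORECASE) is not None
    body_hit = (
        "Parent Directory" in html          # Apache
        or '"../"' in html                  # nginx parent link
        or ("Name" in html and "Size" in html)
    )
    if not (title_hit and body_hit):
        return ListingReport(url, False)
    # Drop navigation ("../", "/") and Apache's column-sort links ("?C=N;O=D").
    entries = [h for h in p.hrefs if h not in ("../", "/") and not h.startswith("?")]
    sensitive = [e for e in entries if SENSITIVE_NAME.search(e)]
    return ListingReport(url, True, entries, sensitive)


def audit(pages: dict[str, str]) -> list[ListingReport]:
    """Return a report for every URL whose body is an exposed directory listing."""
    return [r for r in (analyse_page(u, h) for u, h in pages.items()) if r.is_listing]


# Constructed samples (not real hosts): Apache, nginx, and an ordinary page.
APACHE_LISTING = """<html><head><title>Index of /backups</title></head>
<body><h1>Index of /backups</h1><table>
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th></tr>
<tr><td><a href="/">Parent Directory</a></td><td>&nbsp;</td><td>-</td></tr>
<tr><td><a href="db-2019.sql">db-2019.sql</a></td><td>2019-03-01 10:22</td><td>48M</td></tr>
<tr><td><a href="notes.txt">notes.txt</a></td><td>2019-03-01 10:22</td><td>1.2K</td></tr>
</table></body></html>"""
NGINX_LISTING = """<html><head><title>Index of /static/</title></head>
<body><h1>Index of /static/</h1><hr><pre><a href="../">../</a>
<a href="app.js">app.js</a>      01-Jan-2020 12:00   4096
<a href="config.bak">config.bak</a>  01-Jan-2020 12:00    512
</pre><hr></body></html>"""
NORMAL_PAGE = """<html><head><title>Index of services we offer</title></head>
<body><h1>What we do</h1><p>Name and size of team.</p><a href="/about">About</a></body></html>"""
SAMPLE_PAGES = {
    "https://files.example.com/backups/": APACHE_LISTING,
    "https://cdn.example.com/static/": NGINX_LISTING,
    "https://www.example.com/": NORMAL_PAGE,
}

if __name__ == "__main__":
    for r in audit(SAMPLE_PAGES):
        print(f"{r.url}: {len(r.entries)} entries, sensitive: {r.sensitive}")
```

Point audit() at bodies fetched from every host in your external attack surface (or at the URLs Google itself returns for the dork) and fix the server configuration (Options -Indexes for Apache, autoindex off for nginx) wherever it reports a listing, starting with the ones that show sensitive entries.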
Two other tools make reconnaissance even easier. The first is Google Cache, which keeps a copy of each page as of Google's last crawl, so a page that has been taken down can remain readable from the cache for weeks or months afterwards. (Google retired its cached-page links in 2024, which leaves the second tool as the one that matters today.) The second is the archive.org Wayback Machine, which stores copies indefinitely. I mention both because companies believe that removing what they deem sensitive from their websites means it can no longer be uncovered for reconnaissance. If the information was ever publicly accessible, there is a reasonable chance it never goes away, thanks to the Wayback Machine. I use it to look up web pages from 20 years ago that detail how to modify a particular part so it can be used today. With the Wayback Machine, you can follow those orphaned links in forums that now go nowhere and read the content they pointed to 10 or 20 years ago. Similarly, bad actors can pull up old web pages that companies believed they had made inaccessible, scrape potentially sensitive information, and create problems you never anticipated.
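You can turn this around and ask the Wayback Machine which of your own pages it still holds that the live site no longer serves. The following is an added example, not code from the original post or from CBTS. It uses the public CDX API (https://web.archive.org/cdx/search/cdx, which returns a JSON array whose first row is the field header) and compares the archived paths against the paths your site serves today. The CDX response embedded below is a constructed sample in that format so the code runs offline; fetch_cdx() shows the real call, and the live path list is an assumed input you would generate from your own sitemap or crawl.

```python
"""Find URLs the Wayback Machine still holds for a domain that the live site no longer serves.

Added example. The CDX rows below are constructed sample data in the real API's
JSON shape (header row first); example.com and the paths are placeholders.
"""
from __future__ import annotations

import json
from urllib.parse import urlencode, urlsplit
from urllib.request import urlopen

CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"


def cdx_query_url(domain: str) -> str:
    """Build the CDX query: every captured URL under the domain, one row per URL, 200s only."""
    params = {
        "url": f"{domain}/*",
        "output": "json",
        "filter": "statuscode:200",
        "collapse": "urlkey",
    }
    return f"{CDX_ENDPOINT}?{urlencode(params)}"


def fetch_cdx(domain: str) -> str:
    """Network call for real use; not exercised by the offline sample below."""
    with urlopen(cdx_query_url(domain), timeout=60) as resp:
        return resp.read().decode("utf-8")


def parse_cdx(text: str) -> list[dict[str, str]]:
    """Turn the header-first JSON array into a list of dicts keyed by CDX field name."""
    rows = json.loads(text)
    if not rows:
        return []
    header, *data = rows
    return [dict(zip(header, row)) for row in data]


def _norm(path: str) -> str:
    return path.rstrip("/") or "/"


def archived_but_gone(cdx_text: str, live_paths: list[str]) -> list[dict[str, str]]:
    """Archived paths absent from `live_paths`, with a direct snapshot link for triage."""
    live = {_norm(p) for p in live_paths}
    gone = []
    for rec in parse_cdx(cdx_text):
        path = _norm(urlsplit(rec["original"]).path)
        if path not in live:
            gone.append({
                "path": path,
                "last_seen": rec["timestamp"],  # YYYYMMDDhhmmss
                "mimetype": rec["mimetype"],
                "snapshot": f"https://web.archive.org/web/{rec['timestamp']}/{rec['original']}",
            })
    return gone


# Constructed sample response (placeholder domain, fake digests).
SAMPLE_CDX = json.dumps([
    ["urlkey", "timestamp", "original", "mimetype", "statuscode", "digest", "length"],
    ["com,example)/", "20240101000000", "https://example.com/", "text/html", "200", "AAAA", "1200"],
    ["com,example)/about", "20230512090000", "https://example.com/about", "text/html", "200", "BBBB", "2300"],
    ["com,example)/internal/vpn-setup.pdf", "20150302081500",
     "https://example.com/internal/vpn-setup.pdf", "application/pdf", "200", "CCCC", "88000"],
    ["com,example)/staff-directory", "20170809101010",
     "http://example.com/staff-directory/", "text/html", "200", "DDDD", "5400"],
])

# Assumed: what the site serves today, e.g. from your sitemap or an internal crawl.
LIVE_PATHS = ["/", "/about"]

if __name__ == "__main__":
    for hit in archived_but_gone(SAMPLE_CDX, LIVE_PATHS):
        print(f"{hit['path']}  last archived {hit['last_seen']}  {hit['snapshot']}")
```

Each hit is a page you took down but an attacker can still read; review the snapshot, and if it contains something sensitive, treat the information as already disclosed (rotate credentials, retire the named systems) rather than assuming removal from your site was enough.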
In conclusion, these are by no means the only Google dorking operators or tools available for digging reconnaissance data about your organization out of Google. They do, however, show how easy it is for an outsider to learn far more about your organization than they should be able to. True, it is one more thing to learn in order to improve your security posture, but it pays to be alert to, and familiar with, what can be done with Google dorking.
If you need any help addressing questions about your enterprise security, please feel free to reach out to the CBTS Security Team.