Hugging the Web (Part 3: The Google Bloodhound)
Hello, my web huggers! In today's tutorial we will learn how to use the Google Hacking Database (GHDB) developed by Exploit Database, to find vulnerable web servers and "juicy" information.
In today's modern age, it is important for the hacker to be able to dig up and find intelligence. Using the most popular search engine in the world as of 2015, the average hacker's job becomes easier. Not just easier, but very efficient.
Our friends over at Exploit Database have developed a library of "Google Dorks" that will pull up information on the spot. They are all user submitted, and frequently patched by companies all over the web, so it is important we know how to use this tool correctly. That is why today I present: The Google Bloodhound
First let's open up this library that is google hacking database and check out the layout.
As you can see, this is a very easy layout to use. If we click on the categories tab, we can see that we have plenty of options to choose from.
Take Note: You will often find google dorks that simply do not work. These are all user submitted, so this is normal.
For the sake of simplicity I chose "File containing passwords" to prove how easy it is to gain access to an unauthorized account. I also did not want to search for a specific key phrase in the search box so instead I didn't type anything in, and hit enter.
Ah, yes! I finally found a dork that is perfect for this tutorial.
Here is the one I will be using:
From the looks of this dork, we already know a couple of things.
- We know that it will pull results from pastebin.com, a popular website known to hold the world's most notorious pastes.
- We know that it will search for the keyword, "Username"
As you can see, we are bombarded with results. 69,000 to be exact.
Upon clicking a "juicy" link, we are bombarded with even more usernames and passwords.
I have of course, edited out the actual passwords, but it is still surprising to see how many people are at risk. This is one link out of 69,000.
You, dear hacker, have found ways to creep in the dark corners of the internet through nothing but a google search. The moral of the story is not to actually be a creepy stalker, but to protect yourself.
Change passwords frequently.
Make sure you check to see if you have been "pwnd" at a very helpful website, http://www.haveibeenpwnd.com.
I hope you have enjoyed this tutorial, and please leave any questions or concerns in the comments.