WEBVTT

0
00:02.470 --> 00:09.190
Let’s dive deeper and see how hackers find vulnerable services, credentials or other hidden data 

1
00:09.310 --> 00:17.450
using Google dorks. This is information that has been accidentally exposed on the Internet, and most

2
00:17.450 --> 00:18.270
of the time

3
00:18.350 --> 00:22.900
it happens because of a server misconfiguration.

4
00:23.030 --> 00:29.150
Google advanced operators can be used to exploit insecure services.

5
00:29.150 --> 00:35.690
You can see a list with all Google operators here on this Wikipedia page.

6
00:35.690 --> 00:41.710
These are all the Google operators. Before continuing,

7
00:41.920 --> 00:47.950
I want to point out that you are not allowed to log into a device that requires a password,

8
00:47.950 --> 00:55.950
even if that web password is shown in clear text. That is the line where it becomes illegal to access a

9
00:55.950 --> 01:03.600
device that you don't have permission to use. All information shown in this video is for educational

10
01:03.600 --> 01:04.680
purposes only.

11
01:05.760 --> 01:13.560
Be aware that Google might start blocking your connection if you connect from a single static IP address.

12
01:13.560 --> 01:19.680
Let's get started with some examples. In the next Google dork

13
01:19.710 --> 01:34.530
I'll use two operators: "allintext" and "filetype". allintext:username filetype:log

14
01:34.530 --> 01:42.340
"allintext" is a Google search operator used to search only in the body text of the documents while ignoring

15
01:42.340 --> 01:51.040
links, URLs, and titles. And the "filetype" operator will limit the results to a specific file

16
01:51.040 --> 01:51.750
type,

17
01:51.850 --> 01:53.860
in this case to the log type.

18
02:00.490 --> 02:04.530
See how Google is trying to block my connection.

19
02:04.800 --> 02:06.480
I have to solve this captcha!

20
02:15.870 --> 02:23.300
After solving the captcha we see a lot of information that has probably been accidentally exposed.

21
02:23.420 --> 02:24.710
Let's see this one!

22
02:28.730 --> 02:36.050
These are the logs of a MariaDB server, and if you search for the words username or password you'll

23
02:36.050 --> 02:39.770
find a lot of exposed credentials in clear-text.

24
02:43.120 --> 02:53.580
Many of the passwords are random strong passwords, but that's of no help. Let's see a Google Hacking query that

25
02:53.580 --> 02:57.370
would find exposed PHPinfo files.

26
02:57.600 --> 03:06.030
You should know that phpinfo() provides you with complete information about PHP, the web server and other services

27
03:06.240 --> 03:08.470
that are running on a server.

28
03:09.690 --> 03:11.010
So filetype

29
03:11.010 --> 03:26.170
:php inurl:info and I'm searching for "PHP Credits", "Configuration" and "PHP Core", each between double quotes.

30
03:29.760 --> 03:33.710
Let's try some pages!

31
03:33.920 --> 03:37.850
This is sensitive information exposed by mistake.

32
03:47.340 --> 03:55.800
The next Google dork will allow us to search for WordPress sites that have the wp-content directory exposed.

33
03:57.130 --> 04:08.260
inurl:wp-content/ and then "index of"

34
04:15.860 --> 04:17.990
And we see exposed directories!

35
04:25.320 --> 04:33.020
This problem can be fixed by setting the correct directory permissions and disabling directory indexing.

36
04:33.380 --> 04:39.750
By the way, directory indexing is very important when running any type of blog.

37
04:40.170 --> 04:49.160
Let's go ahead and see how different Apache HTTP servers are performing. intitle:

38
04:49.840 --> 04:58.550
"Apache Status" inurl:server-status

39
05:17.290 --> 05:24.250
If you include inurl in your query, Google will restrict the results to documents containing that

40
05:24.250 --> 05:31.690
word in the URL. The Apache status module allows a server administrator to find out how

41
05:31.690 --> 05:34.000
well the server is performing.

42
05:34.000 --> 05:41.620
This is confidential information and should be available only to the admin.

43
05:41.840 --> 05:44.530
This is how the servers are performing.

44
05:46.490 --> 05:54.080
Let's move on and search for FTP servers that publish files which are supposed to be internal but were

45
05:54.170 --> 06:00.870
unintentionally made public: intitle:"index of"

46
06:02.790 --> 06:09.210
inurl:ftp. These are the results!

47
06:12.070 --> 06:16.030
Resources published via FTP, probably by mistake!

48
06:21.430 --> 06:28.960
If I want to see only the results that were published after the year 2019, I can add the "after"

49
06:28.960 --> 06:29.560
operator.

50
06:30.580 --> 06:34.690
So after:2019

51
06:41.900 --> 06:43.010
Let's try another one!

52
06:43.490 --> 06:53.030
I'll search for configuration files with passwords:
filetype:env "DB_PASSWORD"

53
06:57.120 --> 07:07.250
Configuration files should not be made public, and .env files are a great example. These are simple configuration

54
07:07.280 --> 07:13.820
text files that are used to define some variables you want to pass into your application's environment.

55
07:15.520 --> 07:23.650
If we search for .env files that contain a string for the database password, we instantly find the password

56
07:23.860 --> 07:32.760
to the database we've discovered. Now let's find lists of emails! To find them

57
07:32.850 --> 07:40.890
we'll be looking for a spreadsheet (.xlsx) file type with the string "email.xlsx" in the URL.

58
07:40.900 --> 07:54.860
Like this!

59
07:54.930 --> 07:59.270
These are all Excel files that contain emails.

60
07:59.310 --> 08:04.250
Organizations are frequently exposing these lists by accident.