WEBVTT

Google dorks. In this video, we're going to be taking a look at the process of utilizing Google dorks, or Google hacking as it's known by hackers and penetration testers, to essentially identify information pertinent to a target. And in this case, we're going to be primarily focusing on, you know, domains as our targets, right? So we're essentially going to be utilizing search filters, Google search filters, to find exactly what we're looking for. This will include specific subdomains, specific files associated with a target. Like maybe we wanted to find, you know, PDF files that are publicly available for a particular domain, etc., etc. You get the idea; you'll actually see what this looks like when we get started. So again, I'm going to be utilizing my Kali Linux VM. And of course, you can follow along if you want to as well, just remember, be very careful with what you actually engage with, because as you'll see, there is quite a lot of content you can find online that is unsecured and could be potentially useful as, you know, a penetration tester. So let me just switch over. All right, so I am back on my Kali Linux system. And we can get started. So I'm just going to open up Google because that's what we're dealing with.
And then, you know, we'll actually walk through it, right? So there we are, google.com. So let's say our target is ine.com. So you know, a standard person who is unenlightened might just type in ine.com, right? Fairly simple. So we type in ine.com, you can see we have ine.com here, their LinkedIn page, Twitter. Okay, that's looking okay. But you know, this is really not giving me information that might be useful to me, right? With regards to this particular domain. So let's say I wanted to limit all results to this particular domain. To do that, I can utilize the site operator. And I'm just going to zoom in here. So I'll say site:ine.com. All right, now you'll see what will happen. So as you can see, it will now limit all the results to the domain ine.com, but not just that, it will also show you subdomains for this particular domain here. So you can see we have my.ine.com. We have ine.com here. These are all the pages or categories for the ine.com website. So you can see we have blog, careers.
So we are already starting to actually, you know, identify potentially interesting pages, and not just that, but potentially interesting subdomains, like for example, they have courses.ine.com, they have community.ine.com, you know, so on and so forth. But this is still very wide with regards to the scope, right? We can pretty much go through all of these pages and identify, you know, subdomains that might be interesting like this one here, although I'm not telling you to do that. But let's say we wanted to look for specific results and we want to limit it to ine.com, but let's say within the website title, or within the website URL, let's say we were looking for an admin panel. Well, we could say inurl. So that's the next search filter. We can say admin. Will this show us an admin panel? Well, it shows us a Microsoft 365 Teams admin page, which looks like a course, nothing to do with admin. Let's see if we can find anything there. We have another page here. But yeah, we pretty much don't have anything there. So that's a bummer. So we can see we have the forum, by the way, we can also change this to forum.
If we were looking for any forum, we can just type in inurl:forum. And there we go, we get links pertinent to, you know, the actual search queries we have provided. So you can see that the forum is community.ine.com. So we've been able to identify that conclusively. Now, let's say we were looking for things that are a little bit interesting. What if we wanted to enumerate subdomains via Google? Well, we could do that. And the way we can do that is by saying site, and we then use the wildcard symbol or the asterisk, and we say site:*.ine.com. This will not show ine.com, but it'll show subdomains for ine.com. So I'll hit enter. And as you can see now, now we're getting somewhere. So we have my.ine.com, courses.ine.com. So this is essentially what Sublist3r was doing. It was essentially utilizing dorks for all the search engines to limit the results to subdomains. And these are, of course, subdomains that have been indexed by Google. Now you may be thinking to yourself, well, aren't these the subdomains that, you know, INE has exposed by their own choice? Well, that's true. That is the case. But in some cases, companies can become very sloppy.
And they may expose a subdomain to the internet that, you know, they probably don't want to expose. And in many cases, some companies don't even know that these subdomains are accessible via Google. So let's take a look and let's see. Oh, looks like we have the same remote desktop one there. Let's take a look at some of the other ones. Okay, we have shop.ine, courses. We've already seen that. But you know, we still aren't getting anything interesting. Nothing interesting so far. So let's try and make our search a little bit more refined. So I can say inurl, we can say maybe admin. Let's say we're looking for a subdomain that, you know, has admin in its URL. In this case, that might not be very useful. So we can use the intitle operator or filter. That will essentially limit all the results to subdomains with admin within the actual site title. So I'll hit enter. And we have a sales admin, which looks like the subdomain is stg, a-c-p dot ine. This looks like a CRM.
So you can already see that just by, you know, utilizing the Google search engine and, you know, utilizing Google dorks, we can start finding subdomains, you know, manually. And of course, this is something that Sublist3r would do. But it's very important that you learn how to do this yourself. Now, why am I saying that? Well, let's say we wanted to find, we can say, let's limit it to subdomains of ine.com. But we wanted to find a file. So we can say filetype and then we specify the type of file. So let's say PDFs. Right. So you can start to see that now it's going to limit the results to, you know, subdomains that have PDFs, or pages, or subdomains with pages that have PDFs. So in this case, it looks like we have a diagram here, a network diagram. Okay. Interesting. Let's try and limit this maybe to sales. Let's see. Ah, nothing there. So nothing useful there. Can we say CRM maybe? Okay. Nothing there. Maybe marketing. I think they're okay. So you can see that we probably need to make our search query a bit more specific or, you know, we pretty much do not have anything.
We didn't get anything returned by Google. So let's try and limit this to XLSX files or Excel spreadsheet files. Nothing there. Okay. That's good. Maybe PDF. We've already done PDF. So can we say documents? So DOC or DOCX? Uh huh. Nothing there. Maybe ZIP. I believe zip still works, or .zip, but you get the idea. So we can limit it to specific files. So if we say, you know, PDF or maybe X, we can say filetype:xlsx. And instead of searching for subdomains, we just search for, you know, we limit the results to ine.com. In this case, nothing there. So maybe DOCX. Okay. So Google has, of course, detected that we are making too many requests, good on them. We are making too many requests, taxis, taxis. I believe that's all the taxis I can see there. So okay, that looks like it's working. So yeah, nothing there. All right. So that is how to essentially, you know, limit, or how to perform subdomain enumeration manually.
Now one other thing that, you know, we can do, for example, if we're looking for information regarding, you know, employees, for example, we can say site:ine.com, and then we can say employees. So we can enter a standard search query here. So you can say site:ine.com employees. And you can see we get results based on the actual keyword that we provided, so, you know, if we were trying to look for employees, or individuals that work at INE, this would be one of the ways we can do it. So you can see that you can limit it to what information you're looking for specifically. So there we are. We can also say maybe, let's see, ine.com, maybe instructors. And this will probably display, there we are. So we have the instructors page. So you get the idea, you can pretty much search for whatever you're looking for by utilizing Google dorks. Now let me take you through a couple of examples that might not be too good to show you. But if we were looking maybe for sites with directory listing enabled, we can use the intitle search filter and specify that, within the title, we're looking for "index of". All right. So this is a common vulnerability within web servers.
So if you're familiar with how web servers work, if you've ever set one up, there is a misconfiguration called directory listing. Now it's not really a misconfiguration, but you really, really want to have this open or running on a production site. The reason for that is because it allows users to view the contents of that directory. So in this case, it looks like we have a couple of sites that are hosting probably pirated movies. So I wouldn't recommend clicking on that. And you can see that, nothing else there. It's not displaying anything else there. So next, hmm, we have a couple of other sites. There we go. But yeah, you get the idea, just to show you how this works. If I click on maybe this, this looks like a government website, so "index of data", that's probably secured. But let's click on that. No, it isn't. So it looks like they have data that's publicly exposed. I'm not really sure what this data is. It looks like, yeah, I'm not going to click on that. Anyway, this is publicly available, accessible information. But again, I'm just doing this for educational purposes. There are a couple of other searches we can perform that I haven't covered here.
But let's say we wanted to try and find an older version of a website. This is very important because companies can modify websites and are constantly making changes to websites. So if you wanted to see what a website looked like maybe, you know, five months ago or maybe one year ago, you can use the cache operator and then specify the site itself. So cache:ine.com, and we'll give this a couple of seconds. And again, looks like I have the same issues. So boats, okay, do I see any more boats there? Verify. Okay, Google probably allows us to do that. So there we are. So that'll display the Google web cache for ine.com. And in this case, it looks like we don't have any, you know, this is pretty much the latest version. We can also utilize the Wayback Machine. The Wayback Machine is a site that stores older versions of a website after a fixed period of time. And it stores those snapshots. So I can say https://ine.com. And it's going to take a second. There we are. So it's taken snapshots all the way from 1999. So we can see the earliest version of this website. So I'll click on the snapshot maybe on the 9th of February. This is very close to when I was born, which is kind of scary actually.
But there we are. Let's see how the website looks. It looks like it's saying, welcome to the great web of China. Okay, I'm guessing that's before INE actually set it up for its current use case. Let's see how it looked in 2006. So let's see how it looked on August the 3rd. This is really cool. So the snapshot was taken at 2200 hours. Let's click on that one there. All right, this is 2006. So I'm expecting it to be... Well, that snapshot doesn't really make any sense. Let's take a look at a more recent one, maybe 2016, right? That's probably where things started getting really interesting. So maybe March the 12th, 2016. All right, so we can start to see how the website looked then. Okay, so, training. So I'm just going to give this a second, a couple of seconds to load up. All right, so if you ever wanted to know how a site looked in 2016, like for example, ine.com, this is how it looked. So the Wayback Machine is really cool because it gives you a sort of historical view of what a website looked like. Let me show you something even cooler than that. I'll show you what hackersploit.org looked like during its inception.
So hackersploit.org. I know that we really had a very, very bad theme right around 2018 when I first set the site up. So let's take a look at April the 20th, 2018. Not really sure what to expect, but this had a different title. HackerSploit Cybersecurity. Okay, let's see what that looked like because I think I've even forgotten that myself. So yeah, we'll just give this a couple of seconds because it needs to fetch that content and then of course render it so that we can view the webpage. All right, so this is how hackersploit.org looked. Nothing too different, but the theme definitely has changed. But you can sort of get an idea as to how this would be useful. So a good example of this, I'll give you a personal example or personal analogy, is when I was performing a pen test for a company that I can't name, they had information that was potentially useful for attackers on an older version of this site, probably four or five years in the past. And they thought that that information was not accessible by anyone. And with the Wayback Machine, we could go ahead and view it. And there was a lot of sensitive information that was leaked.
So you can definitely take a look at the Wayback Machine to get a historical view of what a website looked like. And of course, that's not the only reason why you should be doing it; it's because an older version of a website might have potentially important information like email addresses, contact information, you know, etc. So let's head back over to google.com. And I'll probably explore a few more Google dorks that we can use, or that you can use rather, if you're ever trying to find interesting stuff. So another example of this is, let's say we want to see if some website has inadvertently, you know, listed or, you know, saved or exposed a directory that has passwords, you know, a lot of people do that. So we can, for example, say inurl. And in this case, we can say auth_user_file.txt. And you can already see that a few sites have them. So for example, this one here, which is just an IP address. And they probably have this exposed on the internet. And that means that there's a login form here. There's probably the password. The passwords are probably leaked on this page. I'm not going to get into that because again, that'll be sort of going over what I'm allowed to do. But it looks like we have another one here.
And it looks like the same site. Interesting. Very, very interesting. Let's change this around. I think there's another one we can use. So we can say inurl:password.txt or maybe intitle:password.txt. So it looks like we have a couple of sites that have leaked their password.txt file, you know, on the internet. Let's hope the individuals or the owners of this website here haven't inadvertently leaked this information to the public. But there you go. You can see that there is password information, or at least usernames, for a specific domain here. But you get the idea, you can do a lot with Google dorks. Now, I've not covered all of the most important ones because I'm really focused on passive enumeration or passive information gathering. One of the greatest resources for, you know, whenever you're trying to utilize Google dorks or perform Google hacking is the Google Hacking Database, right, which is owned by Offensive Security, the parent company that owns and develops Kali Linux. So this is a database of Google dorks that can allow you to find specific information. So for example, in this case, this will essentially, this Google dork can be used to find files that contain juicy information.
So these are government sites. So you can see we have site, gov dot, whatever, intitle index of, because directory listing is enabled. And the filetype is CSV. So we can actually test this. Or let's see if we actually find some juicy files, which of course we will, because people don't take the time to secure their stuff. So there we are. A lot of sites here. And these all look like government sites for different governments. And as I said, I'm not going to be going through this, but you can see that they're all being leaked because directory listing is enabled. Most of these are WordPress sites, which makes a lot of sense, because WordPress can be quite hard to lock down. But yeah, you can also limit this to, you know, you can specify additional keywords to find what you're looking for. So maybe you can say passwords. There we are. And in this case, you know, with that, we're limited to, you know, any URL with the gov dot prefix, you know, and yeah, so you can utilize the Google Hacking Database to find specific information. So let's take a look at a couple of others that might be potentially interesting. These are the latest ones here.
Let's run a few filters. So let's say we're looking for files containing passwords, probably. There we are, files containing passwords, we can then utilize these particular dorks, or, you know, search this one, for example, here, or maybe this one here. Let's see whether we're able to find any credentials that might have been leaked. There we are. You can see that we might have a few here. So this looks like a potentially interesting website. That is, I probably won't check them because I don't want to do that. But yeah, you can do a lot of stuff with the Google search engine through the use of Google dorks. I've just gone through some of the most interesting ones that you can do from the perspective of a penetration tester, you know, legally speaking, sort of limiting the results to a particular URL or a particular title or particular domain or subdomain. So definitely take a look at the Google Hacking Database. As I said, you know, this is pretty much a one-stop shop if you're ever trying to find potentially interesting files or potentially incriminating files that, you know, a company might not have secured with regards to their website.
So definitely take a look at this, especially if they have a WordPress site, then you can limit this again by using the filter option to a particular content management system, or you can just perform a search, maybe like WordPress. There we are. And in this case, you know, we can also limit this to maybe WordPress. There we are. And these are all the Google dorks for WordPress. So you can try and find WordPress, you know, WordPress config backup files. This is something that I've used before. So let me just take a step back here. So, you know, sites that have taken a backup of the WordPress config file and have not deleted that backup. If you're not familiar with it, the WordPress config file pretty much contains credentials to the MySQL database. So, you know, this could be potentially damning for a particular company. But yeah, that concludes the practical demonstration side of this video.