Do you Google Hack?

Back in college I wrote a paper on Google Hacking. Until now, I still find it a very fascinating and interesting topic to discuss about. Below is the introduction of the paper.

The introduction of Google (Google) has revolutionized the way people use and interact with the Internet. First time in human history has a system become such efficient in retrieving complicated and difficult to locate information with such high relevancy that it has become the de facto search engine people use to seek any sort of information. We can be rather certain in saying that Google has definitely brought a positive contribution to the society.

However, with great power comes great drawback. The powerful searching ability that made Google what it is today is also exactly the one that made Google an extremely popular and powerful tool to search for sensitive information in the hands of a malicious Internet user. These information, such as credit card numbers, personal information, server vulnerabilities, network exploits, usernames and passwords, that is on the World Wide Web which used to be hard to access, confidential, and discreet, suddenly through Google, became just one click away. Furthermore, with the use of automated tools, it makes parsing through the immense returned information and to gather specific results easier than ever. On top of that, malicious programs have been written, which uses Google to locate vulnerable hosts. These mentioned methods of using Google to uncover sensitive information is commonly known as ‘Google Hacking.’

To test the validity of Google hacking, I ran a few rounds of Google hacking to observe the returned results. Within a few minutes of basic Google hacking, I was able to locate about 60,400 returned results of individual’s Curriculum Vitae, most containing very detailed personal information. I was also able to locate about 17,500 returned results of server password. Last but not least, I was also able to identify about 23,400 returned results of a certain popular free forum that has exploits that is well known to allow manipulation of arbitrary server files. I also tried to locate social security numbers, credit cards, and such sensitive information, but am not successful due to my limited Google hacking skills at the time of this experiment.

I have been able to locate many resources regarding this topic, for the largest Google hacking repository being run by Johnny Long, a well known authority in Google hacking and the author of the book “Google Hacking: For Penetrating Testers.” Most of these resources out there are aimed at teaching the basic of Google hacking, in hope to educate administrators and the general publics the possibility of Google hacking, so that we can better protect ourselves. It has gained a lot of momentum throughout the years, and security experts have already started to act with it. Security groups such as Seattle’s Agora has also set up conference competitions in the past to educate and inform Seattle’s security experts this vulnerability and the possible harm it could cause.
So what exactly is Google hacking and how is it done? Is it just hype with no real effect or does it live up to its name and proved to be dangerous? In this paper, I will explore and teach the different aspects of Google hacking, and hopefully come to a conclusion to better educate and protect us from the Google’s crawlers.

——————– To be continued ———————

Cheers!
-aL