Tuning your Google search skills

There are books written specifically on advancing Google search skills, but for web penetration testing, we can focus on some tips and practices that can better leverage the engine and eliminate useless search hits, commonly referred to as noise. We can use some operators to filter or focus our results, while others will perform logical combinations or modify the engine's behavior. Let's take a look at the most effective modifiers and options, filtering or focusing first, followed by logical operators:

• The site: operator: Using the site: operator tells Google's engine to only accept files hosted on a particular domain. When we're looking for legitimate contact information, exposed files, and content, we'll want to use this operator to allow us to focus purely on that domain's results, rather than on a full dump of links in page-hit order that may spam many other sites. Take, for instance, a search on Cisco ASA documentation, both before (left) the site: operator and after (right):

• The credentials operators: Using keywords such as username, password, userid, pwd, passcode, credentials, or any other variant can help us locate password or username recovery details. A quick targeted search on these terms can not only point you to portal entries you will likely target, but may, in fact, provide the keys to unlock them. We'll discuss using default credentials against the results of these queries later in this book:

site:<target site> username|userid|password|passcode|pwd

• The inurl: operator: An early recon of a target, including lessons learned from social engineering, may provide us with clues as to the platform used, developers involved, or points of interest in a web application. We can combine the inurl: operator with the site: operator to probe those specific points of interest:

site:<target site> inurl:index

• The file handle (ext:) operator: Using standard file handles allows us to call out and include (or exclude) file extensions of interest. Using typical file extensions, you can invoke each of them using the ext: operator. For instance, we'd search for all PHP files in www.hackthissite.org with the word index in the URL using the following string:

site:<target site> ext:php inurl:index

• The filetype: operator: If we're looking for a file type that may not be displayed but linked to or archived on a site, we'd instead use the filetype: operator. Invoking filetype:xls in your search, for instance, would scour your search area for Excel spreadsheets:

site:<target site> filetype:xls inurl:finance

• The intitle: operator: When we want a specific file, we can use the intitle: operator. This is very useful to locate platform-specific configuration files, or it can help to expose the robots.txt file. As you may recall from our HTTrack use, the utility's default behavior is to avoid spidering the sections of the website identified in the robots.txt file. This was envisioned to allow web developers to prevent certain necessary but sensitive locations from being searchable by reputable browsers. If other precautions aren't followed, robots.txt can provide a hacker with a list of files and folders they may want to see. Well, for hackers, there is a good chance that there are some juicy details in there that would be very helpful.  To see what is in the robots.txt files, you can simply enter this:

site:<target site> intitle:"index.of" robots.txt

Each of the preceding operators can help narrow searches alone or in combination, but learning more about the processing engine of Google's search can also help us eliminate extraneous information and understand the results. Here are some quick tip highlights:

• Using the logical operator OR is helpful (AND is assumed). If written out, OR must always be all caps to be considered the logical OR, lest it is considered part of the search phrase itself. You can also use the | operator, commonly referred to as the pipe operator.
• Google search will focus on the first 10 non-trivial words of a search phrase. Using * in the place of optional or throw-away words in a search phrase won't count against the ten-word limit but effectively extends the phrase for more complex searches.
• You can use - before an operator or filter to exclude (negate) the effect of that filter or operation. An example might be where we want to determine what, other than web servers, a particular domain may be presenting:

site:packtpub.com –site:www.packtpub.com

• This is not the same as the keyword NOT, which is actually only useful to exclude a word from the search but has no effect on the special operators. If we were to run the following, it would yield plenty of www results, unlike the search with - used as a modifier:

site:packtpub.com NOT site:www.packtpub.com