Google Hacking in 2017

It has been some time since my last post. Then again, I've been busy taking the Cracking The Perimeter course from Offensive Security (probably a future blog post):

https://www.offensive-security.com/information-security-training/cracking-the-perimeter/

So, let's talk about "Google hacking" in 2017 and how we used it in a pentest. This is just a quick post; I need to get more content out.


Google Hacking

If you are in the information security realm, you know what "Google hacking" is. For those that aren't aware, it's the use of Google to find indexed information that may contain files, configurations or other such information. In some cases, helping to find a known vulnerability across a large set of sites.

On a recent pentest, we had found that a client's administrator had accidentally uploaded a file on their web server which contained various passwords and usernames for services as well as their VPN. We found the file via "Google hacking" within a few hours of starting the assessment. Our search term was quite simple:

site:CLIENTDOMAIN.TLD filetype:xlsx  

The client was not amused by what we had found, insisting that their admins nor personnel would ever be that reckless. After showing them some Google results, they started to grown concerned. After all, we found usernames and passwords. What else was out there? A little while later, we were able to find an email address list of the company (meant to be internal) which was later used as part of their phishing campaign. It's important to note that their people were not being reckless. They were, however, following an established process that was wrong and unknowingly posting their data online.

I began wondering "how many sites still fall for this?" This, being storing passwords on the general Internet and having them get indexed by Google.

Turns out I was in for a surprise...

*Note the labeling in the first column :(

While some stored datasets are from ~2010, many were found from 2017. That's right, passwords being openly stored on the Internet and being indexed on Google in 2017. Some places ranged from student systems all the way to insurance resellers. Honestly, there are VERY few excuses to ever storing people's passwords online. I only posted one screen shot because how many documents do you really want to see? Google it yourself ;)

Your stuff on Google and you want it removed? Read the KB article below:

https://support.google.com/webmasters/answer/6332384

Join EFF!