Information Gathering Using Google
Lih Wern Wong School of Computer and Information Science, Edith Cowan University email@example.com
Google is a powerful search engine. However, by combining Google's features with creativity in constructing queries, it can be made to return sensitive information that casual users would not usually find. Attackers can use Google to look for vulnerable targets and to passively gather information about their targets to assist further attacks. This paper discusses ways to exploit Google to obtain valuable information and how attackers can use that information to perform attacks. The ideas discussed are applicable to other search engines as well.
Keywords: Google, Google hacking, information gathering, penetration testing
Google is the most widely used and powerful search engine. Many users are unaware that they are exposing far more information on the Internet than they intended. Users who can construct an accurate query will find exactly the information they desire. Unfortunately, Google has been exploited by attackers for malicious purposes: to find vulnerable systems, passwords, other sensitive information and far more system information than they need to know. Google can be used as an information gathering tool to profile targets. Though tools like Nessus and nmap are much more capable of scanning websites for vulnerabilities, the use of such tools can be detected and they create lots of “noise” which will usually alert the administrator (Mowse, 2003). By employing Google, an attacker can scan targets for some of these vulnerabilities much more silently. Since Google constantly crawls the Internet for websites and indexes them in its enormous database, it speeds up the attacker's vulnerability scanning process. Though only Google is used in this paper, the ideas discussed are applicable to other search engines as well.
PROFILING A PERSON
This section focuses on how to gather information about a particular person for general reconnaissance, social engineering (e.g. deceiving or talking bank customers into revealing passwords) or other criminal acts.
Personal Webpage and Blog
To get a better understanding of a target, combining the target's name or email address with words like homepage, blogs and family could point an attacker to more information about the target. Driven by self-importance and vanity, a lot of individuals set up their own personal webpage or blog (a web version of a personal journal). Blogging is gaining huge popularity as users share their daily routines, thoughts and opinions on various matters. Through such sites, people have unwittingly released information including personal opinions, interests, dislikes, job particulars and contact information (Granneman, 2004). If personal photos are posted on these sites, they allow an attacker to identify the actual victim or the victim's friends and associates. With all this accurate information and matching photos at hand, an attacker could easily socially engineer the victim. The attacker could strike up a conversation using recent topics posted by the victim to initially gain trust and later persuade the victim into revealing the desired information. Personal webpages and blogs are a rich and reliable source for profiling a person.
Web-based Message Groups
People join groups they are interested in on Yahoo! or Google Groups. Google Groups is a Usenet archive that enables users to access Usenet post data since 1995 (Google, 2003). By searching for an individual's screen name and checking their profile, an attacker could potentially figure out their interests or the kind of groups they are most likely to join (Long, 2005, p. 141). The attacker could join a particular group and check its message archive for useful information about the target, which is useful for social engineering. Sometimes even a group description is enough to determine the group's context without actually joining the group. Computer-related groups could reveal details of the projects an organization is currently engaged in or the type of hardware or software solution it uses. Employees of a software development organization may post questions about programming problems they face in such software development groups. If the employee uses an organization email address to correspond, the attacker could get a rough idea of the ongoing projects in that organization. Even if only an actual name is used to correspond, the attacker could possibly find out the affiliated organization through sites like blogs. Furthermore, if a system administrator is seeking help with network issues, the attacker would know which organization may have exploitable holes. The attacker could also actively engage in the group to “help” the victim with the problem, deceiving the victim into revealing more information.
Resume
A resume or curriculum vitae mostly contains accurate and current particulars of an individual. They are usually displayed on personal websites.
It is a very reliable and favorable source that an attacker can count on when profiling a person. Its previous employment section gives the attacker another approach to advance the social engineering process. The attacker could impersonate a future employer or head-hunting agent and call the victim to find out more background information about the “candidate”. In that situation, the victim will most probably give out accurate information to convince the attacker to hire them. The query "phone * * *" "address *" "e-mail" intitle:"curriculum vitae" would return actual resumes (Davies, 2004).
Figure 1.1: Curriculum Vitae (Curriculum Vitae, n.d.)
PROFILING A TARGET ORGANIZATION
If an attacker has a fixed target, Google could assist in finding information that is useful for social engineering or physical breaches. Most of this information is publicly accessible for the employees' convenience, and some of it can be very informative.
Intranet, Human Resources and Help Desk
Many organizations have an intranet which contains information that should only be accessible by employees. For the organization's convenience, the intranet may contain human resources information (e.g. departmental contacts), policies and procedures, and help desk information. Though an intranet is supposedly private, such sites are sometimes still accessible to the public by searching intitle:intranet inurl:intranet "human resources". Substitute human resources with words like help.desk or IT department for additional information. This information, which includes the names of the individuals in charge, their positions and their contacts, is very helpful for social engineering, as shown in Figure 2.1, with helpful links to Contacts, Help Desk and Policies. By skimming through the policies, which usually include operating procedures, an attacker could roughly learn how the organization operates.
Figure 2.1: Intranet (CSD Contacts, 2005)
Self-help Guides
Some organizations provide guided help for troubleshooting or installation that can be too informative. An attacker could learn their configuration details and the technology involved, which are useful in a later attack phase. A search for "how to" network setup dhcp server ("help desk" | helpdesk) shows a “how to” guide on network setup, as shown in Figure 2.2 (Long 2005, p. 124). Useful information in Figure 2.2 includes the proxy address and port number, workgroup name (i.e. DIS-STUDENT), email information and configurations (i.e. web-based and MS Outlook support), and additional server names (i.e. dis.unimelb.edu.au, unimelb.edu.au). An attacker can use this information within the organization's networks.
Figure 2.2: Informative Self-help Guide (DIS, n.d.)
Jobs Postings
The recruitment section of an organization's website could easily be disregarded as a source of information. However, it reveals information about the information technology in use and the corporate structure: the operating systems, software, network type and server type. It also shows the various corporate departments with their respective vacant positions and job descriptions. An attacker could perform a physical breach by impersonating a new employee taking up a new position, pretending it is his first day at work and asking for access control. An attacker can find an organization's job vacancies by combining the site operator with employment | job | recruitment.
Figure 2.3: Job Postings Reveal Information (Employment, 2005)
Figure 2.3 shows that the technology this organization uses most probably includes .NET Framework applications, Oracle database, Veritas applications, various operating systems (e.g. Windows 2003, Linux) and an IBM AS/400 server. An attacker could then focus his attacks on the weaknesses of that technology.
Google Local
Part of the social engineering process includes eavesdropping on conversations, people watching and engaging target employees in friendly conversation. Google Local can be very helpful in locating employees' favorite hang-out places, such as coffee shops, restaurants, grocery stores and pubs, in order to eavesdrop, chat with employees or catch up on corporate gossip. An attacker could pose as an interested job applicant and engage in a conversation with the target organization's IT personnel, which could potentially reveal information about the operating system, version, patch levels and applications in use (Cole, 2003) in the target organization. Google Local (http://local.google.com/; currently Google Local only works in the US, Canada and UK) allows an attacker to find any type of business in a target organization's surroundings, with a detailed map to locate the place, as shown in Figure 2.4.
Figure 2.4: Google Local (Google Local, 2005)
Link Mapping
Links on an organization's website can reveal non-obvious relationships between the linked organizations. An attacker could attack a poorly secured partner site and subvert the trust relationship between the two domains to compromise the much better secured target. BiLE from www.sensepost.com (BiLE, 2003) is an automated tool capable of revealing such hidden relationships based on complex calculations and predefined rules. For instance, a link from a target site weighs more than a link to a target site (SensePost, 2003, p. 9). Though the Google link operator is only capable of showing sites that link to the URL given in the query, BiLE uses it intensively to assist this footprinting process. It is a subtle way to learn the possible relationships of an organization, over which the organization has no control.
PROFILING WEB SERVER AND WEB APPLICATION, AND LOCATING LOGIN PORTALS
Attackers can use Google to profile web servers and the web applications running on them, before attacking potentially vulnerable machines that run a vulnerable application version. Login portals provide “front-door” access to the target, which is a helpful start for an attacker.
Server Versioning
The server tag at the bottom of a directory listing page provides useful information for determining the type and version of the web server application running on the website, as shown in Figure 3.1. An attacker who wants to exploit the vulnerabilities of, say, Apache 1.3.28 can run a search on "server at" "Apache/1.3.28" to locate potentially vulnerable machines. The query "Microsoft-IIS/6.0 server at" will locate websites running Microsoft IIS server 6.0. This is a fairly easy way to determine the server version. A vulnerable version does not guarantee an exploitable flaw, as it may have been patched. However, if directory listing is allowed, it could suggest that the administrator is not concerned with the server's security and there is a possibility that the server is not fully patched.
Figure 3.1: Server Tag Reveals Server Version (Kernelnewbies, n.d.)
Web Application Error Messages
Error messages generated by applications installed on a web server can reveal information about the server and the applications that reside on it. The query "ASP.NET_SessionId" "data source=" "Application key" reveals sites with an ASP.NET application state dump, which contains a great deal of information about the web application and the applications that reside on the server, such as the database connection string and the application path on the web server, as shown in Figure 3.2. The connection string itself provides valuable information including the database type, database name, and the username and password used to connect to the database. Thus, it would be easy for the attacker to connect to the database server and manipulate its contents. After all, if such dump files are crawled by Google, the attacker can be fairly sure that the web server is not secure.
Figure 3.2: ASP.NET Application State Dump (Broward County, 2005)
PHP error messages can be revealed using the query intext:"Warning: Failed opening" include_path, which helps an attacker characterize the web server, as shown in Figure 3.3. The error message also exposes the actual server path, web path and related PHP filenames. An attacker could try to traverse these actual file paths to look for potentially valuable information. Poor programming practice and a lack of comprehensive testing cause such error messages to exist or to go uncaught by the existing error checking mechanism.
Figure 3.3: PHP Error Message (RightVision, n.d.)
Default Pages and Documentations
Most web applications and web servers have default or test pages which enable administrators to validate that the application is successfully installed. Poor configuration leaves such pages to be crawled by Google. The mere existence of default pages, even in the Google cache, helps the attacker's profiling process. Figure 3.4 shows an Apache installation found using the query intitle:Test Page.for.Apache seeing.this.instead. Besides, different ranges of server versions have different default pages (Long, 2004). Figure 3.4 shows an Apache 1.3.11-1.3.31 installation, as opposed to the Apache 1.3.0-1.3.9 installation in Figure 3.5, found using the query intitle:Test.Page.for.Apache "It worked!" "this Web site!". An attacker can also use the manuals or documentation usually shipped with web server applications to profile web servers, though not as accurately as with default pages. The query intitle:"Apache 1.3 documentation" or intitle:"Apache 2.0 documentation" will find the respective range of Apache servers (Racerx, 2005). Figure 3.6 shows IIS 5.1 release notes, found using the query inurl:iishelp core. The mere existence of default pages and documentation could signify a careless administrator, which means potentially vulnerable sites. These two techniques give an attacker another approach to identify web server versions.
Figure 3.4: Apache 1.3.11-1.3.31 Installation (Lanalana, n.d.)
Figure 3.5: Apache 1.3.0-1.3.9 Installation (Mvacs, n.d.)
Figure 3.6: IIS Default Documentation (IIS 5.1, 2001)
Locating Login Pages
Web application login pages, such as the one shown in Figure 3.7, found using the query allinurl:"exchange/logon.asp", allow an attacker to profile the applications that reside on the web server, and they act as a break-in channel. In this case, the site even specifies the way the username is constructed (i.e. Note: In most cases, your username…) and the software version and patch level (i.e. 5.5 SP4). An attacker could find exploits related to the specific application version to compromise it. Besides, since the login page is a default page, it could implicitly indicate that the website administrator is unskillful and the security of this site is probably weak (Long, 2005, p. 251). Administrators should customize the login page so that it does not indicate the actual application in use. Ways of finding generic login pages include inurl:/admin/login.asp, "please log in" or inurl:login.php. An attacker could use the login pages to brute force or dictionary attack a range of passwords with the respective usernames.
Figure 3.7: Microsoft Outlook Web Access Login Portal (Myers, 2005)
FINDING EXPLOITS AND VULNERABLE TARGETS USING VULNERABLE APPLICATIONS COMMON WORDS
If an attacker intends to attack any vulnerable target rather than a specific one, Google is highly effective in finding such targets. The attacker can first use Google to dig up exploit code written by hackers to facilitate exploitation of vulnerable targets. Subsequently, the attacker can search for vulnerable targets through the words that flawed applications commonly display. An attacker can rely on Google to search for exploit code that is posted on public sites or on hacking community sites. To retrieve this large number of exploits, usually written in the C language, use the query filetype:c exploit. However, some exploits are shown in other formats such as txt, html or php. Thus, to locate such exploits effectively, an attacker will search for common code strings inside the exploit code, such as main or #include <stdio.h>, which is commonly included in C programs to reference the standard input/output library (ComSec, 2003). Regardless of file extension, the query "#include <stdio.h>" main exploit will produce sites with exploit code. An attacker can use the source code of a vulnerable application to construct an effective base query to search for vulnerable targets. The attacker could visit security advisory websites to learn which 3rd party applications used in web applications have security vulnerabilities. Most of the sites that use such 3rd party components carry the phrase “Powered by”, followed by the component name and version. For instance, the query "Powered by CubeCard 2.0.1" will locate websites using CubeCard 2.0.1, which is vulnerable to SQL injection and cross-site scripting (Secunia, 2005). Another example of looking for vulnerable targets is allinurl:/CuteNews/show_archives.php, as the CuteNews show_archives parameter is susceptible to cross-site scripting (Mohanty, 2005).
To get an idea of how to produce an accurate query to locate the vulnerable websites, an attacker can learn the words commonly displayed by sites using the 3rd party web components by checking the components' source code (Long, 2005, p. 185). If the source code is not available, the attacker could directly install the vulnerable components to learn their common signs. A large number of sites that use 3rd party applications or components leave these trails on their sites. There is a fair chance that an attacker could locate lots of sites using unpatched vulnerable 3rd party applications.
FINDING USERNAME, PASSWORD, SENSITIVE INFORMATION
Usernames and passwords are used by most authentication mechanisms, so attackers are very keen to hunt for them. Google can also be used to unveil highly sensitive information such as credit card numbers.
Finding Username
Knowing a user's username means the attacker has solved half of the puzzle in breaking in. The attacker could use the username to socially engineer the help desk into revealing the matching password. A generic query for finding usernames could be inurl:admin inurl:userlist. Alternatively, try inurl:root.asp?acs=anon to locate the Microsoft Outlook Web Access Address Book (Chambet, 2004). It contains a publicly accessible address book with staff contacts, as shown in Figure 5.1. The “Alias” column is most likely the staff username used for the organization login. An attacker can submit any common starting letters of names to harvest almost all the entries in the address book. Some sites even show how a username is usually created (e.g. append the first letter of your last name to your first name).
Figure 5.1: Outlook Public Address Book (SPC, n.d.)
Finding Password
Hosts with Microsoft FrontPage Extensions installed can be searched for usernames and passwords using "# -FrontPage-" inurl:service.pwd. Although the password is encrypted using DES encryption, an attacker could run a tool like John the Ripper to recover the password from its encrypted form, as seen in Figure 5.2 (ComSec, 2003). In addition, MySQL database credential information could potentially be stored in connect.inc (Google Hacking, n.d.). Figure 5.3 shows the result of searching intitle:"index of" intext:connect.inc. However, finding passwords with Google does not actually yield many positive results. Most passwords found are no longer valid. Most passwords found are stored in configuration or log files in an unencrypted or weakly encrypted format.
Figure 5.2: FrontPage Extension Usernames and Passwords (Heyerlist, n.d.)
Figure 5.3: MySQL Database Credential (Central College, n.d.)
Other Valuable Information
There is much more valuable information that attackers can obtain through Google search, for instance credit card numbers. Most of these highly valuable numbers are released by attackers who deceive unwitting users into submitting personal information through phishing, rather than being leaked from e-commerce sites (Leyden, 2005). National identification numbers like the Social Security Number (SSN) could also be located using Google. The fact that some educational institutes use the SSN for student identification has threatened students' privacy, exposing them to possible identity theft. The numbers are usually posted alongside the associated names and grades, and exposed on public networks, as shown in Figure 5.4 (edited), found using the query SSN "772-55". Besides, some organizations announce competition winners' names with their national identification number (“IC” in this example) on their websites, as shown in Figure 5.5 (edited), found using the query IC "820508-*-*". Once the attacker knows the format of such numbers, it is trivial to find them. Such numbers can be used to perform identity theft, for instance to apply for a credit card or driving licence.
Figure 5.4: Google Uncovers Social Security Number (Rutgers, 2005)
Figure 5.5: National Identification Number Exposed in Competition Winners List (Maybank, 2005)
Files and databases contain information that attackers can use to accomplish their distinct objectives. Google can be used to locate files and the contents inside these files. This section will focus on ways to locate configuration files, log files, office documents and databases, since they usually contain sensitive information.
Google Cache
Google cache can be very helpful to ordinary users as well as attackers. Each time Google crawls a page, it stores a copy of the page as a cache on Google's own servers. Thus, users can always access the document even though the live page has been removed. Unfortunately, an attacker can take advantage of this feature to grab sensitive information that has been removed from the hosting server. Additionally, an attacker could achieve anonymity by accessing the cached version of a page, as the data are retrieved from Google's server, which acts like a proxy, and not from the actual server. However, this is only true if the stripped or text-only cache is retrieved (Greene, 2001). Other non-text objects like images in cached pages are still retrieved from the actual server.
Configuration Files
Configuration files provide program settings information on how applications or networks are configured to operate, which are very helpful pieces of information to an attacker. Figure 6.1 shows a result found using the query filetype:ini inurl:ws_ftp.ini. It locates WS_FTP application configuration files, which contain FTP server information such as username, password, directory and host name. The poorly encrypted password shown can easily be decrypted using free tools (Ipswitch, 1996). Sometimes Google returns vast numbers of results which require further refinement. Ways to filter the results include (Long, 2004):
- Create unique base words or phrases based on the actual file.
- Filter out words like test, samples, how-to and tutorial to exclude example files.
- Locate and filter out commonly changed values like “yourservername” and “yourpassword” in sample configuration files.
Figure 6.1: WS_FTP Configuration File (Ipswitch, n.d.)
Office Documents
Office documents include word processing documents, spreadsheets, Microsoft PowerPoint, Microsoft Access and Adobe Acrobat files. The contents of some of these files can be crawled and rendered by Google as HTML documents, which enables an attacker to hunt for highly relevant documents through Google search. An attacker could, for instance, query filetype:xls username password email to locate Microsoft Excel files that potentially contain sensitive information, as shown in Figure 6.2 (edited) (Greene, 2000).
Figure 6.2: Microsoft Excel Reveals Username and Password (Digitalbrain, 2003)
Network Report
Nessus is a vulnerability scanner that produces an assessment report after scanning a network for vulnerabilities and misconfiguration. With that in mind, an attacker could query Google with "This file was generated by Nessus" to find such reports and locate vulnerabilities on potential targets that are yet to be fixed (Trivedi, 2005, p. 8). Figure 6.3 shows that such a report contains the assessed host IP, open port numbers, detailed descriptions of potential vulnerabilities and countermeasures. There is a high possibility that the sites mentioned in the report could be exploited, as such a report may have been uploaded by malicious users who perform vulnerability scanning on other machines. If an administrator is conscientious enough to perform vulnerability scanning, the assessment report should not exist on the server.
Figure 6.3: Nessus Assessment Report (Nessus Scan Report, n.d.)
Database SQL scripts
Database dumps usually refer to SQL scripts that contain text-based information about database and table structure, including table names, field names, field types and even the actual records in tables. Administrators use this file to reconstruct the database. Figure 6.4 shows a dump file containing table structures and actual records (i.e. username, password), found using the query filetype:sql "# Dumping data for table" (username|user|users|password) (Long, 2005, p. 309). The query consists of the generic dump file extension, a common header name and promising field names. Such SQL scripts are also very helpful if the site is vulnerable to SQL injection. Since the attacker knows the table structure, the attacker could manipulate the database through SQL injection. At worst, if the site's login credentials are stored in that database, the attacker could insert a username and password into the database to access private sites.
Figure 6.4: Database Dumps Reveal Helpful Information (MySQL Dump, n.d.)
WEB-ENABLED NETWORK DEVICES
Lots of network devices such as routers, firewalls, printers and proxy servers have web interfaces that show the device status and allow administrators to configure their settings remotely. Misconfiguration of network devices has exposed these devices to Google. An attacker could subvert these devices to gain access to the trusted network they protect, or directly exploit the devices' vulnerabilities. For instance, the query intitle:"ADSL Configuration page" will find SolWise ADSL modems crawled by Google, as shown in Figure 7.1 (Chat11, 2004).
Figure 7.1: ADSL Modem Configuration Page (ADSL Configuration Page, n.d.)
Most network printers have a web-based interface that allows users to conveniently view the printer's status or modify its configuration from any web browser. Misconfiguration has exposed such printers on the Internet. Figure 7.2 shows a network printer found using the query "Phaser 6250" "Printer Neighborhood" (Chambet, 2004). The network printer provides a lot of detailed information about the surrounding network, including its IP address, the print job list, printed document filenames, and the names of the computers issuing print jobs. An attacker can compromise the printer even further through its administrative page. Some of these printers allow an attacker to issue a test print page through the Internet! Network printers like the Phaser 740 have a vulnerability that allows an attacker to access a hidden file through the URL to modify the administrative password. If an attacker is aiming to cause annoyance for any users, Google is very effective in finding these network devices for exploitation. Thus, administrators should never allow such devices to be exposed on the Internet.
Figure 7.2: Google Exposes Network Printer (Phaser 6250, 2003)
There are a few simple practices users should follow to protect themselves from such seemingly innocuous attacks using Google. Firstly, users need to know the two ways a page can be found and indexed by Google. In the first, the page is linked from other sites that have been crawled by Google. In the second, the page is manually submitted to the Google database. To avoid personal profiling, users should avoid using their actual name when corresponding in web-based message groups or blogs. Users could perform a search on themselves (e.g. actual name, username) so that they are aware of the information that is published on the Internet and can avoid such information being used against them.
Administrators should perform searches on their own web servers to expose potential threats using Google. All of the above-mentioned techniques can be automated using tools like Gooscan, SiteDigger and Athena. Such tools use a signature database consisting of various Google queries to search sites for information leakage. Administrators can search their own websites for exposure effectively and efficiently using such tools. However, using automated tools like Gooscan and Athena that do not utilize the Google API violates the Google Terms and Conditions, which can result in a temporary service ban (Calashain, 2003, p. 137). Employees in an organization should be advised of what information is published for public access, to avoid possible social engineering that uses such information against them.
Administrators should first make sure all web servers are installed with the latest patches. Since directory listing provides a road map to private files, administrators should disable directory listing, unless users are allowed to browse files in an FTP-style manner. All default usernames, passwords, test pages and documentation should be removed. Administrators should ensure their web pages are fully tested for potential errors and that all errors are caught properly.
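The self-search recommended above can also be run offline against the files in a server's own document root. The following is an added example, not code from the paper or from Gooscan, SiteDigger or Athena: its signatures are the phrases and file names quoted in the paper's queries, and the sample site, function names and the 1 MB read limit are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Content signatures: every pattern in a list must match the page text.
# The phrases are the ones quoted in the paper's search queries.
CONTENT_SIGNATURES = {
    "directory listing": [r"Index of /"],
    "server version tag": [r"(Apache|Microsoft-IIS)/[\d.]+[^\n]{0,60}?server at"],
    "PHP include error exposing paths": [r"Warning: Failed opening", r"include_path"],
    "ASP.NET application state dump": [r"ASP\.NET_SessionId", r"data source="],
    "Apache default test page": [r"Test Page for Apache"],
    "Nessus assessment report": [r"This file was generated by Nessus"],
    "SQL dump with credential fields": [
        r"# Dumping data for table", r"\b(username|user|users|password)\b"],
}
# File names the paper shows being located by name alone.
FILENAME_SIGNATURES = {
    "ws_ftp.ini": "WS_FTP configuration file",
    "service.pwd": "FrontPage Extensions password file",
    "connect.inc": "database connection include file",
}
COMPILED = {name: [re.compile(p, re.IGNORECASE) for p in pats]
            for name, pats in CONTENT_SIGNATURES.items()}
TAG = re.compile(r"<[^>]+>")
MAX_BYTES = 1_000_000  # assumption: the first 1 MB of a file is enough to match


def indexed_text(raw):
    """Approximate what a crawler indexes: decoded text with HTML tags removed."""
    return TAG.sub("", raw.decode("utf-8", errors="replace"))


def audit_webroot(root):
    """Return sorted (relative_path, finding) pairs for files under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        by_name = FILENAME_SIGNATURES.get(path.name.lower())
        if by_name:
            findings.append((rel, by_name))
        with path.open("rb") as fh:
            text = indexed_text(fh.read(MAX_BYTES))
        for name, patterns in COMPILED.items():
            if all(p.search(text) for p in patterns):
                findings.append((rel, name))
    return sorted(findings)


def build_constructed_webroot(directory):
    """Write a small constructed sample site into directory and return its path."""
    samples = {
        "about.html": "<html><body><p>Welcome to our site.</p></body></html>",
        "files/index.html": "<html><head><title>Index of /files</title></head><body>"
                            "<address>Apache/1.3.28 Server at www.example.com Port 80"
                            "</address></body></html>",
        "err.html": "<b>Warning</b>: Failed opening 'menu.inc' for inclusion "
                    "(include_path='.:/usr/lib/php') in /home/site/htdocs/index.php",
        "dump/site.sql": "# Dumping data for table `users`\n"
                         "INSERT INTO users (username, password) VALUES ('demo', 'x');\n",
        "_vti_pvt/service.pwd": "# -FrontPage-\ndemo:CONSTRUCTED-HASH\n",
    }
    root = Path(directory)
    for rel, body in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, finding in audit_webroot(build_constructed_webroot(tmp)):
            print(f"{rel}: {finding}")
```

Matching is done on tag-stripped text because PHP wraps the word Warning in markup, so a raw-source match for the quoted phrase would miss the page that a search engine still indexes.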
Default pages should be customized to remove all possible common words. Robots.txt should be used to specify web directories that should not be indexed by Google. However, an attacker can still directly access the robots.txt of a targeted site to learn the directory structure. Use a password protection mechanism to protect private pages that are intended for specific users, since Google is unable to index password-protected pages. Put the META tag <META NAME="ROBOTS" CONTENT="NOARCHIVE"> in a page's HEAD section to prevent Google from caching the page. Lastly, if a page that is not intended for public viewing is found in Google, after removing the page from the web servers, administrators could resort to Google Remove URL and Google Groups Post (http://services.google.com/urlconsole/controller) to remove the identified URL and its respective cached page from the Google repository.
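The robots.txt caveat and the NOARCHIVE tag described above can be checked together before a site is published. This is an added example, not code from the paper: the hint list, function names, robots.txt and pages are constructed for illustration, and only Python's standard `html.parser` and `urllib.robotparser` modules are used.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

# Hypothetical path fragments that tell any reader of robots.txt where to look.
REVEALING_HINTS = ("admin", "backup", "intranet", "private", "passw", "config")


class RobotsMetaParser(HTMLParser):
    """Collect directives from <META NAME="ROBOTS" CONTENT="..."> tags."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("name", "").lower() in ("robots", "googlebot"):
            for token in attr.get("content", "").split(","):
                if token.strip():
                    self.directives.add(token.strip().lower())


def robots_meta_directives(html):
    """Return the lower-cased robots directives declared in a page."""
    parser = RobotsMetaParser()
    parser.feed(html)
    return parser.directives


def revealing_disallow_entries(robots_txt):
    """Disallow paths whose names describe what they hide; robots.txt is public."""
    entries = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        field, _, value = line.partition(":")
        path = value.strip()
        if field.strip().lower() == "disallow" and any(
                hint in path.lower() for hint in REVEALING_HINTS):
            entries.append(path)
    return entries


def audit_site(robots_txt, pages, agent="Googlebot"):
    """pages maps URL path -> HTML. Report what a crawler may fetch and cache."""
    rules = RobotFileParser()
    rules.parse(robots_txt.splitlines())
    crawlable = sorted(p for p in pages if rules.can_fetch(agent, p))
    cacheable = [p for p in crawlable
                 if "noarchive" not in robots_meta_directives(pages[p])]
    return {"revealing_disallow": revealing_disallow_entries(robots_txt),
            "crawlable": crawlable,
            "cacheable": cacheable}


# Constructed sample input.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /intranet/
Disallow: /backup/db/   # nightly dumps
Disallow: /images/
"""
SAMPLE_PAGES = {
    "/index.html": "<html><head><title>Home</title></head><body>Welcome</body></html>",
    "/news/winners.html": '<html><head><META NAME="ROBOTS" CONTENT="NOARCHIVE">'
                          "</head><body>Winners</body></html>",
    "/intranet/contacts.html": "<html><body>Help desk contacts</body></html>",
}

if __name__ == "__main__":
    for key, value in audit_site(SAMPLE_ROBOTS, SAMPLE_PAGES).items():
        print(key, value)
```

Paths listed under `revealing_disallow` are kept out of the index but advertised to anyone who fetches robots.txt, so they are the ones that need the password protection the paper recommends.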
Google is able to produce some astonishing results, which depend very much on the precision of the constructed query. The possibilities for constructing potentially exploitable queries are boundless; the attacker's creativity in creating queries is the only limitation. Google is very effective in profiling an individual, as lots of users have unwittingly disclosed personal information. They are unaware that search engines like Google can collect and index all this information and serve it to anyone with the correct query. If an attacker has no specific target, Google is highly effective in finding vulnerable targets from the mass of indexed websites to perform random attacks, as opposed to finding potential vulnerabilities on a specific target, for which it is not effective. There are other penetration tools that are much better than Google at finding vulnerabilities on a specific target. The power of Google is a two-edged sword. Attackers have armed themselves with Google to gather pieces of organizational information that seem innocuous in order to facilitate further compromise. Administrators should embrace Google as one of their penetration testing tools to protect their organization from information leakage.
ADSL Configuration Page (n.d.) Retrieved May 3, 2005, from http://router.breukink.co.uk/ BiLE (2003). Bi-directional Link Extraction. Retrieved April 30, 2005, from http://www.sensepost.com/restricted/BilePublic.tgz Broward County (2005). OnCoRe Setting Options. Retrieved May 5, 2005, from http://220.127.116.11/OncoreV2/Settings.aspx Calashain, T. (2003). Google Hacks: 100 Industrial-Strength Tips & Tools. California: O’Reilly. Central College (n.d.) Retrieved May 5, 2005, from http://enrolme.centralcollege.ac.uk/enrolme/connect.inc Chambet, P. (2004). Google Attacks. Retrieved May 3, 2005, from http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-chambet/bh-us-04-chambet-googleup.pdf Chat11 (2004, July 5). Using Google to Find Passwords. Retrieved May 1, 2005, from http://www.chat11.com/How_To_Use_Google_To_Find_Passwords Cole, E. (2003). Hacker Beware. Singapore: Prentice Hall. ComSec (2003, May 25). Google A Dream Come True. Retrieved May 3, 2005, from htp://www.governmentsecurity.org/comsec/googletut1.txt CSD Contacts (n.d.). Retrieved May 5, 2005, from http://www.jmls.edu/intranet/csd/contacts.shtml Curriculum Vitae (n.d.). John Terning – Curriculum Vitae. Retrieved May 3, 2005, from http://t8web.lanl.gov/people/terning/john/cv/cvmain.html Davies, G. (2004). Advanced Information Gathering. Retrieved May 3, 2005, from http://packetstormsecurity.com/hitb04/hitb04-gareth-davies.pdf
Digitalbrain (2003). Retrieved May 3, 2005, from http://frome.digitalbrain.com/frome/ICT/Digitalbrain%20users/All%20DigitalBrain%20Users.xls
DIS (n.d.). DIS Student Plug-In Network Setup – How-To. Retrieved May 3, 2005, from http://www.dis.unimelb.edu.au/helpdesk/connect.pdf
Employment (2005, March 31). Public Mutual - Employment Opportunity. Retrieved May 3, 2005, from http://www.publicmutual.com.my/page.aspx?name=co-Employment
Google (2003). Google Acquires Deja's Usenet Archive. Retrieved April 28, 2005, from http://groups.google.com/googlegroups/deja_announcement.html
Google Local (2005). Retrieved May 5, 2005, from http://local.google.com/
Granneman, S. (2004, March 9). Googling Up Password. Retrieved May 2, 2005, from http://www.securityfocus.com/columnists/224
Greene, T.C. (2000, June 25). Crackers Use Search Engines to Exploit Weak Sites. Retrieved April 30, 2005, from http://www.theregister.co.uk/2000/06/25/crackers_use_search_engines/
Greene, T.C. (2001, November 28). The Google Attack Engine. Retrieved April 30, 2005, from http://www.theregister.co.uk/2001/11/28/the_google_attack_engine/
Heyerlist (n.d.). Retrieved May 7, 2005, from http://www.heyerlist.org/garderobe/_vti_pvt/service.pwd
IIS 5.1 (2001). Internet Information Services 5.1 Release Notes. Retrieved May 6, 2005, from http://www.aspit.net/iishelp/iis/misc/localhost/iishelp/iis/htm/core/readme.htm
Ipswitch (n.d.). Retrieved May 5, 2005, from http://www.ryerson.ca/~mblee/WS_FTP.ini
Ipswitch (1996). WS_FTP Professional – User Guide. Retrieved April 30, 2005, from http://www.oxinet.co.uk/ipswitch/ws_ftp.pdf
Kernelnewbies (n.d.). Index of /documents/kdoc. Retrieved May 5, 2005, from http://kernelnewbies.org/documents/kdoc/
Lanalana (n.d.). Test Page for Apache Installation. Retrieved May 7, 2005, from http://iolanipalace.org/
Leyden, J. (2005, April 4). Hacking Google for Fun and Profit. Retrieved May 1, 2005, from http://www.securityfocus.com/news/10816
Long, J. (2004, March 19). The Google Hacker’s Guide. Retrieved May 1, 2005, from http://johnny.ihackstuff.com/modules.php?op=modload&name=Downloads&file=index&req=getit&lid=34
Long, J. (2005). Google Hacking for Penetration Testers. United States of America: Syngress Publishing.
Maybank (2005). Maybank MaxiHome Year End Promotion Winners List. Retrieved May 5, 2005, from http://www.maybank2u.com.my/maybank_group/products_services/consumer_loan/maxihome_winners2.shtml
Mohanty, D. (2005, March 11). Demystifying Google Hacks. Retrieved May 2, 2005, from http://www.securitydocs.com/link.php?action=detail&id=3098&headerfooter=no
Mowse (2003, February 16). Google Knowledge: Exposing Sensitive Data with Google. Retrieved May 1, 2005, from http://www.digivill.net/~mowse/code/mowse-googleknowledge.pdf
Mvacs (n.d.). It Worked! The Apache Web Server is Installed on this Web Site!. Retrieved May 7, 2005, from http://mvacs.ess.ucla.edu/
Myers (2005). Microsoft Outlook Web Access – Logon. Retrieved May 8, 2005, from http://mail.dnmyers.edu/exchange/logon.asp
MySQL Dump (n.d.). MySQL Dump 8.22. Retrieved May 4, 2005, from http://www.ozeki.hu/attachments/34/etalon.sql
Nessus Scan Report (n.d.). Retrieved May 8, 2005, from http://www.geocities.com/mvea/debian30r2_install.htm
Phaser 6250 (2003). About Printer – Printer 6250. Retrieved May 2, 2005, from http://18.104.22.168/aboutprinter.html
PhaserLink (1999, November 16). Fwd: Printer Vulnerability: Tektronix PhaserLink Webserver gives Administrator Password. Retrieved May 1, 2005, from http://www.securityexpress.com/archives/bugtraq/1999-q4/0001.html
Racerx (2005, April). Google Hacking Techniques. Retrieved May 2, 2005, from http://www.exploitersteam.org/forumnews-id30.html
RightVision (n.d.). Serveur Appliance – Software – Right Vision. Retrieved May 10, 2005, from http://www.rightvision.com/lg-fr-rubrique-distributeurs.html
Rutgers (2005). Names. Retrieved May 10, 2005, from http://teachx.rutgers.edu/~mja/wakka/workfiles/int_excel/students.xls
Secunia (2005, March 3). CubeCart Cross-Site Scripting Vulnerabilities. Retrieved April 28, 2005, from http://secunia.com/advisories/14416/
SensePost (2003, February). The Role of Non-Obvious Relationships in the Foot Printing Process. Retrieved April 28, 2005, from http://www.sensepost.com/restricted/BH_footprint2002_paper.pdf
SPC (n.d.). Find Names. Retrieved May 8, 2005, from http://email.spc.edu/exchange/USA/finduser/root.asp?acs=anon
Trivedi, K. (2005, January). Foundstone SiteDigger 2.0 – Identifying Information Leakage Using Search Engines. Retrieved April 1, 2005, from http://www.foundstone.com/resources/whitepapers/wp_sitedigger.pdf
Lih Wern Wong © 2005. The author/s assign the School of Computer and Information Science (SCIS) & Edith Cowan University a non-exclusive license to use this document for personal use provided that the article is used in full and this copyright statement is reproduced. The authors also grant a non-exclusive license to SCIS & ECU to publish this document in full in the Conference Proceedings. Such documents may be published on the World Wide Web, CD-ROM, in printed form, and on mirror sites on the World Wide Web. Any other usage is prohibited without the express permission of the authors.