Google is your best friend when it comes to hacking. The search engine giant has crawled loads of data which was intended to be protected by webmasters, but is being exploited and mined by smart users using Google dorks. Today I will be discussing some practical dorks which will help you gain passwords, databases and vulnerable directories. The basic methodology remains the same, query Google using specialized dorks with precise parameters and you are good to go. I assume you have basic working knowledge of google dorks.
FTP passwords
intitle:index.of ws_ftp.iniYou can also this dork which uses "parent directory" to avoid results other than directory listings
filetype:ini ws_ftp pwdeven if the site or file has been taken offlline, you can still search the contents in the Google cache using the following dork
Or
"index of/" "ws_ftp.ini" "parent directory"
"cache:www.abc.com/ws_ftp.ini"
where
http://www.abc.com/ is the site you want to check the dork for.
The ws_ftp password uses quite weak encryption algorithm, hence once you get the password, you can break it using the decryptor provided here or from here.
PHP Hacking
intitle:index.of config.phpto view php file contents
intitle:"Index of" phpinfo.phpyou can also try the directory traversal attack in php using the following dork
inurl:download.php?=filenameif you are lucky, substitute the filename with ‘index.php’, download it, read it and get the password (hint:if you are not able to find it, try looking for globals.php).
Since most websites today deny this trick, but you may get lucky with some :)
SQL Dumps
ext:sql intext:@gmail.com intext:e10adc3949ba59abbe56e057f20f883e
ext:sql intext:"INSERT INTO" intext:@somemail.com intext:passwordRemember kids
- Use different email providers, substitute gmail/yahoomail instead of somemail ,or try custom domain mail providers.
- Use different file extensions.
- Use different type of hashes, some older ones might be using md4 and some others might be using other prominent encryption algorithms.
- just mix everything up and try different combinations :)
Its not over..Yet
A very flexible query can be used to hunt for WS_FTP.log which in turn can disclose valuable information about the server.
+htpasswd +WS_FTP.LOG filetype:logYou can substitute "+htpasswd" for "+FILENAME" & you may get several results not mentioned before using the normal search. You can further explore filenames by using keywords like
phpinfo, admin, MySQL, password, htdocs, root, Cisco, Oracle, IIS, resume, inc, sql, users, mdb, frontpage, CMS, backend, https, editor, intranetThe list goes on and on.. Also you cam try this dork to data mine information about the uploader
"allinurl: "some.host.com" WS_FTP.LOG filetype:log"which tells you more about who's uploading files to a specific site, quite handy for some passive reconnaissance.
Also..if you are one hell of a lazy b**tard ,you can do it using some software like Google Hacks..but remember, manual way is the way to go. I may have included some software specific password mining, but that would cripple your imagination. My recco ? go postal by using your imagination and developing your own dorks and queries.
I guess that was enough for this time, will be coming with more tuts with time.
0 comments:
Post a Comment