cDc creates tool that automates Google hacking

February 22, 2008

The hacking group Cult of the Dead Cow (cDc) has released a tool that turns Google into an automated vulnerability scanner, scouring Web sites for sensitive information such as passwords or server vulnerabilities.1

The tool is a stand-alone Windows .Net application, licensed under the open source GNU General Public License, that provides about 1,500 customized searches under categories such as "vulnerable servers," "sensitive online shopping information," and "files containing juicy information." The results are displayed as a list of links that can be opened directly in a browser.1 cDc states that their reason for releasing this tool is "to enable everyone - whether they're private users, enterprise, or government - to audit their own Web sites and see if their pants are hanging down. And if they are, then they can correct these problems."2

This kind of "Google hacking" is already well known. Johnny Long, a hacker (in the truest sense of the term) has already amassed quite a collection of these "Google Hacks" on his web site.2 Johnny has spoken about Google hacking at several computer security conferences in the past including SANS, Defcon, and the Black Hat Briefings, and even wrote a book about the technique called "Google Hacking for Penetration Testers" (which, somewhat ironically, you can examine online through Google Book Search).3 The concept behind it is quite simple: By searching for particular keywords (often very specific filenames, messages, error codes, version information, etc.) with advanced search operators, one can uncover sensitive information that has been automatically "crawled" by Google. Things such as usernames, passwords, corporate Intranets, login portals, e-mail archives, firewall logs, and even hardware devices such as printers, security cameras, and networking equipment that can be controlled remotely through web interfaces can all be found easily thanks to Google.4 Those that inadvertently have allowed this information to be viewed online by anybody are referred to as "googledorks".

What cDc has done is create an automated tool that allows an unskilled user to utilize these same techniques.2 Goolag Scanner doesn't do anything a hacker or penetration tester couldn't do by typing text into Google, but it makes searching for holes much easier.5 When cDc created a furore ten years ago by publishing the popular back-door program Back Orifice, it was also not a total innovation: back door programs giving hackers remote control of computers via a network had existed for some time. The publication of Back Orifice was nevertheless a milestone: it demonstrated how easy it can be to take complete remote control of a PC running Windows.2

Other existing tools that use "Google Hacks" to search the web for information leaks include Gooscan, Athena, Wikto and SiteDigger. Note that the use of these type of tools may not be permitted in certain countries and Google's Terms of Service forbids access of its services through automated means.

Although a downloadable version of Goolag is presently available only for Windows, it is being ported to other platforms.5 But be warned, by performing large-scale automated searches, even without acting on any of the results, you run the risk of getting your IP address blocked by Google.6

Those wishing to control Google's ability to discover and index their web pages can do so by following the instructions posted here.

1. "Hackers turn Google into vulnerability scanner", InfoWorld, February 22, 2008

2. "Cult of the Dead Cow turns Google into a vulnerability scanner", Heise, February 20, 2008

3. "Google Hacking for Penetration Testers", Johnny Long, Syngress, 2005

4. "Google Hacking Database",, February 22, 2008

5. "Google-Powered Hacking Makes Search A Threat", InformationWeek, February 22, 2008

6. "Hackers turn Google into vulnerability scanner", TechSpot, February 22, 2008