Idoc - Ggggpub Google-Hacking

Uploaded by

solicitadasenha
Translation Proxies

It's possible to use Google as a transparent proxy server via the translation service. When you click a "Translate this page" link, you are taken to a translated copy of that page hosted on Google's servers. This serves as a sort of proxy server, fetching the page on your behalf. If the page you want to view requires no translation, you can still use the translation service as a proxy server by modifying the hl variable in the URL to match the native language of the page. Bear in mind that images are not proxied in this manner.

Proxy Server Language Hijinks


As we will see in later chapters, proxy servers can be used to help hide your location and identity while you're surfing the Web. Depending on the geographical location of a proxy server, the language settings of the main Google page may change to match the language of the country where the proxy server is located. If your language settings change inexplicably, be sure to check your proxy server settings. Even experienced proxy users can lose track of when a proxy is enabled and when it's not. As we will see later, language settings can be modified directly via the URL.

Solutions Fast Track


Intitle
- Finds strings in the title of a page
- Mixes well with other operators
- Best used with Web, Group, Images, and News searches

Allintitle
- Finds all terms in the title of a page
- Does not mix well with other operators or search terms
- Best used with Web, Group, Images, and News searches

Inurl
- Finds strings in the URL of a page
- Mixes well with other operators
- Best used with Web and Image searches

Allinurl
- Finds all terms in the URL of a page
- Does not mix well with other operators or search terms
- Best used with Web, Group, and Image searches

Filetype
- Finds specific types of files based on file extension
- Synonymous with ext
- Requires an additional search term
- Mixes well with other operators
- Best used with Web and Group searches

Allintext
- Finds all provided terms in the text of a page
- Pure evil: don't use it
- Forget you ever heard about allintext

Site
- Restricts a search to a particular site or domain
- Mixes well with other operators
- Can be used alone
- Best used with Web, Groups and Image searches

Link
- Searches for links to a site or URL
- Does not mix with other operators or search terms
- Best used with Web searches

Inanchor
- Finds text in the descriptive text of links
- Mixes well with other operators and search terms
- Best used for Web, Image, and News searches

Daterange
- Locates pages indexed within a specific date range
- Requires a search term
- Mixes well with other operators and search terms
- Best used with Web searches
- Might be phased out to make way for as_qdr.

Numrange
- Finds a number in a particular range
- Mixes well with other operators and search terms
- Best used with Web searches
- Synonymous with ext.

Cache
- Displays Google's cached copy of a page
- Does not mix with other operators or search terms
- Best used with Web searches

Info
- Displays summary information about a page
- Does not mix with other operators or search terms
- Best used with Web searches

Related
- Shows sites that are related to provided site or URL
- Does not mix with other operators or search terms
- Best used with Web searches

Phonebook, Rphonebook, Bphonebook
- Shows residential or business phone listings
- Does not mix with other operators or search terms
- Best used as a Web query

Author
- Searches for the author of a Group post
- Mixes well with other operators and search terms
- Best used as a Group search

Group
- Searches Group names, selects individual Groups
- Mixes well with other operators
- Best used as a Group search

Insubject
- Locates a string in the subject of a Group post
- Mixes well with other operators and search terms
- Best used as a Group search

Msgid
- Locates a Group message by message ID
- Does not mix with other operators or search terms
- Best used as a Group search
- Flaky. Use the advanced search form at groups.google.com/advanced_search instead

Stocks
- Shows the Yahoo Finance stock listing for a ticker symbol
- Does not mix with other operators or search terms
- Best provided as a Web query

Define
- Shows various definitions of a provided word or phrase
- Does not mix with other operators or search terms
- Best provided as a Web query

Google Hacker's Tip


It's a good idea to use a proxy server if you value your anonymity online. Penetration testers use proxy servers to emulate what a real attacker would do during an actual break-in attempt. Locating working, high-quality proxy servers can be an arduous task, unless of course we use a little Google hacking to do the grunt work for us! To locate proxy servers using Google, try these queries:
inurl:"nph-proxy.cgi" "Start browsing"
or
"cacheserverreport for" "This analysis was produced by calamaris"
These queries locate online public proxy servers that can be used for testing purposes. Nothing like Googling for proxy servers! Remember, though, that there are lots of places to obtain proxy servers, such as the atomintersoft site or the samair.ru proxy site. Try Googling for those!

Netcat
Netcat has been described as the "Swiss Army Knife" of TCP/Internet Protocol (IP). It is a tool that is used for good and evil, from catching the reverse shell from an exploit (evil) to helping network administrators dissect a protocol (good). In this case we will use it to send a request to Google's Web servers and show the resulting HTML on the screen. You can get Netcat for UNIX as well as Microsoft Windows by Googling "netcat download."

How to Spot a Transparent Proxy


In some cases it is useful to know if you are sitting behind a transparent proxy. There is a quick way of finding out. Telnet to port 80 on a couple of random IP addresses that are outside of your network. If you get a connection every time, you are behind a transparent proxy. (Note: try not to use private IP address ranges when conducting this test.)
Another way is looking up the address of a Web site, then Telnetting to the IP number, issuing a GET / HTTP/1.0 (without the Host: header), and looking at the response. Some proxies use the Host: header to determine where you want to connect, and without it they should give you an error.
$ host www.paterva.com
www.paterva.com has address 64.71.152.104
$ telnet 64.71.152.104 80
Trying 64.71.152.104...
Connected to linode.
Escape character is '^]'.
GET / HTTP/1.0
HTTP/1.0 400 Bad Request
Server: squid/2.6.STABLE12
Not only do we know we are being transparently proxied, but we can also see the type and server of the proxy that's used. Note that the second method does not work with all proxies, especially the bigger proxies in use at many ISPs.
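
The second check above can be scripted. The following is an added example, not code from the original text: it parses the reply to a Host-less request and lists the markers that point to a proxy. The function names, the PROXY_HEADERS list and both sample replies are assumptions constructed here; the first sample mirrors the telnet session shown above.

```python
import socket

# Response headers an intercepting proxy commonly adds (assumed list, extend as needed).
PROXY_HEADERS = ("via", "x-cache", "x-cache-lookup", "x-squid-error")
# Product tokens in the Server header treated as proxy software ("squid" is from the page).
PROXY_PRODUCTS = ("squid",)

# Constructed samples: the first mirrors the telnet session above, the second is a direct hit.
SAMPLE_PROXIED = b"HTTP/1.0 400 Bad Request\r\nServer: squid/2.6.STABLE12\r\n\r\n<html>error</html>"
SAMPLE_DIRECT = b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n<html></html>"


def parse_response(raw):
    """Return (status_code or None, {lowercased header name: value}) for a raw reply."""
    text = raw.decode("iso-8859-1").replace("\r\n", "\n")
    lines = text.split("\n\n", 1)[0].split("\n")
    parts = lines[0].split(None, 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def proxy_evidence(raw):
    """List the reasons a reply to a Host-less request looks proxy-generated."""
    status, headers = parse_response(raw)
    evidence = []
    server = headers.get("server", "")
    if any(p in server.lower() for p in PROXY_PRODUCTS):
        evidence.append("Server header names proxy software: " + server)
    for name in PROXY_HEADERS:
        if name in headers:
            evidence.append(name + " header present: " + headers[name])
    # A 400 alone is weak (origin servers reject bad requests too), so it only
    # counts as corroboration when a proxy marker was already found.
    if status == 400 and evidence:
        evidence.append("400 returned for a request without a Host: header")
    return evidence


def probe(ip, port=80, timeout=5.0, limit=65536):
    """Send the Host-less GET to an address you resolved yourself; return the raw reply."""
    reply = b""
    with socket.create_connection((ip, port), timeout=timeout) as conn:
        conn.sendall(b"GET / HTTP/1.0\r\n\r\n")
        while len(reply) < limit:
            chunk = conn.recv(4096)
            if not chunk:
                break
            reply += chunk
    return reply


if __name__ == "__main__":
    for label, raw in (("proxied", SAMPLE_PROXIED), ("direct", SAMPLE_DIRECT)):
        print(label, proxy_evidence(raw) or "no proxy markers")
```

An empty evidence list does not rule out interception; as noted above, larger ISP proxies often answer without leaving these markers.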

Searching for Usernames


inurl:admin inurl:userlist    Generic userlist files
inurl:admin filetype:asp inurl:userlist    Generic userlist files
inurl:php inurl:hlstats intext: Server Username    Half-life statistics file, lists username and other information
filetype:ctl inurl:haccess.ctl Basic    Microsoft FrontPage equivalent(?) of htaccess shows Web user credentials
filetype:reg reg intext: internet account manager    Microsoft Internet Account Manager can reveal usernames and more
filetype:wab wab    Microsoft Outlook Express Mail address books
filetype:mdb inurl:profiles    Microsoft Access databases containing (user) profiles.
index.of perform.ini    mIRC IRC ini file can list IRC usernames and other information
inurl:root.asp?acs=anon    Outlook Mail Web Access directory can be used to discover usernames
filetype:conf inurl:proftpd.conf sample    PROFTP FTP server configuration file reveals username and server information
filetype:log username putty    PUTTY SSH client logs can reveal usernames and server information
filetype:rdp rdp    Remote Desktop Connection files reveal user credentials
intitle:index.of .bash_history    UNIX bash shell history reveals commands typed at a bash command prompt; usernames are often typed as argument strings
intitle:index.of .sh_history    UNIX shell history reveals commands typed at a shell command prompt; usernames are often typed as argument strings
index of lck    Various lock files list the user currently using a file
filetype:reg reg HKEY_CURRENT_USER username    Windows Registry exports can reveal usernames and other information
+intext:webalizer +intext:Total Usernames +intext: Usage Statistics for    Webalizer Web statistics page lists Web usernames and statistical information

Searching for Passwords


filetype:config config intext: appSettings User ID    .Net Web Application configuration may contain authentication information
filetype:netrc password    .netrc file may contain cleartext passwords
intitle: Index of passwords modified    Password directories
inurl:/db/main.mdb    ASP-Nuke database files often contain passwords
filetype:bak inurl: htaccess|passwd| shadow|htusers    BAK files referring to passwords or usernames
filetype:log See `ipsec copyright    BARF log files reveal ipsec data
inurl: calendarscript/users.txt    CalendarScript passwords
inurl:ccbill filetype:log    CCBill log files may contain authentication data
inurl:cgi-bin inurl:calendar.cfg    CGI Calendar (Perl) configuration file reveals information including passwords for the program.
inurl:chap-secrets -cvs    chap-secrets file may list usernames and passwords
enable password | secret current configuration -intext:the    Cisco secret 5 and password 7 passwords
intext: enable secret 5 $    Cisco enable secrets
intext: enable password 7    Cisco router config files
[WFClient] Password= filetype:ica    Citrix WinFrame-Client may contain login information
inurl:passlist.txt    Cleartext passwords. No decryption required!
filetype:cfm cfapplication name password    ColdFusion source code mentioning passwords
intitle:index.of config.php    Config.php files
inurl:config.php dbuname dbpass    config.php files
inurl:server.cfg rcon password    Counter strike rcon passwords
ext:inc pwd= UID=    Database connection strings
ext:asa | ext:bak intext:uid intext:pwd - uid..pwd database | server | dsn    Database credentials in ASA and BAK files
filetype:ldb admin    Database lock files may contain credential info
filetype:properties inurl:db intext: password    db.properties file contains usernames, decrypted passwords
filetype:inc dbconn    Dbconn.inc files contain the username and password a website uses to connect to a database.
filetype:pass pass intext:userid    dbman password files
allinurl:auth_user_file.txt    DCForum's password file
powered by ducalendar -site:duware.com    ducalendar database may reveal password data
Powered by Duclassified -site:duware.com    Duclassified database may reveal password
powered by duclassmate -site:duware.com    duclassmate database may reveal password data
Powered by Dudirectory -site:duware.com    dudirectory database may reveal password data
powered by dudownload -site:duware.com    dudownload database may reveal password data
Powered by DUpaypal -site:duware.com    Dupaypal database may reveal password data.
intitle:dupics inurl:(add.asp | default.asp | view.asp | voting.asp) -site:duware.com    dupics database may reveal password data
eggdrop filetype:user user    Eggdrop config files
Powered By Elite Forum Version *.*    Elite forums database contains authentication information
intitle: Index of pwd.db    Encrypted pwd.db passwords
ext:ini eudora.ini    Eudora INI file may contain usernames and encrypted passwords
inurl:filezilla.xml -cvs    filezilla.xml contains passwords data
filetype:ini inurl:flashFXP.ini    FlashFXP configuration file may contain FTP passwords
filetype:dat inurl:Sites.dat    FlashFXP FTP passwords
inurl: Sites.dat + PASS=    FlashFXP Sites.dat server configuration file
ext:pwd inurl:(service | authors | administrators | users) # -FrontPage-    Frontpage sensitive authentication-related files
filetype:url +inurl: ftp:// +inurl: @    FTP bookmarks, some of which contain plaintext login names and passwords
intitle:index.of passwd passwd.bak    Generic PASSWD files
inurl:zebra.conf intext:password -sample -test -tutorial -download    GNU Zebra enable passwords (plain text or encrypted)
intext: powered by EZGuestbook    HTMLJunction EZGuestbook database reveals authentication data
intitle: Index of .htpasswd htpasswd.bak    htpasswd password files
intitle: Index of .htpasswd htgroup -intitle: dist -apache -htpasswd.c    htpasswd password files
filetype:htpasswd htpasswd    htpasswd password files
http://*:*@www bob:bob    HTTP web authentication information
liveice configuration file ext:cfg -site:sourceforge.net    Icecast liveice.cfg file which may contain passwords
sets mode: +k    IRC channel keys
signin filetype:url    Javascript user validation mechanisms may contain cleartext usernames and passwords
LeapFTP intitle: index.of./ sites.ini modified    LeapFTP client configuration file may reveal authentication information
inurl:lilo.conf filetype:conf password -tatercounter2000 -bootpwd -man    LILO boot passwords
Powered by Link Department    Link management script contains encrypted admin passwords and session data
your password is filetype:log    log files containing the phrase (Your password is).
admin account info filetype:log    logs containing admin server account information
intitle:index.of master.passwd    master.passwd files
allinurl: admin mdb    Microsoft Access admin databases
filetype:mdb inurl:users.mdb    Microsoft Access user databases
filetype:xls username password email    Microsoft Excel spreadsheets containing the words username, password and email
intitle:index.of administrators.pwd    Microsoft Front Page administrative usernames and passwords.
filetype:pwd service    Microsoft Frontpage service info
inurl:perform.ini filetype:ini    mIRC IRC passwords
inurl:perform filetype:ini    mIRC potential connection data
filetype:cfg mrtg target[*] -sample -cvs -example    Mrtg.cfg SNMP configuration file may reveal public and private community strings
intitle: index of intext:connect.inc    MySQL database connection information
intitle: Index of .mysql_history    mysql history files
intitle: index of intext:globals.inc    MySQL user/password information
Your password is * Remember this for later use    NickServ registration passwords
filetype:conf oekakibbs    Oekakibbs configuration files may reveal passwords
filetype:conf slapd.conf    OpenLDAP slapd.conf file contains configuration data including the root password
inurl: slapd.conf intext: credentials -manpage - Manual Page -man: -sample    OpenLDAP slapd.conf file contains configuration data including the root password
filetype:dat wand.dat    Opera web browser magic wand stored credentials
inurl:pap-secrets -cvs    pap-secrets file may list usernames and passwords
filetype:dat inurl:pass.dat    Pass.dat files may reveal passwords
index.of passlist    Passlist password files
filetype:dat password.dat    Password.dat files can contain plaintext usernames and passwords
filetype:log inurl: password.log    Password.log files can contain cleartext usernames and passwords
filetype:pem intext:private    PEM private key files
intitle:index.of people.lst    people.lst files
intitle:index.of intext: secring.skr | secring.pgp | secring.bak    PGP secret keyrings
inurl:secring ext:skr | ext:pgp | ext:bak    PGP secret keyrings
filetype:inc mysql_connect OR mysql_pconnect    PHP .inc files contain authentication information
filetype:inc intext:mysql_connect    PHP .inc files contain usernames, passwords
ext:php intext: $dbms $dbhost $dbuser $dbpasswd $table_prefix phpbb_installed    php ection information
intitle: phpinfo() + mysql.default_password + Zend Scripting Language Engine    phpinfo files may contain default mysql passwords
inurl:nuke filetype:sql    PHP-Nuke or Postnuke database dumps may contain authentication data
parent directory +proftpdpasswd    ProFTPd User names and password hashes from web server backups
filetype:conf inurl:psybnc.conf USER.PASS=    psyBNC configuration files may contain authentication info
intitle:rapidshare intext:login    Rapidshare login passwords.
inurl: editor/list.asp | inurl: database_editor.asp | inurl: login.asa are set    Results Database Editor usernames/passwords
ext:yml database inurl:config    Ruby on Rails database link file
ext:ini Version=4.0.0.4 password    servU FTP Daemon ini file may contain usernames and passwords
filetype:ini ServUDaemon    servU FTP Daemon INI files may contain setting, session and authentication data
filetype:ini inurl: serv-u.ini    Serv-U INI file may contain username and password data
intitle: Index of sc_serv.conf sc_serv content    Shoutcast sc_serv.conf files often contain cleartext passwords
intitle: Index of spwd.db passwd -pam.conf    spwd.db password files
filetype:sql insert into (pass|passwd|password)    SQL dumps containing cleartext or encrypted passwords
filetype:sql ( passwd values | password values | pass values )    SQL file password references
filetype:sql ( values * MD5 | values * password | values * encrypt )    SQL files may contain encrypted passwords
filetype:sql + IDENTIFIED BY -cvs    SQL files mentioning authentication info
filetype:sql password    SQL files mentioning authentication info
filetype:reg reg HKEY_CURRENT_USER SSHHOSTKEYS    SSH host keys stored in Windows Registry
inurl: GRC.DAT intext: password    Symantec Norton Anti-Virus Corporate Edition data file contains encrypted passwords
filetype:inf sysprep    Sysprep.inf files contain all information for a Windows information including administrative passwords, IP addresses and product IDs
server-dbs intitle:index of    teamspeak server admin files
filetype:ini wcx_ftp    Total commander FTP passwords
intitle:index.of trillian.ini    Trillian INI files contain passwords.
ext:txt inurl:unattend.txt    unattend.txt files contain all information for a Windows information including administrative passwords, IP addresses and product IDs
index.of.etc    Unix /etc directories
intitle: Index of..etc passwd    Unix /etc/passwd files
intitle:Index.of etc shadow    UNIX /etc/shadow password files
ext:passwd -intext:the -sample -example    Various passwords
filetype:bak createobject sa    VBScript database connection backups
inurl:ventrilo_srv.ini adminpassword    ventrilo passwords for many servers
filetype:reg reg +intext: WINVNC3    vnc passwords
!Host=*.* intext:enc_UserPassword=* ext:pcf    VPN profiles often contain authentication data
inurl:vtund.conf intext:pass -cvs    vtund configuration files can contain usernames and passwords
filetype:mdb wwforum    Web Wiz Forums database contains authentication information
intext: powered by Web Wiz Journal    Web Wiz Journal ASP Blog database contains administrative information
AutoCreate=TRUE password=*    Website Access Analyzer passwords
filetype:pwl pwl    Windows Password List files
filetype:reg reg +intext: defaultusername +intext: defaultpassword    Windows registry keys which reveal passwords
filetype:ini ws_ftp pwd    WS_FTP.ini file contains weakly encrypted passwords
index of/ ws_ftp.ini parent directory    WS_FTP.ini file contains weakly encrypted passwords
inurl: wvdial.conf intext: password    wvdial.conf may contain phone numbers, usernames and passwords
inurl:/wwwboard    WWWBoard passwd.txt authentication configuration files
wwwboard WebAdmin inurl: passwd.txt wwwboard|webadmin    WWWBoard password files
login: * password= * filetype:xls    xls files containing login names and passwords
inurl:/yabb/Members/Admin.dat    YaBB forums Administrator password

Searching for Usernames


- Usernames can be found in a variety of locations.
- In some cases, digging through documents or e-mail directories might be required.
- A simple query such as "your username is" can be very effective in locating usernames.

Searching for Passwords
- Passwords can also be found in a variety of locations.
- A query such as Your password forgot can locate pages that provide a forgotten password recovery mechanism.
- intext:(password | passcode | pass) intext:(username | userid | user) is another generic search for locating password information.

Searching for Credit Card Numbers, Social Security Numbers, and More
- Documents containing credit card and Social Security number information do exist and are relatively prolific.
- Some irresponsible news outlets have revealed functional queries that locate this information.
- There are relatively few examples of personal financial data online, but there is a great deal of variety.
- In most cases, specific file extensions can be searched for.

Searching for Other Juicy Info
- From address books and chat log files to network vulnerability reports, there's no shortage of sensitive data online.
