Footprinting and Information Gathering


Footprinting and Information Gathering Using Search Engines

General Search Engines

Google Dorking leverages advanced search operators to uncover information that is not immediately visible through standard searches.

Technical Commands:

- site:example.com - Lists all indexed pages from the site example.com.

- intitle:"index of" - Searches for directory listings.

- filetype:pdf "financial report" - Finds PDF files containing the words "financial report".

- inurl:admin - Finds URLs containing "admin", which may indicate admin login pages.

Example Command:

site:example.com filetype:xls inurl:"password"

This command searches for Excel files on example.com that contain the word "password" in their URL, potentially revealing sensitive information.
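
The operators above can be turned around and run against a list of your own indexed pages to see what each query would surface. This is an added example, not part of the original document; the inventory, the QUERIES list and the function names are constructed for illustration, and matching is done on URL and title only.

```python
import re
from urllib.parse import urlparse

# Constructed inventory of our own indexed pages (e.g. a search-console export).
INDEXED = [
    {"url": "https://example.com/files/", "title": "Index of /files"},
    {"url": "https://example.com/files/password-list.xls", "title": ""},
    {"url": "https://example.com/docs/q3.pdf", "title": "Q3 financial report"},
    {"url": "https://example.com/admin/login.php", "title": "Sign in"},
    {"url": "https://blog.example.org/admin-tips", "title": "Admin tips"},
]
QUERIES = [  # operator combinations from this section, scoped to our domain
    'site:example.com intitle:"index of"',
    'site:example.com filetype:pdf "financial report"',
    'site:example.com inurl:admin',
    'site:example.com filetype:xls inurl:"password"',
]

def parse_query(query):
    """Split a query into (operator, value) terms; bare terms get operator 'text'."""
    terms = []
    for m in re.finditer(r'(?:(\w+):)?(?:"([^"]*)"|(\S+))', query):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        terms.append(((m.group(1) or "text").lower(), value.lower()))
    return terms

def matches(page, terms):
    """True if the page satisfies every term (operators are ANDed)."""
    full = page["url"].lower()
    parsed = urlparse(full)
    host, path, title = parsed.hostname or "", parsed.path, page["title"].lower()
    checks = {
        "site": lambda v: host == v or host.endswith("." + v),
        "filetype": lambda v: path.endswith("." + v),
        "inurl": lambda v: v in full,
        "intitle": lambda v: v in title,
        "text": lambda v: v in title or v in full,  # inventory has no page body
    }
    return all(op in checks and checks[op](v) for op, v in terms)

def exposed(query, inventory=INDEXED):
    """URLs from our inventory that the query would surface."""
    return [p["url"] for p in inventory if matches(p, parse_query(query))]

def audit(queries=QUERIES):
    return {q: exposed(q) for q in queries}

if __name__ == "__main__":
    print(*audit().items(), sep="\n")
```

Any query that returns a non-empty list points at a page to remove, protect or de-index.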

Case Study:

In 2014, during the Sony Pictures hack, attackers used Google Dorking to find internal documents that were accidentally indexed by Google. They searched for terms like site:sony.com filetype:doc confidential to locate sensitive documents.


FTP Search Engines

FTP search engines help locate files stored on public FTP servers, often finding backup files, configuration files, and other sensitive information.

Popular FTP Search Engines:

- NSEEK

- FileWatcher

Technical Commands:

To search for publicly accessible FTP servers, you can use:

- intitle:"index of" "ftp" - Finds FTP directories.

- filetype:log site:ftp.example.com - Searches for log files on a specific FTP server.

Example Command:

intitle:"index of" "ftp" site:example.com

This command searches for FTP directories on the example.com domain.

Case Study:

Attackers used FTP search engines to find open FTP servers and downloaded backup files that contained sensitive information. For instance, an open FTP server may have been found using intitle:"index of" "backup".


IoT Search Engines

IoT search engines like Shodan and Censys are specialized for finding internet-connected devices.

Popular IoT Search Engines:

- Shodan

- Censys

Technical Commands and Filters:

Shodan:

- port:23 - Finds devices using Telnet.

- country:US - Filters results to devices in the United States.

- product:"WebcamXP" - Searches for webcams using the WebcamXP software.

Example Command:

shodan search "default password" port:23

This command searches Telnet (port 23) banners for the phrase "default password", which often indicates poorly secured devices.

Censys:

- service:HTTP - Finds devices with HTTP services.

- location.country: "United States" - Filters results to devices in the United States.

- protocols: "23/telnet" - Searches for devices with Telnet protocol enabled.

Example Command:

service:HTTP protocols: "23/telnet"

This command finds devices running HTTP services with Telnet protocol enabled.

Case Study:

In the 2016 Mirai botnet attack, attackers used Shodan to find vulnerable IoT devices with default credentials. They used commands like shodan search "default password" port:23 to locate and compromise these devices, eventually using them to launch a massive DDoS attack.
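
The same filters can be applied to scan records for your own address space so that exposed Telnet services are found and closed first. This is an added example, not part of the original document; the records are constructed, the field names (ip_str, port, data, product) are assumed to follow a Shodan-style JSON export, and the network range and rule names are placeholders.

```python
import ipaddress
import json

# Constructed banner records, one JSON object per line. Addresses come from
# the RFC 5737 documentation ranges and are not real hosts. Field names are
# an assumption about the export format.
EXPORT = """\
{"ip_str": "203.0.113.10", "port": 23, "data": "login: Default password is set", "product": "BusyBox telnetd"}
{"ip_str": "203.0.113.11", "port": 443, "data": "HTTP/1.1 200 OK", "product": "nginx"}
{"ip_str": "203.0.113.12", "port": 23, "data": "User Access Verification", "product": null}
{"ip_str": "198.51.100.7", "port": 23, "data": "default password", "product": null}
{"ip_str": "203.0.113.20", "port": 8080, "data": "HTTP/1.1 200 OK Server: webcamXP 5", "product": "webcamXP"}
"""
OUR_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed: our public range

# Rules mirror the filters in this section: port:23, "default password", product:"WebcamXP".
RULES = [
    ("telnet-exposed", lambda r: r["port"] == 23),
    ("default-password-banner", lambda r: "default password" in r["data"].lower()),
    ("webcam-software", lambda r: (r.get("product") or "").lower() == "webcamxp"),
]

def triage(export=EXPORT, nets=OUR_NETS):
    """Return {ip: [rule names]} for records inside our ranges that match a rule."""
    findings = {}
    for line in export.splitlines():
        rec = json.loads(line)
        ip = ipaddress.ip_address(rec["ip_str"])
        if not any(ip in net for net in nets):
            continue  # not our address space: out of scope for this audit
        hits = [name for name, rule in RULES if rule(rec)]
        if hits:
            findings.setdefault(rec["ip_str"], []).extend(hits)
    return findings

def priority(findings):
    """Order hosts so that those matching the most rules come first."""
    return sorted(findings, key=lambda ip: (-len(findings[ip]), ip))

if __name__ == "__main__":
    result = triage()
    print(*[(ip, result[ip]) for ip in priority(result)], sep="\n")
```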

Social Media and Public Databases

Social media and public databases can provide detailed information about individuals and organizations, which can be used for spear-phishing and other targeted attacks.

Technical Commands and Techniques:

LinkedIn:

- Use LinkedIn to gather information on employees and their roles.

- Combine with tools like Maltego to visualize connections and hierarchies.

Twitter and Facebook:

- Monitor hashtags and mentions for information leaks.

- Use advanced search operators to find specific posts. For example, use from:exampleuser since:2021-01-01 until:2021-12-31 on Twitter to find posts from a specific user within a date range.

Public Databases:

- Pastebin: Search for leaked credentials and other sensitive information.

- Use Google Dorking: site:pastebin.com "example.com" to find pastes related to a specific domain.

Example Command:

site:linkedin.com "Software Engineer" "example.com"

This command searches LinkedIn for profiles with the title "Software Engineer" at example.com, which can help in gathering information on key personnel.

Case Study:

In the 2013 Target data breach, attackers used LinkedIn to gather information about Target employees. They identified key personnel and sent spear-phishing emails to gain access to the network.

Additional Case Studies

1. Equifax Data Breach (2017):

Attackers used a vulnerability in a web application to gain access to sensitive data. They likely used Google Dorking to identify the vulnerable application by searching for specific error messages or application versions.

2. Marriott International Data Breach (2018):

Attackers used stolen credentials to access the database. They may have gathered information about Marriott's IT infrastructure using LinkedIn and other public resources.

3. Capital One Data Breach (2019):

An insider exploited a misconfigured web application firewall. Information about the misconfiguration may have been gathered using Shodan or Censys.

4. Adobe Data Breach (2013):

Attackers used advanced search techniques to find vulnerabilities in Adobe's web applications, likely leveraging Google Dorking and other search tools to locate specific pages and scripts.
