Search Engines

Shodan/Censys/Google Dorks

Google. Yes, Google. 

Ethical hackers should learn how to use Google Dorks (also known as Google Hacking or Google Dorking). These are queries that use advanced Google operators and search parameters to refine search results and locate sensitive or hidden information that is not easily accessible through normal search queries.

Below you can find a Google Dork cheat sheet to use for reference. Make sure to look over this document and also watch the provided videos below. 

Searching for Log files

Log files can contain sensitive information, and they can be found on websites. Files such as error logs and access logs are sometimes located in the public area of a website. Attackers can use this information to determine the version of PHP you are using and the important system paths of your content management system (CMS) or framework.

FTP Servers

We can look for open FTP servers that are exposed to the Internet. These can provide information that we can download and view to gain more information. 

ENV Files

.env files are the ones used by popular web development frameworks to declare general variables and configurations for local and online dev environments.

This shows how to search for a specific filetype. Keep this in mind and you can search for any filetype you wish!

SQL Dumps

The entire contents of a database that we can download and view? Recall, a database will contain user information. 

phpMyAdmin

Look for phpMyAdmin database management sites. These should not be exposed to the Internet and could provide a means of gaining access to the entire database.
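From the defender's side, the same categories listed above (log files, .env files, SQL dumps, phpMyAdmin) can be checked for in your own document root before a search engine indexes them. The script below is an added example, not part of the original course material; the filename patterns, the directory names in ADMIN_DIRS and the sample tree are assumptions constructed for the demo.

```python
import os
import tempfile

# Categories mirror the sections above; the filename patterns are assumptions
# chosen for this example, not a complete list.
FILE_RULES = {
    "log file": lambda n: n.endswith(".log"),
    "env file": lambda n: n == ".env" or n.startswith(".env."),
    "sql dump": lambda n: n.endswith((".sql", ".sql.gz")),
}
ADMIN_DIRS = {"phpmyadmin", "pma"}  # assumed common install directory names


def audit_webroot(root):
    """Return sorted (category, relative path) findings under a document root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for d in list(dirnames):
            if d.lower() in ADMIN_DIRS:
                findings.append(("phpMyAdmin", _rel(rel_dir, d)))
                dirnames.remove(d)  # flagged as a whole; do not descend
        for f in filenames:
            for category, matches in FILE_RULES.items():
                if matches(f.lower()):
                    findings.append((category, _rel(rel_dir, f)))
    return sorted(findings)


def _rel(rel_dir, name):
    """Join with forward slashes so output is the same on every platform."""
    return name if rel_dir == "." else rel_dir.replace(os.sep, "/") + "/" + name


def build_sample_webroot(base):
    """Create a constructed document root for the demo (not real data)."""
    for rel in (".env", "index.php", "logs/error.log", "backup/site.sql",
                "phpMyAdmin/index.php", "css/site.css"):
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp)
        for category, path in audit_webroot(tmp):
            print(f"{category:12} {path}")
```

Point audit_webroot at the directory your web server actually serves; anything it reports should be moved outside the public area or blocked in the server configuration.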

Restricted Documents

You never know what might be exposed that should not be. We can look for documents that are restricted for a specific TLD.

Security Search Engines

A security search engine provides a quick means to search for exposed systems that belong to a company or organization. It also allows us to learn about their network without actively having to engage with their systems.

Two popular ones are: Shodan and Censys.

Shodan Demo

Brief demo showing how you can find systems on Hawaii.edu.

When I clicked and visited the site, I went from passive to active, as I engaged with the Hawaii.edu site. Keep that in mind.


https://www.shodan.io/

Censys Demo

Brief demo showing how you can find systems and learn about them using Hawaii.edu.


https://search.censys.io/

Source Code Repositories

Don't forget to check whether the company is posting source code on any source code repos like GitHub! GitHub is the most popular, but keep in mind that infrastructure-as-code tools like CloudFormation, Ansible, Puppet, Chef and SaltStack could also generate interesting code for you to review. And you never know what a repo might include.