Named Untangling the Web: A Guide to Internet Research, this 643-page guide is full of useful advice regarding how to use the Internet Archive, search engines, public websites etc. The most interesting part of this book is titled “Google Hacking”.
What is Google Hacking? How does it work?
The NSA’s guide describes Google ( or any search engine) Hacking as follows:
It’s basically a clever and legal method of finding information that’s not available on the public internet.
If you want to understand how Google Hacking works, you need to read how search engines work. Thanks to its spiders, a search engine like Google can access and index all the parts of a website if a “door” is open. With the help of afile, webmasters have the power to restrict the search engine spiders.
Very often a webmaster fails to configure thefile properly. This situation worsened a couple of years ago when Google started indexing file types like PDF, Word, Excel, Access, Excel etc.
Many of the organizations still don’t prevent their sensitive data and files. Thus, tons of useful information is bound to appear in Google’s database.
The information accessed using Google Hacking:
What if I tell you that you can get your hands on a plenty of shocking information using Google hacking? This data usually falls under these categories:
- Personal and financial info
- User ID, computer account logins, passwords
- Private, or proprietary company data
- Sensitive government information
- Flaws in websites and servers
Common Google Hacking techniques:
These techniques are an excellent and unconventional method to discover sensitive information. Let’s tell you about some of the most common ones.
Search using file types, keyword, and site type:
Many websites and organizations store their financial, personnel, etc., data in Microsoft Excel format. So, here’s how you need to look for some sensitive information of a South African company. Don’t forget to include keywords like Confidential, Budget etc.
Use stock words and phrases:
Along with file types like Excel, Word, or PowerPoint, you are also advised to use stock words and phrases like do not distribute, confidential, proprietary, not for distribution, etc.
Look for files containing login information:
You need to search for files containing login, password, and userid information. It’s interesting to note that even foreign websites usually use these terms in English. So a search for a spreadsheet file might look like:
Misconfigured web servers:
Very often Google contains directories that are not intended to be on the web. In Google Hacking, these servers provide a rich set of information. To exploit this error, one should use this format:
NSA describes Numrange search as one of the “scariest searches available through Google. It uses 2 number separated by 2 dots and no spaces. A user can use it with search keywords and other search options. For example:
For more detailed information on these searches, you read the Google Hacking chapter in NSA’s eBook.
Google Hack to search inside websites requiring registration:
Very often some websites ask you to register to view its contents. For that, you can use Google hacking to view contents without registration. You can try these queries or something similar:
Search in the native language:
With more and more people on the internet, people are becoming lesser dependent on English. Now millions of websites don’t use languages written in the Latin alphabet. So, a search made in native language has the more probability of returning the expected result.
The NSA eBook explains more techniques that could be applied to any search engine. You can find the eBook here and learn some new Google Hacking tricks.