[ISN] Book Review: Google Hacking for Penetration Testers

InfoSec News isn at c4i.org
Tue Apr 12 07:07:03 EDT 2005 

http://books.slashdot.org/books/05/04/11/1750217.shtml

[ http://www.amazon.com/exec/obidos/ASIN/1931836361/c4iorg  - WK]

Author: Johnny Long 
Pages: 448 
Publisher: Syngress 
Rating: 8 
Reviewer: Corey Nachreiner 
ISBN: 1931836361 
Summary Google's dark and dork sides exposed; despite the title, 
useful for everyone who'd like to get the most out of Google. 

According to its cover, Johnny Long's book focuses primarily on
revealing the "Dark Side" of Google -- a promise it delivers in
spades. But I can also heartily recommend Google Hacking to newbies
who simply want to learn how to harness Google's full potential.

The first few chapters of the book walk you through Google's
interfaces and features, then introduce you to Google's advanced
operators and techniques you can use to refine your Google searches.  
Instead of submitting basic searches that leave you arduously parsing
hundreds of results for your desired answer, you quickly learn to
submit powerful queries that almost instantly yield the results you
intend. Even as an experienced Google user, I learned a lot from
Google Hacking's early chapters. For Google neophytes, this alone
makes the book worth its price.

However, we all know Slashdotters really want this book in order to
learn how hackers misuse Google. Well, you won't be disappointed. As
soon as Long has taught you to submit advanced queries, he wastes no
time in showing you the techniques l33t Google hax0rs use to exploit
the search engine's power. For example, did you know you can use
Google as a free proxy server? By submitting a specially-crafted,
English-to-English translation query, you can capitalize on Google's
translation service to anonymously submit all your Web requests. This
simple hack just scratches the surface of Google's malicious
potential.

Most Web surfers don't realize the sheer amount of extremely sensitive
information available for the harvesting on the Internet. In that
sense, Google Hacking is eye-popping. Do you want to find
misconfigured Web servers that publicly list their directory contents?  
A quick Google search does the trick. Or, suppose you found some new
exploit code that only works against a particular version of IIS 5.0.  
Submit a quick Google query for a helpful list of possible targets. Do
you want to harvest user logins, passwords (for example, mySQL
passwords in a connect.inc file), credit card numbers, social security
numbers or any other potentially damaging tidbit that Web users and
administrators accidentally leak onto the Internet? Google Hacking
shows you how, with highly refined searches gleaned from the community
contributing to the Google Hacking database (GHDB) found on Long's Web
site.

While Long's book discloses these and many other potentially malicious
Google searching techniques, it does so responsibly, with the goal of
prevention in mind. Only the less damaging search strings are fully
revealed. Long saves the juicier (read: more dangerous) hacks for your
own discovery. Long even obfuscates the sensitive results of the more
damaging search strings in order to protect the innocent incompetents
he refers to as "googledorks." After showing you how hackers subvert
Google to their malicious intent, Long dedicates a chapter to how Web
administrators can configure their Web servers securely in order to
prevent sensitive data from making it into a Google Hacker's clutches.

Though I've gushed about the book so far, I will quibble with its
inconsistent tone. Some of its chapters target readers having
different levels of technical understanding. While the book starts out
in a voice easy enough for even the most novice user to understand,
some of the later chapters, on topics such as document grinding,
database digging, and query automation, jump drastically and use
language and techniques that only programmers or Unix power-users
would understand. In addition, the humor that made Johnny's live
presentation so memorable shows up in his book, but in scant supply;  
frankly, more jokes would be welcome.

But these negatives are mere nits. Whether you're a penetration tester
wanting to exploit Google, a Web administrator wanting to protect
yourself from information leaks, or even a newbie wanting to harness
Google's full potential, Google Hacking for Penetration Testers makes
an excellent resource. If you, too, use Google as a second brain, pick
up Johnny Long's book and learn how to exploit this powerful search
engine to its full capacity.

-=-

Corey Nachreiner [1], Network Security Analyst for WatchGuard's 
LiveSecurity Service, writes about network security on the free RSS 
news feed, WatchGuard Wire 

[1] http://www.watchguard.com/archive/bios.asp

More information about the ISN mailing list