Google dorks

FTP passwords
ws_ftp.ini is a configuration file for a popular win32 FTP client that stores usernames, (weakly) encoded passwords, sites and directories that the user can store for later reference.
intitle:index.of ws_ftp.ini
You can also use this dork, which uses "parent directory" to avoid results other than directory listings:
filetype:ini ws_ftp pwd
Or
"index of/" "ws_ftp.ini" "parent directory"
Even if the site or file has been taken offline, you can still search the contents in the Google cache using the following dork:
"cache:www.abc.com/ws_ftp.ini"
where www.abc.com is the site you want to check the dork for.
The ws_ftp password uses quite a weak encryption algorithm, hence once you get the password, you can break it using the decryptor provided here or from here.
PHP Hacking
Sites made in PHP have a file known as "config.php" which stores configuration and the username and password for the SQL database the site is hosting. This password is required only once per transaction (i.e. whenever the admin logs in or a transaction is committed at administrator level) and hence will be specified by the 'require_once' parameter in the config file or in the index file.
intitle:index.of config.php
To view PHP file contents:
intitle:"Index of" phpinfo.php
You can also try the directory traversal attack in PHP using the following dork:
inurl:download.php?=filename
If you are lucky, substitute the filename with 'index.php', download it, read it and get the password (hint: if you are not able to find it, try looking for globals.php).
Most websites today deny this trick, but you may get lucky with some :) You might also want to have a look at Hacking PHP 4.4 websites in 20 seconds
SQL Dumps
We will be hunting for SQL password dumps saved in databases. Here ext:sql specifies the type of password dump, e10adc3949ba59abbe56e057f20f883e is the MD5 hash for 123456, one of the most common passwords people keep, and the intext dork allows searching inside the dump.
ext:sql intext:@gmail.com intext:e10adc3949ba59abbe56e057f20f883e
ext:sql intext:"INSERT INTO" intext:@somemail.com intext:password
Remember kids
1. Use different email providers: substitute gmail/yahoomail instead of somemail, or try custom domain mail providers.
2. Use different file extensions.
3. Use different types of hashes; some older ones might be using MD4 and some others might be using other prominent encryption algorithms.
4. Just mix everything up and try different combinations :)
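The reason this dork works is that an unsalted MD5 of a common password is a fixed, recognisable string, so anyone who finds the export can read off the weak accounts without cracking anything. The following is an added defender-side audit, not code from the original post: it scans a database export for rows that pair an e-mail address with a 32-hex MD5 value and reports which of those hashes correspond to a (tiny, constructed) list of very common passwords. The sample dump and the password list are constructed for the example; a real audit of an export before it is backed up anywhere web-reachable would use a much larger list.

```python
import hashlib
import re

# Constructed sample export (not a real dump). Row 1 uses the MD5 of "123456"
# quoted in the post, row 2 the MD5 of "password", row 3 a bcrypt-style value
# and row 4 a 32-hex value that matches no common password.
SAMPLE_DUMP = """\
-- constructed example export, not a real database
INSERT INTO users (id, email, password) VALUES (1, 'alice@example.com', 'e10adc3949ba59abbe56e057f20f883e');
INSERT INTO users (id, email, password) VALUES (2, 'bob@example.com', '5f4dcc3b5aa765d61d8327deb882cf99');
INSERT INTO users (id, email, password) VALUES (3, 'carol@example.com', '$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy');
INSERT INTO users (id, email, password) VALUES (4, 'dave@example.com', '0123456789abcdef0123456789abcdef');
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")

# Constructed, deliberately tiny list of very common passwords. Because the
# hashes are unsalted, one dictionary lookup identifies every account that
# uses one of them.
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty", "abc123"]
COMMON_MD5 = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def audit_dump(text):
    """Return one finding per (e-mail, unsalted MD5) pair found in the export."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        emails = EMAIL_RE.findall(line)
        hashes = MD5_RE.findall(line)
        if not emails or not hashes:
            continue  # rows without both fields are not the exposure we care about
        for h in hashes:
            findings.append({
                "line": lineno,
                "email": emails[0],
                "hash": h,
                # None means "unsalted MD5, but not one of the listed passwords"
                "common_password": COMMON_MD5.get(h),
            })
    return findings


def summarize(findings):
    """Counts a reviewer would report: rows with unsalted MD5, and how many
    of those are trivially identifiable from the common-password list."""
    return {
        "unsalted_md5_rows": len(findings),
        "trivially_guessable": sum(1 for f in findings if f["common_password"]),
    }


if __name__ == "__main__":
    results = audit_dump(SAMPLE_DUMP)
    for f in results:
        status = f["common_password"] or "unrecognised (still unsalted MD5)"
        print(f"line {f['line']}: {f['email']} -> {status}")
    print(summarize(results))
```

The bcrypt-style row is skipped entirely because it is not a 32-hex string, which is the point: the fix for this class of exposure is to salt and use a slow hash (and to keep exports out of the web root), not merely to pick a less well-known password.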
It's not over..Yet
A very flexible query can be used to hunt for WS_FTP.log, which in turn can disclose valuable information about the server.
+htpasswd +WS_FTP.LOG filetype:log
You can substitute "+htpasswd" for "+FILENAME" and you may get several results not mentioned before using the normal search. You can further explore filenames by using keywords like phpinfo, admin, MySQL, password, htdocs, root, Cisco, Oracle, IIS, resume, inc, sql, users, mdb, frontpage, CMS, backend, https, editor, intranet. The list goes on and on..
You can also try this dork to data mine information about the uploader:
"allinurl: "some.host.com" WS_FTP.LOG filetype:log"
which tells you more about who's uploading files to a specific site, quite handy for some passive reconnaissance.
Also, if you are one hell of a lazy b**tard, you can do it using some software like Google Hacks.. but remember, the manual way is the way to go. I may have included some software-specific password mining, but that would cripple your imagination. My recco? Go postal by using your imagination and developing your own dorks and queries.
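From the site owner's side, every dork on this page ends the same way: a direct request for ws_ftp.ini, WS_FTP.LOG, config.php, phpinfo.php, an .htpasswd file, a .sql dump, or a download.php call carrying another file's name, often with a search-engine referrer because the visitor came straight from the result page. The following is an added example, not code from the original post: it parses combined-format access log lines (constructed sample lines, not real traffic) and flags requests for those artefacts, recording whether the server actually served them and whether a search engine referred the visitor. The file-name list, the search-engine referrer pattern and the log lines are all assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" log format: client, timestamp, request line, status,
# size, referer, user agent. Field names are this example's own.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Artefacts named in the post that should never be reachable over HTTP.
SENSITIVE = [
    (re.compile(r"ws_ftp\.ini$", re.I), "WS_FTP client config"),
    (re.compile(r"ws_ftp\.log$", re.I), "WS_FTP transfer log"),
    (re.compile(r"config\.php$", re.I), "PHP config with DB credentials"),
    (re.compile(r"globals\.php$", re.I), "PHP globals file"),
    (re.compile(r"phpinfo\.php$", re.I), "phpinfo disclosure"),
    (re.compile(r"\.htpasswd$", re.I), "htpasswd file"),
    (re.compile(r"\.sql$", re.I), "SQL dump"),
]
TRAVERSAL = re.compile(r"\.\.[/\\]")
# Constructed referrer pattern covering a few search engines.
SEARCH_ENGINE = re.compile(r"https?://(www\.)?(google|bing|yahoo|duckduckgo)\.", re.I)

# Constructed sample log lines (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /ws_ftp.ini HTTP/1.1" 200 512 "https://www.google.com/" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /download.php?file=..%2F..%2Fconfig.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:13:57:12 +0000] "GET /backup/users.sql HTTP/1.1" 404 153 "https://www.bing.com/search?q=x" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:58:00 +0000] "GET /download.php?file=index.php HTTP/1.1" 200 3301 "-" "Mozilla/5.0"',
]


def classify_request(path):
    """Return a reason string if the request touches a sensitive artefact, else None."""
    decoded = unquote(path)  # catch %2F-encoded traversal as well as plain "../"
    decoded_path, _, query = decoded.partition("?")
    if TRAVERSAL.search(decoded_path) or TRAVERSAL.search(query):
        return "path traversal attempt"
    for pattern, label in SENSITIVE:
        if pattern.search(decoded_path):
            return label
    # download.php?file=index.php style: a server-side file named in a parameter
    for value in re.split(r"[&=]", query):
        if value.endswith(".php") or any(p.search(value) for p, _ in SENSITIVE):
            return "server-side file requested via query parameter"
    return None


def detect_probes(lines):
    """Parse log lines and return one finding per request for a sensitive artefact."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a real pipeline would count these
        reason = classify_request(m["path"])
        if reason is None:
            continue
        findings.append({
            "ip": m["ip"],
            "path": m["path"],
            "status": int(m["status"]),
            "reason": reason,
            "served": m["status"] == "200",  # 200 means the artefact is exposed
            "via_search_engine": bool(SEARCH_ENGINE.match(m["referer"])),
        })
    return findings


def summarize_probes(findings):
    """Totals for a daily report: probes seen, how many were actually served,
    how many arrived from a search engine, and the distinct source addresses."""
    return {
        "total": len(findings),
        "served": sum(1 for f in findings if f["served"]),
        "from_search_engines": sum(1 for f in findings if f["via_search_engine"]),
        "source_ips": sorted({f["ip"] for f in findings}),
    }


if __name__ == "__main__":
    probes = detect_probes(SAMPLE_LOG)
    for p in probes:
        print(f"{p['ip']} {p['path']} -> {p['reason']} (status {p['status']})")
    print(summarize_probes(probes))
```

A request that was served with 200 is the one to act on first: the artefact is exposed now, and a search engine may already have cached it, as the post notes. The durable fix is to keep client configs, transfer logs and database exports out of the web root, deny these names at the web server, and disable directory listings, so the "index of" queries above have nothing to return; the log check then remains useful as an early warning that someone is looking.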
