Google hacking for penetration tester - part 35 potx

 Default pages, documentation, and programs speak volumes about the server that hosts them. They suggest that a server is not well maintained and is by extension vulnerable due to poor maintenance.
Locating Login Portals
 Login portals can draw attackers who are searching for specific types of software. In
addition, they can serve as a starting point for information-gathering attacks, since
most login portals are designed to be user friendly, providing links to help
documents and procedures to aid new users. Administrative login portals and
remote administration tools are sometimes even more dangerous, especially if they
are poorly configured.
Locating Network Hardware
 All sorts of network devices can be located with Google queries. These devices are more than a passing technological curiosity for some attackers, since many devices linked from the Web are poorly configured, trusted devices often overlooked by typical security auditors. Web cameras are often overlooked devices that can provide insight for an attacker, even though an extremely small percentage of targets have Web cameras installed. Network printers, when compromised, can reveal a great deal of sensitive information, especially for an attacker capable of viewing print jobs and network information.
Using and Locating Various Web Utilities
 Web-enabled network devices can be located with simple Google queries.
 The information from these devices can be used to help build a network map.
Locating Various Network Reports
 Network statistic reports can be located with simple Google queries.
 The information from these reports can be used to help build a network map.
Tracking Down Web Servers, Login Portals, and Network Hardware • Chapter 8 341
452_Google_2e_08.qxd 10/5/07 1:03 PM Page 341
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.
Q: I run an IIS 6.0 server, and I don’t like the idea of those static HTTP 1.1 error pages hanging around my site, luring potential malicious interest in my server. How can I enable the customized error messages?
A: If you aren’t in the habit of just asking Google by now, you should be! Seriously, try a Google search for site:microsoft.com “Configuring Custom Error Messages” IIS 6.0. At the time of this writing, the article describing this procedure is the first hit. The procedure involves firing up the IIS Manager, double-clicking My Computer, right-clicking the Web Sites folder, and selecting Properties. See the Custom Errors tab.
Q: I run an Apache server, and I don’t like the idea of those server tags on error messages and directory listings. How can I turn these off?
A: To remove the tags, locate the section in your httpd.conf file (usually in /etc/httpd/conf/httpd.conf) that contains the following:
#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (error documents, FTP directory listings,
# mod_status and mod_info output etc., but not CGI generated documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#
ServerSignature On
The ServerSignature setting can be changed to Off to remove the tag altogether or to EMail, which presents an e-mail link with the ServerAdmin e-mail address as it appears in the httpd.conf file.
Q: I’ve got an idea for a search that’s not listed here. If you’re so smart about Google, why isn’t my search listed in this book?
A: This book serves as more of a primer than a reference book. There are so many possible Google searches out there that it’s impossible to include them all in one book. Most searches listed in this book are the result of a community of people working together to come up with as many effective searches as possible. Fortunately, this community of individuals has created a unique and extensive database that is open to the public for the purposes of adequately defending against this unique threat. The Search Engine Hacking forum and the GHDB are both available at . If you’ve got a new search, first search the database to make sure it’s unique. If you think it is, submit it to the forums, and your search could be the newest addition to the database. But beware, Google searcher. Google hacking is fun and addictive. If you submit one search, I think you’ll find it’s hard to stop. Just ask any of the individuals on the Google Master’s list. Some of them found it hard to stop at 10 or 20 unique submitted searches! Check out the Acknowledgments page for a list of users who have made a significant contribution to the Google hacking community.
Q: The NQT tool can only scan one port at a time. Could this behavior be modified?
A: Without modifying the code on the remote NQT server, this task would require the coding of a PHP loop that feeds the requests one at a time to the NQT server. Remember, though, that even single ports can play a critical role when it comes time to perform an actual network port scan. For many different types of scans, it’s always advantageous to have a list of ports that are known to be open.
Q: Aren’t there any Web-based tools besides NQT with a larger port scan range?
A: If you’re interested in scanning lots of ports, you might be better off with a standard
scanner like nmap. However, to flex those Google muscles, try a query like
inurl:portscan.php (“from Port”|“Port Range”) suggested by Jimmy Neutron on the Google
Hacking Forums. Although there aren’t many results, who knows what the future holds
for this search!
Q: So Web interfaces on network devices are a bad idea?
A: They don’t have to be, but statistically they are for a few reasons. First, they are often excessive when you consider that the same task could be more securely accomplished via serial port connection or via a dedicated admin network connection. Second, small devices require small servers, so some exotic Web servers are used that are not as well tested as Apache, for example (consider the vulnerabilities on Axis cams at SecurityFocus). Third, as we’ve seen in this chapter, the pages can be found with (or submitted to) Google if the admins are not careful. This opens the floodgates for all the fledgling Google hackers out there.
Q: Our network devices (routers) can’t be accessed by anyone from the outside. Does that mean we are safe?
A: Even though it is not accessible from the wide area network (WAN), it may be accessible from a compromised host on your LAN. Posting information about it on usenet or tech forums is a risk. For an example, try searching for intext:“enable secret 5 $” as suggested by hevnsnt on the Google Hacking Forums. Then try the same on Google Groups. It’s a good thing Cisco implemented strong encryption on those passwords, since these searches often reveal sensitive information about these devices.
Chapter 9
Usernames, Passwords, and Secret Stuff, Oh My!
Solutions in this chapter:
 Searching for Usernames
 Searching for Passwords
 Searching for Credit Card Numbers, Social Security Numbers, and More
 Searching for Other Juicy Info
 List of Sites
 Summary
 Solutions Fast Track
 Frequently Asked Questions
452_Google_2e_09.qxd 10/5/07 1:08 PM Page 345
Introduction
This chapter is not about finding sensitive data during an assessment as much as it is about what the “bad guys” might do to troll for the data. The examples presented in this chapter generally represent the lowest-hanging fruit on the security tree. Hackers target this information on a daily basis. To protect against this type of attacker, we need to be fairly candid about the worst-case possibilities. We won’t be overly candid, however. We don’t want to give the bad guys any ideas they don’t already have.
We start by looking at some queries that can be used to uncover usernames, the less important half of most authentication systems. The value of a username is often overlooked, but as we’ve already discussed, an entire multimillion-dollar security system can be shattered through skillful crafting of even the smallest, most innocuous bit of information.
Next, we will take a look at queries that are designed to uncover passwords. Some of the queries we look at reveal encrypted or encoded passwords, which will take a bit of work on the part of an attacker to use to his or her advantage. We also take a look at queries that can uncover cleartext passwords. These queries are some of the most dangerous in the hands of even the most novice attacker. What could make an attack easier than handing a username and cleartext password to an attacker?
We wrap up this chapter by discussing the very real possibility of uncovering highly sensitive data such as credit card information and information used to commit identity theft, such as Social Security numbers. Our goal here is to explore ways of protecting against this very real threat. To that end, we don’t go into details about uncovering financial information and the like. If you’re a “dark side” hacker, you’ll need to figure these things out on your own, or make the wise decision to turn to the light side of the force.

Searching for Usernames
Most authentication mechanisms use a username and password to protect information. To get through the “front door” of this type of protection, you’ll need to determine usernames as well as passwords. Usernames also can be used for social engineering efforts, as we discussed earlier.
Many methods can be used to determine usernames. In the “Database Digging” chapter, we explored ways of gathering usernames via database error messages. In the “Tracking Down Web Servers” chapter, we explored Web server and application error messages that can reveal various information, including usernames. These indirect methods of locating usernames are helpful, but an attacker could target a usernames directory with a simple query like “your username is”. This phrase can locate help pages that describe the username creation process, as shown in Figure 9.1.
346 Chapter 9 • Usernames, Passwords, and Secret Stuff, Oh My!
Figure 9.1 Help Documents Can Reveal Username Creation Processes
An attacker could use this information to postulate a username based on information gleaned from other sources, such as Google Groups posts or phone listings. The usernames could then be recycled into various other phases of the attack, such as a worm-based spam campaign or a social-engineering attempt. An attacker can gather usernames from a variety of sources, as shown in the sample queries listed in Table 9.1.
Table 9.1 Sample Queries That Locate Usernames (each query is followed by its description)
inurl:admin inurl:userlist
    Generic userlist files
inurl:admin filetype:asp inurl:userlist
    Generic userlist files
inurl:php inurl:hlstats intext:Server Username
    Half-Life statistics file; lists username and other information
filetype:ctl inurl:haccess.ctl
    Basic Microsoft FrontPage equivalent(?) of htaccess; shows Web user credentials
filetype:reg reg intext:"internet account manager"
    Microsoft Internet Account Manager can reveal usernames and more
filetype:wab wab
    Microsoft Outlook Express mail address books
filetype:mdb inurl:profiles
    Microsoft Access databases containing (user) profiles
index.of perform.ini
    mIRC IRC ini file can list IRC usernames and other information
inurl:root.asp?acs=anon
    Outlook Mail Web Access directory can be used to discover usernames
filetype:conf inurl:proftpd.conf -sample
    ProFTPD FTP server configuration file reveals username and server information
filetype:log username putty
    PuTTY SSH client logs can reveal usernames and server information
filetype:rdp rdp
    Remote Desktop Connection files reveal user credentials
intitle:index.of .bash_history
    UNIX bash shell history reveals commands typed at a bash command prompt; usernames are often typed as argument strings
intitle:index.of .sh_history
    UNIX shell history reveals commands typed at a shell command prompt; usernames are often typed as argument strings
"index of" lck
    Various lock files list the user currently using a file
+intext:webalizer +intext:"Total Usernames" +intext:"Usage Statistics for"
    Webalizer Web statistics page lists Web usernames and statistical information
filetype:reg reg HKEY_CURRENT_USER username
    Windows Registry exports can reveal usernames and other information
Underground Googling
Searching for a Known Filename
Remember that there are several ways to search for a known filename. One way relies on locating the file in a directory listing, like intitle:index.of install.log. Another, often better, method relies on the filetype operator, as in filetype:log inurl:install.log. Directory listings are not all that common. Google will crawl a link to a file in a directory listing, meaning that the filetype method will find both directory listing entries as well as files crawled in other ways.
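As an added defender's example (not code from the book), the following Python script evaluates the query syntax used in Table 9.1 and the sidebar above (inurl:, intitle:, intext:, filetype:, quoted phrases, and - exclusion) against a constructed inventory of a site's own crawlable pages, so an administrator can see which pages the listed queries would surface before Google does. The PAGES inventory is constructed, filetype is approximated by URL extension, and queries must use straight double quotes.

```python
import re
from typing import Dict, List, Tuple

# Constructed inventory of a site's own crawlable pages: (url, title, body text).
PAGES = [
    ("http://example.test/logs/", "Index of /logs", "putty.log .bash_history install.log"),
    ("http://example.test/logs/putty.log", "putty.log", "PuTTY log 2007.10.05 username: alice"),
    ("http://example.test/admin/userlist.asp", "User list", "alice bob carol"),
    ("http://example.test/etc/proftpd.conf", "proftpd.conf", "ServerName ftp.example.test User ftp"),
    ("http://example.test/docs/proftpd.conf.sample", "Sample config", "sample ProFTPD configuration"),
]

# One query term: optional +/- prefix, optional operator:, then a quoted phrase or a bare word.
TOKEN = re.compile(r'([+-]?)(?:(\w+):)?("[^"]*"|\S+)')

def parse_dork(query: str) -> List[Tuple[bool, str, str]]:
    """Split a Google query into (negated, operator, term) triples.
    Bare words get the pseudo-operator "text" (match anywhere on the page)."""
    return [(sign == "-", (op or "text").lower(), value.strip('"'))
            for sign, op, value in TOKEN.findall(query)]

def norm(s: str) -> str:
    # Google treats "." as a word separator, so "index.of" should match "Index of".
    return re.sub(r"[.\s]+", " ", s.lower()).strip()

def page_matches(page: Tuple[str, str, str], query: str) -> bool:
    url, title, body = page
    name = url.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""  # filetype approximated by extension
    fields = {"inurl": norm(url), "intitle": norm(title), "intext": norm(body),
              "text": norm(" ".join((url, title, body)))}
    for negated, op, value in parse_dork(query):
        if op == "filetype":
            hit = value.lower() == ext
        else:
            hit = norm(value) in fields.get(op, fields["text"])  # unknown operators fall back to full text
        if hit == negated:  # required term missing, or excluded term present
            return False
    return True

def exposed_pages(queries: List[str], pages=PAGES) -> Dict[str, List[str]]:
    """Map each dork to the inventory URLs it would match; non-empty lists are exposures to fix."""
    return {q: [p[0] for p in pages if page_matches(p, q)] for q in queries}

if __name__ == "__main__":
    for q, urls in exposed_pages(["intitle:index.of .bash_history",
                                  "filetype:conf inurl:proftpd.conf -sample",
                                  "filetype:log username putty"]).items():
        print(f"{q!r}: {urls}")
```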
In some cases, usernames can be gathered from Web-based statistical programs that check Web activity. The Webalizer program shows all sorts of information about a Web server’s usage. Output files for the Webalizer program can be located with a query such as +intext:webalizer +intext:"Total Usernames" +intext:"Usage Statistics for". Among the information displayed is the username that was used to connect to the Web server, as shown in Figure 9.2. In some cases, however, the usernames displayed are not valid or current, but the “Visits” column lists the number of times a user account was used during the capture period. This enables an attacker to easily determine which accounts are more likely to be valid.
Figure 9.2 The Webalizer Output Page Lists Web Usernames
The Windows registry holds all sorts of authentication information, including usernames and passwords. Though it is unlikely (and fairly uncommon) to locate live, exported Windows registry files on the Web, at the time of this writing there are nearly 200 hits on the query filetype:reg HKEY_CURRENT_USER username, which locates Windows registry files that contain the word username and in some cases passwords, as shown in Figure 9.3.
Figure 9.3 Generic Windows Registry Files Can Reveal Usernames and Passwords
As any talented attacker or security person will tell you, it’s rare to get information served to you on a silver platter. Most decent finds take a bit of persistence, creativity, intelligence, and just a bit of good luck. For example, consider the Microsoft Outlook Web Access portal, which can be located with a query like inurl:root.asp?acs=anon. There are few hits for this query, even though lots of sites run the Microsoft Web-based mail portal. Regardless of how you might locate a site running this e-mail gateway, it’s not uncommon for the site to host a public directory (denoted “Find Names,” by default), as shown in Figure 9.4.