Johnny Long | Alrik van Eijkelenborg
1 The reference to the good, bad and ugly of Googling
An excellent book dedicated to a seemingly narrow topic. Googling is mainstream, I can't think of one person that has traveled the internet that hasn't stopped by Google.com at least once in their surfing career. Unfortunately, there are hackers that spend a lot of time on Google!
If you are responsible for securing your employer's network you cannot be without this indispensable reference. For less than $50 you could save your company from exposing information that can be readily used by hackers to obtain your most prized data.
Chapters 1-2 provide you with the basics of Googling. There isn't much more information than you can get from Google's website, but Johnny does a great job of explaining the basics of Google.
Chapters 3-10 are the meat of the book. While I've used Google extensively in performing penetration tests before reading this book, I've learned many new techniques to dig deeper in less time.
Chapter 11 explains how you can secure your systems from hackers using Google to gather information about your company. The chapter also introduces tools such as Gooscan. It also details methods Google has in place to remove information you'd rather not have the public see.
Chapter 12 discusses automating your Google searches with the Google API. A basic understanding of computer programming is required.
The book concludes with two appendices which will help you in developing a good strategy for security testing and securing your website.
The author's writing style is straightforward and easy to read. Reading and absorbing this book is like taking a master's level course in the art of information enumeration. Highly recommended for anyone administering networks connected to the Internet.
2 Overcoming My Mixed Feelings/Initial Reactions To The Book
Some months ago after reading an article about people using the Google search engine to look up credit card numbers using Google syntax, I came across a web site run by Johnny Long. This site is dedicated to tricks and tips of how Google can be used to hack information in places many would consider to be "unlikely". The site is loaded with good information, so I was happy to have the chance to review Long's book entitled "Google Hacking for Penetration Testers" (2005, Syngress, 502 pages, $31.47 at Amazon). While loaded with great information and content, I must say that I left the book with mixed feelings.
The mixed feelings mainly arise from the way the book is written. While the book is set up as a tool to help penetration testers, there are absolutely no disclaimers addressing the liabilities and risks that can arise from penetration testing, or the fact that anyone planning to do any penetration testing should have the written approval from the target company before testing begins. But then again, the tone of the book is how Google can be used to do "pre-testing" to identify holes that may be good targets for more detailed penetration testing. This is a thin line that is made thinner by the way the text is written. Specifically, it is written as if the target audience is the hacker and not the people who need to do the testing or setting up defenses. In fact, you do not hit any discussion of defensive approaches or ways to prevent these types of probes/attacks until Chapter 11 on page 321.
This is not to say that the book is not chock full of good, solid information. Long does present a thorough overview and explanation of the ways Google syntax can be used to extract many different kinds of interesting information. Whether it be finding specific file types, server type information, Microsoft Outlook mail/pst files, instant messaging buddy lists, passwords, and/or user names, Long shows how it is done. (A side note for Lotus Notes administrators: the only mention of Notes in the book is not by name, but as a screen shot of "even 'tight-lipped' software".)
Parts of the book may get too technical for "non-techies", but you can easily skim over this information and ask your technical staff for deeper explanations of proxy servers, packet routing, and caching from your own staff who may have a better understanding of the concepts.
Who Should Read This Book?
So like me, if you can look beyond the elements of the book that gave me cause for concern, you will see that Long does provide a bevy of useful information for professional security auditors, information systems managers, system administrators, application developers, and information security managers. However, it would be advisable to consider the concerns I do have about what the book does not say/recommend. There is no substitute for getting written agreements from your customers (i.e. targets) or consulting with your attorneys. Also make sure your professional liability insurance is sufficient to cover any potential losses that may arise from penetration testing without authorization or gone bad. All this being said, this will be a top shelf reference book in my professional library.
Scorecard
Long chips it in from the greenside bunker to score a birdie on a Par 4.
3 Great for stimulating ideas .........
I am involved in penetration testing on an occasional basis (my principal role is audit management, my principal interest is systems auditing), per other reviews this is an excellent resource for anyone planning or executing tests.
I have used Google with simplistic searches and obtained good results (e.g. pictures of site being tested, too much detail in job postings ...). This book is an excellent source of ideas and techniques, for both social engineering, and more technical tests.
It has also made me consider what the Google desktop search tool could be used for, when run on key servers in internal nets.
The author's writing style is very easy to read yet packed with valuable information.
This book is likely to be of significant value to forensic investigators and for those with an interest in competitive intelligence.
4 Great Tutorial!
Rather than reiterate what other reviewers have said, I'll focus on a few other things worth a mention.
The first two chapters provide a solid foundation for Google use. They can be read and understood by anyone. The knowledge presented in these two chapters alone can make your queries much more efficient. Usage for each operator and searching technique is explained in detail, so that the fundamentals can be applied to any search. These two chapters comprise the best Google tutorial available anywhere!
The rest of the book focuses on techniques relevant to security testing. There are so many ways to use Google to enumerate information. The author walks you through each of the techniques and the principles behind them. The examples expand upon and reinforce the techniques discussed in the first two chapters.
I also own the O'Reilly "Google Hacks" book. It's a good book mostly consisting of tips geared towards coders looking to harness Google's power for miscellaneous purposes. Although Johnny Long's book does present plenty of code and techniques for automation, its primary focus is using Google's relevance to security testing. Defensive techniques (how to limit what googlebot crawls) are also discussed. "Google Hacking" makes a better starting point for those interested in security testing.
5 Indispensable reference for the dark side of Google searches
While Google is a researcher's friend, it is a hacker's dream. The subtitle of Google Hacking for Penetration Testers is "Explore the Dark Side of Googling". The dark side of Google is that far too many networks are insecure with inadequate security and enable unauthorized information to leak into Google. This leakage creates the situation where significant amounts of password files, confidential information, and configuration data and much more are easily available.
After reading Google Hacks: Tips & Tools for Smarter Searching, the real power and potential danger of Google is easily understood. Author Johnny Long details how penetration testers can harvest information that has been crawled by Google. The need for Google to be an integral part of any penetration test is now easily understood.
In a similar manner, when Dan Farmer wrote SATAN in 1995, it was met with significant consternation in that many felt he was wrong to release such a powerful program into the wild. Silicon Graphics, his employer at the time, considered his conduct unprofessional and summarily fired him. Ironically, in 2005, a security administrator can be fired if they don't run a vulnerability scanner akin to SATAN. Running scanning tools is now part of security due diligence and any administrator not running such a tool is careless.
With that, some may think author Johnny Long gives far too much ammunition to those seeking to peruse corporate data, but those were the same mistaken objections to SATAN. The book is not meant to be a crutch for script kiddies, its aim is rather to show how Google can be used to uncover data that most companies would rather remain secured. It is simply a matter of time until such Google searches will be considered due diligence for any basic security endeavor.
The book's 12 chapters show how one can plunder and pillage corporate data via Google. Chapters 1 and 2 provide a basic introduction to Google searching, including building Google queries, URL and operator syntax, search reduction, and more.
Chapters 3 through 10 detail the internals of Google hacking. The avenues of attack are nearly endless and various methods are detailed from traversal techniques, site crawling, tracking down Web server logins, and much more. With the sheer amount of data produced on corporate Web sites, it is hard not to have information leakage. The problem is that Google is the perfect glue to bond those disparate pieces of data together to form a dangerous set of connected data. Google is now gluing isolated data, which is dangerous data when in the wrong hands.
Chapter 11 details what can be done to protect an organization from Google hackers. While author Johnny Long may be a hacker, he is quite mainstream when he writes that the best hardware and software configuration money can buy can't protect computing resources if an effective security policy is not in place. Long observes that a good security policy, when properly enforced, outlines the assets the organization is trying to protect, how the protection mechanisms are installed, the acceptable level of operational risk, and what to do in the event of a compromise or disaster.
Chapter 11 details the use of the robots.txt file, which can be used to block Web crawlers such as Google. The chapter also recommends the use of various tools to secure an internal Web site. Tools from Foundstone are detailed, in addition to Gooscan, a tool created by Long that enables bulk Google searches to determine how much information has leaked.
A decade ago, Google was the type of powerful search tool that was rumored to be used within the NSA. Today, petabytes of data are only a few clicks away on Google, and with the Google API, all of that information can be seamlessly integrated into a few scripts. The challenge companies face is to take security seriously and stop making it easy for their password files, payroll data, and other confidential information to be entered into Google's server farm.
6 This book should be on the President's Desk
About the only thing I don't like about this book is the title, Google Hacking For Penetration Testers. It sounds like it's going to be boring but it is far from it. This book is fantastic. I couldn't put it down. This book opens up a whole world of information vulnerability from a tool we use in searching for information, the Google search engine.
The book is like a college education spanning the freshman year all the way to graduate school. A novice can easily understand the author's, Johnny Long's, explanations on how to surf Google. Yes, you can go to Google itself and get this information, but he compiles it for you in the first several chapters in a neat, clean, well laid out format. Anyone reading this section will have a solid grounding in the basics of using Google to surf the web.
As I read the book I kept saying "Good Point" and I thought that many web types like myself "know" what the author is saying but seeing it in print makes you focus and think about issues of security. It exposes so many vulnerabilities and gives options to deal with them. For under $45 this book could save you from major problems as an individual or as an enterprise.
The book does get complicated. It expects you to be a web administrator, web master, or very familiar with web development and servers. Johnny Long has a straightforward writing style which he combines with concrete examples that open your eyes to the points he is making. For example, Johnny shows how configuration files and document types can be crawled for user names and passwords. It's chilling to read about the devious methods Google hackers use.
Johnny Long is talking about one of the most serious, really important things in this day and age. SECURITY. Secure web sites are important to each of us as individuals. It's important to your company. Vital information is shown to be at risk in Google Hacking. This book should be on the President of the United States' desk.
Have you ever seen a TV show where a former thief shows you how to protect your house? This book is just like that. Some of the tips are very simple, ones that many administrators know and those who are smart implement. Others are more complex. The table of contents reads like a dry college curriculum. But if you follow what is written, trying out the suggestions as it relates to your site, not only will you be rewarded, but the book just comes to life and you find yourself saying 'I can't believe how useful this is'.
In summing up, Johnny Long has issued a wake-up call to all who use the web. I showed this book to a colleague of mine and we both felt that the strength of the book lies in its constant repetition that the Google search engine, while effective in helping web surfers find information, also helps those web surfers with not such good intentions. Any reader would do well to follow the author's advice throughout the book in each and every chapter.
7 Required reading for network and security admins
If you are at the book store trying to decide if the book is worth spending $44.95, just flip open to Chapter 7: Ten Simple Security Searches That Work. This chapter alone is probably worth the price of the book.
There are some aspects of security that are core fundamentals that remain true throughout time. Then, there are some aspects of security that are created by new technology. A few years ago, securing wireless networks was unheard of. Now it is at the forefront of many security administrators' concerns. Google is the latest hot technology to create its own security field.
There are other search engines, but Google is the one that has become synonymous with the act of Web searching itself. Google is an excellent tool. But, like many excellent tools, it is also somewhat of a double-edged sword. The same aspects that make it excel at what it does also make it gather sensitive and private information which may be used to compromise systems or gain unauthorized access.
This book is a must-read in my opinion. Network and security administrators should be required to read this book and follow the advice at the end to ensure that Google hackers don't compromise your network.
Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. He is the About.com Guide for Internet / Network Security (http://netsecurity.about.com), providing a broad range of information security tips, advice, reviews and information. Tony also contributes frequently to other industry publications. For a complete list of his freelance contributions you can visit Essential Computer Security (http://www.tonybradley.com).
8 Awesome!!!
You don't know how powerful Google is until you read Google Hacking for Penetration Testers.
This is a great book!
9 Best search engine feature summary on the market
The book "Google Hacking for penetration testers" is no doubt a real eye opener and as far as I know the first book on the market thoroughly covering this important issue. I am confident that this will soon be referred to as a "Standard" literature for IT security.
It is also a nice additional feature that each chapter has its summary at the end.
The actual "contents" of the book is (currently) well worth the money, however there are a few things which I didn't like about the book:
- Book layout should be more easily readable / accessible
- The physical pages look like photocopies or a copy of a novel that I picked up in a sale.
- Optional overview chart tables (take out) would have been a very helpful addition.
- The book reads like an interview or keynote speech, but should actually be more engineering like.
- What's the point in printing pages of scripts? Shouldn't that be downloadable or on a CD? Or at least in the Appendix?
Summary:
For now probably the "best search engine feature summary on the market". The layout of the book should be newly structured to be in a more easily accessible format. I guess what I dislike most about the book is the casual writing style and the missing engineer style. The book is hardly usable as a reference but more as a one time read.
If the contents wouldn't be worth it, I would rate it with less. Unfortunately the layout absolutely devalues the content's value. Usually casual writing style is used to fill the pages, with content that's not thoroughly researched.
10 Application reconnaissance taken to the next level
'Google Hacking for Penetration Testers' (GHFPT) should be a wake-up call for organizations that consider 'information leakage' a theoretical problem. 'Information leakage' refers to the unintentional disclosure of sensitive information to public forums, like the Web. Security staff can use the tools and techniques outlined in Johnny Long's GHFPT to assess the degree of information leakage affecting their organizations. They can then propose, implement, and test remedies. When Google says they are clean, they can be reasonably assured they are.
'Google hacking' is popular because the results are so unambiguous. If you can locate a sensitive configuration file, mail box, registry key, etc., using Google, so can an intruder. GHFPT thoroughly documents multiple ways to find an incredible range of sensitive information using Web searches. Johnny Long takes care not to document how to find Social Security numbers or credit cards, although details on doing so have been posted on the Web.
While companies have performed corporate espionage or collected 'business intelligence' against each other, I wonder how many direct their gaze inwards. Armed with GHFPT, a security administrator should know how to search and secure his organization's Web site. The book explains tools like Sensepost's Wikto, which automate Google-based reconnaissance and use the Google query API. Those who wish to write their own Google query tools will like James Foster's excellent chapter 12. There he demonstrates four implementations, in Perl, Python, C#, and C.
GHFPT concludes with two appendices. The first, by Pete Herzog, outlines professional penetration testing with respect to the Open Source Security Testing Methodology Manual. The second, by Matt Fisher, is a brief discussion of Web application security. Readers who want to know more about the latter subject will enjoy 'Hacking Exposed: Web Applications' by Scambray and Shema; 'Hack Proofing Your E-Commerce Site,' by Russel, et al; and 'Hack Proofing Your Web Applications,' by Forristal. While those books are several years old, they are thorough and still relevant.
When you hire your next penetration testing team, be sure to ask if they offer Google assessment services. I see this as the next step in application reconnaissance. I also highly recommend all security staff read GHFPT. You are responsible now if an intruder compromises your Web server via an application attack. You will soon find yourself responsible if an intruder queries Google and discovers an exposed password file that yields the same level of access. Reading and experimenting with GHFPT is the best insurance policy you could buy in 2005.
11 A True Eye Opener
I have been using this book for three weeks. Every time Google Hacking gets further than three feet from my keyboard, I get up, find it, put it back by my side. I first used the "recipes" in the book to locate intellectual property violations of SANS material. Next, I went on a digital painting campaign and created over 150 images and used the book to help me find the raw source material. Most recently, I have used the optimized searches the book shows one how to do to help with a research project.
Buy the book, try the searches, learn what is possible. It wouldn't hurt to use the book for its intended purpose as well, to see what information about you, about your organization is exposed on the Internet.
12 Could be the most important security book you read this year
Want to be completely unnerved by the power and (mis-)use of Google? If you're at all concerned about system security, you really need to get a copy of Google Hacking For Penetration Testers by Johnny Long (Syngress). The world is more insecure than I thought...
Chapter List: Introduction; Google Searching Basics; Advanced Operators; Google Hacking Basics; Preassessment; Network Mapping; Locating Exploits and Finding Targets; Ten Simple Security Searches That Work; Tracking Down Web Servers, Login Portals, and Network Hardware; Usernames, Passwords, and Secret Stuff, Oh My!; Document Grinding and Database Digging; Protecting Yourself from Google Hackers; Automating Google Searches; Professional Security Testing; An Introduction to Web Application Security; Google Hacking Database; Index
Long walks a fine line in this book, and I think he does it pretty well. His goal is to show the reader how Google can be used to discover a vast array of information that most companies would not willingly divulge. He refrains from showing exact search criteria for finding things like social security number and credit card lists. Additionally, his screen prints of results appropriately blur exact URL information so that he's not giving up personal information. But he does give you enough information that you can understand how certain searches could be used to find files that you may not have realized were indexed.
If you have never used Google for anything more than simple searches from the main page, you'll get a lot of benefit from the first few chapters. He details the Google search keywords and how they can be mixed and matched to dramatically narrow your search focus. Even the simple act of learning how to filter for file types can be immensely valuable. The book kicks into high gear following those first chapters. Long works through various security assessment situations and shows how Google can map your environment far better than you imagined. Simple things like searching for "Powered By" messages or log files with certain strings can tell an attacker what software is running and at what version. This then allows a more refined attack based on known exploits. But instead of leaving the book at that point, he offers some strategies for limiting the amount of information Google can access, as well as ways to remove data that has already gotten out there.
Google Hacking could well be one of the most important security books you buy this year. Even if you're not in charge of security for a company or organization, you should explore some of the techniques to search for your own personal information. Just because *you* didn't expose it doesn't mean that someone else didn't. Highly recommended read...
13 A must have for any IT or security professional
If you are responsible for IT resources you must have this book. If you are a security professional you must have this book.
This book will illustrate how Google can be used by the bad guys to profile and enumerate your network infrastructure. Johnny Long does an excellent job explaining how Google works with advanced operators and how fiddling with syntax can yield interesting results.
He shows how a hacker can learn a ton of information about your network and company without ever sending a packet at your network.
You will learn how to find out information about misconfigured servers, "interesting" files left laying around servers, locating exploits, mapping networks and quite a bit more. But, you will learn how to defend and protect yourself against the evil Google hacker.
You will learn how to Google hack yourself as part of your penetration testing.
This is an easy read. You don't have to know about the OSI model or ACL rulesets. It should be on the bookshelf of every IT professional, and should be referred to often.
Hats off to Johnny Long for writing such an incredibly valuable resource.
14 how to [mis-] use Google
We all use Google, for many different reasons. But Long points out that its sheer effectiveness has led to an insidious activity. By crackers and phishers ("black hats"), who are trying to break into systems and get confidential data. Like being able to find a person's real name and US Tax Id or credit card numbers.
Long shows how Google's many search options and comprehensive data can be used by a cracker. For example, searching for a text string written by a common web search, like Apache or IIS, that gives the server's name and version number. Typically, these are default strings that some sysadmins don't bother changing. So when the pages are made public, those strings appear, and Google lets the cracker find them. If she knows of a security bug in that server version, she can Google for who is running it and then drill down. Long goes into far more complicated attacks than that. But the example shows the gist of how Google can be (mis-)used.
Long writes a disquieting text for sysadmins and Web administrators. In the rush by so many organisations to make information available, even if ostensibly only to your employees and customers, Google can expose you to vulnerability. A compelling read.
15 Beyond Google Hacks
I was impressed with this book. It should be considered a "must" read for security professionals, network and sysadmins, and anybody who has a personal or business web page. Anybody who uses Google could benefit from reading it. I thought I was a pretty good Googler before I read this book, but I was learning new things by the second chapter. You'll definitely see Google in a whole new light after finishing it. This book will get you thinking "outside the globe".
Crackers know this stuff. Shouldn't you?
Although I know the author doesn't condone it, if you are a multi-media type, you can uninstall those spyware infested p2p apps and buy a bigger hard drive. You'll need it.
I read a ton of network security books each year. This one made the top three, IMO.
Have Fun