Automates Google hacking
SDK
January 10th, 2005, 09:03 PM
McAfee has released an update to its tool that uses Google to automatically search for security holes in Web sites.
SiteDigger 2.0, delivered on Monday, looks for information about a Web site's security by sending specific queries to Google's Web database. Known as Google hacking, such searches can turn up easily exploitable flaws and sensitive information, including credit card numbers and user account information.
The free service should help Webmasters stay informed about what information is out there regarding their sites, said Chris Prosise, vice president of worldwide professional services for security technology company McAfee.
"We built this tool really as an awareness tool," Prosise said, adding that SiteDigger highlights problems that Webmasters might otherwise not know about. "As a victim, you would never really know that someone was using this information."
SiteDigger does not discern whether the person using it is an authorized administrator of the site or a potential attacker looking for weaknesses. Prosise agreed that this means the tool could be used against a site, but pointed out that Google requires that any user of an automated service sign up with its Web services development program.
Recently, the Santy worm used Google queries to find potentially vulnerable computers, which the program would then try to infect with its code. Several other tools have been created by other research groups to comb for flaws using Google's database.
Google could not immediately be reached for comment on SiteDigger.
Johnny Long, a senior engineer at Computer Sciences Corp. and author of the book "Google Hacking for Penetration Testers," said such tools are necessary for Web administrators to keep their sites safe.
"There is no way for a security team to stay on top of Google without automation," he said. "They can't spend all the time trolling through Google."
Long maintains a site of more than 800 signatures of common security problems that can be searched for using Google. SiteDigger and other tools use the signatures to query the search engine for the problems.
While stressing that SiteDigger benefits Web sites with knowledgeable security personnel--usually the larger sites--Long acknowledged that smaller, less security-conscious sites would likely be at a disadvantage against potential attackers. Such sites typically aren't aware of the threats posed by Google hacking.
"The little guys are going to lose whenever a new tool comes out," he said. "The smaller site you are, the more you have to worry about."
Source : http://news.zdnet.com/2100-1009_22-5519726.html
Anyone try that tool?
zencoder
January 10th, 2005, 09:08 PM
I'm going to try it right now...
/* edit: Phhppttt! System Requirements - Windows .NET Framework (can be installed using Windows Update) */
I'll still try it out and report back, but that's a bit depressing. Not unforeseen, but depressing nonetheless. At least it gives me a reason to sign up for a Google developers API key.
phishphreek
January 10th, 2005, 09:11 PM
Sitedigger has been out for a while...
Guess they just released a new version...
Here is an article from back in aug 04. http://www.eweek.com/article2/0,1759,1635768,00.asp
Foundstone (pre-McAfee) actually has a lot of great tools...
Double//Cut
January 10th, 2005, 11:04 PM
http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/sitedigger.htm
Free Tools Download Link
If Google tells you the WebAPI section is down, just try again in about 2 minutes, worked for me
Double//Cut
January 10th, 2005, 11:20 PM
Checking for: intitle:"Index of" secring.bak site:xxx.website
Not Found
Checking for: intitle:index.of master.passwd site:xxx.website
Not Found
Checking for: intitle:"Index of" ".htpasswd" htpasswd.bak site:xxx.website
Not Found
Checking for: intitle:"Index of" upload.asp site:xxx.website
Not Found
Checking for: intitle:"Index of" AT-admin.cgi site:xxx.website
Not Found
Checking for: intitle:"Index of" global.inc site:xxx.website
Not Found
Checking for: intitle:"Index of" guestbook.cgi site:xxx.website
Not Found
Checking for: intitle:"Index of" fpcount.exe site:xxx.website
Not Found
Checking for: intitle:"Index of" msadcs.dll site:xxx.website
Not Found
Checking for: intitle:index.of .bash_history site:xxx.website
Not Found
Checking for: intitle:index.of .sh_history site:xxx.website
Not Found
Checking for: intitle:index.of trillian.ini site:xxx.website
Not Found
Checking for: "Select a database to view" intitle:"filemaker pro" site:xxx.website
Not Found
Checking for: intitle:"osCommerce" inurl:admin filetype:php site:xxx.website
Not Found
Checking for: "phpMyAdmin" "running on" inurl:"main.php" site:xxx.website
Not Found
Checking for: intitle:"the page cannot be found" inetmgr site:xxx.website
Not Found
Checking for: "supplied argument is not a valid MySQL result resource" site:xxx.website
Not Found
Checking for: "access denied for user" "using password" site:xxx.website
Not Found
Checking for: intitle:"Index of" index.html.bak site:xxx.website
Not Found
Checking for: intitle:"Index of" index.php.bak site:xxx.website
Not Found
Checking for: intitle:"Index of" index.jsp.bak site:xxx.website
Not Found
Checking for: intitle:"Index of" access_log site:xxx.website
Not Found
Checking for: intitle:"Index of" WSFTP.LOG site:xxx.website
Not Found
Checking for: intitle:"Index of" service.pwd site:xxx.website
Not Found
Checking for: allinurl:auth_user_file.txt site:xxx.website
Not Found
Checking for: intitle:"index.of" config.php" site:xxx.website
Not Found
Checking for: intitle:index.of.etc site:xxx.website
Not Found
Checking for: filetype:xls username password email site:xxx.website
Not Found
Checking for: filetype:htpasswd htpasswd site:xxx.website
Not Found
Checking for: intitle:"Index of" ".htpasswd" "htgroup" -intitle:"dist" -apache -htpasswd.c site:xxx.website
Not Found
Checking for: intitle:"Index of" ".htpasswd" htpasswd.bak site:xxx.website
Not Found
Checking for: intitle:index.of administrators.pwd site:xxx.website
Not Found
Checking for: intitle:Index.of etc shadow site:xxx.website
Not Found
Checking for: intitle:index.of secring.pgp site:xxx.website
Not Found
Checking for: inurl:config.php dbuname dbpass site:xxx.website
Not Found
Checking for: intitle:"Index of" master.passwd site:xxx.website
Not Found
Checking for: intitle:"Index of" .mysql_history site:xxx.website
Not Found
Checking for: intitle:index.of passlist site:xxx.website
Not Found
Checking for: inurl:passlist.txt site:xxx.website
Not Found
Checking for: intitle:"Index of" passwd passwd.bak site:xxx.website
Not Found
Checking for: intitle:"Index of..etc" passwd site:xxx.website
Not Found
Checking for: intitle:"Index of" "people.lst" site:xxx.website
Not Found
Checking for: intitle:"Index of" pwd.db site:xxx.website
Not Found
Checking for: intitle:"Index of" spwd.db passwd -pam.conf site:xxx.website
Not Found
Checking for: inurl:Custva.asp site:xxx.website
Not Found
Checking for: "Powered by mnoGoSearch - free web search engine software" site:xxx.website
Not Found
Checking for: "#mysql dump" filetype:sql site:xxx.website
Not Found
Checking for: "This summary was generated by wwwstat" site:xxx.website
Not Found
Checking for: "Host Vulnerability Summary Report" site:xxx.website
Not Found
Checking for: "Index of" / "chat/logs" site:xxx.website
Not Found
Checking for: "Most Submitted Forms and Scripts" "this section" site:xxx.website
Not Found
Checking for: "Network Host Assessment Report" "Internet Scanner" site:xxx.website
Not Found
Checking for: "Network Vulnerability Assessment Report" site:xxx.website
Not Found
Checking for: "not for distribution" confidential site:xxx.website
Not Found
Checking for: "These statistics were produced by getstats" site:xxx.website
Not Found
Checking for: "robots.txt" + "Disallow:" filetype:txt site:xxx.website
Not Found
Checking for: "Thank you for your order" +receipt site:xxx.website
Not Found
Checking for: "This file was generated by Nessus" site:xxx.website
Not Found
Checking for: "This report lists" "identified by Internet Scanner" site:xxx.website
Not Found
Checking for: "This report was generated by WebLog" site:xxx.website
Not Found
Checking for: intitle:index.of cgiirc.config' site:xxx.website
Not Found
Checking for: inurl:'cgiirc.config' site:xxx.website
Not Found
Checking for: intitle:"Index of" finance.xls site:xxx.website
Not Found
Checking for: intitle:"Index of" finances.xls site:xxx.website
Not Found
Checking for: intitle:"Ganglia" "Cluster Report for" site:xxx.website
Not Found
Checking for: intitle:index.of haccess.ctl site:xxx.website
Not Found
Checking for: filetype:htaccess Basic site:xxx.website
Not Found
Checking for: intitle:"statistics of" "advanced web statistics" site:xxx.website
Not Found
Checking for: intitle:"Usage Statistics for" "Generated by Webalizer" site:xxx.website
Not Found
Checking for: intitle:"wbem" compaq login site:xxx.website
Not Found
Checking for: intitle:admin intitle:login site:xxx.website
Not Found
Checking for: intitle:index.of "Apache" "server at" site:xxx.website
Not Found
Checking for: intitle:index.of inbox dbx site:xxx.website
Not Found
Checking for: intitle:index.of dead.letter site:xxx.website
Not Found
Checking for: intitle:index.of inbox site:xxx.website
Not Found
Checking for: intitle:index.of inbox dbx site:xxx.website
Not Found
Checking for: intitle:index.of ws_ftp.ini site:xxx.website
Not Found
Checking for: inurl:admin filetype:xls site:xxx.website
Not Found
Checking for: inurl:admin intitle:login site:xxx.website
Not Found
Checking for: inurl:changepassword.asp site:xxx.website
Not Found
Checking for: inurl:main.php phpMyAdmin site:xxx.website
Not Found
Checking for: inurl:main.php Welcome to phpMyAdmin site:xxx.website
Not Found
Checking for: inurl:vbstats.php "page generated" site:xxx.website
Not Found
Checking for: inurl:ipsec.conf -intitle:manpage site:xxx.website
Not Found
Checking for: inurl:ipsec.secrets -history -bugs site:xxx.website
Not Found
Checking for: inurl:ipsec.secrets "holds shared secrets" site:xxx.website
Not Found
Checking for: intitle:"Index of" mt-db-pass.cgi site:xxx.website
Not Found
Checking for: mystuff.xml intitle:"index of" site:xxx.website
Not Found
Checking for: "phpinfo.php" -manual site:xxx.website
Not Found
Checking for: "# phpMyAdmin MySQL-Dump" filetype:txt site:xxx.website
Not Found
Checking for: "# phpMyAdmin MySQL-Dump" "INSERT INTO" -"the" site:xxx.website
Not Found
Checking for: intitle:Index.of robots.txt site:xxx.website
Not Found
Checking for: site:edu grades admin site:xxx.website
Not Found
Checking for: "# Dumping data for table" site:xxx.website
Not Found
Checking for: "cacheserverreport for" "This analysis was produced by calamaris" site:xxx.website
Not Found
Checking for: "index of" / lck site:xxx.website
Not Found
Checking for: intitle:"Index of" .bash_history site:xxx.website
Not Found
Checking for: inurl:admin filetype:asp inurl:userlist site:xxx.website
Not Found
Checking for: inurl:admin inurl:userlist site:xxx.website
Not Found
Checking for: intitle:"Index of" .sh_history site:xxx.website
Not Found
Checking for: "ORA-00921: unexpected end of SQL command" site:xxx.website
Not Found
Checking for: "A syntax error has occurred" filetype:ihtml site:xxx.website
Not Found
Checking for: "access denied for user" "using password" site:xxx.website
Not Found
Checking for: "An illegal character has been found in the statement" -"previous message" site:xxx.website
Checking for: "Can't connect to local" intitle:warning site:xxx.website
Not Found
Checking for: "Chatologica MetaSearch" "stack tracking:" site:xxx.website
Not Found
Checking for: "detected an internal error [IBM][CLI Driver][DB2/6000]" site:xxx.website
Not Found
Checking for: "Fatal error: Call to undefined function" -reply -the -next site:xxx.website
Not Found
Checking for: "Incorrect syntax near" site:xxx.website
Not Found
Checking for: "Incorrect syntax near" -the site:xxx.website
Not Found
Checking for: "ORA-00933: SQL command not properly ended" site:xxx.website
Not Found
Checking for: "PostgreSQL query failed: ERROR: parser: parse error" site:xxx.website
Not Found
Checking for: "Supplied argument is not a valid MySQL result resource" site:xxx.website
Not Found
Checking for: "Syntax error in query expression " -the site:xxx.website
Not Found
Checking for: "Unclosed quotation mark before the character string" site:xxx.website
Not Found
Checking for: "Warning: Cannot modify header information - headers already sent" site:xxx.website
Not Found
Checking for: An unexpected token "END-OF-STATEMENT" was found site:xxx.website
Not Found
Checking for: "Error Diagnostic Information" intitle:"Error Occurred While" site:xxx.website
Not Found
Checking for: filetype:asp "Custom Error Message" Category Source site:xxx.website
Not Found
Checking for: intitle:"the page cannot be found" inetmgr site:xxx.website
Not Found
Checking for: intitle:"the page cannot be found" "internet information services" site:xxx.website
Not Found
Checking for: intitle:"500 Internal Server Error" "server at" site:xxx.website
Not Found
Checking for: intitle:"Under construction" "does not currently have" site:xxx.website
Not Found
Checking for: "supplied argument is not a valid MySQL result resource" site:xxx.website
Not Found
Checking for: "mySQL error with query" site:xxx.website
Not Found
Checking for: "ORA-00921: unexpected end of SQL command" site:xxx.website
Not Found
Checking for: "ORA-00936: missing expression" site:xxx.website
Not Found
Checking for: inurl:sitebuildercontent site:xxx.website
Not Found
Checking for: inurl:sitebuilderfiles site:xxx.website
Not Found
Checking for: inurl:sitebuilderpictures site:xxx.website
Not Found
Checking for: "You have an error in your SQL syntax near" site:xxx.website
Not Found
Checking for: "Supplied argument is not a valid PostgreSQL result" site:xxx.website
Not Found
Checking for: warning "error on line" php sablotron site:xxx.website
Not Found
Checking for: intitle:"the page cannot be found" "2004 microsoft corporation" site:xxx.website
Not Found
Checking for: "Welcome to phpMyAdmin" AND " Create new database" site:xxx.website
Not Found
Checking for: intitle:"Index of c:\Windows" site:xxx.website
Not Found
Checking for: intitle:"index.of.personal" site:xxx.website
Not Found
Checking for: inurl:backup intitle:index.of inurl:admin site:xxx.website
Not Found
Checking for: "Index of /backup" site:xxx.website
Not Found
Checking for: intitle:index.of.private site:xxx.website
Not Found
Checking for: inurl:index.of.protected site:xxx.website
Not Found
Checking for: intitle:index.of.protected site:xxx.website
Not Found
Checking for: intitle:index.of.secret site:xxx.website
Not Found
Checking for: intitle:"index.of.secure" site:xxx.website
Not Found
Checking for: intitle:index.of.winnt site:xxx.website
Not Found
Checking for: "Select a database to view" intitle:"filemaker pro" site:xxx.website
Not Found
Checking for: "Welcome to Intranet" site:xxx.website
Not Found
Checking for: "Welcome to PHP-Nuke" congratulations site:xxx.website
Not Found
Checking for: "YaBB SE Dev Team" site:xxx.website
Not Found
Checking for: allinurl:install/install.php site:xxx.website
Not Found
Checking for: intitle:"Gallery in Configuration mode" site:xxx.website
Not Found
Checking for: inurl:shop "Hassan Consulting's Shopping Cart Version 1.18" site:xxx.website
Not Found
Checking for: intitle:"osCommerce" inurl:admin filetype:php site:xxx.website
Not Found
Checking for: intitle:"Remote Desktop Web Connection" site:xxx.website
Not Found
Checking for: intitle:"Terminal Services Web Connection" site:xxx.website
Not Found
Checking for: inurl:footer.inc.php site:xxx.website
Not Found
Checking for: inurl:info.inc.php site:xxx.website
Not Found
Checking for: inurl:manyservers.htm site:xxx.website
Not Found
Checking for: inurl:search.php vbulletin site:xxx.website
Not Found
Checking for: "seeing this instead" intitle:"test page for apache" site:xxx.website
Not Found
Checking for: aboutprinter.shtml site:xxx.website
Not Found
Checking for: allintitle:Netscape FastTrack Server Home Page site:xxx.website
Not Found
Checking for: intitle:"Apache HTTP Server" intitle:"documentation" site:xxx.website
Not Found
Checking for: intitle:"Welcome to IIS 4.0" site:xxx.website
Not Found
Checking for: i_index.shtml "Ready" site:xxx.website
Not Found
Checking for: intitle:"Test Page for Apache" "It Worked!" site:xxx.website
Not Found
Checking for: intitle:"Test Page for Apache" "It Worked!" "on this web" site:xxx.website
Not Found
Checking for: inurl:tech-support inurl:show Cisco site:xxx.website
Not Found
Checking for: "powered by openbsd" +"powered by apache" site:xxx.website
Not Found
Checking for: intitle:admin intitle:login site:xxx.website
Not Found
Checking for: intitle:"Index of" index.html.bak site:xxx.website
Not Found
Checking for: intitle:"Index of" index.php.bak site:xxx.website
Not Found
Checking for: intitle:"Index of" index.html~ site:xxx.website
Not Found
Checking for: intitle:"Index of" index.php~ site:xxx.website
Not Found
Checking for: inurl:"MultiCameraFrame?Mode=" site:xxx.website
Not Found
--------------- Done--------------
criteria searched == "xxx.website"
Quite a good program if you ask me. I've already searched a couple of my own websites, nothing so far, but no news is good news :)
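The run pasted above is the only record a webmaster gets from SiteDigger, and when you scan several of your own sites you end up with a stack of these. The parser below is an added example (not SiteDigger's or Foundstone's code) for reading that plain-text format back in: it pairs each "Checking for:" line with the result line that follows it, strips the trailing site: operator so the bare signature is recoverable, and tolerates a check with no result line at all (there is one such gap in the pasted run, after the "An illegal character" signature). The sample run is constructed; the "Found: ..." line in it is an assumption about how a positive hit is printed, since the run above contains only "Not Found" lines. Function names are mine.

```python
import re

# Constructed sample in the shape of the SiteDigger run pasted in this thread.
# ASSUMPTION: a positive hit is reported as a single line other than "Not Found"
# directly after its "Checking for:" line; the real run above shows no hits.
SAMPLE_RUN = """\
Checking for: intitle:"Index of" secring.bak site:xxx.website
Not Found
Checking for: intitle:index.of master.passwd site:xxx.website
Not Found
Checking for: "An illegal character has been found in the statement" -"previous message" site:xxx.website
Checking for: "Can't connect to local" intitle:warning site:xxx.website
Not Found
Checking for: intitle:"Index of" ".htpasswd" htpasswd.bak site:xxx.website
Found: http://xxx.website/backup/
Checking for: intitle:"Index of" secring.bak site:xxx.website
Not Found
--------------- Done--------------
criteria searched == "xxx.website"
"""

CHECK_PREFIX = "Checking for: "
DONE_MARKER = "--------------- Done"
SITE_RE = re.compile(r"\s+site:(\S+)$")


def parse_run(text):
    """Return a list of (signature, target, result) tuples.

    signature: the query with its trailing 'site:<target>' removed
    target:    the value of the site: operator, or None if absent
    result:    'Not Found', the verbatim hit line, or None when the tool
               printed no result line for that check (as in the pasted run)
    """
    checks = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(DONE_MARKER) or line.startswith("criteria searched"):
            continue
        if line.startswith(CHECK_PREFIX):
            if current is not None:
                checks.append(tuple(current))  # previous check had no result line
            query = line[len(CHECK_PREFIX):]
            m = SITE_RE.search(query)
            target = m.group(1) if m else None
            signature = query[:m.start()] if m else query
            current = [signature, target, None]
        elif current is not None:
            current[2] = line
            checks.append(tuple(current))
            current = None
    if current is not None:
        checks.append(tuple(current))  # trailing check without a result line
    return checks


def summarize(checks):
    """Counts a defender cares about, plus how many signatures were repeated
    (the pasted run queries several signatures twice, which wastes API quota)."""
    counts = {"hit": 0, "not_found": 0, "unrecorded": 0, "duplicate_signatures": 0}
    for _sig, _target, result in checks:
        if result is None:
            counts["unrecorded"] += 1
        elif result == "Not Found":
            counts["not_found"] += 1
        else:
            counts["hit"] += 1
    sigs = [c[0] for c in checks]
    counts["duplicate_signatures"] = len(sigs) - len(set(sigs))
    return counts


def hits(checks):
    """The (signature, result line) pairs that need a human to look at them."""
    return [(sig, res) for sig, _t, res in checks if res is not None and res != "Not Found"]


if __name__ == "__main__":
    parsed = parse_run(SAMPLE_RUN)
    print(summarize(parsed))
    for sig, res in hits(parsed):
        print("investigate:", sig, "->", res)
```

Checks with result None are worth re-running rather than silently treating as clean: the tool moved on to the next signature without reporting anything, which is exactly what a transient Google API failure (the "WebAPI section is down" message mentioned earlier in the thread) would look like in the log.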
Soda_Popinsky
January 11th, 2005, 05:54 AM
Sitedigger is a wonderful tool, the new release has signatures from that johnny hack stuff site (w/e it's called)
I wrote a tut involving the old one, maybe it deserves an update:
http://www.antionline.com/showthread.php?s=&threadid=260714
thehorse13
January 11th, 2005, 03:40 PM
I too have used the SiteDigger tool when it was still under the control of Foundstone. I love the functionality of the tool but the original one would only allow you to scan a single domain. I understand the mentality of this approach but when you have 30 or so domains, it would be nice to be able to read in a config file that would parse through all the domains you want to test. Does the new build do this?
--TH13
Soda_Popinsky
January 11th, 2005, 04:35 PM
Nope-
The Google API key only allows you 1000 or so searches a day I believe, so x domains plus however many signatures might run out.
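Whether a multi-domain run fits under the per-key daily limit is a quick calculation, but the part worth automating is the bookkeeping around it. The following is an added example (not part of SiteDigger or this thread) that takes the kind of domain config file thehorse13 asks about, builds the per-domain query list from a signature list, removes repeated signatures first (the run pasted above queries several signatures twice), and splits the result into day-sized batches. The 1000-per-day figure is the one Soda_Popinsky quotes; the config format and function names are my own assumptions.

```python
import math

# The daily query limit quoted in the thread for one Google API key (assumption: treated as exact).
DAILY_QUOTA = 1000


def parse_domain_list(text):
    """One domain per line; blank lines and '#' comments are ignored and
    duplicate domains are dropped (constructed format, not SiteDigger's)."""
    seen = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and line not in seen:
            seen.append(line)
    return seen


def build_queries(domains, signatures):
    """One 'signature site:domain' query per (domain, signature) pair.
    Signatures are de-duplicated (order preserved) so repeats do not burn quota."""
    unique = list(dict.fromkeys(s.strip() for s in signatures if s.strip()))
    return [f"{sig} site:{dom}" for dom in domains for sig in unique]


def plan_batches(queries, quota=DAILY_QUOTA):
    """Split the query list into consecutive daily batches of at most `quota`."""
    if quota <= 0:
        raise ValueError("quota must be positive")
    return [queries[i:i + quota] for i in range(0, len(queries), quota)]


def days_needed(n_domains, n_signatures, quota=DAILY_QUOTA):
    """Calendar days a full run takes under the quota, before any retries."""
    return math.ceil(n_domains * n_signatures / quota)


if __name__ == "__main__":
    # Constructed inputs: a small domain config and three signatures from the pasted run,
    # one of them repeated to show the de-duplication.
    domains = parse_domain_list("# sites I administer\nexample.test\nsite2.test\n")
    sigs = ['intitle:"Index of" secring.bak', 'inurl:passlist.txt', 'intitle:"Index of" secring.bak']
    batches = plan_batches(build_queries(domains, sigs), quota=3)
    print(f"{len(batches)} day(s):", [len(b) for b in batches])
    print("30 domains x 100 signatures ->", days_needed(30, 100), "day(s)")
```

The planner deliberately does not send anything; it only tells you how many days a sweep of your own domains will take, so a scan that would exhaust the key halfway through can be split in advance instead of failing silently partway through the signature list.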
thehorse13
January 11th, 2005, 05:40 PM
I figured as much. Ahhh well. Thanks for the infoz. :)
--TH13
yourdeadin
January 15th, 2005, 06:28 AM
hey man cool, i kinda like this tool,
and by the way SODA, nice tut