Goolag - Automated Google hacking

Thread: Goolag - Automated Google hacking

  1. #1
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424

    Goolag - Automated Google hacking

    From the SearchSecurity.com (TechTarget) March 21 Newsletter:


    Those clever folks at Cult of the Dead Cow (cDc), previously most infamous for creating the Windows hacking tool "Back Orifice," have once again raised a rallying cry with their new tool, Goolag. Goolag allows security personnel and ruffians alike to make automated queries that test websites for hundreds of common security flaws.

    Using a technique popularized by security researcher Johnny Long, the Google search engine is used to send specially crafted queries to websites, which often oblige by returning information that most security administrators would prefer remain hidden or fixed.

    A typical example of such "Google hacking" would be to search for a particular PHP script used during development, but not removed from an operational system: inputting the phrase filetype:php inurl:"viewfile" -"index.php" -"idfil into Google unsurprisingly reveals a fair number of websites that fail to prevent such files from being viewed. This is but one of literally hundreds of security gaffes that Google can be used to uncover.

    However, running hundreds of search queries one-by-one in order to "Google hack" a website can lead to carpal tunnel, which may be why cDc decided to automate the process by creating Goolag. The Goolag scanner is a standalone Windows application with a simple GUI. It uses a single XML-based configuration file for its settings. All the Google hacking queries (affectionately known as "dorks" within the industry) come with the distribution of the scanner and reside in a single file.

    For those who have misgivings about installing software created by clever hackers, the cDc has published the full source code of Goolag; for the brave, simply download the executable and you can be Google hacking in mere minutes.

    Running Goolag is simplicity itself, so resist the temptation to examine anything for which you don't have direct security responsibility. Then take the output of Goolag and get your Web developers busy fixing the flaws you will most likely find.

    Scott Sidel is an ISSO with Lockheed Martin.
    www.goolag.org... This is just too easy...

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    OK, they may be "naughty boys" but they do have a sense of humour:

    Warning:

    This site may contain explicit descriptions of or advocate one or more of the following:

    adultery, murder, morbid violence, bad grammar, deviant sexual conduct in violent contexts, or the consumption of alcohol and illegal drugs.

    Then again, it may not.
    And:
    All Rights Reserved. Permission to use, copy, modify, and distribute this software and
    its documentation for educational, research, and not-for-profit purposes,
    without fee and under the terms of the GNU Affero General Public License, is
    hereby granted, provided that the above copyright notice, this paragraph and
    the following three paragraphs appear in all copies, modifications, and
    distributions. It would also be nice, but not binding, if you sent us a
    picture of your sister drunk and nekid.


  3. #3
    AO's MMA Fanatic! Computernerd22's Avatar
    Join Date
    Mar 2003
    Location
    Miami, FL
    Posts
    795
    Dude, I've just downloaded it. Nice little Unicorn and nice little GUI. Software seems to be pretty straight. Now it's time to see what this application can really do. Negative, thank you.

    Anyone else going to download this application? If so, what did you think of it and what did *YOU* use it for?
    Last edited by Computernerd22; March 22nd, 2008 at 01:04 AM.

  4. #4
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    I downloaded it, I ran it against my web server and it so far hasn't found anything, but I've only done three tests. I do realize the type of tool this is and don't really expect it to find anything, but it's good to be sure.

    I may contact some friends who own bigger web servers and see if they'll let me test it but they have to OK it first.

  5. #5
    AO Curmudgeon rcgreen's Avatar
    Join Date
    Nov 2001
    Posts
    2,716
    Does it run on loonix? I don't wanna install it on my
    daughter's Windows box. It might turn her into a
    H-word.
    I came in to the world with nothing. I still have most of it.

  6. #6
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    In Lubbock, TX, they don't do this thing called loonix yet.

    Windows versions only at the moment. Stay tuned for releases on other platforms.
    Last edited by Negative; March 23rd, 2008 at 06:23 AM.

  7. #7
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    I wanted to add my two cents.

    While I see this as "useful" in some ways... I don't think the "automated" portion is part of it. What did cDc do? They took a list of checks ("google dorks") developed by others and wrapped them in a UI. Nothing overly fancy about that... and it's been done before, Foundstone released a similar tool, SiteDigger, several years ago (2005).

    There's also a bit of a difference, SiteDigger requires a Google API Key, which means you can run a large batch of queries at once... With Goolag you are limited to a couple of queries because Google will then blacklist your IP (since Goolag doesn't use the API Key).

    I've seen suggestions from both cDc and popular media suggesting that Goolag be used by enterprises to check for vulnerabilities. This is a horrible suggestion as it will lead to entire enterprises having their IPs blacklisted. If you make use of Google a great deal to do your job, think of what would happen if everyone in your company suddenly couldn't access Google.

    The tool is coming to fruition too late and too flawed.
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  8. #8
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    I saw some warnings about IP blacklisting, but I have yet to see Google actually do it. What happens with some Goolag queries is that you're directed to a "We're sorry" Google page where you're asked to fill out the CAPTCHA - the API key you mention, I assume, makes sure you don't have to do that (which is obviously an advantage over Goolag).

    Just to make sure, I ran over 10K goolag queries against various sites (all mine) - all I get is the Google CAPTCHA request... just wondering how many queries you have to run before Google blacklists your IP...

  9. #9
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Out of curiosity, how many of those goolag queries were successful and how many of them failed because the Google CAPTCHA request comes up and the software doesn't handle it?

    As for being blacklisted... My tests with Goolag have also only resulted in the Google CAPTCHA... What I've been told is that people who scan, do the CAPTCHA, and repeat multiple times end up blacklisted.

  10. #10
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    I didn't do all the CAPTCHAs (there's just too many) - probably 50 or so before I gave up... after that, I just canceled them all...
