-
March 21st, 2008, 08:34 PM
#1
Goolag - Automated Google hacking
From the SearchSecurity.com (TechTarget) March 21 Newsletter:
Those clever folks at Cult of the Dead Cow (cDc), previously most infamous for creating the Windows hacking tool "Back Orifice," have once again raised a rallying cry with their new tool, Goolag. Goolag allows security personnel and ruffians alike to make automated queries that test websites for hundreds of common security flaws.
Using a technique popularized by security researcher Johnny Long, the Google search engine is used to send specially crafted queries to websites, which often oblige by returning information that most security administrators would prefer remain hidden or fixed.
A typical example of such "Google hacking" would be to search for a particular PHP script used during development, but not removed from an operational system: inputting the phrase filetype:php inurl:"viewfile" -"index.php" -"idfil into Google unsurprisingly reveals a fair number of websites that fail to prevent such files from being viewed. This is but one of literally hundreds of security gaffes that Google can be used to uncover.
However, running hundreds of search queries one-by-one in order to "Google hack" a website can lead to carpal tunnel, which may be why cDc decided to automate the process by creating Goolag. The Goolag scanner is a standalone Windows application with a simple GUI. It uses a single XML-based configuration file for its settings. All the Google hacking queries (affectionately known as "dorks" within the industry) come with the distribution of the scanner and reside in a single file.
For those who have misgivings about installing software created by clever hackers, the cDc has published the full source code of Goolag; for the brave, simply download the executable and you can be Google hacking in mere minutes.
Running Goolag is simplicity itself, so resist the temptation to examine anything for which you don't have direct security responsibility. Then take the output of Goolag and get your Web developers busy fixing the flaws you will most likely find.
Scott Sidel is an ISSO with Lockheed Martin.
www.goolag.org... This is just too easy...
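An added example, not part of the original post, the newsletter text or Goolag's code: a way to check a URL inventory of your own site against a dork offline, without sending any queries to Google. The function names and the example.com URLs are constructed for illustration, and only the `inurl:` and `filetype:` operators are evaluated, since content terms cannot be checked from a URL alone.

```python
import shlex
from urllib.parse import urlsplit

# Query from the newsletter text; its truncated last term is left off.
PAGE_DORK = 'filetype:php inurl:"viewfile" -"index.php"'

# Constructed sample inventory (e.g. from a crawl or sitemap of your own site).
SAMPLE_URLS = [
    "https://www.example.com/index.php",
    "https://www.example.com/dev/viewfile.php?id=3",
    "https://www.example.com/docs/viewfile.html",
    "https://www.example.com/admin/ViewFile.PHP",
    "https://www.example.com/viewfile/readme.txt",
]

def parse_dork(query):
    """Split a dork into URL-checkable operators and the terms that are skipped."""
    rules = {"inurl": [], "filetype": [], "skipped": []}
    for token in shlex.split(query):          # shlex strips the quotes
        op, sep, value = token.partition(":")
        if sep and op.lower() in ("inurl", "filetype"):
            rules[op.lower()].append(value.lower())
        else:
            rules["skipped"].append(token)    # content terms, negations, etc.
    return rules

def url_matches(url, rules):
    """True if the URL satisfies every inurl:/filetype: rule of the dork."""
    if not (rules["inurl"] or rules["filetype"]):
        return False                          # nothing checkable: do not match all
    last = urlsplit(url).path.lower().rsplit("/", 1)[-1]
    ext = last.rpartition(".")[2] if "." in last else ""
    if rules["filetype"] and ext not in rules["filetype"]:
        return False
    return all(needle in url.lower() for needle in rules["inurl"])

def audit(urls, dorks):
    """Map each dork to the inventory URLs it would surface."""
    return {d: [u for u in urls if url_matches(u, parse_dork(d))] for d in dorks}

if __name__ == "__main__":
    for dork, hits in audit(SAMPLE_URLS, [PAGE_DORK]).items():
        print(dork)
        for url in hits:
            print("  exposed:", url)
```

URLs reported here are candidates for removal or access control before a search engine indexes them.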
-
March 21st, 2008, 08:47 PM
#2
OK, they may be "naughty boys" but they do have a sense of humour:
Warning:
This site may contain explicit descriptions of or advocate one or more of the following:
adultery, murder, morbid violence, bad grammar, deviant sexual conduct in violent contexts, or the consumption of alcohol and illegal drugs.
Then again, it may not.
And:
All Rights Reserved. Permission to use, copy, modify, and distribute this software and
its documentation for educational, research, and not-for-profit purposes,
without fee and under the terms of the GNU Affero General Public License, is
hereby granted, provided that the above copyright notice, this paragraph and
the following three paragraphs appear in all copies, modifications, and
distributions. It would also be nice, but not binding, if you sent us a
picture of your sister drunk and nekid.
-
March 21st, 2008, 11:57 PM
#3
Dude, I've just downloaded it. Nice little Unicorn and nice little GUI. Software seems to be pretty straight. Now it's time to see what this application can really do. Negative, thank you. 
Anyone else going to download this application? If so, what did you think of it and what did *YOU* use it for?
Last edited by Computernerd22; March 22nd, 2008 at 12:04 AM.
-
March 22nd, 2008, 04:47 AM
#4
I downloaded it, I ran it against my web server and it so far hasn't found anything, but I've only done three tests. I do realize the type of tool this is and don't really expect it to find anything, but it's good to be sure.
I may contact some friends who own bigger web servers and see if they'll let me test it but they have to OK it first.
-
March 23rd, 2008, 03:24 AM
#5
Does it run on loonix? I don't wanna install it on my
daughter's Windows box. It might turn her into a
H-word.
I came in to the world with nothing. I still have most of it.
-
March 23rd, 2008, 04:18 AM
#6
In Lubbock, TX, they don't do this thing called loonix yet.
Windows versions only at the moment. Stay tuned for releases on other platforms.
Last edited by Negative; March 23rd, 2008 at 05:23 AM.
-
March 23rd, 2008, 05:46 AM
#7
Hey Hey,
I wanted to add my two cents.
While I see this as "useful" in some ways... I don't think the "automated" portion is part of it. What did cDc do? They took a list of checks ("google dorks") developed by others and wrapped them in a UI. Nothing overly fancy about that... and it's been done before, Foundstone released a similar tool, SiteDigger, several years ago (2005).
There's also a bit of a difference, SiteDigger requires a Google API Key, which means you can run a large batch of queries at once... With Goolag you are limited to a couple of queries because Google will then blacklist your IP (since Goolag doesn't use the API Key).
I've seen suggestions from both cDc and popular media suggesting that Goolag be used by enterprises to check for vulnerabilities. This is a horrible suggestion as it will lead to entire enterprises having their IPs blacklisted. If you make use of Google a great deal to do your job, think of what would happen if everyone in your company suddenly couldn't access Google.
The tool is coming to fruition too late and too flawed.
-
March 23rd, 2008, 05:54 AM
#8
I saw some warnings about IP blacklisting, but I have yet to see Google actually do it. What happens with some Goolag queries is that you're directed to a "We're sorry" Google page where you're asked to fill out the CAPTCHA - the API key you mention, I assume, makes sure you don't have to do that (which is obviously an advantage over Goolag).
Just to make sure, I ran over 10K goolag queries against various sites (all mine) - all I get is the Google CAPTCHA request... just wondering how many queries you have to run before Google blacklists your IP...
-
March 23rd, 2008, 06:13 AM
#9
Out of curiosity, how many of those goolag queries were successful and how many of them failed because the Google CAPTCHA request comes up and the software doesn't handle it?
As for being blacklisted... My tests with Goolag have also only resulted in the Google CAPTCHA... What I've been told is that people who scan, do the CAPTCHA, and repeat multiple times end up blacklisted.
-
March 23rd, 2008, 03:42 PM
#10
I didn't do all the CAPTCHAs (there's just too many) - probably 50 or so before I gave up... after that, I just canceled them all...