Facebook Secrets. Google Search Secrets. Special purpose commands Your name intitle all user publications information

Good day. Today we’ll talk about protection and access to CCTV cameras. There are quite a lot of them and they are used for different purposes. As always, we will use a standard database that will allow us to find such cameras and select passwords for them.

Theory

Most devices are not configured or updated after installation. Therefore, our target audience is located under the popular ports 8000, 8080 and 554. If you need to scan the network, it is better to immediately select these ports.

Method No. 1

For a clear example, you can look at interesting queries in the Shodan and Censys search engines. Let's look at some illustrative examples with simple queries.

has_screenshot:true port:8000 // 183 results;
has_screenshot:true port:8080 // 1025 results;
has_screenshot:true port:554 // 694 results;

In this simple way you can access a large number of open cameras, which are located in interesting places: shops, hospitals, gas stations, etc. Let's look at a few interesting options for clarity.

A doctor's waiting room

Private somewhere in the depths of Europe

A class somewhere in Chelyabinsk

A women's clothing store

In this simple way you can find quite a lot of interesting objects to which access is open. Don't forget that you can use the country filter to get data by country.

has_screenshot:true port:8000 country:ru
has_screenshot:true port:8080 country:ru
has_screenshot:true port:554 country:ru

Method No. 2

You can use the search for standard social networks. To do this, it is better to use page headers when viewing images from cameras, here is a selection of the most interesting options:

inurl:/view.shtml
inurl:ViewerFrame?Mode=
inurl:ViewerFrame?Mode=Refresh
inurl:view/index.shtml
inurl:view/view.shtml
intitle:"live view" intitle:axis
intitle:liveapplet
allintitle:"Network Camera Network Camera"
intitle:axis intitle:"video server"
intitle:liveapplet inurl:LvAppl
intitle:"EvoCam" inurl:"webcam.html"
intitle:"Live NetSnap Cam-Server feed"
intitle:"Live View / - AXIS 206M"
intitle:"Live View / - AXIS 206W"
intitle:"Live View / - AXIS 210"
inurl:indexFrame.shtml Axis
intitle:start inurl:cgistart
intitle:"WJ-NT104 Main Page"
intitle:snc-z20 inurl:home/
intitle:snc-cs3 inurl:home/
intitle:snc-rz30 inurl:home/
intitle:"sony network camera snc-p1"
intitle:"sony network camera snc-m1"
intitle:"Toshiba Network Camera" user login
intitle:"i-Catcher Console - Web Monitor"

Reaping the benefits and finding the airport

Company office

Add another port to the collection and you can complete

Method No. 3

This method is targeted. It is used when we either have one point and need to guess a password, or we want to run a database using standard passwords and find valid results. Hydra is perfect for these purposes. To do this, you need to prepare a dictionary. You can go through and look for standard passwords for routers.

Let's look at a specific example. There is a camera model, DCS-2103. It occurs quite often. It works through port 80. Let's use the corresponding data and find the necessary information in Shodan. Next, we collect all the IPs of potential targets that are interesting to us. Next, we create a list. Let's collect a list of passwords and use it all using the hydra utility. To do this, we need to add a dictionary and a list of IPs to the folder and run the following command:

hydra -l admin -P pass.txt -o good.txt -t 16 -vV -M targets.txt http-get

The root folder should contain a file pass.txt with passwords. We use a single login, admin, with the -l parameter; if you need to set a dictionary for logins, add a file to the root directory and register it with the -L parameter. The selected results will be saved in the file good.txt. The list of IP addresses must be added to the root directory as the targets.txt file. The last word in the command, http-get, is responsible for connecting via port 80.

Example of the program

Entering the command and getting started

At the end I would like to add some information about scanning. To get network numbers you can use an excellent service. Next, these networks need to be checked for the presence of the ports we need. I won’t recommend scanners, but I will say that it’s worth moving towards such and similar scanners as masscan, vnc scanner and others. You can write it based on the well-known nmap utility. The main task is to scan the range and find active IPs with the necessary ports.

Conclusion

Remember that in addition to standard viewing, you can also take photos, record videos and download them for yourself. You can also control the camera and rotate it in the desired directions. And the most interesting thing is the ability to turn on sounds and speak on some cameras. What can I recommend here? Set a strong access password and be sure to forward ports.
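
From the camera owner's side, the dictionary run described in Method No. 3 appears in the access log of the device (or of a reverse proxy in front of it) as a burst of 401 responses from one address. The following Python detector is an added example, not part of the original article; it assumes logs in the common "combined" format, and the threshold, window, function names and sample lines are illustrative and constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Matches the start of an Apache/nginx "combined" log line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, status) or None if the line is not in combined format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FORMAT), int(m["status"])


def detect_bruteforce(lines, threshold=10, window_seconds=60):
    """Flag source IPs with >= threshold HTTP 401 responses inside a sliding window.

    For every flagged IP the result records when the threshold was first crossed,
    the highest number of failures seen in one window, and the time of the first
    200 response after the alert (a possible successful guess that needs review).
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of 401s still inside the window
    findings = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of failing the whole run
        ip, ts, status = parsed
        if status == 401:
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(
                    ip, {"first_alert": ts, "peak_failures": 0, "success_after": None}
                )
                f["peak_failures"] = max(f["peak_failures"], len(q))
        elif status == 200 and ip in findings and findings[ip]["success_after"] is None:
            findings[ip]["success_after"] = ts
    return findings


def build_sample_log():
    """Constructed sample log (documentation IP ranges, not real traffic)."""
    base = datetime(2024, 3, 12, 10, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(ip, offset, status):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FORMAT)
        lines.append(f'{ip} - - [{ts}] "GET / HTTP/1.1" {status} 512 "-" "-"')

    # 40 failed logins at 16 per second, matching the -t 16 parallelism above.
    for i in range(40):
        add("203.0.113.7", i // 16, 401)
    add("203.0.113.7", 3, 200)      # a success right after the burst
    # An ordinary user who mistypes the password twice must not be flagged.
    add("198.51.100.20", 5, 401)
    add("198.51.100.20", 9, 401)
    add("198.51.100.20", 14, 200)
    return lines


if __name__ == "__main__":
    for ip, info in detect_bruteforce(build_sample_log()).items():
        print(ip, info["peak_failures"], "failures; success after alert:",
              info["success_after"])
```

A non-empty success_after value is the case to escalate: the same address received a 200 after the alert, so the account's password should be treated as compromised and changed.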

And today I will tell you about another search engine that is used by pentesters/hackers - Google, or more precisely about the hidden capabilities of Google.

What are Google Dorks?

Google Dork or Google Dork Queries (GDQ) is a set of queries for identifying the worst security holes: anything that is not properly hidden from search robots.

For brevity, such requests are called Google dorks or simply dorks, like those admins whose resources were hacked using GDQ.

Google Operators

To begin with, I would like to provide a small list of useful Google commands. Among all the Google advanced search commands, we are mainly interested in these four:

  • site - search on a specific site;
  • inurl - indicate that the searched words should be part of the page/site address;
  • intitle - search operator in the title of the page itself;
  • ext or filetype - search for files of a specific type by extension.

Also, when creating Dork, you need to know several important operators, which are specified by special characters.

  • | - the OR operator, also known as a vertical bar (logical or), indicates that you need to display results containing at least one of the words listed in the query.
  • "" - the quote operator indicates an exact match.
  • - - the minus operator is used to exclude results containing the words specified after the minus.
  • * - the asterisk operator is used as a mask and means “anything.”

Where to find Google Dorks

The most interesting dorks are the fresh ones, and the freshest ones are those that the pentester found himself. True, if you get too carried away with experiments, you will be banned from Google... until you enter the captcha.

If you don’t have enough imagination, you can try to find fresh dorks on the Internet. The best site to find dorks is Exploit-DB.

The Exploit-DB online service is a non-profit Offensive Security project. If anyone is not aware, this company provides training in the field of information security and also provides pentesting services.

The Exploit-DB database contains a huge number of dorks and vulnerabilities. To search for dorks, go to exploit-db.com and go to the “Google Hacking Database” tab.

The database is updated daily. At the top you can find the latest additions. On the left side is the date the dork was added, name and category.


Exploit-DB website

At the bottom you will find dorks sorted by category.


Exploit-DB website

Another good site is google-dorking.com. There you can often find interesting, new dorks that don’t always end up on Exploit-DB.

Examples of using Google Dorks

Here are examples of dorks. When experimenting with dorks, do not forget about the disclaimer!

This material is for informational purposes only. It is addressed to information security specialists and those who are planning to become one. The information presented in this article is provided for informational purposes only. Neither the editors of the website www.site nor the author of the publication bear any responsibility for any harm caused by the material in this article.

Dorks for finding website problems

Sometimes it is useful to study the structure of a site by obtaining a list of files on it. If the site is made on the WordPress engine, then the repair.php file stores the names of other PHP scripts.

The inurl tag tells Google to search for the first word in the body of the link. If we had written allinurl, the search would have occurred throughout the entire body of the link, and the search results would have been more cluttered. Therefore, it is enough to make a request like this:

inurl:/maint/repair.php?repair=1

As a result, you will receive a list of WP sites whose structure can be viewed via repair.php.


Studying the structure of a website on WP

WordPress causes a lot of problems for administrators with undetected configuration errors. From the open log you can find out at least the names of the scripts and downloaded files.

inurl:"wp-content/uploads/file-manager/log.txt"

In our experiment, a simple request allowed us to find a direct link to the backup in the log and download it.


Finding valuable information in WP logs

A lot of valuable information can be gleaned from logs. It is enough to know what they look like and how they differ from the mass of other files. For example, an open source database interface called pgAdmin creates a service file pgadmin.log. It often contains usernames, database column names, internal addresses, and the like.

The log is found with a simple query:

ext:log inurl:"/pgadmin"

There is an opinion that open source is safe code. However, the openness of source codes in itself only means the opportunity to explore them, and the goals of such research are not always good.

For example, Symfony Standard Edition is popular among frameworks for developing web applications. When deployed, it automatically creates a parameters.yml file in the /app/config/ directory, where it saves the database name, as well as login and password.

You can find this file using the following query:

inurl:app/config/ intext:parameters.yml intitle:index.of


Another file with passwords

Of course, the password could then be changed, but most often it remains the same as it was set at the deployment stage.

The open source UniFi API browser tool is increasingly used in corporate environments. It is used to manage segments of wireless networks created according to the “seamless Wi-Fi” principle. That is, in an enterprise network deployment scheme in which many access points are controlled from a single controller.

The utility is designed to display data requested through Ubiquiti's UniFi Controller API. With its help, it is easy to view statistics, information about connected clients, and other information about the server’s operation via the UniFi API.

The developer honestly warns: “Please do keep in mind this tool exposes A LOT OF the information available in your controller, so you should somehow restrict access to it! There are no security controls built into the tool...". But many people don't seem to take these warnings seriously.

Knowing about this feature and asking another specific query, you will see a lot of service data, including application keys and passphrases.

inurl:"/api/index.php" intitle:UniFi

General search rule: first we determine the most specific words that characterize the selected target. If this is a log file, then what distinguishes it from other logs? If this is a file with passwords, then where and in what form can they be stored? Marker words are always found in some specific place - for example, in the title of a web page or its address. By limiting your search area and specifying precise markers, you will get raw search results. Then clean them of debris by refining the query.

Dorks for searching open NAS

Home and office network storage is popular nowadays. The NAS function is supported by many external drives and routers. Most of their owners don’t bother with security and don’t even change default passwords like admin/admin. You can find popular NAS by the typical titles of their web pages. For example, the request:

intitle:"Welcome to QNAP Turbo NAS"

will display a list of NAS IPs made by QNAP. All that remains is to find the weakest one among them.

The QNAP cloud service (like many others) has the function of providing file sharing via a private link. The problem is that it's not that closed.

inurl:share.cgi?ssid=


Finding shared files

This simple query shows files shared through the QNAP cloud. They can be viewed directly from the browser or downloaded for more detailed information.

Dorks for searching IP cameras, media servers and web admin panels

In addition to NAS, you can find a ton of other web-managed network devices with advanced Google queries.

The most common way to do this is CGI scripts, so the main.cgi file is a promising target. However, it can occur anywhere, so it is better to refine the query.

For example, by adding the standard call ?next_file to it. As a result, we get a dork like:

inurl:"img/main.cgi?next_file"

In addition to cameras, there are similarly media servers that are open to anyone and everyone. This is especially true for Twonky servers manufactured by Lynx Technology. They have a very recognizable name and default port 9000.

For cleaner search results, it is better to indicate the port number in the URL and exclude it from the text part of web pages. The request takes the form

intitle:"twonky server" inurl:"9000" -intext:"9000"


Video library by year

Typically, a Twonky server is a huge media library that shares content via UPnP. Authorization for them is often disabled “for convenience.”

Dorks for searching for vulnerabilities

Big data is a buzzword now: it is believed that if you add Big Data to anything, it will magically begin to work better. In reality, there are very few real experts on this topic, and with the default configuration, big data leads to large vulnerabilities.

Hadoop is one of the simplest ways to compromise tera- and even petabytes of data. This open-source platform contains well-known headers, port numbers and service pages that make it easy to find the nodes it manages.

intitle:"Namenode information" AND inurl:":50070/dfshealth.html"


Big Data? Big vulnerabilities!

With this concatenation query we get search results with a list of vulnerable Hadoop-based systems. You can browse the HDFS file system directly from your browser and download any file.

Google Dorks is a powerful tool for any penetration tester, which not only an information security specialist, but also an ordinary network user should know about.

How to search correctly using google.com

Everyone probably knows how to use a search engine like Google =) But not everyone knows that if you compose a search query correctly using special constructions, you can find what you are looking for much more efficiently and quickly =) In this article I will try to show what you need to do to search correctly.

Google supports several advanced search operators that have special meaning when searching on google.com. Typically, these operators change the search, or even tell Google to do completely different types of searches. For example, the construction link: is a special operator, and the query link:www.google.com will not give you a normal search, but will instead find all web pages that have links to google.com.

Alternative request types

cache: If you include other words in your query, Google will highlight those included words within the cached document.
For example, cache:www.web site will show the cached content with the word "web" highlighted.

link: The search query above will show web pages that contain links to the specified query.
For example: link:www.site will display all pages that have a link to http://www.site

related: Displays web pages that are “related” to the specified web page.
For example, related: www.google.com will list web pages that are similar to Google's home page.

info: Query Information: will present some of the information Google has about the web page you are requesting.
For example, info:website will show information about our forum =) (Armada - Adult Webmasters Forum).

Other information requests

define: The define: query will provide a definition of the words you enter after it, collected from various online sources. The definition will be for the entire phrase entered (that is, it will include all words in the exact query).

stocks: If you start a query with stocks: Google will process the rest of the query terms as stock symbols, and link to a page showing ready-made information for these symbols.
For example, stocks:Intel yahoo will show information about Intel and Yahoo. (Note that you should type ticker symbols, not the company name.)

Query Modifiers

site: If you include site: in your query, Google will limit the results to those websites it finds in that domain.
You can also search by individual zones, such as ru, org, com, etc ( site:com site:ru)

allintitle: If you run a query with allintitle:, Google will limit the results to all the query words in the title.
For example, allintitle: google search will return all Google pages by search such as images, Blog, etc

intitle: If you include intitle: in your query, Google will limit the results to documents containing that word in the title.
For example, intitle:Business

allinurl: If you run a query with allinurl: Google will limit the results to all query words in the URL.
For example, allinurl: google search will return documents with google and search in the URL. Also, as an option, you can separate words with a slash (/); then the words on both sides of the slash will be searched for within the same page. Example: allinurl: foo/bar

inurl: If you include inurl: in your query, Google will limit the results to documents containing that word in the URL.
For example, Animation inurl:site

intext: searches for the specified word only in the text of the page, ignoring the title, the texts of links and other unrelated elements. There is also a derivative of this modifier, allintext:, i.e. all subsequent words in the query will be searched for only in the text, which can also be important, ignoring frequently used words in links.
For example, intext:forum

daterange: searches in a time frame (daterange:2452389-2452389), dates for times are indicated in Julian format.

Well, and all sorts of interesting examples of queries

Examples of writing queries for Google. For spammers

Inurl:control.guest?a=sign

Site:books.dreambook.com “Homepage URL” “Sign my” inurl:sign

Site:www.freegb.net Homepage

Inurl:sign.asp “Character Count”

“Message:” inurl:sign.cfm “Sender:”

Inurl:register.php “User Registration” “Website”

Inurl:edu/guestbook “Sign the Guestbook”

Inurl:post “Post Comment” “URL”

Inurl:/archives/ “Comments:” “Remember info?”

“Script and Guestbook Created by:” “URL:” “Comments:”

Inurl:?action=add “phpBook” “URL”

Intitle:"Submit New Story"

Magazines

Inurl:www.livejournal.com/users/ mode=reply

Inurl greatestjournal.com/ mode=reply

Inurl:fastbb.ru/re.pl?

Inurl:fastbb.ru /re.pl? "Guest book"

Blogs

Inurl:blogger.com/comment.g?”postID””anonymous”

Inurl:typepad.com/ “Post a comment” “Remember personal info?”

Inurl:greatestjournal.com/community/ “Post comment” “addresses of anonymous posters”

“Post comment” “addresses of anonymous posters” -

Intitle:"Post comment"

Inurl:pirillo.com “Post comment”

Forums

Inurl:gate.html?”name=Forums” “mode=reply”

Inurl:”forum/posting.php?mode=reply”

Inurl:"mes.php?"

Inurl:”members.html”

Inurl:forum/memberlist.php?”

Obtaining private data does not always mean hacking - sometimes it is published publicly. Knowledge of Google settings and a little ingenuity will allow you to find a lot of interesting things - from credit card numbers to FBI documents.

WARNING

All information is provided for informational purposes only. Neither the editors nor the author are responsible for any possible harm caused by the materials of this article.

Today, everything is connected to the Internet, with little concern for restricting access. Therefore, many private data become the prey of search engines. Spider robots are no longer limited to web pages, but index all content available on the Internet and constantly add non-public information to their databases. Finding out these secrets is easy - you just need to know how to ask about them.

Looking for files

In capable hands, Google will quickly find everything that is not found on the Internet, for example, personal information and files for official use. They are often hidden like a key under a rug: there are no real access restrictions, the data simply lies on the back of the site, where no links lead. The standard Google web interface provides only basic advanced search settings, but even these will be sufficient.

You can limit your Google search to a specific type of file using two operators: filetype and ext. The first specifies the format that the search engine determined from the file header, the second specifies the file extension, regardless of its internal content. When searching in both cases, you only need to specify the extension. Initially, the ext operator was convenient to use in cases where the file did not have specific format characteristics (for example, to search for ini and cfg configuration files, which could contain anything). Now Google's algorithms have changed, and there is no visible difference between the operators - in most cases the results are the same.


Filtering the results

By default, Google searches for words and, in general, any entered characters in all files on indexed pages. You can limit the search area by top-level domain, a specific site, or by the location of the search sequence in the files themselves. For the first two options, use the site operator, followed by the name of the domain or selected site. In the third case, a whole set of operators allows you to search for information in service fields and metadata. For example, allinurl will find the given one in the body of the links themselves, allinanchor - in the text equipped with the tag , allintitle - in page titles, allintext - in the body of pages.

For each operator there is a lightweight version with a shorter name (without the prefix all). The difference is that allinurl will find links with all words, and inurl will only find links with the first of them. The second and subsequent words from the query can appear anywhere on web pages. The inurl operator also differs from another operator with a similar meaning - site. The first also allows you to find any sequence of characters in a link to the searched document (for example, /cgi-bin/), which is widely used to find components with known vulnerabilities.

Let's try it in practice. We take the allintext filter and make the request produce a list of numbers and verification codes of credit cards that will expire only in two years (or when their owners get tired of feeding everyone).

Allintext: card number expiration date /2017 cvv

When you read in the news that a young hacker “hacked into the servers” of the Pentagon or NASA, stealing classified information, in most cases we are talking about just such a basic technique of using Google. Suppose we are interested in a list of NASA employees and their contact information. Surely such a list is available in electronic form. For convenience or due to oversight, it may also be on the organization’s website itself. It is logical that in this case there will be no links to it, since it is intended for internal use. What words can be in such a file? At a minimum - the “address” field. Testing all these assumptions is easy.


Inurl:nasa.gov filetype:xlsx "address"


We use bureaucracy

Finds like this are a nice touch. A truly solid catch is provided by a more detailed knowledge of Google's operators for webmasters, the Network itself, and the peculiarities of the structure of what is being sought. Knowing the details, you can easily filter the results and refine the properties of the necessary files in order to get truly valuable data in the rest. It's funny that bureaucracy comes to the rescue here. It produces standard formulations that are convenient for searching for secret information accidentally leaked onto the Internet.

For example, the Distribution statement stamp, required by the US Department of Defense, means standardized restrictions on the distribution of a document. The letter A denotes public releases in which there is nothing secret; B - intended only for internal use, C - strictly confidential, and so on until F. The letter X stands out separately, which marks particularly valuable information representing a state secret of the highest level. Let those who are supposed to do this on duty search for such documents, and we will limit ourselves to files with the letter C. According to DoDI directive 5230.24, this marking is assigned to documents containing a description of critical technologies that fall under export control. You can find such carefully protected information on sites in the top-level domain .mil, allocated for the US Army.

"DISTRIBUTION STATEMENT C" inurl:navy.mil

It is very convenient that the .mil domain contains only sites from the US Department of Defense and its contract organizations. Search results with a domain restriction are exceptionally clean, and the titles speak for themselves. Searching for Russian secrets in this way is practically useless: chaos reigns in the domains .ru and .rf, and the names of many weapons systems sound like botanical ones (PP “Kiparis”, self-propelled guns “Akatsia”) or even fabulous (TOS “Buratino”).


By carefully studying any document from a site in the .mil domain, you can see other markers to refine your search. For example, a reference to the export restrictions “Sec 2751”, which is also convenient for searching for interesting technical information. From time to time it is removed from official sites where it once appeared, so if you cannot follow an interesting link in the search results, use Google’s cache (cache operator) or the Internet Archive site.

Climbing into the clouds

In addition to accidentally declassified government documents, links to personal files from Dropbox and other data storage services that create “private” links to publicly published data occasionally pop up in Google's cache. It’s even worse with alternative and homemade services. For example, the following query finds data for all Verizon customers who have an FTP server installed and actively using their router.

Allinurl:ftp:// verizon.net

There are now more than forty thousand such smart people, and in the spring of 2015 there were many more of them. Instead of Verizon.net, you can substitute the name of any well-known provider, and the more famous it is, the larger the catch can be. Through the built-in FTP server, you can see files on an external storage device connected to the router. Usually this is a NAS for remote work, a personal cloud, or some kind of peer-to-peer file downloading. All contents of such media are indexed by Google and other search engines, so you can access files stored on external drives via a direct link.

Looking at the configs

Before the widespread migration to the cloud, simple FTP servers ruled as remote storage, which also had a lot of vulnerabilities. Many of them are still relevant today. For example, the popular WS_FTP Professional program stores configuration data, user accounts and passwords in the ws_ftp.ini file. It is easy to find and read, since all records are saved in text format, and passwords are encrypted with the Triple DES algorithm after minimal obfuscation. In most versions, simply discarding the first byte is sufficient.

It is easy to decrypt such passwords using the WS_FTP Password Decryptor utility or a free web service.

When talking about hacking an arbitrary website, they usually mean obtaining a password from logs and backups of configuration files of CMS or e-commerce applications. If you know their typical structure, you can easily indicate the keywords. Lines like those found in ws_ftp.ini are extremely common. For example, in Drupal and PrestaShop there is always a user identifier (UID) and a corresponding password (pwd), and all information is stored in files with the .inc extension. You can search for them as follows:

"pwd=" "UID=" ext:inc

Revealing DBMS passwords

In the configuration files of SQL servers, user names and email addresses are stored in clear text, and their MD5 hashes are written instead of passwords. Strictly speaking, it is impossible to decrypt them, but you can find a match among the known hash-password pairs.

There are still DBMSs that do not even use password hashing. The configuration files of any of them can simply be viewed in the browser.

Intext:DB_PASSWORD filetype:env

With the advent of Windows servers, the place of configuration files was partially taken by the registry. You can search through its branches in exactly the same way, using reg as the file type. For example, like this:

Filetype:reg HKEY_CURRENT_USER "Password"=

Let's not forget the obvious

Sometimes it is possible to get to classified information using data that was accidentally opened and came to the attention of Google. The ideal option is to find a list of passwords in some common format. Only desperate people can store account information in a text file, Word document or Excel spreadsheet, but there is always enough of them.

Filetype:xls inurl:password

On the one hand, there are plenty of ways to prevent such incidents. It is necessary to specify adequate access rights in htaccess, patch the CMS, not use dubious scripts and close other holes. There is also the robots.txt file, a list of exclusions that prohibits search engines from indexing the files and directories specified in it. On the other hand, if the structure of robots.txt on some server differs from the standard one, then it immediately becomes clear what they are trying to hide on it.

The list of directories and files on any site is preceded by the standard index of. Since for service purposes it must appear in the title, it makes sense to limit its search to the intitle operator. Interesting things are in the /admin/, /personal/, /etc/ and even /secret/ directories.
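
An added example for site owners (not from the original article): it walks a local copy of a web root and reports the files that the queries quoted on this page would surface, so they can be moved out of the document root or blocked before a crawler indexes them. The rule list, function names and sample tree are assumptions made for illustration, and all sample files are constructed.

```python
import os
import re
import tempfile

# (label, regex on the path relative to the web root, regex on file content or None).
# Each rule mirrors one query quoted on this page; the rule set itself is illustrative.
RULES = [
    ("Symfony parameters.yml", r"(^|/)app/config/parameters\.yml$", None),
    ("env file containing DB_PASSWORD", r"(^|/)[^/]*\.env$", r"DB_PASSWORD"),
    ("WS_FTP configuration", r"(^|/)ws_ftp\.ini$", None),
    (".inc file containing pwd= and UID=", r"\.inc$", r"(?s)(?=.*pwd=)(?=.*UID=)"),
    ("pgAdmin log", r"pgadmin.*\.log$", None),
    ("WordPress file-manager log", r"wp-content/uploads/file-manager/log\.txt$", None),
    ("registry export containing a password value", r"\.reg$", r'"Password"='),
    ("spreadsheet with 'password' in its URL", r"password.*\.xlsx?$", None),
]
COMPILED = [(label, re.compile(p, re.I), re.compile(c) if c else None)
            for label, p, c in RULES]


def read_text(path, limit=1_000_000):
    """Read up to `limit` bytes as text; regedit exports are usually UTF-16 with a BOM."""
    with open(path, "rb") as fh:
        data = fh.read(limit)
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16", errors="replace")
    return data.decode("latin-1")


def audit_webroot(root):
    """Return a sorted list of (relative_path, label) for files matching a rule."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):  # os.walk also visits dotfiles
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            for label, path_re, content_re in COMPILED:
                if not path_re.search(rel):
                    continue
                if content_re and not content_re.search(read_text(full)):
                    continue  # name matches but the content is harmless
                findings.append((rel, label))
    return sorted(findings)


def build_sample_webroot(root):
    """Create a constructed sample tree (placeholder values only) under `root`."""
    reg = ('Windows Registry Editor Version 5.00\r\n\r\n'
           '[HKEY_CURRENT_USER\\Software\\ExampleApp]\r\n"Password"="example"\r\n')
    samples = {
        "index.html": b"<h1>ok</h1>",
        ".env": b"DB_HOST=localhost\nDB_PASSWORD=example\n",
        "config/settings.env": b"APP_DEBUG=false\n",
        "app/config/parameters.yml": b"parameters:\n    database_password: example\n",
        "ftp/WS_FTP.INI": b"[site]\nUID=example\n",
        "includes/db.inc": b"<?php $dsn = 'UID=app;pwd=example'; ?>",
        "includes/header.inc": b"<?php echo 'header'; ?>",
        "logs/pgadmin.log": b"INFO constructed log line\n",
        "wp-content/uploads/file-manager/log.txt": b"uploaded backup.zip\n",
        "backup/export.reg": reg.encode("utf-16"),
        "docs/passwords-2015.xls": b"constructed placeholder",
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp)
        for rel, label in audit_webroot(tmp):
            print(f"{rel}: {label}")
```

Anything the audit reports belongs outside the document root or behind an access rule; a robots.txt entry alone only hides it from well-behaved crawlers and, as noted above, advertises the path.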

Stay tuned for updates

Relevance is extremely important here: old vulnerabilities are closed very slowly, but Google and its search results are constantly changing. There is even a difference between a “last second” filter (&tbs=qdr:s at the end of the request URL) and a “real time” filter (&tbs=qdr:1).

The time interval of the date of the last update of the file is also indicated implicitly by Google. Through the graphical web interface, you can select one of the standard periods (hour, day, week, etc.) or set a date range, but this method is not suitable for automation.

From the look of the address bar, you can only guess about a way to limit the output of results using the &tbs=qdr: construction. The letter y after it sets the limit of one year (&tbs=qdr:y), m shows the results for the last month, w - for the week, d - for the past day, h - for the last hour, n - for the minute, and s - for the second. The most recent results that Google has just made known are found using the filter &tbs=qdr:1.

If you need to write a clever script, it will be useful to know that the date range is set in Google in Julian format using the daterange operator. For example, this is how you can find a list of PDF documents with the word confidential, downloaded from January 1 to July 1, 2015.

Confidential filetype:pdf daterange:2457024-2457205

The range is indicated in Julian date format without taking into account the fractional part. Translating them manually from the Gregorian calendar is inconvenient. It's easier to use a date converter.

Targeting and filtering again

In addition to specifying additional operators in the search query, they can be sent directly in the body of the link. For example, the filetype:pdf specification corresponds to the construction as_filetype=pdf. This makes it convenient to specify any refinements. For example, results only from the Republic of Honduras are requested by adding the construction cr=countryHN to the search URL, and only from the city of Bobruisk with gcs=Bobruisk. You can find a complete list in the developer section.

Google's automation tools are designed to make life easier, but they often add problems. For example, the user’s city is determined by the user’s IP through WHOIS. Based on this information, Google not only balances the load between servers, but also changes the search results. Depending on the region, for the same request, different results will appear on the first page, and some of them may be completely hidden. The two-letter code after the gl=country directive will help you feel like a cosmopolitan and search for information from any country. For example, the code of the Netherlands is NL, but the Vatican and North Korea do not have their own code in Google.

Often, search results end up cluttered even after using several advanced filters. In this case, it is easy to clarify the request by adding several exception words to it (a minus sign is placed in front of each of them). For example, banking, names and tutorial are often used with the word Personal. Therefore, cleaner search results will be shown not by a textbook example of a query, but by a refined one:

Intitle:"Index of /Personal/" -names -tutorial -banking

One last example

A sophisticated hacker is distinguished by the fact that he provides himself with everything he needs on his own. For example, VPN is a convenient thing, but either expensive, or temporary and with restrictions. Signing up for a subscription for yourself is too expensive. It's good that there are group subscriptions, and with the help of Google it's easy to become part of a group. To do this, just find the Cisco VPN configuration file, which has a rather non-standard PCF extension and a recognizable path: Program Files\Cisco Systems\VPN Client\Profiles. One request and you join, for example, the friendly team of the University of Bonn.

Filetype:pcf vpn OR Group

INFO

Google finds password configuration files, but many of them are encrypted or replaced with hashes. If you see strings of a fixed length, then immediately look for a decryption service.

Passwords are stored encrypted, but Maurice Massard has already written a program to decrypt them and provides it for free through thecampusgeeks.com.

Hundreds of different types of attacks and penetration tests can be carried out with Google. There are many options, affecting popular programs, major database formats, numerous vulnerabilities of PHP, clouds, and so on. Knowing exactly what you're looking for will make it much easier to find the information you need (especially information that was never intended to be made public). Interesting ideas come not only from Shodan but from every database of indexed network resources!

The following is an alphabetical list of the search operators. This list includes operators that are not officially supported by Google and not listed in Google's online help.

Note: Google may change how undocumented operators work or may eliminate them completely.

Each entry typically includes the syntax, the capabilities, and an example. Some of the search operators won’t work as intended if you put a space between the colon (:) and the subsequent query word. If you don’t care to check which search operators require no space after the colon, always place the keyword immediately next to the colon. Many search operators can appear anywhere in your query. In our examples, we place the search operator as far to the right as possible. We do this because the Advanced Search form writes queries in this way. Also, such a convention makes it clearer as to which operators are associated with which terms.

allinanchor:

If you start your query with allinanchor:, Google restricts results to pages containing all query terms you specify in the anchor text on links to the page. For example, [ allinanchor: best museums sydney ] will return only pages in which the anchor text on links to the pages contains the words “best,” “museums,” and “sydney.”

group:

If you include group: in your query, Google will restrict your Google Groups results to newsgroup articles from certain groups or subareas. For example, [ sleep group:misc.kids.moderated ] will return articles in the group misc.kids.moderated that contain the word “sleep” and [ sleep group:misc.kids ] will return articles in the subarea misc.kids that contain the word “sleep.”

Id: intitle:

The query intitle: term restricts results to documents containing term in the title. For instance, [ flu shot intitle:help ] will return documents that mention the word “help” in their titles, and mention the words “flu” and “shot” anywhere in the document (title or not).

Note: There must be no space between the intitle: and the following word.

Putting intitle: in front of every word in your query is equivalent to putting allintitle: at the front of your query, e.g., [ intitle:google intitle:search] is the same as [ allintitle: google search ].

If you include inurl: in your query, Google will restrict the results to documents containing that word in the URL. For instance, searches for pages on Google Guide in which the URL contains the word “print.” It finds pdf files that are in the directory or folder named “print” on the Google Guide website. The query [ inurl:healthy eating ] will return documents that mention the word “healthy” in their URL, and mention the word “eating” anywhere in the document.

Note: There must be no space between the inurl: and the following word.

Putting inurl: in front of every word in your query is equivalent to putting allinurl: at the front of your query, e.g., [ inurl:healthy inurl:eating] is the same as [ allinurl: healthy eating ].

In URLs, words are often run together. They need not be run together when you're using inurl:.

The query link: URL shows pages that point to that URL. For example, to find pages that point to Google Guide’s home page, enter:

Find links to the UK Owners Direct home page not on its own site.

Location: related:

You can also restrict your results to a site or domain through the domains selector on the Advanced Search page.


