Google http://www.google.com/search?q= %26ie=UTF-8%26hl=en%26meta= 1 T1 TECHNOLOGY PROFILE DON "cacheserverreport for" "This analysis was produced by calamaris" "cacheserverreport for" "This analysis was produced by calamaris" These are squid server cache reports. Fairly benign, really except when you consider using them for evil purposes. For example, an institution stands up a proxy server for their internal users to get to the outside world. Then, the internal user surf all over to their hearts content (including intranet pages cuz well, the admins are stupid) Voila, intranet links show up in the external cache report. Want to make matters worse for yourself as an admin? OK, configure your external proxy server as a trusted internal host. Load up your web browser, set your proxy as their proxy and surf your way into their intranet. Not that I've noticed any examples of this in this google list. *COUGH* *COUGH* *COUGH* unresolved DNS lookups give clues *COUGH* *COUGH* ('scuse me. must be a furball) OK, lets say BEST CASE scenario. Let's say there's not security problems revealed in these logs. Best case scenario is that outsiders can see what your company/agency/workers are surfing. 1000 http://johnny.ihackstuff.com 2 T2 TECHNOLOGY PROFILE DON intitle:"Ganglia" "Cluster Report for" intitle:"Ganglia" "Cluster Report for" These are server cluster reports, great for info gathering. Lesse, what were those server names again? 1000 http://johnny.ihackstuff.com 3 T3 TECHNOLOGY PROFILE DON intitle:"Index of" dbconvert.exe chats intitle:"Index of" dbconvert.exe chats ICQ (http://www.icq.com) allows you to store the contents of your online chats into a file. These folks have their entire ICQ directories online. On purpose? 1000 http://johnny.ihackstuff.com 4 T4 TECHNOLOGY PROFILE DON intitle:"Apache HTTP Server" intitle:"documentation" intitle:"Apache HTTP Server" intitle:"documentation" When you install the Apache web server, you get a nice set of online documentation. When you learn how to use Apache, your supposed to delete these online Apache manuals. These sites didn't. If they're in such a hurry with Apache installs, I wonder what else they rushed through? 1000 http://johnny.ihackstuff.com 5 T5 TECHNOLOGY PROFILE DON "Error Diagnostic Information" intitle:"Error Occurred While" "Error Diagnostic Information" intitle:"Error Occurred While" These aren't too horribly bad, but there are SO MANY of them. These sites got googlebotted while the site was having "technical difficulties." The resulting cached error message gives lots of juicy tidbits about the target site. 1000 http://johnny.ihackstuff.com 6 T6 TECHNOLOGY PROFILE DON intitle:"Index of" finance.xls intitle:"Index of" finance.xls "Hey! I have a great idea! Let's put our finances on our website in a secret directory so we can get to it whenever we need to!" 1000 http://johnny.ihackstuff.com 7 T7 TECHNOLOGY PROFILE DON intitle:index.of finances.xls intitle:index.of finances.xls "Hey! I have a great idea! Let's put our finances on our website in a secret directory so we can get to it whenever we need to!" 1000 http://johnny.ihackstuff.com 8 T8 TECHNOLOGY PROFILE DON "# Dumping data for table" "# Dumping data for table" SQL database dumps. LOTS of data in these. So much data, infact, I'm pressed to think of what else an ev1l hax0r would like to know about a target database.. What's that? Usernames and passwords you say? Patience, grasshopper..... 1000 http://johnny.ihackstuff.com 9 T9 TECHNOLOGY PROFILE DON intitle:index.of .bash_history intitle:index.of .bash_history Ok, this file contains what a user typed at a shell command prompt. You shouldn't advertise this file. You shouldn't flash it to a web crawler. It contains COMMANDS and USERNAMES and stuff... *sigh* Sometimes there aren't words to describe how lame people can be. This particular theme can be carried further to find all sorts of things along these lines like .profile, .login, .logout files, etc. I just got bored with all the combinations... 1000 http://johnny.ihackstuff.com 10 T10 TECHNOLOGY PROFILE DON intitle:index.of .sh_history intitle:index.of .sh_history Ok, this file contains what a user typed at a shell command prompt. You shouldn't advertise this file. You shouldn't flash it to a web crawler. It contains COMMANDS and USERNAMES and stuff... *sigh* Sometimes there aren't words to describe how lame people can be. This particular theme can be carried further to find all sorts of things along these lines like .profile, .login, .logout files, etc. I just got bored with all the combinations... 1000 http://johnny.ihackstuff.com 11 T11 TECHNOLOGY PROFILE DON intitle:"Index of" .mysql_history intitle:"Index of" .mysql_history The .mysql_history file contains commands that were performed against a mysql database. A "history" of said commands. First, you shouldn't show this file to anyone, especially not a MAJOR SEARCH ENGINE! Secondly, I sure hope you wouldn't type anything sensitive while interacting with your databases, like oh say USERNAMES AND PASSWORDS... 1000 http://johnny.ihackstuff.com 12 T12 TECHNOLOGY PROFILE DON intitle:index.of mt-db-pass.cgi intitle:index.of mt-db-pass.cgi These folks had the technical prowess to unpack the movable type files, but couldn't manage to set up their web servers properly. Check the mt.cfg files for interesting stuffs... 1000 http://johnny.ihackstuff.com 13 T13 TECHNOLOGY PROFILE DON intitle:"Welcome to Windows 2000 Internet Services" intitle:"Welcome to Windows 2000 Internet Services" At first glance, this search reveals even more examples of operating system users enabling the operating system default web server software. This is generally accepted to be a Bad Idea(TM) as mentioned in the previous example. However, the googleDork index on this particular category gets quite a boost from the fact that this particular screen should NEVER be seen by the general public. To quote the default index screen: "Any users attempting to connect to this site are currently receiving an 'Under Construction page'" THIS is not the 'Under Construction page.' I was only able to generate this screen while sitting at the console of the server. The fact that this screen is revealed to the general public may indicate a misconfiguration of a much more insidious nature... 1000 http://johnny.ihackstuff.com 14 T14 TECHNOLOGY PROFILE DON intitle:"Welcome to IIS 4.0" intitle:"Welcome to IIS 4.0" Moving from personal, lightweight web servers into more production-ready software, we find that even administrators of Microsoft's Internet Information Server (IIS) sometimes don't have a clue what they're doing. By searching on web pages with titles of "Welcome to IIS 4.0" we find that even if they've taken the time to change their main page, some dorks forget to change the titles of their default-installed web pages. This is an indicator that their web server is most likely running, or was upgraded from, the now considered OLD IIS 4.0 and that at least portions of their main pages are still exactly the same as they were out of the box. Conclusion? The rest of the factory-installed stuff is most likely lingering around on these servers as well. <br>Old code: FREE with operating system. Poor content management: an average of $40/hour. Factory-installed default scripts: FREE with operating system. Getting hacked by a script kiddie that found you on Google: PRICELESS. For all the things money can't buy, there's a googleDork award. 1000 http://johnny.ihackstuff.com 15 T15 TECHNOLOGY PROFILE DON "Index of /backup" "Index of /backup" Backup directories are often very interesting places to explore. More than one server has been compromised by a hacker's discovery of sensitive information contained in backup files or directories. Some of the sites in this search meant to reveal the contents of their backup directories, others did not. Think about it. What.s in YOUR backup directories? Would you care to share the contents with the whole of the online world? Probably not. Whether intentional or not, bsp.gsa.gov reveals backup directory through Google. Is this simply yet another misconfigured .gov site? You decide. BSP stands for "best security practices," winning this site the Top GoogleDork award for this category. 1000 http://johnny.ihackstuff.com 16 T16 TECHNOLOGY PROFILE DON "powered by openbsd" +"powered by apache" "powered by openbsd" +"powered by apache" I like the OpenBSD operating system. I really do. And I like the Apache web server software. Honestly. I admire the mettle of administrators who take the time to run quality, secure software. The problem is that you never know when security problems will pop up. <A HREF="http://online.securityfocus.com/news/493" target="_blank">A BIG security problem popped up within the OpenBSD/Apache combo.</a> Now, every administrator that advertised this particular combo with cute little banners has a problem. Hackers can find them with Google. I go easy on these folks since the odds are they.ve patched their sites already. Then again, they may just show up on <A HREF="http://www.zone-h.com/en/defacements" target="_blank">zone-h..</a> 1000 http://johnny.ihackstuff.com 17 T17 TECHNOLOGY PROFILE DON intitle:"Index of" secring.bak intitle:"Index of" secring.bak PGP is a great encryption technology. It keeps secrets safe. Everyone from drug lords to the head of the DEA can download PGP to encrypt their sensitive documents. Everyone, that is except googleDorks. GoogleDorks, it seems, don't understand that anyone in possession of your private keyring (secring) can get to your secret stuff. It should noever be given out, and should certainly not be posted on the Internet. The highest ranking is awarded for this surprising level of ineptitude. 1000 http://johnny.ihackstuff.com 18 T18 TECHNOLOGY PROFILE DON intitle:index.of people.lst intitle:index.of people.lst *sigh* 1000 http://johnny.ihackstuff.com 19 T19 TECHNOLOGY PROFILE DON intitle:index.of passwd passwd.bak intitle:index.of passwd passwd.bak There's nothing that defines a googleDork more than getting your PASSWORDS grabbed by Google for the world to see. Truly the epitome of a googleDork. The hits in this search show "passwd" files which contain encrypted passwords which may look like this: "guest MMCHhvZ6ODgFo" A password cracker can eat cheesy hashes faster than Elvis eatin' jelly doughnuts. Bravo googleDorks! Good show! 1000 http://johnny.ihackstuff.com 20 T20 TECHNOLOGY PROFILE DON intitle:index.of master.passwd intitle:index.of master.passwd There's nothing that defines a googleDork more than getting your PASSWORDS grabbed by Google for the world to see. Truly the epitome of a googleDork. The hits in this search show "master.passwd" files which contain encrypted passwords which may look like this: "guest MMCHhvZ6ODgFo" A password cracker can eat cheesy hashes faster than Elvis eatin' jelly doughnuts. Bravo googleDorks! Good show! For master.passwd, be sure to check other files in the same directory... 1000 http://johnny.ihackstuff.com 21 T21 TECHNOLOGY PROFILE DON intitle:"Index of" pwd.db intitle:"Index of" pwd.db There's nothing that defines a googleDork more than getting your PASSWORDS grabbed by Google for the world to see. Truly the epitome of a googleDork. The his in this search show "pwd.db" files which contain encrypted passwords which may look like this: "guest MMCHhvZ6ODgFo" A password cracker can eat cheesy hashes faster than Elvis eatin' jelly doughnuts. Bravo googleDorks! Good show! 1000 http://johnny.ihackstuff.com 22 T22 TECHNOLOGY PROFILE DON intitle:"Index of" ".htpasswd" htpasswd.bak intitle:"Index of" ".htpasswd" htpasswd.bak There's nothing that defines a googleDork more than getting your PASSWORDS grabbed by Google for the world to see. Truly the epitome of a googleDork. And what if the passwords are hashed? A password cracker can eat cheesy password hashes faster than Elvis eatin' jelly doughnuts. Bravo googleDorks! Good show! 1000 http://johnny.ihackstuff.com 23 T23 TECHNOLOGY PROFILE DON intitle:"Index of" ".htpasswd" "htgroup" -intitle:"dist" -apache -htpasswd.c intitle:"Index of" ".htpasswd" "htgroup" -intitle:"dist" -apache -htpasswd.c There's nothing that defines a googleDork more than getting your PASSWORDS grabbed by Google for the world to see. Truly the epitome of a googleDork. And what if the passwords are hashed? A password cracker can eat cheesy password hashes faster than Elvis eatin' jelly doughnuts. Bravo googleDorks! Good show! You'll need to sift through these results a bit... 1000 http://johnny.ihackstuff.com 24 T24 TECHNOLOGY PROFILE DON intitle:"Index of" spwd.db passwd -pam.conf intitle:"Index of" spwd.db passwd -pam.conf There's nothing that defines a googleDork more than getting your PASSWORDS grabbed by Google for the world to see. Truly the epitome of a googleDork. And what if the passwords are hashed? A password cracker can eat cheesy password hashes faster than Elvis eatin' jelly doughnuts. Bravo googleDorks! Good show! 1000 http://johnny.ihackstuff.com 25 T25 TECHNOLOGY PROFILE DON intitle:"Index of..etc" passwd intitle:"Index of..etc" passwd There's nothing that defines a googleDork more than getting your PASSWORDS grabbed by Google for the world to see. Truly the epitome of a googleDork. And what if the passwords are hashed? A password cracker can eat cheesy password hashes faster than Elvis eatin' jelly doughnuts. Bravo googleDorks! Good show! 1000 http://johnny.ihackstuff.com 26 T26 TECHNOLOGY PROFILE DON buddylist.blt buddylist.blt These searches bring up common names for AOL Instant Messenger "buddylists". These lists contain screen names of your "online buddies" in Instant Messenger. Not that's not too terribly exciting or stupid unless you want to mess with someone's mind, and besides, some people make these public on purpose. The thing that's interesting are the files that get stored ALONG WITH buddylists. Often this stuff includes downloaded pictures, resumes, all sorts of things. This is really for the peepers out there, and it' possible to spend countless hours rifling through people's personal crap. A few methods: 1. <A HREF="http://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=buddylist%2Eblt" target="_blank">buddylist.blt</A> 2. <A HREF="http://www.google.com/search?sourceid=navclient&q=buddy%2Eblt" target="_blank">buddy.blt</A> 3. <A HREF="http://www.google.com/search?sourceid=navclient&q=buddies%2Eblt" target="_blank">buddies.blt</A> 1000 http://johnny.ihackstuff.com 27 T27 TECHNOLOGY PROFILE DON intitle:index.of config.php intitle:index.of config.php This search brings up sites with "config.php" files. To skip the technical discussion, this configuration file contains both a username and a password for an SQL database. Most sites with forums run a PHP message base. This file gives you the keys to that forum, including FULL ADMIN access to the database. Way to go, googleDorks!! 1000 http://johnny.ihackstuff.com 28 T28 TECHNOLOGY PROFILE DON "phpinfo.php" -manual "phpinfo.php" -manual this brings up sites with "phpinfo.php" files. There is SO much cool stuff in here that you just have to check one out for yourself! I mean full blown system versioning, SSL version, sendmail version and path, ftp, LDAP, SQL info, Apache mods, Apache env vars, *sigh* the list goes on and on! Thanks "joe!" =) 1000 http://johnny.ihackstuff.com 29 T29 TECHNOLOGY PROFILE DON "supplied argument is not a valid MySQL result resource" "supplied argument is not a valid MySQL result resource" One of many potential error messages that spew interesting information. The results of this message give you real path names inside the webserver as well as more php scripts for potential "crawling" activities. 1000 http://johnny.ihackstuff.com 31 T30 TECHNOLOGY PROFILE DON intitle:index.of robots.txt intitle:index.of robots.txt The robots.txt file contains "rules" about where web spiders are allowed (and NOT allowed) to look in a website's directory structure. Without over-complicating things, this means that the robots.txt file gives a mini-roadmap of what's somewhat public and what's considered more private on a web site. Have a look at the robots.txt file itself, it contains interesting stuff. However, don't forget to check out the other files in these directories since they are usually at the top directory level of the web server! 1000 http://johnny.ihackstuff.com 32 T31 TECHNOLOGY PROFILE DON index.of passlist index.of passlist I'm not sure what uses this, but the passlist and passlist.txt files contain passwords in CLEARTEXT! That's right, no decoding/decrypting/encrypting required. How easy is this? *sigh* Supreme googledorkage 1000 http://johnny.ihackstuff.com 33 T32 TECHNOLOGY PROFILE DON index.of.secret index.of.secret What kinds of goodies lurk in directories marked as "secret?" Find out... 1000 http://johnny.ihackstuff.com 34 T33 TECHNOLOGY PROFILE DON index.of.private index.of.private What kinds of things might you find in directories marked "private?" let's find out.... 1000 http://johnny.ihackstuff.com 35 T34 TECHNOLOGY PROFILE DON index.of.etc index.of.etc This search gets you access to the etc directory, where many many many types of password files can be found. This link is not as reliable, but crawling etc directories can be really fun! 1000 http://johnny.ihackstuff.com 36 T35 TECHNOLOGY PROFILE DON index.of.winnt index.of.winnt The \WINNT directory is the directory that Windows NT is installed into by default. Now just because google can find them, this doesn't necessarily mean that these are Windows NT directories that made their way onto the web. However, sometimes this happens. Other times, they aren't Windows NT directories, but backup directories for Windows NT data. Wither way, worthy of a nomination. 1000 http://johnny.ihackstuff.com 37 T36 TECHNOLOGY PROFILE DON index.of.secure index.of.secure What could be hiding in directories marked as "secure?" let's find out... 1000 http://johnny.ihackstuff.com 38 T37 TECHNOLOGY PROFILE DON index.of.protected index.of.protected What could be in a directory marked as "protected?" Let's find out... 1000 http://johnny.ihackstuff.com 39 T38 TECHNOLOGY PROFILE DON index.of.password index.of.password These directories are named "password." I wonder what you might find in here. Warning: sometimes p0rn sites make directories on servers with directories named "password" and single html files inside named things liks "horny.htm" or "brittany.htm." These are to boost their search results. Don't click them (unless you want to be buried in an avalanche of p0rn... 1000 http://johnny.ihackstuff.com 40 T39 TECHNOLOGY PROFILE DON "This report was generated by WebLog" "This report was generated by WebLog" These are weblog-generated statistics for web sites... A roadmap of files, referrers, errors, statistics... yummy... a schmorgasbord! =P 1000 http://johnny.ihackstuff.com 41 T40 TECHNOLOGY PROFILE DON "These statistics were produced by getstats" "These statistics were produced by getstats" Another web statistics package. This one originated from a google scan of an ivy league college. *sigh* There's sooo much stuff in here! 1000 http://johnny.ihackstuff.com 42 T41 TECHNOLOGY PROFILE DON "This summary was generated by wwwstat" "This summary was generated by wwwstat" More www statistics on the web. This one is very nice.. Lots of directory info, and client access statistics, email addresses.. lots os good stuff. You know, these are SOOO dangerous, especially if INTRANET users get logged... talk about mapping out an intranet quickly... thanks, sac =) 1000 http://johnny.ihackstuff.com 43 T42 TECHNOLOGY PROFILE DON intitle:index.of haccess.ctl intitle:index.of haccess.ctl this is the frontpage(?) equivalent of htaccess, I believe. Anyhow, this file describes who can access the directory of the web server and where the other authorization files are. nice find. 1000 http://johnny.ihackstuff.com 44 T43 TECHNOLOGY PROFILE DON filetype:ctl Basic filetype:ctl Basic haccess.ctl is the frontpage(?) equivalent of the .htaccess file. Either way, this file decribes who can access a web page, and should not be shown to web surfers. Way to go, googledork. =P This method is very reliable due to the use of this google query: filetype:ctl Basic This pulls out the file by name then searches for a string inside of it (Basic) which appears in the standard template for this file. 1000 http://johnny.ihackstuff.com 45 T44 TECHNOLOGY PROFILE DON filetype:xls username password email filetype:xls username password email This search shows Microsoft Excel spreadsheets containing the words username, password and email. Beware that there are a ton of blank "template" forms to weed through, but you can tell from the Google summary that some of these are winners... err losers.. depending on your perspective. 1000 http://johnny.ihackstuff.com 46 T45 TECHNOLOGY PROFILE DON inurl:shop "Hassan Consulting's Shopping Cart Version 1.18" inurl:shop "Hassan Consulting's Shopping Cart Version 1.18" These servers can be messed with in many ways. One specific way is by way of the "../" bug. This lets you cruise around the web server in a somewhat limited fashion. 1000 http://johnny.ihackstuff.com 47 T46 TECHNOLOGY PROFILE DON site:edu admin grades site:edu admin grades I never really thought about this until I started coming up with juicy examples for DEFCON 11.. A few GLARINGLY bad examples contain not only student grades and names, but also social security numbers, securing the highest of all googledork ratings! 1000 http://johnny.ihackstuff.com 48 T47 TECHNOLOGY PROFILE DON allinurl:auth_user_file.txt allinurl:auth_user_file.txt DCForum's password file. This file gives a list of (crackable) passwords, usernames and email addresses for DCForum and for DCShop (a shopping cart program(!!!). Some lists are bigger than others, all are fun, and all belong to googledorks. =) 1000 http://johnny.ihackstuff.com 49 T48 TECHNOLOGY PROFILE DON inurl:config.php dbuname dbpass inurl:config.php dbuname dbpass The old config.php script. This puppy should be held very closely. It should never be viewable to your web visitors because it contains CLEARTEXT usernames and passwords! The hishest of all googledorks ratings! 1000 http://johnny.ihackstuff.com 50 T49 TECHNOLOGY PROFILE DON inurl:tech-support inurl:show Cisco inurl:tech-support inurl:show Cisco This is a way to find Cisco products with an open web interface. These are generally supposed to be user and password protected. Google finds ones that aren't. Be sure to use Google's cache if you have trouble connecting. Also, there are very few results (2 at the time of posting.) 1000 http://johnny.ihackstuff.com 51 T50 TECHNOLOGY PROFILE DON i_index.shtml Ready i_index.shtml Ready These printers are not-only web-enabled, but their management interface somehow got crawled by google! These puppies should not be public! You can really muck with these printers. In some cases, going to the "password.shtml" page, you can even lock out the admins if a username and password has not already been set! Thanks to mephisteau@yahoo.co.uk for the idea =) 1000 http://johnny.ihackstuff.com 52 T51 TECHNOLOGY PROFILE DON aboutprinter.shtml aboutprinter.shtml More Xerox printers on the web! Google found these printers. Should their management interface be open to the WHOLE INTERNET? I think not. 1000 http://johnny.ihackstuff.com 53 T52 TECHNOLOGY PROFILE DON "Chatologica MetaSearch" "stack tracking:" "Chatologica MetaSearch" "stack tracking:" There is soo much crap in this error message... Apache version, CGI environment vars, path names, stack-freaking-dumps, process ID's, perl version, yadda yadda yadda... 1000 http://johnny.ihackstuff.com 54 T53 TECHNOLOGY PROFILE DON intitle:index.of mystuff.xml intitle:index.of mystuff.xml This particular file contains web links that trillian users have entered into the tool. Trillian combines many different messaging programs into one tool. AIM, MSN, Yahoo, ICQ, IRC, etc. Although this particular file is fairly benign, check out the other files in the same directory. There is usually great stuff here! 1000 http://johnny.ihackstuff.com 55 T54 TECHNOLOGY PROFILE DON intitle:index.of trillian.ini intitle:index.of trillian.ini Trillian pulls together all sort of messaging clients like AIM MSN, Yahoo, IRC, ICQ, etc. The various ini files that trillian uses include files like aim.ini and msn.ini. These ini files contain encoded passwords, usernames, buddy lists, and all sorts of other fun things. Thanks for putting these on the web for us, googledorks! 1000 http://johnny.ihackstuff.com 56 T55 TECHNOLOGY PROFILE DON intitle:admin intitle:login intitle:admin intitle:login Admin Login pages. Now, the existance of this page does not necessarily mean a server is vulnerable, but it sure is handy to let Google do the discovering for you, no? Let's face it, if you're trying to hack into a web server, this is one of the more obvious places to poke. 1000 http://johnny.ihackstuff.com 57 T56 TECHNOLOGY PROFILE DON "ORA-00921: unexpected end of SQL command" "ORA-00921: unexpected end of SQL command" Another SQL error message from Cesar. This one coughs up full web pathnames and/or php filenames. 1000 http://johnny.ihackstuff.com 58 T57 TECHNOLOGY PROFILE DON inurl:passlist.txt inurl:passlist.txt Cleartext passwords. No decryption required! 1000 http://johnny.ihackstuff.com 59 T58 TECHNOLOGY PROFILE DON inurl:sitebuildercontent inurl:sitebuildercontent This is a default directory for the sitebuilder web design software program. If these people posted web pages with default sitebuilder sirectory names, I wonder what else they got wrong? 1000 http://johnny.ihackstuff.com 60 T59 TECHNOLOGY PROFILE DON inurl:sitebuilderfiles inurl:sitebuilderfiles This is a default directory for the sitebuilder web design software program. If these people posted web pages with default sitebuilder sirectory names, I wonder what else they got wrong? 1000 http://johnny.ihackstuff.com 61 T60 TECHNOLOGY PROFILE DON inurl:sitebuilderpictures inurl:sitebuilderpictures This is a default directory for the sitebuilder web design software program. If these people posted web pages with default sitebuilder sirectory names, I wonder what else they got wrong? 1000 http://johnny.ihackstuff.com 62 T61 TECHNOLOGY PROFILE DON filetype:htpasswd htpasswd filetype:htpasswd htpasswd This is a nifty way to find htpasswd files. Htpasswd files contain usernames and crackable passwords for web pages and directories. They're supposed to be server-side, not available to web clients! *duh* 1000 http://johnny.ihackstuff.com 63 T62 TECHNOLOGY PROFILE DON "YaBB SE Dev Team" "YaBB SE Dev Team" Yet Another Bulletin Board (YABB) SE (versions 1.5.4 and 1.5.5 and perhaps others) contain an SQL injection vulnerability which may allow several attacks including unauthorized database modification or viewing. See http://www.securityfocus.com/bid/9674 for more information. Also see http://www.securityfocus.com/bid/9677 for information about an information leakage vulnerability in versions YaBB Gold - Sp 1.3.1 and others. 1000 http://johnny.ihackstuff.com 64 T63 TECHNOLOGY PROFILE DON inurl:custva.asp inurl:custva.asp The EarlyImpact Productcart contains multiple vulnerabilites, which could exploited to allow an attacker to steal user credentials or mount other attacks. See http://www.securityfocus.com/bid/9669 for more informationfor more information. Also see http://www.securityfocus.com/bid/9677 for information about an information leakage vulnerability in versions YaBB Gold - Sp 1.3.1 and others. 1000 http://johnny.ihackstuff.com 65 T64 TECHNOLOGY PROFILE DON "Powered by mnoGoSearch - free web search engine software" "Powered by mnoGoSearch - free web search engine software" According to http://www.securityfocus.com/bid/9667, certain versions of mnGoSearch contain a buffer overflow vulnerability which allow an attacker to execute commands on the server. 1000 http://johnny.ihackstuff.com 66 T65 TECHNOLOGY PROFILE DON intitle:"the page cannot be found" inetmgr intitle:"the page cannot be found" inetmgr IIS 4.0 servers. Extrememly old, incredibly easy to hack... 1000 http://johnny.ihackstuff.com 67 T66 TECHNOLOGY PROFILE DON intitle:"the page cannot be found" "2004 microsoft corporation" intitle:"the page cannot be found" "2004 microsoft corporation" Windows 2000 web servers. Aging, fairly easy to hack, especially out of the box... 1000 http://johnny.ihackstuff.com 68 T67 TECHNOLOGY PROFILE DON intitle:"the page cannot be found" "internet information services" intitle:"the page cannot be found" "internet information services" This query finds various types of IIS servers. This error message is fairly indicative of a somewhat unmodified IIS server, meaning it may be easier to break into... 1000 http://johnny.ihackstuff.com 69 T68 TECHNOLOGY PROFILE DON "# phpMyAdmin MySQL-Dump" filetype:txt "# phpMyAdmin MySQL-Dump" filetype:txt From phpmyadmin.net : "phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the WWW." Great, easy to use, but don't leave your database dumps laying around on the web. They contain all SORTS of sensitive information... 1000 http://johnny.ihackstuff.com 70 T69 TECHNOLOGY PROFILE DON "# phpMyAdmin MySQL-Dump" "INSERT INTO" -"the" "# phpMyAdmin MySQL-Dump" "INSERT INTO" -"the" From phpmyadmin.net : "phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the WWW." Great, easy to use, but don't leave your database dumps laying around on the web. They contain all SORTS of sensitive information... 1000 http://johnny.ihackstuff.com 71 T70 TECHNOLOGY PROFILE DON intitle:"Gallery in Configuration mode" intitle:"Gallery in Configuration mode" Gallery is a nice little php program that allows users to post personal pictures on their website. So handy, in fact, that I use it on my site! However, the Gallery configuration mode allows outsiders to make changes to your gallery. This is why you shouldn't leave your gallery in configuration mode. These people, unfortunately, have done just that! 1000 http://johnny.ihackstuff.com 72 T71 TECHNOLOGY PROFILE DON intitle:index.of cgiirc.config intitle:index.of cgiirc.config CGIIRC is a web-based IRC client. Very cool stuff. The cgiirc.config file lists the options for this porgram, including the default sites that can be attached to, server passwords, and crypts of admin passwords. This file is for CGIIRC, not Google surfers! 1000 http://johnny.ihackstuff.com 73 T72 TECHNOLOGY PROFILE DON inurl:cgiirc.config inurl:cgiirc.config This is another less reliable way of finding the cgiirc.config file. CGIIRC is a web-based IRC client. Very cool stuff. The cgiirc.config file lists the options for this porgram, including the default sites that can be attached to, server passwords, and crypts of admin passwords. This file is for CGIIRC, not Google surfers! 1000 http://johnny.ihackstuff.com 74 T73 TECHNOLOGY PROFILE DON inurl:inurl:ipsec.secrets -history -bugs inurl:inurl:ipsec.secrets -history -bugs from the manpage for ipsec_secrets: "It is vital that these secrets be protected. The file should be owned by the super-user, and its permissions should be set to block all access by others." So let's make it plain: DO NOT SHOW THIS FILE TO ANYONE! Googledorks rejoice, these files are on the web! 1000 http://johnny.ihackstuff.com 75 T74 TECHNOLOGY PROFILE DON inurl:ipsec.secrets "holds shared secrets" inurl:ipsec.secrets "holds shared secrets" from the manpage for ipsec_secrets: "It is vital that these secrets be protected. The file should be owned by the super-user, and its permissions should be set to block all access by others." So let's make it plain: DO NOT SHOW THIS FILE TO ANYONE! Googledorks rejoice, these files are on the web! 1000 http://johnny.ihackstuff.com 76 T75 TECHNOLOGY PROFILE DON inurl:ipsec.conf -intitle:manpage inurl:ipsec.conf -intitle:manpage The ipsec.conf file could help hackers figure out what uber-secure users of freeS/WAN are protecting.... 1000 http://johnny.ihackstuff.com 77 T76 TECHNOLOGY PROFILE DON intitle:"500 Internal Server Error" "server at" intitle:"500 Internal Server Error" "server at" This one shows the type of web server running on the site, and has the ability to show other information depending on how the message is internally formatted. 1000 http://johnny.ihackstuff.com 78 T77 TECHNOLOGY PROFILE DON "mySQL error with query" "mySQL error with query" Another error message, this appears when an SQL query bails. This is a generic mySQL message, so there's all sort of information hackers can use, depending on the actual error message... 1000 http://johnny.ihackstuff.com 79 T78 TECHNOLOGY PROFILE DON "You have an error in your SQL syntax near" "You have an error in your SQL syntax near" Another generic SQL message, this message can display path names and partial SQL code, both of which are very helpful for hackers... 1000 http://johnny.ihackstuff.com 81 T79 TECHNOLOGY PROFILE DON "Supplied argument is not a valid MySQL result resource" "Supplied argument is not a valid MySQL result resource" Another generic SQL message, this message can display path names, function names, filenames and partial SQL code, all of which are very helpful for hackers... 1000 http://johnny.ihackstuff.com 80 T80 TECHNOLOGY PROFILE DON "ORA-00936: missing expression" "ORA-00936: missing expression" A generic ORACLE error message, this message can display path names, function names, filenames and partial database code, all of which are very helpful for hackers... 1000 http://johnny.ihackstuff.com 82 T81 TECHNOLOGY PROFILE DON "ORA-00921: unexpected end of SQL command" "ORA-00921: unexpected end of SQL command" Another generic SQL message, this message can display path names, function names, filenames and partial SQL code, all of which are very helpful for hackers... 1000 http://johnny.ihackstuff.com 83 T82 TECHNOLOGY PROFILE DON "ORA-00933: SQL command not properly ended" "ORA-00933: SQL command not properly ended" An Oracle error message, this message can display path names, function names, filenames and partial SQL code, all of which are very helpful for hackers... 1000 http://johnny.ihackstuff.com 84 T83 TECHNOLOGY PROFILE DON "Unclosed quotation mark before the character string" "Unclosed quotation mark before the character string" An SQL Server error message, this message can display path names, function names, filenames and partial code, all of which are very helpful for hackers... 1000 http://johnny.ihackstuff.com 85 T84 TECHNOLOGY PROFILE DON "Incorrect syntax near" "Incorrect syntax near" An SQL Server error message, this message can display path names, function names, filenames and partial code, all of which are very helpful for hackers... 1000 http://johnny.ihackstuff.com 86 T85 TECHNOLOGY PROFILE DON "Incorrect syntax near" -the "Incorrect syntax near" -the An SQL Server error message, this message can display path names, function names, filenames and partial code, all of which are very helpful for hackers... 1000 http://johnny.ihackstuff.com 87 T86 TECHNOLOGY PROFILE DON "PostgreSQL query failed: ERROR: parser: parse error" "PostgreSQL query failed: ERROR: parser: parse error" An PostgreSQL error message, this message can display path names, function names, filenames and partial code, all of which are very helpful for hackers... 1000 http://johnny.ihackstuff.com 88 T87 TECHNOLOGY PROFILE DON "Supplied argument is not a valid PostgreSQL result" "Supplied argument is not a valid PostgreSQL result" An PostgreSQL error message, this message can display path names, function names, filenames and partial code, all of which are very helpful for hackers... 1000 http://johnny.ihackstuff.com 89 T88 TECHNOLOGY PROFILE DON "Syntax error in query expression " -the "Syntax error in query expression " -the An Access error message, this message can display path names, function names, filenames and partial code, all of which are very helpful for hackers... 1000 http://johnny.ihackstuff.com 90 T89 TECHNOLOGY PROFILE DON "An illegal character has been found in the statement" -"previous message" "An illegal character has been found in the statement" -"previous message" An Informix error message, this message can display path names, function names, filenames and partial code, all of which are very helpful for hackers... 1000 http://johnny.ihackstuff.com 91 T90 TECHNOLOGY PROFILE DON "A syntax error has occurred" filetype:ihtml "A syntax error has occurred" filetype:ihtml An Informix error message, this message can display path names, function names, filenames and partial code, all of which are very helpful for hackers 1000 http://johnny.ihackstuff.com 92 T91 TECHNOLOGY PROFILE DON "detected an internal error [IBM][CLI Driver][DB2/6000]" "detected an internal error [IBM][CLI Driver][DB2/6000]" A DB2 error message, this message can display path names, function names, filenames, partial code and program state, all of which are very helpful for hackers... 1000 http://johnny.ihackstuff.com 93 T92 TECHNOLOGY PROFILE DON An unexpected token "END-OF-STATEMENT" was found An unexpected token "END-OF-STATEMENT" was found A DB2 error message, this message can display path names, function names, filenames, partial code and program state, all of which are very helpful for hackers... 1000 http://johnny.ihackstuff.com 94 T93 TECHNOLOGY PROFILE DON intitle:"statistics of" "advanced web statistics" intitle:"statistics of" "advanced web statistics" the awstats program shows web statistics for web servers. This information includes who is visiting the site, what pages they visit, error codes produced, filetypes hosted on the server, number of hits, and more which can provide very interesting recon information for an attacker. 1000 http://johnny.ihackstuff.com 95 T94 TECHNOLOGY PROFILE DON intitle:"Usage Statistics for" "Generated by Webalizer" intitle:"Usage Statistics for" "Generated by Webalizer" The webalizer program shows web statistics for web servers. This information includes who is visiting the site, what pages they visit, error codes produced, filetypes hosted on the server, number of hits, referrers, exit pages, and more which can provide very interesting recon information for an attacker. 1000 http://johnny.ihackstuff.com 96 T95 TECHNOLOGY PROFILE DON "robots.txt" "Disallow:" filetype:txt "robots.txt" "Disallow:" filetype:txt The robots.txt file serves as a set of instructions for web crawlers. The "disallow" tag tells a web crawler where NOT to look, for whatever reason. Hackers will always go to those places first! 1000 http://johnny.ihackstuff.com 514 T96 TECHNOLOGY PROFILE DON "Warning: pg_connect(): Unable to connect to PostgreSQL server: FATAL" "Warning: pg_connect(): Unable to connect to PostgreSQL server: FATAL" This search reveals Postgresql servers in yet another way then we had seen before. Path information appears in the error message and sometimes database names. 1000 http://johnny.ihackstuff.com 98 T97 TECHNOLOGY PROFILE DON "phpMyAdmin" "running on" inurl:"main.php" "phpMyAdmin" "running on" inurl:"main.php" From phpmyadmin.net : "phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the WWW." Great, easy to use, but lock it down! Things you can do include viewing MySQL runtime information and system variables, show processes, reloading MySQL, changing privileges, and modifying or exporting databases. Hacker-fodder for sure! 1000 http://johnny.ihackstuff.com 99 T98 TECHNOLOGY PROFILE DON inurl:main.php phpMyAdmin inurl:main.php phpMyAdmin From phpmyadmin.net : "phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the WWW." Great, easy to use, but lock it down! Things you can do include viewing MySQL runtime information and system variables, show processes, reloading MySQL, changing privileges, and modifying or exporting databases. Hacker-fodder for sure! 1000 http://johnny.ihackstuff.com 100 T99 TECHNOLOGY PROFILE DON inurl:main.php Welcome to phpMyAdmin inurl:main.php Welcome to phpMyAdmin From phpmyadmin.net : "phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the WWW." Great, easy to use, but lock it down! Things you can do include viewing MySQL runtime information and system variables, show processes, reloading MySQL, changing privileges, and modifying or exporting databases. Hacker-fodder for sure! 1000 http://johnny.ihackstuff.com 101 T100 TECHNOLOGY PROFILE DON "Warning: Cannot modify header information - headers already sent" "Warning: Cannot modify header information - headers already sent" A PHP error message, this message can display path names, function names, filenames and partial code, all of which are very helpful for hackers... 1000 http://johnny.ihackstuff.com 102 T101 TECHNOLOGY PROFILE DON intitle:"wbem" compaq login intitle:"wbem" compaq login These devices are running HP Insight Management Agents for Servers which "provide device information for all managed subsystems. Alerts are generated by SNMP traps." The information on these pages include server addresses and other assorted SNMP information. 1000 http://johnny.ihackstuff.com 103 T102 TECHNOLOGY PROFILE DON intitle:"osCommerce" inurl:admin filetype:php intitle:"osCommerce" inurl:admin filetype:php This is a decent way to explore the admin interface of osCommerce e-commerce sites. Depending on how bad the setup of the web store is, web surfers can even Google their way into customer details and order status, all from the Google cache. 1000 http://johnny.ihackstuff.com 104 T103 TECHNOLOGY PROFILE DON intitle:index.of "Apache" "server at" intitle:index.of "Apache" "server at" This is a very basic string found on directory listing pages which show the version of the Apache web server. Hackers can use this information to find vulnerable targets without querying the servers. 1000 http://johnny.ihackstuff.com 105 T104 TECHNOLOGY PROFILE DON "access denied for user" "using password" "access denied for user" "using password" Another SQL error message, this message can display the username, database, path names and partial SQL code, all of which are very helpful for hackers... 1000 http://johnny.ihackstuff.com 106 T105 TECHNOLOGY PROFILE DON intitle:"Under construction" "does not currently have" intitle:"Under construction" "does not currently have" This error message can be used to narrow down the operating system and web server version which can be used by hackers to mount a specific attack. 1000 http://johnny.ihackstuff.com 107 T106 TECHNOLOGY PROFILE DON "seeing this instead" intitle:"test page for apache" "seeing this instead" intitle:"test page for apache" This is the default web page for Apache 1.3.11 - 1.3.26. Hackers can use this information to determine the version of the web server, or to search Google for vulnerable targets. In addition, this indicates that the web server is not well maintained. 1000 http://johnny.ihackstuff.com 108 T107 TECHNOLOGY PROFILE DON intitle:"Test Page for Apache" "It Worked!" intitle:"Test Page for Apache" "It Worked!" This is the default web page for Apache 1.2.6 - 1.3.9. Hackers can use this information to determine the version of the web server, or to search Google for vulnerable targets. In addition, this indicates that the web server is not well maintained. 1000 http://johnny.ihackstuff.com 109 T108 TECHNOLOGY PROFILE DON intitle:"Test Page for Apache" "It Worked!" "on this web" intitle:"Test Page for Apache" "It Worked!" "on this web" This is the default web page for Apache 1.2.6 - 1.3.9. Hackers can use this information to determine the version of the web server, or to search Google for vulnerable targets. In addition, this indicates that the web server is not well maintained. 1000 http://johnny.ihackstuff.com 110 T109 TECHNOLOGY PROFILE DON "Can't connect to local" intitle:warning "Can't connect to local" intitle:warning Another SQL error message, this message can display database name, path names and partial SQL code, all of which are very helpful for hackers... 1000 http://johnny.ihackstuff.com 111 T110 TECHNOLOGY PROFILE DON intitle:index.of dead.letter intitle:index.of dead.letter dead.letter contains the contents of unfinished emails created on the UNIX platform. Emails (finished or not) can contain sensitive information. 1000 http://johnny.ihackstuff.com 112 T111 TECHNOLOGY PROFILE DON intitle:index.of ws_ftp.ini intitle:index.of ws_ftp.ini ws_ftp.ini is a configuration file for a popular FTP client that stores usernames, (weakly) encoded passwords, sites and directories that the user can store for later reference. These should not be on the web! 1000 http://johnny.ihackstuff.com 113 T112 TECHNOLOGY PROFILE DON intitle:index.of administrators.pwd intitle:index.of administrators.pwd This file contains administrative user names and (weakly) encrypted password for Microsoft Front Page. The file should not be readble to the general public. 1000 http://johnny.ihackstuff.com 114 T113 TECHNOLOGY PROFILE DON intitle:index.of secring.pgp intitle:index.of secring.pgp This file is the secret keyring for PGP encryption. Armed with this file (and perhaps a passphrase), a malicious user can read all your encrypted files! This should not be posted on the web! 1000 http://johnny.ihackstuff.com 115 T114 TECHNOLOGY PROFILE DON intitle:Index.of etc shadow intitle:Index.of etc shadow This file contains usernames and (lame) encrypted passwords! Armed with this file and a decent password cracker, an attacker can crack passwords and log into a UNIX system. 1000 http://johnny.ihackstuff.com 116 T115 TECHNOLOGY PROFILE DON inurl:ManyServers.htm inurl:ManyServers.htm Microsoft Terminal Services Multiple Clients pages. These pages are not necessarily insecure, sine many layers of security can be wrapped around the actual use of this service, but simply being able to find these in Google gives hackers an informational advantage, and many of the sites are not implemented securely. 1000 http://johnny.ihackstuff.com 117 T116 TECHNOLOGY PROFILE DON intitle:"Terminal Services Web Connection" intitle:"Terminal Services Web Connection" Microsoft Terminal Services Web Connector pages. These pages are not necessarily insecure, sine many layers of security can be wrapped around the actual use of this service, but simply being able to find these in Google gives hackers an informational advantage, and many of the sites are not implemented securely. In the worst case scenario these pages may allow an attacker to bypass a firewall gaining access to a "protected" machine. 1000 http://johnny.ihackstuff.com 118 T117 TECHNOLOGY PROFILE DON intitle:"Remote Desktop Web Connection" intitle:"Remote Desktop Web Connection" Microsoft Remote Desktop Connection Web Connection pages. These pages are not necessarily insecure, sine many layers of security can be wrapped around the actual use of this service, but simply being able to find these in Google gives hackers an informational advantage, and many of the sites are not implemented securely. In the worst case scenario these pages may allow an attacker to bypass a firewall gaining access to an otherwise inaccessible machine. 1000 http://johnny.ihackstuff.com 119 T118 TECHNOLOGY PROFILE DON "Welcome to Intranet" "Welcome to Intranet" According to whatis.com: "An intranet is a private network that is contained within an enterprise. [...] The main purpose of an intranet is to share company information and computing resources among employees [...] and in general looks like a private version of the Internet." Intranets, by definition should not be available to the Internet's unwashed masses as they may contain private corporate information. 1000 http://johnny.ihackstuff.com 120 T119 TECHNOLOGY PROFILE DON inurl:search.php vbulletin inurl:search.php vbulletin Version 3.0.0 candidate 4 and earlier of Vbulletin may have a cross-site scripting vulnerability. See http://www.securityfocus.com/bid/9656 for more info. 1000 http://johnny.ihackstuff.com 121 T120 TECHNOLOGY PROFILE DON inurl:footer.inc.php inurl:footer.inc.php From http://www.securityfocus.com/bid/9664, the AllMyPHP family of products (Versions 0.1.2 - 0.4) contains several potential vulnerabilities, som elalowing an attacker to execute malicious code on the web server. 1000 http://johnny.ihackstuff.com 122 T121 TECHNOLOGY PROFILE DON inurl:info.inc.php inurl:info.inc.php From http://www.securityfocus.com/bid/9664, the AllMyPHP family of products (Versions 0.1.2 - 0.4) contains several potential vulnerabilities, som elalowing an attacker to execute malicious code on the web server. 1000 http://johnny.ihackstuff.com 123 T122 TECHNOLOGY PROFILE DON inurl:admin intitle:login inurl:admin intitle:login This search can find administrative login pages. Not a vulnerability in and of itself, this query serves as a locator for administrative areas of a site. Further investigation of the surrounding directories can often reveal interesting information. 1000 http://johnny.ihackstuff.com 124 T123 TECHNOLOGY PROFILE DON intitle:admin intitle:login intitle:admin intitle:login This search can find administrative login pages. Not a vulnerability in and of itself, this query serves as a locator for administrative areas of a site. Further investigation of the surrounding directories can often reveal interesting information. 1000 http://johnny.ihackstuff.com 125 T124 TECHNOLOGY PROFILE DON filetype:asp "Custom Error Message" Category Source filetype:asp "Custom Error Message" Category Source This is an ASP error message that can reveal information such as compiler used, language used, line numbers, program names and partial source code. 1000 http://johnny.ihackstuff.com 126 T125 TECHNOLOGY PROFILE DON "Fatal error: Call to undefined function" -reply -the -next "Fatal error: Call to undefined function" -reply -the -next This error message can reveal information such as compiler used, language used, line numbers, program names and partial source code. 1000 http://johnny.ihackstuff.com 127 T126 TECHNOLOGY PROFILE DON inurl:admin filetype:xls inurl:admin filetype:xls This search can find Excel spreadsheets in an administrative directory or of an administrative nature. Many times these documents contain sensitive information. 1000 http://johnny.ihackstuff.com 128 T127 TECHNOLOGY PROFILE DON inurl:admin inurl:userlist inurl:admin inurl:userlist This search reveals userlists of administrative importance. Userlists found using this method can range from benign "message group" lists to system userlists containing passwords. 1000 http://johnny.ihackstuff.com 129 T128 TECHNOLOGY PROFILE DON inurl:admin filetype:asp inurl:userlist inurl:admin filetype:asp inurl:userlist This search reveals userlists of administrative importance. Userlists found using this method can range from benign "message group" lists to system userlists containing passwords. 1000 http://johnny.ihackstuff.com 130 T129 TECHNOLOGY PROFILE DON inurl:backup intitle:index.of inurl:admin inurl:backup intitle:index.of inurl:admin This query reveals backup directories. These directories can contain various information ranging from source code, sql tables, userlists, and even passwords. 1000 http://johnny.ihackstuff.com 131 T130 TECHNOLOGY PROFILE DON "Welcome to PHP-Nuke" congratulations "Welcome to PHP-Nuke" congratulations This finds default installations of the postnuke CMS system. In many cases, default installations can be insecure especially considering that the administrator hasn't gotten past the first few installation steps. 1000 http://johnny.ihackstuff.com 132 T131 TECHNOLOGY PROFILE DON allintitle:Netscape FastTrack Server Home Page allintitle:Netscape FastTrack Server Home Page This finds default installations of Netscape Fasttrack Server. In many cases, default installations can be insecure especially considering that the administrator hasn't gotten past the first few installation steps. 1000 http://johnny.ihackstuff.com 133 T132 TECHNOLOGY PROFILE DON "Welcome to phpMyAdmin" " Create new database" "Welcome to phpMyAdmin" " Create new database" phpMyAdmin is a widly spread webfrontend used to mantain sql databases. The default security mechanism is to leave it up to the admin of the website to put a .htaccess file in the directory of the application. Well gues what, obviously some admins are either too lazy or don't know how to secure their directories. These pages should obviously not be accessable to the public without some kind of password ;-) 1000 http://johnny.ihackstuff.com 134 T133 TECHNOLOGY PROFILE DON intitle:"Index of c:\Windows" intitle:"Index of c:\Windows" These pages indicate that they are sharing the C:\WINDOWS directory, which is the system folder for many Windows installations. 1000 http://johnny.ihackstuff.com 135 T134 TECHNOLOGY PROFILE DON warning "error on line" php sablotron warning "error on line" php sablotron Sablotron is an XML toolit thingie. This query hones in on error messages generated by this toolkit. These error messages reveal all sorts of interesting stuff such as source code snippets, path and filename info, etc. 1000 http://johnny.ihackstuff.com 136 T135 TECHNOLOGY PROFILE DON "Most Submitted Forms and Scripts" "this section" "Most Submitted Forms and Scripts" "this section" More www statistics on the web. This one is very nice.. Lots of directory info, and client access statistics, email addresses.. lots of good stuff. These are SOOO dangerous, especially if INTRANET users get logged... talk about mapping out an intranet quickly... 1000 http://johnny.ihackstuff.com 137 T136 TECHNOLOGY PROFILE DON inurl:changepassword.asp inurl:changepassword.asp This is a common script for changing passwords. Now, this doesn't actually reveal the password, but it provides great information about the security layout of a server. These links can be used to troll around a website. 1000 http://johnny.ihackstuff.com 138 T137 TECHNOLOGY PROFILE DON "Select a database to view" intitle:"filemaker pro" "Select a database to view" intitle:"filemaker pro" An oldie but a goodie. This search locates servers which provides access to Filemaker pro databases via the web. The severity of this search varies wildly depending on the security of the database itself. Regardless, if Google can crawl it, it's potentially using cleartext authentication. 1000 http://johnny.ihackstuff.com 139 T138 TECHNOLOGY PROFILE DON "not for distribution" confidential "not for distribution" confidential The terms "not for distribution" and confidential indicate a sensitive document. Results vary wildly, but web-based documents are for public viewing, and should neither be considered confidential or private. 1000 http://johnny.ihackstuff.com 140 T139 TECHNOLOGY PROFILE DON "Thank you for your purchase" +download "Thank you for your purchase" +download Many web-based businesses provide a method for customers to pay for and subsequently download software via the web. The post-purchase pages often contain the terms "Thank you for your purchase" and provide a link to download the purchased software. In many cases, these pages provide a method to download pay software without paying, a practice I do not advocate. 1000 http://johnny.ihackstuff.com 141 T140 TECHNOLOGY PROFILE DON "Thank you for your order" +receipt "Thank you for your order" +receipt After placing an order via the web, many sites provide a page containing the phrase "Thank you for your order" and provide a receipt for future reference. At the very least, these pages can provide insight into the structure of a web-based shop. 1000 http://johnny.ihackstuff.com 142 T141 TECHNOLOGY PROFILE DON allinurl:intranet admin allinurl:intranet admin According to whatis.com: "An intranet is a private network that is contained within an enterprise. [...] The main purpose of an intranet is to share company information and computing resources among employees [...] and in general looks like a private version of the Internet." Intranets, by definition should not be available to the Internet's unwashed masses as they may contain private corporate information. Some of these pages are simply portals to an Intranet site, which helps with information gathering. 1000 http://johnny.ihackstuff.com 143 T142 TECHNOLOGY PROFILE DON "This file was generated by Nessus" "This file was generated by Nessus" This search yeids nessus scan reports. Even if some of the vulnerabilities have been fixed, we can still gather valuable information about the network/hosts. This also works with ISS and any other vulnerability scanner which produces reports in html or text format. 1000 http://johnny.ihackstuff.com 144 T143 TECHNOLOGY PROFILE DON intitle:"index.of.personal" intitle:"index.of.personal" This directory has various personal documents and pictures. 1000 http://johnny.ihackstuff.com 145 T144 TECHNOLOGY PROFILE DON "This report lists" "identified by Internet Scanner" "This report lists" "identified by Internet Scanner" This search yeids ISS scan reports, revealing potential vulnerabilities on hosts and networks. Even if some of the vulnerabilities have been fixed, information about the network/hosts can still be gleaned. 1000 http://johnny.ihackstuff.com 146 T145 TECHNOLOGY PROFILE DON "Network Host Assessment Report" "Internet Scanner" "Network Host Assessment Report" "Internet Scanner" This search yeids ISS scan reports, revealing potential vulnerabilities on hosts and networks. Even if some of the vulnerabilities have been fixed, information about the network/hosts can still be gleaned. 1000 http://johnny.ihackstuff.com 147 T146 TECHNOLOGY PROFILE DON "Network Vulnerability Assessment Report" "Network Vulnerability Assessment Report" This search yeids vulnerability scanner reports, revealing potential vulnerabilities on hosts and networks. Even if some of the vulnerabilities have been fixed, information about the network/hosts can still be gleaned. 1000 http://johnny.ihackstuff.com 148 T147 TECHNOLOGY PROFILE DON "Host Vulnerability Summary Report" "Host Vulnerability Summary Report" This search yeids host vulnerability scanner reports, revealing potential vulnerabilities on hosts and networks. Even if some of the vulnerabilities have been fixed, information about the network/hosts can still be gleaned. 1000 http://johnny.ihackstuff.com 149 T148 TECHNOLOGY PROFILE DON intitle:index.of inbox intitle:index.of inbox This search reveals potential location for mailbox files. In some cases, the data in this directory or file may be of a very personal nature and may include sent and received emails and archives of email data. 1000 http://johnny.ihackstuff.com 150 T149 TECHNOLOGY PROFILE DON intitle:index.of inbox dbx intitle:index.of inbox dbx This search reveals potential location for mailbox files. In some cases, the data in this directory or file may be of a very personal nature and may include sent and received emails and archives of email data. 1000 http://johnny.ihackstuff.com 151 T150 TECHNOLOGY PROFILE DON intitle:index.of inbox dbx intitle:index.of inbox dbx This search reveals potential location for mailbox files by keying on the Outlook Express cleanup.log file. In some cases, the data in this directory or file may be of a very personal nature and may include sent and received emails and archives of email data. 1000 http://johnny.ihackstuff.com 152 T151 TECHNOLOGY PROFILE DON "#mysql dump" filetype:sql "#mysql dump" filetype:sql This reveals mySQL database dumps. These database dumps list the structure and content of databases, which can reveal many different types of sensitive information. 1000 http://johnny.ihackstuff.com 153 T152 TECHNOLOGY PROFILE DON allinurl:install/install.php allinurl:install/install.php Pages with install/install.php files may be in the process of installing a new service or program. These servers may be insecure due to insecure default settings. In some cases, these servers may allow for a new installation of a program or service with insecure settings. In other cases, snapshot data about an install process can be gleaned from cached page images. 1000 http://johnny.ihackstuff.com 154 T153 TECHNOLOGY PROFILE DON inurl:vbstats.php "page generated" inurl:vbstats.php "page generated" This is your typical stats page listing referrers and top ips and such. This information can certainly be used to gather information about a site and its visitors. 1000 http://johnny.ihackstuff.com 155 T154 TECHNOLOGY PROFILE DON "index of" / lck "index of" / lck These lock files often contain usernames of the user that has locked the file. Username harvesting can be done using this technique. 1000 http://johnny.ihackstuff.com 156 T155 TECHNOLOGY PROFILE DON "Index of" / "chat/logs" "Index of" / "chat/logs" This search reveals chat logs. Depending on the contents of the logs, these files could contain just about anything! 1000 http://johnny.ihackstuff.com 157 T156 TECHNOLOGY PROFILE DON index.of perform.ini index.of perform.ini This file contains information about the mIRC client and may include channel and user names. 1000 http://johnny.ihackstuff.com 158 T157 TECHNOLOGY PROFILE DON "SnortSnarf alert page" "SnortSnarf alert page" Snort is an intrusion detection system. SnorfSnarf creates pretty web pages from intrusion detection data. These pages show what the bad guys are doing to a system. Generally, it's a bad idea to show the bad guys what you've noticed. 1000 http://johnny.ihackstuff.com 159 T158 TECHNOLOGY PROFILE DON inurl:"newsletter/admin/" intitle:"newsletter admin" inurl:"newsletter/admin/" intitle:"newsletter admin" These pages generally contain newsletter administration pages. Some of these site are password protected, others are not, allowing unauthorized users to send mass emails to an entire mailing list. 1000 http://johnny.ihackstuff.com 160 T159 TECHNOLOGY PROFILE DON inurl:"newsletter/admin/" inurl:"newsletter/admin/" These pages generally contain newsletter administration pages. Some of these site are password protected, others are not, allowing unauthorized users to send mass emails to an entire mailing list. This is a less acurate search than the similar intitle:"newsletter admin" search. 1000 http://johnny.ihackstuff.com 161 T160 TECHNOLOGY PROFILE DON inurl:phpSysInfo/ "created by phpsysinfo" inurl:phpSysInfo/ "created by phpsysinfo" This statistics program allows the an admin to view stats about a webserver. Some sites leave this in a publically accessible web page. Hackers could have access to data such as the real IP address of the server, server memory usage, general system info such as OS, type of chip, hard-drive makers and much more. 1000 http://johnny.ihackstuff.com 162 T161 TECHNOLOGY PROFILE DON allinurl: admin mdb allinurl: admin mdb Not all of these pages are administrator's access databases containing usernames, passwords and other sensitive information, but many are! 1000 http://johnny.ihackstuff.com 163 T162 TECHNOLOGY PROFILE DON allinurl:"exchange/logon.asp" allinurl:"exchange/logon.asp" According to Microsoft "Microsoft (R) Outlook (TM) Web Access is a Microsoft Exchange Active Server Application that gives you private access to your Microsoft Outlook or Microsoft Exchange personal e-mail account so that you can view your Inbox from any Web Browser. It also allows you to view Exchange server public folders and the Address Book from the World Wide Web. Anyone can post messages anonymously to public folders or search for users in the Address Book. " Now, consider for a moment and you will understand why this could be potentially bad. 1000 http://johnny.ihackstuff.com 164 T163 TECHNOLOGY PROFILE DON intitle:"Big Brother - Status" inurl:bb intitle:"Big Brother - Status" inurl:bb The "Big Brother" program shows so much information it's sickening! I mean ping data, connection headers, stat info... With an info page like this, an attacker hardly has to run any reconnaisance... they can just throw an attack.. sickening. 1000 http://johnny.ihackstuff.com 165 T164 TECHNOLOGY PROFILE DON intitle:"Index of" cfide intitle:"Index of" cfide This is the top level directory of ColdFusion, a powerful web development environment. This directory most likely contains sensitive information about a ColdFusion developed site. 1000 http://johnny.ihackstuff.com 166 T165 TECHNOLOGY PROFILE DON intitle:"ColdFusion Administrator Login" intitle:"ColdFusion Administrator Login" This is the default login page for ColdFusion administration. Although many of these are secured, this is an indicator of a default installation, and may be inherantly insecure. In addition, this search provides good information about the version of ColdFusion as well as the fact that ColdFusion is installed on the server. 1000 http://johnny.ihackstuff.com 167 T166 TECHNOLOGY PROFILE DON intitle:"Error Occurred" "The error occurred in" filetype:cfm intitle:"Error Occurred" "The error occurred in" filetype:cfm This is a typical error message from ColdFusion. A good amount of information is available from an error message like this including lines of source code, full pathnames, SQL query info, database name, SQL state info and local time info. 1000 http://johnny.ihackstuff.com 168 T167 TECHNOLOGY PROFILE DON inurl:login.cfm inurl:login.cfm This is the default login page for ColdFusion. Although many of these are secured, this is an indicator of a default installation, and may be inherantly insecure. In addition, this search provides good information about the version of ColdFusion as well as the fact that ColdFusion is installed on the server. 1000 http://johnny.ihackstuff.com 169 T168 TECHNOLOGY PROFILE DON filetype:cfm "cfapplication name" password filetype:cfm "cfapplication name" password These files contain ColdFusion source code. In some cases, the pages are examples that are found in discussion forums. However, in many cases these pages contain live sourcecode with usernames, database names or passwords in plaintext. 1000 http://johnny.ihackstuff.com 170 T169 TECHNOLOGY PROFILE DON inurl:":10000" intext:webmin inurl:":10000" intext:webmin Webmin is a html admin interface for Unix boxes. It is run on a proprietary web server listening on the default port of 10000. 1000 http://johnny.ihackstuff.com 171 T170 TECHNOLOGY PROFILE DON allinurl:/examples/jsp/snp/snoop.jsp allinurl:/examples/jsp/snp/snoop.jsp These pages reveal information about the server including path information, port information, etc. 1000 http://johnny.ihackstuff.com 172 T171 TECHNOLOGY PROFILE DON allinurl:servlet/SnoopServlet allinurl:servlet/SnoopServlet These pages reveal server information such as port, server software version, server name, full paths, etc. 1000 http://johnny.ihackstuff.com 173 T172 TECHNOLOGY PROFILE DON intitle:"Test Page for Apache" intitle:"Test Page for Apache" This is the default web page for Apache 1.2.6 - 1.3.9. Hackers can use this information to determine the version of the web server, or to search Google for vulnerable targets. In addition, this indicates that the web server is not well maintained. 1000 http://johnny.ihackstuff.com 174 T173 TECHNOLOGY PROFILE DON inurl:login.asp inurl:login.asp This is a typical login page. It has recently become a target for SQL injection. Comsec's article at http://www.governmentsecurity.org/articles/SQLinjectionBasicTutorial.php brought this to my attention. 1000 http://johnny.ihackstuff.com 175 T174 TECHNOLOGY PROFILE DON inurl:/admin/login.asp inurl:/admin/login.asp This is a typical login page. It has recently become a target for SQL injection. Comsec's article at http://www.governmentsecurity.org/articles/SQLinjectionBasicTutorial.php brought this to my attention. 1000 http://johnny.ihackstuff.com 176 T175 TECHNOLOGY PROFILE DON "Running in Child mode" "Running in Child mode" This is a gnutella client that was picked up by google. There is a lot of data present including transfer statistics, port numbers, operating system, memory, processor speed, ip addresses, and gnutella client versions. 1000 http://johnny.ihackstuff.com 177 T176 TECHNOLOGY PROFILE DON "This is a Shareaza Node" "This is a Shareaza Node" These pages are from Shareaza client programs. Various data is displayed including client version, ip address, listening ports and uptime. 1000 http://johnny.ihackstuff.com 178 T177 TECHNOLOGY PROFILE DON "VNC Desktop" inurl:5800 "VNC Desktop" inurl:5800 VNC is a remote-controlled desktop product. Depending on the configuration, remote users may not be presented with a password. Even when presented with a password, the mere existance of VNC can be important to an attacker, as is the open port of 5800. 1000 http://johnny.ihackstuff.com 179 T178 TECHNOLOGY PROFILE DON "index of cgi-bin" "index of cgi-bin" CGI directories contain scripts which can often be exploited by attackers. Regardless of the vulnerability of such scripts, a directory listing of these scripts can prove helpful. 1000 http://johnny.ihackstuff.com 180 T179 TECHNOLOGY PROFILE DON intitle:Snap.Server inurl:Func= intitle:Snap.Server inurl:Func= This page reveals the existance of a SNAP server (Netowrk attached server or NAS devices) Depending on the configuration, these servers may be vulnerable, but regardless the existance of this server is useful for information gathering. 1000 http://johnny.ihackstuff.com 181 T180 TECHNOLOGY PROFILE DON inurl:server-status "apache" inurl:server-status "apache" This page shows all sort of information about the Apache web server. It can be used to track process information, directory maps, connection data, etc. 1000 http://johnny.ihackstuff.com 182 T181 TECHNOLOGY PROFILE DON eggdrop filetype:user user eggdrop filetype:user user These are eggdrop config files. Avoiding a full-blown descussion about eggdrops and IRC bots, suffice it to say that this file contains usernames and passwords for IRC users. 1000 http://johnny.ihackstuff.com 183 T182 TECHNOLOGY PROFILE DON intitle:"index of" intext:connect.inc intitle:"index of" intext:connect.inc These files often contain usernames and passwords for connection to mysql databases. In many cases, the passwords are not encoded or encrypted. 1000 http://johnny.ihackstuff.com 184 T183 TECHNOLOGY PROFILE DON intitle:"MikroTik RouterOS Managing Webpage" intitle:"MikroTik RouterOS Managing Webpage"