SECURITY 550

Power Search with Google

This course is meant as a detailed introduction to the security assessment methodology coined "Google Hacking". It will introduce you to some common techniques used by Google hackers, demonstrate a number of typical security exposures that Google uncovers, and aims to set you on the path of discovery if Google hacking is to be part of your security evaluation toolkit.

"Google Hacking" is a young and rapidly growing field of research. The implications of having our public sites crawled by search engines for security relevant data were largely unknown until recently. As more and more of our business processes, intellectual property, and research and development moves to a "Web" environment, the more important it will be for security practitioners to have the skills required to evaluate their sites from the perspective of a malicious search engine user.

Along with a study of proven Google Hacking techniques will be a description of some common technical defense measures used to throttle what data our site gives away and hopefully stop the most curious and persistent of Google hackers. At the end of the module you should have a solid toolkit of techniques and tips that you can take back to your organization and use to uncover unintended information disclosures, close common holes in Web servers and Internet connected devices, and clean up the exposures you discover.

Students are expected to be familiar with use of search engines, and particularly with some of the advanced operations that Google offers. Students would also benefit from a basic familiarity with Web servers, the HTTP protocol, and HTML.

Google Hacking Cheat Sheet

Who Should Attend:

• Web Administrators
• System Security Administrators
• Hands-on Security Managers
• Information Security Officers
• Penetration Testers and Security Auditors
• Intrusion Detection and Vulnerability Assessment Personnel
• Those charged with the protection of Intellectual Property within their organizations
• Any personnel responsible for the secure configuration of Internet facing systems

As a SysAdmin, I found this tack invaluable. It not only gave me the skills I need to audit my own systems, but also gave me some insight on how to better work with external auditors.
-Christoper O'Keefe, CPC

Author Statement

The Power Search with Google course is meant as an introduction to the rapidly developing discipline of search engine driven vulnerability identification and exploitation. As an increasing number of our business processes and operations move to a web centric environment the more important it becomes that we learn about the growing role and expansive crawling capabilities of search engines, and the surprising level of organizational penetration they often achieve. It is also imperative that we learn to view the search engine from the perspective of an attacker and develop a grasp of how advanced search capabilities can be used to anonymously prepare to attack our organizations.

This course was developed to introduce those responsible for the security of Internet facing machinery to the offensive and defensive techniques required to anonymously assess, identify, exploit, and remediate web based vulnerabilities in their systems. This field is relatively new and it is now becoming obvious that the amount of serious vulnerabilities that can be uncovered using only simple search techniques is immense. Thus, a working familiarity with Google hacking and defense techniques is now perceived as a required skill for most Information Security personnel.

This module was written with the intermediate student in mind. There are hands on exercises that only require a moderately powered laptop and web browser to conduct. The student will benefit however, from a working knowledge of the HTTP protocol, previous experience with the Google search interface, and knowledge of HTML and hypertext concepts. It is intended that the student will be able to return to their organizations and immediately apply a collection of known search and assessment techniques through Google that will identify weaknesses in their systems. This course also aims to teach you standard vulnerability remediation and breach removal procedures when you uncover unwanted exposures on your site.
--Erik Kamerling