"Hack You Way To Security" Advanced Hacking Expressions

Advanced Hacking Expressions

Table of Contents

Advanced Operators - General ......................................................................................................2

Confidential Material Finding (By type of material) .....................................................................3
Databases........................................................................................................................................5
E-mail Address Search...................................................................................................................6
Files and Documents......................................................................................................................7
Login Portals...................................................................................................................................7
Network-enabled Device Finding (By Device Manufacturer) .....................................................7
Network Reports Finding (By Program) ......................................................................................9
Server Operating System Specifics ..............................................................................................9
"Hack You Way To Security" Advanced Hacking Expressions

Advanced Operators - General

Wildcard . The period ( . ) is a wildcard in Google. It represents any single-

character or space. If you look at the examples below, I've replaced
the space with the period and that allowed me to eliminate the double-
quotes

intitle:index.of Returns pages that have the term "index of" in their title. This is a way
to search for directory listings. You can also try: intitle:"index.of "parent
directory"

intitle:index.of.admin Returns pages that have the term "index of" in their title and the word
admin anywhere on the page, in the URL, and in the text. (Also try:
intitle:"index of" admin)

intitle:index.of.private Returns pages that have the term "index of" in their title and the word
private anywhere on the page, in the URL, and in the text. (Also try:
intitle:"index of" private)

intitle:"index of" "backup files" Returns pages that have the term "index of" in their title and the phrase
backup files anywhere on the page, in the URL, and in the text.

allintext: Finds a string of text within a page. It does not look in the title, URL or
links.

filetype: Active Server Pages asp

Adobe Acrobat Format pdf
Adobe PostScript ps
Cold Fusion cfm
Common Gateway Interface cgi
Data dat
Databases db, mdb, mde
Executables exe
FileMaker Pro fp
Java jsp
Information (various) inf , dat
Lotus 1-2-3 wk1, wk2, wk3, wk4, wk5,
wki, sks, wku
Lotus WordPro lwp
MacWrite mw
Microsoft Access mdb, mde
Microsoft Excel xls
Microsoft PowerPoint ppt
Microsoft Word doc
Microsoft Works wks, wps, wdb

Page 2
"Hack You Way To Security" Advanced Hacking Expressions

filetype: (continued) Microsoft Write wri

Rich Text Format rtf
Shockwave Flash swf
Text ans, txt
Web Address Book wab
Web Pages (Hypertext) html, htm
(Python) php
Windows XP/2000
Back-up Files filetype:bkf bkf

info: Shows Google's summary information for a URL.

author:somename Searches for any particular name in newsgroup posts.

bphonebook: Searches the business listings for phone book entries.

rphonebook: Searches the residential listing for phone book entries.

phonebook: Searches both business and residential listing for phone book entires.

Confidential Material Finding (By type of material)

Finding Credit Cards: numrange: You need two numbers here; a high and low number,
separated by a dash. A hacker will create a query that
would look like this to search for VISA and MasterCard
numbers: 4400-5500
filetype:afm Abassis Finance Manager
filetype:ab4 Accounting & Business File
filetype:tax Intuit Turbo Tax
filetype:mny Microsoft Money
filetype:mbf Microsoft Money Back-up Files
filetype:ptdb Peachtree Accounting
filetype:qbb Quickbooks Back-up Files
filetype:qbw Quickbooks Files
filetype:qdf Quicken

Finding Login Portals login | logon

username | userid
employee.id | "your user name is"
admin | administrator
password | passcode
"your password is"
user | password

Finding Social Security Numbers inurl:edu "student ID"

Inurl:edu ssn | "student ID"
ssn | "student ID"
ssn | benefit

Page 3
"Hack You Way To Security" Advanced Hacking Expressions

AOL Instant Messenger Buddy Lists filetype:blt blt +intext:screenname

Buddylist.blt

AIM and IRC Chat Log Files intext:"Sesssion Start * * * *:* *" filetype:log

ColdFusion Passwords filetype:cfm "cfapplication name" password

DCForum User Passwords allinurl:auth_user_file.txt

Generic Passwords filetype:dat "password.dat"

inurl:password.log filetype:log
filetype:log inurl:"password.log"

Generic Usernames inurl:admin inurl:userlist

Inurl:admin filteype:asp inurl:userlist

HTTP htpasswd Web Users filetype:htpasswd htpasswd

Intitle:"index of" ".htpasswd" "htgroup"
Intitle:"index of" .htpasswd.bak
http://*:*@www bob:bob (substitute bob for any name)

ICQ Chat logs intitle:Index of" dbconvert.exe chats

Internet Relay Channels (IRC) "sets mode: +k"

"Your password is * Remember this for later use"
IRC: Usernames, Passwords eggdrop filetype:user user
mIRC: Nicknames, Passwords filetype:ini inurl:perform.ini

Locked User Files "index of " lck

Microsoft Access User Profiles filetype:mdb inurl:profiles

Microsoft Frontpage Web Credentials filetype:ctl inurl:haccess.ctl basic

filetype:pwd service
intitle:index.of.administrators.pwd
ext:pwd inurl:_vti_pvt
inurl:(Service | authors | adminstrators)
"# -FrontPage-" inurl:service.pwd

Microsoft .net filetype:config config intext:appsettings "User ID"

MSN Messenger Contacts filteype:ctt ctt messenger

MySQL Databases intitle:"index of" intext:connect.inc

filetype:cnf my.cnf –cvs -example
intitle:"index of" intext:globals.inc

Palm Pilot Hot Sync filetype:pdb pdb backup

(pilot | pluckerdb)

Page 4
"Hack You Way To Security" Advanced Hacking Expressions

PHP intitle:index.of config.php

inurl:config.php dbuname dbpass
inurl:nuke filetype:sql

Remote Desktop Connection filetype:rdp rdp

SQL filetype:sql "identified by" –cvs

filetype:sql password

Student Grades (and possible SSN) site:edu admin grades

Trillion User Web Links intitle:index.of mystuff.xml

filetype:ini inurl:trillian.ini

Unix Passwords filetype:bak inurl:"htaccess | passwd | shadow | htusers

intitle:index.of master.psswd
intitle:index.of etc shadow
intitle: "index of" pwd.db
intitle:"index of" passwd
intitle:index.of passwd passwd.bak

Web Server Passwords (encrypted/unencrypted) "asp.net_SessionId" "data source="

Windows Passwords filetype:pwl pwl

Windows Registry Usernames filetype:reg reg hkey_current_user username

Windows XP/2000 Back-up Files filetype:bkf bkf

Databases

FileMaker Pro filetype:fp5 fp5 –"cvs log"

"Select a database to view" intitle:"filemaker pro"

IBM Websphere "Welcome to YourCo Financial"

"Welcome to Websphere" "(C) Copyrtight IBM"

Lotus Messaging intitle:messaging login" "© Copyright IBM"

Microsoft Access User Profiles filetype:mdb inurl:profiles

Microsoft FrontPage Dabases ext:mdb inurl:*mdb inurl:fpdb

ext:mdb inurl:*mdb inurl:shop.mdb

MySQL Databases intitle:"index of" intext:connect.inc

intitle:"index of" intext:globals.inc

Oracle intitle:"Gateway Configuration Menu"

Page 5
"Hack You Way To Security" Advanced Hacking Expressions

Intitle:"oragle http server index"

PHPMyAdmin "running on" inurl:"main.php"

"Welcome to phpMyAdmin" "Create new Database"
intitle:phpMyAdmin "Welcome to phpMyAdmin * * *"
"running on * as root@*"
inurl:main.php phpMyAdmin

SQL filetype:sql "identified by" –cvs

filetype:sql password

E-mail Address Search

Try: http://groups.google.com/advanced_group_search)

filetype:mbx mbx intext:subject Finds e-mails or mailboxes sitting on the Internet.

filetype:pst pst ( contacts | address | inbox) Finds personal outlook mail folder sitting on the
Internet.
filetype:reg reg +intext:"internet account manager" Finds Windows retistry keys for Internet e-mail.
e-mail address filetype:csv csv CSV (Comma Separated Version) file for stored e-mail
addresses.

intitle:index.of dead.letter A Unix based file that contains unfinished e-mails that
may contain sensitive or confidential information.
inurl:fcgi-bin/echo A fastcgi echo script reveals a lot of information from e-
mail addresses to server information.
filetype:pst pst –from –to –date Finds outlook PST files

intitle:index.of inbox Finds generic e-mail cached inboxes.

intitle:"Index of" –inurl:mailog mailog size Reveals usernames, e-mail addresses, user
login/logout times, IP addresses, directories on the
server and more.

inurl:e-mail filetype:mdb Microsoft Access databases containing e-mail

information

filetype:xls inurl:"e-mail.xls: Microsoft Excel spreadsheet containing e-mail

information.

filetype:xls username password e-mail Microsoft Excel Spreadsheet containing usernames,

passwords, and e-mail addresses.

intitle:index.of inbox dbx Outlook Express clean-up log or e-mail folder.

inurl:buddylist.blt Instant messaging buddy lists.

filetype:wab wab Microsoft's Web Address Book files

Page 6
"Hack You Way To Security" Advanced Hacking Expressions

Files and Documents

filetype: Adobe Acrobat Format pdf

Adobe PostScript ps
Databases db, mdb, mde
Lotus 1-2-3 wk1, wk2, wk3, wk4, wk5,
wki, sks, wku
Lotus WordPro lwp
MacWrite mw
Microsoft Access mdb, mde
Microsoft Excel xls
Microsoft PowerPoint ppt
Microsoft Word doc
Microsoft Works wks, wps, wdb
Microsoft Write wri
Rich Text Format rtf
Shockwave Flash swf
Text ans, txt
Web Pages (Hypertext) html, htm
(Python) php
Active Server Pages asp
Common Gateway Interface cgi
Cold Fusion cfm
Java jsp
Executables exe
Text txt
Visio vsd

Login Portals

login | logon username | userid

admin | administrator employee.id | "your user name is"
user | password password | passcode | "your password is"

Network-enabled Device Finding (By Device Manufacturer)

AXIS Video Server (CAM) inurl:indexFrame.shtml Axis

AXIS 200 Network Camera intitle:"The AXIS 200 Home Page"

Belkin Cable/DSL Router "version info" "Boot Version" "Internet Settings"

Canon Network Camera intitle:liveapplet inurl:LvAppl

Cisco Micro Webserver "micro webserver home page"

Cisco Products inurl:tech-support inurl:show Cisco

intitle:"switch home page" "cisco systems"
"Telnet – to"

Page 7
"Hack You Way To Security" Advanced Hacking Expressions

Generic Device Search "default web page" congratulations "hosting appliance"

"default web page" congratulations

Generic Firewall Configurations filetype:conf inurl:firewall intitle:cvs

Generic Printer Search "Printer Neighborhood"

"Printer named:"

HP Insight Management Agents: intitle:"wbem" compaq login

HP Switch intitle:"Object not found" netware

Intel Netstructure "congratulations on choosing" intel netstructure

iPlanet intitle:"web server, enterprise edition"

Jigsaw intitle:"jigsaw overview"

Konica Printers intitle:"Network administration" inurl:"nic"

Microsoft Terminal Server Client filetype:reg "Terminal Server Client"

(Reveals connection settings, credentials and configuration)

Novell Proxy/Firewall intitle:"BorderManager information alert"

Panasonic Network Camera intitle:"WJ-NT104 Main Page" Inurl:"ViewerFrame?Mode="

RICOH Copiers inurl:sts_index.cgi

RICOH Printers intitle:RICOH intitle:"Network Administration"

Samba inurl:"smb.comf" intext:"workgroup" filetype:conf

SharePoint inurl:/_layouts/settings

Sony Network Camera intitle:snc-z20 inurl:home/

SSL Configuration Files inurl:ssl.config filetype:conf

Sun AnswerBook Server inurl:"Answerbook2options"

Tektronix Phaser Printer intitle:"View and Configure PhaserLink"

TivoConnect Server inurl:/TiVoConnect

Webcam XP "powered by webcamXP"

Xerox Phaser inurl:live_staus.html

Xerox WorkCentre intitle:"xerox workcenter pro – index"

Page 8
"Hack You Way To Security" Advanced Hacking Expressions

Network Reports Finding (By Program)

ASP Web Server Passwords "asp.net_SessionId" "data source="

(encrypted/unencrypted)

AW Stats Web Statistics Reporting intitle:"statics of" "advanced web statistics"

Big Sister Network Reporting intitle:"Big Sister" ok attention trouble

Cacti Network Reporting inurl:"cacti" +inurl:"graph_view.php" +"Settings Tree View" –cvs

Fast Stats Echo Program inurl:fcgi-bin/echo

Ganglia Server Cluster Reports intitle:"Ganglia" "cluster report for"

Looking Glass Network Reporting "Looking Glass" (inurl:"lg/" inurl:lookingglass)

Microsoft FrontPage User

Web Credentials filetype:ctl inurl:haccess.ctl basic

Viso Network Drawings filetype:vsd vsd network –samples –examples

Server Operating System Specifics

intitle:index.of "server at" Finds the directory that shows the server version information of any
given Web site that has this directory. Knowing what server operating
system allows a hacker to exploit a known vulnerability.

A Few Specific Server Searches:

intitle:"Test Page for Apache"
"AnWeb/1.42.h" intitle:index.of
"Apache Tomcat/" intitle:index.of
"Apache-AdvanceExtranetServer/" intitle:index.of
"Apache/" "server at" intitle:index.of
"Apache/WWW" intitle:index.of
"HP Apache-based Web" "Server/1.3.25" intitle:index.of
"Jrun Web Server" intitle:index.of
"Microsoft-IIS/* server at" intitle:index.of
allintitle:Netscape Enterprise Server Home Page
allintitle:Netwscape FastTrack Server Home Page
"Oracle HTTP Server Powered by Apache" intitle:index.of
"Red Hat Secure" intitle:index.of

Googlebot "http_from=googlebot" googlebot.com "Server_Software"

Page 9