Hello and welcome to the very first episode of HackByte, a brand new series here on Hak5 where I hope to teach you the basics of cyber security. I'm Nick, former co-host on the Null Byte YouTube channel and cyber security researcher. On the first episode we'll learn how to take advantage of search engines and find almost anything on the internet using Google dorks.

Think of the Google search bar as a gateway to almost all information on the internet, acting as the largest database of information that people have public access to. But all this information can make it difficult to find exactly what you want, and to return more accurate results Google makes assumptions about your search query. Google will alter your search results based on a number of factors, one being the popularity of a topic. For example, if you search "will smith", Google will return results about the popular actor even if you wanted to learn about the baseball player with the same name. Google also takes into account your location (where you're searching from), your search history and even the device that you're searching on to optimize your results. This can be convenient for a quick off-the-cuff search, but can make finding something niche, or having repeatable results, more difficult.

Today we'll learn about proper use of a Google search so you can refine your search and find that needle in the haystack. Potential discoveries include databases containing sensitive information that were not properly secured, contact information for individuals that can sometimes be hard to find otherwise, or it can even allow you to find vulnerabilities in a web server. These advanced Google searches, sometimes referred to as Google dorks, simply take advantage of advanced Google search operators. For this tutorial we'll start by learning simple techniques, such as using quotation marks to only include exact matches, then move on to some more advanced search queries so you can find leaked password lists and otherwise. Finally, I'll show you guys a neat little tool called pagodo which can work in the background, allowing you to maximize its effectiveness and perform more Google dorks. To follow this tutorial all you need is a device which can use Google, which shouldn't be too difficult; however, if you do want to install pagodo you will need a computer with Python installed on it.

So the first thing I'll go over is how to hone in on a specific topic and filter out all the noise that Google might throw at you if you're searching for a general term. I'll go back to that Will Smith example that I brought up earlier and say I'm looking for statistics about the catcher for the Los Angeles Dodgers, Will Smith. If I just search "will smith", that's probably not going to return what I want, because by and large people who are searching "will smith" are going to want to learn about the very famous actor who was on The Fresh Prince of Bel-Air and many, many other things. This is the most you can really expect from Google: if you give it a search term like "will smith", it's going to return results that are most likely to satisfy you, and most people are going to be searching for Will Smith the actor. So if I wanted to filter out all this stuff that is related to Will Smith the actor, which I do not want to learn about, and find more about the baseball player, the first thing I'll do is put "will smith" in quotation marks, because I only want exact results for "will smith"; I don't want anything that might just contain "will" or just contain "smith". And then I'm going to... oh, as you can see, it's already recommending the Dodgers baseball player, but let's take this a little bit further and make sure that nothing related to the actor is there. So I might do stuff like -actor; this "minus actor" is basically saying I don't want to include any results that have the keyword "actor". Then I'll add another one for "fresh prince", and I'm just putting "fresh prince" in quotation marks because it's two words. So now if I search this, almost nothing related to The Fresh Prince of Bel-Air will show up and it's just going to give us stats about the far less popular baseball player. But this is just a simple example of how you can... oh, this is actually the other Will Smith, the pitcher on the Braves. So if I instead wanted to find out about the Dodgers one, I would also include "dodgers" in quotation marks. So I learned about Will Smith the catcher, who is right here. Yes, this is the Will Smith I wanted to find, and as you can see, because Will Smith is such a common name, I had to do a lot of refinement to get exactly what I wanted.

For the next example we'll go over something a little more advanced, but nothing too tricky: finding websites that could have some insecurities. Oftentimes with vulnerabilities that you may run across, you find this really cool exploit and think, wow, that seems really powerful if it's in the right hands, but most of the time with those exploits there are a lot of caveats: they can only successfully attack web servers or devices with very, very specific vulnerabilities. One of those vulnerabilities is not having SSL set up on your web server. If you don't know, simply put, SSL is that little padlock at the top of your URL bar, and that basically means that this browser session starts with https and is carried with SSL, so anybody on your local network can't sniff that traffic going to that SSL site. But if you want to find websites that don't have SSL enabled, and are thus vulnerable to those kinds of attacks, then you can limit your results to only include sites that have http instead of https. To do that all you have to do is include the term inurl:http. And if you search that... oops, I forgot the colon. So this isn't going to work, because it's just a generic search for "http" inside URLs, but instead, if we limit it to a site with a specific domain, we'll get the results that we want. So let me go back to the main screen. If I want to find media websites that don't have SSL enabled I'll do site:.tv and then inurl:http, and now all of these websites are going to be .tv websites that don't have SSL enabled. As you can see, if I click any one of them they're not going to have that padlock in the top left, and Google Chrome is actually telling me that this website's not secure: please don't log into it with a password that you care about or use your credit card to buy anything on this website, because anyone on your network or further down the line might be able to snoop in and steal that information. And techcrunch.tv, I don't think that's related to the actual TechCrunch; you can see a lot of these websites are a little bit sketchy, obviously, because they don't have SSL enabled. But you could do this for any URL, so if you're in a specific country and you want to find websites that are vulnerable to this kind of attack, you can use your country's domain; Norway is .no. While .tv is mostly used for TV, television companies and media websites, it's actually the domain for Tuvalu, but that's a tiny country and there aren't many websites hosted there. So that's a simple way to find any websites that don't have SSL enabled.

The last simple Google dork I'll show you is actually pretty interesting. What we're going to do is find any log files that are visible to the internet but contain some interesting information. So we're going to limit it to only log files, which already might contain something interesting, and only return log files that have the keyword "password" in them. To do that we're going to do allintext:password, and we're going to specify that we want to only show files that are log files, so we'll do filetype:log, and we're going to want to limit our results to somewhat recent, so I'll do after:2018. So all of these are going to be log files that contain the keyword "password" and they're going to be more recent than 2018. I can just click a random one, and as you can see, this is probably something that shouldn't be exposed to the internet. Let me Ctrl+F for "password". Oh, okay, so this is just the log; this one is just like a computer log, so it's just checking that there are passwords. But if you go digging around here I'm sure you could find a password leak that is exposed to the internet and probably shouldn't be, and the people who exposed it to the internet probably aren't aware that it's there. That's just an example of some of the Google search operators that you can use to do some Google dorks, but if you want to learn more, this is a pretty neat blog post that lists a bunch of other common search operators so you can invent your own Google dorks and find anything that you want to.

So if you don't want to have to memorize and understand how to utilize all those different advanced Google search operators, and have to memorize all those different Google dorks, and also if you want to cast a wider net, you can take advantage of some software to do this Google dorking for you. There are a couple of other tools out there, but this one is my favorite. It's called pagodo, which stands for Passive Google Dork, and basically what it does, in a nutshell, is take advantage of online repositories of thousands of different Google dorks, automatically send them to Google and save the results for you. If you just blindly sent all these kind of fishy search queries to Google, you know, every millisecond or so, Google is probably going to block your IP address, but luckily pagodo does some fancy smart stuff: it sends them at random time intervals, and it can even send them through proxies in order to avoid getting your IP blocked by Google. In this tutorial I'm just going to really quickly show you how to install and set up pagodo properly, I'll show you how to run a basic search, and then I'll go over some results that I gathered using pagodo a little bit earlier.

To install it, it's just like any other GitHub repository. I'm going to copy this URL and open a terminal window in a directory of your choosing; I'm using my Documents folder. Then to install it we're just going to clone it into this folder. It's going to take a second or two; it's not that big. Now if I type ls I can see that I have this new pagodo folder here, so let's navigate into this pagodo folder and see all the files that have come with it. We have this ghdb_scraper.py program, which I'm going to talk about a little bit later, and we have this main program for pagodo, which is actually going to search the Google dorks. But before we can actually use these we have to install everything in the requirements.txt file. If you've ever used a Python program from GitHub before you're probably familiar with how to install the requirements.txt, but if not, it's pretty simple: all you have to do is python3 (because pagodo is a Python 3 tool) and then -m pip install -r requirements.txt, and it's just going to take a couple of seconds. See what libraries pagodo and ghdb_scraper need; it looks like some web scraping stuff and numpy, but those are already installed for me.

Now that that's taken care of, we're going to go ahead and talk about what this ghdb_scraper.py program does, and it's important to use this one before you actually use pagodo.py. What ghdb_scraper does is check the online repositories for Google dorks, download them and save them to your computer so pagodo.py can actually use them. It's not necessary on a fresh install, because as you can see we can go to this dorks folder and see that the dorks are already here. I'll cat a random one, like error_messages.txt, just so you can see them; as you can see, it has some Google dorks to go down. But in case you've had pagodo installed for a while and you want to make sure you have the most up-to-date dorks, you're going to have to use ghdb_scraper, so I might as well show you how to use it really quickly. All you have to do is type python3 and then the name of the program, which is ghdb_scraper.py (the GHDB scraper), and -i. What this is going to do is check all the dorks, and... yeah, so it's downloading all the dorks from this category, "files containing passwords", and saving them to this file. This is just something that you should remember to do if you've had pagodo installed for a couple of months: you come back to it and you want to run another search, so just make sure you have the most up-to-date dorks.

Now that we have all our dorks ready, we can actually go ahead and learn how to use pagodo. It's actually really simple. All you have to do is make sure you're in the same folder as pagodo.py, which I am, and then I'll run an example search. So it's python3 pagodo.py, to tell Python to run pagodo.py, and then we're going to have to specify the domain. If you're doing surveillance on a specific company or a specific organization you'd put their website or something like that; I'm just going to keep it basic, I'll just put something like amazon.com. I don't want anyone to take heat. So this will only include results with the domain amazon.com. Then -g: this is going to specify the .dorks file that we're going to use. I'm actually going to go ahead and open a new terminal window so we can take a look at all the different dork files that we have available. I'm going to change directory to Documents/hackbyte/pagodo, and now if we go to the dorks folder, where all the dorks are installed automatically, we can see all of these different .dorks files, and the one we're going to use depends on what we want to find. As you can see, they're pretty self-explanatory, so if you want to find files that contain passwords, files that contain usernames or files that contain juicy info, you'll use the respective dorks file to find that information. There are pages that contain login portals, so you can copy them for phishing or see if they're exploitable, stuff like that; vulnerable files and vulnerable servers, those are the kind of dorks that we went over at the end of the Google dorking tutorial a little bit ago. Another interesting part of pagodo is that even if you don't want to use this tool, all of these are good repositories for Google dorking that you can do manually. So if I just cat... let's do files_containing_juicy_info.dorks, because that's the scan I ran with the results that I'll show you. Let me zoom out a little bit so it's a little easier to read. These are Google dorks that you can use on your own to find specific things, so if I want to find an RSA private key I might use this Google dork with the domain that I want to specify. So when I tell pagodo to use this .dorks file, it's going to run through the list of all of these search queries, send them to Google and add on that -d for amazon.com that specifies that we only want results from Amazon. So that's what a .dorks file is.

Let's go back to here. We specified amazon.com for the domain we're going to want, so next we'll specify the dorks file. What was the name of it again? I want to make sure I get it right. It was files containing juicy info, so let's go ahead and specify that one: files_containing_juicy_info.dorks. The next thing you do is specify -l, and this will be an integer representing the maximum results that you want to return, so for each line you only want to return the first x number of results. To keep things shorter you can keep it at a lower number like 50 or 20; by default it's a hundred. Just for this tutorial I'll leave it at 50; I'm not even going to complete this whole search because they take forever. Then you can write -s to save the results to an HTML file, which can be very handy to review later instead of just having it temporarily in the terminal window, so I always recommend including -s. -e specifies the minimum delay in seconds; this is a float, so it includes a decimal. You can start with something low like 10 or 15 seconds, but if you find that your IP is getting blocked you might want to change it to something higher. The people who wrote pagodo recommend that you use 35 seconds, so I'll specify 35.0 seconds. Then -j is what the people who wrote pagodo call the jitter factor, and this adds some randomness to your searches. Basically this number is a number that's multiplied by a random value to increase or decrease this delay, so the minimum delay will be 35 seconds plus some random value that pagodo comes up with multiplied by this jitter factor. It's not that important, but the important thing to note is that if your IP does get blocked when using pagodo, then you might want to increase this minimum value to make that less likely. And that's it, that's all the arguments that we're going to include. Then your Google dorking will start, and this will take a very, very long time, because it's going to go through 905 searches, and at minimum it's going to take 35 seconds between all of those searches, probably more, and if you want more results than 50 it's going to take even longer than that. So this is definitely a tool that you have to plan around. This is something I totally recommend running before you go to sleep: you know you're investigating something, so you run this search and just leave it going in the background overnight. That's the easiest way to use the software, because otherwise you can't really do much after here.

So instead of waiting all this time, I'm going to go ahead and cut right now and show you some results that I got earlier by letting this program run overnight. So here I am; this is actually my main installation of pagodo, that last one I was using was just for demonstration purposes. I can see this is what your results will look like by default when you save them: it's just pagodo_results_ and then these numbers. I'm going to go ahead and open this in Nautilus. Yeah, this is the text file that I'm interested in, and this was after a long night of Google dorking; these are all the URLs that it found. I think this was when I was doing files containing juicy info, and I think it specified the category... yeah. So it shows you, for each Google dork, so if you go to line one, intext "steam user passphrase", yeah, this is trying to find any websites that might contain some Steam information. I can just click a random one, and hopefully it doesn't take me anywhere sketchy; I'm on a virtual machine right now so I'm not that scared. Then open Chrome... oops, sorry, I can't copy and paste something... here we go. So this is some... it looks like some obscure forum website, and I'm sure it's in Spanish, and... yeah. So this is a generic password thing, but if you look through all of these then I'm sure you'll be able to find something interesting. It's still going to take some work, but you're not going to have to type in the Google dorks manually, and you're going to have a nice convenient list of URLs to be able to check.

So, yeah, that's the basics of using pagodo. It's actually a really simple program, and that's most of the functionality you'll get. The more advanced you can get is adding your own Google dorks to those .dorks files, which is really easy, and targeting the domain that you want to target. You also don't have to specify a domain; I should have mentioned earlier that -d is actually an optional parameter, so you can just throw it at the internet and get all the results from it.

So, yeah, that's the basics of pagodo and the basics of Google dorking. Hopefully the techniques that I showed you here can improve your internet sleuthing abilities, allowing you to avoid those frustrating moments where you know there's something there but you just can't find it. If you liked this tutorial be sure to check out the YouTube channel, and if you have any ideas for a future video you can hit me up on Twitter at Nick Gotcha. Thanks for watching and I'll see you guys next time.

Thanks for supporting Hak5. Find all our shows, community and pentest products at Hak5.
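The search operators from the manual dorking walkthrough (quoted phrases, -exclusions, site:, inurl:, filetype:, allintext:, after:) and the -e / -j pacing described for pagodo, as a Python example added by the editor; it is not part of the video and not pagodo's own code. build_dork and search_url assemble the three queries typed in the video, load_dorks and scope_dorks mimic reading a .dorks file and tacking on an optional -d domain, and next_delay and estimate_runtime model a minimum delay plus jitter. The .dorks text is constructed for the example, and the delay formula (the -e value as a floor plus a random value scaled by the -j factor) is an assumption about how pagodo paces requests, not taken from its source.

```python
"""Build Google dork queries and pace them with a minimum delay plus jitter.

Editor-added example. Nothing here is pagodo's own code; the .dorks sample
is constructed, and the delay formula is an assumption about pagodo.
"""
import random
import urllib.parse


def _quote(term: str) -> str:
    """Wrap a multi-word term in double quotes so Google matches the phrase."""
    return f'"{term}"' if " " in term else term


def build_dork(exact=(), words=(), exclude=(), site=None, inurl=None,
               filetype=None, allintext=None, after=None):
    """Assemble one query string from Google's advanced search operators.

    exact    - phrases always wrapped in quotes (exact-match only)
    words    - plain keywords, matched loosely
    exclude  - terms prefixed with '-' so pages containing them are dropped
    site, inurl, filetype, allintext, after map onto the operator of the
    same name; allintext: goes first because it applies to the words after it.
    """
    parts = []
    if allintext:
        parts.append(f"allintext:{allintext}")
    parts.extend(f'"{t}"' for t in exact)
    parts.extend(words)
    parts.extend(f"-{_quote(t)}" for t in exclude)
    if site:
        parts.append(f"site:{site}")
    if inurl:
        parts.append(f"inurl:{inurl}")
    if filetype:
        parts.append(f"filetype:{filetype}")
    if after:
        parts.append(f"after:{after}")
    return " ".join(parts)


def search_url(query: str) -> str:
    """URL-encode a query into a Google search URL (quotes become %22, spaces '+')."""
    return "https://www.google.com/search?" + urllib.parse.urlencode({"q": query})


# Constructed sample in the one-dork-per-line layout of a .dorks file.
SAMPLE_DORKS_FILE = """\
# constructed sample, not a real GHDB export
intitle:"index of" "backup.sql"

filetype:log intext:password
allintext:"steam user passphrase"
"""


def load_dorks(text: str):
    """Parse a .dorks file: one query per line, blank lines and '#' comments skipped."""
    dorks = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            dorks.append(line)
    return dorks


def scope_dorks(dorks, domain=None):
    """Append 'site:<domain>' to every dork, like pagodo's optional -d flag."""
    if not domain:
        return list(dorks)
    return [f"{d} site:{domain}" for d in dorks]


def next_delay(min_delay: float, jitter: float, rng=None) -> float:
    """Seconds to wait before the next query.

    Assumption (not pagodo's exact formula): -e is a floor and -j scales a
    random value in [0, 1) added on top, so the wait is never below
    min_delay and never a fixed, easily fingerprinted interval.
    """
    rng = rng or random
    return min_delay + rng.random() * jitter


def estimate_runtime(n_queries: int, min_delay: float, jitter: float, seed=0) -> float:
    """Total seconds a run of n_queries spends waiting between requests."""
    rng = random.Random(seed)
    return sum(next_delay(min_delay, jitter, rng) for _ in range(n_queries))


if __name__ == "__main__":
    print(build_dork(exact=["will smith", "dodgers"], exclude=["actor", "fresh prince"]))
    print(build_dork(site=".tv", inurl="http"))
    print(build_dork(allintext="password", filetype="log", after="2018"))
    for q in scope_dorks(load_dorks(SAMPLE_DORKS_FILE), "example.com"):
        print(search_url(q))
    hours = estimate_runtime(905, 35.0, 1.1) / 3600
    print(f"905 queries at -e 35.0 -j 1.1: about {hours:.1f} hours of waiting")
```

Running the file prints the three queries from the walkthrough, the constructed dorks scoped to example.com as search URLs, and an estimate for the 905-query run at a 35-second floor, which comes to roughly nine hours of waiting and is why the video suggests leaving pagodo running overnight.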