STACH & LIU

With the retirement of Google’s AJAX Search API on November 1, 2010, most of the security utilities available for Google Hacking cease to function properly, leaving the security industry with a need for new and innovative tools. GoogleDiggity is a new utility designed to help fill that need, now leveraging the Google JSON/ATOM Custom Search API, so it will not get you blocked by Google bot detection while scanning. Also, unlike other Google Hacking tools available, GoogleDiggity actually allows you to specify a Google Custom Search Engine (CSE) id to run Google Hacking vulnerability checks against a customized version of Google that will only return results tailored to your organization.

Leverages the new Bing 2.0 API and Stach & Liu’s newly developed Bing Hacking Database (BHDB) to find vulnerabilities and sensitive information disclosures related to your organization that are exposed via Microsoft’s Bing search engine. This utility also provides footprinting functionality that allows you to enumerate URLS, hosts, domains, IP-to-virtual host mappings, etc. for target companies.

Automates Google searching/downloading/decompiling/analysis of SWF files to identify Flash vulnerabilities and information disclosures.

FlashDiggity first leverages the GoogleDiggity tool in order to identify Adobe Flash SWF applications for target domains via Google searches, such as ext:swf. Next, the tool is used to download all of the SWF files in bulk for analysis. The SWF files are disassembled back to their original ActionScript source code, and then analyzed for code-based vulnerabilities.

Data loss prevention tool that leverages Google/Bing to identify exposures of sensitive information (e.g. SSNs, credit card numbers, etc.) via common document formats such as .doc, .xls, and .pdf.

DLPDiggity utilizes IFilters to search through the actual contents of files, as opposed to just the meta-data. Using .NET regular expressions, DLPDiggity can find almost any type of sensitive data within common document file formats.

Leverages the Bing 2.0 API and the Google Safe Browsing API together to provide an answer to a simple question, “Am I being used as a platform to distribute malware to people who visit my website?”

MalwareDiggity first identifies off-site links of your web sites using Bing’s linkfromdomain: search directive, and then tests to see if those off-site links are to known malware distribution sites by running them against Google’s Safe Browsing API.

Utilizes Google Code Search to identifies vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, Github, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more.

Essentially, Google CodeSearchDiggity provides a source code security analysis of nearly every single open source code project in existence – simultaneously.

NOTE – The Code Search API has been retired by Google as of January 15, 2012. However, the risks associated with information disclosures and vulnerabilities exposed in open-source code remains. As such, we are currently working on an alternative search API to migrate CodeSearchDiggity to in order to identify vulnerabilities in open-source code projects.

Attack footprinting tool that leverages Bing’s linkfromdomain: search directive to find off-site links. From those results the tool then enumerates lists of applications, hostnames, domains, and sub-domains related to your attack target.

How would you like to get Google to do your port scanning for you? Using undocumented functionality within Google, we’ve been able to turn Google into an extremely effective network port scanning tool. As an example, see the Google search results for administrative web applications listening on non-standard TCP ports for the com domain.

You can provide domains, hostnames, and even IP address ranges to scan in order to identify open ports ranging across all 65,535 TCP ports. An additional benefit is that this port scanning is completely passive – no need to directly communicate with target networks since Google has already performed the scanning for you.

Don’t be the last to know if LulzSec or Anonymous post data dumps of your company’s passwords on PasteBin.com, or if a reckless employee shares an Excel spreadsheet with all of your customer data on a public website.

NotInMyBackYard leverages both Google and Bing, and comes with pre-built queries that make it easy for users to find sensitive data leaks related to their organizations that exist on 3rd party sites, such as PasteBin, YouTube, and Twitter. Uncover data leaks in documents on popular cloud storage sites like Dropbox, Microsoft SkyDrive, and Google Docs. A must have for organizations that have sensitive data leaks on domains they don’t control or operate.

SHODAN Diggity provides an easy-to-use scanning interface to the popular SHODAN hacking search engine, and comes equipped with convenient list of search queries ready in a pre-made dictionary file.

SHODAN is a search engine that lets you find specific types of computers (routers, servers, etc.) using a variety of filters. Some have also described it as a search engine of service banners. Shodan collects data mostly on web servers at the moment (port 80), but there is also some data from FTP (23), SSH (22) and Telnet (21) services.

Web search engines, such as Google and Bing, are great for finding websites. But what if you’re interested in finding computers running a certain piece of software (such as Apache)? Or you want to see how many anonymous FTP servers there are? Maybe a new vulnerability came out and you want to see how many hosts it could infect? Traditional web search engines don’t let you answer those questions.

According to the Verizon 2012 DBIR, malware was used to compromise a staggering 95% of all records breached for 2011. BBMS allows users to proactively track down and block sites distributing malware executables on the web. The tool leverages Bing, which indexes executable files, to find malware based on executable file signatures (e.g. “Time Stamp Date:”, “Size of Code:”, and “Entry Point:”).

Bing indexes executable filetypes, allowing us to find malware via Bing. This similiar to the now retired Google method previously used by HD Moore for similar purposes in his tool MWSearch.

With the retirement of Google’s SOAP Search API on September 7, 2009, most of the security utilities available for Google Hacking cease to function, leaving the security industry with a need for new and innovative tools. GoogleDiggity is a new MS Windows command line utility designed to help fill that need. GoogleDiggity leverages the Google AJAX API, so it will not get you blocked by Google bot detection while scanning. Also, unlike other Google Hacking tools available, GoogleDiggity actually allows you to specify a Google Custom Search Engine (CSE) id to run Google Hacking vulnerability checks against a customized version of Google that will only return results tailored to your organization.

NOTE – The cmdline version of GoogleDiggity still utilizes the old Google AJAX API, which is being retired. We will soon migrate the tool to the new Google JSON/ATOM Custom Search API. The GUI version of GoogleDiggity found within the SearchDiggity application has already been migrated over to the new API.

BingDiggity is a new command line utility that leverages the new Bing 2.0 API and Stach & Liu’s newly developed Bing Hacking Database (BHDB) to find vulnerabilities and sensitive information disclosures related to your organization that are exposed via Microsoft’s Bing search engine. This utility also provides footprinting functionality that allows you to enumerate URLS, hosts, domains, IP-to-virtual host mappings, etc. for target companies.

First ever Baidu hacking tool, which targets vulnerabilities disclosed by China’s dominant search engine.

COMING SOON – BaiduDiggity v 0.1 will be available for download shortly.

In the past, MSN/Bing hacking utilities were limited purely to footprinting techniques, as Microsoft took steps to prevent traditional Google Hacking techniques via Bing back in 2007. The Bing Hacking Database (BHDB) was created by Stach & Liu so that the Bing search engine could actually be used to discover vulnerabilities within target applications and infrastructure. It provides over 1300 Bing searches that return vulnerability data.

New GoogleDiggity input dictionary file containing 121 queries that allow users to uncover SharePoint specific vulnerabilities exposed via the Google search engine. This dictionary helps assessors locate exposures of common SharePoint administrative pages, web services, and site galleries that an organization typically would not want to be made available to the public, let alone indexed by Google.

The dictionary text file can be used directly as input to the –f option of the GoogleDiggity.exe command line tool. Also, it can be imported for use within the SearchDiggity GUI tool from the menu: “File”->”Import Query Definition”.

Information Coming Soon

The good folks over at Exploit-DB.com were kind enough to pick up where Johnny Long left off and resurrect the GHDB. They now maintain an updated version of the GHDB in a project labeled Google Hacking Database Reborn.

In that same spirit, we at the Diggity project were kind enough to translate their efforts into GoogleDiggity compatible input text files. These dorks are included with the standard SearchDiggity dictionary set, and can also be downloaded below.

Previously, the Google Diggity hacking tools provided an extra bonus feature of allowing you to specify a Google Custom Search Engine (CSE) id to have search queries performed against a custom Google engine of your creation.

With the retirement of the Google AJAX API announced on November 1, 2010, we’ve since migrated our Google Diggity tools to the new Google JSON/ATOM Custom Search API. With this new API, utilizing Google Custom Search Engines is now a requirement, and not just a bonus add-on feature.

This document provides a quick overview of how you can create a Google CSE of your own that simulates getting the normal full results of Google (i.e. search results across the whole Internet). We accomplish this by creating a Google CSE that returns results for all top level domains (TLDs) – examples: .com, .org. .gov, .edu, …