
Translation Proxies

It's possible to use Google as a transparent proxy server via the translation service.

When you click a "Translate this page" link, you are taken to a translated copy of that page hosted on Google's servers. This serves as a sort of proxy server, fetching the page on your behalf. If the page you want to view requires no translation, you can still use the translation service as a proxy server by modifying the hl variable in the URL to match the native language of the page. Bear in mind that images are not proxied in this manner.

Proxy Server Language Hijinks

As we will see in later chapters, proxy servers can be used to help hide your location and identity while you're surfing the Web. Depending on the geographical location of a proxy server, the language settings of the main Google page may change to match the language of the country where the proxy server is located. If your language settings change inexplicably, be sure to check your proxy server settings. Even experienced proxy users can lose track of when a proxy is enabled and when it's not. As we will see later, language settings can be modified directly via the URL.

Solutions Fast Track

Intitle
- Finds strings in the title of a page
- Mixes well with other operators
- Best used with Web, Group, Images, and News searches

Allintitle
- Finds all terms in the title of a page
- Does not mix well with other operators or search terms
- Best used with Web, Group, Images, and News searches

Inurl
- Finds strings in the URL of a page
- Mixes well with other operators
- Best used with Web and Image searches

Allinurl
- Finds all terms in the URL of a page
- Does not mix well with other operators or search terms
- Best used with Web, Group, and Image searches

Filetype
- Finds specific types of files based on file extension
- Synonymous with ext
- Requires an additional search term
- Mixes well with other operators
- Best used with Web and Group searches

Allintext
- Finds all provided terms in the text of a page
- Pure evil: don't use it
- Forget you ever heard about allintext

Site
- Restricts a search to a particular site or domain
- Mixes well with other operators
- Can be used alone
- Best used with Web, Groups and Image searches

Link
- Searches for links to a site or URL
- Does not mix with other operators or search terms
- Best used with Web searches

Inanchor
- Finds text in the descriptive text of links
- Mixes well with other operators and search terms
- Best used for Web, Image, and News searches

Daterange
- Locates pages indexed within a specific date range
- Requires a search term
- Mixes well with other operators and search terms
- Best used with Web searches
- Might be phased out to make way for as_qdr.

Numrange
- Finds a number in a particular range
- Mixes well with other operators and search terms
- Best used with Web searches
- Synonymous with ext.

Cache
- Displays Google's cached copy of a page
- Does not mix with other operators or search terms
- Best used with Web searches

Info
- Displays summary information about a page
- Does not mix with other operators or search terms
- Best used with Web searches

Related
- Shows sites that are related to provided site or URL
- Does not mix with other operators or search terms
- Best used with Web searches

Phonebook, Rphonebook, Bphonebook
- Shows residential or business phone listings
- Does not mix with other operators or search terms
- Best used as a Web query

Author
- Searches for the author of a Group post
- Mixes well with other operators and search terms
- Best used as a Group search

Group
- Searches Group names, selects individual Groups
- Mixes well with other operators
- Best used as a Group search

Insubject
- Locates a string in the subject of a Group post
- Mixes well with other operators and search terms
- Best used as a Group search

Msgid
- Locates a Group message by message ID
- Does not mix with other operators or search terms
- Best used as a Group search
- Flaky. Use the advanced search form at instead

Stocks
- Shows the Yahoo Finance stock listing for a ticker symbol
- Does not mix with other operators or search terms
- Best provided as a Web query

Define
- Shows various definitions of a provided word or phrase
- Does not mix with other operators or search terms
- Best provided as a Web query

Google Hacker's Tip

It's a good idea to use a proxy server if you value your anonymity online. Penetration testers use proxy servers to emulate what a real attacker would do during an actual break-in attempt. Locating working, high-quality proxy servers can be an arduous task, unless of course we use a little Google hacking to do the grunt work for us! To locate proxy servers using Google, try these queries:

    inurl:"nph-proxy.cgi" "Start browsing"

or

    "cacheserverreport for" "This analysis was produced by calamaris"

These queries locate online public proxy servers that can be used for testing purposes. Nothing like Googling for proxy servers! Remember, though, that there are lots of places to obtain proxy servers, such as the atomintersoft site or the proxy site. Try Googling for those!

Netcat

Netcat has been described as the Swiss Army Knife of TCP/Internet Protocol (IP). It is a tool that is used for good and evil; from catching the reverse shell from an exploit (evil) to helping network administrators dissect a protocol (good). In this case we will use it to send a request to Google's Web servers and show the resulting HTML on the screen. You can get Netcat for UNIX as well as Microsoft Windows by Googling netcat download.

How to Spot a Transparent Proxy

In some cases it is useful to know if you are sitting behind a transparent proxy. There is a quick way of finding out. Telnet to port 80 on a couple of random IP addresses that are outside of your network. If you get a connection every time, you are behind a transparent proxy. (Note: try not to use private IP address ranges when conducting this test.) Another way is looking up the address of a Web site, then Telnetting to the IP number, issuing a GET / HTTP/1.0 (without the Host: header), and looking at the response.
Some proxies use the Host: header to determine where you want to connect, and without it should give you an error.

    $ host
    has address
    $ telnet 80
    Trying
    Connected to linode.
    Escape character is '^]'.
    GET / HTTP/1.0

    HTTP/1.0 400 Bad Request
    Server: squid/2.6.STABLE12

Not only do we know we are being transparently proxied, but we can also see the type and server of the proxy that's used. Note that the second method does not work with all proxies, especially the bigger proxies in use at many ISPs.

Searching for Usernames

Query | Description
inurl:admin inurl:userlist | Generic userlist files
inurl:admin filetype:asp inurl:userlist | Generic userlist files
inurl:php inurl:hlstats intext: Server Username | Half-life statistics file, lists username and other information
filetype:ctl inurl:haccess.ctl | Basic Microsoft FrontPage equivalent(?) of htaccess shows Web user credentials
filetype:reg reg intext: internet account manager | Microsoft Internet Account Manager can reveal usernames and more
filetype:wab wab | Microsoft Outlook Express Mail address books
filetype:mdb inurl:profiles | Microsoft Access databases containing (user) profiles.
index.of perform.ini | mIRC IRC ini file can list IRC usernames and other information
inurl:root.asp?acs=anon | Outlook Mail Web Access directory can be used to discover usernames
filetype:conf inurl:proftpd.conf sample | PROFTP FTP server configuration file reveals username and server information
filetype:log username putty | PUTTY SSH client logs can reveal usernames and server information
filetype:rdp rdp | Remote Desktop Connection files reveal user credentials
intitle:index.of .bash_history | UNIX bash shell history reveals commands typed at a bash command prompt; usernames are often typed as argument strings
intitle:index.of .sh_history | UNIX shell history reveals commands typed at a shell command prompt; usernames are often typed as argument strings
index of lck | Various lock files list the user currently using a file
filetype:reg reg HKEY_CURRENT_USER username | Windows Registry exports can reveal usernames and other information
+intext:webalizer +intext:Total Usernames +intext: Usage Statistics for | Webalizer Web statistics page lists Web usernames and statistical information
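The Host-less GET check from "How to Spot a Transparent Proxy" above, as an added Python example that is not part of the original text: it parses the reply to such a request and lists what points to a proxy. The sample responses are constructed (the first mirrors the Squid reply shown in the session), and the function names and the header list beyond the Squid banner are assumptions.

```python
import socket

# Constructed sample: the Host-less reply shown in the session above.
SAMPLE_PROXIED = b"HTTP/1.0 400 Bad Request\r\nServer: squid/2.6.STABLE12\r\n\r\n<html></html>"
# Constructed sample: an origin server answering directly.
SAMPLE_DIRECT = b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 2\r\n\r\nok"

# Assumed indicator lists; only the Squid banner comes from the page.
PROXY_BANNERS = ("squid",)
PROXY_HEADERS = ("via", "x-cache", "x-cache-lookup", "x-squid-error")


def parse_head(raw: bytes):
    """Return (status_code, {lowercased header: value}) from a raw HTTP reply."""
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0].decode("latin-1")
    lines = head.split("\n")
    parts = lines[0].split(None, 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def proxy_indicators(raw: bytes):
    """List the reasons a reply to a Host-less GET looks like it came from a proxy."""
    status, headers = parse_head(raw)
    reasons = []
    server = headers.get("server", "")
    if any(banner in server.lower() for banner in PROXY_BANNERS):
        reasons.append("Server banner names a proxy: " + server)
    for name in PROXY_HEADERS:
        if name in headers:
            reasons.append(f"proxy header present: {name}: {headers[name]}")
    # A 4xx on its own is weak evidence (an origin may also reject the
    # request), so it is only reported next to a stronger indicator.
    if reasons and status is not None and 400 <= status < 500:
        reasons.append(f"request without Host: was rejected ({status})")
    return reasons


def hostless_get(ip: str, port: int = 80, timeout: float = 5.0, limit: int = 8192) -> bytes:
    """Send 'GET / HTTP/1.0' with no Host: header to ip and return the reply."""
    reply = bytearray()
    with socket.create_connection((ip, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\n\r\n")
        while len(reply) < limit:
            data = s.recv(4096)
            if not data:
                break
            reply += data
    return bytes(reply)


if __name__ == "__main__":
    for label, raw in (("proxied", SAMPLE_PROXIED), ("direct", SAMPLE_DIRECT)):
        print(label, proxy_indicators(raw))
```

To test a live path, pass the output of `hostless_get()` for an address outside your network to `proxy_indicators()`.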

Searching for Passwords

Query | Description
filetype:config config intext: appSettings User ID | .Net Web Application configuration may contain authentication information
filetype:netrc password | .netrc file may contain cleartext passwords
intitle: Index of passwords modified | Password directories
inurl:/db/main.mdb | ASP-Nuke database files often contain passwords
filetype:bak inurl: htaccess passwd shadow htusers | BAK files referring to passwords or usernames
filetype:log See `ipsec copyright | BARF log files reveal ipsec data
inurl: calendarscript/users.txt | CalendarScript passwords
inurl:ccbill filetype:log | CCBill log files may contain authentication data
inurl:cgi-bin inurl:calendar.cfg | CGI Calendar (Perl) configuration file reveals information including passwords for the program.
inurl:chap-secrets -cvs | chap-secrets file may list usernames and passwords
enable password secret current configuration -intext:the | Cisco secret 5 and password 7 passwords
intext: enable secret 5 $ | Cisco enable secrets
intext: enable password 7 | Cisco router config files
[WFClient] Password= filetype:ica | Citrix WinFrame-Client may contain login information
inurl:passlist.txt | Cleartext passwords. No decryption required!
filetype:cfm cfapplication name password | ColdFusion source code mentioning passwords
intitle:index.of config.php | Config.php files
inurl:config.php dbuname dbpass | config.php files
inurl:server.cfg rcon password | Counter strike rcon passwords
ext:inc pwd= UID= | Database connection strings
ext:asa ext:bak intext:uid intext:pwd - uid..pwd database server dsn | Database credentials in ASA and BAK files
filetype:ldb admin | Database lock files may contain credential info
filetype:properties inurl:db intext: password | file contains usernames, decrypted passwords
filetype:inc dbconn | files contain the username and password a website uses to connect to a database.
filetype:pass pass intext:userid | dbman password files
allinurl:auth_user_file.txt | DCForum's password file
powered by ducalendar | ducalendar database may reveal password data
Powered by Duclassified | Duclassified database may reveal password
powered by duclassmate | duclassmate database may reveal password data
Powered by Dudirectory | dudirectory database may reveal password data
powered by dudownload | dudownload database may reveal password data
Powered by DUpaypal | Dupaypal database may reveal password data.
intitle:dupics inurl:(add.asp default.asp view.asp voting.asp) -site:duwar | dupics database may reveal password data
eggdrop filetype:user user | Eggdrop config files
Powered By Elite Forum Version *.* | Elite forums database contains authentication information
intitle: Index of pwd.db | Encrypted pwd.db passwords
ext:ini eudora.ini | Eudora INI file may contain usernames and encrypted passwords
inurl:filezilla.xml -cvs | filezilla.xml contains passwords data
filetype:ini inurl:flashFXP.ini | FlashFXP configuration file may contain FTP passwords
filetype:dat inurl:Sites.dat | FlashFXP FTP passwords
inurl: Sites.dat + PASS= | FlashFXP Sites.dat server configuration file
ext:pwd inurl:(service authors administrators users) # -FrontPage | Frontpage sensitive authentication-related files
filetype:url +inurl: ftp:// +inurl: @ | FTP bookmarks, some of which contain plaintext login names and passwords
intitle:index.of passwd passwd.bak | Generic PASSWD files
inurl:zebra.conf intext:password -sample -test -tutorial -download | GNU Zebra enable passwords (plain text or encrypted)
intext: powered by EZGuestbook | HTMLJunction EZGuestbook database reveals authentication data
intitle: Index of .htpasswd htpasswd.bak | htpasswd password files
intitle: Index of .htpasswd htgroup -intitle: dist -apache -htpasswd.c | htpasswd password files
filetype:htpasswd htpasswd | htpasswd password files
http://*:*@www bob:bob | HTTP web authentication information
liveice configuration file ext:cfg | Icecast liveice.cfg file which may contain passwords
sets mode: +k | IRC channel keys
signin filetype:url | Javascript user validation mechanisms may contain cleartext usernames and passwords
LeapFTP intitle: index.of./ sites.ini modified | LeapFTP client configuration file may reveal authentication information
inurl:lilo.conf filetype:conf password -tatercounter2000 -bootpwd -man | LILO boot passwords
Powered by Link Department | Link management script contains encrypted admin passwords and session data
your password is filetype:log | log files containing the phrase (Your password is).
admin account info filetype:log | logs containing admin server account information
intitle:index.of master.passwd | master.passwd files
allinurl: admin mdb | Microsoft Access admin databases
filetype:mdb inurl:users.mdb | Microsoft Access user databases
filetype:xls username password email | Microsoft Excel spreadsheets containing the words username, password and email
intitle:index.of administrators.pwd | Microsoft Front Page administrative usernames and passwords.
filetype:pwd service | Microsoft Frontpage service info
inurl:perform.ini filetype:ini | mIRC IRC passwords
inurl:perform filetype:ini | mIRC potential connection data
filetype:cfg mrtg target[*] -sample -cvs -example | Mrtg.cfg SNMP configuration file may reveal public and private community strings
intitle: index of | MySQL database connection information
intitle: Index of .mysql_history | mysql history files
intitle: index of | MySQL user/password information
Your password is * Remember this for later use | NickServ registration passwords
filetype:conf oekakibbs | Oekakibss configuration files may reveal passwords
filetype:conf slapd.conf | OpenLDAP slapd.conf file contains configuration data including the root password
inurl: slapd.conf intext: credentials -manpage - Manual Page -man: -sample | OpenLDAP slapd.conf file contains configuration data including the root password
filetype:dat wand.dat | Opera web browser magic wand stored credentials
inurl:pap-secrets -cvs | pap-secrets file may list usernames and passwords
filetype:dat inurl:pass.dat | Pass.dat files may reveal passwords
index.of passlist | Passlist password files
filetype:dat password.dat | Password.dat files can contain plaintext usernames and passwords
filetype:log inurl: password.log | Password.log files can contain cleartext usernames and passwords
filetype:pem intext:private | PEM private key files
intitle:index.of people.lst | people.lst files
intitle:index.of intext: secring.skr secring.pgp secring.bak | PGP secret keyrings
inurl:secring ext:skr ext:pgp ext:bak | PGP secret keyrings
filetype:inc mysql_connect OR mysql_pconnect | PHP .inc files contain authentication information
filetype:inc intext:mysql_connect | PHP .inc files contain usernames, passwords
ext:php intext: $dbms $dbhost $dbuser $dbpasswd $table_prefix phpbb_installed | php ection information
intitle: phpinfo() + mysql.default_password + Zend Scripting Language Engine | phpinfo files may contain default mysql passwords
inurl:nuke filetype:sql | PHP-Nuke or Postnuke database dumps may contain authentication data
parent directory +proftpdpasswd | ProFTPd User names and password hashes from web server backups
filetype:conf inurl:psybnc.conf USER.PASS= | psyBNC configuration files may contain authentication info
intitle:rapidshare intext:login | Rapidshare login passwords.
inurl: editor/list.asp inurl: database_editor.asp inurl: login.asa are set | Results Database Editor usernames/passwords
ext:yml database inurl:config | Ruby on Rails database link file
ext:ini Version= password | servU FTP Daemon ini file may contain usernames and passwords
filetype:ini ServUDaemon | servU FTP Daemon INI files may contain setting, session and authentication data
filetype:ini inurl: serv-u.ini | Serv-U INI file may contain username and password data
intitle: Index of sc_serv.conf sc_serv content | Shoutcast sc_serv.conf files often contain cleartext passwords
intitle: Index of spwd.db passwd -pam.conf | spwd.db password files
filetype:sql insert into (pass passwd password) | SQL dumps containing cleartext or encrypted passwords
filetype:sql ( passwd values password values pass values ) | SQL file password references
filetype:sql ( values * MD5 values * password values * encrypt ) | SQL files may contain encrypted passwords
filetype:sql + IDENTIFIED BY -cvs | SQL files mentioning authentication info
filetype:sql password | SQL files mentioning authentication info
filetype:reg reg HKEY_CURRENT_USER SSHHOSTKEYS | SSH host keys stored in Windows Registry
inurl: GRC.DAT intext: password | Symantec Norton Anti-Virus Corporate Edition data file contains encrypted passwords
filetype:inf sysprep | Sysprep.inf files contain all information for a Windows information including administrative passwords, IP addresses and product IDs
server-dbs intitle:index of | teamspeak server admin files
filetype:ini wcx_ftp | Total commander FTP passwords
intitle:index.of trillian.ini | Trillian INI files contain passwords.
ext:txt inurl:unattend.txt | unattend.txt files contain all information for a Windows information including administrative passwords, IP addresses and product IDs
index.of.etc | Unix /etc directories
intitle: Index of..etc passwd | Unix /etc/passwd files
intitle:Index.of etc shadow | UNIX /etc/shadow password files
ext:passwd -intext:the -sample -example | Various passwords
filetype:bak createobject sa | VBScript database connection backups
inurl:ventrilo_srv.ini adminpassword | ventrilo passwords for many servers
filetype:reg reg +intext: WINVNC3 | vnc passwords
!Host=*.* intext:enc_UserPassword=* ext:pcf | VPN profiles often contain authentication data
inurl:vtund.conf intext:pass -cvs | vtund configuration files can contain usernames and passwords
filetype:mdb wwforum | Web Wiz Forums database contains authentication information
intext: powered by Web Wiz Journal | Web Wiz Journal ASP Blog database contains administrative information
AutoCreate=TRUE password=* | Website Access Analyzer passwords
filetype:pwl pwl | Windows Password List files
filetype:reg reg +intext: defaultusername +intext: defaultpassword | Windows registry keys which reveal passwords
filetype:ini ws_ftp pwd | WS_FTP.ini file contains weakly encrypted passwords
index of/ ws_ftp.ini parent directory | WS_FTP.ini file contains weakly encrypted passwords
inurl: wvdial.conf intext: password | wvdial.conf may contain phone numbers, usernames and passwords
inurl:/wwwboard | WWWBoard passwd.txt authentication configuration files
wwwboard WebAdmin inurl: passwd.txt wwwboard webadmin | WWWBoard password files
login: * password= * filetype:xls | xls files containing login names and passwords
inurl:/yabb/Members/Admin.dat | YaBB forums Administrator password
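A defender's check for the exposures these queries rely on, as an added Python example that is not from the original text: it walks a web root you control and flags files whose names, extensions or contents match rows of the tables above. The function names, the constructed sample tree and the PEM marker string are assumptions made for the example.

```python
import fnmatch
import os
import tempfile

# Names and extensions below are taken from the query tables on this page.
RISKY_NAMES = [".bash_history", ".sh_history", ".mysql_history", ".htpasswd",
               "htpasswd.bak", ".netrc", "passlist.txt", "master.passwd",
               "ws_ftp.ini", "filezilla.xml", "slapd.conf", "unattend.txt",
               "sysprep.inf", "secring.*"]
RISKY_EXTS = {".pwd", ".pwl", ".mdb", ".reg", ".rdp", ".bak", ".sql", ".pem", ".pcf"}
# Content markers: the last two appear in the tables; the PEM marker text is
# an assumption added here for the "filetype:pem intext:private" row.
MARKERS = [b"PRIVATE KEY-----", b"enable secret 5", b"mysql_connect"]


def audit_webroot(root, max_bytes=65536):
    """Return sorted (relative path, reason) pairs for files under root that
    match the page's queries and so should not sit in a served directory."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            lower = name.lower()
            hit = next((p for p in RISKY_NAMES if fnmatch.fnmatchcase(lower, p)), None)
            ext = os.path.splitext(lower)[1]
            if hit:
                findings.append((rel, "name matches " + hit))
            elif ext in RISKY_EXTS:
                findings.append((rel, "extension " + ext))
            else:
                try:
                    with open(path, "rb") as fh:
                        head = fh.read(max_bytes)
                except OSError:
                    continue  # unreadable file: skip rather than abort the audit
                marker = next((m for m in MARKERS if m in head), None)
                if marker:
                    findings.append((rel, "content contains " + marker.decode()))
    return sorted(findings)


def demo():
    """Audit a constructed sample tree (not real data) and return the findings."""
    sample = {
        "index.html": b"<h1>hello</h1>",
        ".htpasswd": b"constructed-user:constructed-hash",
        "backup/site.sql": b"-- constructed dump",
        "inc/dbconn.inc": b"<?php mysql_connect('h', 'u', 'p'); ?>",
        "old/Router.TXT": b"enable secret 5 $1$constructed",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in sample.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return audit_webroot(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```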

Searching for Usernames
- Usernames can be found in a variety of locations.
- In some cases, digging through documents or e-mail directories might be required.
- A simple query such as "your username is" can be very effective in locating usernames.

Searching for Passwords
- Passwords can also be found in a variety of locations.
- A query such as "Your password forgot" can locate pages that provide a forgotten password recovery mechanism.
- intext:(password passcode pass) intext:(username userid user) is another generic search for locating password information.

Searching for Credit Cards Numbers, Social Security Numbers, and More
- Documents containing credit card and Social Security number information do exist and are relatively prolific.
- Some irresponsible news outlets have revealed functional queries that locate this information.
- There are relatively few examples of personal financial data online, but there is a great deal of variety.
- In most cases, specific file extensions can be searched for.

Searching for Other Juicy Info
- From address books and chat log files to network vulnerability reports, there's no shortage of sensitive data online.