Google hacking
Johnny Long says he has never met a Google employee. And yet he is at the center of a community of security experts and search engine enthusiasts that might be developing some of the most interesting uses of Google technology today. For the past 10 years, Long has made his living as a penetration tester, a "white hat" hacker who is asked to break into computer systems to test their security vulnerabilities.
His johnny.ihackstuff.com Web site is the starting point for anyone looking to turn Google into a hacker's tool. At its heart is a repository of sneaky queries called the Google Hacking Database, which got its start nearly six years ago, when Long posted a few of what he refers to as "funny, or interesting, or dangerous," Google queries on the Internet.
Initially, Long, who goes by the name Johnny Hax, did not expect the idea of using Google to break into computer networks to attract any kind of serious study.
"It was sort of a joke actually," he says. "The whole Google hacking thing was supposed to be tongue-in-cheek, because I knew that the real hackers would get their feathers all ruffled."
Instead of being bent out of shape, the hackers were intrigued, and Long's Google hacking community now boasts nearly 60,000 members.
At the recent Black Hat security conference in Las Vegas, Long's talk on Google hacking was a standing-room-only affair, and the Google Hacking Database now stands at about 1,500 queries.
"It evolved into this very visible thing," says Long, a researcher with Computer Sciences Corp. and author of Google Hacking for Penetration Testers. "The sheer weight and breadth of the stuff that we dug up just made people go, 'Wow.'"
Long, who talks about his Google hacks with a comic's timing and a laid-back style, says that he has always been a hacker at heart. He claims to have legitimately broken into hundreds of computer networks in his capacity as a professional security researcher, a job he came to only after abandoning his "wear a stupid suit and climb the corporate ladder phase."
The list of what Long and his fellow Google hackers have been able to dig up is impressive: passwords, credit card numbers and unsecured Web interfaces to things like PBXs, routers and Web sites.
Hackers also use Google for reconnaissance. One of the most basic techniques is to wait for a major security bulletin and then use Google to search for Web sites that are "powered by" the buggy software. Attackers can also map out computer networks using Google's database, making it impossible for the networks' administrators to block the snooper.
Often, this kind of information comes in the form of apparently nonsensical information, something that Long calls "Google turds." For example, because there is no such thing as a Web site with the URL "nasa," a Google search for the query "site:nasa" should turn up zero results. Instead, it turns up what appears to be a list of servers, offering an insight into the structure of NASA's internal network, he says.
But some of the most interesting hacks occur when Google's servers are tricked into doing work for the hackers, Long says. A recent trend has been to create Web pages with thousands of fake links that trick Google into doing hacker reconnaissance work. The technique works on Web sites that require URLs with embedded user names and passwords for access to some areas.