
Google hacking for penetration tester - part 51 docx


Document information: 10 pages, 918.09 KB

Content

Protecting Yourself from Google Hackers • Chapter 12

included with Athena will load a nice array of digital photo searches. Simply select a query from the list and click the Search button. For example, selecting 1st photo with a PENTAX cam and clicking Search will deliver the Google results for that search, as shown in Figure 12.15.

Figure 12.15 Basic Search Results

Athena also allows you to add modifiers to the query using the Refine Search box. Using the previous query, entering inurl:"buddylist.blt" into the Refine Search box and clicking the Search button provides a much cleaner search (see Figure 12.16).

Figure 12.16 Athena's Refine Query Feature in Action

The results show that the image does not exist on the http://johnny.ihackstuff.com website. At this point, Athena might seem rather pointless. It functions just like a Web browser, submitting queries to Google and displaying the results. However, Athena's most powerful functionality lies in its XML-based configuration files.

Using Athena's Config Files

Two of these files are included with Athena: Athena.xml and digicams.xml. These files contain custom queries and descriptions of those queries. The digicams file contains sample queries for finding images, and the Athena.xml file contains the queries found in the GHDB. To load the GHDB, simply select File | Open Config and select the Athena.XML file.

Figure 12.17 Athena Loaded with Athena.XML

Just as with the digicams image search, queries found in the GHDB can be modified and resubmitted through the Refine Search field.
Constructing Athena Config Files

Athena's XML-based config files can be modified or even completely overhauled based on your needs. There are two main sections to the XML file: a searchEngine section and the signature section. The searchEngine section describes how a particular search engine's queries are constructed. A typical searchEngine section is shown in the following code example:

    <searchEngine>
      <searchEngineName>Google (UK)</searchEngineName>
      <searchEnginePrefixUrl>http://www.google.co.uk/search?q=</searchEnginePrefixUrl>
      <searchEnginePostfixUrl>%26ie=UTF-8%26hl=en%26meta=</searchEnginePostfixUrl>
    </searchEngine>

This section is responsible for describing how the various search engines handle search requests. The searchEngineName field is simply a text field that names the search engine. This name will appear in Athena's drop-down box, allowing you to select from among different search engines. The searchEnginePrefixUrl field represents the first part of the search URL that is sent to the search engine. It is assumed that the query part of the search will be filled in after this prefix. The searchEnginePostfixUrl field describes the part of the URL that will come after the prefix and the query. This usually carries options such as the character encoding (ie=UTF-8) and interface language (hl=en); the %26 sequences are percent-encoded ampersands separating those parameters. Note that Athena uses the <searchEngine> section, and SiteDigger does not. This section could be reworked to search the U.S.-based Google engine with the following searchEngine section:

    <searchEngine>
      <searchEngineName>Google (US)</searchEngineName>
      <searchEnginePrefixUrl>http://www.google.com/search?q=</searchEnginePrefixUrl>
      <searchEnginePostfixUrl>%26ie=UTF-8%26hl=en%26meta=</searchEnginePostfixUrl>
    </searchEngine>

The signature section describes the individual searches that are to be performed.
A typical signature section is shown in the following code example:

    <signature>
      <signatureReferenceNumber>22</signatureReferenceNumber>
      <categoryref>T1</categoryref>
      <category>TECHNOLOGY PROFILE</category>
      <querytype>DON</querytype>
      <querystring>intitle:"Index of" secring.bak</querystring>
      <shortDescription>PGP Secret KeyRing Backup</shortDescription>
      <textualDescription>This query looked for a backup of the PGP secret key ring. With this keyring an attacker could decrypt messages encrypted by the user.</textualDescription>
      <cveNumber>1000</cveNumber>
      <cveLocation>http://johnny.ihackstuff.com</cveLocation>
    </signature>

The signatureReferenceNumber is a unique number assigned to each signature. The categoryref is a short identifier that places the signature in its category, which is spelled out in full by category. The querystring is the Google query that is to be performed. It is URL-encoded and inserted between the searchEnginePrefixUrl and the searchEnginePostfixUrl in the URL sent to Google. shortDescription and textualDescription are short and long descriptions of the search, respectively. The cveNumber and cveLocation refer to the Common Vulnerabilities and Exposures list at www.cve.mitre.org; in the sample above, however, they point back to the GHDB site rather than to a real CVE identifier.

The header of the XML file should contain these lines:

    <?xml version="1.0" encoding="utf-8"?>
    <searchEngineSignature>

and the file should be closed out with a </searchEngineSignature> line as well.

Using this format, it is fairly simple to create a file of custom queries. The file must conform to the UTF-8 character set and be strictly XML compliant. This means that HTML tags such as <A HREF> and <BR> must not only be matched with closing tags but that each HTML tag is case sensitive.
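The two sections above are small enough to drive from a few lines of code. The following Python is an added example, not Athena's or the GHDB's own code: it reads a config laid out exactly as shown, assembles the search URL the way the text describes (prefix, then the URL-encoded querystring, then postfix), and uses the parser's own strictness as the well-formedness check the next paragraph warns about. The sample config, the shortened description text and the two "grin" variants are constructed for the example; decoding the %26 in the postfix back to & before use is an assumption about how Athena treats that field.

```python
"""Added example (not Athena's code): load an Athena-style config, build the
search URL for each signature, and check that a config is strict XML."""
import xml.etree.ElementTree as ET
from urllib.parse import quote_plus, unquote

# Constructed sample in the layout the chapter shows; not a file shipped with Athena.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<searchEngineSignature>
  <searchEngine>
    <searchEngineName>Google (UK)</searchEngineName>
    <searchEnginePrefixUrl>http://www.google.co.uk/search?q=</searchEnginePrefixUrl>
    <searchEnginePostfixUrl>%26ie=UTF-8%26hl=en%26meta=</searchEnginePostfixUrl>
  </searchEngine>
  <signature>
    <signatureReferenceNumber>22</signatureReferenceNumber>
    <categoryref>T1</categoryref>
    <category>TECHNOLOGY PROFILE</category>
    <querytype>DON</querytype>
    <querystring>intitle:"Index of" secring.bak</querystring>
    <shortDescription>PGP Secret KeyRing Backup</shortDescription>
    <textualDescription>Backup of a PGP secret key ring.</textualDescription>
    <cveNumber>1000</cveNumber>
    <cveLocation>http://johnny.ihackstuff.com</cveLocation>
  </signature>
</searchEngineSignature>
"""


def validate_config(xml_text):
    """Return (True, "") if the text is well-formed XML, else (False, reason).

    expat is as strict as the MS XML scanner the book mentions: <BR>...</br>
    (case mismatch) or a bare <G> inside a description raises ParseError."""
    try:
        ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        return False, str(exc)
    return True, ""


def load_config(xml_text):
    """Parse the config into (engines, signatures): lists of dicts keyed by
    the child element names used in the chapter."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    engines = [{c.tag: (c.text or "").strip() for c in e}
               for e in root.findall("searchEngine")]
    signatures = [{c.tag: (c.text or "").strip() for c in s}
                  for s in root.findall("signature")]
    return engines, signatures


def build_search_url(engine, querystring):
    """prefix + URL-encoded query + postfix, as the text describes.

    The sample postfix stores '&' as '%26'; decoding it once here is an
    assumption about how Athena handles that field."""
    return (engine["searchEnginePrefixUrl"]
            + quote_plus(querystring)
            + unquote(engine["searchEnginePostfixUrl"]))


# Two variants of the same config: the unescaped "grin" breaks the parse,
# the entity-escaped one is accepted and decodes back to a literal <G>.
BAD_GRIN = SAMPLE_CONFIG.replace("Backup of a PGP secret key ring.",
                                 "Found the keys <G>")
GOOD_GRIN = SAMPLE_CONFIG.replace("Backup of a PGP secret key ring.",
                                  "Found the keys &lt;G&gt;")

if __name__ == "__main__":
    engines, signatures = load_config(SAMPLE_CONFIG)
    for sig in signatures:
        print(sig["signatureReferenceNumber"], sig["shortDescription"])
        print("  ", build_search_url(engines[0], sig["querystring"]))
    print("unescaped <G>:", validate_config(BAD_GRIN))
    print("escaped &lt;G&gt;:", validate_config(GOOD_GRIN))
```

Run validate_config over a hand-edited config before loading it into Athena; the parser's error message names the offending tag, which is quicker than hunting for a stray <G> or a mis-cased </br> by eye.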
Microsoft's XML scanner will complain about an opening <BR> tag followed by a closing <br> tag, since the case of the tags is different. The less-than and greater-than symbols (< and >) can also cause problems when used improperly. If your data contains the Internet shorthand for "grin," which is <G>, the MS XML scanner will complain; write such characters as the entities &lt; and &gt; (or wrap the text in a CDATA section) so the parser does not read them as markup.

Tools and Traps… Current Config Files

The maintainers of the GHDB make available current config files for use with Athena. This file can be downloaded from http://johnny.ihackstuff.com.

Wikto

Wikto is an amazing web scanning tool written by Roelof Temmingh while he was with SensePost (www.sensepost.com). Wikto does many different things, but since this book focuses on Google hacking, we'll take a look at the Google scanning portions of the tool. By default, Wikto launches a wizard interface as shown in Figure 12.18.

Figure 12.18 Wikto's Target Selection Panel

Wikto will first prompt for the target you wish to scan, as well as details about the target server. Clicking the Next button loads the Configuration panel as shown in Figure 12.19.

Figure 12.19 Wikto's Configuration Panel

This panel prompts for proxy information and asks for your Google API key. The API issue is tricky, as Google is no longer giving out SOAP API keys. If you already have a SOAP API key (lucky you), enter it into the field and continue to the next panel. Otherwise, consider using SensePost's Aura (www.sensepost.com/research/aura) tool to simulate Google SOAP API calls. Download and install Aura from the SensePost website, then click Start SensePost Aura to point Wikto at the Aura proxy. After entering an API key (or bypassing it with Aura), click through the rest of the wizard's confirmation screens. The main Wikto screen will be displayed. We will first concentrate on the Googler tab.
Clicking Start will launch a Google scan against the target site, searching for the specific file types listed in the File Types field. Figure 12.20 shows the result of a scan against http://johnny.ihackstuff.com.

Figure 12.20 Wikto's Googler function

Notice that the output fields list files and directories that were located on the target site. All of this information was gathered through Google queries, meaning the transactions are transparent to the target: only Google's servers see the requests, and this phase leaves nothing in the target's web server logs. Wikto will use this directory and file information in later scanning stages.

Next, we'll take a look at the GoogleHacks tab, shown in Figure 12.21. This scanning phase relies on the Google Hacking Database from http://johnny.ihackstuff.com. Clicking Load Google Hacks Database will load the most current version of the GHDB, providing Wikto with thousands of potentially malicious Google queries. Once the GHDB is loaded, pressing the Start button will begin the Google scan of the target site. What is happening here is that Wikto fires off one Google query per GHDB entry, each scoped with a site operator that points at the target website. The GHDB is shown in the upper panel, and any results are presented in the lower panel. Clicking on a result in the lower panel will show the detailed information about that query (from the GHDB) in the middle panel. In this case, many results are returned, since the target website (http://johnny.ihackstuff.com) mentions each of these queries in great detail. That is a useful reminder that a hit means the query string matched text on the site, not necessarily that the exposure the query hunts for is present; results still need to be confirmed by hand.

Figure 12.21 Wikto's GoogleHacks function

In addition to this automated scanning process, Wikto allows you to perform manual Google queries against the target through the use of the Manual Query button and the associated input field. Wikto is an amazing tool with loads of features.
Combined with GHDB compatibility, Wikto is definitely the best Google hacking tool currently available.

Google Rower

Google Rower is a Firefox extension (and also a stand-alone Windows program) that uses brute-force lookup techniques to expand a search. Google Rower is a great tool for working around the one-thousand-result limit Google places on any single query. It accomplishes this by adding "padding digits" to a base query. It then harvests the results, removes duplicates, and displays the results. For example, Google Rower can obtain more results for the query Jeffball55 by searching for Jeffball55 a, Jeffball55 b, Jeffball55 c, etc. Google Rower can be downloaded from http://www.tankedgenius.com. Installation is a simple, straightforward Firefox .xpi file installation. After installing Google Rower, open Firefox, select Tools->Google Rower and enter a query as shown in Figure 12.22.

Figure 12.22 GoogleRower Option Screen

Entering a query of ihackstuff with the default options will query for the base term ihackstuff followed by a series of characters, in this case the numbers one through nine. The results are sorted and displayed, as shown in Figure 12.23.

Figure 12.23 Google Rower Results

Alternatively you can right-click within Firefox and select Google Rower. In this case, Google Rower will launch with the query filled in based on the selected text. Google Rower has several options to select from, as shown in Table 12.1.

Table 12.1 Google Rower Options

    Google Rower Option      Description
    Duplicates/Separation    Google Rower provides several different options for separating the links by query
                             and removing duplicate links. The different options affect the speed and memory
                             the extension will use.
    Print Titles             By default Google Rower outputs the links of the results returned by Google.
                             Selecting this option also outputs the titles of the pages as reported by Google.
    No Headings in Output    By default Google Rower outputs some headings to show which links came from which
                             query. Selecting this option turns off those headings. This option is useful when
                             the results will be piped into another program.

Google Site Indexer

Google Site Indexer (GSI) was written by Jeffball55 (Jeff Stewart) and CP. GSI uses some of Google's advanced operators, specifically site and inurl, in order to create a file and directory map of a target web site. By sending Google queries such as site:tankedgenius.com, GSI can incrementally index all files Google has indexed. However, since Google only returns a maximum of a thousand results per query, GSI can mix the advanced operators (like site:tankedgenius.com inurl:cp) in order to get a better mix of unique results. GSI can be downloaded from www.tankedgenius.com. Installation is a simple affair: clicking on the .xpi file from within Firefox will initiate the installation process. To run Google Site Indexer, open Firefox and select Tools -> GSI. The GSI interface will be displayed as shown in Figure 12.24.
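The padding expansion Google Rower performs and the site:/inurl: mixing GSI performs are two faces of the same technique: split one capped query into many, then merge and de-duplicate what comes back. The following Python is an added example, not Google Rower's or GSI's own code (Wikto's GoogleHacks tab applies the same site: scoping to GHDB queries). To run offline it substitutes a constructed, hypothetical index for the domain target.example in place of Google; any function with the same query-to-URL-list signature can be dropped in instead. It also reproduces the headings / no-headings output choice from Table 12.1.

```python
"""Added example (not Google Rower's or GSI's code): pad a base query to get
past the per-query result cap, merge and de-duplicate the hits, and fold
site:-scoped results into a directory map."""
from collections import OrderedDict
from urllib.parse import urlsplit

# Constructed stand-in for Google. Overlaps between queries are deliberate so
# that de-duplication has work to do. target.example is a hypothetical host.
FAKE_INDEX = {
    "ihackstuff 1": ["http://target.example/", "http://target.example/ghdb.php"],
    "ihackstuff 2": ["http://target.example/ghdb.php", "http://target.example/forums/"],
    "ihackstuff 3": ["http://target.example/forums/",
                     "http://target.example/forums/viewtopic.php"],
    "site:target.example": ["http://target.example/", "http://target.example/ghdb.php",
                            "http://target.example/cp/"],
    "site:target.example inurl:cp": ["http://target.example/cp/",
                                     "http://target.example/cp/login.php",
                                     "http://target.example/cp/css/style.css"],
    "site:target.example inurl:admin": ["http://target.example/admin/",
                                        "http://target.example/admin/index.php"],
}


def fake_search(query):
    """Offline search backend: query -> list of result URLs."""
    return FAKE_INDEX.get(query, [])


def padded_queries(base, padding="123456789"):
    """Google Rower's expansion: 'base 1', 'base 2', ... Each variant is a
    separate query and therefore gets its own result cap."""
    return ["%s %s" % (base, p) for p in padding]


def harvest(queries, search):
    """Run every query, keep first-seen order, drop duplicate URLs.
    Returns an OrderedDict url -> the query that first surfaced it."""
    seen = OrderedDict()
    for q in queries:
        for url in search(q):
            seen.setdefault(url, q)
    return seen


def format_rower(results, headings=True):
    """Rower-style output: links grouped under a heading per query, or a
    flat list when 'No Headings in Output' is set (for piping onward)."""
    if not headings:
        return list(results)
    lines, current = [], None
    for url, q in results.items():
        if q != current:
            lines.append("[%s]" % q)
            current = q
        lines.append(url)
    return lines


def gsi_queries(domain, hints):
    """GSI's mix: site: alone tops out at the result cap, so add inurl:
    terms that pull distinct slices of the index."""
    return ["site:%s" % domain] + ["site:%s inurl:%s" % (domain, h) for h in hints]


def directory_map(urls):
    """Fold URLs into nested dicts: host -> directories ('name/') -> files."""
    tree = {}
    for url in urls:
        parts = urlsplit(url)
        node = tree.setdefault(parts.netloc, {})
        segments = [s for s in parts.path.split("/") if s]
        for seg in segments[:-1]:
            node = node.setdefault(seg + "/", {})
        if segments:
            leaf = segments[-1] + ("/" if parts.path.endswith("/") else "")
            node.setdefault(leaf, {})
    return tree


def render_tree(tree, indent=0):
    """Indented listing of directory_map output, one entry per line."""
    lines = []
    for name in sorted(tree):
        lines.append("  " * indent + name)
        lines.extend(render_tree(tree[name], indent + 1))
    return lines


if __name__ == "__main__":
    rower = harvest(padded_queries("ihackstuff", "123"), fake_search)
    print("\n".join(format_rower(rower)))
    site = harvest(gsi_queries("target.example", ["cp", "admin"]), fake_search)
    print("\n".join(render_tree(directory_map(site))))
```

Against a live engine the same loop is also what makes these tools noisy on Google's side rather than the target's: every padded or inurl: variant is a separate request, so rate limits and API quotas are hit on the search engine while the target's logs stay empty.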

Posted: 04/07/2014, 17:20
