Google Hacking vs Criminal IP
This article compares the search results of the Google Hacking filter “intitle”, which returns only sites whose title contains specific keywords, with those of the “title” filter provided by Criminal IP (CIP).
What is Google Hacking?
Google Hacking is a technique that uses Google Search and Google’s applications to find security vulnerabilities in the construction and computer code of a website. The information that can be collected with Google Hacking can be surprisingly diverse. We can narrow down the results using filters such as filetype, site, inurl, and intitle, combined with quotation marks.
Compared to Google, which collects data based on the web, Criminal IP (https://www.criminalip.io/) collects data based on IP and port information. However, if the collected information comes from a web port, results previously invisible in the Google search engine can be found using Criminal IP. In particular, Google’s intitle: filter returns results based on the content of a website’s <title> tag, which makes it function very similarly to Criminal IP’s title: filter. Let’s look at some of Google Hacking’s search tips and compare them to Criminal IP’s features.
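Because both filters key on the <title> tag, the same match can be run against responses collected from your own hosts to spot the exposures covered later in this article. The following is an added example, not code from Google or Criminal IP; the fingerprint strings are the titles used in this article's queries, and the hosts and HTML in SAMPLES are constructed.

```python
from html.parser import HTMLParser

# Title substrings taken from the queries in this article (compared in lowercase).
FINGERPRINTS = [
    ("index of", "directory listing"),
    ("remote desktop web connection", "RDP web connection"),
    ("remote services web connection", "RDP web connection"),
    ("test page for apache", "Apache default page"),
]

class TitleParser(HTMLParser):
    """Collects the text of the first <title> element only."""
    def __init__(self):
        super().__init__()
        self.in_title, self.done, self.parts = False, False, []

    def handle_starttag(self, tag, attrs):
        if tag == "title" and not self.done:
            self.in_title = True

    def handle_endtag(self, tag):
        if tag == "title" and self.in_title:
            self.in_title, self.done = False, True

    def handle_data(self, data):
        if self.in_title:
            self.parts.append(data)

def extract_title(html):
    parser = TitleParser()
    parser.feed(html)
    parser.close()  # flush buffered text if the response was truncated
    return " ".join("".join(parser.parts).split())  # collapse whitespace

def audit(responses):
    """Map host -> sorted exposure labels, for hosts whose title matches."""
    findings = {}
    for host, html in responses.items():
        title = extract_title(html).lower()
        labels = sorted({label for needle, label in FINGERPRINTS if needle in title})
        if labels:
            findings[host] = labels
    return findings

SAMPLES = {  # constructed responses; hosts are in the 192.0.2.0/24 documentation range
    "192.0.2.10": "<html><head><title>Index of /</title></head><body><h1>Index of /</h1>",
    "192.0.2.11": "<html><head><TITLE>\n Test Page for Apache Installation </TITLE></head></html>",
    "192.0.2.12": "<html><head><title>Remote Desktop Web Connection</title></head></html>",
    "192.0.2.13": "<html><head><title>Intranet</title></head><body>Index of /</body></html>",
}
```

The last sample is not flagged because the string appears only in the body, which mirrors how a title-scoped filter behaves.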
Searching for vulnerable directory listings using dead.letter
intitle:index.of “dead.letter”
Google search result for intitle:index.of “dead.letter”.
The dead.letter file is an error log generated when a specific error occurs in a Linux/Unix environment. ‘index.of’ is a string that appears when visiting a website with a directory listing vulnerability, so the search results yield server addresses with full server accessibility.
An index.of page showing a vulnerable server address with full server accessibility. This particular string is visible and can be used to identify websites with a directory listing vulnerability.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /</title>
</head>
<body>
<h1>Index of /</h1>
Criminal IP can yield the same results with the title: filter. Use the query shown below to access Criminal IP’s Asset Search results.
Criminal IP search result for “dead.letter” title:index of.
Criminal IP’s search results also show unique data that users cannot access on Google. In addition, Criminal IP identifies the crawled data by country, presence/absence of CVE vulnerabilities, and the type of web server involved (such as Apache).
Finding Remote Desktop Servers in Web format
intitle:"Remote Services Web Connection"
Google search result using intitle:"Remote Desktop Web Connection" inurl:tsweb.
Microsoft also provides web versions of RDP servers. In other words, this Google Hacking query can serve as an example of finding an externally exposed RDP server.
Users can run an identical query by using Criminal IP’s title: filter.
title:"Remote Services Web Connection"
Criminal IP Image Search results for title:"Remote Desktop Web Connection"
It should also be noted that Criminal IP’s Image Search provides RDP screenshots for user convenience.
Finding Apache Test Pages in its Default state
Google Search results for intitle:"Test Page for Apache"
The screenshot below shows the default welcome page that appears immediately after installing an Apache server. This is a famous example of a vulnerability that can be found using Google Hacking.
An exposed Apache default welcome page shown in Google Hacking search results for intitle:"Test Page for Apache"
Use the following query to yield the same search results using Criminal IP:
title:"Test Page for Apache installation"
It is evident that Criminal IP’s results tab shows far more data than what users can find using Google Hacking. This can be attributed to how IT systems are set up: systems installed in a default state often lack a domain to be attributed to. Thus, compared to Google, a system that crawls centrally around domains, Criminal IP’s method of IP-based collection can yield more comprehensive results, especially for default welcome pag