cDc automates Google Hacking
Kewl for cats
Infamous hacking group the Cult of the Dead Cow (cDc) has published a tool that searches for vulnerabilities and private data using carefully-selected Google search queries.
The process of so-called Google hacking is already well known, largely due to the efforts of Johnny "I Hack Stuff" Long, whose presentation on the subject have become a fixture of conferences such as Black Hat. cDc's Goolag Scan allows unskilled hackers or the simply curious to use the same techniques.
cDc is most famous for creating Back Orifice remote administration/back door package for Windows ten years ago. It describes Goolag Scanner as a web auditing tool, allowing users to check their own website for vulnerabilities. Searches can be restricted to an individual domain or extended to an entire top-level domain as desired.
There's nothing in the Windows-based application to stop hackers using the tool, a feature it shares with other utilities and one which makes making value judgements of dual use hacking/auditing tools a tricky business.
Goolag Scan provides 1,500 pre-configured Google search queries in categories such as "vulnerable servers", "sensitive online shopping information" and "files containing juicy information", Heise Security reports. The tool presents its findings in the form of of list of URLs that can be opened directly in a browser.
Links to downloads and the cDc's description of the utility can be found here. ®
Foundstone did this years ago and better with SIteDigger.
I prefer a more generous approach; allow users in, but add a warning for their eyes only that their browser is broken and don't allow them to submit bug reports relating to the markup. I don't code for IE any more but I agree that shutting out IE users entirely is a little excessive.
> 25,000 Goolag Scanner downloads to date.
http://www.goolag.org/ | http://www.cultdeadcow.com/