hacking

FIGURE 4.9

SocialMention displaying results and associated statistics.

Social Searcher (http://www.social-searcher.com/)

Social Searcher is yet another social media search engine. It uses Facebook, Twitter and

Google+ as its sources. The interface provided by this search engine is simple. Under

the search tab the search results are distributed into three tabs based on the source,

Introduction 65

under these tabs the posts are listed with a preview, which is very helpful in identifying the ones relevant for us. Similar to SocialMention we can setup e-mail alerts also.

Under the analytics tab we can get the sentiment analysis, users, keywords,

domains, and much more. One of the interesting of these is the popular tab which

lists the results with more interaction such as likes, retweets, etc.

TWITTER

Twitter is one of the most popular social networking sites with huge impact. Apart

from its usual functionality to microblog, it also allows to understand the reach and

user base of any entity which makes it a powerful tool for reconnaissance. Today it is

widely used for market promotion as well as analyze the social landscape.

Topsy (http://topsy.com/)

Topsy is a tool which allows us to search and monitor Twitter. Using it we can check

out the trend of any keyword over Twitter and analyze its reach. The interface is

pretty simple and looks like a conventional search engine, just the results are only

based on Twitter. The results presented by it can be narrowed down to various timeframes such as 1 day, 30 days, etc. We can also fiter out the results to only see the

images, tweets, links, videos, or inflencers. There is another fiter which allows us to

see only results containing results from specifi languages. All in all Topsy is a great

tool for market monitoring for specifi keywords.

FIGURE 4.10

Topsy search.

66 CHAPTER 4 Search the Web—Beyond Convention

Trendsmap (http://trendsmap.com/)

Trendsmap is a great visual platform which shows trending topics in the form of keywords, hashtags, and Twitter handles from the Twitter platform over the world map.

It is great platform which utilizes visual representation of the trends to understand

what’s hot in a specifi region of the world. Apart for showing this visual form of

information it also allows us to search through this information in the form of a topic

or a location which makes it easier for us to see only what we want.

Tweetbeep (http://tweetbeep.com/)

In its own words, Tweetbeep is like Google alerts for Twitter. It is a great service

which allows us to monitor topics of interest on Twitter such as a brand name, product, or updates related to companies and even links. From market monitoring purpose

it’s a great tool which can help us to quickly respond to topics of interest.

Twiangulate (http://twiangulate.com/search)

Twiangulate is a great tool which allows us to perform Twitter triangulations. Using

it we can fid who are the common people who are followers of and are followed

by two different twitter users. Similarly it also provides the feature to compare the

reach of two users. It is great tool to understand and compare the inflence of different Twitter users.

SOURCE CODE SEARCH

Most of the search engines we have used only look for the text visible on the web

page, but there are some search engines which index the source code present on the

internet. These kind of search engines can be very helpful when we are looking for

specifi technology used over the internet, such as a content management system

like WordPress. Utilities of such search engines are for search engine optimization,

competitive analysis, keyword research for marketing and are only limited by the

creativity of the user.

Due to the storage and scalability issues earlier there were no service providers in

this domain, but with technological advancements some options are opening up now,

let checkout some of these.

NerdyData (http://nerdydata.com)

NerdyData is one of the fist of its kind and unique search engine which allows us to

search the code of the web page. Using the platform is pretty simple, go to the URL

https://search.nerdydata.com/, enter the keyword like WordPress 3.7 and NerdyData

will list down the websites which contain that keyword in their source code. The

results not only provide the URL of the website but also shows the section of the

code with the keyword highlighted under the section Source Code Snippet. Apart

from this there are various features such as contact author, fetch backlink, and others

which can be very helpful but most of these are paid, yet the limited free usage of

NerdyData is very useful and is worth a try.

Introduction 67

FIGURE 4.11

NerdyData code search results.

Ohloh code (https://code.ohloh.net)

Ohloh code is another great search engine for source code searching, but it’s

a bit different in terms that it searches for open source code. What this means

is that its source of information is the code residing in open space, such as Git

repositories.

It provides great options to fiter out the results based on defiitions, languages

(programming), extensions, etc. through a bar on the left-hand side titled “Filter

Code Results.”

Searchcode (https://searchcode.com)

Similar to Ohloh, Searchcode also uses open source code repositories as its information source. The search fiters provided by Searchcode are very helpful, some of them

are repository, source, and language.

TECHNOLOGY INFORMATION

In this special section of search engines we will be working on some unique search

engines which will help us to gather information related to various different technologies and much more. In this segment we will be heavily dealing with IP addresses

and related terms, so it is advised to go through the section “Defiing the basic terms”

in the fist chapter.

68 CHAPTER 4 Search the Web—Beyond Convention

Whois (http://whois.net/)

Whois is basically a service which allows us to get information about the registrant

of an internet resource such as a domain name. Whois.net provides a platform using

which we can perform a Whois search for a domain or IP address. A whois record

usually consists of registrar info; date of registration and expiry; registrant info such

as name, e-mail address, etc.

Robtex (http://www.robtex.com)

Robtex is great tool to fid out information about internet resources such as IP

address, Domain name, Autonomous System (AS) number, etc. The interface is

pretty simple and straightforward. At the top left-hand corner is a search bar using

which we can lookup information. Searching for a domain gives us related information like IP address, route, AS number, location, etc. Similarly other information is

provided for IP addresses, route, etc.

W3dt (https://w3dt.net/)

W3dt is great online resource to fid out networking related information. There are

various section which we can explore using this single platform. The fist section is

domain name system (DNS) tools which allows us to perform various DNS-related

queries such as DNS lookup, reverse DNS lookup, DNS server figerprinting, etc.

Second section provides tools related to network/internet such as port scan, traceroute, MX record retriever, etc. The next section is web/HTTP which consists of tools

such as SSL certifiate info, URL encode/decode, HTTP header retrieval, etc., then

comes the database lookups section under which comes MAC address lookup, Whois

lookup, etc., in the end there are some general and ping-related tools. All in all it is

great set of tools which allows to perform a huge list of different useful functions

under single interface.

Shodan (http://www.shodanhq.com/)

So far we have used various types of search engines which help us to explore the web

in all different ways. What we haven’t encountered till now is an internet search engine

(remember the difference between web and internet explained in chapter 1) or simply

said a computer search engine. Shodan is a computer search engine which scans the

internet and grabs the service banner based on IP address and port. It allows us to search

this information using IP addresses, country fiters, and much more. Using it we can

fid out simple information such as websites using a specifi type of web server such as

Internet Information Services (IIS) or Apache and also information which can be quite

sensitive such as IP cameras without authentication or SCADA systems over internet.

Though the free version without registration provides very limited information,

which can be mitigated a bit using a registered account, yet it is suffiient enough to

understand the power of this unique search engine. We can utilize the power of this

tool through browser add-on or through its application programming interface also.

Shodan has a very active development history and comes up with new features all the

time, so we can expect much more from it in the future.

Introduction 69

FIGURE 4.12

Shodan results for port 21.

WayBack Machine (http://archive.org/web/web.php)

Internet Archive WayBack Machine is great resource to lookup how a website looked

in past. Simply type the website address into the search bar and it will return back

a timeline with the available snapshot highlighted on the calendar. Simply hovering

over these highlighted dates over calendar will present a link to the snapshot. This is

great tool to analyze how a website has evolved and thus monitor its past growth. It

can also be helpful to retrieve information from a website which was available in the

past but is not now.

REVERSE IMAGE SEARCH

We all are familiar with the phrase “A picture is worth a thousand words” and its veracity and are also aware of platforms like Google Images (http://images.google.com),

Flickr (https://www.flckr.com/), Deviantart (http://www.deviantart.com/), which

provides us images for keywords provided. Usually when we need to lookup some

information, we have a keyword or a set of them in the form of text, following the

same lead the search engines we have dealt with till now take text as an input and

get us the results, but in case we have an image and we want to see where it appears

on the web, where do we go? This is where reverse image search engines come in,

which take image as an input and looks up to fid its web appearance. Let’s get

familiar with some of these.

70 CHAPTER 4 Search the Web—Beyond Convention

Google Images (http://images.google.com/)

We all are aware that Google allows us to search the web for images, but what many

of us are unaware of is that it also allows to perform a reverse image search. We

simply need to go to the URL http://images.google.com and click on the camera icon

and provide the URL of the image on the web or upload a locally stored image fie,

we can also drag and drop an image fie into the search bar and voila Google comes

up with links to the pages containing that or similar images on the web.

FIGURE 4.13

Google reverse image search.

TinEye (https://www.tineye.com/)

TinEye is another reverse image search engine and has a huge database of images.

Similar to Google images, searching on TinEye is very simple, we can provide the

URL to the image, upload it, or perform a drag and drop. TinEye also provides

browser plugin for major browsers, which makes the task much easier. Though the

results of TinEye are not as comprehensive as Google images, yet it provides a great

platform for the task and must be tried.

ImageRaider (http://www.ImageRaider.com/)

Last but not the least in this list is ImageRaider. ImageRaider simply lists the

results domain wise. If a domain contains more than one occurrence of the

Introduction 71

image then it also tells that and the links to those images are listed under the

domain name.

Reverse image search can be very helpful to fid out more about someone when

we are hitting dead-ends using conventional methods. As many people use same

profie picture for various different platforms, making a reverse image search can

lead us to other platforms where the use has created a profie and also has previously

undiscovered information.

MISCELLANEOUS

We dealt with a huge list of search engines which are specialize in their domain and

are popular among a community. In this section we will be dealing with some different types of search platforms which are lesser known but serve unique purposes and

are very helpful in special cases.

DataMarket (http://datamarket.com/)

DataMarket is an open portal which consists of large data sets and provides the data

in a great manner through visualizations. The simple search feature provides results

for global topics with list of different visualizations related to the topic, for example,

searching for the keyword gold would provide results such as gold statistics, import/

export of gold, and much more. The results page consists of a bar on the left which

provides a list of fiters using which the listed results can be narrowed down. It also

allows us to upload our own data and create visualization from it. Refer to the link

http://datamarket.com/topic/list/ for a huge list of topics on which DataMarket provides information.

WolframAlpha (http://www.wolframalpha.com/)

In this chapter we learned about various search engines which take some value as

input and provide us with the links which might contain the answer to the questions

we are actually looking for, but what we are going to learn about now is not a search

engine but a computational knowledge engine. What this means is that it takes our

queries as input but does not provides with the URLs to the websites containing the

information, instead it tries to understand our natural language queries and based

upon an organized data set, provides a factual answer to them in form of text and

sometimes apposite visualization also.

Say, for example, we want to know the purpose of .mil domain, so we can simply type in the query “what is the purpose of the .mil internet domain?” and get

the results, to get the words starting with a and ending with e, a query like “words

starting with a and ending with e” would give us the results, we can even check the

net worth of Warren Buffett by a query like “Warren Buffett net worth.” For more

examples of the queries of various domains that WolframAlpha is able to answer,

checkout the page http://www.wolframalpha.com/examples/.

72 CHAPTER 4 Search the Web—Beyond Convention

FIGURE 4.14

WolframAlpha result.

Addictomatic (http://addictomatic.com)

Usually we visit various different platforms to search information related to a topic,

but addictomatic aggregate various news and media sources to create a single dashboard for any topic of our interest. The content aggregated is displayed in various

sections depending upon the source. It also allows us to move these sections depending upon our preference for better readability.

Carrot2 (http://search.carrot2.org/stable/search)

Carrot2 is a search results clustering engine, what this means is that it takes

search results from other search engines and organizes these results into topics

using its search results clustering algorithms. Its unique capability to cluster

the results into topics allows to get a better understanding of it and associated terms. These clusters are also represented in different interesting forms

such as folders, circles, and FoamTree. Carrot2 can be used through its web

interface which can be accessed using the URL http://search.carrot2.org/

and also through a software application which can be downloaded from

http://project.carrot2.org/download.html.

Introduction 73

FIGURE 4.15

Carrot2 search result cluster.

Boardreader (http://boardreader.com/)

Boards and forums are rich source of information as a lot of interaction and Q&A goes

on in places like this. Members of such platforms range from newbies to experts in the

domain to which the forum is related to. In places like this we can get answers to questions

which are diffiult to fid elsewhere as they purely comprise of user-generated content,

but how do we search them? Here is the answer Boardreader. It allows us to search

forums to get results which contains content with human interaction. It also displays a

trend graph of the search query keyword to show the amount of activity related to it. The

advance search features provided by it such as sort by relevance, occurrence between

specifi dates, domain-specifi search, etc. adds to its already incredible features.

Omgili (http://omgili.com/)

Similar to Boardreader, Omgili is also a forum and boards search engine. It displays

the results in the form of broad bars and these bars contain information such as date,

number of posts, author, etc. which can be helpful in estimating the relevance of the

result. One such information is Thread Info, which provides further information about

a thread such as forum name, number of authors, and replies to the thread, without

actually visiting the original thread forum page. It also allows us to fiter the results

based upon the timeline of their occurrence such as past month, week, day, etc.

74 CHAPTER 4 Search the Web—Beyond Convention

Truecaller (http://www.truecaller.com)

Almost everyone who uses or has ever used a smartphone is familiar with the concept

of mobile applications, better known as apps and many if not most of them have used

the famous app called Truecaller which helps to identify the person behind the phone

number, what many of us are unaware of is that it can also be used through a web

browser. Truecaller simply allows us to search using a phone number and provides

the user’s details using it’s crowdsourced database.

So we discussed a huge list of various search engines under various categories

which are not conventionally used but as we have already seen these are very useful

in different scenarios. We all are addicted to Google for all our searching needs and it

being one of the best in its domain has also served our purpose most of the time, but

sometimes we need different and specifi answers to our queries, then we need these

kind of search engines. This list tries to cover most of the aspects of daily searching

needs, yet surely there must be other platforms which need to be fid out and used

commonly to solve specifi problems.

In this chapter we learned about various unconventional search engines, their

features, and functionalities, but what about the conventional search engines like

Google, Bing, Yahoo, etc. that we use on daily basis. Oh! we already know how to

Other search engines worth trying:

• Meta search engine

• Search (http://www.search.com/)

•People search

• ZabaSearch (http://www.zabasearch.com/)

•Company search

• Hoovers (http://www.hoovers.com/)

• Kompass (http://kompass.com/)

•Semantic

• Sensebot (http://www.sensebot.net/)

• Social media search

• Whostalkin (http://www.whostalkin.com/)

•Twitter search

• Mentionmapp (http://mentionmapp.com/)

• SocialCollider (http://socialcollider.net/)

• GeoChirp (http://www.geochirp.com/)

• Twitterfall (http://beta.twitterfall.com/)

• Source code search

• Meanpath (https://meanpath.com)

•Technology search

• Netcraft (http://www.netcraft.com/)

• Serversniff (http://serversniff.net)

• Reverse image search

• NerdyData image search (https://search.nerdydata.com/images)

•Miscellaneous

• Freebase (http://www.freebase.com/)

Introduction 75

use them or do we? The search engines we use on daily basis have various advanced

features which many of the users are unaware of. These features allows users to fiter

out the results so that we can get more information and less noise. In the next chapter

we will be dealing with conventional search engines and will learn how to use them

effectively to perform better search and get specifi results.

Hacking Web Intelligence. http://dx.doi.org/10.1016/B978-0-12-801867-5.00005-7 77

Copyright © 2015 Elsevier Inc. All rights reserved.

CHAPTER

Advanced Web Searching 5

INFORMATION IN THIS CHAPTER

• Search Engines

• Conventional Search Engines

• Advanced Search Operators of various Search Engines

• Examples and Usage

INTRODUCTION

In the last chapter we dealt with some special platforms which allowed us to perform domain-specifi searches; now let’s go into the depths of conventional search

engines which we use on daily basis and check out how we can utilize them more

effiiently. In this chapter, basically, we will understand the working and advanced

search features of some of the well-known search engines and see what all functionalities and fiters they provide to serve us better.

So we already have a basic idea about what search engine is, how it crawls over

the web to collect information, which are further indexed to provide us with search

results. Let’s revise it once and understand it in more depth.

Web pages as we see them are not actually what they look like. Web pages basically contain HyperText Markup Language (HTML) code and most of the times

some JavaScript and other scripting languages. So HTML is basically a markup language and uses tags to structure the information, for example the tag <h1></h1>

is used to create a heading. When we receive this HTML code from the server, our

browsers interpret this code and display us the web page in its rendered form. To

check the client-side source code of a web page, simply press Ctrl+U in the browser

with a web page open.

Once the web crawler of a search engine reaches a web page, it goes through

its HTML code. Now most of the times these pages also contain links to other

pages, which are used by the crawlers to move further in their quest to collect

data. The content crawled by the web crawler is then stored and indexed by

search engine based on variety of factors. The pages are ranked based upon their

structure (as defied in HTML), the keywords used, interlinking of the pages,

media present on the page, and many other details. Once a page has been crawled

and indexed it is ready to be presented to the user of the search engine depending

upon the query.

78 CHAPTER 5 Advanced Web Searching

Once a page has been crawled, the job of the crawler does not fiish for that page.

The crawler is scheduled to perform the complete process again after a specifi time

as the content of the page might change. So this process keeps on going and as new

pages are linked they are also crawled and indexed.

Search engine is a huge industry in itself which helps us in our web exploration,

but there is another industry which depends directly on search engines and that is

search engine optimization (SEO). SEO is basically about increasing the rank of

a website/web page or in other words to bring it up to the starting result pages of a

search engine. The motivation behind this is that it will increase the visibility of that

page/site and hence will get more traffi which can be helpful from a commercial or

personal point of view.

Now we have a good understanding of the search engines and how they operate,

let’s move ahead and see how we can better use some of the conventional search

engines.

GOOGLE

Google is one of the most widely used search engines and is the starting point for

web exploration for most of us. Initially Google search was accessible through very

simple interface and provided limited information. Apart from the search box there

were some special search links, links about the company, and a subscription box

where we could enter our email to get updates. There were no ads, no different language options, no login, etc.

It’s not only the look and feel of the interface that has changed over the years but

also the functionalities. It has evolved from providing simple web links to the pages

containing relevant information to a whole bunch of related tools which not only

allow us to search different media types and categories but also narrow down these

results using various fiters. Today there are various categories of search results such

as images, news, maps, videos, and much more. These plethora of functionalities

provided by Google today has certainly made our lives much easier and made the act

of fiding information on the web a piece of cake. Still sometimes we face diffiulty

in fiding the exact information we are looking for and the main reason behind it is

not the lack of information but to the contrary the abundance of it.

Let’s move on to see how we perform Google search and how to improve it. So

whenever we need to search something in Google we simply think about some of the

keywords associated with it and type them into the search bar and hit Enter. Based

upon the indexing Google simply provides us with the associated resources. Now if

we want to get better results or fiter the existing results based upon various factors,

we need to use Google advanced search operators. Let’s have a look at these operators and their usage.

site:

It fetches results only for the site provided. It is very useful when to limit our

search to some specifi domain. It can be used with another keyword and Google

Google 79

will bring back related pages from the site specifid. For an information security

perspective it is very useful to fid out different sub domains related to a particular

domain.

Examples: site:gov, site:house.gov

FIGURE 5.1

Google “site” operator usage.

inurl:

This operator allows looking for keywords in the uniform resource locator (URL) of

the site. It is useful to fid out pages which follow a usual keyword for specifi pages,

such as contact us. Generally, as the URL contains some keywords associated with

the body contents, it will help us to fid out the equivalent page for the keyword we

are searching for.

Example: inurl:hack

allinurl:

Similar to “inurl” this operator allows looking for multiple keywords in the URL. So

we can search for multiple keywords in the URL of a page. This also enhances the

chances of getting quality content of what we are looking for.

Example: allinurl:hack security

intext:

This operator makes sure that the keyword specifid is present in the text of the page.

Sometimes just for the sake of SEO, we can fid some pages only contain keywords

to enhance the page rank but not the associated content. In that case we can use this

80 CHAPTER 5 Advanced Web Searching

query parameter to get the appropriate content from a page for the keyword we are

looking for.

Example: intext:hack

allintext:

Similar to the “intext” this operator allows to lookup for multiple keywords in the

text. As we discussed earlier the feature of searching for multiple keywords always

enhances the content quality in the result page.

Example: allintext:data marketing

intitle:

It allows us to restrict the results by the keywords present in the title of the pages

(title tag: <title>XYZ</title>). It can be helpful to identify pages which follow a convention for the title of the pages such as directory listing by the keywords “index of”

and most of the sites provide the keywords in the title for improving the page rank.

So this query parameter always helps to search for a particular keyword.

Example: intitle:blueocean

allintitle:

This is the multiple keyword counterpart of “intitle” operator.

Example: allintitle:blueocean market

fietype:

This operator is used to fid out fies of a specifi kind. It supports multiple fie types

such as pdf, swf, kml, doc, svg, txt, etc. This operator comes handy when we are only

looking for specifi type of fies on a specifi domain.

Example: fietype:pdf, site:xyz.com, fietype:doc

ext:

The operator ext simply stands for extension and it works similar to the fietype

operator.

Example: ext:pdf

defie:

This operator is used to fid out the meaning of the keyword supplied. Google returns

dictionary meaning and synonyms for the keyword.

Example: defie:data

AROUND

This operator is helpful when we are looking for the results which contain two

different keywords, but in close association. It allows us to restrict the number

Google 81

of words as the maximum distance between two different keywords in the search

results.

Example: A AROUND(6) Z

AND

A simple Boolean operator which makes sure keywords on both the side are present

in the search results.

Example: data AND market

OR

Another Boolean operator which provides search results that contain either of the

keyword present on both the sides of the operator.

Example: data OR intelligence

NOT

Yet another Boolean operator which excludes the search results that contain the keyword followed by it.

Example: lotus NOT flwer

“”

This operator is useful when we need to search for the results which contain the

provided keyword in the exact sequence. For example we can search pages which

contain quotes or some lyrics.

Example: “time is precious”

-

This operator excludes the search results which contain the keyword followed by it

(no space).

Example: lotus -flwer

*

This wildcard operator is used as a generic placeholder for the unknown term.

We can use this to get quotes which we partially remember or to check variants

of one.

Example: “* is precious”

..

This special operator is used to provide a number range. It is quite useful to enforce

a price range, time range (date), etc.

Example: japan volcano 1990..2000

82 CHAPTER 5 Advanced Web Searching

info:

The info operator provides information what Google has on a specifi domain. Links

to different types of information are present in the results, such as cache, similar

websites, etc.

Example: info:elsevier.com

related:

This operator is used to fid out other web pages similar to the provided domain. It

is very helpful when we are looking for websites which provide similar services to a

website or to fid the competitors of it.

Example: related:elsevier.com

cache:

This operator redirects to the latest cache of the page that Google has crawled. In case we

don’t get a result for a website which was accessible earlier, this is a good option to try.

Example: cache:elsevier.com

Advanced Google search can also be performed using the page

http://www.google.com/advanced_search, which allows us to perform restricted

search without using the operators mentioned above.

FIGURE 5.2

Google advanced search page.

Apart from the operators Google also provide some operations which allow us to

check information about current events and also perform some other useful things.

Some examples are:

Google 83

time

Simply entering this keyword displays the current time of the location we are residing in. We can also use name of region to get its current time.

Example: time france

weather

This keyword shows the current weather condition of our current location. Similar to

“time” keyword we can also use it to get the weather conditions of a different region.

Example: weather sweden

Calculator

Google also solves mathematical equations and also provides a calculator.

Example: 39*(9823-312)+44/3

Convertor

Google can be used to perform conversions for different types of units like measurement units, currency, time, etc.

Example: 6 feet in meters

This is not all, sometimes Google also shows relevant information related to

global events as and when they happen; for example, FIFA World Cup.

Apart from searching the web, in general, Google also allows us to search specifi categories such as images, news, videos, etc. All these categories, including web

have some common and some specifi search fiters of their own. These options can

simply be accessed by clicking on the “Search tools” tab just below the search bar.

We can fid options which allow us to restrict the results based upon the country,

time of publish for web; for images there are options like the color of image, its type,

usage rights, etc. and similarly other relevant fiters for different categories. These

options can be very helpful in fiding the required information of a category as they

are designed according to that specifi category. For example if we are looking for an

old photograph of something it is a good idea to see only the results which are black

and white.

The operators we discussed are certainly very useful for anyone who needs to fid out

some information on the web, but the InfoSec community has certainly taken it to next

level. These simple and innocent operators we just discussed are widely used in the cyber

security industry to fid and demonstrate how without even touching the target system,

critical and compromising information can be retrieved. This technique of using Google

search engine operators to fid such information is termed as “Google Hacking.”

When it comes to “Google Hacking” one name that jumps out in mind is Johnny

Long. Johnny was an early adopter and pioneer in the fild of creating such Google

queries which could provide sensitive information related to the target. These queries

are widely popular by the name Google Dorks.

Let’s understand how this technique works. We saw a number of operators which

can narrow down search results to a specifi domain, fietype, title value, etc. Now

84 CHAPTER 5 Advanced Web Searching

in Google Hacking our motive is to fid sensitive information related to the target;

for this people have come up with various different signatures for different fies and

pages which are known to contain such information. For example, let’s just say we

know the name of a sensitive directory which should not be directly accessible to

any user publicly, but remains public by default after the installation of the related

application. So now if we want to fid out the sites which have not changed the

accessibility for this directory, we can simply use the query “inurl:/sensitive_directory_name/” and we will get a bunch of websites which haven’t changed the setting.

Now if we want to further narrow it down for a specifi website, we can combine

the query with the operator “site,” as “site:targetdomain.com inurl://sensitive_directory_name/.” Similarly we can fid out sensitive fies that are existing on a website

by using the operators “site” and “fietype” in collaboration.

Let’s take another example of Google Hacking which can help us to discover high

severity vulnerability in a website. Many developers use flsh to make websites more

interactive and visually appealing. Small web format (SWF) is a flsh fie format used

to create such multimedia. Now there are many SWF players known to be vulnerable to

cross-site scripting (XSS), which could lead to an account compromise. Now if we want

to fid out if the target domain is vulnerable to such attack, then we can simply put in

the query “site:targetdomain.com fietype:swf SWFPlayer_signature_keyword” and test

the resulting pages using publicly available payloads to verify. There are huge number

of signatures to fid out various types of pages such as sensitive directories, web server

identifiation, fies containing username/password, admin login pages, and much more.

The Google Hacking Database created by Johnny Long can be found at

http://www.hackersforcharity.org/ghdb/ though it is not updated, yet it is a great place

to understand and learn how we can use Google to fid out sensitive information. A

regularly updated version can be found at http://www.exploit-db.com/google-dorks/.

FIGURE 5.3

Google hacking database- www.exploit-db.com/google-dorks/.

Bing 85

BING

Microsoft has been providing search engine solutions from a long time and they

have been known with different names. Bing is latest and most feature-rich search

engine in this series. Unlike its predecessors Bing provides a more clean and simple

interface. As Microsoft covers a major part of operating system market, the general

perspective of a user in terms of search engine is that Bing is just another sideproduct from a technology giant and hence most of them do not take it seriously. But

unfortunately it is wrong. Like all the search engines Bing also has some unique features that will force you to use Bing when you need those features. Defiitely those

features have a unique mark on how we search. We will discuss not only about the

special features but also the general operators which can allow us to understand the

search engine and its functionalities.

+

This operator works quite similar in all the search engines. This allows a user to

forcefully add single or multiple keywords in a search query. Bing will make sure the

keywords come after + operator must present in the result pages.

Example: power +search

-

This operator is also known as NOT operator. This is used to exclude something from

a set of things, such as excluding a cuisine.

Example: Italian food -pizza

Here Bing will display all the Italian foods available but not pizza. We can write

this in another form which can also fetch same result such as the below example

Example: Italian food NOT pizza

“”

This is also same in most of the search engines. This is used to search for exact phrase

used inside double quotation.

Example: “How to do Power Searching?”

|

This is also known as OR operator, mostly used for getting result from one of the two

keywords or one of the many keywords added with this operator.

Example: ios | android

ios OR android

86 CHAPTER 5 Advanced Web Searching

&

This operator is also known as AND operator. This is the by-default used search

operator. If we do nothing and add multiple keywords then Bing will do a AND

search in the backend and give us the result.

Example: power AND search

power & search

As this is the default search, it’s very important to keep in mind that until and

unless we use OR and NOT in capital, Bing won’t understand it as operators.

()

This can be called as group operator.

As parenthesis has the top priority order, we can add the lower preferred operators

such as OR in that and create a group query to execute the lower priority operators

fist.

Example: android phone AND (nexus OR xperia)

site:

This operator will help to search a particular keyword within a specifi website. This

operator works quite the same in most of the search engines.

Example: site:owasp.org clickjacking

fietype:

This allows a user to search for data in specifi type of fie. Bing supports all fie

types but few, mostly those are supported by Google are also supported by Bing.

Example: hack fietype:pdf

ip:

This unique operator provided by Bing allows us to search web pages based upon

IP address. Using it we can perform a reverse IP search, which means it allows us to

look for pages hosted on the specifid IP).

Example: ip:176.65.66.66

Grouping of Bing operators supported in following order.

()

“”

NOT/-

And/&

OR/|

Bing 87

feed:

Yet another unique operator provided by Bing is feed, which allows us to look for

web feed pages containing the provided keyword.

One other feature that Bing provides is to perform social search using the page

https://www.bing.com/explore/social. It allows us to connect our social network

accounts with Bing and perform search within them.

FIGURE 5.5

Bing social search.

FIGURE 5.4

Bing “ip” search.

88 CHAPTER 5 Advanced Web Searching

YAHOO

Yahoo is one of the oldest players in the search engine arena and has been quite popular. The search page for Yahoo also has a lot of content such as news, trending topics,

weather, fiancial information, and much more. Earlier Yahoo has utilized third party

services to power its search capabilities, later it shifted to become independent and

once again has joined forces with Bing for its searching services. Though there is

not too much that Yahoo offers in terms of advanced searching as compared to other

search engines, the ones provided are worth trying comparing to others. Let’s see

some of the operators that can be useful.

+

This operator is used to make sure the search results contain the keyword followed by it.

Example: +data

-

Opposite to the “+” operator, this operator is used to exclude any specifi keyword

from the search results.

Example: -info

OR

This operator allows us to get results for either of the keywords supplied.

Example: data OR info

site:

This operator allows restricting the result only to the site provided. We will only get

to see the links from the specifid website. There are two other operators which work

like this operator but do not provide results as accurate or in-depth as they are domain

and hostname. Their usage is similar to the “site” operator.

Example: site:elsevier.com

link:

It is another interesting operator which allows us to lookup web pages which link to

the specifi web page provided. While using this operator do keep in mind to provide

the URL with the protocol (http:// or https://).

Yahoo 89

Example: link:http://www.elsevier.com/

defie:

We can use this operator to fid out the dictionary meaning of a word.

Example: defie:data

intitle:

The “intitle” operator is used to get the results which contain the specifid keyword

in their title tag.

Example: intitle:data

So these are the operators which Yahoo supports. Apart from these we can access

the Yahoo advanced search page at http://search.yahoo.com/search/options?fr=

fp-top&p=, which allows us to achieve well-fitered search results. One other thing

that Yahoo offers is advanced news search which can be performed using the page

http://news.search.yahoo.com/advanced .

FIGURE 5.6

Yahoo “link” search.

90 CHAPTER 5 Advanced Web Searching

FIGURE 5.7

Yahoo advanced search page.

YANDEX:

Yandex is Russian search engine and is not too much popular outside the country,

but it’s one of the most powerful search engines available. Like Google, Bing, Yahoo

it has its own unique keywords and data indexed. Yandex is the most popular and

widely used search engine in Russia. It’s the fourth largest search engine in the world.

Apart from Russia, it is also used in countries like Ukraine, Kazakhstan, Turkey, and

Belarus. It is also most under rated search engine as its use is only limited to specifi

country but in security community we see it otherwise. Most of the people are either

happy with their conventional search engine or they think all the internet information

is available in the search engine they are using. But the fact is that search engines like

Yandex also have many unique features that can provide us with way effiient result

as compared to other search engines.

Here we will discuss how Yandex can be a game changer in searching data on

internet and how to use it effiiently.

As discussed earlier like other search engines, Yandex has its own operators such

as lang, parenthesis, Boolean, and all. Let’s get familiar with these operators and

their usage.

+

This operator works quite same for all the search engines. Here also for Yandex, +

operator is used to include a keyword in a search result page. The keyword added

after + operator is the primary keyword in the search query. The result fetched by the

search engine must contain that keyword.

Yandex 91

Example: osint +tools

Here the result page might not contain the OSINT keyword but must contain tools

keyword. So when we want to focus on a particular keyword or set of keywords in

Yandex, we must use + operator.

∼∼

This is used as NOT operator which is used to exclude a keyword from a search result

page. It can be used in excluding a particular thing from a set of the things. Let’s say

we want to buy mobile phone but not windows phone. Then we can craft a query

accordingly to avoid windows phone from search result by using ∼∼ operator.

Example: mobile phone ∼∼ windows

∼

Unlike ∼∼ operator ∼ is used to exclude a keyword not from search result page but

search result sentence. That means we might have both or all the keywords present

in the query in a page but the excluded keyword must not be in any sentence with the

other keywords mentioned. I understand it being little complicated so let me explain

simply. Let’s start with the above query

mobile phone ∼∼ windows

Here if a page contains both mobile phone as well as windows, Yandex will

exclude that page from search result.

Example: mobile phone ∼ windows

But for the example shown above, it will show all the pages that contains both

mobile phone as well as windows but not if these two keywords are in same sentence.

&&

The && operator is used to show pages that contains both the keywords in search

result.

Example: power && searching

It will provide the results of all the pages that contain both these keywords.

&

This operator is used to show only pages that contains both the keywords in a sen-

tence. It provides more refied result for both the keywords.

Example: power & searching

/number

It’s a special operator which can be used for different purposes according to the number used after slash. It’s used for defiing the closeness of the keywords. It is quite

similar to AROUND operator of Google and NEAR operator of Bing. The number

used with slash defies the word distance between two keywords.

92 CHAPTER 5 Advanced Web Searching

Example: power /4 searching

Yandex will make sure that the result page must contain these two keywords with

in four words from each other irrespective of keyword position. That means the order

in which we created the query with the keywords might change in result page.

What if we need to fi the order? Yes, Yandex has a solution for that also: adding

a +sign with the number.

Example: power /+4 searching

By adding the + operator before the number will force Yandex to respond with the

results with only pages where these two keywords are in same order and in within 4

word count.

What if we need the reverse of it, let’s say we need to get results of keyword

“searching” fist and after that “power” within 4 word count and not vice versa. In

that case negative number will come pretty handy where we can use - sign to reverse

what we just did without getting the vice versa result.

Example: power /-4 searching

This will only display pages which contain searching keyword and power after

that within 4 word count.

Let’s say we want to setup a radius or boundary for a keyword with respect to

another; in that case we have to specify that keyword in second position.

Example: power /(-3 +4) searching

Here we are setting up a radius for searching with respect to power. This means

that the page is displayed in results shown only if either “searching” will be found

within 3 words before or after “power” within 4 word count.

This can be helpful when we are searching for two people’s names. In that case

we cannot guess that which name will come fist and which name will come next

so it’s better to create a radius for those two names, and the query will serve our

purpose.

As we discussed a lot about word-based keyword search, now let’s put some light

on sentence-based keyword search. For sentence based keyword search we can use

Yandex && operator with this number operator.

Example: power && /4 searching

In this case we can get result pages containing these two keywords with in 4

sentence difference irrespective of the position of the keyword. That means either

“power” may come fist and “searching” after that or vice versa.

!

This operator does something special. And this is one of my favorite keyword. It

gives a user freedom to only search a specifi keyword without similar word search

or extended search and all. What exactly happens in general search is that if you

Yandex 93

search for a keyword, let’s say AND, you will get some results showing only AND

and then the results will extend to ANDroid or AMD and so on. If we want to get only

result for AND keyword; use this operator.

Example: !and

This will restrict the search engine to provide results only showing pages which

contains this particular keyword AND.

!!

It can be used to search the dictionary form of the keyword.

Example: !!and

()

When we want to create a complex query with different keywords and operators we

can use these brackets to group them. As we already used these brackets above, now

we will see some other example to understand the true power of this.

FIGURE 5.8

Yandex complex query.

Example: power && (+searching | !search)

Here the query will search for both sets of keywords fist power searching and

power search but not both in same result.

“”

Now it’s about a keyword let’s say we want to search a particular string or set of

keywords then what to do? Here this operator “” comes for rescue. It is quite similar

94 CHAPTER 5 Advanced Web Searching

as Google’s “”. This will allow a user to search for exact keywords or string which is

put inside the double quotes.

Example: “What is OSINT?”

It will search for exact string and if available will give us the result accordingly.

*

This operator can be refereed as wildcard operator. The use of this operator is quite

same in most of the search engines. This operator is used to fil the missing keyword

or suggest relevant keywords according to the other keywords used in the search

query.

Example: osint is * of technology

It will search for auto fil the space where * is used to complete the query with

relevant keywords. In this case that can be ocean or treasure or anything. We can also

use this operator with double quote to get more effiient and accurate result.

Example: “OSINT is * of technology”

|

This is also quite similar to OR operator of Google. It allows us to go for different

keywords where we want results for any of them. In-real time scenario we can search

for options using this operator. Let’s say I want to buy a laptop and I have different

options: in that case this operator will come to picture.

Example: dell | toshiba | macbook

Here we can get result for any of these three options but not all in one result.

<<

This is an unusual operator known as non-ranking “AND.” It is basically used to

add additional keywords to the list of keywords without impacting the ranking of

the website on result. We might not get to know what exactly it does by just going

through its defiitions. So in simple words it can be used to tag additional keywords

to the query list without impacting the page rankings.

Example: power searching << OSINT

It can be used to additionally search for OSINT along with the other two keywords without impacting the page ranking in the result page.

title:

This is quite equivalent to the “intitle.” It can be used to search the pages with the

keyword (s) specifid after title query parameter.

Example: title:osint

Yandex 95

This will provide pages that contain OSINT in the title of the web page. Similarly

we can use this title query parameter to search for more than one keyword.

Example: title:(power searching)

url:

This “url” search query parameter is also an add-on. It searches for the exact URL

provided by the user in Yandex database.

Example: url:http://attacker.in

Here Yandex will provide a result if and only if the URL has been crawled and

indexed in its database.

inurl:

It can be used to search for keywords present in a URL or in other words for URL

fragment search. This “inurl” query parameter works quite similar in all the search

engines.

Example: inurl:osint

It will search for all the URLs that contain osint keyword no matter what the position of the keyword is.

mime:fietype

This query parameter is quite similar to “fietype” query parameter of Google. This

helps a user to search for a particular fie type.

Example: osint mime:pdf

FIGURE 5.9

Yandex fie search.

96 CHAPTER 5 Advanced Web Searching

It will provide us all the PDF links that contains osint keyword. The fie types

supported by Yandex mime are

PDF, RTF, SWF, DOC, XLS, PPT, DOCX, PPTX, XLSX, ODT, ODS, ODP,

ODG

host:

It can be used to search all the available hosts. This can be used by the penetration

testers mostly.

Example: host:owasp.org

rhost:

It is quite similar to host but “rhost” searches for reverse hosts. This can also be used

by the penetration testers to get all the reverse host details.

It can be used in two ways. One is for subdomains by using the wildcard operator

* at the end or another without that.

Example: rhost:org.owasp.*

rhost:org.owasp.www

site:

This operator is like the best friend of a penetration tester or hacker. This is available in most of the search engines. It provides all the details of subdomains of the

provided URL.

For penetration testers or hackers fiding the right place to search for vulnerability is most important. As in most cases the main sites are much secured as

compared to the subdomains, if any operator helps to simplify the process by

providing details of the subdomains to any hacker or penetration tester then half

work is done. So the importance of this operator is defiitely felt in security

industry.

Example: site:http://www.owasp.org

It will provide all the available subdomains of the domain owasp.com as well as

all the pages.

date:

This query can be used to either limit the search data to a specifi date or to specifi

period by a little enhancement in the query.

Example: date:201408*

In this case, format of date used is YYYYMMDD, but in case of the DD we used

wildcard operator “*” so we will get results limited to August 2014.

Yandex 97

We can also limit the same to a particular date of the August 2014 by changing a

bit in the query.

date:20140808

It will only show results belong to that date.

We can also use “=” in place of “:” and it will still work the same. So the above

query can be changed to

date=201408*

date=20140808

As we discussed earlier we can also limit the search results to a particular time

period. Let’s say we want to search something from a particular date to till date. In

that case we can use

date=>20140808

It will provide results from 8th August 2014 to till date, but what if we want to

limit both the start date and the end date. In that case also Yandex provide us a provision of providing range.

date=20140808..20140810

Here we will get the results form date 8th August 2014 to 10th August 2014.

domain:

It can be used to specify the search results based of top level domains (TLDs). Mostly

this type of the domain search was done to get results from country-specifi domains.

Let’s say we wanted to get the list of CERT-empanelled security service providing

company names from different countries. In that case we can search for the countryspecifi domain extension let’s say we want to get these details for New Zealand then

its TLD is nz. So we can craft a query like

Example: “cert empanelled company” domain:nz

lang:

It can be used to search pages written in specifi languages.

Yandex supports some specifi languages such as

RU: Russian

UK: Ukrainian

BE: Belorussian

EN: English

FR: French

DE: German

KK: Kazakh

TT: Tatar

TR: Turkish

98 CHAPTER 5 Advanced Web Searching

Though we can always use Google translator to translate the page from any

languages to English or any other languages, it’s an added feature provided by

Yandex to fulfil minimum requirements of the regions where Yandex is used

popularly.

So to search a page we need to provide the short form of the languages.

Example: power searching lang:en

It will search for the pages in English that contains power searching.

cat:

It is also something unique provided by Yandex. Cat stands for category. Yandex categorizes different things based on region id or topic id. Using cat we can search for a

result based on region or topic assigned in Yandex database.

The details of Regional codes: http://search.yaca.yandex.ru/geo.c2n.

The details of Topic codes: http://search.yaca.yandex.ru/cat.c2n.

Though the pages contains data in Russian language, we can always use Google

translate to serve this purpose.

As we discussed in the beginning that Yandex is an underrated search engine

some of its cool features are defiitely going to put a mark on our life once we go

through this chapter. One of such feature is its advanced search GUI.

There are lazy people like me who want everything in GUI so that they just have

to customize everything by providing limited details and selecting some checkbox or

radio buttons. Yandex provides that in the below link

http://www.yandex.com/search/advanced?&lr=10558

Here we have to just select what we want and most importantly it covers most

of the operators we discussed above. So go to the page, select what you want, and

search effiiently using GUI.

Defiitely after going through all these operators we can easily feel the impact

of the advance search or we can also use the term power search for that. The

advance search facilitates a user with faster, effiient, and reliable data in the result.

It always reduces our manual efforts to get the desired data. And the content quality is also better in advance search as we limit the search to what we are actually

looking for. It can be either country-specifi domain search, a particular fie type,

or content from a specifi date. These things cannot be done easily with simple

keyword search.

We are in an age where information is everything. Then the reliability factor

comes in to picture and if we want bulk of reliable information from the net in very

less time span then we need to focus on the advance search. We can use any conventional search engine of our choice. Most of the search engines have quite similar

operators to serve the purpose but there are some special features present; so look

for those special features and use different search engines for different customized

advance search.

Yandex 99

So we learned about various search engines and their operators and how to utilize

these operators to search better and get precise results. For some operators we say

their individual operations and how they can help to narrow down the results and for

some we saw how they can be used with other operators to generate a great query

which directly gets us to what we want. Though there are some operators for different search engines which work more or less in the same fashion yet as the crawling

and indexing techniques of different platforms are different, it is worthwhile to check

which one of them provides better results depending upon our requirements. One

thing that we need to keep in mind is that the search providers keep on deprecating

the operators or features which are not used frequently enough and also some functionalities are not available in some regions.

We saw how easily we can get the results that we actually want with the use

of some small but effective techniques. The impact of these techniques is not just

limited to fiding out the links to websites, but if used creatively they can be implemented in various filds. Apart from fiding the information on the web, which certainly is useful for everyone, these techniques can be used to fid out details which

are profession specifi. For example a marketing professional can scale the size of

the website of competitor using the operator “site,” or a sales professional can fid

out emails for a company using the wildcard operator “*@randomcompany.com.”

We also saw how search engine dorks are used by cyber security professionals to fid

out sensitive and compromising information just by using some simple keywords and

operators. The takeaway here is not just to learn about the operators but also about

how we can use them creatively in our profession.

We have covered a lot about how to perform searching using different searching

platforms in this and some previous chapters. Till now we have mainly focused on

browser-based applications or we can say web applications. In the next chapter we

will be moving on and learn about various tools which need to be installed as applications and provide us various features for extracting data related to various filds,

using various methods.

Hacking Web Intelligence. http://dx.doi.org/10.1016/B978-0-12-801867-5.00006-9 101

Copyright © 2015 Elsevier Inc. All rights reserved.

CHAPTER

OSINT Tools and

Techniques 6

INFORMATION IN THIS CHAPTER

• OSINT Tools

• Geolocation

• Information Harvesting

• Shodan

• Search Diggity

• Recon-ng

• Yahoo Pipes

• Maltego

INTRODUCTION

In the previous chapters we learned about the basics of the internet and effective ways

to search it. We went to great depths of searching social media to unconventional

search engines and further learned about effective techniques to use regular search

engines. In this chapter we will move a step further and will discuss about some of

the automated tools and web-based services which are used frequently to perform

reconnaissance by professionals of various intelligence-related domains specially

information security. We will start from the installation part to understanding their

interface and will further learn about their functionality and usage. Some of these

tools provide a rich graphic interface (GUI) and some of them are command line

based (CLI), but don’t judge them by their interface but by their functionality and

relevance in our fild of work.

Before moving any further we must install the dependencies for these tools so that

we don’t have to face any issues during their installation and usage. The packages

we need are

• Java latest version

•Python 2.7

• Microsoft .NET Framework v4

We simply need to download the relevant package depending upon our system

confiuration and we are good to go.

102 CHAPTER 6 OSINT Tools and Techniques

CREEPY

Most of us are addicted to social networks, and image sharing is one of the most utilized

features of these platforms. But sometimes when we share these pictures it’s not just the

image that we are sharing but might also the exact location where that picture was taken.

Creepy is a Python application which can extract out this information and display

the geolocation on a map. Currently Creepy supports search for Twitter, Flickr, and

Instagram. It extracts the geolocation based on EXIF information stored in images,

geolocation information available through application programming interface (API),

and some other techniques.

It can be downloaded from http://ilektrojohn.github.io/creepy/. We simply need

to select the version according to our platform and install it. The next phase after

installation of Creepy is to confiure the plugins that are available in it, for which

we simply need to click on the Plug-in Confiuration button present under the edit

tab. Here we can select the plugins and using their individual confiuration wizard

confiure them accordingly. Once the confiuration is done we can check whether it

is working properly or not using the Test Plugin Confiuration button.

FIGURE 6.1

Confiure Creepy.

After the confiuration phase is done, we can start a new project by clicking on

the person icon on the top bar. Here we can name the project and search for people

on different portals. From the search results we can select the person of interest and

include him/her in the target list and fiish the wizard. After this our project will be

displayed under the project bar at the right-hand side.

Creepy 103

FIGURE 6.2

Search users.

Now we simply need to select our project and click on the target icon or right

click on the project and click Analyze Current Project. After this Creepy will start

the analysis, which will take some time. Once the analysis is complete, Creepy will

display the results on the map.

FIGURE 6.3

Creepy results.

Now we can see the results in which the map is populated with the markers

according the identifid geolocation. Now Creepy further allows us to narrow down

these results based on various fiters.

104 CHAPTER 6 OSINT Tools and Techniques

Clicking on the calendar button allows us to fiter the results based on a time

period. We can also fiter the results based upon area, which we can defie in the form

of radius in kilometers from a point of our choice. We can also see the results in the

form of a heat map instead of the markers. The negative sign (−) present at the end

can be used to remove all the fiters imposed on the results.

FIGURE 6.4

Applying fiter.

The results that we get from Creepy can also be downloaded in the form of CSV

fie and also as KML, which can be used to display the markers in another map.

Creepy can be used for the information-gathering phase during a pentest

(penetration test) and also as a proof-of-concept tool to demonstrate to users what

information they are revealing about themselves.

FIGURE 6.5

Download Creepy results.

TheHarvester 105

THEHARVESTER

TheHarvester is an open source intelligence tool (OSINT) for obtaining e-mail

addresses, employee name, open ports, subdomains, hosts banners, etc. from public

sources such as search engines like Google, Bing and other sites such as LinkedIn. It’s

a simple Python tool which is easy to use and contains different information-gathering

functions. Being a Python tool it’s quite understandable that to use this tool we must

have Python installed in our system. This tool is created by Christian Martorella and

one of the simple, popular, and widely used tools in terms of information gathering.

TheHarvester can be found here: http://www.edge-security.com/theharvester.php

Generally we need to input a domain name or company name to collect relevant

information such as email addresses, subdomains, or the other details mentioned in

the above paragraph. But we can use keywords also to collect related information.

We can specify our search, such as from which particular public source we want to

use for the information gathering. There are lots of public source that Harvester use for

information gathering but before moving to that let’s understand how to use Harvester.

EX: theharvester -d example.com -l 500 -b Google

-d = Generally, domain name or company name

-l = Number of result limits to work with

-b = Specifying the data source such as in the above command its Google, but

apart from that we can use LinkedIn and all (to use all the available public

sources) as a source also to collect information.

FIGURE 6.6

TheHarvester in action.

106 CHAPTER 6 OSINT Tools and Techniques

Apart from the above mentioned one harvester also has other options to specify,

such as:

-s = to start with a particular result number (the default value is 0)

-v = to get virtual hosts by verifying hostnames via DNS resolution

-f= for saving the data. (formats available either html or xml)

-n = to perform DNS resolve query for all the discovered ranges

-c = to perform DNS bruteforce for all domain names

-t= to perform a DNS TLD expansion discovery

-e = to use a specifi DNS server

-l = To limit the number of result to work with

-h = to use Shodan database to query discovered hosts.

FIGURE 6.7

TheHarvester HTML results.

The sources it uses are Google, Google profies, Bing, pretty good privacy

(PGP) servers, LinkedIn, Jigsaw, Shodan, Yandex, name servers, people123, and

Shodan 107

Exalead. Google, Yandex, Bing, and Exalead are search engines that are used in

backend as a source, while Shodan is also a search engine but not the conventional one and we already discussed a bit about it earlier and we will discuss in

detail about the same in this chapter later. PGP servers are like key servers used

for data security and those are also a good source to collect e-mail details. The

people123 is for searching for a particular person and Jigsaw is the cloud-based

solution for lead generation and other sales stuffs. From different sources harvester collects different information such as for e-mail harvesting it uses Google,

Bing, PGP servers, and sometimes Exalead and run their specifi queries in the

background to get the desired result. Similarly for subdomains or host names it

uses again Google, Bing, Yandex, Exalead, PGP servers, and Exalead. And fially

for the list for employee names it uses LinkedIn, Google profies, people123, and

Jigsaw as a main source.

This is how theHarvester harvests all the information and gives us the desired

result as per our query. So craft your query wisely to harvest all the required

information.

SHODAN

We have previously discussed about Shodan briefl in Chapter 4, but this unique

search engine deserves much more than a paragraph to discuss its usage and impact.

As discussed earlier Shodan is a computer search engine. The internet consists of

various different types of devices connected online and available publicly. Most of

these devices have a banner, which they send as a response to the application request

send by a client. Many if not most of these banners contains information which

can be called sensitive in nature, such as server version, device type, authentication

mode, etc. Shodan allows us to search such devices over internet and also provides

fiters to narrow down the results.

It is highly recommended to create an account to utilize this great

tool, as it removes some of the restrictions imposed on the free usage. So

after logging into the application we will simply go to the dashboard at

http://www.shodanhq.com/home. Here we can see some the recent searches as

well as popular searches made on this platform. This page also shows a quick reference to the fiters that we can use. Moving on let’s see more popular searches

listed under the URL http://www.shodanhq.com/browse. Here we can see there

are various different search queries which look quite interesting, such as webcam, default password, SCADA, etc. Clicking on one of these directly takes us

to the result page and lists details of machines on the internet with that specifi

keyword. The page http://www.shodanhq.com/help/fiters shows the list of all

the fiters that we can use in Shodan to perform a more focused search, such as

country, hostname, port, etc., including the usual fiters “+,”“-,” and “|.”

108 CHAPTER 6 OSINT Tools and Techniques

FIGURE 6.8

Shodan popular searches.

FIGURE 6.9

Shodan fiters.

Let’s perform a simple search on Shodan for the keyword “webcam.” Shodan has

simply found more than 15,000 results for this keyword; though we cannot view all the

results under the free package, yet what we get is enough to understand its reach and

availability of such devices on the internet. Some of these might be protected by some

kind of authentication mechanism such as username and password, but some might be

publicly accessible without any such mechanism. We can simply fid out by opening

Shodan 109

their listed IP address in our browsers (Warning: It might be illegal to do so depending

upon the laws of the country, etc.). We can further narrow down these results to a

country by using the “country” fiter. So our new query is “webcams country:us” which

gives us a list of webcams in the United States of America.

FIGURE 6.10

Shodan results for query “webcam”

To get a list of machines with fie transfer protocol (FTP) service, residing in India,

we can use the query “port:21 country:in”. We can also perform search for specifi IP

address or range of it using the fiter “net.” Shodan is providing a great deal of relevant

information and its application is only limited by the creativity of its users.

FIGURE 6.11

Shodan results for query “port:21 country:in.”

110 CHAPTER 6 OSINT Tools and Techniques

Apart from this Shodan also offers an API to integrate its data into our own

application. There are also some other services provided by it at a price and are

worth a try for anyone working in the information security domain. Recently there

has been a lot of development in Shodan and its associated services which makes

this product a must try for information security enthusiasts.

SEARCH DIGGITY

In the last chapter we learned a lot about using advanced search features of various

search engines and also briefl discussed about the term “Google Hacking.” To perform such functions we need to have the list of operations that we can use and will

have to type each query to see if anything is vulnerable, but what if there was a tool

which has a database of such queries and we can simply run it. Here enters the Search

Diggity. Search Diggity is tool by Bishop Fox which has a huge set of options and a

large database of queries for various search engines which allow us to gather compromising information related to our target. It can be downloaded from http://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/. The basic

requirement for its installation is Microsoft .NET framework v4

Once we have downloaded and installed the application, the things we need are

the search ids and API keys. These search ids/API keys are required so that we can

perform more number of searcher without too many restrictions. We can fid how

to get and use these keys in the contents section under the Help tab and also from a

some simple Google searches. Once all the keys (Google, Bing, Shodan, etc.) are at

their place we can move forward with the usage of the tool.