Vulnerability Assessment and Penetration Testing – Reconnaissance

If you are not familiar with the term VAPT then it is recommended that you read this blog first.

If you are already familiar with the phases/stages of VAPT, let’s talk about Reconnaissance. It is the first thing we do during VAPT. It is a very crucial phase and a good amount of time should be spent on it. Reconnaissance is a military term which means,

military observation of a region to locate an enemy or ascertain strategic features

Hacking in the real world is nowhere close to what they show in movies. No, we don’t work on a laptop wearing a long black hoodie and gloves. Nor do we straight away start typing certain commands while information about the target magically starts flowing in.

You will be amazed to know that the most basic tool we start with is none other than Google. Yes, this is the first thing we start with. Just type the name of your target and see what information you get. Gradually start filtering the data by changing your search query. The best way to filter Google search results is the technique known as Google Dorking. Now we are talking about something fancy.

How can someone use Google for hacking?

Well, to your disappointment, you can’t directly use Google to hack anyone, but since it has very powerful crawlers and indexes almost all information about a site, sometimes a site owner unknowingly exposes sensitive information to Google. With the help of Google Dorking, which is an advanced Google search, we try to look for such sensitive information.

Google Dorking in action

Whenever we do a simple Google search, our results are displayed based on several algorithms. We may or may not get the desired (sensitive) information with our search query. However, with the help of dorking, we can force Google to display only the information we want to see. For this reason it is also called Google Hacking.

Some of the common dorks are:

  • site:
  • inurl:
  • intext:
  • filetype:

Let’s see how dorking actually works. Suppose we want to search for password files.

Filetype:"txt | csv | xls | xlsx | doc | docx" password | credentials | users

Let’s filter it further and limit the results to GitHub by adding site:github.com

Filetype:"txt | csv | xls | xlsx | doc | docx" password | credentials | users site:github.com

You can see the drastic drop in results from 2,50,00,000 to 75,300. We can filter the results further by specifying the text we are looking for with allintext:


Filetype:"txt | csv | xls | xlsx | doc | docx" password | credentials | users site:github.com allintext:@gmail.com

Although the results have dropped to a mere 6, they are not what we were looking for. This means we will have to tweak our query a bit.

Filetype:"txt | csv | xls | xlsx | doc | docx" site:github.com intext:(gmail.com & password)

How is this information useful while doing Reconnaissance during VAPT?

As you have seen, by crafting a special Google query we are able to fetch information which should not be publicly accessible, e.g. API keys, passwords, etc. If an attacker lays their hands on any such information, it can be misused for further attacks on the assets. So as security testers we should ensure such information is not available publicly. This is just one activity we do as part of Reconnaissance; in the next blog we will learn about another Recon technique. Till then stay safe and happy learning.
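To turn the same filters into a check you can run before a repository goes public, here is an added example (not code from the original post): it mirrors the three operators used in the dorks above, filetype: as an OR over extensions, the bare keywords as an OR, and intext:(a & b) as an AND, as an offline scan of a checkout. The names matches_dork, audit_files, audit_tree and the SAMPLE_REPO contents are constructed for this illustration.

```python
from pathlib import Path

# Constructed for this example: each constant mirrors one part of the dorks above.
FILETYPES = {"txt", "csv", "xls", "xlsx", "doc", "docx"}  # filetype:"txt | csv | ..." (OR)
ANY_OF = ("password", "credentials", "users")             # password | credentials | users (OR)
ALL_OF = ("gmail.com", "password")                         # intext:(gmail.com & password) (AND)


def matches_dork(name, text, filetypes=FILETYPES, any_of=ANY_OF, all_of=ALL_OF):
    """Return True when a file satisfies the combined filter: extension in
    filetypes AND at least one any_of keyword AND every all_of term.
    Matching is case-insensitive over the file name plus its text; plain
    substring matching is deliberately broader than Google's word matching,
    so this check over-reports rather than misses."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in filetypes:
        return False
    haystack = (name + "\n" + text).lower()
    return any(k in haystack for k in any_of) and all(t in haystack for t in all_of)


def audit_files(files):
    """files maps a relative path to its text. Returns the sorted paths that a
    dork of the shape above would surface once the tree is public and indexed."""
    return sorted(p for p, text in files.items() if matches_dork(Path(p).name, text))


def audit_tree(root):
    """Load a real checkout from disk into the mapping audit_files expects.
    Office formats (xls, docx) are binary; decode errors are ignored, so their
    text is only partially visible here and would need a proper extractor."""
    root = Path(root)
    files = {str(p.relative_to(root)): p.read_text(errors="ignore")
             for p in root.rglob("*") if p.is_file()}
    return audit_files(files)


# Constructed sample repository, not a real project.
SAMPLE_REPO = {
    "config/credentials.txt": "smtp_user=alerts@gmail.com\nsmtp_password=hunter2\n",
    "backup/users_export.csv": "id,login,password\n1,bob@gmail.com,secret\n",
    "docs/users.csv": "name,email\nalice,alice@example.org\n",        # no gmail.com / password
    "src/auth.py": "password = os.environ['PASSWORD']  # gmail.com",  # extension not in filetype list
    "notes/todo.txt": "ask ops about the gmail.com mailbox\n",        # none of the OR keywords
}

if __name__ == "__main__":
    for hit in audit_files(SAMPLE_REPO):
        print("would be exposed:", hit)
```

Run audit_tree(".") from the root of a checkout to apply the same filter to real files.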
