Using Search Engines as Penetration Testing Tools

Search engines are a treasure trove of useful sensitive information, which hackers can use for their cyber-attacks. Good news: so can penetration testers.

From a penetration tester's point of view, all search engines can be roughly divided into pen test-specific and commonly used. This article covers three search engines that my colleagues and I widely use as penetration testing tools: Google (the commonly used one) and two pen test-specific ones, Shodan and Censys.

Penetration testing engineers use Google advanced search operators for Google dork queries (or simply Google dorks). These are search strings with the syntax operator:search term. Below you will find the list of the most useful operators for pen testers:

  • cache: gives access to cached pages. If a pen tester is looking for a certain login page and it is cached, the specialist can use the cache: operator to steal user credentials with a web proxy.
  • filetype: limits the search results to specific file types.
  • allintitle: and intitle: both deal with HTML page titles. allintitle: finds pages that have all of the search terms in the page title. intitle: restricts results to those containing at least some of the search terms in the page title. The remaining terms must appear somewhere in the body of the page.
  • allinurl: and inurl: apply the same principle to the page URL.
  • site: returns results from a site located on a specified domain.
  • related: allows finding other pages similar in linkage patterns to the given URL.

What can be found with Google advanced search operators?
Google advanced search operators are used along with other penetration testing tools for anonymous information gathering, network mapping, as well as port scanning and enumeration. Google dorks can provide a pen tester with a wide range of sensitive information, such as admin login pages, usernames and passwords, sensitive documents, military or government data, corporate mailing lists, bank account details, etc.

Shodan is a pen test-specific search engine that helps a penetration tester find specific nodes (routers, switches, desktops, servers, etc.). The search engine interrogates ports, grabs the resulting banners and indexes them to find the required information. The value of Shodan as a penetration testing tool is that it provides a range of convenient filters:

  • country: narrows the search by a two-letter country code. For example, the query apache country:NO will show you Apache servers in Norway.
  • hostname: filters results by any part of a hostname or a domain name. For example, apache hostname:.org finds Apache servers in the .org domain.
  • net: filters results by a specific IP range or subnet.
  • os: finds specified operating systems.
  • port: searches for specific services. Shodan has a limited selection of ports: 21 (FTP), 22 (SSH), 23 (Telnet) and 80 (HTTP). However, you can send a request to the search engine's developer John Matherly via Twitter for more ports and services.
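To make the "grab banners, index them, filter the index" model concrete, here is an added example that is not part of the original article and not Shodan's own code. It builds a tiny in-memory banner index over a handful of constructed records (the IPs are documentation ranges, the banners are invented) and answers queries in the operator:value style shown above (country:, hostname:, net:, port:, plus free text). A defender can run the same logic over banners collected from their own perimeter to see which products and versions are visible; the record fields and regular expressions are my own assumptions.

```python
import ipaddress
import re

# Constructed sample records (documentation-range IPs, invented banners).
# The fields mirror the kind of metadata a banner index keeps per capture.
SAMPLE_BANNERS = [
    {"ip": "192.0.2.10", "port": 80, "country": "NO", "hostname": "www.example.org",
     "banner": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"},
    {"ip": "192.0.2.22", "port": 22, "country": "NO", "hostname": "gw.example.org",
     "banner": "SSH-2.0-OpenSSH_7.4\r\n"},
    {"ip": "198.51.100.5", "port": 21, "country": "DE", "hostname": "ftp.example.net",
     "banner": "220 ProFTPD 1.3.5 Server ready.\r\n"},
    {"ip": "198.51.100.9", "port": 80, "country": "DE", "hostname": "shop.example.net",
     "banner": "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n"},
    {"ip": "203.0.113.7", "port": 23, "country": "NO", "hostname": "cam.example.org",
     "banner": "\r\nlogin: "},
]

# (service, regex) pairs; group 1 is the product, group 2 the version.
# These patterns are assumptions covering the banner shapes above only.
BANNER_PATTERNS = [
    ("http", re.compile(r"^Server:\s*([A-Za-z][\w.-]*)/?([\d.]*)", re.M)),
    ("ssh", re.compile(r"^SSH-[\d.]+-([A-Za-z]+)_?([\d.p]*)", re.M)),
    ("ftp", re.compile(r"^220[ -].*?\b(ProFTPD|vsftpd|Pure-FTPd|FileZilla Server)\s*v?([\d.]*)",
                       re.M | re.I)),
]


def parse_banner(banner):
    """Return (service, product, version) for a captured banner, or
    ("unknown", "unknown", "") when no pattern applies."""
    for service, pattern in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            return service, m.group(1), m.group(2)
    return "unknown", "unknown", ""


def build_index(records):
    """Index raw captures: each entry keeps the metadata plus the parsed product."""
    indexed = []
    for rec in records:
        service, product, version = parse_banner(rec["banner"])
        entry = dict(rec)
        entry.update(service=service, product=product, version=version)
        indexed.append(entry)
    return indexed


def _matches(entry, token):
    """Evaluate one query token against one index entry."""
    if ":" in token:
        key, value = token.split(":", 1)
        key = key.lower()
        if key == "country":
            return entry["country"].lower() == value.lower()
        if key == "hostname":
            return value.lower() in entry["hostname"].lower()
        if key == "net":
            return ipaddress.ip_address(entry["ip"]) in ipaddress.ip_network(value, strict=False)
        if key == "port":
            return entry["port"] == int(value)
        raise ValueError(f"unsupported filter: {key}")
    # Free-text term: case-insensitive match on the banner text or parsed product.
    haystack = (entry["banner"] + " " + entry["product"]).lower()
    return token.lower() in haystack


def search(index, query):
    """Return the IPs of entries matching every token of the query (AND semantics)."""
    tokens = query.split()
    return [e["ip"] for e in index if all(_matches(e, t) for t in tokens)]


if __name__ == "__main__":
    index = build_index(SAMPLE_BANNERS)
    for q in ("apache country:NO", "hostname:.org", "net:198.51.100.0/24", "port:22"):
        print(f"{q:28s} -> {search(index, q)}")
```

Every token is ANDed, so `apache country:NO` returns only the Apache entry located in Norway, and an unknown filter key raises instead of being silently ignored, which is the failure mode you want to notice when a typo in a filter would otherwise turn into a much broader query.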

Shodan is a commercial project and, while authorization is not required, logged-in users have privileges. For a monthly fee you get an extended number of query credits, the ability to use the country: and net: filters, save and share queries, as well as export results in XML format.

Another useful penetration testing tool is Censys, a pen test-specific open-source search engine. Its creators claim that the engine encapsulates a "complete database of everything on the Internet." Censys scans the internet and provides a pen tester with three data sets: hosts on the public IPv4 address space, websites in the Alexa top million domains, and X.509 cryptographic certificates.

Censys supports full text search (for example, the query certificate has expired will provide a pen tester with a list of all devices with expired certificates) and regular expressions (for example, the query metadata.manufacturer: "Cisco" shows all active Cisco devices. Plenty of them will surely have unpatched routers with known vulnerabilities). A more detailed description of the Censys search syntax is available here.

Shodan vs. Censys
As penetration testing tools, both search engines are used to scan the internet for vulnerable devices. Still, I see the difference between them in the usage policy and the presentation of search results.

Shodan doesn't require any proof of a user's noble intentions, but one has to pay to use it. At the same time, Censys is open-source, but it requires a CEH certificate or another document proving the ethics of a user's intentions to lift significant usage limits (access to additional features, a query limit of five per day from one IP address).

Shodan and Censys present search results differently. Shodan does it in a more user-friendly form (resembling a Google SERP), Censys as raw data or in JSON format. The latter is more suitable for parsers, which then present the data in a more readable form.
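The raw JSON output mentioned here is exactly what makes the "certificate has expired" style of check from the Censys section scriptable. The following added example (not part of the original article and not Censys' own tooling) parses a constructed line-per-record JSON export and sorts each host's certificate into expired, expiring soon, valid, not yet valid, or absent, and additionally flags self-signed ones; a defender can point the same logic at an export of their own address space. The record layout, field names and timestamps are my own assumptions, not the Censys schema.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed export, one JSON record per line (documentation-range IPs).
# Field names are assumptions for this demo, not the real Censys schema.
SAMPLE_EXPORT = """\
{"ip": "192.0.2.10", "port": 443, "protocol": "https", "cert": {"subject_cn": "www.example.org", "not_before": "2023-01-01T00:00:00Z", "not_after": "2024-01-01T00:00:00Z", "self_signed": false}}
{"ip": "192.0.2.11", "port": 443, "protocol": "https", "cert": {"subject_cn": "mail.example.org", "not_before": "2024-06-01T00:00:00Z", "not_after": "2024-12-15T00:00:00Z", "self_signed": false}}
{"ip": "198.51.100.5", "port": 8443, "protocol": "https", "cert": {"subject_cn": "admin.example.net", "not_before": "2020-01-01T00:00:00Z", "not_after": "2030-01-01T00:00:00Z", "self_signed": true}}
{"ip": "198.51.100.9", "port": 22, "protocol": "ssh", "cert": null}
{"ip": "203.0.113.7", "port": 443, "protocol": "https", "cert": {"subject_cn": "api.example.org", "not_before": "2024-11-01T00:00:00Z", "not_after": "2025-11-01T00:00:00Z", "self_signed": false}}
"""

# Fixed "now" so the demo is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 12, 1, tzinfo=timezone.utc)

STATUSES = ("expired", "expiring", "valid", "not_yet_valid", "no_cert")


def load_records(text):
    """Parse a line-delimited JSON export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_ts(value):
    """Timestamps in the constructed export are ISO 8601 with a trailing Z (UTC)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(record, now, warn_days=30):
    """Return one of STATUSES for a record's certificate relative to `now`."""
    cert = record.get("cert")
    if not cert:
        return "no_cert"
    not_before = parse_ts(cert["not_before"])
    not_after = parse_ts(cert["not_after"])
    if now < not_before:
        return "not_yet_valid"
    if now >= not_after:
        return "expired"
    if not_after - now <= timedelta(days=warn_days):
        return "expiring"
    return "valid"


def summarize(text, now, warn_days=30):
    """Bucket every record by certificate status; self-signed certs are
    listed under an extra key in addition to their time-based status."""
    buckets = {status: [] for status in STATUSES}
    buckets["self_signed"] = []
    for rec in load_records(text):
        cert = rec.get("cert") or {}
        label = f'{rec["ip"]}:{rec["port"]} {cert.get("subject_cn", "-")}'
        buckets[classify(rec, now, warn_days)].append(label)
        if cert.get("self_signed"):
            buckets["self_signed"].append(label)
    return buckets


if __name__ == "__main__":
    for status, hosts in summarize(SAMPLE_EXPORT, NOW).items():
        print(f"{status:14s} {hosts}")
```

Passing `now` explicitly rather than reading the clock inside `classify` keeps the result reproducible and makes it easy to ask "what will have expired 30 days from now" by shifting a single argument; the self-signed flag is reported separately because a self-signed certificate can be perfectly in date and still be the finding you care about.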

Some security researchers claim that Censys offers better IPv4 address space coverage and fresher results. However, Shodan performs far more in-depth internet scanning and provides cleaner results.

So, which one to use? To my mind, if you need some recent data, choose Censys. For everyday pen testing purposes, Shodan is the right pick.

On a closing note
Google, Shodan and Censys are well worth adding to your penetration testing tool arsenal. I recommend using all three, as each contributes its part to thorough information gathering.

Certified Ethical Hacker at ScienceSoft with 5 years of experience in penetration testing. Uladzislau's spheres of competence include reverse engineering, black box, white box and gray box penetration testing of web and mobile applications, bug hunting and research work in the area of information security.

By Kelli