Using Search Engines as Penetration Testing Tools

Look for engines are a treasure trove of important sensitive details, which hackers can use for their cyber-attacks. Great information: so can penetration testers. 

From a penetration tester’s point of perspective, all search engines can be largely divided into pen exam-particular and generally-applied. The short article will cover 3 lookup engines that my counterparts and I broadly use as penetration tests resources. These are Google (the usually-utilized) and two pen take a look at-particular kinds: Shodan and Censys.

Penetration tests engineers hire Google superior research operators for Google dork queries (or only Google dorks). These are look for strings with the adhering to syntax: operator:look for time period. Even more, you are going to locate the list of the most helpful operators for pen testers:

  • cache: supplies entry to cached web pages. If a pen tester is on the lookout for a particular login page and it is cached, the expert can use cache: operator to steal user credentials with a net proxy.
  • filetype: restrictions the search outcome to unique file kinds. 
  • allintitle: and intitle: both equally deal with HTML site titles. allintitle: finds pages that have all of the lookup phrases in the site title. intitle: restricts success to those that contains at minimum some of the look for phrases in the site title. The remaining phrases must show up someplace in the entire body of the site.
  • allinurl: and inurl: use the very same theory to the page URL. 
  • internet site: returns final results from a site located on a specified area. 
  • connected: allows getting other internet pages similar in linkage patterns to the presented URL. 

What can be identified with Google superior research operators?
Google innovative look for operators are applied along with other penetration screening instruments for anonymous information collecting, network mapping, as properly as port scanning and enumeration. Google dorks can give a pen tester with a wide array of sensitive facts, these as admin login web pages, usernames and passwords, sensitive paperwork, army or govt data, corporate mailing lists, bank account information, and so forth. 

Shodan is a pen check-precise look for motor that allows a penetration tester to discover specific nodes (routers, switches, desktops, servers, and so on.). The lookup motor interrogates ports, grabs the ensuing banners and indexes them to find the required facts. The price of Shodan as a penetration testing tool is that it provides a range of practical filters:

  • nation: narrows the lookup by a two-letter state code. For instance, the request apache nation:NO will display you apache servers in Norway.
  • hostname: filters success by any portion of a hostname or a domain title. For instance, apache finds apache servers in the .org domain.
  • web: filters effects by a distinct IP variety or subnet.
  • os: finds specified functioning methods.
  • port: queries for precise solutions. Shodan has a minimal selection of ports: 21 (FTP), 22 (SSH), 23 (Telnet) and 80 (HTTP). Nevertheless, you can send a ask for to the research engine’s developer John Matherly via Twitter for additional ports and products and services.

Shodan is a commercial job and, despite the fact that authorization is not necessary, logged-in end users have privileges. For a monthly rate you are going to get an prolonged variety of question credits, the capacity to use country: and web: filters, help save and share searches, as perfectly as export final results in XML structure. 

Yet another practical penetration screening instrument is Censys – a pen take a look at-unique open-supply lookup engine. Its creators assert that the motor encapsulates a “complete database of every thing on the Net.” Censys scans the internet and supplies a pen tester with three info sets of hosts on the community IPv4 address place, internet sites in the Alexa top million domains and X.509 cryptographic certificates.

Censys supports a whole textual content look for (For illustration, certification has expired question will present a pen tester with a record of all units with expired certificates.) and regular expressions (For case in point, metadata. Producer: “Cisco” question displays all lively Cisco devices. A lot of them will surely have unpatched routers with identified vulnerabilities.). A far more comprehensive description of the Censys look for syntax is specified listed here.

Shodan vs. Censys
As penetration testing resources, both equally lookup engines are utilized to scan the world wide web for susceptible units. However, I see the change in between them in the usage policy and the presentation of lookup final results.

Shodan doesn’t call for any evidence of a user’s noble intentions, but just one should shell out to use it. At the exact time, Censys is open up-source, but it involves a CEH certification or other doc proving the ethics of a user’s intentions to raise sizeable use restrictions (entry to more features, a question limit (five for each day) from a single IP tackle). 

Shodan and Censys present research results differently. Shodan does it in a far more practical for end users variety (resembles Google SERP), Censys – as raw details or in JSON format. The latter is much more appropriate for parsers, which then current the data in a additional readable sort.

Some security scientists assert that Censys features improved IPv4 tackle space coverage and fresher results. Nevertheless, Shodan performs a way far more comprehensive world wide web scanning and presents cleaner outcomes. 

So, which 1 to use? To my intellect, if you want some latest figures – decide on Censys. For everyday pen testing needs – Shodan is the correct pick.

On a final be aware
Google, Shodan and Censys are well worthy of including to your penetration testing device arsenal. I recommend applying all the three, as each and every contributes its portion to a complete information gathering.

Licensed Ethical Hacker at ScienceSoft with 5 yrs of practical experience in penetration testing. Uladzislau’s spheres of competence consist of reverse engineering, black box, white box and gray box penetration screening of internet and cell applications, bug searching and investigation do the job in the area of info security.