Publicly available information serves as a launching pad for attackers initial efforts to research potential areas of exploitation.
While your organization may be exercising efforts to reduce vulnerabilities, many times attackers are looking for weaknesses in your defenses that when combined with other methodologies, can serve as an initial vector of entry or further exploit.
In this video, Nate Drier, Secureworks Managing Principal Consultant, gives a demonstration of how an attacker would utilize Google to conduct passive reconnaissance on a target.
So, one of the first places I had when I get a new enviro or a new target environment to go after is over to Google, to do some searching and see what Google's indexed against that client. So obviously if our fictional target was Dell, we'd do a search for dell.com. And we could see through the testing for this video, Google has decided I'm a robot so I need to fill out their captcha-
Anyway, so we can see this brings back lots of results, not all of it is very specific to Dell. We can see there's a link for "alienware", a link for "retailmenot" for some coupons there. So if we want to tell Google only return things off the dell.com domain, we can say site:dell.com. Now we can see that all the results are off the main dell.com domain.
They're all www so if we want to get rid of that, find some additional domains, additional hosts to target possibly, we could say tick www. That would remove all those results and obviously documents ".software.dell", "jobs.dell.com" so some additional sites there.
They'll also allow a modifier such as filetype. Say you want to find all the TXT files hosted on any sub.dell.com domain. That would allow you to do it, things like: cgi. Those can be interesting. Let's see if there's any cgi scripts out there that we could potentially abuse.
Another interesting one is .key files to see if anybody is inadvertently allowed Google to index a private key. You know obviously, Dell's got some public key information out there, nothing too interesting here. Another modifier we can use is inurl:. So this'll be anything in the url, this'll help us look for popular web frame works and things.
Say we want to look for WordPress, we'd look for a common WordPress directory like wp– content and we can run that and see there's a list, it looks like it's all the same host here but we've found a WordPress installation, we can go and do some farther exploration there. Another modifier is in intitle: , so say we want to do intitle:Login.
This will show us all the sites on subdomain.dell.com that have Login in the title, which probably means it wants you to login with some sort of user and password. That'll be very handy if we phish credentials or got credentials on this test somehow and then wanted to see where those credentials worked. This is a query we could run to get a bunch of different locations to log into.