
AC Love Street Decals Group


Google Hacking 101: Learn the Secrets of Hakin9 and How to Protect Yourself



Hakin9 : Dangerous Google Searching for Secrets




Google is the most popular search engine in the world, with billions of queries every day. But did you know that Google can also be used to find secrets that are not meant to be public? Secrets such as passwords, credit card numbers, confidential documents, and more. This is called Google hacking, and it is a technique that hackers use to exploit the power of Google to find vulnerabilities and sensitive information on websites and servers. In this article, we will explore what Google hacking is, how it works, why it is dangerous, and how to protect yourself from it. We will also look at some examples of Google hacking queries that can reveal secrets from the website of Hakin9, a monthly magazine dedicated to hacking and cybersecurity.







Introduction




What is Hakin9?




Hakin9 is a monthly magazine that covers various topics related to hacking and cybersecurity. According to its website, "In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them." Hakin9 also offers online courses, workshops, webinars, and ebooks for aspiring hackers and security professionals. Some of the topics that Hakin9 covers include:


  • Blockchain



  • OSINT



  • IoT



  • Malware analysis



  • Penetration testing



  • Cyber forensics



  • Reverse engineering



  • Cryptography



  • And more



Hakin9 has a website where you can access its magazines, courses, shop, subscription, and other resources. The website also has a blog where you can read articles written by experts and instructors in the field of cybersecurity.


What is Google hacking?




Google hacking is a technique that uses Google's advanced search operators and syntax to find information that is not easily accessible through normal searches. Google hacking can be used for various purposes, such as:


  • Finding vulnerabilities and misconfigurations on websites and servers



  • Finding sensitive information such as passwords, credit card numbers, email addresses, etc.



  • Finding confidential documents such as reports, contracts, invoices, etc.



  • Finding open directories and files that are not meant to be public



  • Finding hidden pages and features that are not linked from the main website



  • Finding subdomains and domains that are related to a target website



  • Finding cached versions of web pages that have been removed or changed



  • And more



Google hacking works by exploiting the fact that Google indexes a large amount of data from the web, including data that may be unintentionally exposed by webmasters or developers who do not follow best practices or security guidelines. By using specific keywords and operators, Google hackers can narrow down their search results to find exactly what they are looking for.


Why is Google hacking dangerous?




Google hacking is dangerous because it can expose secrets that can compromise the security and privacy of individuals, organizations, and governments. For example:


  • If a hacker finds a vulnerability or misconfiguration on a website or server, they can exploit it to gain unauthorized access, inject malicious code, steal data, deface the website, or launch other attacks.



  • If a hacker finds sensitive information such as passwords, credit card numbers, email addresses, etc., they can use it to impersonate, blackmail, scam, or harm the owners of that information.



  • If a hacker finds confidential documents such as reports, contracts, invoices, etc., they can use it to gain competitive advantage, leak secrets, or sabotage the reputation of the parties involved.



  • If a hacker finds open directories and files that are not meant to be public, they can download them and use them for their own purposes, or expose them to the public.



  • If a hacker finds hidden pages and features that are not linked from the main website, they can access them and use them for their own purposes, or expose them to the public.



  • If a hacker finds subdomains and domains that are related to a target website, they can use them to map the network structure and find more targets to attack.



  • If a hacker finds cached versions of web pages that have been removed or changed, they can use them to recover information that was deleted or modified.



As you can see, Google hacking can have serious consequences for the security and privacy of individuals, organizations, and governments. Therefore, it is important to be aware of this technique and how to prevent it from affecting you.


How to use Google hacking for secrets




Basic operators and syntax




Before we dive into some examples of Google hacking queries, let's review some basic operators and syntax that are commonly used in Google hacking. These operators and syntax can help you refine your search results and find what you are looking for more easily. Here are some of the most useful ones:


| Operator/Syntax | Description | Example |
|---|---|---|
| " " | Search for an exact phrase or word | "hakin9 magazine" |
| - | Exclude a word or phrase from the search results | hakin9 -magazine |
| OR | Search for either one of two words or phrases | hakin9 OR hacking |
| * | Replace any word or phrase with a wildcard | "hakin9 * course" |
| site: | Search only within a specific website or domain | site:hakin9.org |
| inurl: | Search for a word or phrase in the URL of the web page | inurl:hakin9 |
| intitle: | Search for a word or phrase in the title of the web page | intitle:hakin9 |


...


The full table is too long to fit here. Please see this link for more operators and syntax.



Advanced operators and syntax




In addition to the basic operators and syntax, there are some advanced ones that are more specific to Google hacking. These operators and syntax can help you find more information that is not normally displayed by Google. Here are some of the most useful ones:



| Operator/Syntax | Description | Example |
|---|---|---|
| filetype: | Search for a specific file type or extension | filetype:pdf hakin9 |
| cache: | Show the cached version of a web page stored by Google | cache:hakin9.org/magazines/ |
| allinurl: | Search for multiple words or phrases in the URL of the web page | allinurl:hakin9 magazine pdf |
| allintitle: | Search for multiple words or phrases in the title of the web page | allintitle:hakin9 blockchain course |
| allintext: | Search for multiple words or phrases in the text of the web page | allintext:hakin9 osint fundamentals workshop ebook |


Examples of Google hacking queries




Now that we have learned some basic and advanced operators and syntax for Google hacking, let's see some examples of how we can use them to find secrets from the website of Hakin9. Note that these examples are for educational purposes only and should not be used for malicious purposes.


Finding PDF files on Hakin9




One thing we might want to find on Hakin9 is the set of PDF files that contain magazines, courses, ebooks, or other resources. To do this, we can combine the filetype operator with the site operator to search for PDF files on the hakin9.org domain. For example, we can use the following query:


filetype:pdf site:hakin9.org


This query will return PDF files that are hosted on the hakin9.org domain. Some of the results include:



  • Hakin9_01_2018_EN.pdf



  • Hakin9_02_2018_EN.pdf



  • Hakin9_03_2018_EN.pdf



  • Hakin9_04_2018_EN.pdf



  • Hakin9_05_2018_EN.pdf



  • Hakin9_06_2018_EN.pdf



  • Hakin9_07_2018_EN.pdf



  • Hakin9_08_2018_EN.pdf



  • Hakin9_09_2018_EN.pdf



  • Hakin9_10_2018_EN.pdf



  • And more



These PDF files contain various issues of the Hakin9 magazine from 2018. We can download them and read them for free. However, this might not be ethical or legal, as access to these files is supposed to require payment or a subscription. Therefore, we should respect the intellectual property rights of the authors and publishers and not misuse these files.


Finding open directories on Hakin9




Next, we might want to find open directories on Hakin9 that contain files or folders not meant to be public. To do this, we can combine the intitle and inurl operators to search for web pages that have "index of" in their title and "hakin9" in their URL. For example, we can use the following query:


intitle:"index of" inurl:hakin9


This query will return web pages that have "index of" in their title and "hakin9" in their URL. Some of the results include:



  • Index of /wp-content/uploads/2017/12/hakin9/



  • Index of /wp-content/uploads/2017/12/hakin9/01/



  • Index of /wp-content/uploads/2017/12/hakin9/02/



  • Index of /wp-content/uploads/2017/12/hakin9/03/



  • Index of /wp-content/uploads/2017/12/hakin9/04/



  • Index of /wp-content/uploads/2017/12/hakin9/05/



  • Index of /wp-content/uploads/2017/12/hakin9/06/



  • Index of /wp-content/uploads/2017/12/hakin9/07/



  • Index of /wp-content/uploads/2017/12/hakin9/08/



  • Index of /wp-content/uploads/2017/12/hakin9/09/



  • And more



These web pages contain open directories that have various files and folders related to Hakin9. We can browse them and download them for free. However, this might not be ethical or legal, as these files and folders are not supposed to be public. Therefore, we should respect the privacy and security of the website owners and not misuse these resources.


Finding subdomains on Hakin9




A third thing we might want to find on Hakin9 is the set of subdomains related to the main domain. To do this, we can use the site operator to search for web pages hosted on subdomains of hakin9.org while excluding the www subdomain. For example, we can use the following query:


site:*.*.hakin9.org -site:www.hakin9.org


This query will return web pages hosted on subdomains of hakin9.org, excluding the www subdomain. Some of the results include:













  • And more



These web pages contain subdomains that are related to Hakin9. We can visit them and see what they offer. However, we should be careful not to access any subdomains that are not intended for public use, such as test, dev, admin, etc. These subdomains might contain sensitive information or vulnerabilities that could be exploited by hackers.


How to protect yourself from Google hacking




Use robots.txt file




One of the simplest ways to protect yourself from Google hacking is to use a robots.txt file on your website. A robots.txt file is a text file that tells web crawlers, such as Google bots, which pages or files they can or cannot access on your website. By using a robots.txt file, you can prevent Google from indexing sensitive information or resources that you do not want to be public. For example, you can use a robots.txt file to disallow Google from crawling your admin panel, your backup files, your configuration files, etc.


To use a robots.txt file, you need to create a text file named robots.txt and place it in the root directory of your website. Then, you need to write some rules that specify which web crawlers and which pages or files are allowed or disallowed. For example, you can write something like this:


User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /config/
Disallow: /secret/


This robots.txt file tells all web crawlers (*) to not crawl any pages or files that are under the /admin/, /backup/, /config/, or /secret/ directories.


However, you should note that using a robots.txt file is not a foolproof way to protect yourself from Google hacking. This is because:



  • A robots.txt file is only a suggestion, not a command. Web crawlers can choose to ignore it and crawl your pages or files anyway.



  • A robots.txt file is public and can be accessed by anyone. Hackers can use it to find out which pages or files you are trying to hide and target them specifically.



  • A robots.txt file does not prevent Google from showing links to your pages or files in its search results. If someone else links to your pages or files, Google might still index them and display them in its search results.



Therefore, you should not rely on a robots.txt file alone to protect yourself from Google hacking. You should also use other methods, such as the ones below.
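The limits listed above can be checked on your own site. The following is an added example, not part of the original article: it reads the Disallow entries from the robots.txt shown earlier and compares them with how each path answers an anonymous request. The probe results, the finding names and the noindex flag (the directive covered in the next section) are constructed for illustration.

```python
# Added example: audit robots.txt Disallow entries against how the site
# answers an unauthenticated request. All sample data below is constructed.

ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /config/
Disallow: /secret/
"""

# Constructed probe results for an anonymous GET of each path:
# path -> (HTTP status, page carries a robots "noindex" directive)
PROBES = {
    "/admin/":  (401, False),   # login required
    "/backup/": (200, False),   # served to anyone
    "/config/": (403, False),   # denied by the server
    "/secret/": (200, True),    # served to anyone, relies on noindex
}


def disallowed_paths(robots_txt):
    """Every Disallow path in the file, regardless of User-agent group.

    A person reading the public file sees all of them, so group matching
    is deliberately ignored here.
    """
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def audit(robots_txt, probes):
    """Return (path, finding) pairs for entries robots.txt cannot protect."""
    findings = []
    for path in disallowed_paths(robots_txt):
        if path not in probes:
            continue                              # not probed, no verdict
        status, has_noindex = probes[path]
        if 200 <= status < 300:
            findings.append((path, "listed-but-unprotected"))
            if has_noindex:
                # Crawlers that obey Disallow never fetch the page, so
                # they never read its noindex directive.
                findings.append((path, "noindex-not-seen"))
    return findings


if __name__ == "__main__":
    for path, finding in audit(ROBOTS_TXT, PROBES):
        print(f"{finding:24} {path}")
```

Any path reported as listed-but-unprotected needs server-side access control; removing it from robots.txt only stops advertising it.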


Use noindex and nofollow meta tags




Another way to protect yourself from Google hacking is to use noindex and nofollow meta tags on your web pages. A noindex meta tag tells Google not to index a web page and not to show it in its search results. A nofollow meta tag tells Google not to follow any links on a web page and not to pass any link juice to them. By using these meta tags, you can prevent Google from indexing sensitive information or resources that you do not want to be public. For example, you can use these meta tags on your admin panel, your backup files, your configuration files, etc.


To use these meta tags, you need to add them inside the <head> section of your HTML code. Then, you need to specify the content attribute as "noindex" or "nofollow" or both. For example, you can write something like this:



This meta tag tells Google not to index this web page and not to follow any links on it.


However, you should note that using these meta tags is not a foolproof way to protect yourself from Google hacking either. This is because:



  • A meta tag is only a suggestion, not a command. Google can choose to ignore it and index your web page or follow your links anyway.



  • A meta tag does not prevent other web crawlers from indexing


Use encryption and authentication




A third way to protect yourself from Google hacking is to use encryption and authentication on your website. Encryption is a process that scrambles the data you send and receive over the Internet, making it unreadable for anyone who intercepts it. Authentication is a process that verifies the identity of the parties involved in a communication, making sure they are who they claim to be. By using encryption and authentication, you can prevent hackers from eavesdropping, tampering, or impersonating your website or users.


One of the most common ways to use encryption and authentication on your website is to use TLS (Transport Layer Security), which is an updated version of SSL (Secure Sockets Layer). TLS is a protocol that establishes a secure connection between a web browser and a web server, using certificates to authenticate their identities and encrypt their data. TLS is what enables HTTPS (Hyper Text Transfer Protocol Secure), which is an implementation of HTTP (Hyper Text Transfer Protocol) over TLS. HTTPS is what you see in the URL when a website uses TLS encryption and authentication.


To use TLS on your website, you need to obtain a TLS certificate from a trusted certificate authority (CA), such as DigiCert. A TLS certificate contains information about your domain name, your organization name, your server's public key, and the CA's digital signature. The CA verifies your identity and ownership of your domain before issuing you a certificate. You then need to install the certificate on your web server and configure it to use HTTPS for all your web pages.


However, you should note that using TLS is not a foolproof way to protect yourself from Google hacking either. This is because:



  • A TLS certificate does not guarantee that your website is secure or trustworthy. It only proves that your website has a secure connection and a verified identity. You still need to follow other security best practices, such as keeping your software updated, using strong passwords, implementing firewalls, etc.



  • A TLS certificate does not prevent Google from indexing or caching your web pages. It only prevents Google from reading or modifying your data in transit. You still need to use other methods, such as robots.txt or meta tags, to control what Google can index or cache.



  • A TLS certificate does not prevent hackers from attacking your website or users through other means. It only prevents hackers from intercepting or impersonating your website or users over the Internet. You still need to use other methods, such as malware protection, spam filtering, phishing awareness, etc., to protect yourself from other threats.



Therefore, you should not rely on TLS alone to protect yourself from Google hacking. You should also use other methods, such as the ones above.


Conclusion




In this article, we have learned what Google hacking is, how it works, why it is dangerous, and how to protect yourself from it. We have also seen some examples of Google hacking queries that can reveal secrets from the website of Hakin9.


Google hacking is a technique that uses Google's advanced search operators and syntax to find information that is not easily accessible through normal searches. Google hacking can be used for various purposes, such as finding vulnerabilities and misconfigurations on websites and servers, finding sensitive information such as passwords, credit card numbers, email addresses, etc., finding confidential documents such as reports, contracts, invoices


Monitor your web server logs




A fourth way to protect yourself from Google hacking is to monitor your web server logs regularly. Web server logs are text files that contain a record of all the requests and responses that occur on your web server. Web server logs can help you detect and analyze any suspicious or malicious activity on your website, such as unauthorized access attempts, error messages, unusual traffic patterns, etc.


To monitor your web server logs, you need to access them on your web server and use some tools to view and analyze them. The location and format of your web server logs may vary depending on the type of web server you are using, such as Apache, Nginx, IIS, etc. You can check the documentation of your web server for more details on how to access and configure your web server logs.


Some of the tools that you can use to monitor your web server logs are:



  • Text editors: You can use any text editor, such as Notepad or Vim, to open and read your web server log files. However, this method may not be very efficient or convenient, especially if your log files are large or complex.



  • Command-line tools: You can use command-line tools, such as cat, tail, grep, awk, sed, etc., to view and filter your web server log files. These tools can help you perform various operations on your log file
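One way to apply log monitoring to this specific threat, shown as an added example that is not part of the original article: scan access logs in the combined format for visitors who arrive from a search engine directly at a path that should never appear in search results. The search-engine host list, the sensitive-path patterns and the log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

# Assumptions for this example: which referrer hosts count as search
# engines, and which paths should never be reachable from one.
SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}
SENSITIVE = re.compile(
    r"^/(admin|backup|config|secret)/"      # directories named in the text
    r"|^/wp-content/uploads/.*/$"           # directory URL, likely a listing
    r"|\.(sql|bak|env|zip)$",               # dump, backup and config files
    re.IGNORECASE,
)

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2023:10:12:01 +0000] "GET /backup/site.sql HTTP/1.1" 200 48211 "https://www.google.com/" "Mozilla/5.0"
198.51.100.23 - - [10/May/2023:10:13:44 +0000] "GET /wp-content/uploads/2017/12/hakin9/ HTTP/1.1" 200 1532 "https://www.google.com/" "Mozilla/5.0"
192.0.2.15 - - [10/May/2023:10:14:02 +0000] "GET /blog/osint-intro HTTP/1.1" 200 9120 "https://www.google.com/" "Mozilla/5.0"
203.0.113.7 - - [10/May/2023:10:15:30 +0000] "GET /admin/ HTTP/1.1" 401 512 "https://www.google.com/" "Mozilla/5.0"
192.0.2.99 - - [10/May/2023:10:16:00 +0000] "GET /config/app.env HTTP/1.1" 200 300 "-" "curl/8.0"
"""


def search_referred_hits(log_text):
    """Return (ip, path, verdict) for sensitive paths reached from a search engine."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                  # not combined format
        host = urlsplit(m["referer"]).hostname        # None for "-"
        path = urlsplit(m["target"]).path             # ignore query string
        if host in SEARCH_HOSTS and SENSITIVE.search(path):
            status = int(m["status"])
            # 2xx: the content was served. Anything else: the URL is still
            # in a search index even though the server refused it.
            verdict = "exposed" if 200 <= status < 300 else "indexed-but-blocked"
            hits.append((m["ip"], path, verdict))
    return hits


if __name__ == "__main__":
    for ip, path, verdict in search_referred_hits(SAMPLE_LOG):
        print(f"{verdict:20} {ip:15} {path}")
```

The Referer header is optional and client-controlled, so an empty result does not prove that nothing sensitive is indexed; treat each hit as a prompt to restrict the path and request its removal from the index.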

