Using Search Engines as Penetration Testing Tools
Search engines are a treasure trove of sensitive information that attackers can use in their cyber-attacks. The good news: so can penetration testers.
From a penetration tester's point of view, search engines can be broadly divided into pen test-specific and general-purpose ones. This article covers a few search engines that my colleagues and I commonly use as penetration testing tools: Google (the general-purpose one) and two pen test-specific engines, Shodan and Censys.
Google
Penetration testers use Google's advanced search operators to build Google dork queries (or simply Google dorks). These are search strings with the syntax operator:search term. Below is a list of the operators most useful to pen testers:
- cache: gives access to Google's cached copy of a page. If a pen tester is looking for a specific login page and it is cached, the cached copy can be studied (for example through an intercepting web proxy, to see where the form submits credentials) without sending a single request to the target. Note that Google retired the cache: operator in 2024, so an archive such as the Wayback Machine is now the usual fallback for this purpose.
- filetype: restricts results to a specific file type (filetype:pdf, filetype:xlsx).
- allintitle: and intitle: both work on HTML page titles. allintitle: finds pages whose title contains all of the search terms. intitle: applies only to the term immediately after it; the remaining terms may appear anywhere in the body of the page.
- allinurl: and inurl: apply the same principle to the page URL.
- site: restricts results to a given domain, including its subdomains.
- related: finds other sites with linkage patterns similar to the given URL.
What can be found with Google advanced search operators?
Google advanced search operators are used alongside other penetration testing tools for anonymous information gathering, network mapping, and even port scanning and enumeration. Because only Google's index is queried, the target sees no traffic from the tester. Google dorks can provide a pen tester with a wide range of sensitive information, such as admin login pages, usernames and passwords, sensitive documents, military or government data, company mailing lists, bank account details, and so on.
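The following is an added example, not code from the original article: a small Python helper that composes dorks from the operators listed above, quotes multi-word phrases, and refuses the one combination Google does not honour (allintitle:, allinurl: and allintext: must be the only operator in a query). The target domain, the operator catalogue and the dork set in recon_dorks() are illustrative assumptions.

```python
"""Build Google dork queries for passive reconnaissance.

Added example, not code from the original article. The rule it enforces
(allintitle:/allinurl:/allintext: cannot be combined with other operators)
follows Google's documented behaviour; the domain and the dork catalogue
in recon_dorks() are illustrative assumptions.
"""
from urllib.parse import quote_plus

# Google treats these as "whole query" operators and ignores anything else
# combined with them, so a query mixing them with other operators is a bug.
STANDALONE_OPERATORS = {"allintitle", "allinurl", "allintext"}
KNOWN_OPERATORS = STANDALONE_OPERATORS | {
    "site", "filetype", "ext", "intitle", "inurl", "intext", "cache", "related"}


def quote_term(term: str) -> str:
    """Wrap a multi-word value in double quotes so Google matches it as a phrase."""
    term = term.strip()
    if " " in term and not term.startswith('"'):
        return f'"{term}"'
    return term


def build_dork(keywords=(), **operators) -> str:
    """Return a dork such as 'site:example.com filetype:pdf "internal use"'.

    Keyword arguments are operators (site="example.com"); ``keywords`` are free
    search terms appended after the operators.
    """
    standalone = [op for op in operators if op in STANDALONE_OPERATORS]
    if standalone and (len(operators) > 1 or keywords):
        raise ValueError(f"{standalone[0]}: must be the only operator in the query")
    parts = []
    for op, value in operators.items():
        if op not in KNOWN_OPERATORS:
            raise ValueError(f"unknown operator: {op}")
        # allin* operators take the rest of the query as-is, not a quoted phrase
        value = str(value).strip() if op in STANDALONE_OPERATORS else quote_term(str(value))
        parts.append(f"{op}:{value}")
    parts.extend(quote_term(k) for k in keywords)
    return " ".join(parts)


def search_url(dork: str) -> str:
    """URL a tester can open in a browser (or route through a proxy) for the dork."""
    return "https://www.google.com/search?q=" + quote_plus(dork)


def recon_dorks(domain: str) -> dict:
    """A starter set of dorks scoped to one target domain (the set is our assumption)."""
    return {
        "office documents": build_dork(site=domain, filetype="xlsx"),
        "login pages": build_dork(site=domain, inurl="login"),
        "directory listings": build_dork(["parent directory"], site=domain, intitle="index of"),
        "sql dumps": build_dork(site=domain, ext="sql"),
        "config in url": build_dork(site=domain, inurl="config"),
    }


if __name__ == "__main__":
    for name, dork in recon_dorks("example.com").items():
        print(f"{name:20} {dork:50} {search_url(dork)}")
```

Because every query is answered from Google's index, running the generated URLs is passive with respect to the target; the only party that sees the queries is Google.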
Shodan
Shodan is a pen test-specific search engine that lets a penetration tester find specific nodes (routers, switches, desktops, servers, etc.). The search engine probes ports, grabs the resulting banners and indexes them so the required data can be found. The value of Shodan as a penetration testing tool is the set of useful filters it provides:
- country: narrows the search by a two-letter country code. For example, the query apache country:NO will show you Apache servers in Norway.
- hostname: filters results by any part of a hostname or domain name. For example, apache hostname:.org finds Apache servers in the .org domain.
- net: filters results by a specific IP range or subnet in CIDR notation (net:203.0.113.0/24).
- os: finds specified operating systems.
- port: searches for specific services. Shodan's original crawl covered only a handful of ports: 21 (FTP), 22 (SSH), 23 (Telnet) and 80 (HTTP), and additional ports and services had to be requested from the search engine's developer John Matherly via Twitter. Today Shodan crawls hundreds of ports, so the filter accepts any of them (port:443, port:3389).
Shodan is a commercial project and, although no authorization is required, logged-in users get privileges. For a monthly fee you get an extended number of query credits, the ability to use the country: and net: filters, the ability to save and share searches, and export of results in XML format.
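Whatever form the results come in, the tester's next step is the same: narrow them down and pull the product and version out of each banner. The script below is an added example, not code from the article or from Shodan; it applies the country:, net: and port: filters locally to a result set in the layout of Shodan's host search API (matches[].ip_str, .port, .location.country_code, .data) and builds a version histogram. SAMPLE is constructed data on documentation IP ranges, not real scan output.

```python
"""Triage Shodan host-search results offline.

Added example, not part of the original article or of Shodan's own tooling.
It assumes the JSON layout returned by Shodan's host search API
(matches[].ip_str, .port, .location.country_code, .data). SAMPLE is
constructed data on documentation IP ranges, not real scan output.
"""
import ipaddress
import re
from collections import Counter

SAMPLE = {
    "total": 4,
    "matches": [
        {"ip_str": "203.0.113.10", "port": 80, "hostnames": ["www.example.no"],
         "location": {"country_code": "NO"},
         "data": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.29 (Ubuntu)\r\nContent-Type: text/html\r\n\r\n"},
        {"ip_str": "203.0.113.25", "port": 80, "hostnames": [],
         "location": {"country_code": "NO"},
         "data": "HTTP/1.1 403 Forbidden\r\nServer: Apache/2.2.15 (CentOS)\r\n\r\n"},
        {"ip_str": "198.51.100.7", "port": 80, "hostnames": ["shop.example.se"],
         "location": {"country_code": "SE"},
         "data": "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n\r\n"},
        {"ip_str": "203.0.113.40", "port": 22, "hostnames": [],
         "location": {"country_code": "NO"},
         "data": "SSH-2.0-OpenSSH_7.4\r\n"},
    ],
}

# "Server: Apache/2.4.29 (Ubuntu)" -> product "Apache", version "2.4.29"
SERVER_RE = re.compile(r"^Server:\s*(?P<product>[^/\s]+)(?:/(?P<version>\S+))?", re.M | re.I)


def parse_banner(data: str):
    """Return (product, version) from an HTTP Server header or an SSH banner."""
    m = SERVER_RE.search(data)
    if m:
        return m.group("product"), m.group("version")
    if data.startswith("SSH-"):
        # "SSH-2.0-OpenSSH_7.4" -> ("OpenSSH", "7.4")
        ident = data.split("-", 2)[2].strip()
        product, _, version = ident.partition("_")
        return product, version or None
    return None, None


def select(results: dict, *, country=None, net=None, port=None) -> list:
    """Apply Shodan's country:, net: and port: filters locally to a result set."""
    network = ipaddress.ip_network(net, strict=False) if net else None
    chosen = []
    for m in results["matches"]:
        if country and m["location"]["country_code"] != country.upper():
            continue
        if port and m["port"] != port:
            continue
        if network and ipaddress.ip_address(m["ip_str"]) not in network:
            continue
        product, version = parse_banner(m["data"])
        chosen.append({"ip": m["ip_str"], "port": m["port"],
                       "product": product, "version": version})
    return chosen


def version_histogram(hosts: list) -> Counter:
    """Count product/version pairs so old builds stand out for follow-up checks."""
    return Counter(f"{h['product']}/{h['version']}" for h in hosts if h["product"])


if __name__ == "__main__":
    # Same selection as the query "apache country:NO port:80" in the Shodan UI
    for host in select(SAMPLE, country="NO", port=80):
        print(host)
    print(version_histogram(select(SAMPLE, net="203.0.113.0/24")))
```

The version histogram is only a lead: a banner such as Apache/2.2.15 tells you what the server advertises, not whether distribution backports have patched it, so confirm before reporting.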
Censys
Another useful penetration testing tool is Censys, a pen test-specific open-source search engine. Its creators claim that the engine encapsulates a "complete database of everything on the Internet." Censys scans the Internet and provides a pen tester with three data sets: hosts in the public IPv4 address space, websites in the Alexa top million domains, and X.509 cryptographic certificates.
Censys supports full-text search (for example, the query certificate has expired gives a pen tester a list of all devices with expired certificates) and regular expressions (for example, the query metadata.manufacturer: "Cisco" reveals all active Cisco devices, some of which will likely be running unpatched firmware with known vulnerabilities). A more detailed description of the Censys search syntax is available in the Censys documentation.
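To make concrete what those two queries actually evaluate, here is an added example (not Censys's own code and not from the article) that runs the same two checks offline over constructed records: an expired-certificate test on a validity end timestamp and a case-insensitive regex on a manufacturer field. The field names (parsed.validity.end, parsed.subject_dn, metadata.manufacturer) follow the layout of Censys records from the time of the article but are assumptions here, and CERTIFICATES and HOSTS are constructed sample data.

```python
"""Offline model of two Censys-style queries.

Added example, not Censys's own code. Field names (parsed.validity.end,
parsed.subject_dn, metadata.manufacturer) are assumptions modelled on Censys
record layout; CERTIFICATES and HOSTS are constructed sample data.
"""
import re
from datetime import datetime, timezone

CERTIFICATES = [
    {"parsed": {"subject_dn": "CN=www.example.org",
                "validity": {"start": "2015-01-01T00:00:00Z", "end": "2016-01-01T00:00:00Z"}}},
    {"parsed": {"subject_dn": "CN=mail.example.net",
                "validity": {"start": "2016-03-01T00:00:00Z", "end": "2019-03-01T00:00:00Z"}}},
    {"parsed": {"subject_dn": "CN=broken.example.com"}},  # no validity block at all
]
HOSTS = [
    {"ip": "203.0.113.1", "metadata": {"manufacturer": "Cisco", "product": "IOS"}},
    {"ip": "203.0.113.2", "metadata": {"manufacturer": "Juniper", "product": "Junos"}},
    {"ip": "203.0.113.3", "metadata": {"manufacturer": "cisco systems", "product": "ASA"}},
    {"ip": "203.0.113.4", "metadata": {}},  # manufacturer unknown
]


def get_path(record, path):
    """Resolve a dotted field path such as 'parsed.validity.end'; None if absent."""
    cur = record
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp; the Z suffix is normalised for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_expired(cert: dict, now: datetime) -> bool:
    """The 'certificate has expired' condition: validity end is in the past."""
    end = get_path(cert, "parsed.validity.end")
    return end is not None and parse_ts(end) < now


def expired_certificates(certs, now=None):
    """Subject DNs of all certificates whose validity ended before ``now``."""
    now = now or datetime.now(timezone.utc)
    return [get_path(c, "parsed.subject_dn") for c in certs if is_expired(c, now)]


def regex_search(records, path, pattern, key="ip"):
    """The 'metadata.manufacturer: "Cisco"' style query as a regex over one field."""
    rx = re.compile(pattern, re.I)
    hits = []
    for r in records:
        value = get_path(r, path)
        if value is not None and rx.search(str(value)):
            hits.append(r[key])
    return hits


if __name__ == "__main__":
    print(expired_certificates(CERTIFICATES))
    print(regex_search(HOSTS, "metadata.manufacturer", r"^cisco"))
```

Note the two edge cases the sample data carries: a record with no validity block is never reported as expired (absence is not a finding), and the manufacturer match is case-insensitive and anchored, so "cisco systems" is found while a vendor merely mentioning Cisco in a product string would not be.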
Shodan vs. Censys
As penetration testing tools, both search engines are used to scan the Internet for vulnerable systems. Still, I see the difference between them in their usage policy and in the presentation of search results.
Shodan doesn't require any proof of a user's good intentions, but one has to pay to use it fully. Censys, on the other hand, is open-source, but it requires a CEH certification or another document proving the ethical intentions of the user to lift its significant usage limitations (access to additional features, and a query limit of 5 per day from one IP address).
Shodan and Censys present search results differently. Shodan does it in a form that is more convenient for users (resembling a Google SERP); Censys returns raw data or JSON. The latter is better suited to parsers, which then present the data in a more readable form.
Some security researchers claim that Censys offers better IPv4 address space coverage and fresher results. Yet Shodan performs far more in-depth Internet scanning and gives cleaner results.
So, which one to use? To my mind, if you need the most recent data, choose Censys. For everyday pen testing purposes, Shodan is the right pick.
On a final note
Google, Shodan and Censys are well worth adding to your penetration testing arsenal. I recommend using all three, as each contributes its part to thorough information gathering.
Certified Ethical Hacker at ScienceSoft with 5 years of experience in penetration testing. Uladzislau's spheres of competence include reverse engineering, black box, white box and grey box penetration testing of web and mobile applications, bug hunting and research work in the field of information security.