Using Search Engines as Penetration Testing Tools

ByErma F. Brown

Jun 2, 2022 , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Search engines are a treasure trove of precious delicate information, which hackers can use for their cyber-assaults. Excellent information: so can penetration testers. 

From a penetration tester’s stage of check out, all lookup engines can be largely divided into pen take a look at-particular and generally-applied. The short article will protect 3 search engines that my counterparts and I widely use as penetration screening applications. These are Google (the generally-used) and two pen exam-precise ones: Shodan and Censys.

Google
Penetration screening engineers make use of Google state-of-the-art lookup operators for Google dork queries (or merely Google dorks). These are research strings with the subsequent syntax: operator:look for phrase. Even further, you will come across the record of the most beneficial operators for pen testers:

  • cache: offers accessibility to cached internet pages. If a pen tester is seeking for a certain login web site and it is cached, the expert can use cache: operator to steal user credentials with a website proxy.
  • filetype: restrictions the search outcome to certain file kinds. 
  • allintitle: and intitle: both equally deal with HTML web site titles. allintitle: finds webpages that have all of the research conditions in the webpage title. intitle: restricts success to individuals made up of at minimum some of the search conditions in the webpage title. The remaining phrases ought to surface someplace in the entire body of the page.
  • allinurl: and inurl: implement the similar theory to the website page URL. 
  • site: returns outcomes from a web site situated on a specified domain. 
  • similar: will allow acquiring other internet pages comparable in linkage patterns to the supplied URL. 

What can be identified with Google highly developed research operators?
Google state-of-the-art lookup operators are utilized alongside with other penetration testing tools for nameless details collecting, network mapping, as nicely as port scanning and enumeration. Google dorks can deliver a pen tester with a vast array of delicate facts, this kind of as admin login internet pages, usernames and passwords, sensitive paperwork, navy or authorities facts, corporate mailing lists, lender account information, etcetera. 

Shodan
Shodan is a pen check-unique research engine that allows a penetration tester to come across certain nodes (routers, switches, desktops, servers, etcetera.). The search engine interrogates ports, grabs the resulting banners and indexes them to obtain the essential details. The benefit of Shodan as a penetration screening tool is that it offers a number of hassle-free filters:

  • nation: narrows the lookup by a two-letter country code. For case in point, the request apache region:NO will display you apache servers in Norway.
  • hostname: filters effects by any part of a hostname or a area title. For illustration, apache hostname:.org finds apache servers in the .org domain.
  • net: filters effects by a individual IP range or subnet.
  • os: finds specified working methods.
  • port: searches for unique providers. Shodan has a constrained assortment of ports: 21 (FTP), 22 (SSH), 23 (Telnet) and 80 (HTTP). Nonetheless, you can ship a ask for to the search engine’s developer John Matherly by using Twitter for additional ports and solutions.

Shodan is a commercial undertaking and, despite the fact that authorization isn’t needed, logged-in people have privileges. For a every month charge you’ll get an extended range of query credits, the potential to use nation: and net: filters, conserve and share searches, as nicely as export effects in XML structure. 

Censys
An additional handy penetration testing resource is Censys – a pen take a look at-particular open up-source lookup engine. Its creators claim that the engine encapsulates a “complete databases of almost everything on the World-wide-web.” Censys scans the net and offers a pen tester with three info sets of hosts on the public IPv4 handle room, internet websites in the Alexa leading million domains and X.509 cryptographic certificates.

Censys supports a comprehensive textual content research (For instance, certificate has expired question will offer a pen tester with a list of all equipment with expired certificates.) and standard expressions (For instance, metadata. Manufacturer: “Cisco” question demonstrates all lively Cisco gadgets. Heaps of them will undoubtedly have unpatched routers with known vulnerabilities.). A far more specific description of the Censys look for syntax is presented right here.

Shodan vs. Censys
As penetration screening resources, both equally lookup engines are employed to scan the world-wide-web for vulnerable systems. Still, I see the distinction in between them in the utilization coverage and the presentation of search final results.

 
Shodan doesn’t require any evidence of a user’s noble intentions, but one particular really should fork out to use it. At the similar time, Censys is open up-source, but it involves a CEH certification or other document proving the ethics of a user’s intentions to raise considerable usage limitations (entry to additional capabilities, a question limit (5 for each working day) from one IP deal with). 

Shodan and Censys current research outcomes in different ways. Shodan does it in a a lot more hassle-free for customers kind (resembles Google SERP), Censys – as raw info or in JSON format. The latter is a lot more suitable for parsers, which then present the details in a extra readable sort.

Some protection scientists claim that Censys presents superior IPv4 handle area protection and fresher benefits. Nonetheless, Shodan performs a way more in depth net scanning and provides cleaner results. 

So, which 1 to use? To my brain, if you want some current statistics – pick Censys. For every day pen screening reasons – Shodan is the correct decide on.

On a last observe
Google, Shodan and Censys are well well worth including to your penetration testing device arsenal. I recommend making use of all the three, as every single contributes its section to a complete info accumulating.


Accredited Ethical Hacker at ScienceSoft with 5 years of working experience in penetration tests. Uladzislau’s spheres of competence incorporate reverse engineering, black box, white box and gray box penetration screening of internet and cell applications, bug looking and investigate perform in the location of information protection.