The following tip is one of a series on why and how to perform security scans against your public-facing servers using Google.
In addition to the automated tools listed in the previous tip, you may want to perform your own manual Google queries. I've used these in previous tests run on servers, and they will get you started.
Note: These are only a tiny, tiny fraction of what you can actually look for using Google. Combine the previous tools listed with your imagination, and there is simply no limit to the number of queries you can perform.
- site:your-host-or-domain-name keywords-to-look-for
This test searches a specific Internet host or entire domain name for any keyword you list. You can look for words such as SSN, confidential, finance, student and more.
- filetype:file-extension-to-search-for site:your-host-or-domain-name
This test searches your system(s) for specific files. You can enter any file extension such as doc, pdf, ppt, db, dbf – basically anything you can imagine.
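To run both tests above consistently against a host you are responsible for, the added example below (not part of the original tip) builds the full list of queries from the keywords and file extensions the tip names. The function names, the example.com host and the use of Google's standard search URL for opening each query by hand are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, urlencode

# Keywords and extensions are the ones named in the tip; extend them for your environment.
KEYWORDS = ("SSN", "confidential", "finance", "student")
EXTENSIONS = ("doc", "pdf", "ppt", "db", "dbf")

_HOST_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def normalize_host(value):
    """Accept 'www.example.com' or a pasted URL; return the bare lowercase host."""
    value = value.strip()
    if "://" not in value:
        value = "//" + value          # lets urlsplit treat the input as a netloc
    host = (urlsplit(value).hostname or "").rstrip(".")
    if not _HOST_RE.match(host):
        raise ValueError(f"not a host or domain name: {value!r}")
    return host

def build_queries(host, keywords=KEYWORDS, extensions=EXTENSIONS):
    """Return the site:/filetype: queries from the tip for one host, deduplicated."""
    site = "site:" + normalize_host(host)
    queries = []
    for kw in keywords:
        kw = kw.strip()
        term = f'"{kw}"' if " " in kw else kw   # quote multi-word phrases
        queries.append(f"{site} {term}")
    for ext in extensions:
        ext = ext.strip().lstrip(".").lower()   # accept '.PDF' as well as 'pdf'
        if not re.fullmatch(r"[a-z0-9]+", ext):
            raise ValueError(f"not a file extension: {ext!r}")
        queries.append(f"filetype:{ext} {site}")
    return list(dict.fromkeys(queries))         # drop duplicates, keep order

def search_url(query):
    """URL-encode a query so it can be opened manually in a browser."""
    return "https://www.google.com/search?" + urlencode({"q": query})

if __name__ == "__main__":
    # example.com is a placeholder; substitute your own host or domain name.
    for q in build_queries("https://www.example.com/intranet/"):
        print(f"{q}\n    {search_url(q)}")
```

Record which queries return results and on what date, so that later runs show whether cleanup actually removed the exposed content from the index.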
Unless you are checking to make sure your information hasn't leaked to other sites, use the site: operator to narrow your search results. Use the link: operator to search for terms within a hyperlink on a page.
If Google returns results for a query, but the links are dead, be sure to click on the Cached link beneath the finding. This will search Google's cache, and odds are good that the information is there. Also, be sure to search Google Groups for sensitive information. I've been able to find some pretty juicy stuff this way. Check out these Interesting Google Queries for some Microsoft-specific Google tricks.
About the author: Kevin Beaver is an independent information security consultant, author and speaker with Atlanta-based Principle Logic, LLC, where he specializes in information security assessments for those who take security seriously and incident response for those who don't. He is author of the book Hacking For Dummies and co-author of the upcoming book Hacking Wireless For Dummies, both by Wiley Publishing.
This was first published in May 2005