Posted: . At: 11:45 AM. This was 4 years ago. Post ID: 14434


How to use Google Dorks to find usernames and passwords posted online.


Google Dorks can be very useful for finding user information posted online.

This Google Dork will find logfiles and other things with usernames and passwords posted online.

allintext:username filetype:log

This will find PuTTY information, including server hostnames as well as usernames. A very good starting point.

ext:reg "username=*" putty

To find a lot of interesting server logs, look for Microsoft IIS server logs; you can see what people have been doing online.

ext:log "Software: Microsoft Internet Information Services *.*"

This Google Dork will find files that contain usernames and passwords.

filetype:dat "password.dat"

The files you find should look like this.

cocosc:$apr1$mt3rCVud$u/87HR92N6WdOKHtyRxfj1

This one will find information about databases including passwords and usernames. You can find quite a lot of results with this Google Dork.

filetype:sql ("passwd values" | "password values" | "pass values" )

It is even possible to find Linux machines with the / directory exposed to the Internet. I found one and I accessed the /etc/passwd file.

intitle:"Index of..etc" passwd

This is the /etc/passwd file I accessed. But I could not access the /etc/shadow file to get the password hashes.

/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
Debian-exim:x:104:109::/var/spool/exim4:/bin/false
messagebus:x:105:110::/var/run/dbus:/bin/false
statd:x:106:65534::/var/lib/nfs:/bin/false
sshd:x:107:65534::/var/run/sshd:/usr/sbin/nologin
webmaster:x:1000:1000:webmaster,,,:/home/webmaster/www:/bin/bash
proftpd:x:108:65534::/run/proftpd:/bin/false
ftp:x:109:65534::/srv/ftp:/bin/false
mysql:x:110:114:MySQL Server,,,:/nonexistent:/bin/false

But the machine's entire configuration is exposed to the web, even the folders under /home. People really need to secure their online machines and have strict practices concerning the configuration of the Apache webserver.
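
An added example, not part of the original post: a check an administrator can run against their own web document root to flag the kinds of files the searches above surface, before a crawler indexes them. The function name `audit_docroot`, the rule labels and the sample files are constructed for illustration.

```python
import os
import re
import tempfile

# File extensions targeted by the searches on this page.
RISKY_EXTENSIONS = {".log", ".reg", ".sql", ".dat"}
CONTENT_RULES = [
    ("htpasswd-style hash", re.compile(r"^[^:\s]+:\$apr1\$", re.M)),
    ("passwd-format account list", re.compile(r"^[^:\s]+:x:\d+:\d+:", re.M)),
    ("IIS log header", re.compile(r"^#Software: Microsoft Internet Information", re.M)),
]

def audit_docroot(root, max_chars=65536):
    """Return sorted (relative_path, reason) pairs for risky files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in RISKY_EXTENSIONS:
                findings.append((rel, "risky extension " + ext))
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    head = fh.read(max_chars)
            except OSError:
                continue  # not readable by the auditing user
            findings += [(rel, why) for why, rx in CONTENT_RULES if rx.search(head)]
    return sorted(findings)

# Constructed sample tree; no value here comes from a real host.
SAMPLE_FILES = {
    "index.html": "<h1>ok</h1>\n",
    "backup/site.sql": "INSERT INTO users VALUES ('demo', 'placeholder');\n",
    "private/password.dat": "demo:$apr1$CONSTRUCTED$notARealHash\n",
    "old/passwd.txt": "demo:x:1000:1000:demo:/home/demo:/bin/bash\n",
}

def demo():
    with tempfile.TemporaryDirectory() as root:
        for rel, text in SAMPLE_FILES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        return audit_docroot(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Anything this reports inside a served directory should be moved out of the document root or blocked in the web server configuration.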

The machine is running Debian GNU/Linux. This is a sample of the grub.cfg file.

/boot/grub.cfg
menuentry 'Debian GNU/Linux' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-ea023db7-d096-4c89-b1ef-45d83927f34b' {
	load_video
	insmod gzio
	if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
	insmod part_msdos
	insmod ext2
	set root='hd0,msdos1'
	if [ x$feature_platform_search_hint = xy ]; then
	  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1  ea023db7-d096-4c89-b1ef-45d83927f34b
	else
	  search --no-floppy --fs-uuid --set=root ea023db7-d096-4c89-b1ef-45d83927f34b
	fi
	echo	'Carregando o Linux 3.16.0-4-amd64...'
	linux	/boot/vmlinuz-3.16.0-4-amd64 root=UUID=ea023db7-d096-4c89-b1ef-45d83927f34b ro  quiet
	echo	'Carregando o ramdisk inicial...'
	initrd	/boot/initrd.img-3.16.0-4-amd64
}
submenu 'Opções avançadas para Debian GNU/Linux' $menuentry_id_option 'gnulinux-advanced-ea023db7-d096-4c89-b1ef-45d83927f34b' {
	menuentry 'Debian GNU/Linux, com o Linux 3.16.0-4-amd64' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-3.16.0-4-amd64-advanced-ea023db7-d096-4c89-b1ef-45d83927f34b' {
		load_video
		insmod gzio
		if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
		insmod part_msdos
		insmod ext2
		set root='hd0,msdos1'
		if [ x$feature_platform_search_hint = xy ]; then
		  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1  ea023db7-d096-4c89-b1ef-45d83927f34b
		else
		  search --no-floppy --fs-uuid --set=root ea023db7-d096-4c89-b1ef-45d83927f34b
		fi
		echo	'Carregando o Linux 3.16.0-4-amd64...'
		linux	/boot/vmlinuz-3.16.0-4-amd64 root=UUID=ea023db7-d096-4c89-b1ef-45d83927f34b ro  quiet
		echo	'Carregando o ramdisk inicial...'
		initrd	/boot/initrd.img-3.16.0-4-amd64
	}

If no one takes security seriously, then why even bother being online?

