Review: Google Hacking for Pen Testers


Google Hacking for Penetration Testers

by Johnny Long

Published by Syngress, 2005

~500 scary pages

ISBN 1-931836-36-1

First edition out of print, replaced in 2007 by “Volume 2”

 

Following the widely acclaimed Johnny.IHackStuff.com, “Johnny Long” has written a full manual on the ins-and-outs of using Google for hacking or penetration testing websites and web applications. There is lots of advice in here for other Googlies too. If you work your way methodically through this book, patiently trying out the Google queries as you go, you will learn a lot about Google’s search syntax plus the pros and cons of using Google.

After introducing Google’s syntax, the main part of the book follows the conventional sequence of a typical penetration test, starting with the initial identification and exploration of potential targets.  Pretty soon, any webmaster reading this book is likely to begin checking out their own website as the power of Google starts to sink in.  This is one terrifying book if you are a slightly paranoid information security professional at a major corporation.  You’ll soon be turning the pages with a look of shock and fear on your face, gripped by the unfolding horror story.  Google Hacking puts the spotlight firmly on those dark places that many security managers fear to tread: firewall, IDS and IPS configurations, security patching practices, web application security ... need I go on?

Most chapters include ‘interesting’ example searches. Queries that expose passwords, credit card numbers and exploitable vulnerabilities are dotted throughout the book. Information security managers and IT auditors at large corporations are inevitably drawn to check how many of these queries will find sensitive information from their own organizations.

The penultimate chapter outlines some of the techniques to ensure that your organization does not reveal too much to Google, although if you have published sensitive stuff on the Web, the cat is already well and truly out of the bag even if you make the effort to pull it from Google.  The final chapter discusses scripts and programs to automate the Google searches - handy if you are a professional penetration tester or busy hacker.

The book is a shining example of how to write a readable and accessible technical book.  It uses humor and cynicism to brighten up otherwise potentially tedious information, and is a gripping read for those who appreciate the power (and the implicit threat) of Google.

 

PS  Although we haven’t read it, the second edition (~US$30 from Amazon) is probably much the same.  If you like Johnny Long’s writing style, try No Tech Hacking too.



Copyright © 2013  IsecT Ltd.