Using search engines to identify vulnerable systems and data in corporate networks, websites and services is generally known as Google Hacking, with "Google" standing in for all search engines.
Recent changes in Google’s SOAP-API rendered many security tools using Google useless. The aim of the Diggity project is to provide security researchers and network admins with a toolset to utilize Google Search and Bing again to uncover security vulnerabilities.
The two command line programs for Windows, Google Diggity and Bing Diggity, are offered as a free download on the project website.
Google Diggity:
The command line tool comes with a dataset of more than 1500 different vulnerability signatures, covering insecure admin interfaces, SQL injection and cross-site scripting vulnerabilities, and documents that contain sensitive information such as passwords or financial data.
The commands define the nature of the search. It is possible to run the full set of known signatures against a website, server or IP, or perform a Google custom search which is limited to the first 64 results.
With the retirement of Google’s SOAP Search API on September 7, 2009, most of the security utilities available for Google Hacking cease to function, leaving the security industry with a need for new and innovative tools. GoogleDiggity is a new MS Windows command line utility designed to help fill that need. GoogleDiggity leverages the Google AJAX API, so it will not get you blocked by Google bot detection while scanning. Also, unlike other Google Hacking tools available, GoogleDiggity actually allows you to specify a Google Custom Search Engine (CSE) id to run Google Hacking vulnerability checks against a customized version of Google that will only return results tailored to your organization.
BingDiggity
Bing Diggity has not been released yet, but will be available for download shortly.
BingDiggity is a new command line utility that leverages the new Bing 2.0 API and Stach & Liu’s newly developed Bing Hacking Database (BHDB) to find vulnerabilities and sensitive information disclosures related to your organization that are exposed via Microsoft’s Bing search engine. This utility also provides footprinting functionality that allows you to enumerate URLs, hosts, domains, IP-to-virtual host mappings, etc. for target companies.
Google Hacking Alerts and Bing Hacking Alerts
Google Alerts and Bing Alerts have been created for every vulnerability signature to assist network administrators, security researchers and webmasters with the monitoring of security vulnerabilities.
Currently, only Google Hacking Alerts are offered; Bing Hacking Alerts are to be released in the near future. Google Hacking Alerts make use of Google Alerts to provide real-time information about new websites appearing in Google Search that are vulnerable to one of the 1623 signatures. A Google Reader compatible RSS feed is provided on the project homepage. The RSS feed alerts are grouped into categories.
This, in conjunction with filters, makes it a solid defense strategy. The RSS feed is compatible not only with Google Reader but also other feed readers. Downloads and additional information are provided at the project website.
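One way to apply such a filter on the defender's side, as an added example that is not part of the Diggity project: it reduces an alert feed to the items that point at your own domains and groups them by category. The feed layout (plain RSS 2.0 items with `title`, `link` and `category`), the `www.google.com` redirect wrapping with a `url` or `q` parameter, and all names and sample data are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample feed (RSS 2.0 layout assumed; not real alert data).
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>alerts (constructed)</title>
<item><title>Exposed admin page</title><category>Admin interfaces</category>
<link>https://intranet.example.com/admin/login</link></item>
<item><title>Password file</title><category>Sensitive documents</category>
<link>https://www.google.com/url?sa=t&amp;url=https%3A%2F%2Fexample.org%2Fpw.xls</link></item>
<item><title>Lookalike host</title><category>Admin interfaces</category>
<link>https://notexample.com/admin</link></item>
<item><title>Unrelated site</title><category>SQL injection</category>
<link>https://shop.invalid/item?id=1</link></item>
</channel></rss>"""

OWNED_DOMAINS = {"example.com", "example.org"}  # assumption: domains you operate
REDIRECT_HOSTS = {"www.google.com"}  # assumption: hosts that wrap the real link


def target_host(link):
    """Return the lower-cased host an alert points at, unwrapping redirect links."""
    parts = urlsplit(link.strip())
    if parts.hostname in REDIRECT_HOSTS:
        query = parse_qs(parts.query)
        wrapped = (query.get("url") or query.get("q") or [""])[0]
        if wrapped:
            parts = urlsplit(wrapped)
    return (parts.hostname or "").lower().rstrip(".")


def is_owned(host, owned=OWNED_DOMAINS):
    """Match on a label boundary so notexample.com never matches example.com."""
    return any(host == d or host.endswith("." + d) for d in owned)


def filter_alerts(feed_xml, owned=OWNED_DOMAINS):
    """Group alert items that concern owned domains by their feed category."""
    hits = defaultdict(list)
    for item in ET.fromstring(feed_xml).iter("item"):
        host = target_host(item.findtext("link", default=""))
        if is_owned(host, owned):
            category = item.findtext("category", default="uncategorized")
            hits[category].append((host, item.findtext("title", default="")))
    return dict(hits)


if __name__ == "__main__":
    print(filter_alerts(SAMPLE_FEED))
```

Matching on the hostname rather than on a substring of the link is what keeps lookalike hosts and unrelated sites out of the result.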



The Bing information is now available!
Great, thanks for the information.