Book Review - Google Hacking For Penetration Testers by Johnny Long
Category Book Reviews
Want to be completely unnerved by the power and (mis-)use of Google? If you're at all concerned about system security, you really need to get a copy of Google Hacking For Penetration Testers by Johnny Long (Syngress). The world is more insecure than I thought...
Chapter List: Introduction; Google Searching Basics; Advanced Operators; Google Hacking Basics; Preassessment; Network Mapping; Locating Exploits and Finding Targets; Ten Simple Security Searches That Work; Tracking Down Web Servers, Login Portals, and Network Hardware; Usernames, Passwords, and Secret Stuff, Oh My!; Document Grinding and Database Digging; Protecting Yourself from Google Hackers; Automating Google Searches; Professional Security Testing; An Introduction to Web Application Security; Google Hacking Database; Index
Long walks a fine line in this book, and I think he does it pretty well. His goal is to show the reader how Google can be used to discover a vast array of information that most companies would not willingly divulge. He refrains from showing exact search criteria for finding things like social security number and credit card lists. Additionally, his screen prints of results appropriately blur exact URL information so that he's not giving up personal information. But he does give you enough information that you can understand how certain searches could be used to find files that you may not have realized were indexed.
If you have never used Google for anything more than simple searches from the main page, you'll get a lot of benefit from the first few chapters. He details the Google search keywords and how they can be mixed and matched to dramatically narrow your search focus. Even the simple act of learning how to filter for file types can be immensely valuable. The book kicks into high gear following those first chapters. Long works through various security assessment situations and shows how Google can map your environment far better than you imagined. Simple things like searching for "Powered By" messages or log files with certain strings can tell an attacker what software is running and at what version. This then allows a more refined attack based on known exploits. But instead of leaving the book at that point, he offers some strategies for limiting the amount of information Google can access, as well as ways to remove data that has already gotten out there.
Google Hacking could well be one of the most important security books you buy this year. Even if you're not in charge of security for a company or organization, you should explore some of the techniques to search for your own personal information. Just because *you* didn't expose it doesn't mean that someone else didn't. Highly recommended read...
Want to be completely unnerved by the power and (mis-)use of Google? If you're at all concerned about system security, you really need to get a copy of Google Hacking For Penetration Testers by Johnny Long (Syngress). The world is more insecure than I thought...
Chapter List: Introduction; Google Searching Basics; Advanced Operators; Google Hacking Basics; Preassessment; Network Mapping; Locating Exploits and Finding Targets; Ten Simple Security Searches That Work; Tracking Down Web Servers, Login Portals, and Network Hardware; Usernames, Passwords, and Secret Stuff, Oh My!; Document Grinding and Database Digging; Protecting Yourself from Google Hackers; Automating Google Searches; Professional Security Testing; An Introduction to Web Application Security; Google Hacking Database; Index
Long walks a fine line in this book, and I think he does it pretty well. His goal is to show the reader how Google can be used to discover a vast array of information that most companies would not willingly divulge. He refrains from showing exact search criteria for finding things like social security number and credit card lists. Additionally, his screen prints of results appropriately blur exact URL information so that he's not giving up personal information. But he does give you enough information that you can understand how certain searches could be used to find files that you may not have realized were indexed.
If you have never used Google for anything more than simple searches from the main page, you'll get a lot of benefit from the first few chapters. He details the Google search keywords and how they can be mixed and matched to dramatically narrow your search focus. Even the simple act of learning how to filter for file types can be immensely valuable. The book kicks into high gear following those first chapters. Long works through various security assessment situations and shows how Google can map your environment far better than you imagined. Simple things like searching for "Powered By" messages or log files with certain strings can tell an attacker what software is running and at what version. This then allows a more refined attack based on known exploits. But instead of leaving the book at that point, he offers some strategies for limiting the amount of information Google can access, as well as ways to remove data that has already gotten out there.
Google Hacking could well be one of the most important security books you buy this year. Even if you're not in charge of security for a company or organization, you should explore some of the techniques to search for your own personal information. Just because *you* didn't expose it doesn't mean that someone else didn't. Highly recommended read...
| Permalink |
Comments
Posted by bonj At 21:49:11 On 14/01/2005 | - Website - |