Bruce Schneier

 
 

Schneier on Security

A blog covering security and security technology.


March 4, 2008

Google Vulnerability Scanner

We've all known for years that you can use Google to scan for vulnerabilities. Well, now the process has been automated.

Presenting: Goolag Scanner from the Cult of the Dead Cow.

I've seen a lot of pre-release scanning results from these guys, and it's pretty amazing what they've found.

Posted on March 4, 2008 at 12:12 PM • 28 Comments

Comments

Jack • March 4, 2008 12:52 PM

http://www.goolag.org/ seems to be a Dead Cow... ;-]

J.


sehlat • March 4, 2008 1:18 PM

Downloaded the installer and scanned it before running. ZoneAlarm reports it's got a virus.


jayh • March 4, 2008 1:21 PM

hmmm I just by accident found this article:

"google scanning-- is it legal in the UK"

http://www.heise-online.co.uk/security/...


coquimbo • March 4, 2008 1:22 PM

Yeah, seems a little suspicious that they want all the big websites to download the app and install it. Can anybody confirm that it's malware?


tom • March 4, 2008 1:47 PM

So it probably won't be long until KZ-hacker is being released? Who gives his software such a stupid name? Or is it their intention to turn the internet into a gulag (pronounced goolag)?


Guillaume Theoret • March 4, 2008 1:52 PM

I don't understand what's supposed to be showing up in the search on that page.. I searched for config, apache and some others but nothing interesting ever came up.

Surely you don't have to download their "windows only" app to get proper results.

I know I don't plan on infecting my box with whatever trojan it might contain.


the other Alan • March 4, 2008 1:54 PM

Seems a little "phishy" to me, too. No thanks!


Josh • March 4, 2008 2:01 PM

They need the option of entering a Google license key like SiteDigger and Wikto do (although this new tool looks nicer and is more recently maintained) so you can submit mass queries without being blocked. Having to stop after every 5-10 queries is annoying when going through thousands.


Clive Robinson • March 4, 2008 2:25 PM

@Bruce,

Assuming it has not been released a month early and is not a trojan.

Do you know what's under the bonnet?


Karl • March 4, 2008 3:24 PM

@Clive

if it's out on GPL then one presumes it can be and has been checked.


Peter • March 4, 2008 3:28 PM

We posted about this last week... http://securitymusings.com/article/238/... It seems like a handy toolkit -- best handled with care :)


FWIW • March 4, 2008 4:25 PM

FWIW, McAfee VirusScan, updated this morning, shows no virus.


AndyB • March 4, 2008 4:43 PM

It is open source, so as soon as someone cares enough to read the source code we'll find out.

cDc are crazy talented hackers, but they don't distribute viruses. Some AV products may call Goolag malware, but the product itself won't harm your PC - it is just a "hack tool".


Roberto Scaccia • March 4, 2008 5:25 PM

I ran this tool, but the Google block technique is very noising! I hope in the next release CDC will insert a randomization of the time interval to minimize Google confirmation web page requests.


Anonymous • March 4, 2008 6:31 PM

@Roberto Scaccia

yeah I found that too - and wondered if cdc are using it to capture CAPTCHAs ;-) but am too lazy to read code

But I am finding it really handy to throw in a domain then go down the list manually running one at a time which seem interesting and (possibly) relevant to the domain. It builds the syntax, sends the query and at that speed doesn't offend google


Mark in CA • March 4, 2008 7:20 PM

My Sana Security Primary Response didn't have any issues with the software.


Krass Katt • March 4, 2008 9:11 PM

Glad you bitches like my app.

Guillaume: click the "download" link on goolag.org to, well, download, genius.


rohit • March 4, 2008 10:04 PM

A word of caution:
One might end up blocking his/her IP on Google due to high number of automated search queries. It will result in something like this http://sorry.google.com/sorry


jammit • March 4, 2008 10:32 PM

The geek shall inherit the truth.
Relevant site:
http://johnny.ihackstuff.com/index.php?...
"Gooscan" for Linux looks interesting:
http://johnny.ihackstuff.com/downloads/...


Jürgen R. Plasser • March 5, 2008 1:45 AM

And the web based GHDB by Gnucitizen is a very useful tool, too (and always up-to-date):

http://www.gnucitizen.org/ghdb/


big bud good • March 5, 2008 2:54 AM

cDc should try and do something useful for society, like help legalize marijuana


Anonymous • March 5, 2008 4:22 AM

"WHY CULT OF THE DEAD COW WILL PUBLISH CHINESE GOVERNMENT DATA We couldn't care less about these assholes. Any country that props up dictators and practices genocide doesn't catch a break from us."

Bloody hypocrites:

http://en.wikipedia.org/wiki/...


Roger • March 5, 2008 5:11 AM

@AndyB:
"cDc are crazy talented hackers, but they don't distribute viruses."

Not true. Previous cDc distributions have contained viruses, see e.g.:
http://news.zdnet.com/2100-9595_22-515160.html


Ronald van den Heetkamp • March 5, 2008 6:34 AM

It's been done before of course, only not publicly distributed.

I made one myself 2 years ago. It's very easy, just a matter of loading the Google dorks -the attack vectors- into a database, route through a proxy list or Tor and you're done.


Alex Lauerman • March 5, 2008 12:00 PM

It has been done before, and it has been publicly available and it had the same problems of getting blocked by google, which makes it fairly worthless for doing a good amount of scanning, unless you evade their detection. Is there any known way to evade detection logic? Obviously there are probably a lot of complex ways to solve the problem, but from what I've read it's pretty intelligent.

I've used a few tools that did this and I was always blocked by google after 50 or 100 queries. Some supported using a google API key, but I ran into a wall there too (I can't remember why -- I think google stopped supporting them).

Anyway, there is a chapter on google automation in the book called "Google Hacking for Penetration Testers", by Johnny Long. Page 361 talks about automation tools:

http://books.google.com/books?...

Same answer in a Q/A session:
http://safari.oreilly.com/1931836361/...


chris l • March 5, 2008 12:32 PM

@Alex

Google stopped issuing the APIs around the middle of last year, which is why Wikto now bundles Spud for the same functionality.


Eponymous • March 5, 2008 7:03 PM

Wikto with Aura/Spud.

Any GHDB scanner without either an API key or a local proxy to simulate it will earn you some CAPTCHAS real fast...unless you scan extremely slowly, which is functionally useless.


Mantas • March 7, 2008 9:43 AM

Hm. My ISP's nameserver doesn't know goolag.org anymore, while all others do.

