Schneier on Security
A blog covering security and security technology.
« TrueCrypt 5.0 |
| Creating and Entrapping Terrorists »
March 4, 2008
Google Vulnerability Scanner
We've all known for years that you can use Google to scan for vulnerabilities. Well, now the process has been automated.
Presenting: Goolag Scanner from the Cult of the Dead Cow.
I've seen a lot of pre-release scanning results from these guys, and it's pretty amazing what they've found.
Posted on March 4, 2008 at 12:12 PM
• 28 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Downloaded the installer and scanned it before running. ZoneAlarm reports it's got a virus.
Yeah, seems a little suspicious that they want all the big websites to download the app and install it. Can anybody confirm that it's malware?
So it probably won't be long until KZ-hacker is being released? Who gives his software such a stupid name? Or is it there intention to turn the internet into a gulag (pronounced goolag)?
I don't understand what's supposed to be showing up in the search on that page.. I searched for config, apache and some others but nothing interesting ever came up.
Surely you don't have to download their "windows only" app to get proper results.
I know I don't plan on infecting my box with whatever trojan it might contain.
Seems a little "'phishy" to me, too. No thanks!
They need the option of entering a google license key like SiteDigger and Wikto does (although this new tool looks nicer and is more recently maintained) so you can submit mass queries without being blocked. Having to stop after every 5-10 queries is annoying when going through thousands.
Assuming it has not been released a month early and is not a trojan.
Do you no what's under the bonnet?
if it's out on GPL then one presumes it can be and has been checked.
FWIW, McAfee VirusScan, updated this morning, shows no virus.
It is open source, so as soon as someone cares enough to read the source code we'll find out.
cDc are crazy talented hackers, but they don't distribute viruses. Some AV products may call Goolag malware, but the product itself won't harm your PC - it is just a "hack tool".
I ran this tool, but the Google block techinque is very noising! I hope in the next release CDC will insert a randomization of the time interval to minimize Google confirmation web page requests.
yeah i found that too - and wondered if cdc are using it to capture capcha's ;-) but am too lazy to read code
But I am finding it really handy to throw in a domain then go down the list manually running one at a time which seem interesting and (possibly) relevant to the domain. It builds the syntax, sends the query and at that speed doesn't offend google
My Sana Security Primary Response didn't have any issues with the software.
Glad you bitches like my app.
Guillaume: click the "download" link on goolag.org to, well, download, genius.
A word of Caution:
One might end up blocking his/her IP on Google due to high number of automated search queries. It will result in something like this http://sorry.google.com/sorry
cDc should try and do something useful for society, like help legalize marijuana
"WHY CULT OF THE DEAD COW WILL PUBLISH CHINESE GOVERNMENT DATA We couldn't care less about these assholes. Any country that props up dictators and practices genocide doesn't catch a break from us."
It's been done before of course, only not publicly distributed.
I made one myself 2 years ago, It's very easy, just a matter of loading the Google dorks -the attack vectors- into a database, route through a proxy list or Tor and you're done.
It has been done before, and it has been publicly available and it had the same problems of getting blocked by google, which makes it fairly worthless for doing a good amount of scanning, unless you evade their detection. Is there any known way to evade detection logic? Obviously there are probably a lot of complex ways to solve the problem, ut from what I've read it's pretty intelligent.
I've used a few tools that did this and I was always blocked by google after 50 or 100 queries. Some supported using a google API key, but I ran into a wall there too (I can't remember why -- I think google stopped supporting them).
Anyway, there is a chapter on google automation in the book called "Google Hacking for Penetration Testers", by Johnny Long. Page 361 talks about automation tools:
Same answer in a Q/A session:
Google stopped issuing the APIs around the middle of last year, which is why Wikto now bundles Spud for the same functionality.
Wikto with Aura/Spud.
Any GHDB scanner without either an API key or a local proxy to simulate it will earn you some CAPTCHAS real fast...unless you scan extremely slowly, which is functionally useless.
Hm. My ISP's nameserver doesn't know goolag.org anymore, while all others do.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.