Google Vulnerability Scanner

We've all known for years that you can use Google to scan for vulnerabilities. Well, now the process has been automated.

Presenting: Goolag Scanner from the Cult of the Dead Cow.

I've seen a lot of pre-release scanning results from these guys, and it's pretty amazing what they've found.

Posted on March 4, 2008 at 12:12 PM • 28 Comments


sehlatMarch 4, 2008 1:18 PM

Downloaded the installer and scanned it before running. ZoneAlarm reports it's got a virus.

coquimboMarch 4, 2008 1:22 PM

Yeah, seems a little suspicious that they want all the big websites to download the app and install it. Can anybody confirm that it's malware?

tomMarch 4, 2008 1:47 PM

So it probably won't be long until KZ-hacker is being released? Who gives his software such a stupid name? Or is it there intention to turn the internet into a gulag (pronounced goolag)?

Guillaume TheoretMarch 4, 2008 1:52 PM

I don't understand what's supposed to be showing up in the search on that page.. I searched for config, apache and some others but nothing interesting ever came up.

Surely you don't have to download their "windows only" app to get proper results.

I know I don't plan on infecting my box with whatever trojan it might contain.

JoshMarch 4, 2008 2:01 PM

They need the option of entering a google license key like SiteDigger and Wikto does (although this new tool looks nicer and is more recently maintained) so you can submit mass queries without being blocked. Having to stop after every 5-10 queries is annoying when going through thousands.

Clive RobinsonMarch 4, 2008 2:25 PM


Assuming it has not been released a month early and is not a trojan.

Do you no what's under the bonnet?

KarlMarch 4, 2008 3:24 PM


if it's out on GPL then one presumes it can be and has been checked.

AndyBMarch 4, 2008 4:43 PM

It is open source, so as soon as someone cares enough to read the source code we'll find out.

cDc are crazy talented hackers, but they don't distribute viruses. Some AV products may call Goolag malware, but the product itself won't harm your PC - it is just a "hack tool".

Roberto ScacciaMarch 4, 2008 5:25 PM

I ran this tool, but the Google block techinque is very noising! I hope in the next release CDC will insert a randomization of the time interval to minimize Google confirmation web page requests.

AnonymousMarch 4, 2008 6:31 PM

@Roberto Scaccia

yeah i found that too - and wondered if cdc are using it to capture capcha's ;-) but am too lazy to read code

But I am finding it really handy to throw in a domain then go down the list manually running one at a time which seem interesting and (possibly) relevant to the domain. It builds the syntax, sends the query and at that speed doesn't offend google

Mark in CAMarch 4, 2008 7:20 PM

My Sana Security Primary Response didn't have any issues with the software.

Krass KattMarch 4, 2008 9:11 PM

Glad you bitches like my app.

Guillaume: click the "download" link on to, well, download, genius.

big bud goodMarch 5, 2008 2:54 AM

cDc should try and do something useful for society, like help legalize marijuana

Ronald van den HeetkampMarch 5, 2008 6:34 AM

It's been done before of course, only not publicly distributed.

I made one myself 2 years ago, It's very easy, just a matter of loading the Google dorks -the attack vectors- into a database, route through a proxy list or Tor and you're done.

Alex LauermanMarch 5, 2008 12:00 PM

It has been done before, and it has been publicly available and it had the same problems of getting blocked by google, which makes it fairly worthless for doing a good amount of scanning, unless you evade their detection. Is there any known way to evade detection logic? Obviously there are probably a lot of complex ways to solve the problem, ut from what I've read it's pretty intelligent.

I've used a few tools that did this and I was always blocked by google after 50 or 100 queries. Some supported using a google API key, but I ran into a wall there too (I can't remember why -- I think google stopped supporting them).

Anyway, there is a chapter on google automation in the book called "Google Hacking for Penetration Testers", by Johnny Long. Page 361 talks about automation tools:

Same answer in a Q/A session:

chris lMarch 5, 2008 12:32 PM


Google stopped issuing the APIs around the middle of last year, which is why Wikto now bundles Spud for the same functionality.

EponymousMarch 5, 2008 7:03 PM

Wikto with Aura/Spud.

Any GHDB scanner without either an API key or a local proxy to simulate it will earn you some CAPTCHAS real fast...unless you scan extremely slowly, which is functionally useless.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Sidebar photo of Bruce Schneier by Joe MacInnis.