4

I am new to information security and analysis.

Recently, I came across FSDB (Foundstone database) and GHDB (Google Hacking database) while exploring the McAfee Foundstone Sitedigger tool.

What are FSDB and GHDB? And importantly, how can I use the information from these databases to learn about vulnerabilities of websites?

TildalWave
  • 10,801
  • 11
  • 45
  • 84
fortytwo
  • 225
  • 3
  • 7
  • This post sounds pretty much like this one: http://security.stackexchange.com/q/34451/24382 – Dr.Ü Apr 18 '13 at 10:39
  • 3
    @Dr.Ü I disagree. This question is asking specifically for information about GHDB and what it actually is. – NULLZ Apr 18 '13 at 13:15

3 Answers

3

Google Hacking refers to the practice of using search engines, like Google and Bing, in order to discover vulnerable web pages and critical information. It's based on the idea that search engines index a lot of public pages and files, making their discovery a simple matter of building the correct query.

For example, it's trivial to look for a specific type of file (filetype:), on a specific domain (site:), with a specific name (inurl:), containing a certain string (intext:).

The Google Hacking Database (GHDB) was started by Johnny Long, who also published books on the matter, but is now maintained and updated at Exploit Database. I suggest taking a look at some real examples to better understand GH.

As an ending note, the origin of the term google dork, as stated by Johnny himself:

We call them 'googledorks': Inept or foolish people as revealed by Google.

Gurzo
  • 1,117
  • 6
  • 18
2

Surprisingly, nobody answered how to use google dorks. It's easy - paste them into the Google search box and look at the results.

For example, https://encrypted.google.com/search?q=filetype:config%20inurl:web.config%20inurl:ftp

I bet some of them no longer work, because the original GHDB is old and Google has changed quite a few details of handling searches.

Vitaly Osipov
  • 863
  • 6
  • 14
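Gurzo's answer lists the search operators (filetype:, site:, inurl:, intext:) and Vitaly's shows a query pasted into a search URL. The Python below is an added example, not code from either answer or from Foundstone's SiteDigger: it parses that operator syntax, rescopes a GHDB-style entry with site: to a domain you operate, and builds the same encrypted.google.com URL form used above, so an operator can review what a search engine has indexed about their own site. The token regex, the function names and the second sample query are assumptions; only the first sample query is taken from the answer.

```python
"""Parse Google "dork" queries and rescope them to a domain you own.

Added example: the operator names come from the answers above, the
regex and helper names are this example's own, and the sample queries
are constructed (the first one is quoted from Vitaly's answer).
"""
import re
from urllib.parse import quote

# Operators named in the answers above, plus two other common ones.
KNOWN_OPERATORS = {"filetype", "site", "inurl", "intext", "intitle", "ext"}

# One token: optional "-" negation, optional operator prefix, then either
# a double-quoted phrase (may contain spaces) or a run of non-space chars.
_TOKEN = re.compile(r'(-?)(?:([A-Za-z]+):)?("([^"]*)"|\S+)')


def parse_dork(query):
    """Split a dork into (negated, operator, value) triples.

    Free text gets operator None.  A prefix that is not a known operator
    (e.g. the "http" in http://...) is kept as ordinary text.
    """
    terms = []
    for neg, op, raw, quoted in _TOKEN.findall(query):
        is_phrase = len(raw) > 1 and raw.startswith('"') and raw.endswith('"')
        value = quoted if is_phrase else raw
        if op and op.lower() in KNOWN_OPERATORS:
            terms.append((neg == "-", op.lower(), value))
        else:
            text = f"{op}:{value}" if op else value
            terms.append((neg == "-", None, text))
    return terms


def render(terms):
    """Turn parsed terms back into query text, quoting multi-word values."""
    parts = []
    for neg, op, value in terms:
        shown = f'"{value}"' if " " in value else value
        parts.append(("-" if neg else "") + (f"{op}:{shown}" if op else shown))
    return " ".join(parts)


def scope_to_domain(query, domain):
    """Drop any existing site: terms and restrict the query to `domain`,
    so a GHDB entry is only evaluated against a site you are responsible for."""
    terms = [t for t in parse_dork(query) if t[1] != "site"]
    terms.insert(0, (False, "site", domain))
    return render(terms)


def search_url(query):
    """Build the search URL in the form shown in the answer above
    (spaces become %20, colons are left as-is)."""
    return "https://encrypted.google.com/search?q=" + quote(query, safe=":")


def audit_plan(dorks, domain):
    """For each entry, return (original, domain-scoped query, review URL)."""
    plan = []
    for dork in dorks:
        scoped = scope_to_domain(dork, domain)
        plan.append((dork, scoped, search_url(scoped)))
    return plan


# Constructed samples in GHDB style; the first is quoted from the answer above.
SAMPLE_DORKS = [
    "filetype:config inurl:web.config inurl:ftp",
    'intitle:"staging server" site:old.example.com -inurl:archive',
]

if __name__ == "__main__":
    for original, scoped, url in audit_plan(SAMPLE_DORKS, "example.com"):
        print(f"{original}\n  -> {scoped}\n  -> {url}")
```

Any scoped query that returns hits against your own domain is a finding to act on at the source: take the file or page out of the web root or put it behind authentication, then use the search engine's removal tooling so the cached copy disappears as well. Exposure is judged by what is indexed, not by what the web server currently serves.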
1

The Google Hacking Database (GHDB) is a compiled list of common mistakes web/server admins make, which can be easily searched by using Google. As a result, you can find things like administrator consoles, password files, credit card numbers, unprotected webcams, etc.

These sites: Exploit DB and hackersforcharity have more info on the actual queries, how they're structured, and what kind of information you can find. The SiteDigger tool gives an indication as to the type of information you can find, but is not as specific as the above mentioned sites.

The FSDB is a list of queries that Foundstone (the company that made this software) has included in addition to the public/commonly known GHDB ones.

TildalWave
  • 10,801
  • 11
  • 45
  • 84
NULLZ
  • 11,426
  • 17
  • 77
  • 111