Google Hacking for Penetration Testers

List Price: $44.95
Your Price: $31.47

Rating: 5 stars
Summary: Application reconnaissance taken to the next level
Review: 'Google Hacking for Penetration Testers' (GHFPT) should be a wake-up call for organizations that consider 'information leakage' a theoretical problem. 'Information leakage' refers to the unintentional disclosure of sensitive information to public forums, like the Web. Security staff can use the tools and techniques outlined in Johnny Long's GHFPT to assess the degree of information leakage affecting their organizations. They can then propose, implement, and test remedies. When Google says they are clean, they can be reasonably assured they are.

'Google hacking' is popular because the results are so unambiguous. If you can locate a sensitive configuration file, mail box, registry key, etc., using Google, so can an intruder. GHFPT thoroughly documents multiple ways to find an incredible range of sensitive information using Web searches. Johnny Long takes care not to document how to find Social Security numbers or credit cards, although details on doing so have been posted on the Web.

While companies have performed corporate espionage or collected 'business intelligence' against each other, I wonder how many direct their gaze inwards. Armed with GHFPT, a security administrator should know how to search and secure his organization's Web site. The book explains tools like Sensepost's Wikto, which automate Google-based reconnaissance and use the Google query API. Those who wish to write their own Google query tools will like James Foster's excellent chapter 12. There he demonstrates four implementations, in Perl, Python, C#, and C.

GHFPT concludes with two appendices. The first, by Pete Herzog, outlines professional penetration testing with respect to the Open Source Security Testing Methodology Manual. The second, by Matt Fisher, is a brief discussion of Web application security. Readers who want to know more about the latter subject will enjoy 'Hacking Exposed: Web Applications' by Scambray and Shema; 'Hack Proofing Your E-Commerce Site,' by Russel, et al; and 'Hack Proofing Your Web Applications,' by Forristal. While those books are several years old, they are thorough and still relevant.

When you hire your next penetration testing team, be sure to ask if they offer Google assessment services. I see this as the next step in application reconnaissance. I also highly recommend all security staff read GHFPT. You are responsible now if an intruder compromises your Web server via an application attack. You will soon find yourself responsible if an intruder queries Google and discovers an exposed password file that yields the same level of access. Reading and experimenting with GHFPT is the best insurance policy you could buy in 2005.

Rating: 5 stars
Summary: A True Eye Opener
Review: I have been using this book for three weeks. Every time Google Hacking gets further than three feet from my keyboard, I get up, find it, put it back by my side. I first used the "recipes" in the book to locate intellectual property violations of SANS material. Next, I went on a digital painting campaign and created over 150 images and used the book to help me find the raw source material. Most recently, I have used the optimized searches the book shows one how to do to help with a research project.

Buy the book, try the searches, learn what is possible. It wouldn't hurt to use the book for its intended purpose as well, to see what information about you, about your organization is exposed on the Internet.

Rating: 4 stars
Summary: Beyond Google Hacks
Review: I was impressed with this book. It should be considered a "must" read for security professionals, network and sysadmins, and anybody who has a personal or business web page. Anybody who uses Google could benefit from reading it. I thought I was a pretty good Googler before I read this book, but I was learning new things by the second chapter. You'll definitely see Google in a whole new light after finishing it. This book will get you thinking "outside the globe".

Crackers know this stuff. Shouldn't you?

Although I know the author doesn't condone it, if you are a multi-media type, you can uninstall those spyware infested p2p apps and buy a bigger hard drive. You'll need it.

I read a ton of network security books each year. This one made the top three, IMO.

Have Fun

Rating: 5 stars
Summary: A must have for any IT or security professional
Review: If you are responsible for IT resources you must have this book. If you are a security professional you must have this book.

This book will illustrate how Google can be used by the bad guys to profile and enumerate your network infrastructure. Johnny Long does an excellent job explaining how Google works with advanced operators and how fiddling with syntax can yield interesting results.

He shows how a hacker can learn a ton of information about your network and company without ever sending a packet at your network.

You will learn how to find out information about misconfigured servers, "interesting" files left lying around servers, locating exploits, mapping networks and quite a bit more. But you will also learn how to defend and protect yourself against the evil Google hacker.

You will learn how to Google hack yourself as part of your penetration testing.
This is an easy read. You don't have to know about the OSI model or ACL rulesets. It should be on the bookshelf of every IT professional, and should be referred to often.

Hats off to Johnny Long for writing such an incredibly valuable resource.

Rating: 5 stars
Summary: Could be the most important security book you read this year
Review: Want to be completely unnerved by the power and (mis-)use of Google? If you're at all concerned about system security, you really need to get a copy of Google Hacking For Penetration Testers by Johnny Long (Syngress). The world is more insecure than I thought...

Chapter List: Introduction; Google Searching Basics; Advanced Operators; Google Hacking Basics; Preassessment; Network Mapping; Locating Exploits and Finding Targets; Ten Simple Security Searches That Work; Tracking Down Web Servers, Login Portals, and Network Hardware; Usernames, Passwords, and Secret Stuff, Oh My!; Document Grinding and Database Digging; Protecting Yourself from Google Hackers; Automating Google Searches; Professional Security Testing; An Introduction to Web Application Security; Google Hacking Database; Index

Long walks a fine line in this book, and I think he does it pretty well. His goal is to show the reader how Google can be used to discover a vast array of information that most companies would not willingly divulge. He refrains from showing exact search criteria for finding things like social security number and credit card lists. Additionally, his screen prints of results appropriately blur exact URL information so that he's not giving up personal information. But he does give you enough information that you can understand how certain searches could be used to find files that you may not have realized were indexed.

If you have never used Google for anything more than simple searches from the main page, you'll get a lot of benefit from the first few chapters. He details the Google search keywords and how they can be mixed and matched to dramatically narrow your search focus. Even the simple act of learning how to filter for file types can be immensely valuable. The book kicks into high gear following those first chapters. Long works through various security assessment situations and shows how Google can map your environment far better than you imagined. Simple things like searching for "Powered By" messages or log files with certain strings can tell an attacker what software is running and at what version. This then allows a more refined attack based on known exploits. But instead of leaving the book at that point, he offers some strategies for limiting the amount of information Google can access, as well as ways to remove data that has already gotten out there.

Google Hacking could well be one of the most important security books you buy this year. Even if you're not in charge of security for a company or organization, you should explore some of the techniques to search for your own personal information. Just because *you* didn't expose it doesn't mean that someone else didn't. Highly recommended read...

Rating: 5 stars
Summary: how to [mis-] use Google
Review: We all use Google, for many different reasons. But Long points out that its sheer effectiveness has led to an insidious activity. By crackers and phishers ("black hats"), who are trying to break into systems and get confidential data. Like being able to find a person's real name and US Tax Id or credit card numbers.

Long shows how Google's many search options and comprehensive data can be used by a cracker. For example, searching for a text string written by a common web server, like Apache or IIS, that gives the server's name and version number. Typically, these are default strings that some sysadmins don't bother changing. So when the pages are made public, those strings appear, and Google lets the cracker find them. If she knows of a security bug in that server version, she can Google for who is running it and then drill down. Long goes into far more complicated attacks than that. But the example shows the gist of how Google can be (mis-)used.

Long writes a disquieting text for sysadmins and Web administrators. In the rush by so many organisations to make information available, even if ostensibly only to your employees and customers, Google can expose you to vulnerability. A compelling read.
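The default server banners the reviewer above describes (and the "Powered By" strings an earlier review mentions) are the kind of thing a site owner can check for before a search engine indexes them. The following is an added self-assessment example, not code from the book or from any reviewer; it runs over constructed sample responses and flags version or technology disclosure in headers and page bodies.

```python
import re
from typing import Dict, List

# Constructed sample responses (not from the book or the page): what a
# self-assessment of your own site might fetch. Version-bearing banners like
# these are the strings a search engine indexes and an attacker searches for.
SAMPLE_RESPONSES = {
    "https://example.test/": {
        "headers": {"Server": "Apache/2.2.3 (CentOS)", "X-Powered-By": "PHP/5.2.6"},
        "body": "<html><body><p>It works!</p><hr>Powered by Apache 2.2.3</body></html>",
    },
    "https://example.test/hardened/": {
        "headers": {"Server": "Apache"},
        "body": "<html><body><p>Welcome</p></body></html>",
    },
}

# A product name followed by a dotted version number, e.g. "Apache/2.2.3" or
# "PHP 5.2.6"; the same shape appears in headers and in page footers. It is a
# heuristic: strings like "HTML 4.01" will also match and need a human look.
VERSION_RE = re.compile(r"\b([A-Za-z][\w.-]*)[/ ]v?(\d+(?:\.\d+)+)")
POWERED_BY_RE = re.compile(r"powered\s+by\s+([^<\n]{1,60})", re.IGNORECASE)
BANNER_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-Generator")


def find_banner_leaks(headers: Dict[str, str], body: str) -> List[str]:
    """Return human-readable findings for version/technology disclosure."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    for name in BANNER_HEADERS:
        value = lowered.get(name.lower())
        if value and VERSION_RE.search(value):
            findings.append(f"header {name} discloses version: {value}")
    for m in POWERED_BY_RE.finditer(body):
        findings.append(f"body 'Powered by' banner: {m.group(1).strip()}")
    for m in VERSION_RE.finditer(body):
        findings.append(f"body discloses version: {m.group(0)}")
    return findings


def audit(responses: Dict[str, dict]) -> Dict[str, List[str]]:
    """Map each sampled URL to its list of findings (empty list means clean)."""
    return {url: find_banner_leaks(r["headers"], r["body"]) for url, r in responses.items()}


if __name__ == "__main__":
    for url, hits in audit(SAMPLE_RESPONSES).items():
        print(url, "clean" if not hits else f"{len(hits)} finding(s)")
        for hit in hits:
            print("  -", hit)
```

Header-level leaks are removed by server configuration (for Apache, `ServerTokens Prod` and `ServerSignature Off`; for PHP, `expose_php = Off`), while a "Powered by" footer has to be edited out of the page template itself.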



© 2004, ReviewFocus or its affiliates