Comments on: The Goolag Scanner and Google Hacking

By: Martina

Martina — Mon, 04 Aug 2008 07:30:34 +0000

Goolag Scanner It essentially automates a technique called Google Hacking,

By: Avery Sawaba

Avery Sawaba — Thu, 27 Mar 2008 02:20:44 +0000

FYI - This is not a new technique. Foundstone’s free SiteDigger tool has been using the GHDB to do this for years: http://www.foundstone.com/us/resources/proddesc/sitedigger.htm

Back in the day, when SiteDigger was more popular, it was much easier to do an automated scan. You just had to go through a few steps to get a Google API key that would allow you to do a limited number of automated scans (a few thousand, I think it was) per day. Now, Goolag and SiteDigger are less useful tools, as Google has tightened contols around automated scanning using their search engine. There are no API keys anymore, either.

By: cbhacking

cbhacking — Tue, 11 Mar 2008 12:22:41 +0000

This is, indeed, a dual-use tool. However, like most such tools, it serves a vital purpose: it protects against itself. To put it another way, if the Goolag Scanner is outlawed, only outlaws will have Goolag Scanners.

This doesn’t mean that using the GS to find secret information or vulnerable software with intent to use maliciously is legal. Retrieving private info or attacking a system would certainly still be illegal. In other words, the GS is a tool. The legality of its use should depend on how it is used. More specifically, as a tool to fortify your own systems, its use should be permitted.

Of course, one disadvantage of the tool is that it requires having your site already indexed. In other words, there’s probably no way to test a system using the GS before exposing it to the Internet (and the scanners of all possible adversaries). Nonetheless, to deny sysadmins the use of such a tool would be to pointlessly give the attackers a usable tool - such programs are essentially impossible to keep out of circulation entirely.