The Goolag Scanner and Google Hacking
Bruce Schneier posted on his blog earlier in the week about a new, free, open source application by the “Cult of the Dead Cow” (cDc) called Goolag Scanner. It essentially automates a technique called Google Hacking, which was pioneered by a hacker going by the handle “Johnny I Hack Stuff”. Google Hacking entails using the massive Google search engine to discover vulnerabilities on a given server or domain by using targeted searches. These searches are aimed at finding back doors, sensitive information accidentally made publicly available, vulnerabilities in server software, and more. The software, along with a friendly voice that guides you through the installation process, comes with 1,500 built-in searches to use out of the box.
The legality of such a tool naturally comes to question. This article discusses the topic in the context of the “Computer Misuse Act 1990” in the UK. According to the author, if it can be proven that an individual had the intent to gain unauthorized access to digital material and had knowledge that the material was confidential, the act can be punishable by law. Though this would not apply to a web surfer who finds confidential material completely by chance, the author claims that vulnerabilities and private information found via the Goolag Scanner would most likely not be considered accidental because the application is intentionally designed to find these things. Those laws, however, have yet to be tested fully in court.
I would find it very interesting to see how analogous laws here in U.S. draw these lines.
Along with tools like port scanners, the Goolag Scanner falls under the category of “dual-use” tools. These tools are capable of being used for legitimate purposes, such as finding and patching vulnerabilities, but these tools can be just as easily used to exploit those very same vulnerabilities.
Goolag Scanner can be downloaded here, but one word of warning if you intend on downloading and installing this software: cDc has been known to have malware in its free software, though this particular case was accidental and only affected their official CD-ROMs rather than the downloads from their website.
Comment by cbhacking
March 11, 2008 @ 4:22 am
This is, indeed, a dual-use tool. However, like most such tools, it serves a vital purpose: it protects against itself. To put it another way, if the Goolag Scanner is outlawed, only outlaws will have Goolag Scanners.
This doesn’t mean that using the GS to find secret information or vulnerable software with intent to use maliciously is legal. Retrieving private info or attacking a system would certainly still be illegal. In other words, the GS is a tool. The legality of its use should depend on how it is used. More specifically, as a tool to fortify your own systems, its use should be permitted.
Of course, one disadvantage of the tool is that it requires having your site already indexed. In other words, there’s probably no way to test a system using the GS before exposing it to the Internet (and the scanners of all possible adversaries). Nonetheless, to deny sysadmins the use of such a tool would be to pointlessly give the attackers a usable tool – such programs are essentially impossible to keep out of circulation entirely.
Comment by Avery Sawaba
March 26, 2008 @ 6:20 pm
FYI – This is not a new technique. Foundstone’s free SiteDigger tool has been using the GHDB to do this for years: http://www.foundstone.com/us/resources/proddesc/sitedigger.htm
Back in the day, when SiteDigger was more popular, it was much easier to do an automated scan. You just had to go through a few steps to get a Google API key that would allow you to do a limited number of automated scans (a few thousand, I think it was) per day. Now, Goolag and SiteDigger are less useful tools, as Google has tightened contols around automated scanning using their search engine. There are no API keys anymore, either.
Comment by Martina
August 3, 2008 @ 11:30 pm
Goolag Scanner It essentially automates a technique called Google Hacking,
Comment by goolag noob
January 17, 2009 @ 7:26 pm
i have the goolag software installed.I also have the google desktop installed.What do i do now?