Duck Hacking – for fun and profit
Search Engine Reconnaissance (or "Google Hacking") is the art of using search engines to find weak configurations and sensitive information. After some research I'd say DuckDuckGo is really quite good for this purpose. Finally there's a cheatsheet to get you started testing if your website (or webcam) is affected.
Steve Tabernacle, December 2016
simple robots.txt search revealing potentially sensitive resources
DuckDuckGo
DuckDuckGo (DDG) respects the end user's privacy and even has a Tor Hidden Service making it a prime service for the privacy aware hacker. After making cristal clear that abusers are a tiny tiny percentage and the privacy provided is awesome, let's see if "Duck Hacking" even works. First off, you need to know that DuckDuckGo doesn't quite work like other search engines:
In fact, DuckDuckGo gets its results from over four hundred sources. These include hundreds of vertical sources delivering niche Instant Answers, DuckDuckBot (our crawler) and crowd-sourced sites (like Wikipedia, stored in our answer indexes). We also of course have more traditional links in the search results, which we source from Bing, Yahoo, and Yandex.Source: https://duck.co/help/results/sources
This is indeed interesting. Assume website X have notified Google and Bing that resource Y should be removed because of its sensitive nature. DDG could possibly list it anyways because Yandex still indexes it.
Dorks
No need to reinvent the wheel. However most need a bit of modification as seen below.
Search operators
Note that the syntax is strict e.g.:
((disallow)AND(inurl:robots.txt)AND(filetype:txt)) works fine yet disallow inurl:robots.txt AND filetype:txt returns zero results.
| Operator | Purpose | Example | Notes |
|---|---|---|---|
| inurl | Search URL | inurl:tabernacle | Works just as google's inurl |
| title | Search page title | title:tabernacle | Works just as google's intitle |
| inbody | Search page body | inbody:tabernacle | Works just as google's inbody |
| - | Excluding matches | steve -tabernacle | Works as google's - |
| filetype | Match filetype | filetype:txt | Supports: htm(l), pdf, txt, doc(x), xls(x) and ppt(x). |
| site | Restrict to domain | site:stevetabernacle.github.io | Max 1 domain per search |
| region | Boost results from region | region:cc | Use region:none to turn off |
| OR | Search URL | ((profit)OR(academic credz)) | Tems inside parenthesis is the same as quoted content |
| AND | Search URL | ((fun)AND(profit)) | |
| ) ( | Grouping search terms | ((term1)OR(term2)AND(term3)OR(term4)) | Precedence works as you'd expect |
| " | Exact match | "For fun and profit" |
Don't be a skiddie
Information provided on this blog are for educational purposes only. Do NOT misuse this information for any illegal purpose. Note that mere recon may be illegal in your country.
Please report any found vulnerability or leakage per responsible disclosure to the affected vendor or through their bug bounty program (if any).
UPDATE 2016-12-26
Did not expect this feedback, the folks at DuckDuckGo are really awesome!
@tabernacle__ awesome to have you on the Duck Side! An anonymous easter egg in your honor https://t.co/ZPX6cNYKAo
— DuckDuckGo (@duckduckgo) December 25, 2016