Dorking for vulnerabilities
Vulndork is an OSINT tool based on Google Dorks. Google dorks are specific filters applied to Google search strings. Exploit-db maintains a public database of dorks, called the Google Hacking Database (GHDB), and vulndork uses this database, running continuous Google searches to check for vulnerable pages. A possible dork which indicates a vulnerable web-site looks like:
inurl /admin/login.php intitle panel admin
This dork looks for a login.php page inside an admin directory, with "panel admin" in the title of the page. Such a page could be a possible attack vector, so it is reported as a vulnerability.
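As an added example (not vulndork's own code), the following script parses a dork into its operators and checks locally whether pages of your own site would satisfy it, so an administrator can find exposed pages before a search engine indexes them. It assumes the README's dork was typed with the usual operator:value syntax, and the page inventory is a constructed sample.

```python
# Added example, not vulndork's code: parse a Google dork into its operators and
# check locally whether a page of your own site would satisfy it. The dork is the
# README's example written with the usual operator:value syntax (assumed form).
import re
import shlex
from urllib.parse import urlparse

DORK = 'inurl:/admin/login.php intitle:"panel admin"'
SAMPLE_PAGES = [  # constructed (url, title) inventory; not real sites
    ("https://example.com/admin/login.php", "Panel Admin - Sign in"),
    ("https://example.com/user/login.php", "Panel Admin"),
    ("https://example.com/admin/login.php?lang=en", "Welcome"),
]
TOKEN = re.compile(r"(-?)(?:(inurl|intitle|intext|site|filetype|ext):)?(.+)", re.S)

def parse_dork(dork: str) -> dict:
    """Map operator -> [(negated, value)]; bare keywords go under "text".
    shlex keeps quoted values whole: intitle:"panel admin" -> "panel admin"."""
    parsed: dict = {}
    for raw in shlex.split(dork):
        m = TOKEN.fullmatch(raw)
        if m:
            neg, op, value = bool(m.group(1)), m.group(2) or "text", m.group(3)
            parsed.setdefault(op, []).append((neg, value.lower()))
    return parsed

def page_matches(parsed: dict, url: str, title: str, body: str = "") -> bool:
    """True when every clause of the parsed dork holds for this page."""
    u = urlparse(url)
    last = u.path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[-1].lower() if "." in last else ""
    fields = {"inurl": url.lower(), "intitle": title.lower(), "intext": body.lower(),
              "text": f"{url} {title} {body}".lower(), "site": u.netloc.lower()}
    for op, clauses in parsed.items():
        for negated, value in clauses:
            if op == "site":  # host itself or any subdomain of it
                hit = fields["site"] == value or fields["site"].endswith("." + value)
            elif op in ("filetype", "ext"):
                hit = ext == value
            else:
                hit = value in fields[op]
            if hit == negated:  # clause failed, or a negated clause matched
                return False
    return True

def exposed_pages(dork: str, pages) -> list:
    """URLs from the inventory that the dork would surface."""
    parsed = parse_dork(dork)
    return [url for url, title in pages if page_matches(parsed, url, title)]
```

Run against a crawl of your own site (URL plus title per page), the list returned by exposed_pages is what a dork-based scan would find.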
For installation you will just need python3. Vulndork is written in Python 2.7.18.
git clone https://github.com/cataiovita/vulndork/
cd vulndork
pip install -r requirements.txt
Google starts blocking requests after a limit of between 6 and 10 requests (with a low time delay between them). So we need to increase the time delay and also add a random jitter to every request. In addition, vulndork uses a User-Agent rotator, a Google language randomizer and an IP address rotator.
- Because of the low API rate limit, we need to rotate the IP address for every request. For this, vulndork uses the tor package:
sudo apt-get install tor
We need to open the /etc/tor/torrc file and uncomment the ControlPort 9051 line.
- Tor uses a hashed password, so generate one with the command below. The hashed password will need to be inserted into the tor config file.
tor --hash-password "passwordhere"
- Open the /etc/tor/torrc file with your favorite text editor and comment out the CookieAuthentication line so that it reads:
#CookieAuthentication 0
- Find the #HashedControlPassword 16:2283409283049820409238409284028340238409238 line, uncomment it, replace the hash with the one you generated above with tor --hash-password, and save the changes:
HashedControlPassword 16:113BD60B17CD1E98609013B4426860D576F7096C189184808AFF551F65
- Restart the TOR service; a TOR network connection should now be available.
sudo /etc/init.d/tor restart
- First, we need to extract all dorks from the exploit-db GHDB. To do so, run the scraper.py script with the following command:
python3 scraper.py
The whole GHDB will be saved into a directory called dorks, split into separate files by dork category.
- There are 14 dork categories, stored in a dictionary and saved to separate files. Vulndork can be run without arguments, in which case the dork file is, by default, ghdb.dorks. Vulndork also randomizes the Google language, cloning a gist which contains the list of Google language codes. To use vulndork in its minimal form, specify the target site with the -d argument:
python3 vulndork.py -d web-site.com
- Vulndork also accepts an extra delay, useful if Google is blocking you. For example, you can add an extra delay of 10 seconds between requests with -r 10 (here combined with -f to select a specific dork file):
python3 vulndork.py -d web-site.com -f dorks/footholds.dork -r 10
- For every Google search, vulndork rotates the Google language code, using a list contained in a gist. This helps with the API rate limit and reduces the chance of getting a 429 response. This gist is cloned inside the script: google language codes
- After completing the steps above, you can use TOR with the -p parameter, which takes the TOR control password:
python3 vulndork.py -d web-site.com -p passwordhere
A significant improvement to this tool would be to remove the high delay between requests. You could do that by using AWS Lambda functions.