Goolag Scanner Specifications
Software Specifications
This is a general specification for the Goolag Scanner Beta release. Its purpose is to describe what
Goolag Scanner does and how that is achieved.
http://www.goolag.org/specifications.txt
-----
Software Requirements Specification for
Goolag Scanner
By CULT OF THE DEAD COW/cDc communications
------------------------------------------------------------------------------
Version of the software: Bay-tah
Version of this document: 1.0
Last changes of this document:
20080127 : krass katt - initial dump
------------------------------------------------------------------------------
1. INTRODUCTION
1.1 This Document
This is a general specification for the Goolag Scanner Beta release. Its
purpose is to describe what Goolag Scanner does and how that is achieved.
This document should not serve as a user-manual, technical
documentation, or development roadmap.
The layout of this document is based loosely on the IEEE-standard 830,
sections 1 and 2.
1.2 Software
To understand Goolag Scanner, it is important to understand how "dorks"
work (see 1.4) and with that, to establish the use of dorks as an
acceptable tool for information security experts, penetration testers,
and practical paranoids.
1.3 Resources And References
Google Hacking Database
http://johnny.ihackstuff.com/ghdb.php
We'd just like to take a moment to kiss Johnny's ass and acknowledge
the outstanding work that he has done in this field.
Microsoft .NET Framework Version 2.0
http://www.microsoft.com/
The download will depend on the OS-Version, hardware architecture and
language you choose.
Microsoft Visual C# 2005 Express Edition
http://www.microsoft.com/express/2005/download/default.aspx
1.4 Terms And Abbreviations
* Dork = A detailed search pattern - heretofore used with Google's
search engine - that uses Google to show untapped results for web
sites previously indexed by Google.
The intention of a dork is to find results that might show
information relevant to security issues and/or confidential data.
From our point of view, dorks are not limited to Google. Frankly,
they are malicious patterns that apply to most search engines.
* gS = Goolag Scanner
* cDc = CULT OF THE DEAD COW/cDc communications
------------------------------------------------------------------------------
2. DESCRIPTION
2.1 Perspective
Dorks have been around for several years and have been researched most
assiduously by Johnny I Hack Stuff, cited above.
If one searches the Web, one will find multiple collections of dorks,
and also some applications - standalone and Web-based - offering
certain "scanning" possibilities.
Nevertheless, gS is different from other applications released to
date for the following reasons:
* There is no need for a special tool to use dorks other than a
browser, but scanning hundreds of dorks 'by hand' is impossible.
* Goolag Scanner is focused on usability. It simplifies the use of
myriad numbers of dorks to a few mouse clicks. No cryptic command
line options and no knowledge of Google hacking are required to test
one's host.
* Goolag Scanner comes with its own dorks-database, but it is not limited
to such.
* gS uses a very simple xml-document, which is readable and part of
the distribution.
2.2 Functions And Features
Goolag Scanner is a standalone Windows GUI-based application.
* Configuration. gS uses one xml-based configuration file for its
settings (see Settings).
* Data housekeeping. All dorks shipped with the gS distribution
are kept inside one file, which resides in
{$Goolag Scanner-Installation Directory}/DorkData/gdorks.xml
The name gdorks.xml is predefined from the configuration (see
above).
* User-Interface.
The main menu offers the following functions:
File -> New Scan
- Clears all results and unmarks all previously marked dorks.
File -> Open
- Opens an additional or user-supplied dork-file, expected in
the same format as gdorks.xml.
File -> Save as
- Saves the results from a previous scan to a text-file.
File -> Save
- Saves the results like "Save as," but overwrites previously
saved data.
File -> Exit
- Quits Goolag Scanner
Edit -> Cut
- Cuts the selected lines from the Result-View to the
clipboard.
Edit -> Copy
- Copies the selected lines from the Result-View to the
clipboard.
Edit -> Clear Results
- Clears the Result-View, deletes all results.
Edit -> Find in Dorks
- Opens a "Search" dialog to find a specific dork in the
Dork-Tree on the basis of a string. Searches can be made on
dork-title, comment or query, or a combination of these.
Edit -> Select All
- Selects all results from the Result-View.
Scan -> Scan Marked
- Scans all dorks that are marked, indicated by a green ball.
If no dork is marked, but one is selected, the selected dork
is used for scanning.
Scan -> Stop Scan
- Stops a running scan.
Scan -> Edit and Scan
- Opens a new dialog where the currently selected dork can be
manipulated. This feature can be used to debug dorks or to
easily create new dorks.
Tools -> Options
- Shows a dialog box with all settings available to the user
(see Settings).
Help -> About
- Shows a dialog box with a short description and information
on gS. This dialog box also gives the user the possibility
to browse the GNU-Affero-license and the Google Terms of
service.
The main window of gS is divided into 5 main sections:
- Toolstrip with "Host" field, "Scan" and "Stop" buttons
The "Host" field is one of the most important elements of
gS. It is in this field that the user enters the site to be
searched. So "www.microsoft.com," "bka.de" and "gov.cn" are
valid entries, for example. One should keep in mind that
this is pattern-matching, not host- or IP-resolution.
The "Scan" and "Stop" buttons work exactly the same as the
corresponding menu-items.
- Dork-Tree
The Dork-Tree functions as a representation of gS's internal
database. All dorks are shown in a tree, sorted by their
category and ordered alphabetically. Double-clicking on a
single dork initiates a scan of that dork. Clicking on the
grey ball will mark the dork for a mass scan (the ball
becomes green). Clicking again will unmark the dork. This
can also be done to mark complete categories. The
context menu (right click on a dork or category) offers
identical functionality, with the addition of "Properties"
and "Open in browser."
"Properties" shows a tool window (which means it can be left
open) with detailed information on the dork.
"Open in browser" - obviously - will open your selected
browser with the query to this dork. This could also be
achieved by dragging a single dork into a browser-window.
- Dork-Information
This shows the detailed, formatted, easily understandable
information about the currently selected dork. While
scanning, the information about the scanned dork is shown.
- Result-View
The Result-View shows dorks while they are scanned and the
results of a dork after the scan.
* While scanning, the status is "Scan" indicated by an
orange ball.
* If the dork has positive results, these will be shown as
"Success," indicated by a green ball. The URL grabbed
from Google is displayed in the "URL"-column. Double-
clicking on this will open your browser with this target.
* "Cancel," with blue balls, is shown if a mass-scan is
canceled.
* "Block", with black balls, is shown if this dork (or your
complete scan) was blocked by Google. If this happens,
Google's unlock-page is displayed in the URL-column.
Double-clicking on this will open it, letting you manually
unlock your access to Google.
- Console
The Console gives you a view of what Goolag Scanner is doing
internally. In fact, this console is a TraceListener that
supports different levels of tracing. Currently, this
cannot be controlled by the user. (This may be subject to
change, and could be added to the Settings.)
- Settings
There are a lot of settings, grouped into two main
categories: Scanner and Miscellaneous.
* Scanner:
"Warn if scanning more dorks than" : numeric : default 10
"Time-out" : numeric : default 20000 msec
"Show summary" : Boolean : default true
"Sleep between requests" : numeric : default 400 msec
"Request pages at once" : numeric : default 1
"Allow scanning without host entered" : Boolean : default
false
"Show progress dialog on mass scan" : Boolean : default
true
"Randomize scan order" : Boolean : default false
"Parallel scan threads" : numeric : default 8
"Blocking detection" : selectable string : default "Select
once, stop all ongoing scans"
"Mimic Browser User Agent" : string : default "Mozilla/5.0
(Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11)
Gecko/20071127 Firefox/2.0.0.11"
"Proxy address" : string : default [empty]
"Use system default proxy" : Boolean : default false
* Miscellaneous
"Dork File" : string : default "gdorks.xml"
"Preferred Browser" : string : default "firefox.exe"
"Use system default browser" : boolean : default true
"Show splash on startup" : boolean : default true
2.3 Use-cases
The most interesting use-case is running a mass-scan. A typical
scenario follows:
User types in a target host, e.g. "happy.com."
User selects the dorks he wants from the Dork-Tree, by clicking on
the indicator balls of the dorks or whole categories.
User hits the Scan-button (or selects "Scan Marked" from the scan
menu or hits F9 - all the same).
gS checks if the user has entered a host. If not, it checks if a host
is required (Settings: "Allow scanning without host entered").
In this example, everything is okay to start scanning. gS looks for
the "Parallel scan threads" setting and starts this number of threads
in parallel, each one fed with one dork from the selection.
Each thread now does the following:
A well-formed URI-address is built out of the Scan-Provider - which
is currently google.com - the query of the dork and the host the user
entered. With this address and query, an http connection is made and
the results are parsed and analyzed. The result is shown in the
Result-View.
The finished thread is removed and the next dork in the list is
started.
Assuming gS has finished scanning all selected dorks, the user has
various possibilities of what to do with the results (sort them,
rescan single result, query Google for more results, save them, clear
them or only clear the unsuccessful results). Double-clicking on a
successful result will open the target in the selected browser,
while double-clicking on a failed dork will display the detailed
error message.
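The mass-scan flow described above, reduced to its scheduling logic as an added example (Python rather than the C# of Goolag Scanner itself; this is not the project's code). The network step is an injected `fetch` callable so the example runs offline, and the composition of host and dork query with a `site:` restriction is an assumption, since this document does not show the exact URI format gS builds.

```python
import random
import time
from concurrent.futures import ThreadPoolExecutor
from urllib.parse import quote_plus

# Defaults as listed under "Scanner" in section 2.2 of the spec.
SETTINGS = {
    "parallel_threads": 8,
    "sleep_between_requests": 0.4,   # 400 msec
    "randomize_scan_order": False,
    "stop_all_on_block": True,       # "Blocking detection" default
}

def build_scan_uri(provider, dork_query, host):
    """Compose the request URI from scan provider, dork query and host.
    Using 'site:<host>' is an assumption about how gS combines them."""
    q = f"{dork_query} site:{host}" if host else dork_query
    return f"http://{provider}/search?q={quote_plus(q)}"

def mass_scan(dorks, host, fetch, settings=SETTINGS, provider="google.com"):
    """Scan (title, query) pairs with a thread pool of the configured size.
    fetch(uri) is injected and must return 'success', 'failed' or 'block'.
    Returns {title: status} using the Result-View states from the spec;
    'Failed' stands for a dork that produced no results."""
    order = list(dorks)
    if settings["randomize_scan_order"]:
        random.shuffle(order)
    state = {"blocked": False}   # shared flag: one block stops all threads

    def worker(dork):
        title, query = dork
        if state["blocked"]:
            return title, "Cancel"          # not started: blue ball
        outcome = fetch(build_scan_uri(provider, query, host))
        if outcome == "block":
            if settings["stop_all_on_block"]:
                state["blocked"] = True
            return title, "Block"           # black ball
        time.sleep(settings["sleep_between_requests"])
        return title, "Success" if outcome == "success" else "Failed"

    with ThreadPoolExecutor(max_workers=settings["parallel_threads"]) as pool:
        return dict(pool.map(worker, order))
```

With the default of 8 threads the set of dorks marked "Cancel" after a block depends on timing; with one thread the order is deterministic.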
2.4 Constraints
To lamerZz: buy some mouthwash. Gargle. And suck our dick.
To real people: we expect that you might find some vulnerabilities on
your websites. Although this is not a perfect tool, we'd appreciate
your feedback.
To developers: the biggest issue is probably the usage of the .NET
Framework and C#.
NOTE: If you use C#, you probably feel the need for C++, if you use
C++ you may need Python, in a Python-project you'll learn the need for
Java, using Java, you will love C# or Fortran. Or Assembler. Or
simply commit suicide. (Programming is a bitch.)
2.5 Presumptions and dependencies
Goolag Scanner, in this version, relies on the Microsoft .NET Framework
Version 2.0. No other libraries or frameworks are needed.
------------------------------------------------------------------------------
Copyright (c) 2008 CULT OF THE DEAD COW/cDc communications. All Rights
Reserved. Permission to use, copy, modify, and distribute this software and
its documentation for educational, research, and not-for-profit purposes,
without fee and under the terms of the GNU Affero General Public License, is
hereby granted, provided that the above copyright notice, this paragraph and
the following three paragraphs appear in all copies, modifications, and
distributions. It would also be nice, but not binding, if you sent us a
picture of your sister drunk and nekid.
IN NO EVENT SHALL CULT OF THE DEAD COW/cDc COMMUNICATIONS BE LIABLE TO ANY
PARTY FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES,
INCLUDING LOST PROFITS, ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS
DOCUMENTATION, EVEN IF CULT OF THE DEAD COW/cDc COMMUNICATIONS HAS BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
CULT OF THE DEAD COW/cDc COMMUNICATIONS SPECIFICALLY DISCLAIMS ANY WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE AND ACCOMPANYING DOCUMENTATION,
IF ANY PROVIDED HEREUNDER IS PROVIDED "AS IS". CULT OF THE DEAD COW/cDc
COMMUNICATIONS HAS NO OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES,
ENHANCEMENTS, OR MODIFICATIONS.
--
THE STANLEY KOWALSKI VERSION
The cDc developed this software. It's issued under the terms of the GPL. If
this software does something bad to your computer or network or provides
information that you have no legal right to see, then that's your problem. In
some countries this software might be illegal. Don't be stupid, and don't
come whining to us if you get into trouble. You've been warned.
-----