-- Software Requirements Specification for Goolag Scanner
   By CULT OF THE DEAD COW/cDc communications

------------------------------------------------------------------------------

Version of the software:        Bay-tah
Version of this document:       1.0
Last changes of this document:  20080127 : krass katt - initial dump

------------------------------------------------------------------------------

1. INTRODUCTION

1.1 This Document

This is a general specification for the Goolag Scanner Beta release. Its
purpose is to describe what Goolag Scanner does and how that is achieved.
This document should not serve as a user manual, technical documentation, or
development roadmap.

The layout of this document is based loosely on IEEE Standard 830, sections 1
and 2.

1.2 Software

To understand Goolag Scanner, it is important to understand how "dorks" work
(see 1.4) and, with that, to establish the use of dorks as an acceptable tool
for information security experts, penetration testers, and practical
paranoids.

1.3 Resources And References

Google Hacking Database
http://johnny.ihackstuff.com/ghdb.php
We'd just like to take a moment to kiss Johnny's ass and acknowledge the
outstanding work that he has done in this field.

Microsoft .NET Framework Version 2.0
http://www.microsoft.com/
The download will depend on the OS version, hardware architecture and
language you choose.

Microsoft Visual C# 2005 Express Edition
http://www.microsoft.com/express/2005/download/default.aspx

1.4 Terms And Abbreviations

* Dork = A detailed search pattern - heretofore used with Google's search
  engine - that uses Google to show untapped results for web sites previously
  indexed by Google. The intention of a dork is to find results that might
  show information relevant to security issues and/or confidential data. From
  our point of view, dorks are not limited to Google. Frankly, they are
  malicious patterns that apply to most search engines.
* gS = Goolag Scanner
* cDc = CULT OF THE DEAD COW/cDc communications

------------------------------------------------------------------------------

2. DESCRIPTION

2.1 Perspective

Dorks have been around for several years and have been researched most
assiduously by Johnny I Hack Stuff, cited above. If one searches the Web, one
will find multiple collections of dorks, and also some applications -
standalone and Web-based - offering certain "scanning" possibilities.
Nevertheless, gS is different from other applications released to date for
the following reasons:

* There is no need for a special tool to use dorks other than a browser, but
  scanning hundreds of dorks 'by hand' is impossible.
* Goolag Scanner is focused on usability. It simplifies the use of myriad
  dorks to a few mouse clicks. No cryptic command line options and no
  knowledge of Google hacking are required to test one's host.
* Goolag Scanner comes with its own dorks database, but it is not limited to
  it.
* gS uses a very simple XML document, which is readable and part of the
  distribution.

2.2 Functions And Features

Goolag Scanner is a standalone Windows GUI-based application.

* Configuration. gS uses one XML-based configuration file for its settings
  (see Settings).

* Data housekeeping. All dorks coming with the distribution of gS are kept
  inside one file, which resides in
  {$Goolag Scanner-Installation Directory}/DorkData/gdorks.xml
  The name gdorks.xml is predefined by the configuration (see above).

* User Interface. The main menu offers the following functions:

  File -> New Scan      - Clears all results, unmarks all previously marked
                          dorks.
  File -> Open          - Opens an additional or user-supplied dork file,
                          expected in the same format as gdorks.xml.
  File -> Save as       - Saves the results from a previous scan to a text
                          file.
  File -> Save          - Saves the results like "Save as," but overwrites
                          previously saved data.
  File -> Exit          - Quits Goolag Scanner.
  Edit -> Cut           - Cuts the selected lines from the Result-View to the
                          clipboard.
  Edit -> Copy          - Copies the selected lines from the Result-View to
                          the clipboard.
  Edit -> Clear Results - Clears the Result-View, deletes all results.
  Edit -> Find in Dorks - Opens a "Search" dialog to find a specific dork in
                          the Dork-Tree on the basis of a string. Searches can
                          be made on dork title, comment or query, or a
                          combination of these.
  Edit -> Select All    - Selects all results from the Result-View.
  Scan -> Scan Marked   - Scans all dorks that are marked, indicated by a
                          green ball. If no dork is marked but one is
                          selected, the selected dork is used for scanning.
  Scan -> Stop Scan     - Stops a running scan.
  Scan -> Edit and Scan - Opens a new dialog where the currently selected dork
                          can be manipulated. This feature can be used to
                          debug dorks or to easily create new dorks.
  Tools -> Options      - Shows a dialog box with all settings available to
                          the user (see Settings).
  Help -> About         - Shows a dialog box with a short description and
                          information on gS. This dialog box also gives the
                          user the possibility to browse the GNU Affero
                          license and the Google Terms of Service.

The main window of gS is divided into 5 main sections:

- Toolstrip with "Host" field, "Scan" and "Stop" buttons

  The "Host" field is one of the most important elements of gS. It is in this
  field that the user enters the site to be searched. So "www.microsoft.com,"
  "bka.de" and "gov.cn" are valid entries, for example. One should keep in
  mind that this is pattern matching, not host or IP resolution.

  The "Scan" and "Stop" buttons work exactly the same as the corresponding
  menu items.

- Dork-Tree

  The Dork-Tree functions as a representation of gS's internal database. All
  dorks are shown in a tree, sorted by their category and ordered
  alphabetically. Double-clicking on a single dork initiates a scan of that
  dork. Clicking on the grey ball will mark the dork for a mass scan (the
  ball becomes green).
  Clicking again will unmark the dork. The same can be done to mark complete
  categories. The context menu (right-click on a dork or category) offers
  identical functionality, with the addition of "Properties" and "Open in
  browser." "Properties" shows a tool window (which means it can be left
  open) with detailed information on the dork. "Open in browser" - obviously
  - will open your selected browser with the query of this dork. This could
  also be achieved by dragging a single dork into a browser window.

- Dork-Information

  This shows the detailed, formatted, easily understandable information
  about the currently selected dork. While scanning, the information about
  the dork being scanned is shown.

- Result-View

  The Result-View shows dorks while they are scanned and the results of a
  dork after the scan.

  * While scanning, the status is "Scan," indicated by an orange ball.
  * If the dork has positive results, these will be shown as "Success,"
    indicated by a green ball. The URL grabbed from Google is displayed in
    the "URL" column. Double-clicking on this will open your browser with
    this target.
  * "Cancel," with blue balls, is shown if a mass scan is canceled.
  * "Block," with black balls, is shown if this dork (or your complete scan)
    was blocked by Google. If this happens, Google's unlock page is displayed
    in the URL column. Double-clicking on this will open it, letting you
    manually unlock your access to Google.

- Console

  The Console gives you a view of what Goolag Scanner is doing internally. In
  fact, this console is a TraceListener that supports different levels of
  tracing. Currently, this cannot be controlled by the user. (This may be
  subject to change, and could be added to the Settings.)

- Settings

  There are a lot of settings, grouped into two main categories: Scanner and
  Miscellaneous.
  * Scanner

    "Warn if scanning more dorks than"     : numeric : default 10
    "Time-out"                             : numeric : default 20000 msec
    "Show summary"                         : Boolean : default true
    "Sleep between requests"               : numeric : default 400 msec
    "Request pages at once"                : numeric : default 1
    "Allow scanning without host entered"  : Boolean : default false
    "Show progress dialog on mass scan"    : Boolean : default true
    "Randomize scan order"                 : Boolean : default false
    "Parallel scan threads"                : numeric : default 8
    "Blocking detection"                   : selectable string
                                           : default "Select once, stop all
                                             ongoing scans"
    "Mimic Browser User Agent"             : string
                                           : default "Mozilla/5.0 (Windows; U;
                                             Windows NT 5.1; en-US; rv:1.8.1.11)
                                             Gecko/20071127 Firefox/2.0.0.11"
    "Proxy address"                        : string  : default [empty]
    "Use system default proxy"             : Boolean : default false

  * Miscellaneous

    "Dork File"                            : string  : default "gdorks.xml"
    "Preferred Browser"                    : string  : default "firefox.exe"
    "Use system default browser"           : Boolean : default true
    "Show splash on startup"               : Boolean : default true

2.3 Use-cases

The most interesting use-case is running a mass scan. A typical scenario
follows:

User types in a target host, e.g. "happy.com."

User selects the dorks he wants from the Dork-Tree, by clicking on the
indicator balls of the dorks or whole categories.

User hits the Scan button (or selects "Scan Marked" from the Scan menu or
hits F9 - all the same).

gS checks if the user has entered a host. If not, it checks if a host is
required (Settings: "Allow scanning without host entered"). In this example,
everything is okay to start scanning.

gS looks for the "Parallel scan threads" setting and starts this number of
threads in parallel, each one fed with one dork out of the selection.

Each thread now does the following: A well-formed URI address is built out of
the Scan-Provider - which is currently google.com - the query of the dork and
the host the user entered. With this address and query, an HTTP connection is
made and the results are parsed and analyzed.
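The scan flow of 2.3 (host check, URI construction, a pool of parallel threads, and the default "Select once, stop all ongoing scans" block handling), as an added Python model; it is not the Goolag Scanner source, which is C#. The provider path, the use of the site: operator for the host restriction, and the injected fetch function are assumptions so that it runs offline.

```python
"""Added example, not the Goolag Scanner source: a model of the mass-scan
flow in 2.3 with the host check, the URI construction and the default
"Select once, stop all ongoing scans" blocking behaviour."""
import threading
from concurrent.futures import ThreadPoolExecutor
from urllib.parse import urlencode

# Constructed settings, mirroring the defaults listed under "Scanner".
# The provider path and the use of the site: operator are assumptions.
DEFAULT_SETTINGS = {
    "allow_scan_without_host": False,
    "parallel_threads": 8,
    "provider": "http://www.google.com/search",
}


def build_uri(query, host, provider=DEFAULT_SETTINGS["provider"]):
    """Well-formed scan URI from provider, dork query and host restriction."""
    q = f"{query} site:{host}" if host else query
    return f"{provider}?{urlencode({'q': q})}"


def mass_scan(dorks, host, fetch, settings=DEFAULT_SETTINGS):
    """Scan every dork; returns {title: status}.

    `fetch(uri)` is injected and must return one of "success", "fail" or
    "block", so the model runs offline. Once any thread reports "block",
    dorks that have not started yet are marked "cancel" instead of being
    sent, which is the "stop all ongoing scans" setting."""
    if not host and not settings["allow_scan_without_host"]:
        raise ValueError("host required (see 'Allow scanning without host entered')")
    blocked = threading.Event()

    def worker(dork):
        if blocked.is_set():
            return dork["title"], "cancel"
        status = fetch(build_uri(dork["query"], host, settings["provider"]))
        if status == "block":
            blocked.set()
        return dork["title"], status

    # One pool of "Parallel scan threads" workers; each worker takes the next
    # dork from the list when its previous one has finished.
    with ThreadPoolExecutor(max_workers=settings["parallel_threads"]) as pool:
        return dict(pool.map(worker, dorks))
```

With a single worker thread the block is deterministic: the first dork succeeds, the second is blocked, and the third is never sent.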
The result is shown in the Result-View. The finished thread is removed and
the next dork in the list is started.

Assuming gS has finished scanning all selected dorks, the user has various
possibilities of what to do with the results (sort them, rescan a single
result, query Google for more results, save them, clear them or clear only
the unsuccessful results). Double-clicking on a successful result will open
the target in the selected browser, while double-clicking on a failed dork
will display the detailed error message.

2.4 Constraints

To lamerZz: buy some mouthwash. Gargle. And suck our dick.

To real people: we expect that you might find some vulnerabilities on your
websites. Although this is not a perfect tool, we'd appreciate your feedback.

To developers: the biggest issue is probably the usage of the .NET Framework
and C#.

NOTE: If you use C#, you probably feel the need for C++; if you use C++ you
may need Python; in a Python project you'll learn the need for Java; using
Java, you will love C# or Fortran. Or Assembler. Or simply commit suicide.
(Programming is a bitch.)

2.5 Presumptions and dependencies

Goolag Scanner, in this version, relies on the Microsoft .NET Framework
Version 2.0. No other libraries or frameworks are needed.

------------------------------------------------------------------------------

Copyright (c) 2008 CULT OF THE DEAD COW/cDc communications. All Rights
Reserved.

Permission to use, copy, modify, and distribute this software and its
documentation for educational, research, and not-for-profit purposes, without
fee and under the terms of the GNU Affero General Public License, is hereby
granted, provided that the above copyright notice, this paragraph and the
following three paragraphs appear in all copies, modifications, and
distributions. It would also be nice, but not binding, if you sent us a
picture of your sister drunk and nekid.
IN NO EVENT SHALL CULT OF THE DEAD COW/cDc COMMUNICATIONS BE LIABLE TO ANY
PARTY FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES,
INCLUDING LOST PROFITS, ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS
DOCUMENTATION, EVEN IF CULT OF THE DEAD COW/cDc COMMUNICATIONS HAS BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

CULT OF THE DEAD COW/cDc COMMUNICATIONS SPECIFICALLY DISCLAIMS ANY
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE AND
ACCOMPANYING DOCUMENTATION, IF ANY, PROVIDED HEREUNDER IS PROVIDED "AS IS".
CULT OF THE DEAD COW/cDc COMMUNICATIONS HAS NO OBLIGATION TO PROVIDE
MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.

-- THE STANLEY KOWALSKI VERSION

The cDc developed this software. It's issued under the terms of the GPL. If
this software does something bad to your computer or network or provides
information that you have no legal right to see, then that's your problem. In
some countries this software might be illegal. Don't be stupid, and don't
come whining to us if you get into trouble. You've been warned.

------------------------------------------------------------------------------