Customer Reviews for Google Hacking for Penetration Testers

Google Hacking for Penetration Testers by Johnny Long

Google Hacking for Penetration Testers Our Price: $44.95

Book Reviews of Google Hacking for Penetration Testers

Book Review: Required reading for network and security admins
Summary: 5 Stars

If you are at the book store trying to decide if the book is worth spending $44.95, just flip open to Chapter 7: Ten Simple Security Searches That Work. This chapter alone is probably worth the price of the book.

There are some aspects of security that are core fundamentals that remain true throughout time. Then, there are some aspects of security that are created by new technology. A few years ago, securing wireless networks was unheard of. Now it is at the forefront of many security administrators' concerns. Google is the latest hot technology to create its own security field.

There are other search engines, but Google is the one that has become synonymous with the act of Web searching itself. Google is an excellent tool. But, like many excellent tools, it is also somewhat of a double-edged sword. The same aspects that make it excel at what it does also make it gather sensitive and private information which may be used to compromise systems or gain unauthorized access.

This book is a must-read in my opinion. Network and security administrators should be required to read this book and follow the advice at the end to ensure that Google hackers don't compromise your network.

(...)

Book Review: Awesome!!!
Summary: 5 Stars

You don't know how powerful Google is until you read Google Hacking for Penetration Testers.

This is a great book!

Book Review: Best search engine feature summary on the market
Summary: 4 Stars

The book "Google Hacking for Penetration Testers" is no doubt a real eye opener and as far as I know the first book on the market thoroughly covering this important issue. I am confident that this will soon be referred to as "standard" literature for IT security.

It is also a nice additional feature that each chapter has its summary at the end.

The actual "contents" of the book are (currently) well worth the money; however, there are a few things which I didn't like about the book:

- Book layout should be easier to read / more accessible
- The physical pages look like photocopies or a copy of a novel that I picked up in a sale.
- Optional overview chart tables (take out) would have been a very helpful addition.
- The book reads like an interview or keynote speech, but should actually be more engineering-like.
- What's the point in printing pages of scripts? Shouldn't that be downloadable or on a CD? Or at least in the Appendix?


Summary:

For now probably the "best search engine feature summary on the market". The layout of the book should be newly structured to be in a more easily accessible format. I guess what I dislike most about the book is the casual writing style and the missing engineer style. The book is hardly usable as a reference but more as a one-time read.

If the contents weren't worth it, I would rate it with less. Unfortunately the layout absolutely disvalues the contents' value. Usually casual writing style is used to fill the pages, with content that's not thoroughly researched.

Book Review: Application reconnaissance taken to the next level
Summary: 5 Stars

'Google Hacking for Penetration Testers' (GHFPT) should be a wake-up call for organizations that consider 'information leakage' a theoretical problem. 'Information leakage' refers to the unintentional disclosure of sensitive information to public forums, like the Web. Security staff can use the tools and techniques outlined in Johnny Long's GHFPT to assess the degree of information leakage affecting their organizations. They can then propose, implement, and test remedies. When Google says they are clean, they can be reasonably assured they are.

'Google hacking' is popular because the results are so unambiguous. If you can locate a sensitive configuration file, mail box, registry key, etc., using Google, so can an intruder. GHFPT thoroughly documents multiple ways to find an incredible range of sensitive information using Web searches. Johnny Long takes care not to document how to find Social Security numbers or credit cards, although details on doing so have been posted on the Web.

While companies have performed corporate espionage or collected 'business intelligence' against each other, I wonder how many direct their gaze inwards. Armed with GHFPT, a security administrator should know how to search and secure his organization's Web site. The book explains tools like Sensepost's Wikto, which automate Google-based reconnaissance and use the Google query API. Those who wish to write their own Google query tools will like James Foster's excellent chapter 12. There he demonstrates four implementations, in Perl, Python, C#, and C.

GHFPT concludes with two appendices. The first, by Pete Herzog, outlines professional penetration testing with respect to the Open Source Security Testing Methodology Manual. The second, by Matt Fisher, is a brief discussion of Web application security. Readers who want to know more about the latter subject will enjoy 'Hacking Exposed: Web Applications' by Scambray and Shema; 'Hack Proofing Your E-Commerce Site,' by Russel, et al; and 'Hack Proofing Your Web Applications,' by Forristal. While those books are several years old, they are thorough and still relevant.

When you hire your next penetration testing team, be sure to ask if they offer Google assessment services. I see this as the next step in application reconnaissance. I also highly recommend all security staff read GHFPT. You are responsible now if an intruder compromises your Web server via an application attack. You will soon find yourself responsible if an intruder queries Google and discovers an exposed password file that yields the same level of access. Reading and experimenting with GHFPT is the best insurance policy you could buy in 2005.

Book Review: A True Eye Opener
Summary: 5 Stars

I have been using this book for three weeks. Every time Google Hacking gets further than three feet from my keyboard, I get up, find it, put it back by my side. I first used the "recipes" in the book to locate intellectual property violations of SANS material. Next, I went on a digital painting campaign and created over 150 images and used the book to help me find the raw source material. Most recently, I have used the optimized searches the book shows one how to do to help with a research project.

Buy the book, try the searches, learn what is possible. It wouldn't hurt to use the book for its intended purpose as well, to see what information about you, about your organization is exposed on the Internet.