pagodo automates Google searching for potentially vulnerable web pages and applications on the Internet. It replaces manually performing Google dork searches with a web GUI browser.
There are 2 parts. The first is ghdb_scraper.py that retrieves the latest Google dorks and the second portion is
pagodo.py that leverages the information gathered by ghdb_scraper.py.
HakByte created a video tutorial on using pagodo. It starts around 8 minutes in and you can find it here https://www.youtube.com/watch?v=lESeJ3EViCo&t=481s
Offensive Security maintains the Google Hacking Database (GHDB) found here: https://www.exploit-db.com/google-hacking-database. It is a collection of Google searches, called dorks, that can be used to find potentially vulnerable boxes or other juicy info that is picked up by Google's search bots.
Scripts are written for Python 3.6+. Clone the git repository and install the requirements.
git clone https://github.com/opsdisk/pagodo.git
cd pagodo
virtualenv -p python3 .venv # If using a virtual environment.
source .venv/bin/activate # If using a virtual environment.
pip install -r requirements.txtTo start off, pagodo.py needs a list of all the current Google dorks. The repo contains a dorks/ directory with
the current dorks when the ghdb_scraper.py was last run. It's advised to run ghdb_scraper.py to get the freshest
data before running pagodo.py. The dorks/ directory contains:
- the
all_google_dorks.txtfile which contains all the Google dorks - Individual dork category dorks
Dork categories:
categories = {
1: "Footholds",
2: "File Containing Usernames",
3: "Sensitives Directories",
4: "Web Server Detection",
5: "Vulnerable Files",
6: "Vulnerable Servers",
7: "Error Messages",
8: "File Containing Juicy Info",
9: "File Containing Passwords",
10: "Sensitive Online Shopping Info",
11: "Network or Vulnerability Data",
12: "Pages Containing Login Portals",
13: "Various Online devices",
14: "Advisories and Vulnerabilities",
}
Fortunately, the entire database can be pulled back with 1 HTTP GET request using ghdb_scraper.py. You can dump all
dorks to a file, the individual dork categories to separate dork files, or the entire json blob if you want more
contextual data about each dork.
To retrieve all dorks:
python ghdb_scraper.py -j -sTo retrieve all dorks and write them to individual categories:
python ghdb_scraper.py -iThe ghdb_scraper.retrieve_google_dorks() returns a dictionary with the following data structure:
ghdb_dict = {
"total_dorks": total_dorks,
"extracted_dorks": extracted_dorks,
"category_dict": category_dict,
}Using a Python shell (like python or ipython) to explore the data:
import ghdb_scraper
dorks = ghdb_scraper.retrieve_google_dorks(save_all_dorks_to_file=True)
dorks.keys()
dorks["total_dorks"]
dorks["extracted_dorks"]
dorks["category_dict"].keys()
dorks["category_dict"][1]["category_name"]Now that a file with the most recent Google dorks exists, it can be fed into pagodo.py using the -g switch to start
collecting potentially vulnerable public applications. pagodo.py leverages the google python library to search
Google for sites with the Google dork, such as:
intitle:"ListMail Login" admin -demo
The -d switch can be used to specify a domain and functions as the Google search operator:
site:example.com
Performing ~4600 search requests to Google as fast as possible will simply not work. Google will rightfully detect it
as a bot and block your IP for a set period of time. In order to make the search queries appear more human, a couple of
enhancements have been made. A pull request was made and accepted by the maintainer of the Python google module to
allow for User-Agent randomization in the Google search queries. This feature is available in
1.9.3 and allows you to randomize the different user agents used for each search.
This emulates the different browsers used in a large corporate environment.
The second enhancement focuses on randomizing the time between search queries. A minimum delay is specified using the
-e option and a jitter factor is used to add time on to the minimum delay number. A list of 50 jitter times is created
and one is randomly appended to the minimum delay time for each Google dork search.
# Create an array of jitter values to add to delay, favoring longer search times.
self.jitter = numpy.random.uniform(low=self.delay, high=jitter * self.delay, size=(50,))Latter in the script, a random time is selected from the jitter array and added to the delay.
pause_time = self.delay + random.choice(self.jitter)Experiment with the values, but the defaults successfully worked without Google blocking my IP. Note that it could take a few days (3 on average) to run so be sure you have the time.
To run it:
python3 pagodo.py -d example.com -g dorks.txt -l 50 -s -e 35.0 -j 1.1If you start getting HTTP 429 errors, Google has rightfully detected you as a bot and will block your IP for a set period of time. The solution is to use proxychains and a bank of proxies to round robin the lookups.
Install proxychains4
apt install proxychains4 -yEdit the /etc/proxychains4.conf configuration file to round robin the look ups through different proxy servers. In
the example below, 2 different dynamic socks proxies have been set up with different local listening ports
(9050 and 9051). Don't know how to utilize SSH and dynamic socks proxies? Do yourself a favor and pick up a copy of
Cyber Plumber's Handbook and interactive lab to learn all about Secure Shell
(SSH) tunneling, port redirection, and bending traffic like a boss.
vim /etc/proxychains4.confround_robin
chain_len = 1
proxy_dns
remote_dns_subnet 224
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks4 127.0.0.1 9050
socks4 127.0.0.1 9051Throw proxychains4 in front of the Python script and each lookup will go through a different proxy (and thus source
from a different IP). You could even tune down the -e delay time because you will be leveraging different proxy boxes.
proxychains4 python3 pagodo.py -g ALL_dorks.txt -s -e 17.0 -l 700 -j 1.1Comments, suggestions, and improvements are always welcome. Be sure to follow @opsdisk on Twitter for the latest updates.