Bing Hacking, Other Tools and Defenses
The Bing API has a few advantages that the Google API lacks, which translates into different information being available through SearchDiggity. Among them is the useful linkfromdomain search directive, which finds the outbound (external) links from applications or domains on your site.
That is a useful tool because the external links found can then be sorted into applications, host names, and domains. Other tools that are useful in search hacking include Maltego, an information-gathering tool; theHarvester, a footprinting tool (it gathers email accounts, usernames, hostnames, and subdomains); SHODAN, a hacker search engine; DeepMagic DNS, a DNS footprinting search engine; and PasteBin Leaks, a Twitter feed tracking leaked passwords appearing on PasteBin.
Another Clever Use
MalwareDiggity can be used to check your off-site links for malware! How? It leverages Bing’s linkfromdomain directive to find off-site links, then checks them against Google’s Safe Browsing API to see whether any of them are malware distribution sites. The results can be published to an RSS feed, and an alert sent to your phone.
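The pipeline just described, as an added example that is not MalwareDiggity’s own code: off-site links from a Bing linkfromdomain: result set are filtered, deduplicated, and packaged for a Google Safe Browsing Lookup API (v4) threatMatches:find request, and the response is turned into alerts. The result URLs, the domain example.com, and the API response are constructed samples, so the script runs offline; the HTTP calls to Bing and Safe Browsing are left to the reader.

```python
# Offline sketch of the MalwareDiggity pipeline: off-site links found via Bing's
# linkfromdomain: directive are screened with the Google Safe Browsing Lookup API (v4).
from urllib.parse import urlsplit

OWN_DOMAIN = "example.com"  # constructed: the site whose outbound links are audited

# Constructed sample: URLs a Bing 'linkfromdomain:example.com' query might return.
BING_RESULT_URLS = [
    "https://example.com/about",                     # on-site, ignored
    "https://cdn.example.com/js/app.js",             # own subdomain, ignored
    "http://partner-site.test/downloads/setup.exe",
    "https://blog.someone.test/post/1",
    "http://partner-site.test/downloads/setup.exe",  # duplicate, collapsed
]

def is_offsite(url, own_domain=OWN_DOMAIN):
    """True if url points outside own_domain and its subdomains."""
    host = (urlsplit(url).hostname or "").lower()
    return bool(host) and host != own_domain and not host.endswith("." + own_domain)

def offsite_links(urls, own_domain=OWN_DOMAIN):
    """Deduplicated off-site links, in first-seen order."""
    return list(dict.fromkeys(u for u in urls if is_offsite(u, own_domain)))

def safe_browsing_request(urls, client_id="link-audit", client_version="0.1"):
    """JSON body for POST https://safebrowsing.googleapis.com/v4/threatMatches:find?key=API_KEY."""
    return {"client": {"clientId": client_id, "clientVersion": client_version},
            "threatInfo": {"threatTypes": ["MALWARE", "SOCIAL_ENGINEERING", "UNWANTED_SOFTWARE"],
                           "platformTypes": ["ANY_PLATFORM"], "threatEntryTypes": ["URL"],
                           "threatEntries": [{"url": u} for u in urls]}}

def flagged_links(response):
    """Map each flagged URL to its threat types; the API returns {} when nothing matches."""
    out = {}
    for m in response.get("matches", []):
        out.setdefault(m["threat"]["url"], []).append(m["threatType"])
    return out

# Constructed sample response in the shape the Lookup API returns for one hit.
SAMPLE_RESPONSE = {"matches": [{
    "threatType": "MALWARE", "platformType": "ANY_PLATFORM", "threatEntryType": "URL",
    "threat": {"url": "http://partner-site.test/downloads/setup.exe"}, "cacheDuration": "300s"}]}

if __name__ == "__main__":
    links = offsite_links(BING_RESULT_URLS)
    print(f"{len(links)} off-site links to screen:", safe_browsing_request(links))
    for url, kinds in flagged_links(SAMPLE_RESPONSE).items():
        print(f"ALERT {url}: {', '.join(kinds)}")  # feed this into RSS/phone alerting
```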
Defenses and Conclusion
The old methods of hacking yourself to find out what information has leaked through Google caches, then updating robots.txt, simply fail as a primary defense, according to Brown. Stach and Liu have a new defense: Google and Bing Hacking Alerts are a better alternative, as there are 118 dorks for SharePoint hacking and 26 dorks for Shodan Hacking Alerts. This combined database lists approximately 3000 new vulnerabilities per day. Francis’s recommendation is to subscribe to all the RSS feeds using a Google Reader Bundle to get the Diggity Hacking Alerts bundle by Stach & Liu (“the FUNdle Bundle”). There is a SHODAN alert bundle available as well.
Some of the alerts are also available on mobile devices (iDiggity). Another recommended defensive tool is Alerts Diggity. What makes these tools more valuable than past defensive measures is that they offer real-time updates, multi-engine results, historical data, and multi-domain searching.
Remember, you aren’t querying your web site at all: you are using known vulnerabilities and common “stupid” strings to match against the search engine database. Even better, you can then customize the notifications and set an alert to notify you if your website matches. Google Hacking Alerts has over 2400 hack queries; Bing Hacking Alerts has over 900 hack queries. That is the genesis of the FUNdle Bundle: over 3000 combined hack queries.