Privacy settings for posts on Facebook: how to hide a Facebook post from prying eyes. Facebook Secrets

And today I will tell you about another search engine that is used by pentesters/hackers - Google, or more precisely about the hidden capabilities of Google.

What are Google Dorks?

Google Dorks, or Google Dork Queries (GDQ), are search queries for identifying the crudest security holes: anything that has not been properly hidden from search robots.

For brevity, such queries are called Google dorks or simply dorks, after the admins whose resources were hacked using GDQ.

Google Operators

To begin with, I would like to provide a small list of useful Google commands. Among all the Google advanced search commands, we are mainly interested in these four:

  • site - search on a specific site;
  • inurl - indicate that the searched words should be part of the page/site address;
  • intitle - search operator in the title of the page itself;
  • ext or filetype - search for files of a specific type by extension.

Also, when creating Dork, you need to know several important operators, which are specified by special characters.

  • | - the OR operator, also known as the vertical bar (logical or), indicates that the results should contain at least one of the words listed in the query.
  • "" - the quote operator indicates an exact match.
  • - - the minus operator excludes results containing the words specified after the minus.
  • * - the asterisk (wildcard) operator is used as a mask and means "anything".

Where to find Google dorks

The most interesting dorks are the fresh ones, and the freshest are those the pentester found himself. True, if you get too carried away with experiments, Google will ban you... until you enter a captcha.

If you don’t have enough imagination, you can try to find fresh dorks on the Internet. The best site to find dorks is Exploit-DB.

The Exploit-DB online service is a non-profit project of Offensive Security. For those who don't know, this company provides training in information security and also offers pentesting services.

The Exploit-DB database contains a huge number of dorks and vulnerabilities. To search for dorks, go to the website and go to the “Google Hacking Database” tab.

The database is updated daily. At the top you can find the latest additions. On the left side is the date the dork was added, name and category.


Exploit-DB website

At the bottom you will find dorks sorted by category.


Exploit-DB website

Another good site is . There you can often find interesting, new dorks that don’t always end up on Exploit-DB.

Examples of using Google Dorks

Here are examples of dorks. When experimenting with dorks, do not forget about the disclaimer!

This material is for informational purposes only. It is addressed to information security specialists and those who are planning to become one. The information presented in this article is provided for informational purposes only. Neither the editors of the website www.site nor the author of the publication bear any responsibility for any harm caused by the material in this article.

Dorks for finding website problems

Sometimes it is useful to study the structure of a site by obtaining a list of files on it. If the site is made on the WordPress engine, then the repair.php file stores the names of other PHP scripts.

The inurl operator tells Google to look for the word that follows it in the address of the page. If we had written allinurl, the search would have applied to the entire address, and the results would have been more cluttered. Therefore, a query like this is enough:

inurl:/maint/repair.php?repair=1

As a result, you will receive a list of WP sites whose structure can be viewed via repair.php.


Studying the structure of a website on WP

WordPress causes a lot of problems for administrators with undetected configuration errors. From the open log you can find out at least the names of the scripts and downloaded files.

inurl:"wp-content/uploads/file-manager/log.txt"

In our experiment, a simple request allowed us to find a direct link to the backup in the log and download it.


Finding valuable information in WP logs

A lot of valuable information can be gleaned from logs. It is enough to know what they look like and how they differ from the mass of other files. For example, an open source database interface called pgAdmin creates a service file pgadmin.log. It often contains usernames, database column names, internal addresses, and the like.

The log is found with a simple query:

ext:log inurl:"/pgadmin"

There is an opinion that open source is safe code. However, the openness of source codes in itself only means the opportunity to explore them, and the goals of such research are not always good.

For example, Symfony Standard Edition is popular among frameworks for developing web applications. When deployed, it automatically creates a parameters.yml file in the /app/config/ directory, where it saves the database name, as well as login and password.

You can find this file using the following query:

inurl:app/config/ intext:parameters.yml intitle:index.of


Another file with passwords

Of course, the password could then be changed, but most often it remains the same as it was set at the deployment stage.

The open source UniFi API browser tool is increasingly used in corporate environments. It is used to manage segments of wireless networks created according to the “seamless Wi-Fi” principle. That is, in an enterprise network deployment scheme in which many access points are controlled from a single controller.

The utility is designed to display data requested through Ubiquiti's UniFi Controller API. With its help, it is easy to view statistics, information about connected clients, and other information about the server’s operation via the UniFi API.

The developer honestly warns: “Please do keep in mind this tool exposes A LOT OF the information available in your controller, so you should somehow restrict access to it! There are no security controls built into the tool...". But many people don't seem to take these warnings seriously.

Knowing about this feature and sending one more specific query, you will see a lot of service data, including application keys and passphrases.

inurl:"/api/index.php" intitle:UniFi

General search rule: first determine the most specific words that characterize the chosen target. If it is a log file, what distinguishes it from other logs? If it is a file with passwords, where and in what form can they be stored? Marker words are always found in some specific place, for example in the title of a web page or in its address. By limiting the search area and specifying precise markers, you get raw search results. Then clean them of debris by refining the query.

Dorks for searching open NAS

Home and office network storage is popular nowadays. The NAS function is supported by many external drives and routers. Most of their owners don’t bother with security and don’t even change default passwords like admin/admin. You can find popular NAS by the typical titles of their web pages. For example, the request:

intitle:"Welcome to QNAP Turbo NAS"

will display a list of NAS IPs made by QNAP. All that remains is to find the weakest one among them.

The QNAP cloud service (like many others) offers file sharing via a private link. The problem is that the link is not all that private.

inurl:share.cgi?ssid=


Finding shared files

This simple query shows files shared through the QNAP cloud. They can be viewed directly from the browser or downloaded for more detailed information.

Dorks for searching IP cameras, media servers and web admin panels

In addition to NAS, you can find a ton of other web-managed network devices with advanced Google queries.

The most common way to do this is via CGI scripts, so the main.cgi file is a promising target. However, it can be found anywhere, so it is better to refine the query.

For example, by appending the standard call ?next_file to it. As a result, we get a dork like:

inurl:"img/main.cgi?next_file"

In addition to cameras, media servers are similarly open to anyone and everyone. This is especially true of Twonky servers made by Lynx Technology. They have a very recognizable name and default port 9000.

For cleaner search results, it is better to indicate the port number in the URL and exclude it from the text part of web pages. The request takes the form

intitle:"twonky server" inurl:"9000" -intext:"9000"


Video library by year

Typically, a Twonky server is a huge media library that shares content via UPnP. Authorization for them is often disabled “for convenience.”

Dorks for searching for vulnerabilities

Big data is a buzzword now: it is believed that if you add Big Data to anything, it will magically begin to work better. In reality, there are very few real experts on this topic, and with the default configuration, big data leads to large vulnerabilities.

Hadoop is one of the simplest ways to compromise tera- and even petabytes of data. This open-source platform contains well-known headers, port numbers and service pages that make it easy to find the nodes it manages.

intitle:"Namenode information" AND inurl:":50070/dfshealth.html"


Big Data? Big vulnerabilities!

With this combined query we get a list of vulnerable Hadoop-based systems. You can browse the HDFS file system directly from your browser and download any file.
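As an added defensive example (not from the original article), here is a Python script that parses web-server access logs in the common "combined" format and flags requests for the kinds of files the dorks above target; the marker paths are taken from the queries in this section, while the log lines and the crude crawler check are constructed for illustration. A request that the server answered with 200 is a confirmed exposure, and a 200 served to a search-engine crawler means the file is about to become findable with exactly these queries.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# File and endpoint markers taken from the dorks in this section. A request for
# one of these that the server answered with 200 means the resource is reachable.
SENSITIVE_PATHS = {
    "wp-repair": re.compile(r"/maint/repair\.php$"),
    "wp-file-manager-log": re.compile(r"/wp-content/uploads/file-manager/log\.txt$"),
    "pgadmin-log": re.compile(r"/pgadmin[^/]*\.log$"),
    "symfony-parameters": re.compile(r"/app/config/parameters\.yml$"),
    "unifi-api-browser": re.compile(r"/api/index\.php$"),
    "qnap-share": re.compile(r"/share\.cgi$"),
    "camera-main-cgi": re.compile(r"/main\.cgi$"),
    "hadoop-dfshealth": re.compile(r"/dfshealth\.html$"),
}

# Apache/nginx "combined" log format: ip ident user [ts] "req" status size "ref" "ua"
COMBINED_LOG = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

@dataclass
class Finding:
    ip: str
    marker: str
    target: str
    status: int
    crawler: bool  # request came from a search-engine crawler (heuristic: "bot" in UA)

def parse_log_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_LOG.match(line)
    return m.groupdict() if m else None

def scan_log(text):
    """Return one Finding per request whose path matches a sensitive marker."""
    findings = []
    for line in text.splitlines():
        entry = parse_log_line(line)
        if entry is None:
            continue
        path = urlsplit(entry["target"]).path  # match on the path, ignore the query string
        for marker, pattern in SENSITIVE_PATHS.items():
            if pattern.search(path):
                findings.append(Finding(entry["ip"], marker, entry["target"],
                                        int(entry["status"]), "bot" in entry["ua"].lower()))
                break
    return findings

def summarize(findings):
    """Split findings into failed probes (non-200), confirmed exposures (200), and
    exposures served to a crawler, which will end up in the search index."""
    report = {"probes": [], "exposed": [], "indexed": []}
    for f in findings:
        if f.status != 200:
            report["probes"].append((f.ip, f.target))
        else:
            report["exposed"].append((f.ip, f.target))
            if f.crawler:
                report["indexed"].append(f.target)
    return report

# Constructed sample log lines (not real traffic); addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /maint/repair.php?repair=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-content/uploads/file-manager/log.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:02:11 +0000] "GET /app/config/parameters.yml HTTP/1.1" 200 340 "https://www.google.com/" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:02:12 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:15:10:01 +0000] "GET /dfshealth.html HTTP/1.1" 403 0 "-" "curl/8.0"
192.0.2.50 - - [10/Oct/2023:16:00:00 +0000] "GET /share.cgi?ssid=abc123 HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""
```

Running summarize(scan_log(SAMPLE_LOG)) on the sample reports two probes, three exposures, and one file already served to a crawler.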

Google dorks are a powerful tool for any penetration tester, one that not only information security specialists but also ordinary network users should know about.

Who called from an unknown number and breathed into the phone? Who is "Lena of Mordor", who appeared in the phone book after Saturday's party? Enter the last 10 digits of the phone number into the Facebook search bar and you will likely get the answers. By default, the ability to find a person by phone number is enabled for all users.


If you don't want this trick to happen to you, change your privacy settings.


2. Disable the “Viewed” status in messages

This feature ruins relationships and lives! Of course, who likes it when personally selected funny pictures and important news are openly ignored?


If you are not one of those who can calmly leave messages from acquaintances unanswered, use a browser extension. It disables the “Viewed/Unviewed” message status on the desktop version of Facebook. For the Chrome browser this is Facebook Unseen. For Firefox and Explorer - Chat Undetected. But there is also a negative point: with these extensions you will also not be able to see the read status.


3. Hide your online status from annoying friends

If you are completely tired of a friend, then turn off the chat with him. Click on the gear in the right column with the list of friends and select “Advanced settings”.


Messages from the disabled chat will be stored in the “Inbox” folder, but, unlike the previous point, you will not be able to read them unnoticed.


4. Look in your news feed only for posts from friends and communities you are subscribed to

Facebook wants to drag everyone into its quagmire as deeply as possible. This is why it shows users posts liked and commented on by friends. But there is a way to leave only posts from friends and communities you follow in your feed.

Install the friends feed extension in Chrome. With it, extraneous posts will either be hidden or covered with a gray veil - choose in the settings.

5. Read hidden messages

Who knows, maybe your life is not as boring as it seems. Perhaps you were called to the job of your dreams, secret admirers confessed their love, and their admirers threatened to kill you. But you didn’t know anything about it, because Facebook puts messages from strangers in a hidden folder and doesn’t notify you about them in any way. Click on the “Other” tab (for many people it has recently been called “Correspondence Request”) next to the main messages and see everything that was hidden!

6. Hide your friends list from prying eyes

Let's not even speculate why you might be shy about your Facebook acquaintances. Just go to the “Friends” tab on your personal page, click on the pencil and indicate who can see the circle of your Facebook friends.

7. Disable video autoplay

In one fell swoop, you can bring a little peace to your feed and save on mobile traffic. To do this, disable automatic video playback. In the native Facebook application, go to your account settings > “Video and Photos” > “Autoplay” > select the desired setting.

8. Share GIFs on Facebook

Do you love GIFs as much as ? If the answer is positive, we will tell you how to share them on Facebook. Insert a link to the GIF into the status field (yes, you won’t be able to upload it directly from your computer). After it is loaded, the link can be deleted. Publish.

9. Change your relationship status without unnecessary drama

A long time may pass between the internal decision to end the relationship and the announcement of this to the other party. And I want to start looking for new romantic adventures on Facebook right away. By default, a notification about a change in your personal life appears in all friends' feeds. So don't forget to select the "Only Me" setting under "Information" > "Family and Relationships."

10. Bookmark interesting posts to read them later

Thousands of posts appear in your Facebook feed every day; it's impossible to read everything, even if you completely abandon the idea of working. Fortunately, the social network has a built-in bookmarking service. To save a post for later, click the arrow in the upper right corner.

The Facebook interface is strange and in some places completely illogical. But it just so happens that almost everyone I talk to ended up there, so I have to endure it.

Much about Facebook is not obvious. I tried to collect in this post what I did not find right away, and many probably have not found until now.

Feed

By default, Facebook generates a feed of popular posts. However, it can be completely different on different computers. To force Facebook to generate a “regular” timeline, click the checkbox to the right of the word “News Feed” and select “Latest” there.

Unfortunately, in the Android mobile app, the feed is formed only by popularity.

Cleaning up the feed

On Facebook, I always add as friends everyone who asks, but I don't want to read any nonsense in my feed at all. To remove unwanted publications from your feed, there is no need to remove anyone from your friends list; just disable the subscription. As soon as you see something unwanted in your feed, click the checkbox on the right and select "Unfollow ...". After this, that user's posts will never appear in your feed again.

Notifications

When you leave any comment on any post or photo, Facebook will start notifying you of any new comments. To refuse this, you need to turn off notifications. For different objects this is done in different places. With the status, everything is simple - click the checkbox to the right of the status and select “Do not receive notifications”.

Unfortunately, you cannot unsubscribe from comments in the Android mobile app.

Search by messages

Facebook has a search for personal messages, but few people know where it is hidden. Click on the messages button, then click "show all" at the bottom of the window that opens.

The message interface will open, with a second search bar appearing at the top.

There you can search for any words in all personal messages written during your entire use of Facebook.

Fighting Messenger

Facebook requires mobile devices to have a separate messaging app, Facebook Messenger. Many people really don't like it. For now, there is a way to continue messaging in Facebook itself. When Facebook once again refuses to show messages, requiring you to install Messenger, go to the application manager (in Android: System Settings - Applications), find Facebook there and click the "Erase data" button. After that, launch Facebook and re-enter your username and password. Messages will then work for some time, although Facebook will periodically display a window asking you to install Messenger.

Action log

It's often very difficult to find something on Facebook. The following diagram helps a little. If you see something that might be useful later, give it a like. In the future, this like will be used to find a publication in the activity log. To open the log, click the small checkmark in the upper right corner of the interface and select “Action Log” from the menu that opens.

Embedding a post

Every post on Facebook has an "Embed Post" link. It produces code that can be embedded in any site where you can insert HTML (including LiveJournal). Unfortunately, the ability to embed videos seems to have been closed. It worked a week ago, but now on any view it says "This Facebook post is no longer available. It may have been deleted or its privacy settings have been changed."

Disable video autoplay

By default, Facebook automatically plays all videos in your feed without sound. On mobile devices this can be a problem as it consumes a lot of bandwidth.

In the browser, video autoplay is disabled as follows: click the checkmark in the upper right corner, there are settings, then video.

In Android - click the three bars on the right in the icon line, there "Application Settings" - "Autoplay video" - set "Off." or "Wi-fi only". In the latter case, videos will autoplay only when connected via Wi-Fi.

Go to publication

To go from the feed to a specific publication, just click on the publication date; a link to the publication can be obtained by right-clicking on the date and selecting "Copy link". Thanks to samon, zz_z_z and borhomey for this advice.

Surely, the mysterious Facebook still has many secrets that I haven’t gotten to yet.

If you know about other Facebook secrets, write in the comments, I’ll add them to the post.



Good day. Today we'll talk about protection of and access to CCTV cameras. There are quite a lot of them and they are used for different purposes. As always, we will use a standard database that will allow us to find such cameras and select passwords for them.

Theory

Most devices are not configured or updated after installation. Therefore, our target audience sits behind the popular ports 8000, 8080 and 554. If you need to scan the network, it is better to select these ports right away.

Method No. 1

For a clear example, you can look at interesting queries in the Shodan and Censys search engines. Let's look at some illustrative examples with simple queries.

has_screenshot:true port:8000 // 183 results
has_screenshot:true port:8080 // 1025 results
has_screenshot:true port:554 // 694 results

In this simple way you can access a large number of open cameras located in interesting places: shops, hospitals, gas stations, etc. Let's look at a few interesting options for clarity.

(Screenshots: a doctor's waiting room; a private home somewhere in the depths of Europe; a classroom somewhere in Chelyabinsk; a women's clothing store)

In this simple way you can find quite a lot of interesting objects to which access is open. Don't forget that you can use the country filter to get data by country.

has_screenshot:true port:8000 country:ru
has_screenshot:true port:8080 country:ru
has_screenshot:true port:554 country:ru

Method No. 2

You can use standard search engines. To do this, it is better to use the page titles shown when viewing images from cameras; here is a selection of the most interesting options:

  • inurl:/view.shtml
  • inurl:ViewerFrame?Mode=
  • inurl:ViewerFrame?Mode=Refresh
  • inurl:view/index.shtml
  • inurl:view/view.shtml
  • intitle:"live view" intitle:axis
  • intitle:liveapplet
  • allintitle:"Network Camera Network Camera"
  • intitle:axis intitle:"video server"
  • intitle:liveapplet inurl:LvAppl
  • intitle:"EvoCam" inurl:"webcam.html"
  • intitle:"Live NetSnap Cam-Server feed"
  • intitle:"Live View / - AXIS 206M"
  • intitle:"Live View / - AXIS 206W"
  • intitle:"Live View / - AXIS 210"
  • inurl:indexFrame.shtml Axis
  • intitle:start inurl:cgistart
  • intitle:"WJ-NT104 Main Page"
  • intitle:snc-z20 inurl:home/
  • intitle:snc-cs3 inurl:home/
  • intitle:snc-rz30 inurl:home/
  • intitle:"sony network camera snc-p1"
  • intitle:"sony network camera snc-m1"
  • intitle:"Toshiba Network Camera" user login
  • intitle:"i-Catcher Console - Web Monitor"

(Screenshots: reaping the benefits and finding an airport; a company office)

Add another port to the collection and you can finish.

Method No. 3

This method is targeted. It is used when we either have one point and need to guess a password, or we want to run through a database using standard passwords and find valid results. Hydra is perfect for these purposes. To do this, you need to prepare a dictionary. You can go through and look for standard passwords for routers. Let's look at a specific example. There is a camera model, DCS-2103. It occurs quite often. It works through port 80. Let's use the corresponding data and find the necessary information in Shodan. Next, we collect all the IPs of potential targets that interest us. Next, we create a list. Let's collect a list of passwords and run it all through the hydra utility. To do this, we need to add the dictionary and the list of IPs to the folder and run the following command:

hydra -l admin -P pass.txt -o good.txt -t 16 -vV -M targets.txt http-get

There should be a file pass.txt with passwords in the root folder; for the login we use the single value admin with the -l parameter, and if you need to set a dictionary for logins, you need to add a file to the root directory and specify it with the -L parameter. The selected results will be saved in the file good.txt. The list of IP addresses must be added to the root directory as the targets.txt file. The last word in the command, http-get, is responsible for connecting via port 80.

(Screenshots: example of the program; entering the command and getting started)

At the end I would like to add some information about scanning. To get network ranges you can use an excellent service. Next, these ranges need to be checked for the presence of the ports we need. I won't recommend scanners, but I will say that it's worth moving towards scanners such as masscan, vnc scanner and the like. You can write one based on the well-known nmap utility. The main task is to scan the range and find active IPs with the necessary ports.

Conclusion

Remember that in addition to standard viewing, you can also take photos, record videos and download them for yourself. You can also control the camera and rotate it in the desired directions. And the most interesting thing is the ability to turn on sound and speak through some cameras. What can I recommend here? Set a strong access password and be sure to forward ports.

The social network Facebook is becoming more and more popular, and accordingly the number of its users and the average number of Facebook friends these users have are increasing. Sometimes we add as friends on Facebook people we barely know or complete strangers whom we have never even met in real life.
And I am sure that in connection with this, many people from time to time have the need to publish posts on Facebook “not for everyone.” That is, when you want your Facebook post to be seen only by certain people from your circle of friends, but not everyone. Or, conversely, you want to hide a post from certain people on Facebook. I would even say that everyone has such a need, but most simply do not realize it, not caring at all about the privacy of their data. And unfortunately, not everyone knows that Facebook has subtle settings for displaying posts that help maintain privacy online and avoid problems caused by certain posts.
When you post on Facebook, below the input form you will see the option to customize the display of the post, thanks to which you can choose who can see your publication. By default, two options are available there - “Shared to everyone” (i.e., your publication will be available throughout the Internet), and “Friends” (i.e., only your Facebook friends will see your publication).

However, sometimes these settings may not be enough, so you can select the “Advanced settings” option.

In additional settings, you can select the following options for displaying your Facebook post:


Also, the settings allow you to share your post only for your colleagues or for people from your region, or for your own list of friends.

If all these options specially created by Facebook developers are not enough for you, you can create your own settings. This is very convenient for special cases - for example, you want to share photos from a past corporate event with your colleagues, but without the boss seeing it.
To create your own post display rule, select “User Settings” in the post publishing settings.

You will see a window in which you can select both individual people for whom you want to publish a post (just start typing the person’s name and he will appear in the drop-down list), and vice versa, people for whom your post will not be available.