Every day, Google processes over 8.5 billion searches. We know how much we use Google daily.
With the crawling capabilities of Google, it can also be a powerful tool for pen testers. Google can help us find exposed files, scripts, and other critical resources in web applications.
To find this type of sensitive information, hackers use specific search terms in Google. We call them Google Dorks.
Google Dorks are special search terms that help locate information which is not found through regular web searches.
In this article, we will look at what Google Dorks are and how they can help us in penetration testing.
What are Google Dorks?
A Google Dork is a special search term. These terms, when used with regular search keywords can help us discover hidden resources crawled by Google.
These resources include sensitive information such as usernames, passwords, credit card numbers, email addresses, shell scripts, user accounts, and so on.
These Dorks are not limited to Google. We can also use them with search engines like Bing and Yahoo. The results might vary, but they still serve the purpose.
To harness the full potential of Google Dorking, we’ll need to master some specialized search operators. These operators will fine-tune our search results and help us find exactly what we are looking for.
Let’s try a few Google dorks.
Common Google Dorks
Some of the common query operators in Google Dorking include search modifiers. These search modifiers allow us to find specific information that may not be accessible through traditional search methods.
Here are some of the most common operators used in Google Dorking.
The “intitle” operator searches for web pages with specific words or phrases in the title tag. For instance, if you’re looking for pages that contain the phrase “password” and have “index of” in the title, you would use the search term:
intitle:”index of” password
The “inurl” operator searches for web pages that contain specific words or phrases in the URL. For example, if you’re looking for pages that contain “admin.php” in the URL, you would use the search term:
The “site” operator allows you to search within a specific website or domain. For instance, if you’re looking for pages on the example.com domain that contain the word “Steganography”, you would use the search term:
The “filetype” operator allows you to search for specific file types, such as PDFs or Word documents. For example, if you’re looking for PDF files that contain the phrase “confidential report”, you would use the search term:
filetype:pdf "Advanced Network Security"
The “intext” operator searches for pages that contain specific words or phrases within the body of the page. For instance, if you’re looking for pages that contain both the words “login” and “password” within the body of the page, you would use the search term:
The “link” operator searches for web pages that link to a specific URL. For example, if you’re looking for web pages that link to the example.com domain, you would use the search term:
The “cache” operator is used to retrieve the cached version of a web page. When you search for a website using Google, Google creates a cached version of that page in its system. This version can be useful if the original website is temporarily down or if you want to view an older version of the website.
Here is the syntax to find the cached version of yahoo.com.
The “related” operator is used to find web pages that are related to a specific URL. Here is the syntax to use the “related” operator to find sites similar to yahoo.com.
By combining these operators in creative ways, you can find specific types of information on the web that can be useful for penetration testing and other purposes.
Structure of Query Operators
Google Dorking query operators have a structure similar to regular Google search query operators. This technique involves using advanced operators and search queries to uncover information that is not typically available through regular searches.
The general structure of query operators in Google Dorking includes three elements:
- Operator: A specific keyword or symbol that instructs Google what to search for. For instance, the “inurl” operator searches for pages that contain a particular keyword in their URL.
- Keyword: The search term or phrase that you want to find. If you are looking for a specific password file, then “password” is your keyword.
- Modifier: An additional search parameter that you can use to further refine your search. For example, the “filetype” modifier searches for a specific file type, such as a PDF.
Here’s an example of a query operator structure in Google Dorking:
intitle: “index of” site:example.com password filetype:pdf
This query uses the “intitle” operator to search for pages with “index of” in their title, the “site” operator to search within the example.com domain, the keyword “password,” and the “filetype” modifier to search for PDF files.
By utilizing query operators in Google Dorking, we can find useful and often vulnerable information that might not be accessible through regular searches.
Google Hacking Database (GHDB)
The Google Hacking Database (GHDB) is a compilation of search queries and query operators that help us in Google Dorking.
Johnny Long, a well-known security researcher and author, established the GHDB. It has since become a valuable resource for security engineers like you and me.
The GHDB has several search queries and operators that can uncover numerous sensitive files, vulnerable web servers, and applications. It can also discover default login pages and credentials, as well as network and security devices that may be prone to attack.
GHDB is arranged into categories such as “Files containing passwords” “Vulnerable servers” “Footholds” and “Error Messages”. Each category contains several search queries and operators crafted to reveal information specific information about a target.
Please note that search queries and operators in the GHDB might produce false positives or outdated information. Always verify the information obtained through these search operators.
A Dorking Scenario
Let’s assume you have to conduct a pentesting audit for a client. Here is a sample dorking scenario.
- Use the “site” operator to limit your search to the company’s website: site:example.com. This returns all pages on the example.com website.
- Use the “intitle” operator to search for pages containing specific keywords in the title: intitle:”login” site:example.com. This helps identify potential login pages vulnerable to attack.
- Use the “filetype” operator to search for specific file types: filetype:pdf site:example.com. This helps identify potential documents or reports containing sensitive information.
- Use the “inurl” operator to search for specific URLs: inurl:”admin” site:example.com. This helps identify potential administrative pages vulnerable to attack.
- Use the “cache” operator to view the cached version of a webpage Google has indexed: cache:example.com/login.php. This provides access to the page contents even if the original page is removed or no longer accessible.
- Use the “related” operator to find similar websites: related:example.com. This helps identify potential partners or third-party vendors with access to the company’s network.
Google Dorking is a powerful technique that allows us to perform advanced searches on Google. We can use Google Dorks to find specific information and publicly exposed vulnerabilities. It is an essential tool in a pentester’s toolkit.
Google Hacking Database (GHDB) provides a collection of pre-defined Google Dorks. Given the harm that someone can cause using dorking, it is important to use it ethically and with permission. Ensure that you have permission and follow ethical guidelines when using dorking for security audits.