The idea of using Google as a hacking tool or platform certainly isn’t a novel idea, and hackers have been leveraging this incredibly popular search engine for years. In fact, Google Dorks have their roots in 2002 when a man by the name of Johnny Long started using custom queries to search for elements of certain websites that he could leverage in an attack. At its core, that’s exactly what Google Dorks are – a way to use the search engine to pinpoint websites that have certain flaws, vulnerabilities, and sensitive information that can be taken advantage of. As a side note, some people refer to Google Dorks as Google Hacking (they’re more or less synonymous terms).
Google Dorking is a technique used by hackers to find information that has been exposed to the internet accidentally, for example log files containing usernames and passwords, or unsecured cameras. It is mostly done with a series of queries that home in on a specific target gradually: we start by collecting as much data as we can with general queries, and then we get specific with more complex queries.
Believe it or not, Google Dorks can uncover some incredible information such as email addresses and lists, login credentials, sensitive files, website vulnerabilities, and even financial information (e.g. payment card data). In fact, in our WordPress hacking tutorial, we listed a few Google Dorks that could be used to find SQLi (SQL injection) vulnerabilities. And the wonderful thing is that this is an incredibly passive form of attack that doesn’t draw much attention to the hacker. Unfortunately, some people use these techniques for illicit and nefarious activities such as cyberwarfare, digital terrorism, identity theft, and a whole host of other undesirable activities.
If you are reading this to learn how to break into a website and harm others just for kicks, perhaps you should pursue other interests. Let me caution you by stating that breaking into websites is an illegal activity, and it violates not only laws but moral codes as well. If you get caught, the consequences could be dire. Then why learn this, to begin with, you ask? Well, the first place any white-hat hacker needs to start is with understanding how hackers operate. Only then can they plug up security holes to prevent future attacks.
Fundamentals of Google Dorking
There are seven fundamentals of Google Dorking. These are simply ways of using Google with advanced techniques: seven main types of query that make up the basic structure of Google Dorking. We will now see, one by one, how these queries are used by hackers (black/grey/white hat) to get information about an organization or even an individual.
Google Dorking is not hacking in itself. It is a technique that comes in handy in one of the phases of hacking, Information Gathering, which is the most important phase. There are five phases of hacking in total: reconnaissance, scanning, gaining access, maintaining access, and clearing tracks. Google Dorking is used in the starting phases, where hackers try to get all the information linked to a specific organization or individual. After collecting it, hackers pick out the information they need for the next phases.
Captcha Issue while using Google Dork
Because Google can be used to disclose information about others, and that information can be used for wrong purposes, many black hat hackers have put bots online to crawl websites, find weaknesses in pages, and send the information back to their servers. To stop and slow down this abuse, Google has introduced a captcha into the process. You will need to enter a captcha almost every time you use a dork. This is how Google stops bots from using its search engine for illegal purposes.
Understanding Google Dorks Operators
Just like in simple math equations, programming code, and other types of algorithms, Google Dorks has several operators that aspiring white hat hackers need to understand. There are far too many to include in this guide, but we will go over some of the most common:
- intitle – this allows a hacker to search for pages with specific text in their HTML title. So intitle: “login page” will help a hacker scour the web for login pages.
- allintitle – similar to the previous operator, but only returns results for pages that meet all of the keyword criteria.
- inurl – allows a hacker to search for pages based on the text contained in the URL (i.e. “login.php”).
- allinurl – similar to the previous operator, but only returns matches for URLs that meet all the matching criteria.
- filetype – helps a hacker narrow down search results to specific types of files such as PHP, PDF, or TXT file types.
- ext – very similar to filetype, but this looks for files based on their file extension.
- intext – this operator searches the entire content of a given page for keywords supplied by the hacker.
- allintext – similar to the previous operator, but requires a page to match all of the given keywords.
- site – limits the scope of a query to a single website.
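As an added example (not code from the original article), here is a small parser for the operator syntax listed above, written from the defender's side: a site owner can run a published dork list through it together with the file extensions their own site serves and see which entries would target them. The operator set, the handling of unknown `name:` tokens (kept as plain keywords), and the rule that an allin* operator claims every term that follows it are assumptions of this example.

```python
"""Parser for Google dork query syntax (added example, not from the article).

Turns a query such as   intitle:"index of" inurl:ftp -site:example.com
into (operator, value, negated) terms, honoring double-quoted phrases, so a
defender can audit a list of dorks against what their own site exposes.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Operators covered by the article.  The "allin*" forms apply to every term
# that follows them, so the parser attaches later bare terms to them.
KNOWN_OPERATORS = {
    "intitle", "allintitle", "inurl", "allinurl", "filetype", "ext",
    "intext", "allintext", "site", "cache",
}


@dataclass
class Term:
    operator: Optional[str]  # None for a plain keyword or quoted phrase
    value: str
    negated: bool = False    # True for "-site:example.com" style exclusions


# One token: optional "-", optional "name:", then a quoted phrase or bare word.
_TOKEN = re.compile(
    r'\s*(?P<neg>-)?(?:(?P<op>[A-Za-z]+):)?(?:"(?P<quoted>[^"]*)"|(?P<bare>[^\s"]+))'
)


def parse_dork(query: str) -> List[Term]:
    """Tokenize a dork query; raises ValueError on an unterminated quote."""
    terms: List[Term] = []
    pos, query = 0, query.strip()
    scope: Optional[str] = None  # active allin* operator, if any
    while pos < len(query):
        m = _TOKEN.match(query, pos)
        if m is None or m.end() == pos:
            raise ValueError(f"cannot parse dork at offset {pos}: {query[pos:]!r}")
        pos = m.end()
        op = (m.group("op") or "").lower() or None
        value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        if op is not None and op not in KNOWN_OPERATORS:
            # e.g. "http://example.com" is not an operator: keep the token whole
            value, op = f"{op}:{value}", None
        if op is not None and op.startswith("allin"):
            scope = op
        elif op is None and scope is not None:
            op = scope
        terms.append(Term(op, value, m.group("neg") is not None))
    return terms


def by_operator(terms: List[Term]) -> Dict[Optional[str], List[str]]:
    """Group non-negated values by operator; the None key collects plain keywords."""
    grouped: Dict[Optional[str], List[str]] = {}
    for t in terms:
        if not t.negated:
            grouped.setdefault(t.operator, []).append(t.value)
    return grouped


def targets_my_file_types(query: str, my_extensions: set) -> bool:
    """True if the dork's filetype:/ext: values include something the site serves."""
    grouped = by_operator(parse_dork(query))
    wanted = set(grouped.get("filetype", [])) | set(grouped.get("ext", []))
    return bool(wanted & {e.lower() for e in my_extensions})


if __name__ == "__main__":
    # Constructed sample dork list; the first two are the article's own examples.
    for q in ['intitle:"index of" inurl:ftp', 'allintitle:"ip camera" "dvr"',
              'filetype:log intext:username intext:password -site:example.com']:
        print(q, "->", by_operator(parse_dork(q)))
```

Feeding a maintained dork list through `targets_my_file_types` with the extensions your web server actually serves is a quick way to decide which queries are worth running against your own domain (with a `site:` restriction) during a periodic exposure review.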
Google not only lists current versions of web pages; it also stores previous versions of websites in its cache, and those pages can sometimes give you a lot of information about the technology used by the developers. They can also disclose information that was initially used for testing purposes only and was removed in later versions, but is still viewable in the versions Google holds in its cache.
Its syntax is “cache:website address”. For example, let’s use the cache command on a random website and see the results. Results may vary from time to time, since Google updates its cache as well.
As you can see, we got multiple results related to our research. We can follow those links to get useful information about that website.
We can also use this search query to highlight a keyword in the search results. Suppose we want to highlight the word “flex” in our research; then we write the query as follows:
“cache:https://flexstudent.nu.edu.pk/Login flex”. It will highlight this keyword in the results.
intext & allintext Command
The intext command returns web pages that contain the specified words in their text. Intext can be used in two ways: the first is to search for a single keyword, and the second is to require multiple keywords. To accomplish the first task, the syntax for the command is as follows:
To accomplish the second task, we simply use allintext instead of intext and separate the keywords with a single space. With allintext, Google returns only those pages whose text contains every keyword mentioned in the query. If a web page has some of the keywords but is missing at least one, it is discarded from the results and the user will not see it. That is why these commands should be used with carefully chosen keywords, so that necessary information is not discarded.
Let’s say we want to find pages containing information about usernames and passwords; then we write the query as follows:
The result we got is as follows:
As you can see, all the pages returned have username and password in them, because our query required both keywords.
Filetype is one of those seven famous fundamentals of Google Dorking, as it helps filter a large number of files. It can filter PDF files for you; it can even filter log files. Log files are very useful for collecting information about an organization, as they keep track of all the events that happen in a system. If we want to get access to plain log files we can simply write filetype:log, and it will give us all kinds of log files, but this is not much help unless we narrow down our search with some filters.
Let us make it more specific by specifying that we want those files which have usernames and passwords in them. For this purpose, we will modify our query like this:
It will display those results that have usernames and passwords mentioned in them. If these files belong to a live server, one cannot imagine how much damage they can cause.
Opening a random file from the results of this query looks as follows:
As you can see, for beginners it may not mean much, but it can play an important role in information gathering about a company or a server. This information can be the key to many new adventures.
Looking at another file found this way, we may end up with usernames and passwords as well.
You can use this technique to narrow down the results to some specific user.
First, you will get log files using this query and then you can easily find the required username after searching through that document.
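An added example, not code from the article, that turns the filetype:log reasoning above around for the site owner: it walks a web root the way a crawler would, flags files with commonly indexed extensions whose lines look like credentials, and reports them so they can be removed before a dork finds them. The extension list, the credential regex and the sample files it builds are all constructed for this example.

```python
"""Audit a web root for files that a  filetype:log intext:username intext:password
style dork would surface.  Added example, not code from the article; the sample
web root it builds is constructed for the demonstration.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# Extensions that should rarely be served from a public web root at all.
RISKY_EXTENSIONS = {".log", ".txt", ".sql", ".bak", ".env", ".ini", ".conf", ".old"}

# Credential-looking "key=value" / "key: value" fragments (heuristic, not exhaustive).
CREDENTIAL_RE = re.compile(
    r"(?:user(?:name)?|login|pass(?:word|wd)?|pwd|secret|token|api[_-]?key)\b\s*[=:]\s*\S+",
    re.IGNORECASE,
)


def scan_file(path: Path, max_bytes: int = 1_000_000) -> List[Tuple[int, str]]:
    """Return (line_number, matched_text) for credential-looking lines in a file."""
    hits: List[Tuple[int, str]] = []
    with path.open("rb") as fh:
        data = fh.read(max_bytes)          # cap so a huge log cannot stall the audit
    for lineno, line in enumerate(data.decode("utf-8", "replace").splitlines(), 1):
        m = CREDENTIAL_RE.search(line)
        if m:
            hits.append((lineno, m.group(0)))
    return hits


def audit_webroot(root: str) -> List[Tuple[str, int, str]]:
    """Walk root; return (relative_path, line, text) for every exposed credential."""
    findings: List[Tuple[str, int, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            if p.suffix.lower() not in RISKY_EXTENSIONS:
                continue                   # html/php etc. are the site's job, not leaks
            for lineno, text in scan_file(p):
                findings.append((str(p.relative_to(root)), lineno, text))
    return sorted(findings)


def build_sample_webroot(root: str) -> None:
    """Write a constructed sample site: a leaking log, a harmless log, a page, a backup."""
    Path(root, "logs").mkdir(parents=True, exist_ok=True)
    Path(root, "logs", "app.log").write_text(
        "2024-01-01 10:00:01 INFO server started\n"
        "2024-01-01 10:00:05 DEBUG login attempt username=alice password=Winter2024!\n"
        "2024-01-01 10:00:09 INFO request /index.html 200\n"
    )
    Path(root, "logs", "access.log").write_text("127.0.0.1 - - GET /index.html 200\n")
    Path(root, "index.html").write_text("<html><title>Welcome</title></html>\n")
    Path(root, "db.bak").write_text("db_user=admin\ndb_pass=hunter2\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp)
        for rel, lineno, text in audit_webroot(tmp):
            print(f"{rel}:{lineno}: {text}")
```

Run `audit_webroot` against the document root of each virtual host; every finding is a file that a search engine can index just as easily as the scanner read it, so the fix is to move it outside the web root or block it in the server configuration, not to hope the dork is never run.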
Intitle is a command used when we want to filter documents based on the titles of HTML pages. HTML page titles contain the keywords that define the whole document; they summarize what the document describes. We can use this feature to get exactly what we want. Suppose we are looking for documents containing information about IP cameras; then we write a query telling Google to filter all pages based on the provided argument.
The basic syntax to use this command is as follows:
We also have the option of using multiple keywords to get more precise results. To use multiple keywords, we write each one in its own pair of quotes. Google gets all the pages first and then applies the filter to the results; web pages that do not have the provided keywords in their title are discarded. The syntax for using this command is as follows:
allintitle:”ip camera” “dvr”
Below is the result of this query. You can see that it has shown us all those pages that have both these keywords in their title. We can use this technique to filter our results very effectively.
The inurl command works the same way as intitle, except that it filters documents based on the text of the URL. URLs often contain keywords that describe the document, so we can use them to get exactly what we want. Again, suppose we are looking for documents containing information about IP cameras; then we write a query telling Google to filter all pages based on the provided argument. We also have the option of using multiple keywords to get more precise results.
The basic syntax to use this command is as follows:
Below is the result of this query. You can see that it has shown us all those pages that have both keywords in their URL. We can use this technique to filter our results very effectively. First have a look at the URLs we got in response:
And many more…..
Another command is very useful when we want to search for a specific entity. At first, we make our search criteria broad and collect information that may or may not be related to our needs. Once we have enough for a starting point, we narrow the search using other commands. For example, suppose we want to buy a car and we were searching for cars introduced in late 2020. After getting a list from the results, we studied the pages and found that Honda and Ford are reliable. The next step is to gather information about these cars from authentic websites, and this is where the site command comes in: we narrow our search to specific websites only.
It will return only results from this website.
Similarly, if we now want to search for Ford, we only change the website address and get our results.
Sometimes we want to search for documents of a specific type. For example, suppose we want to write an article about “phishing detection”. We cannot just start writing about it until we have done our own research. Research articles are mostly published in PDF format. If we want to read previous research on this topic, we add another dork to our command, called ext. Ext is a command used to specify file extensions; it works like the filetype command. If we modify our previous search about Ford cars to look only for PDF files, we write the query as follows:
From the results below, you can see that we now get only PDF files.
More Sample Examples
Suppose we want to find an FTP server. The approach is to combine several operators in one query to get what we want.
Finding FTP servers
Syntax is : intitle:”index of” inurl:ftp
It will find all index pages related to FTP servers and will show the directories as well.
After getting results, we can check different URLs for information.
We can sometimes even see source code that should not be public. The image attached below cannot be considered confidential, but the procedure for this activity is the same.
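As an added example that is not code from the article, the following covers both the cache section earlier and the intitle:"index of" example here from the site owner's side: given a response as a crawler would receive it, it reports whether the page can be indexed and archived (and so appear under a cache: query), and whether the body is an auto-generated directory listing. It assumes only the standard robots meta tag and X-Robots-Tag header and the markup of Apache/nginx autoindex and IIS directory-browsing pages; the sample responses are constructed.

```python
"""Audit how a page looks to a search engine: can it be indexed and cached (the
cache: operator), and is it a bare directory listing of the kind intitle:"index of"
surfaces?  Added example, not code from the original article; sample responses
are constructed.
"""
import re
from typing import Dict, List, Set, Tuple

_META_TAG = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
_ATTR = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
_LISTING_TITLE = re.compile(r"<title>\s*Index of\s+/", re.IGNORECASE)


def _split_directives(value: str) -> Set[str]:
    return {d.strip().lower() for d in value.split(",") if d.strip()}


def robots_directives(headers: Dict[str, str], html: str) -> Set[str]:
    """Collect robots directives from X-Robots-Tag and <meta name="robots">.
    User-agent-scoped forms such as "googlebot: noindex" are not split out."""
    found: Set[str] = set()
    for name, value in headers.items():
        if name.lower() == "x-robots-tag":
            found |= _split_directives(value)
    for tag in _META_TAG.findall(html):
        attrs = {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
                 for m in _ATTR.finditer(tag)}
        if attrs.get("name", "").lower() == "robots":
            found |= _split_directives(attrs.get("content", ""))
    return found


def cache_exposure(headers: Dict[str, str], html: str) -> List[str]:
    """Exposures a page has: "indexable", plus "cacheable" when noarchive is absent."""
    d = robots_directives(headers, html)
    if "noindex" in d or "none" in d:
        return []                      # never enters the index, so never the cache
    problems = ["indexable"]
    if "noarchive" not in d:
        problems.append("cacheable")   # a cache: query can still show an old copy
    return problems


def is_directory_listing(html: str) -> bool:
    """Heuristic for auto-generated directory listings (Apache, nginx, IIS)."""
    lower = html.lower()
    apache_or_nginx = bool(_LISTING_TITLE.search(html)) and (
        "parent directory" in lower or 'href="../"' in lower)
    iis = "[to parent directory]" in lower
    return apache_or_nginx or iis


# Constructed sample responses: name -> (headers, body)
SAMPLES: Dict[str, Tuple[Dict[str, str], str]] = {
    "apache_listing": ({"Content-Type": "text/html"},
        '<html><head><title>Index of /ftp/pub</title></head><body>'
        '<h1>Index of /ftp/pub</h1><a href="/ftp/">Parent Directory</a> '
        '<a href="backup.tar.gz">backup.tar.gz</a></body></html>'),
    "login_page": ({"Content-Type": "text/html", "X-Robots-Tag": "noindex, nofollow"},
        '<html><head><title>Login Page</title></head><body>...</body></html>'),
    "report": ({"Content-Type": "text/html"},
        '<html><head><meta content="noarchive" name="robots">'
        '<title>Quarterly report</title></head><body>...</body></html>'),
}


def audit(name: str) -> Dict[str, object]:
    """Run both checks on one of the constructed samples."""
    headers, body = SAMPLES[name]
    return {"exposure": cache_exposure(headers, body),
            "directory_listing": is_directory_listing(body)}


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, audit(sample))
```

A directory listing that comes back `indexable` and `cacheable` is exactly what the intitle:"index of" query above surfaces, and a copy may survive in the cache after directory browsing is switched off; disabling autoindex and adding noarchive (or noindex) to pages that should never be searchable closes both doors.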
Accessing Online Cameras
Now that we have read a lot about these dorks, we may come across something that should not be accessed because it may hurt someone’s privacy. The purpose of this activity is to spread the word that we need to take our privacy seriously. People nowadays are putting CCTV cameras in place to make their premises secure, but they are not making the cameras themselves secure. They make it even worse by exposing them publicly. Below are some screenshots of cameras that are public and anyone can see what is going on there.
You can see that these people are more vulnerable now, because anyone can keep track of their activities easily.
Some more examples:
I cannot post more than that. People are even exposing their homes, which is not ethical to view even if we can access it.
The purpose of using Google Dorking should be to use these tricks to make people and yourself secure. If you are reading this, it means you have some interest in cybersecurity. It is the responsibility of every individual to use information for the well-being of others, and that should be the final goal as well.
To learn more about complex commands you can refer to GitHub. People have written complex commands combining two or more dorks for accurate results. In the end, it is all about practice.
Custom Crafting Google Dork Queries
Now that we have a basic understanding of some of the operators and how Google Dorks can be used to scour the web, it’s time to look at query syntax. The following is the high-level structure of a Google Dork that targets a specific domain:
- “inurl: domain/” “additional dorks”
A hacker would simply plug in the desired parameters as follows:
- inurl = the URL of a site you want to query
- domain = the domain for the site
- dorks = the sub-fields and parameters that a hacker wants to scan
If a hacker wishes to search by a field other than the URL, the following can be effectively substituted:
These options will help a hacker uncover a lot of information about a site that isn’t readily apparent without a Google Dork. They also offer ways to scan the web to locate hard-to-find content. The following is an example of a Google Dork:
Making Effective Use of Operators
It may seem a little cryptic at first, so let me provide a few examples that show how the different operators can be used to locate content and website data. A user can make effective use of the intitle operator to locate anything on a website. Perhaps they are scraping email addresses and want to scan sites for the “@” symbol, or maybe they are looking for an index of other files.
Furthermore, the intext operator can basically be used to scan individual pages for any text you want, such as a target’s email address, name, the name of a web page (like a login screen) or other personal information to collect data about them.
The more you practice, the further you’ll be able to hone your queries to pinpoint different types of websites, pages, and vulnerabilities. Again, I need to caution you not to use these queries to attack another website, because that would be illegal and could get you into a lot of trouble. Still, Google Dorks are a great way to locate hidden information on the web, which is why hackers love to use them to find security flaws in websites.
If you want to dig into some more queries, there are some great Google Dork resources on the web.