Google dorking or Google Hacking is a hacking technique that uses the advance search functionality in Googles search engine.
Now a hacker isn’t going to just search your company name and have Google return all of your vulnerable web applications or exposed documents. What it will do is return hundreds of sites that match or are similar to each word that you have searched for. Some will be relevant and a lot of it won’t be. You would be pretty desperate to ever go past page 6 and a hacker isn’t going to waste time doing this. Instead, they are going to use Google Dorks to have Google return specific queries such as URLs that contain certain file extensions.
If you don’t want to go through the hassle of remembering them, you could also use the advance search page:
The other thing to note is that Google records all searches. If you are thinking about doing some reconnaissance under the radar, you would be better using DuckDuckGo.
If you want to use the examples below, you will just need to replace [Keyword] with your query. You can also add another layer by adding keywords in front of the query or other Dorks, such as:
“Why did they make Vista site:Microsoft.com”
The “” are needed.
If you wanted to search keywords within a URL, you could use:
If you wanted to only search withing a given domain:
If you wanted to only search for certain files:
If you wanted to search the body of the website for specific text:
Example: intext:username filetype:log
If you wanted to search for links:
If you wanted to find information Google has on a page:
These are very basic examples in which you can use to return specific information from Google. When you mix these with known vulnerabilities or common vendor variables you can get some pretty interesting results.
Finding indexed SSH private keys:
intitle:index.of id_rsa -id_rsa.pub
Fetching SSH usernames from logs:
filetype:log username putty
Open FTP servers:
intitle:”index of” inurl:ftp
Finding saved email addresses:
If you wanted to search a specific company, remember you can add a common search or add another dork:
“[Keyword]” filetype:xls inurl:”email.xls”
IP Based Cameras:
Juniper Web Device Manager Login:
intitle:”Log In – Juniper Web Device Manager”
Dell Server IDRAC Login Portals:
Finding company default passwords. You can either narrow it down by one file type or pipe several, like so:
“your default password is” filetype:doc | filetype:pdf | filetype:csv | filetype:pdf | filetype:docx
filetype:pcf “cisco” “GroupPwd”
As you can see, if you get creative, you can find some really interesting stuff. Vendors often follow common patterns, so try and have a think of keywords you could use to pull specific results back. If you can’t think of any, try looking through the Google Hacking DB: https://www.exploit-db.com/google-hacking-database?
Remember, reconnaissance isn’t illegal but acting on what you fine might.