Wednesday, December 7, 2022

What Is Google Dorking?

Efficient Reconnaissance During Penetration Testing

For normal users, Google is the most famous search engine in the world. For those who know how to perform advanced Google searches, it can also become a very useful and powerful hacking tool.

WHAT IS GOOGLE DORKING

Google Dork or Google Dorking is a great resource for security research.


It has been around since the early 2000s. It simply requires the use of certain operators, which are special keywords supported by Google (or any other search engine).

In this article we are going to focus on Google Dorking because it is the best web crawler in the world at the moment.

It leverages Google’s indexing capabilities to list all resources in a website, including information that was never meant to be public. The only way to block particular resources from being indexed is to add them to your website’s robots.txt file.

In simple terms, Google Dorking is the use of advanced Google search queries.

HOW TO USE IT

There are resources online which have many queries ready for you to use so you don’t need to think of any by yourself.

One of the best resources is GHDB. Offensive Security has created a database called the Google Hacking Database, or “GHDB”, where they list all search terms, or “Dorks”.

You can search through the GHDB here

The entries are categorized and you can quickly search for a Dork you may already have in mind.

The GHDB categories are:

  1. Footholds
  2. Files containing usernames
  3. Sensitive directories
  4. Web server detection
  5. Vulnerable files
  6. Error messages
  7. Files containing juicy info
  8. Files containing databases
  9. Sensitive online shopping info
  10. Network or vulnerability data
  11. Pages containing login portals
  12. Various online devices
  13. Advisories and vulnerabilities

DOWNLOAD THE LATEST GOOGLE DORK LIST FOR 2020

You can also download this list which contains more than 4000 entries you can search for on Google.

Below is a list of commonly used keywords and their explanation:

cache: The query [cache:] will show the version of the web page that Google has in its cache.

For instance, [cache:www.google.com] will show Google’s cache of the Google homepage. Note there can be no space between the “cache:” and the web page url. This functionality is also accessible by clicking on the “Cached” link on Google’s main results page.

If you include other words in the query, Google will highlight those words within the cached document. For instance, [cache:www.google.com web] will show the cached content with the word “web” highlighted.

link: The query [link:] will list webpages that have links to the specified webpage.

For instance, [link:www.google.com] will list webpages that have links pointing to the Google homepage. Note there can be no space between the “link:” and the web page url.

related: The query [related:] will list web pages that are “similar” to a specified web page. 

For instance, [related:www.google.com] will list web pages that are similar to the Google homepage. Note there can be no space between the “related:” and the web page url.

info: The query [info:] will present some information that Google has about that web page. 

For instance, [info:www.google.com] will show information about the Google homepage. Note there can be no space between the “info:” and the web page url.

define: The query [define:] will provide a definition of the words you enter after it, gathered from various online sources. The definition will be for the entire phrase entered (i.e., it will include all the words in the exact order you typed them). 

stocks: If you begin a query with the [stocks:] operator, Google will treat the rest of the query terms as stock ticker symbols, and will link to a page showing stock information for those symbols. 

For instance, [stocks: intc yhoo] will show information about Intel and Yahoo. (Note you must type the ticker symbols, not the company name.)

site: If you include [site:] in your query, Google will restrict the results to those websites in the given domain. 

For instance, [help site:www.google.com] will find pages about help within www.google.com. [help site:com] will find pages about help within .com urls. Note there can be no space between the “site:” and the domain.


allintitle: If you start a query with [allintitle:], Google will restrict the results to those with all of the query words in the title. 

For instance, [allintitle: google search] will return only documents that have both “google” and “search” in the title.

intitle: If you include [intitle:] in your query, Google will restrict the results to documents containing that word in the title.

For instance, [intitle:google search] will return documents that mention the word “google” in their title, and mention the word “search” anywhere in the document (title or not). Note there can be no space between the “intitle:” and the following word. Putting [intitle:] in front of every word in your query is equivalent to putting [allintitle:] at the front of your query: [intitle:google intitle:search] is the same as [allintitle: google search].

allinurl: If you start a query with [allinurl:], Google will restrict the results to those with all of the query words in the url.

For instance, [allinurl: google search] will return only documents that have both “google” and “search” in the url. Note that [allinurl:] works on words, not url components. In particular, it ignores punctuation. Thus, [allinurl: foo/bar] will restrict the results to pages with the words “foo” and “bar” in the url, but won’t require that they be separated by a slash within that url, that they be adjacent, or that they be in that particular word order. There is currently no way to enforce these constraints.

inurl: If you include [inurl:] in your query, Google will restrict the results to documents containing that word in the url. 

For instance, [inurl:google search] will return documents that mention the word “google” in their url, and mention the word “search” anywhere in the document (url or not). Note there can be no space between the “inurl:” and the following word. Putting “inurl:” in front of every word in your query is equivalent to putting “allinurl:” at the front of your query: [inurl:google inurl:search] is the same as [allinurl: google search].

filetype: If you include [filetype:pdf] in your Google search, you will get PDF documents as results. You can use this keyword with many other file types, such as docx, xlsx, txt and so on.

GOOGLE DORKING FOR DEFENSE

Google Dorking is great for penetration testing activities and security research, but it can also be used to aid in the protection of sensitive information.

You can look up information on services you or your company own and administer, like FTP and web servers, as well as information about yourself, a company’s employees and data related to them which may potentially be exposed.

A simple process to use when checking for potential leaks of sensitive information is the following:

  1. [Your Name] filetype:pdf
     Do the same search for other file types like doc, docx, xlsx, xls, txt and so on.
  2. [Your Name] intext:[personal information like ID, phone number etc.]
  3. site:[Your Website's Address] filetype:pdf (or any other filetype)
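The following Python script is an added example and is not part of the original article or of GHDB. It turns the three-step self-check above into reproducible queries and applies the operator rules given in the keyword list (no space between an operator such as site:, filetype: or intext: and its argument; multi-word names quoted as a phrase). It generalises the process to any number of names, domains and file types, and includes a validator that catches the spacing mistake the article repeatedly warns about. The names, domains and terms are constructed placeholders; replace them with your own organisation's data.

```python
"""Generate Google self-assessment queries for exposed documents and personal data.

Added example (not from the article or GHDB). Assumes nothing beyond the
operator syntax described in the article; all sample values are constructed.
"""
import re
from urllib.parse import urlencode

# Operators that take a single argument and must NOT be followed by a space.
# (allintitle: / allinurl: are deliberately excluded: the article shows them
# with a space, e.g. [allintitle: google search].)
NO_SPACE_OPERATORS = (
    "site", "filetype", "intext", "intitle", "inurl",
    "cache", "link", "related", "info",
)
_BAD_SPACING = re.compile(r"\b(" + "|".join(NO_SPACE_OPERATORS) + r"):\s")

# Constructed sample inputs for the self-check.
SUBJECTS = ["Jane Example"]                      # people whose exposure is checked
DOMAINS = ["example.com"]                        # domains you own and administer
FILE_TYPES = ["pdf", "doc", "docx", "xlsx", "xls", "txt"]
PERSONAL_TERMS = ["ID", "phone"]                 # identifiers to look for in page text


def phrase(value: str) -> str:
    """Quote a multi-word value so Google treats it as one exact phrase."""
    return f'"{value}"' if " " in value else value


def term(operator: str, value: str) -> str:
    """Build operator:value with no space, quoting the value if needed."""
    if operator not in NO_SPACE_OPERATORS:
        raise ValueError(f"unsupported operator: {operator}")
    return f"{operator}:{phrase(value)}"


def build_queries(subjects, domains, file_types, personal_terms):
    """Produce the queries for steps 1-3 of the article's self-check process."""
    queries = []
    for subject in subjects:
        # Step 1: name combined with each document type.
        for file_type in file_types:
            queries.append(f"{phrase(subject)} {term('filetype', file_type)}")
        # Step 2: name combined with a personal-information term in the page text.
        for personal in personal_terms:
            queries.append(f"{phrase(subject)} {term('intext', personal)}")
    # Step 3: documents of each type indexed under your own domains.
    for domain in domains:
        for file_type in file_types:
            queries.append(f"{term('site', domain)} {term('filetype', file_type)}")
    return queries


def is_well_formed(query: str) -> bool:
    """False if an operator is followed by a space, e.g. 'site: example.com'."""
    return _BAD_SPACING.search(query) is None


def search_url(query: str) -> str:
    """URL-encode a query so it can be opened or recorded in a review checklist."""
    return "https://www.google.com/search?" + urlencode({"q": query})


if __name__ == "__main__":
    for q in build_queries(SUBJECTS, DOMAINS, FILE_TYPES, PERSONAL_TERMS):
        status = "ok " if is_well_formed(q) else "BAD"
        print(f"[{status}] {q}\n       {search_url(q)}")
```

Run it as a script to print each query alongside its encoded search URL; the queries still have to be submitted manually and the results reviewed by a person, since the point of the exercise is to see what Google has indexed about your own assets before someone else does.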

You can use the GHDB from Offensive Security to perform more advanced queries as you go on with your research.


Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he holds the CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 certifications, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.
