Google Dorking: How to verify the security of your website or web application using Google

Google Dorking (also known as Google Hacking) is a resource often used by cybersecurity specialists. It consists of using the basic and advanced operators supported by Google to perform very specific searches that detect vulnerabilities or sensitive information incorrectly published on a website or a web application.

Firstly, to clarify how these operators can be used in this way, a list of basic search operators supported by Google is detailed below [1]:

Operator   Example search              Meaning
""         "MySQL dump 10.13"          Exact search. It only shows results which contain the exact expression MySQL dump 10.13.
AND        computer AND security       Logical operator AND. Used by default if no other operator is specified. It shows results with the term computer and also the term security.
OR         computer OR security        Logical operator OR. It shows results which contain the term computer, the term security or both.
|          computer | security         Synonym of the OR operator, but shorter and more intuitive if you are used to using regex.
*          computer * security         Wildcard operator. Very useful when combined with the exact search operator. It shows results which contain the term computer (followed by one or more terms) and which then also contain the term security.
-          computer -security          Negation operator. It can be applied to terms or to other search operators. It shows results with the term computer but not with the term security.
~          ~cybersecurity              Similar search. It shows results with similar terms or synonyms of cybersecurity, such as cyber security or cyber-security.
()         (pc | computer) security    Operator for sorting and grouping search terms. It shows results which contain the term security and which also contain computer, pc or both.
..         port 1..1024                Operator for specifying a range of numbers. Very useful when combined with the exact search operator. It shows results with the term port followed by a number between 1 and 1024.

Secondly, a list with the most important advanced search operators is detailed below:

Operator      Example                       Meaning
site:         site:openminds.com.ar         It shows only results indexed within the domain openminds.com.ar.
cache:        cache:openminds.com.ar        It shows the content of the website openminds.com.ar as stored in the Google cache the last time Google indexed the page.
intitle:      intitle:cybersecurity         It shows results which contain the term cybersecurity within the HTML title tag. One or several terms can be specified, grouped with the logical operator OR.
allintitle:   allintitle:secret document    It shows results which contain both the term secret and the term document within the HTML title tag. More than one term can be specified, separated by a blank space.
inurl:        inurl:cybersecurity           It shows results which contain the term cybersecurity within the URL. One or several terms can be specified, grouped with the logical operator OR.
allinurl:     allinurl:secret document      It shows results which contain both the term secret and the term document within the URL. More than one term can be specified, separated by a blank space.
intext:       intext:cybersecurity          It shows results which contain the term cybersecurity in any part of the web page content. One or several terms can be specified, grouped with the logical operator OR.
allintext:    allintext:secret document     It shows results which contain both the term secret and the term document in any part of the web page content. More than one term can be specified, separated by a blank space.
filetype:     filetype:pdf                  It shows only results which are files with a .pdf extension. It can be used with any other extension such as .doc, .xls, .txt, etc.
ext:          ext:pdf                       Synonym of the filetype operator, but shorter.

To conclude, varied search examples are presented which combine the above listed operators in order to illustrate how they can be used to detect vulnerabilities or critical information incorrectly published in a website or web application.

Example 1: Find .pdf files

site:openminds.com.ar filetype:pdf

When this Google search is run, all the files with a .pdf extension indexed in the domain openminds.com.ar are displayed. A simple search like this one will more often than not return documents which contain critical information and are erroneously publicly accessible. Instead of the .pdf file extension, this search can be performed with any other file type, such as .txt, .doc, .xls, .sql, etc.

Example 2: Search websites or web applications which are not using HTTPS

site:openminds.com.ar -inurl:https

When executing this search, all the websites and web applications within the domain openminds.com.ar which are not using HTTPS will be displayed. This is a tremendous help when there is a transition process from HTTP to HTTPS in order to encrypt the communication with the web server.

Example 3: Find log files with sensitive information

site:openminds.com.ar filetype:log intext:(username|password)

In this case, all the files with a .log extension stored in the domain openminds.com.ar which contain the terms username or password will be displayed. In other words, this search tries to find any log file incorrectly published through the web server which contains sensitive information such as usernames or passwords. Another similar variant of this search would be to specify the extension .txt and include the terms robots.txt and disallow. The goal here would be to obtain access to the content of the robots.txt file, where the domain admin specifies files and folders that should not be indexed by Google. These files and folders will not be indexed, but they are still public and they may also contain sensitive information.

Example 4: Find files within a directory listed by a web server

site:openminds.com.ar intitle:"Index of /" (contraseñas.txt|passwords.txt)

In this example, the idea is to find in the domain openminds.com.ar a directory whose content is being listed by the web server and which contains a file named contraseñas.txt or passwords.txt. Using the operator intitle:"Index of /" together with a domain is very useful to detect directories whose content is being mistakenly listed. Instead of the .txt files specified, the search could be performed with other interesting file names such as databases.sql.zip, emails.xls or id_rsa, with the objective of finding zipped databases, spreadsheets with email addresses or RSA private keys, respectively.
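To check your own server for the exposures described in Examples 3 and 4, the following added example (not code from the original article) scans web server access logs for successful requests to paths hidden only by a robots.txt Disallow rule and for risky files fetched by Googlebot. The Combined Log Format, the sample lines and all function names are assumptions, and robots.txt rules are treated as plain prefixes without wildcards.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Combined Log Format; only method, target, status and user agent are needed.
LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$')
# File types and names from the article's examples (.txt is left out because
# robots.txt and similar files are public by design; adjust for your site).
RISKY_EXT = {".log", ".sql", ".xls", ".doc", ".zip"}
RISKY_NAMES = {"id_rsa", "passwords.txt", "contraseñas.txt"}

def disallowed_prefixes(robots_txt):
    """Collect Disallow path prefixes from a robots.txt body (all groups)."""
    prefixes = []
    for raw in robots_txt.splitlines():
        field, _, value = raw.split("#", 1)[0].partition(":")  # drop comments
        if field.strip().lower() == "disallow" and value.strip() not in ("", "/"):
            prefixes.append(value.strip())
    return prefixes

def find_exposures(log_lines, robots_txt):
    """Return (path, reason) for successful GETs that indicate exposed content."""
    hidden = disallowed_prefixes(robots_txt)
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] != "GET" or not m["status"].startswith("2"):
            continue  # unparsable, not a GET, or the server refused the request
        path = unquote(urlsplit(m["target"]).path)  # decodes %C3%B1 to ñ
        name = posixpath.basename(path).lower()
        if any(path.startswith(p) for p in hidden):
            findings.append((path, "served publicly despite robots.txt Disallow"))
        elif "googlebot" in m["agent"].lower() and (
                name in RISKY_NAMES or posixpath.splitext(name)[1] in RISKY_EXT):
            findings.append((path, "risky file fetched by Googlebot"))
    return findings

# Constructed sample input (documentation IP range, made-up paths).
BOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
ROBOTS = "User-agent: *\nDisallow: /backup/  # old dumps\nDisallow:\n"
def sample_hit(target, status, agent):
    return f'192.0.2.10 - - [10/Mar/2024:10:00:01 +0000] "GET {target} HTTP/1.1" {status} 512 "-" "{agent}"'
SAMPLE_LOG = [
    sample_hit("/robots.txt", 200, BOT),
    sample_hit("/backup/databases.sql.zip", 200, "curl/8.5.0"),
    sample_hit("/files/contrase%C3%B1as.txt", 200, BOT),
    sample_hit("/logs/app.log", 403, BOT),
    sample_hit("/docs/guide.pdf", 200, BOT),
]
```

The user agent string is not authenticated, so a match only shows that the URL is publicly fetchable, which is the exposure regardless of who requested it. Each finding should be fixed at the server (remove the file, require authentication or disable directory listing) rather than by adding another Disallow line.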

Example 5: Find public directories listed by an FTP server

site:openminds.com.ar intitle:"Index of /" inurl:ftp

Google indexes content not only from web servers but also from FTP servers. In this case, the search aims to find within the domain openminds.com.ar any public directory that is being listed by the FTP server. This is another interesting example of how to use the operator intitle:"Index of /" to detect information that is being published by mistake.

Example 6: Find pages potentially vulnerable to an SQL injection attack

site:openminds.com.ar inurl:php?id=1..10

In this example, web pages are searched within the domain openminds.com.ar which have a parameter called id with a value between 1 and 10. The results can later be analyzed to check whether the value of the parameter is correctly validated before operating on the database or whether it is vulnerable to an SQL injection attack. The parameter name and the range of values specified here are just one possibility among the many combinations that can be used to detect this kind of vulnerability.

These examples are far from an exhaustive list of searches to determine whether a website or web application presents vulnerabilities or sensitive information erroneously published. The objective is to illustrate how Google can be used as a tool to detect these issues. In practice, the possible combinations of operators and searches are endless. Luckily, there are several public lists of these dorks that can be used to perform a deeper analysis. There are also very useful tools such as DorkMe [2], dorkbot [3], BinGoo [4] or Zeus-Scanner [5] that can be of great help in automating this process.

References:
[1] https://support.google.com/websearch/answer/2466433?hl=en
[2] https://github.com/blueudp/DorkMe
[3] https://github.com/utiso/dorkbot
[4] https://github.com/Hood3dRob1n/BinGoo
[5] https://github.com/Ekultek/Zeus-Scanner