
A Google Dork, also known as Google Dorking or Google hacking, is an advanced technique for retrieving information from Google. It is mostly used to find vulnerable targets and sensitive data using advanced search queries, and it is a valuable resource for security researchers. Google is known as a search engine used to find text, images, videos, and news, but it can also be turned into a useful hacking tool. In this post I will show you how Google dorks are used.
How is it possible to use Google in hacking websites?
Websites are not hacked directly using Google. What is actually done is to leverage Google's crawling capabilities to get information you would ordinarily not have access to.
Google has impressive web crawling capabilities that can index almost anything within your website, including sensitive information.
What this means is that sensitive information such as web technologies, usernames, passwords, etc. could be exposed without you even knowing it.
Specific resources on your website can be blocked from being crawled by Google using a robots.txt file. Google indexes all the information that is present on any website but will skip the contents listed in robots.txt.
Before we begin
While this information is publicly available on the Internet, and Google provides it and encourages its use on a legal basis, people with the wrong intentions could use it to harm others online. So if you are reading this post, please be careful and mature about its use.
Using Google Dorks
Let's look at useful Google Dorks and what they do. All you have to do is paste the dorks into the Google search box and watch the wonder.
For most of my examples I will be using http://google-gruyere.appspot.com. This is a deliberately vulnerable site, full of holes and aimed at those just starting to learn application security. You can check it out.
1. cache: This dork will show you the cached version of any website. In this example I will check the cache for a site called google-gruyere.appspot.com, e.g. cache: google-gruyere.appspot.com
2. allintext: searches for specific text contained on any web page, e.g. allintext: pentesting tools
3. allintitle: exactly the same as allintext, but will show pages whose titles contain the stated words, e.g. allintitle:”infosec”
4. allinurl: This can be used to fetch results whose URL contains all the specified characters, e.g. allinurl: google-gruyere.appspot.com
5. filetype: This dork is used to search for any kind of file extensions, for example, if you want to search for jpg files you can use: filetype: jpg
6. inurl: This is exactly the same as allinurl, but it is only useful for one single keyword, e.g. inurl: admin
7. intitle: This is used to search for various keywords inside the title, for example, intitle:security tools will search for titles beginning with “security” but “tools” can be somewhere else in the page.
8. inanchor: This is useful when you need to search for an exact anchor text used on any links, e.g. inanchor:”cyber security”
9. intext: Useful to locate pages that contain certain characters or strings inside their text, e.g. intext:”pentest”
10. link: will show the list of web pages that have links to the specified URL, e.g. link: microsoft.com
11. site: This will show you the full list of all indexed URLs for the specified domain and subdomain, e.g. site:google-gruyere.appspot.com
12. *: This is a wildcard used to search pages that contain “anything” before your word, e.g. how to * a website, will return “how to…” design/create/hack, etc… “a website”.
Accessing Log files with Google dorks
Log files are prime targets because of the sensitive information that can be found within them on any website. Error logs, access logs and other kinds of application logs are often discovered inside the public HTTP space of websites. These can help attackers find the web server version being used, as well as the critical system paths of your CMS or framework.
For this kind of dork we can combine two Google operators, allintext and filetype. Let's look at an example:
allintext:username filetype:log
This will show a lot of results that include “username” inside *.log files.
As you can see from the screenshot, usernames and passwords were also exposed.
Vulnerable web servers
The following Google Dork can be used to detect vulnerable or hacked servers that allow appending “/proc/self/cwd/” directly to the URL of the website. This is the current working directory of the page being served to you, which means you have direct access to that directory straight from your browser.
inurl:/proc/self/cwd
As you can see in the following screenshot, vulnerable server results will appear, along with their exposed directories that can be accessed from your own browser.
Exposing ENV files
.env files are used by popular web development frameworks to declare general variables and configurations for local and online development environments.
One recommended practice is to keep these .env files somewhere that isn't publicly accessible. However, as you will see, many developers don't bother and leave their .env file in the main public website directory.
As this is a critical dork, I advise you to be very careful with its usage.
filetype:env APP_ENV
Exposing Email lists
You can easily find email lists using Google Dorks. The example below will find Excel files which may contain a lot of email addresses.
filetype:xls inurl:”email.xls”
Exposing Live cameras
With this dork, IP cameras that are accessible over the internet can also be watched, thanks to Google dorks.
The following Google hacking techniques can help you fetch live camera web pages that are not restricted by IP.
inurl:top.htm inurl:currenttime
To find WebcamXP-based transmissions:
intitle:”webcamXP 5″
To find general live cameras:
inurl:”lvappl.htm”
There are a lot of live camera dorks that can let you watch any part of the world, live. You can find education, government, and even military cameras without IP restrictions.
…Interesting.
Exposing MP3, Movie, and PDF files
Yes, and this one, my friend, is the ultimate. Yeah, I left the best for last. Google dorks can be used to download movies, music and books (PDFs, EPUBs, etc.). To do that, just use the following dorks:
intitle: index of mp3
The same applies to any media files or PDF documents you may need: just replace the file type and you are good to go.
intitle: index of mp4
intitle: index of avi
intitle: index of mkv
intitle: index of pdf
There are pretty complex Google dorks for advanced searches, but these basic ones still do the magic.
There is a site that keeps a database of Google dorks. Click on the link below to access it:
https://www.exploit-db.com/google-hacking-database
Preventing Google Dorks
The measures listed below can help protect your website from Google dork hacks.
- Protect private areas with username and password authentication, and also with IP-based restrictions.
- Encrypt your sensitive information (user, passwords, credit cards, emails, addresses, IP addresses, phone numbers, etc).
- Run regular vulnerability scans against your site. In particular, use these Google Dork queries to see how exposed your website is. You can find a great list of popular dorks in the Exploit DB Google Hacking Database: https://www.exploit-db.com/google-hacking-database
- If you find sensitive content exposed, request its removal by using Google Search Console.
- Block sensitive content from crawlers with a robots.txt file located in your root-level website directory (robots.txt is advisory and itself publicly readable, so it complements authentication rather than replacing it).
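The log-file and .env sections above show what ends up exposed when sensitive files sit in the public HTTP space, and robots.txt only asks crawlers to skip paths. The following Python script is an added example, not from the original post: it parses a constructed robots.txt and constructed Apache-style access log lines and flags successful search-crawler fetches of disallowed paths or of the sensitive file types discussed on this page (.log, .env, .xls, /proc/self/cwd); all IPs, paths and user agents are made up.

```python
import re

# Constructed robots.txt, standing in for the one at your site's root.
ROBOTS_TXT = """User-agent: *
Disallow: /logs/
Disallow: /.env
Disallow: /backup/
"""

# Constructed Apache combined-format access log lines (not real traffic).
ACCESS_LOG = """\
66.249.66.1 - - [10/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.1 - - [10/Mar/2024:10:01:05 +0000] "GET /logs/error.log HTTP/1.1" 200 88212 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.7 - - [10/Mar/2024:10:02:11 +0000] "GET /.env HTTP/1.1" 200 412 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.9 - - [10/Mar/2024:10:03:40 +0000] "GET /export/email.xls HTTP/1.1" 200 20480 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
198.51.100.9 - - [10/Mar/2024:10:04:00 +0000] "GET /.env HTTP/1.1" 403 199 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
192.0.2.4 - - [10/Mar/2024:10:05:00 +0000] "GET /about.html HTTP/1.1" 200 3000 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')
CRAWLER_RE = re.compile(r"Googlebot|bingbot|DuckDuckBot", re.I)
# File types and paths the post shows being exposed via search engines.
SENSITIVE_RE = re.compile(r"(\.log|\.env|\.xls)(\?|$)|/proc/self/cwd", re.I)

def parse_disallows(robots_txt):
    """Return the path prefixes robots.txt asks crawlers to skip (a request, not a control)."""
    return [line.split(":", 1)[1].strip() for line in robots_txt.splitlines()
            if line.lower().startswith("disallow:") and line.split(":", 1)[1].strip()]

def audit_crawler_hits(access_log, robots_txt):
    """Flag crawler requests that successfully (HTTP 200) fetched content that should not be public."""
    disallows = parse_disallows(robots_txt)
    findings = []
    for line in access_log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, method, path, status, ua = m.groups()
        if status != "200" or not CRAWLER_RE.search(ua):
            continue  # only successful fetches by self-declared search crawlers matter here
        reasons = []
        if any(path.startswith(p) for p in disallows):
            reasons.append("disallowed in robots.txt")  # a 200 here means robots.txt did not protect it
        if SENSITIVE_RE.search(path):
            reasons.append("sensitive file type")  # reachable regardless of robots.txt: needs auth or removal
        if reasons:
            findings.append((ip, path, ", ".join(reasons)))
    return findings
```

Each finding is a candidate for the Search Console removal request and the access restrictions listed above.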
And that’s it. I hope you enjoyed this educative post.