Google Dorks for Pentesters

What is google Dorking ?

Google dorking is a method or technique used to find precise search results,but with a little creativity we can find all kinds of data exposed in the internet accidentally. This technique can also be used to get precise information on any topic while googling things. The first thing that a cyber security enthusiat thinks when he hears accidentally connected to the internet might be shodan,but we are going to see how we can see these search results through a simple google search tricks,things like log files, error files,index of files, webcams,sites without an SSL certificate, admin pages and what not.For this we will be using specific search strings.From a bug hunters perspective these are low severity bugs or server misconfiguration, even though it is a very powerful technique.

How does the google give us search results ?

Google uses an automated powerful software called crawlers or web crawlers to go through all the web pages.While the crawlers crawl through the web pages it learns about the content,images,video files etc and create index for the web page.These index are stored in large servers.Whenever we search for anything in Google,these Indexes are later used to give search results faster to the user who is searching. 

Is Google Dorking legal?

First of all and the important part is that it’s legal! It’s all indexed, publicly available information. However, what you do with this is where the question of legality comes in to play.In simple words you can find anything on the internet using google dorks,including files exposed to the internet too. These can be called as advanced google search operators also. From a security researchers perspective Google dorking can be a passive information gathering/foot printing technique that is used to discover vulnerabilities,data exposure and security misconfiguration in websites.

It involves using of specialized search query operators to fine tune results based on what we are looking for.Some of the very common google search operators are mentioned below.

inurl:Restricts results to the URL of a website.

intext :Searches through the text in the webpages

intitle:Restricts results to the titles of a website.

An simple example of what is what is shown in the image below.

Do you want more strings?

intext or allintext:Searches through the text in the webpages

site: Narrows results to a site or a specific site.

filetype : Searches for specific file types based on the extensions (iso, pdf, jpeg etc).

cache: Searches for a cached copy of a webpage when it was indexed by google usually used to find old version of webpages.

inanchor: This can be used when you need to search for exact anchor text used on any links.

* : used to search pages that contain “anything” before your input word. example: How to * a system?

| : This is a logical operator used to give multiple search input in a single search.

+ :Used to concatenate words.

 :Minus operator used to remove or avoid showing results that contain certain words.

Let’s see Some real life google dorks example

These are presented for strictly educational purposes only.I am not responsible for any misuse of these contents. 

The interesting things we can find on google includes Log files,vulnerable web servers,open FTP servers, ENV files,SSH private keys,Email lists, Live cctv cameras,PDF files,Zoom videos,Admin pages of websites,Government documents, and the list goes on.Let’s see a few examples of these.

  • Vulnerable web servers

 inurl:/proc/self/cwd

Here we got vulnerable web servers

  • Open FTP servers

intitle:”index of” inurl:ftp

With the following dork, you’ll be able to explore public FTP servers, which can often reveal great things.

  • SSH private keys

intitle:index.of id_rsa -id_rsa.pub

With the following dork, you will be able to find SSH private keys that were indexed by Google crawlers

  • Email lists

filetype:xls inurl:”email.xls”

It’s just that easy to find email stored excel files.

live cameras

ip based cameras :- inurl:top.htm inurl:currenttime

Next time when you setup a IP camera be careful or else the whole world can see you.

To search WebcamXP-based transmition :- intitle:”webcamXP 5″

There are a lot of live camera dorks that will let you watch any part of the world, that too live in your room. You can find education, government, and even military cameras without IP restrictions out there.

If you can get creative you can even do some white hat penetration testing on these cameras; you’ll be surprised at how you’re able to take control of the full admin panel remotely, and even re-configure the cameras as you need them to.

Zoom videos

“Zoom-bombing” became a popular during online meetings in 2020 during the initial lockdown time. The company has since tried to placed some restrictions to make it harder to find/disrupt Zoom meetings, but as long as a URL is shared, a Zoom meeting can still be found in the internet. Some times it will take crowlers some time ti find the meeting.Sometimes the meeting might have been over also.

inurl:zoom.us/j and intext:scheduled for

Many more things can be found using google dorks but for now let’s conclude with some safety tips.

How to Prevent Google Dorks from hunting you

There are a lot of ways to avoid falling into the eyes of a Google Dork.These measures are suggested to prevent your sensitive information from being indexed by search engines like Google.

  • Protect private areas with a user and password authentication and also by using IP-based restrictions.
  • Encrypt your sensitive data(user names, passwords, credit cards, email, addresses, IP addresses, phone numbers, and all other data).
  • Run regular dork queries against your own website to see if you can find any important information leaked before the bad guys can find them. You can find a great list of popular dorks at the Exploit DB Dorks database.
  • Run regular vulnerability scans against your own site, these usually use popular Google Dorks queries and can be pretty effective in detecting the most common ones easily.
  • If you find sensitive content exposed, you can request its removal by using Google Search Console.
  • Block sensitive content by using a robots.txt file located in your root-level website directory of your wesite.
  • some configurations to prevent Google dorks are as mentioned:-
User-agent: *
Disallow: /
Disallow: /admin/
Disallow: /privatearea/file.htm

Disallow: /*?
Disallow: /*.php$/

You can connect with me on Linkedin,Twitter , Medium

Happy hacking ✌️ Peace out

Arnold Prakash
I'm a degree student following my passion in the field of cyber security.