How hackers work through Google Dorks

Tomcat


What is Google Dork?

Google Dork, also known as Google Dorking or Google Hacking, is a valuable technique for security researchers. For the average person, Google is simply a search engine for text, images, videos and news. For a security researcher the same index is a reconnaissance tool: the advanced search operators described below surface files and pages that a site owner never meant to publish.

How can you use Google to hack websites?

You can't hack websites directly using Google, but its crawler indexes almost everything it can reach on a website, including sensitive files and error output.

This means that a site owner could be revealing too much about their web technologies, usernames, passwords and outright vulnerabilities without even realizing it.

In other words: Google Dorking is the practice of using Google to find vulnerable web applications and servers using Google's own search engine capabilities.

If the site owner does not keep a resource out of the crawler's reach, Google will index whatever it can discover on the site. Note that robots.txt only asks well-behaved crawlers to stay away: it is not access control, and a URL listed in it can still be indexed (without its content) when something links to it. After a while, anyone in the world can find the indexed material if they know what to look for and how.

Important note: Although this information is publicly available on the Internet and can be found legally, people with bad intentions may use it to harm you personally.

Keep in mind that Google also knows who you are when you run such a query. For this and many other reasons, use these techniques only with good intentions, whether for your own research or to find out what your own site exposes before someone else does.

Although some web developers disclose sensitive information unintentionally, that does not make it legal to use; accessing it can still land you on a list of cybercriminals. Even a VPN won't save you.

Before reading further, keep in mind that Google will start throttling you if you send many such queries from a single static IP address: it presents CAPTCHA ("I'm not a robot") challenges to stop automated requests.

Popular Google Dork Operators

The Google search engine has its own built-in query language. The following queries can be run to search for lists of files, information about your competitors or about people, SEO backlink data, and email lists, and, of course, to discover web vulnerabilities.

Let's take a look at the most popular Google Dorks

  1. cache: showed Google's cached copy of a page, e.g. cache:example.com. Google removed the cache: operator and cached-page links in 2024, so it no longer works; the Wayback Machine is the usual substitute.
  2. allintext: returns pages whose body text contains all of the given words, e.g. allintext:hacking tools
  3. allintitle: like allintext, but every given word must appear in the page title, e.g. allintitle:"Security Companies"
  4. allinurl: returns results whose URL contains all of the given words, e.g. allinurl:client area
  5. filetype: restricts results to a file extension; to find jpg files use filetype:jpg
  6. inurl: like allinurl, but applies only to the single word that follows it, e.g. inurl:admin
  7. intitle: restricts only the word that follows it to the title, e.g. intitle:security tools requires "security" in the title while "tools" may be anywhere on the page
  8. inanchor: finds pages that are linked with the given anchor text, e.g. inanchor:"cyber security"
  9. intext: finds pages containing the given word or phrase in their text, e.g. intext:"safe internet"
  10. link: listed pages linking to a URL, e.g. link:microsoft.com. Google dropped this operator in 2017, so it no longer returns useful results.
  11. site: restricts results to the given domain and its subdomains, e.g. site:securitytrails.com
  12. * : a wildcard standing for any word or words, e.g. how to * a website returns "how to design/create/hack ... a website"
  13. | : boolean OR, e.g. "safety" | "tips" returns pages containing "safety", "tips", or both
  14. + : historically forced a word to be included, e.g. security + trails; Google no longer honours it as an operator, so put the exact phrase in quotes instead
  15. - : the minus operator excludes results containing a word, e.g. security -trails returns pages that contain "security" but not "trails"
Google's search help documents the full set of operators.

Google Dork Examples

Let's look at some practical examples. You will be surprised how easy it is to extract sensitive information from indexed sites simply by using Google hacking techniques.

Logs

Logs are a good example of how sensitive information ends up exposed on websites. Error logs, access logs and other application logs are often left in the public HTTP space of a site. They tell an attacker which PHP version you run and the filesystem path of your CMS or framework.

For this type of search we combine two Google operators, allintext and filetype, like this:
allintext:username filetype:log

This returns *.log files whose text contains the word "username".

As a result, we found one website exposing a SQL error log from its database server that contained important information:
MyBB SQL Error. SQL Error: 1062 - Duplicate entry 'XXX' for key 'username'
Query: INSERT
INTO XXX (`username`,`password`,`salt`,`loginkey`,`email`,`postnum`,`avatar`,`avatartype`,`usergroup`,`additionalgroups`,`displaygroup`,`usertitle`,`regdate`,`lastactive`,`lastvisit`,`website`,`icq`,`aim`,`yahoo`,`msn`,`birthday`,`signature`,`allownotices`,`hideemail`,`subscriptionmethod`,`receivepms`,`receivefrombuddy`,`pmnotice`,`pmnotify`,`showsigs`,`showavatars`,`showquickreply`,`showredirect`,`tpp`,`ppp`,`invisible`,`style`,`timezone`,`dstcorrection`,`threadmode`,`daysprune`,`dateformat`,`timeformat`,`regip`,`longregip`,`language`,`showcodebuttons`,`away`,`awaydate`,`returndate`,`awayreason`,`notepad`,`referrer`,`referrals`,`buddylist`,`ignorelist`,`pmfolders`,`warningpoints`,`moderateposts`,`moderationtime`,`suspendposting`,`suspensiontime`,`coppauser`,`classicpostbit`,`usernotes`)
VALUES ('XXX','XXX','XXX','XXX','XXX','0','','','5','','0','','1389074395','1389074395','1389074395','','0','','','','','','1','1','0','1','0','1','1','1','1','1','1','0','0','0','0','5.5','2','linear','0','','','XXX','-655077638','','1','0','0','0','','','0','0','','','','0','0','0','0','0','0','0','')

This single log line exposes the table name and, for the account being created, the username, the password column (MyBB stores a salted hash there, not the cleartext), the salt, the login key, the e-mail address and the registration IP (regip). We have replaced the original values with "XXX".

Vulnerable web servers

The following Google Dork finds misconfigured or compromised servers that let you append "/proc/self/cwd/" directly to the website URL and browse the process's working directory:
inurl:/proc/self/cwd

The results list the affected servers together with their open directory listings, which can be browsed from your own browser.

Open FTP servers

Google not only indexes HTTP servers, it also indexes public FTP servers.

With the following query you can explore public FTP servers, where interesting things are often found:
intitle:"index of" inurl:ftp

In this example, we discovered an important government server with an open FTP space. This was most likely done on purpose, but it could also be a security issue.

ENV files

.env files are used by popular web frameworks to declare configuration variables (database credentials, API keys, debug flags) for local and production environments; the APP_ENV, APP_DEBUG and APP_KEY names in the dork below are Laravel's.

The recommended practice is to keep these files (*.env) outside the document root, where the web server cannot serve them. However, as you will see, many developers don't care about this and leave their .env file in the public directory of the website.
ext:env intext:APP_ENV= | intext:APP_DEBUG= | intext:APP_KEY=

You will notice that plaintext usernames, passwords and IP addresses appear directly in the search result snippets. You don't even have to click a link to get the database credentials.

SSH private keys

An SSH private key proves the client's identity to the server during public-key authentication (session traffic is encrypted with ephemeral keys negotiated separately). As a security rule, the private key must stay on the system used to reach the remote SSH server and must never be shared or published.

With the following query you can find SSH private keys that Google has indexed (the -id_rsa.pub term drops listings that only contain the public half):
intitle:index.of id_rsa -id_rsa.pub

Let's move on to another interesting SSH Dork.

If today is not your day and you use the PuTTY SSH client on Windows, remember that its optional session logging writes everything on the terminal, including the usernames you log in with, to plain text files; when those log files end up on a web server, Google indexes them.

In this case, we can use a simple dork to extract SSH usernames from PuTTY logs:
filetype:log username putty

Email Lists

Finding email lists is quite easy using Google Dorks. In the following example, we are going to retrieve Excel files that may contain many email addresses.
filetype:xls inurl:"email.xls"

We filtered to only check .edu domain names and found a popular university with about 1,800 emails from students and faculty.
site:.edu filetype:xls inurl:"email.xls"

Remember, the real power of Google Dorks is the unlimited number of combinations you can use. Spammers know this trick too and use it daily to fill up their spam mailing lists.

Cameras

Have you ever wondered whether your personal camera can be viewed in real time not only by you, but by anyone on the Internet?

The following Google hacking queries return the web interfaces of live cameras that are reachable without authentication or IP-based access restrictions.

Here's a dork that finds various IP cameras:
inurl:top.htm inurl:currenttime

To find WebcamXP based broadcasts:
intitle:"webcamXP 5"
And one more for other live cameras:
inurl:"lvappl.htm"

There are many online cameras that let you watch any part of the world, live. You can find educational, government and even military cameras without IP restrictions.

With the owner's authorization, such cameras are a legitimate target for a penetration test (white hat hacking); without it, logging in to someone else's camera is unauthorized access.

You will be amazed at how many of them expose the entire admin panel remotely, letting anyone reconfigure the camera as they like.

MP3, movies and PDF files

Currently, fewer and fewer people download music since the advent of Spotify, Boom, Yandex.Music and Apple Music. However, if you are one of those classic people who still download legal music, you can use this dork to search for open directories of mp3 files (note that there is no space after the colon; "intitle: index" would search for the word "intitle:" instead):
intitle:"index of" mp3

The same goes for any legal free media or PDF documents you might need:
intitle:"index of" pdf intext:".mp4"

Preventing Google Dorks

There are many ways to keep your site out of Google Dork results.

These measures stop search engines from indexing your sensitive information, and most of them also stop humans who bypass the search engine:
  1. Protect private areas with username/password authentication and IP-based restrictions.
  2. Never serve secrets from the document root; store passwords only as salted hashes and encrypt the rest of your sensitive data (user records, card numbers, e-mail addresses, postal addresses, IP addresses, phone numbers, etc.) at rest.
  3. Run vulnerability scans on your site regularly; scanners usually already include popular Google Dork queries and are quite effective at catching the most common exposures.
  4. Run the dorks regularly against your own site (site:yourdomain.com combined with the queries above) to find exposed information before attackers do. The Google Hacking Database on Exploit-DB maintains a large list of popular dorks.
  5. If you find exposed content that has already been indexed, fix the exposure first, then request removal through Google Search Console; removing the index entry alone leaves the file reachable.
  6. Use a robots.txt file in the root directory of the website to keep crawlers away from sensitive paths, keeping in mind that it is advisory only: it does not block anyone who fetches the URL directly, and the paths it lists are themselves public information.
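Item 4 in practice: the following Python script is an added example (not part of the original post) that checks a local copy of your document root for the kinds of files the dorks above surface (.env files with secrets, SSH private keys, logs with usernames or SQL errors, spreadsheets of e-mail addresses) and then cross-checks an Apache combined-format access log for the paths Googlebot has already fetched with HTTP 200, which are the ones to request removal for. The rules, file names, file contents and log lines are constructed for this example; matching is on content as well as name, so an id_rsa.pub or an empty .log file does not raise a finding, and the Googlebot check goes by User-Agent only, which is trivially spoofed (verify the source IP by reverse DNS, as Google documents, before trusting it).

```python
import re
import tempfile
from pathlib import Path

# Each rule: label, regex on the URL path of the file, regex on the file content.
# These mirror the dorks in this article; they are this example's own list, not an official one.
RULES = [
    ("env file with secrets", re.compile(r"(^|/)\.env$"),
     re.compile(r"^(APP_KEY|DB_PASSWORD|DB_USERNAME)=\S+", re.M)),
    ("SSH private key", re.compile(r"(^|/)id_[a-z0-9]+$|\.pem$|\.key$"),
     re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----")),
    ("log leaking usernames / SQL", re.compile(r"\.log$"),
     re.compile(r"SQL Error|username|password", re.I)),
    ("spreadsheet / CSV of e-mail addresses", re.compile(r"\.(xls|xlsx|csv)$"),
     re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
]

# Apache "combined" log format; the User-Agent is the last quoted field.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def scan_webroot(root):
    """Walk a document root; return sorted (url_path, label) pairs for files a dork could surface."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        url_path = "/" + path.relative_to(root).as_posix()
        text = path.read_bytes().decode("utf-8", errors="ignore")
        for label, name_re, content_re in RULES:
            if name_re.search(url_path) and content_re.search(text):
                findings.append((url_path, label))
                break
    return sorted(findings)


def crawler_fetches(access_log, ua_marker="Googlebot"):
    """Return {path: last status} for requests whose User-Agent claims to be the crawler.
    The UA string is not proof: a real check also reverse-resolves the client IP."""
    fetched = {}
    for line in access_log.splitlines():
        m = LOG_LINE.match(line)
        if m and ua_marker in m.group("ua"):
            fetched[m.group("path").split("?")[0]] = int(m.group("status"))
    return fetched


def exposed_and_crawled(root, access_log):
    """Paths that are both flagged on disk and were already served (HTTP 200) to the crawler."""
    flagged = {p for p, _ in scan_webroot(root)}
    return sorted(p for p, st in crawler_fetches(access_log).items() if st == 200 and p in flagged)


# Constructed sample site and log lines for this example; no real data or keys.
SAMPLE_FILES = {
    ".env": "APP_ENV=production\nAPP_DEBUG=false\nAPP_KEY=base64:c2FtcGxlLWtleS1ub3QtcmVhbA==\nDB_PASSWORD=s3cret\n",
    "backup/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nc2FtcGxlLW5vdC1hLXJlYWwta2V5\n-----END OPENSSH PRIVATE KEY-----\n",
    "backup/id_rsa.pub": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA sample@example.com\n",
    "logs/error.log": "MyBB SQL Error\nSQL Error: 1062 - Duplicate entry 'alice' for key 'username'\n",
    "contacts/email.csv": "alice@example.edu,bob@example.edu\n",
    "index.html": "<html><body>Welcome</body></html>\n",
}
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLE_ACCESS_LOG = "\n".join([
    f'66.249.66.1 - - [10/Oct/2023:13:55:36 +0000] "GET /.env HTTP/1.1" 200 118 "-" "{GOOGLEBOT_UA}"',
    f'66.249.66.1 - - [10/Oct/2023:13:55:37 +0000] "GET /backup/id_rsa HTTP/1.1" 403 199 "-" "{GOOGLEBOT_UA}"',
    f'66.249.66.1 - - [10/Oct/2023:13:55:38 +0000] "GET /index.html HTTP/1.1" 200 35 "-" "{GOOGLEBOT_UA}"',
    '203.0.113.5 - - [10/Oct/2023:14:01:02 +0000] "GET /logs/error.log HTTP/1.1" 200 2048 "-" "curl/8.0.1"',
])


def build_sample_site(directory):
    """Write the constructed sample files under directory and return it as a Path."""
    root = Path(directory)
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


def demo():
    """Run the check against the constructed site; returns (findings, paths already served to Googlebot)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_site(tmp)
        return scan_webroot(root), exposed_and_crawled(root, SAMPLE_ACCESS_LOG)


if __name__ == "__main__":
    findings, crawled = demo()
    for url_path, label in findings:
        print(f"exposed: {url_path:22} {label}")
    for url_path in crawled:
        print(f"already served to Googlebot, request removal: {url_path}")
```

On the sample site the scan flags four files, and only /.env was both flagged and fetched successfully by the crawler (the id_rsa request got a 403, and the log fetch came from a non-crawler client), so that is the one entry to submit for removal after the file is taken out of the document root.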

Using robots.txt configurations to prevent Google Dorking

One common way to keep pages out of Google's index is a robots.txt file. Remember that it only instructs compliant crawlers; it does not stop anyone from requesting the URL directly, and it is itself public, so every path you list in it is a hint to an attacker. Let's look at some practical examples.

The following configuration forbids crawling of every path on the site, which is useful for private sites that have no content meant for public indexing:
User-agent: *
Disallow: /

You can also exclude specific directories from crawling. If you have an /admin area and want to keep it out of the index, add this:
User-agent: *
Disallow: /admin/
This also covers all subdirectories inside /admin/ (and, as noted above, tells everyone reading robots.txt where the admin area is; the directory still needs authentication).

Exclude a single file:
User-agent: *
Disallow: /privatearea/file.htm

Exclude dynamic URLs, i.e. any URL containing a "?" query string:
User-agent: *
Disallow: /*?

To exclude a file extension, anchor the pattern with "$" so it only matches at the end of the path:
User-agent: *
Disallow: /*.php$
In this case, every URL ending in .php is excluded from crawling. The "$" must be the last character of the pattern; writing "/*.php$/" makes the dollar sign a literal and the rule matches nothing useful.
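To see why the extension rule must be written /*.php$ and not /*.php$/, and how several rules interact, here is an added Python example (not from the original post) that implements the matching rules Google's crawler applies to robots.txt: patterns are anchored at the start of the URL path (query string included), "*" matches any run of characters, "$" anchors to the end of the path only when it is the last character of the pattern (anywhere else it is a literal dollar sign), and when several Allow/Disallow rules match, the rule with the longest pattern wins, with ties going to Allow. The robots.txt texts below are constructed for the example, and group selection is simplified to exact user-agent tokens plus "*".

```python
import re


def _pattern_to_regex(pattern):
    """Translate a robots.txt path pattern into an anchored regex under Google's matching rules."""
    anchored = pattern.endswith("$")
    if anchored:
        pattern = pattern[:-1]          # trailing "$" means end-of-path, not a literal
    body = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.compile("^" + body + ("$" if anchored else ""))


def parse_robots(text, user_agent="*"):
    """Return the [(allow_flag, pattern), ...] rules of the group that applies to user_agent.
    Groups are one or more User-agent lines followed by their Allow/Disallow lines."""
    groups = []                         # list of (user-agent tokens, rules)
    tokens, rules = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments
        if ":" not in line:
            continue
        field, value = (s.strip() for s in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if rules:                   # a User-agent line after rules starts a new group
                groups.append((tokens, rules))
                tokens, rules = [], []
            tokens.append(value.lower())
        elif field in ("allow", "disallow"):
            rules.append((field == "allow", value))
    groups.append((tokens, rules))
    wanted = user_agent.lower()
    for toks, rls in groups:            # exact token first, then the wildcard group
        if wanted in toks:
            return rls
    for toks, rls in groups:
        if "*" in toks:
            return rls
    return []


def is_allowed(rules, path):
    """Most specific (longest) matching pattern wins; ties go to Allow; no match means allowed."""
    best = None                         # (pattern length, allow flag)
    for allow, pattern in rules:
        if not pattern:                 # "Disallow:" with an empty value allows everything
            continue
        if _pattern_to_regex(pattern).match(path):
            length = len(pattern)
            if best is None or length > best[0] or (length == best[0] and allow):
                best = (length, allow)
    return True if best is None else best[1]


# Constructed robots.txt texts for this example: the article's rules, plus the broken variant.
ROBOTS_OK = """User-agent: *
Disallow: /admin/
Disallow: /privatearea/file.htm
Disallow: /*?
Disallow: /*.php$
Allow: /admin/public/
"""
ROBOTS_BROKEN = """User-agent: *
Disallow: /*.php$/
"""


def demo():
    """Evaluate representative paths against both files; returns {path: crawl allowed?}."""
    ok = parse_robots(ROBOTS_OK)
    broken = parse_robots(ROBOTS_BROKEN)
    return {
        "/admin/login": is_allowed(ok, "/admin/login"),                    # Disallow /admin/
        "/admin/public/logo.png": is_allowed(ok, "/admin/public/logo.png"),  # longer Allow wins
        "/search?q=x": is_allowed(ok, "/search?q=x"),                      # /*? catches query strings
        "/index.php": is_allowed(ok, "/index.php"),                        # /*.php$ matches at end
        "/index.php.bak": is_allowed(ok, "/index.php.bak"),                # ...but not mid-path
        "broken:/index.php": is_allowed(broken, "/index.php"),             # /*.php$/ blocks nothing
    }


if __name__ == "__main__":
    for path, allowed in demo().items():
        print(f"{path:28} {'crawl allowed' if allowed else 'crawl disallowed'}")
```

The matcher also makes the limitation of robots.txt concrete: it decides only what a compliant crawler will request. A browser, curl or an attacker who read the Disallow lines gets the same response from the web server whether a path is listed or not.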

Conclusion

Google is one of the most important search engines in the world. As we all know, it can index almost anything.

Today we learned that Google can also be used as a hacking tool, but you can stay one step ahead of the bad guys by regularly using it to find exposures on your own sites. You can even automate this with third-party search-result (SERP) APIs, since scraping Google directly runs into the rate limiting mentioned above.

If you are a security researcher, this is a practical tool for your cybersecurity work.