How to use Google like a pro using Google Dorking

In the last article, we had reported how Iranian hackers were able to glean information from Google about the dams in US cities in order to infiltrate and flood the cities. The hackers used a method known as Google Dorking which has been used ever since Google was launched.

It is well known that the Internet is a reservoir of vast information but it is out there in split format. Google Dorking enables users to stitch their queries together in a long query and get hitherto unknown information from Google. Through this article we take the proficiency of Google as a hacking tool.

If you have a PC/laptop, it is guaranteed that you have used Google for searching answers. While we perform relatively simple search queries, what most of don’t realize that Google can be used for far better advanced search. In fact, if used properly, Google can reveal sensitive information that can be used to perform a successful attack. This can be accomplished by using the advanced operator features of Google. The basic syntax for using advanced operator in Google is as follows.

Operator_name:keyword

The syntax as shown above is a Google advanced operator followed by a colon, which is again followed by the keyword without any space in the string. Using such a query in Google is called Dorking and the strings are called Google Dorks a.k.a Google hacks. Dorks come in two forms vis-à-vis Simple dorks and complex dorks.

The above syntax uses a single command so it is called as simple dork whereas using multiple advanced operators put together in a single search string is called as advanced dork. Each keyword/advance operator has a special meaning to the Google engine. It helps you filter out the unwanted results and narrows your searches by a great margin when these dorks are used. Let’s take few examples of simple dorks.

Simple Google Dorks:

Allintext Searches for occurrences of all the keywords given
Intext Searches for the occurrences of keywords all at once or one at a time
Inurl Searches for a URL matching one of the keywords
Allinurl Searches for a URL matching all the keywords in the query
Intitle Searches for occurrences of keywords in URL all or one
Allintitle Searches for occurrences of keywords all at a time
Site Specifically searches that particular site and lists all the results for that site
filetype Searches for a particular filetype mentioned in the query
Link Searches for external links to pages
Numrange Used to locate specific numbers in your searches
Daterange Used to search within a particular date range

Let’s see an illustration as to what this really means.

A single query can be used to get a particular result. But many single queries can be put into one bigger query and using higher degree of filtration we can get almost any information from a particular website.

The above two diagrams illustrate few of the dorks in a pictorial manner. The same can be analogous to other advanced operators. So what can we find out using Google?

  • Admin login pages
  • Username and passwords
  • Vulnerable entities
  • Sensitive documents
  • Govt/military data
  • Email lists
  • Bank account details and lots more

This is an example of a simple query. Next, let’s see some juicy stuff, which comes in handy due to the efficiency of Google crawlers.

Dork: inurl:group_concat(username, filetype:php intext:admin

In the above screenshot, we were able to tap in to some of the SQL injection results done by somebody else on the sites.

By now, I am sure; you would have got an idea as to how dangerous a tool Google can be. The usernames and passwords got from here can be used to strengthen our dictionary attacks by adding these used passwords to the list we already have. This can also be used in user profiling which seems to be in demand in the underground market. The above queries where just simple dorks which gave out sensitive information.

Another dork can be used to glean emails ids from Google.

 

Dork: intext:@gmail.com filetype:xls

Similarly we can use Google for site crawling/Network mapping. We use few other keywords to achieve this feat. What is so special about site crawling/Network mapping i.e. enumerating domain and hostnames? Well, all this is done without any probing at the target. The target that you are trying to enumerate cannot get a hint that you have already started plotting your attack against it. Google APIs used with a script combined with search results can give a big boost in this part of your attack.

site:xyz.com -site:www.xyz.com -site:xyz.com

In the above example, you can see the usage of multiple simple dorks. The possibilities for automation and network mapping using Google are infinite.

Dork: inurl:8443 -intext:8443

This dork lists all the sites running on port 8443. The query calls for sites with 8443 in the URL but excludes the redundant occurrence of 8443 in the text body thereby giving us URLs with respective ports. An automated scan on important ports can give interesting results.

This is the power of Google. If you like the article we will bring another one detailing advanced Google dorking techniques.