
Google Hacking: The Dark Side of the Search Engine

1. The dark side

Most people use search engines like Google for one simple purpose: to find something on the Internet. But Google also has a dark side that can be used to track down things on the Internet that were never intended for the general public: confidential documents, passwords, pay slips, copyrighted material (films, music, etc.), unprotected security cameras, data protection violations or security gaps in web applications.

Under the name “Google Hacking” or “Google Dorks”, anyone can take a look into confidential corners of the Internet within a few minutes. The tools of the trade are very simple: with a few additional search parameters, Google's gigantic search index can be “tapped” for information that the respective operator (presumably) did not want to reveal to everyone.

In this post I would like to introduce you to a few of these Google search parameters, with which configuration errors and the carelessness of operators can be made visible.

2. Preface

Before you start experimenting with Google's advanced search parameters, here are some things to consider:

"Hacking" via Google is not in itself prohibited or punishable, since the information found this way is unprotected and accessible to anyone on the Internet. Put another way: the operator failed to protect confidential data adequately. The threshold to a criminal offense is quickly crossed, however, if you misuse the data and vulnerabilities you have found for purposes that cause financial, personal or any other kind of damage to those concerned.

Basically, only one thing happens with Google hacking at first: you use the special search parameters to query Google's databases, which are made available to the public and can be viewed by everyone.

Note

Google Hacking does not, by the way, mean a hacking attack on Google, but a way of obtaining information with the help of Google's search engine.

2.1 Why Google Hacking Works

Due to sometimes blatant configuration errors or missing directives in the robots.txt, Google may index data or information that is not normally intended for general use. The cause of these configuration errors can usually be traced back to one of two reasons:

  • Lack of knowledge: Private individuals in particular often place sensitive data unprotected on an FTP or web server that they operate from home. No security measures are taken, or devices are connected (directly) to the Internet that neither receive security updates nor were designed for this purpose. If you come across such unprotected data or information, you should have the decency to report it to the operator, if you can identify them. The rule is: if you don't know what you are doing, you should refrain from putting data on the Internet, or simply pay someone who does know.
  • Carelessness: With Google Hacking, however, it is not only possible to track down sensitive information from private users, but also explosive, and sometimes even secret, documents from companies and institutions. Here one would assume that the responsible administrators normally have sufficient knowledge to avoid such cases. Unpatched web servers, sensitive password lists or complete backups of business e-mail correspondence that can be found via Google Hacking paint a different picture, however. Here we are talking about anything from carelessness to gross negligence and human error.

Incidentally, Google Hacking goes back to 2002, when Johnny Long (j0hnny) found vulnerable or unpatched systems and sensitive information using special search parameters; he himself called them Google Dorks. Dork (idiot) refers to the operators of the website who have not given enough thought to security and who do not have their servers under control.

Anyone who thinks the situation will have changed by 2017 is seriously mistaken. Thanks to the Internet of Things and the growing number of devices connected to the Internet, vulnerable systems and sensitive information can be tracked down far more often than ever before.

Note

Google Hacking is not the only way to track down sensitive information and unprotected devices; other tools and search engines, such as Shodan, were designed specifically for this.

2.2 Obtaining information during the pentest

When performing a penetration test, Google hacking has become an indispensable tool for me. A penetration test can be divided into different phases, some of which are repeated in sequence:

The first phase (information gathering) is about collecting as much information as possible about the target that could be of interest for the further course of the test. For this purpose, various publicly available sources of information are searched and then evaluated. One of these sources of information is Google, or “hacking” via Google.

3. Simple examples

Let's start with simple examples and what can be tracked down on the Internet with the special search parameters.

3.1 Video and audio material

Display of websites that publicly provide mp3 files, whether due to lack of knowledge, carelessness or even intentionally in order to offer copyrighted material:

intitle:"index of" inurl:mp3

It works similarly with video material if you pass avi, mp4 or mkv as the parameter:

intitle:"index of" inurl:avi

If you refine your search by adding an artist or film title, you can narrow the results down further.

3.2 Vulnerabilities

The output of SQL error messages is a first indication of susceptibility to SQL injection:

intext:"sql syntax near" | intext:"syntax error has occurred" | intext:"incorrect syntax near" | intext:"unexpected end of SQL command" | intext:"Warning: mysql_connect()" | intext:"Warning: mysql_query()" | intext:"Warning: pg_connect()"

Detection of sensitive configuration files that contain MySQL login data such as usernames and passwords:

mysqli_connect ext:inc

Display of vulnerable Apache web servers with a specific version number and operating system:

intitle:"index of" "Apache/2.4.7 (Ubuntu) Server"

Detection of pages that offer Outlook Web Application (OWA) and are therefore built on Microsoft Exchange:

inurl:https://owa

3.3 Sensitive information / documents

Detection of (Cisco) VPN access data with which one could gain access to the local network of companies and institutions:

!Host=*.* intext:enc_UserPassword=* ext:pcf

Displaying search results for FTP servers with password files in Microsoft XLS format:

inurl:ftp "password" filetype:xls

Or search specifically for pages that have the term »password«, »secret«, »members« or other expressions directly in the URL:

intitle:"index of" inurl:password

Search for text files that contain the word "password":

ext:txt intext:password

Display of the (Linux) bash history, which often contains user names of a system:

intitle:"index of" .bash_history

Display of possibly sensitive Dropbox folders:

intitle:index.of.dropbox

Note

You can find a huge selection of Google Dorks on the Exploit Database under Google Hacking Database (GHDB). There you can search specifically for a dork or browse through the different categories, such as »Footholds« or »Vulnerable Servers«.

4. Search parameters

You have already got to know some of the most important search parameters used in Google hacking in the examples above. I will briefly explain the most frequently used search parameters; these can often be combined wonderfully with one another.

4.1 Basic parameters

Everyone who has looked at how a search engine works in more detail knows the double quotes. They ensure that exactly the specified SEARCHWORD is searched for. If you enclose several SEARCHWORDS in double quotation marks, their order is also taken into account:

"SEARCHWORD" or "SEARCHWORD1 SEARCHWORD2"

With site: the search is restricted to a specific site. This is useful if you want to limit the search for content, sensitive documents or weak points (SEARCHWORD) to a certain DOMAIN (e.g. kuketz-blog.de):

site:DOMAIN SEARCHWORD

The search parameter cache: together with a URL shows Google's cached version of the specified website, i.e. the version from the last indexing:

cache:URL

A search with the parameter intitle: together with a SEARCHWORD delivers results from websites whose title contains this search term. It is often used to find pages or directories that have directory listing (index of / index.of) enabled:

intitle:SEARCHWORD

With allintitle: only results that contain all of the specified SEARCHWORDS in the title are displayed:

allintitle:SEARCHWORDS

With the search parameter intext: together with a SEARCHWORD, websites are displayed in which the term occurs in the text of the page:

intext:SEARCHWORD

With allintext: only results are displayed that contain all of the specified SEARCHWORDS in the text of the page:

allintext:SEARCHWORDS

A search with the parameter inurl: together with a SEARCHWORD delivers results from websites whose URL contains the search term:

inurl:SEARCHWORD

A search with the parameter filetype: or ext: limits the results to documents of a certain FORMAT (e.g. pdf or docx files):

filetype:FORMAT or ext:FORMAT

With the search operator related: and a DOMAIN, pages can be found that are similar in content to the specified page. You can try that out with the Kuketz blog (related:www.kuketz-blog.de):

related:DOMAIN
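The one thing that goes wrong most often when people copy these parameters is the whitespace: an operator must be glued to its value (intitle:index.of, not intitle: index.of), values containing spaces must be quoted, and "|" is the OR between terms. The following Python script is an added example, not code from the original post or from Google. It tokenizes a query according to the syntax explained in this section, groups the terms, renders well-formed queries from parts, and flags operators that have been accidentally separated from their value. Two things in it are assumptions: the operator list is exactly the one introduced above, and "|" is taken to join only the terms immediately to its left and right while everything else is ANDed (the reading the site: plus ext: combinations in section 4.3 rely on); Google does not publish its actual grammar.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Assumption: only the operators introduced in section 4.1 are modelled.
OPERATORS = {"site", "cache", "intitle", "allintitle", "intext", "allintext",
             "inurl", "filetype", "ext", "related"}

# One token is either "|" (OR) or an optional OPERATOR: prefix followed by a
# double-quoted phrase or a bare word. There is deliberately no room for
# whitespace between the colon and the value: "intitle: foo" would make the
# search engine look for the literal word "intitle:" and the word "foo".
TOKEN_RE = re.compile(
    r'(?P<or>\|)'
    r'|(?:(?P<op>[a-z]+):)?(?:"(?P<phrase>[^"]*)"|(?P<word>[^\s"]+))'
)


@dataclass(frozen=True)
class Term:
    operator: Optional[str]  # None = ordinary keyword
    value: str
    quoted: bool             # True if the value came from a "..." phrase


def tokenize(query: str) -> List[Union[Term, str]]:
    """Split a query into Term objects and '|' markers; reject stray characters."""
    tokens: List[Union[Term, str]] = []
    pos = 0
    for m in TOKEN_RE.finditer(query):
        if query[pos:m.start()].strip():
            raise ValueError(f"unexpected text {query[pos:m.start()]!r}")
        pos = m.end()
        if m.group("or"):
            tokens.append("|")
            continue
        op = m.group("op")
        if op is not None and op not in OPERATORS:
            # "https://owa" contains a colon, but "https" is no operator:
            # the whole token is a plain word.
            tokens.append(Term(None, m.group(0), False))
        elif m.group("phrase") is not None:
            tokens.append(Term(op, m.group("phrase"), True))
        else:
            tokens.append(Term(op, m.group("word"), False))
    if query[pos:].strip():
        raise ValueError(f"unexpected text {query[pos:]!r}")
    return tokens


def parse(query: str) -> List[List[Term]]:
    """Return AND-groups; each group lists the alternatives joined by '|'.

    Assumed precedence: '|' binds only its immediate neighbours, so
    'site:x ext:sql | ext:dbf' becomes [[site:x], [ext:sql, ext:dbf]].
    """
    groups: List[List[Term]] = []
    expecting_alternative = False
    for tok in tokenize(query):
        if tok == "|":
            if not groups or expecting_alternative:
                raise ValueError("'|' needs a term on both sides")
            expecting_alternative = True
        elif expecting_alternative:
            groups[-1].append(tok)
            expecting_alternative = False
        else:
            groups.append([tok])
    if expecting_alternative:
        raise ValueError("'|' needs a term on both sides")
    return groups


def term(operator: Optional[str], value: str) -> str:
    """Render one term: no space after the colon, quotes whenever the value
    contains whitespace (or is empty)."""
    if operator is not None and operator not in OPERATORS:
        raise ValueError(f"unknown operator {operator!r}")
    if not value or any(c.isspace() for c in value):
        value = f'"{value}"'
    return f"{operator}:{value}" if operator else value


def any_of(*alternatives: str) -> str:
    """OR-join rendered terms with ' | '."""
    return " | ".join(alternatives)


def all_of(*parts: str) -> str:
    """AND-join rendered terms or OR-groups with a single space."""
    return " ".join(parts)


def dangling_operators(query: str) -> List[str]:
    """Operators followed by whitespace, e.g. 'intitle: index of': the
    operator is then ignored and the query silently means something else."""
    return [m.group(1) for m in re.finditer(r"\b([a-z]+):\s", query)
            if m.group(1) in OPERATORS]


if __name__ == "__main__":
    q = all_of(term("site", "kuketz-blog.de"),
               any_of(term("ext", "sql"), term("ext", "dbf"), term("ext", "mdb")))
    print(q)
    for group in parse(q):
        print("  AND-group:", [f"{t.operator}:{t.value}" for t in group])
    print("dangling:", dangling_operators("intitle: index of inurl: mp3"))
```

Running the script prints the rendered self-check query, its two AND-groups (the site: restriction and the three ext: alternatives), and the two operators that a space has detached in the broken copy of the mp3 query.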

Note

Incidentally, Google recognizes the use of the advanced search parameters and will every now and then ask you to prove whether you are a human or a bot.

4.2 Combining search parameters

The search parameters you have just got to know can be combined wonderfully with one another. Here are a few examples.

Display of results that have directory listing enabled and in which the search word »backup« occurs within the URL. You will find countless servers and websites on which complete backups of private individuals and companies are stored unprotected:

intitle:"index of" inurl:backup

Detection of WordPress sites that use the WP Security Audit Log plugin and provide the log files unprotected for everyone:

inurl:"wp-security-audit-log" ext:log

Display of web pages that expose a vulnerability report generated by IBM AppScan, unprotected and in PDF format. Incidentally, this also works with other vulnerability scanners, explosive details included:

intext:"Web Application Report" intext:"This report was created by IBM Security AppScan" ext:pdf

4.3 "Hack" your own website

Apart from refining your search results, you should primarily use Google Hacking to track down your own configuration errors. Here I have summarized a few standard Google hacks for you, with which you can check your own website / Internet presence. Just replace »kuketz-blog.de« with your domain.

Directories in which the directory listing is active:

site:kuketz-blog.de intitle:index.of

Forgotten or unprotected configuration files:

site:kuketz-blog.de ext:xml | ext:conf | ext:cnf | ext:reg | ext:inf | ext:rdp | ext:cfg | ext:txt | ext:ora | ext:ini

Forgotten or unprotected (SQL) databases or backups:

site:kuketz-blog.de ext:sql | ext:dbf | ext:mdb

Forgotten or unprotected log files:

site:kuketz-blog.de ext:log

Backups and obsolete / forgotten (backup) files:

site:kuketz-blog.de ext:bkf | ext:bkp | ext:bak | ext:old | ext:backup

Pages that contain "login" in the URL and therefore indicate an area that should be protected:

site:kuketz-blog.de inurl:login

Output of SQL error messages, a first indication of SQL injection:

site:kuketz-blog.de intext:"sql syntax near" | intext:"syntax error has occurred" | intext:"incorrect syntax near" | intext:"unexpected end of SQL command" | intext:"Warning: mysql_connect()" | intext:"Warning: mysql_query()" | intext:"Warning: pg_connect()"

Forgotten or unprotected documents:

site:kuketz-blog.de ext:doc | ext:docx | ext:odt | ext:pdf | ext:rtf | ext:sxw | ext:psw | ext:ppt | ext:pptx | ext:pps | ext:csv

Output of phpinfo():

site:kuketz-blog.de ext:php intitle:phpinfo "published by the PHP Group"
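Google only shows what it has already indexed, so the self-checks above are always a step behind. You can run the same checks against your own site before a crawler gets there: fetch the pages with a crawler you control and look for the very signatures the queries in 3.2 and 4.3 search for. The Python script below is an added example, not code from the original post; the phrases and extensions are taken from those queries, the sample responses are constructed, and fetching is left out so that the script runs offline on any {url: (status, body)} mapping you supply. It also mirrors a detail of how intext: matches: PHP prints its error as "<b>Warning</b>:  mysql_query()", which only equals the dork's phrase after the tags are stripped and the whitespace collapsed.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Error phrases from the SQL-injection queries in sections 3.2 and 4.3.
SQL_ERROR_PHRASES = (
    "sql syntax near", "syntax error has occurred", "incorrect syntax near",
    "unexpected end of SQL command", "Warning: mysql_connect()",
    "Warning: mysql_query()", "Warning: pg_connect()",
)
# File extensions from the "forgotten or unprotected" queries in section 4.3.
SENSITIVE_EXTENSIONS = {
    "config": {"xml", "conf", "cnf", "reg", "inf", "rdp", "cfg", "txt", "ora", "ini"},
    "database": {"sql", "dbf", "mdb"},
    "log": {"log"},
    "backup": {"bkf", "bkp", "bak", "old", "backup"},
}
# Page titles that intitle:index.of and intitle:phpinfo match on.
DIR_LISTING_RE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)
PHPINFO_RE = re.compile(r"<title>[^<]*phpinfo\(\)", re.IGNORECASE)


def visible_text(body: str) -> str:
    """Approximate what intext: sees: tags removed, whitespace collapsed.
    Turns '<b>Warning</b>:  mysql_query()' into 'Warning: mysql_query()'."""
    return re.sub(r"\s+", " ", re.sub(r"<[^>]+>", "", body)).strip()


def file_extension(url: str) -> str:
    """Lower-cased extension of the last path segment, '' if there is none."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def audit_response(url: str, status: int, body: str) -> List[str]:
    """Classify one fetched page. Listings, phpinfo and sensitive files only
    count when served with 200 (a 403 body saying 'Index of' is not indexed);
    database error text is reported whatever the status code."""
    findings: List[str] = []
    if status == 200 and DIR_LISTING_RE.search(body):
        findings.append("directory listing")
    if status == 200 and PHPINFO_RE.search(body):
        findings.append("phpinfo")
    text = visible_text(body).lower()
    if any(phrase.lower() in text for phrase in SQL_ERROR_PHRASES):
        findings.append("SQL error")
    if status == 200:
        ext = file_extension(url)
        for category, extensions in SENSITIVE_EXTENSIONS.items():
            if ext in extensions:
                findings.append(f"{category} file")
    return findings


def audit(pages: Dict[str, Tuple[int, str]]) -> Dict[str, List[str]]:
    """Run audit_response over {url: (status, body)} and keep only the hits."""
    report: Dict[str, List[str]] = {}
    for url, (status, body) in pages.items():
        hits = audit_response(url, status, body)
        if hits:
            report[url] = hits
    return report


# Constructed sample responses (example.test is a placeholder host).
SAMPLE_PAGES: Dict[str, Tuple[int, str]] = {
    "https://example.test/backup/": (200,
        '<html><head><title>Index of /backup</title></head><body>'
        '<h1>Index of /backup</h1><a href="site.sql">site.sql</a></body></html>'),
    "https://example.test/backup/site.sql": (200,
        "-- MySQL dump 10.13\nCREATE TABLE users (id int, pw varchar(64));\n"),
    "https://example.test/products.php?id=1'": (200,
        "<b>Warning</b>:  mysql_query(): You have an error in your SQL syntax "
        "in <b>/var/www/products.php</b> on line <b>12</b>"),
    "https://example.test/news.asp?id=1": (500,
        "Microsoft OLE DB Provider for SQL Server error '80040e14'<br>"
        "Incorrect syntax near ''''."),
    "https://example.test/info.php": (200,
        "<html><head><title>PHP 7.4.3 - phpinfo()</title></head><body>"
        "<p>This program is free software ... published by the PHP Group</p>"
        "</body></html>"),
    "https://example.test/robots.txt": (200, "User-agent: *\nDisallow: /backup/\n"),
    "https://example.test/about/": (200,
        "<html><head><title>About us</title></head><body>Hello</body></html>"),
    "https://example.test/old/": (403, "<title>Index of /old</title>Forbidden"),
}

if __name__ == "__main__":
    for url, hits in audit(SAMPLE_PAGES).items():
        print(f"{url}: {', '.join(hits)}")
```

Two things in the sample report are worth noting. The robots.txt shows up as a "config file" hit, exactly as the ext:txt query would list it, which is why every finding still needs a human look. And the Disallow line in that robots.txt does not keep /backup/ out of the report: robots.txt only asks crawlers to stay away, it is not access control, so the listing and the dump are still wide open and need to be removed or put behind authentication (and, if Google already has them, a removal request in Search Console).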

As you can see, no special »hacking software« is necessary to find weak points or configuration errors on your website. With Google Hacking you can get a quick overview and stay one step ahead of attackers who do not mean well by you.

5. Conclusion

Google hacking is legal, but the threshold to a criminal offense is quickly crossed. All too quickly one becomes curious and clicks through the huge amounts of data that Google has indexed. Do not be tempted; some of the results certainly include honeypots that record and analyze your behavior.

With Google Hacking, weak points in the IT of (third-party) companies can also be tracked down, but you should leave this to professional penetration testers, who usually act on behalf of a client. Use the knowledge you have acquired about Google Dorks to optimize your personal search results or to check your own websites / devices for configuration errors.

Image sources:

Skull: Useful Objects from www.flaticon.com is licensed by CC 3.0 BY
Google: Freepik from www.flaticon.com is licensed by CC 3.0 BY

Google Hacking: The Dark Side of the Search Engine, May 28th, 2020, Mike Kuketz


About the author

My name is Mike Kuketz and I write this blog to make security- and data-protection-related topics easier to understand and accessible to everyone.

In my freelance work as a pentester (Kuketz IT-Security) I slip into the role of a »hacker« and look for weak points in IT systems, web applications and apps. Furthermore, I am a lecturer for IT security at the dual university in Karlsruhe and, among other things, an author for the computer magazine c’t.

The Kuketz blog and I myself are regularly mentioned in the media (heise online, Süddeutsche Zeitung, etc.).
