Google Dorks, also known as Google Hacking is a great technique and a tool to add to your pen-testing tool belt. It’s also a useful skill to know as improving your Google skills will help improve your life. Google Searches are often filled with ads and “sponsor” content so being able to narrow down on what you want will help.
If you are running initial reconnaissance or a red team exercise, the first stage will always be discovery, regardless of framework. The idea here is to gather as much information as possible. This can either be for a “target”, or yourself.
If you have a business of your own, or work in a small business with little security resource, running a Google dork exercise can give you insight into what potential attackers can see.
It can also give you insight into your personal exposure on the internet. With our internet presence forever growing, it might be a useful exercise to see how easily someone can find you and what exactly they can find out about you. This is useful if you are applying for a job, as they sometimes conduct an initial lookup just to check you are who you say you are. A quick Google search is normally a quick win.
Whilst you read this, try and search your username, email address, phone number, or name. You will see that straight off the bat, without any dorking, you get some clear information back. Below is an example of one of my domains, and it finds “links”” across multiple sites. Some are not mine.
Whilst this isn’t dorking, hopefully, you can start to see just how much Google stores or “caches”. It’s a lot!. Span that across the world and you have a database full of information that anyone can access.
Turns out it’s not just something to find meal ideas.
Another good starting point is the advanced search GUI. This is essentially what you are running when you “dork”. It’s just that running it yourself is cooler. It’s kind of like refusing to use ZenMap as Nmap looks cooler
(it does!). Go to Advance search…
You’ve probably started to think to yourself; “This isn’t hacking” and you would be right. Although it’s referred to as Google hacking, you aren’t actually “hacking”. It’s more…using a special technique to find what you want. Also known as cutting through the bull. So why do the bad guys use it so much?
Well aside from finding out company org structures, email addresses, and the CEOs LinkedIn page, they can also find out exposed data or vulnerable systems.
Let’s start with an example:
Once you click Advanced Search, it will translate the search query into a “dork” and run it for you: allinurl: “admin.php”
If you run this yourself, scroll down and you will start to see links that maybe shouldn’t be exposed to the internet. The above would be a basic search, as most would know about admin pages.
The bad guys, they would look for specific areas and have technical knowledge. For example, URL paths or words within admin portals to tech console.
Let me show you another example. I’ve worked with Symatec in the past so I would know the admin login URL. If I didn’t, it’s not the worst thing as I could easily find it on the companies website: Symantec EP
With this information, I can go back into Advance search and run the following:
This now shows multiple companies that have their Symantec manager exposed to the internet. With this, we can go on and on. The idea here is to get creative. A blanket search or LinkedIn profiles can give the feel to what the company runs or person uses and Google dorks can potentially help be the red string.
It doesn’t just stop at tech though. Google has an array of search queries we can use Google helpful lists them out here…
Take a look through the list and start to piece things together. Emails can be searched, files, logins, usernames, and phone numbers. Start thinking about what you use, and figure out what others “may use”. If you are doing research, then read up on the technology or field you are researching. How does it fit?
If it’s for consoles, or sites, run inspect site:
Find keywords that may not be in the URL. The above is an example of Juniper, and here we can use Intitle: or Insite: to narrow down the pages instead of URLs. (intitle:”Log in — juniper Web Device Manager”)
If you are still stumped, not to panic. There is a database that has all the interesting queries that you can run. Here you can find similar queries to use as templates. Running some of these will also give you greater insight into what works and what doesn’t. Google Hacking DB
Below are a few examples of what you can find:
Finding indexed SSH private keys:
intitle:index.of id_rsa -id_rsa.pub
Fetching SSH usernames from logs:
filetype:log username putty
Open FTP servers:
intitle:”index of” inurl:ftp
Finding saved email addresses:
filetype:xls inurl:”email.xls”
If you wanted to search a specific company, remember you can add a common search or add another dork:
“[Keyword]” filetype:xls inurl:”email.xls”
IP Based Cameras:
inurl:top.htm inurl:currenttime
Juniper Web Device Manager Login:
intitle:”Log In — Juniper Web Device Manager”
Dell Server IDRAC Login Portals:
intitle:”iDRAC-login”
Finding company default passwords. You can either narrow it down by one file type or pipe several, like so:
“your default password is” filetype:doc | filetype:pdf | filetype:csv | filetype:pdf | filetype:docx
Cisco GroupPwds:
filetype:pcf “cisco” “GroupPwd”
Hopefully this help start the ball rolling. Google can be a very helpful tool however in the wrong hands, it has quite the negative affect.
If you enjoyed reading my content and want to support, why not consider signing up and becoming a member. It’s $5 a month, for unlimited access to all stories on Medium. Join now! 🙂
Need help? Why not also check out my Fiverr or UpWork.
Regardless, thank you for reading!
amoran.io 
Leave a Reply