Google Dorking, also known as Google hacking, is a technique where advanced search operators are used to find specific information on search engines. It involves crafting search queries to discover vulnerable or exposed data on the internet.
Attack surface management (ASM) is the practice of identifying and securing every possible entry point into an organization's systems and networks, with the aim of understanding and reducing the weaknesses an attacker could exploit. Google Dorking plays a vital role in assessing the attack surface because it shows what a search engine has already indexed about the organization, which is exactly what an attacker sees first. Below are some of the use cases:
- Google Dorking for Reconnaissance
- Google Dorking for Asset Identification e.g. subdomains
- Google Dorking for Unauthorized Access to dashboards
- Exploiting misconfigurations
- Identifying low-hanging fruit, e.g. target functionality that can later be leveraged for initial access
Analysis of Google Dorks 2023
Based on a recent study of dorks collected in 2023, the categories below (the Google Hacking Database taxonomy) are where security researchers and bug bounty hunters concentrated their effort; the count is the number of dorks recorded per category.

| Category | Count |
| --- | --- |
| Advisories and Vulnerabilities | 1 |
| Files Containing Juicy Info | 243 |
| Pages Containing Login Portals | 68 |
| Various Online Devices | 11 |
| Vulnerable Files | 1 |
| Vulnerable Servers | 1 |

The most common category by a wide margin, Files Containing Juicy Info, shows that exposed files (logs, spreadsheets, documents, configuration) are the dork-based attack vector researchers rely on most.
Refer : https://github.com/kakdesanket/googledorks2023
Google Dorking for Reconnaissance
Reconnaissance (or recon) is the phase of a security assessment where an attacker gathers information about a target. This can include information about the target’s network, its security measures, and potential vulnerabilities. ASM involves a continuous process of monitoring and managing your organization’s attack surface. This includes identifying and eliminating unnecessary attack vectors, and continuously monitoring for new ones. Recon is a critical part of this process, as it allows you to gather the information you need to understand your organization’s current attack surface.
Here are some examples of Google Dorks that are useful for reconnaissance:
intitle:index.of Looks for directory listings, which reveal the contents of web server directories (backups, source, configuration files) that were never meant to be browsed.
site:example.com Restricts the search to a specific domain, which reveals every page Google has indexed for it, including pages on its subdomains.
filetype:pdf Looks for PDF files, which often contain internal documents, employee names, e-mail addresses and infrastructure details.
ext:php Looks for pages with a .php extension, which identifies dynamic endpoints and the server-side technology in use; those endpoints are where input-handling flaws are most likely to be found.
intext:username Looks for pages that contain the word 'username', which typically marks a login form or a leaked credential list.
Each of these can be combined with site: to scope it to the target.
Google Dorking for Asset Identification e.g. Subdomains
Google Dorking can be used for subdomain identification by crafting queries ('dorks') that scope results to the target domain and then filter out the hosts that are already known, so that the remaining results expose hosts that were not.
Here are some examples:
site:*.example.com -www Intended to return subdomains of example.com while excluding www. Wildcard support in site: is undocumented, and -www is a blunt filter that drops any result whose text or URL contains the term www. The precise form is site:example.com -site:www.example.com, repeated with a further -site: term for each subdomain found until a query returns no new host.
site:example.com filetype:pdf Returns PDF files indexed under example.com. Because site: matches the domain and every host beneath it, the hostnames in these results are subdomains in their own right, so every operator that narrows the result set is also a way to surface hosts.
site:example.com inurl:"&" Returns URLs containing an ampersand, i.e. requests with several query parameters. These are not subdomains; they map the dynamic, parameterised endpoints of each host that has been found. Google largely ignores punctuation in inurl:, so treat this one as best effort.
site:example.com inurl:login | inurl:register | inurl:upload | inurl:logout | inurl:redirect | inurl:redir | inurl:goto | inurl:admin Returns URLs with common authentication, upload and redirect paths across the domain and its subdomains. Google does not accept a comma-separated list after inurl:; each value needs its own operator, joined by the OR symbol |.
site:example.com ext:php | ext:asp | ext:aspx | ext:jsp | ext:jspa | ext:txt | ext:swf Returns pages with these extensions, which identify the server-side stack of each subdomain. The same OR form applies; a comma-separated extension list is not a documented form.
site:*.*.example.com Intended to return subdomains of subdomains (e.g. dev.api.example.com). Since site: already matches every depth of subdomain, site:example.com with the hosts from previous rounds excluded is the dependable way to surface these.
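The exclusion-based subdomain enumeration described above, carried through as an added example (not code from the original post or from FireCompass). The search engine is replaced by a stub over a constructed list of indexed URLs so that it runs offline; example.com and the sample URLs are assumptions. The stub reproduces the relevant site: semantics: site:h matches h and every host beneath it, so excluding a subdomain also excludes its children, and the apex domain is never placed in an exclusion because -site:example.com would empty the result set. Lookalike hosts outside the target are filtered out.

```python
"""Subdomain discovery by iterative site: exclusion.

Added example. The search engine is replaced by stub_search over a
constructed index, and example.com is an assumed target.
"""
from urllib.parse import urlsplit

# Constructed sample of what an engine might return for the target.
SAMPLE_INDEX = [
    "https://www.example.com/",
    "https://www.example.com/about",
    "https://blog.example.com/2023/post",
    "https://dev.api.example.com/v1/health",
    "https://api.example.com/docs",
    "https://example.com/login",
    "https://mail.example.com/owa/",
    "https://example.com.evil.net/phish",  # lookalike: out of scope
    "https://notexample.com/x",            # different domain: out of scope
]


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def in_scope(host, domain):
    """True for the domain itself and any host beneath it. A plain suffix
    match would also accept notexample.com, hence the leading dot."""
    return host == domain or host.endswith("." + domain)


def build_dork(domain, known_hosts):
    """site:domain minus every subdomain already seen. The apex is never
    excluded, because -site:example.com would remove the whole result set."""
    excluded = sorted(h for h in known_hosts if h != domain)
    return " ".join([f"site:{domain}"] + [f"-site:{h}" for h in excluded])


def stub_search(dork, page_size=3):
    """Stand-in for the engine. Applies site: semantics: site:h matches h
    and everything beneath it, and -site:h excludes the same set."""
    terms = dork.split()
    domain = terms[0][len("site:"):]
    excluded = [t[len("-site:"):] for t in terms[1:]]
    hits = []
    for url in SAMPLE_INDEX:
        host = host_of(url)
        if in_scope(host, domain) and not any(in_scope(host, ex) for ex in excluded):
            hits.append(url)
    return hits[:page_size]  # one page of results per query


def enumerate_subdomains(domain, search=stub_search, max_rounds=20):
    """Query, exclude what was found, repeat until a round adds no new host."""
    found, queries = set(), []
    for _ in range(max_rounds):
        dork = build_dork(domain, found)
        queries.append(dork)
        hosts = {host_of(u) for u in search(dork)}
        new = {h for h in hosts if in_scope(h, domain)} - found
        if not new:
            break
        found |= new
    return found, queries


if __name__ == "__main__":
    hosts, used = enumerate_subdomains("example.com")
    for q in used:
        print("query:", q)
    print("hosts:", sorted(hosts))
```

To run this against a live engine, replace stub_search with a function that submits the dork and returns the result URLs, keeping the pacing considerations from the conclusion in mind. Search engines also cap query length, so once the exclusion list grows long it has to be split across several queries rather than appended indefinitely.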
Google Dorking for Unauthorized Access to Dashboards
Dashboards and administrative panels are often indexed when they are exposed without authentication. To find them, use dorks that look for the titles, paths and file types common in dashboard applications:
intitle:"Dashboard" Returns pages with 'Dashboard' in the title across the whole web; combine it with site: to scope it to a target.
site:example.com/panel Returns indexed pages under the /panel path of example.com and its subdomains, which often belong to an administration dashboard. site: accepts a path prefix, and the wildcard in site:*.example.com/panel is neither needed nor documented.
site:example.com/panel -site:www.example.com The same search with the www host excluded, so that panels on other subdomains stand out.
site:example.com intitle:"Dashboard" Returns pages on example.com and its subdomains with 'Dashboard' in the title.
site:example.com ext:php | ext:asp | ext:aspx | ext:jsp | ext:jspa | ext:txt | ext:swf Returns pages with these extensions, which are commonly used to build dashboard applications; alternatives are joined with |, as a comma-separated list is not a documented form.
An indexed dashboard is a finding in itself: verify whether it enforces authentication before reporting it, since one that serves content without credentials is confirmed exposure rather than a lead.
Security Misconfigurations
Google Dorking can also surface misconfigurations, because a misconfigured server exposes content that a crawler indexes like any other page. The same operators used for reconnaissance apply, scoped with site:example.com, and read in this context they point at specific configuration faults:
intitle:index.of Directory listing is enabled: the web server shows the contents of a directory that has no index page, often exposing backups, source files and configuration.
site:example.com Everything Google has indexed for the domain; pages that should never have been public (staging hosts, internal tools, test data) indicate missing access controls or a missing noindex policy.
filetype:pdf Documents indexed from the site; internal or draft PDFs reachable without authentication point to an open document store.
ext:php Server-side scripts exposed by extension; when the handler is misconfigured, such files are served as plain text and leak source code and embedded credentials.
intext:username Pages containing the word 'username'; combined with a site: term this locates configuration dumps, logs and database exports left in web-accessible locations.
Identify low-hanging fruit, e.g. target functionality that can later be leveraged for initial access
Malicious attackers look for quick wins: obvious known vulnerabilities, exposed credentials or misconfigurations in the target organization that take little effort to exploit.
Here is a list of interesting Google Dorks that can be used:
inurl:.com password | credential | username filetype:log
This dork looks for log files whose content mentions password, credential or username. inurl:.com is only an example scope, so change it to your target (site: with the target domain is the more precise form). Google's | is a logical OR, so group the three alternatives in parentheses to make sure the OR applies to them alone and filetype:log applies to the whole query.
inurl:facebook not for distribution | confidential | “employee only” | proprietary | top secret | classified | trade secret | internal | private filetype:pdf
inurl:.gov not for distribution | confidential | “employee only” | proprietary | top secret | classified | trade secret | internal | private | WS_FTP | ws_ftp | log | LOG filetype:log
inurl:.gov not for distribution | confidential | “employee only” | proprietary | top secret | classified | trade secret | internal | private filetype:xls
inurl:.gov not for distribution | confidential | “employee only” | proprietary | top secret | classified | trade secret | internal | private filetype:csv
inurl:.gov not for distribution | confidential | “employee only” | proprietary | top secret | classified | trade secret | internal | private filetype:doc
inurl:.gov not for distribution | confidential | “employee only” | proprietary | top secret | classified | trade secret | internal | private filetype:txt
These dorks search for confidentiality markers (not for distribution, confidential, employee only, proprietary, top secret, classified, trade secret, internal, private) inside PDF, log, text, CSV, XLS and DOC files; the .gov and facebook scopes are examples to replace with the target.
Conclusion
Automating Google Dorking has limitations. Google rate-limits and blocks automated queries to protect its service from abuse; a tool or script that sends too many requests in a short period is answered with a CAPTCHA or an HTTP 429 response and, if it persists, a temporary block of the source address. This disrupts the reconnaissance process, and falling back to crawling the target directly contacts its servers and can alert it to your activity, which the search-engine queries themselves do not. To avoid this, use tools that respect Google's terms of service (or the official Custom Search API with its quota), pace the requests, and back off when a throttling response is returned.
Automating Google Dorking can be done with tools such as gD0rk or dork-cli, which run a list of dorks and collect the result URLs. Here is an example of how you might use dork-cli:
dork-cli --dork 'site:example.com intext:phpmyadmin' --pages 2 --simple
In this command, --dork 'site:example.com intext:phpmyadmin' specifies the dork, --pages 2 limits the search to 2 pages of results, and --simple outputs the results in a simple format. Note the two leading hyphens on each option; the single long dash that appears when the command is copied from a web page is not accepted by the tool.
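The pacing and backoff the conclusion calls for, written out as an added example; it is not code from the original post, from dork-cli or from gD0rk. The engine is a constructed stub that throttles any client exceeding a quota per time window (standing in for Google's 429/CAPTCHA response), and the clock is faked so the behaviour can be checked offline; the quota, window and interval values are assumptions. The runner never issues queries faster than its current delay, doubles the delay on every throttling response, and lets it decay back towards the minimum after successes.

```python
"""Paced dork execution with exponential backoff on throttling.

Added example. StubEngine and FakeClock are constructed stand-ins for a
real search engine and the system clock; quota, window and interval values
are assumptions.
"""
import time


class TooManyRequests(Exception):
    """The engine refused the query (the HTTP 429 / CAPTCHA case)."""


class FakeClock:
    """Constructed clock: sleeping advances time instead of waiting."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


class StubEngine:
    """Constructed engine: accepts at most `quota` queries per `window`
    seconds from this client and throttles everything beyond that."""

    def __init__(self, clock, quota=3, window=1.0):
        self.clock, self.quota, self.window = clock, quota, window
        self.stamps = []  # times of accepted queries

    def search(self, dork):
        now = self.clock()
        self.stamps = [t for t in self.stamps if now - t < self.window]
        if len(self.stamps) >= self.quota:
            raise TooManyRequests(dork)
        self.stamps.append(now)
        site = dork.split()[0].split(":", 1)[1]  # fake hit derived from site:
        return [f"https://{site}/hit"]


def run_dorks(dorks, engine, clock=time.monotonic, sleep=time.sleep,
              min_interval=0.5, max_delay=60.0, max_retries=4):
    """Run each dork in turn, never faster than one query per `delay`
    seconds. A throttling response doubles the delay (capped at max_delay)
    and retries; each success halves it again, never below min_interval."""
    results = {}
    stats = {"calls": 0, "throttled": 0, "failed": 0}
    delay, last = min_interval, None
    for dork in dorks:
        results[dork] = None
        for _ in range(max_retries + 1):
            if last is not None:
                wait = last + delay - clock()
                if wait > 0:
                    sleep(wait)
            stats["calls"] += 1
            last = clock()
            try:
                results[dork] = engine.search(dork)
            except TooManyRequests:
                stats["throttled"] += 1
                delay = min(delay * 2, max_delay)
                continue
            delay = max(min_interval, delay / 2)
            break
        else:
            stats["failed"] += 1  # gave up on this dork after max_retries
    return results, stats


if __name__ == "__main__":
    clock = FakeClock()
    dorks = [f"site:example.com intext:{w}" for w in
             ("phpmyadmin", "dashboard", "index.of", "password", "admin")]
    res, st = run_dorks(dorks, StubEngine(clock), clock, clock.sleep,
                        min_interval=0.25)
    print(st, "simulated seconds:", clock.now)
    # Live use: run_dorks(dorks, real_engine) with the default real clock.
```

With the assumed quota of three queries per second and a 0.25 s minimum interval, the fourth query is throttled, the delay doubles, the retry succeeds, and the interval relaxes again; with a 0.5 s interval nothing is throttled at all. Tune min_interval so that throttling is rare rather than relying on retries, since every refused query still counts against the quota.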
The FireCompass ASM platform uses AI-powered engines to query search engines such as Google, continuously monitor these assets, and alert the organization when something new is exposed.
Author: Sanket Kakde
Assisted By: Arnab Chattopadhayay, Jitendra Chauhan