The Google search engine finds answers to our questions and is part of our daily lives: you can search for school assignments, reports, presentations and more.
Before I start the tutorial on using Google Dorks in penetration testing and ethical hacking, I'm going to share a definition of Google Dork queries that I saw on techtarget.com:
A Google Dork query, sometimes just referred to as a dork, is a search string that uses advanced search operators to find information that is not readily available on a website.
In other words, we can use Google Dorks to find vulnerabilities, hidden information and access pages on certain websites. Because Google's crawler indexes most public websites, a search built from the right operators can surface weaknesses on a target without ever sending a request to the target itself. The basic syntax for advanced operators in Google is:
operator_name:keyword
For example, this operator_name:keyword syntax can be typed as 'filetype:xls intext:username' in the standard search box, which results in a list of Excel files that contain the term 'username'.
Simple Google Dorks Syntax
- site – restricts results to pages on the given domain (for example site:example.com)
- allintitle and intitle – restricts results to pages whose title contains the phrase; allintitle requires every word to appear in the title
- inurl – restricts results to pages whose URL contains the phrase
- filetype – restricts results to the given file format (for example filetype:pdf)
Data We Can Find Using Google Dorks
.env files are used by popular web development frameworks to declare environment variables and configuration for local and production environments.
One of the recommended practices is to keep .env files outside the publicly accessible web root. However, as you will see, many developers do not do this and leave their .env file in the site's public directory, where the web server happily serves it as plain text.
As this is a critical dork we will not show how to build it; instead, we will only show the critical results:
You'll notice that plaintext usernames, passwords and IP addresses are exposed directly in the search snippets. You don't even need to click the links to get the database login details.
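To turn this into a defensive check, here is an added example (not from the original article) of a small Python script that probes your own site for a publicly served .env file and reports which credential-bearing keys it exposes. The host example.test, the list of candidate paths and the two sample response bodies are constructed for this example; http_fetch performs live requests and must only be pointed at hosts you own or are authorized to test, which is why the demonstration runs against an offline fake_fetch instead.

```python
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed sample of what a framework .env looks like when the web server
# serves it as plain text. Every value here is made up for the example.
SAMPLE_ENV_BODY = """\
# application settings
APP_NAME=shop
APP_ENV=production
DB_HOST=10.0.12.7
DB_USERNAME=shop_user
DB_PASSWORD=S3cretP4ss!
MAIL_PASSWORD="mail pass with spaces"
STRIPE_SECRET_KEY=sk_test_madeup0123456789
"""

# Constructed sample of an ordinary HTML page, e.g. a soft 404 that returns 200.
SAMPLE_HTML_BODY = "<html><body><h1>Not found</h1><p>Try the search box.</p></body></html>"

ASSIGNMENT = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
SENSITIVE_KEY = re.compile(r"PASS|SECRET|TOKEN|PRIVATE|CREDENTIAL", re.IGNORECASE)

Fetcher = Callable[[str], Tuple[int, str]]  # url -> (status, body)


def parse_dotenv(body: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines. Returns {} unless *every* non-blank, non-comment
    line is an assignment, so an HTML page never looks like a dotenv file."""
    env: Dict[str, str] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ASSIGNMENT.match(line)
        if not m:
            return {}
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # strip matching quotes
        env[key] = value
    return env


def exposed_secrets(env: Dict[str, str]) -> List[str]:
    """Keys whose name suggests a credential and whose value is non-empty."""
    return [k for k, v in env.items() if SENSITIVE_KEY.search(k) and v]


def http_fetch(url: str) -> Tuple[int, str]:
    """Live fetcher. Only point this at hosts you own or are authorized to test."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""


def audit_dotenv_exposure(base_url: str, paths: List[str], fetch: Fetcher = http_fetch) -> Dict[str, List[str]]:
    """Return {path: [exposed credential keys]} for each path that is served as a dotenv file."""
    findings: Dict[str, List[str]] = {}
    for path in paths:
        status, body = fetch(base_url.rstrip("/") + path)
        if status != 200:
            continue
        env = parse_dotenv(body)
        if env:
            findings[path] = exposed_secrets(env)
    return findings


# Offline stand-in for http_fetch so the example runs without a network (assumed host).
FAKE_RESPONSES = {
    "https://example.test/.env": (200, SAMPLE_ENV_BODY),
    "https://example.test/.env.bak": (404, ""),
}


def fake_fetch(url: str) -> Tuple[int, str]:
    return FAKE_RESPONSES.get(url, (200, SAMPLE_HTML_BODY))  # unknown paths: soft 404


COMMON_PATHS = ["/.env", "/.env.bak", "/.env.local", "/config/.env"]

if __name__ == "__main__":
    for path, keys in audit_dotenv_exposure("https://example.test", COMMON_PATHS, fetch=fake_fetch).items():
        print(f"{path} is publicly served and exposes: {', '.join(keys)}")
```

The parser deliberately rejects a body as soon as it sees a line that is not an assignment, so a 200 soft-404 page or a landing page is never reported as a leak. Anything this reports is exactly what the search snippets above show to everyone; the fix is the one the article recommends, moving the file out of the document root (or denying it in the web server configuration), not hiding it from Google.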
Open FTP servers
Google does not only index HTTP servers; it also indexes open FTP servers.
With the following dork, you'll be able to explore public FTP servers, which often reveal interesting things.
intitle:"index of" inurl:ftp
In this example, we found a government server with its FTP space open. Chances are this was on purpose, but it could also be a security issue.
Have you ever wondered whether your private live camera could be watched not only by you but also by anyone on the Internet?
The following Google hacking techniques can help you find live camera web pages that are not restricted by IP.
Here’s the dork to fetch various IP based cameras:
To find WebcamXP-based transmissions:
And another one for general live cameras:
There are many live camera dorks that let you watch almost any part of the world, live. You can find education, government and even military cameras without IP restrictions.
If you get creative you can even do some white hat penetration testing on these cameras. You'll be surprised at how often the full admin panel is reachable remotely and lets you reconfigure the camera as you like. Do that only on cameras you own or have written authorization to test: logging into someone else's admin panel or changing its settings is unauthorized access, not white hat testing.
Using robots.txt configurations to prevent Google Dorking
One of the simplest ways to reduce your exposure to Google dorks is a robots.txt file. Keep in mind what it does and does not do: it asks well-behaved crawlers not to fetch the listed paths, so those pages stop appearing in search results, but it does not block access to them. Anyone can read /robots.txt, and a list of Disallow entries is itself a map of the paths you consider sensitive, so pair it with real access control (authentication, server-side deny rules) rather than relying on it alone. Let's see some practical examples.
The following configuration tells every crawler not to fetch anything on the site, which is useful for private sites that do not rely on search traffic.
User-agent: *
Disallow: /
You can also exclude specific directories from crawling. If you have an /admin area and want it kept out of search results, add this:
User-agent: *
Disallow: /admin/
Everything below /admin/ is covered as well, because robots.txt rules are prefix matches.
Restrict crawling of a specific file:
User-agent: *
Disallow: /privatearea/file.htm
Restrict crawling of dynamic URLs that contain a '?':
User-agent: *
Disallow: /*?
To restrict crawling of a specific file extension use:
User-agent: *
Disallow: /*.php$
The $ anchors the pattern to the end of the URL, so this covers every URL ending in .php; note that /page.php?id=1 does not end in .php and is only caught by the previous rule. As with the other rules, this keeps crawlers away from the pages but does not deny access to them.
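Because these rules are easy to get subtly wrong, here is an added example (not from the original article) of a Python matcher that implements the prefix, * and $ semantics Google applies to robots.txt and checks the article's rules against sample URLs. Python's standard urllib.robotparser only does plain prefix matching, which is why a custom matcher is needed for the wildcard rules. The combined robots.txt and the URLs are constructed for this example; the extra Allow rule is an assumption added to show how a longer rule overrides a shorter one, and advertised_paths shows the recon side, the literal paths a robots.txt hands to anyone who reads it.

```python
import re
from typing import List, Tuple

# Constructed robots.txt for this example: the article's rules in one file,
# plus an Allow rule (assumed, not from the article) to show rule precedence.
ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Allow: /admin/public/
Disallow: /privatearea/file.htm
Disallow: /*?
Disallow: /*.php$
"""

Rule = Tuple[str, str]  # ("allow" | "disallow", pattern)


def parse_robots(text: str) -> List[Rule]:
    """Collect the Allow/Disallow rules in the group(s) that apply to 'User-agent: *'."""
    rules: List[Rule] = []
    in_group = False
    prev_was_ua = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            # consecutive User-agent lines share one group of rules
            in_group = (value == "*") or (in_group and prev_was_ua)
            prev_was_ua = True
            continue
        prev_was_ua = False
        if in_group and key in ("allow", "disallow") and value:
            rules.append((key, value))
    return rules


def pattern_to_regex(pattern: str):
    """Google semantics: match from the start of the path, '*' is any run of
    characters, a trailing '$' anchors the end. Everything else is literal."""
    anchored = pattern.endswith("$")
    if anchored:
        pattern = pattern[:-1]
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + body + ("$" if anchored else ""))


def is_allowed(rules: List[Rule], path: str) -> bool:
    """Longest matching pattern wins; Allow wins a tie; no match means allowed.
    'path' is the URL path plus query string, e.g. '/search?q=x'."""
    best_len, allowed = -1, True
    for directive, pattern in rules:
        if not pattern_to_regex(pattern).match(path):
            continue
        n = len(pattern)
        if n > best_len or (n == best_len and directive == "allow"):
            best_len, allowed = n, (directive == "allow")
    return allowed


def advertised_paths(rules: List[Rule]) -> List[str]:
    """The recon view: literal Disallow entries tell any reader where the sensitive areas are."""
    return [p for d, p in rules if d == "disallow" and "*" not in p and not p.endswith("$")]


if __name__ == "__main__":
    rules = parse_robots(ROBOTS_TXT)
    for url in ["/", "/admin/login", "/admin/public/help.html", "/privatearea/file.htm",
                "/privatearea/file.html", "/search?q=test", "/index.php", "/index.php/extra"]:
        print(f"{url:32} {'allowed' if is_allowed(rules, url) else 'DISALLOWED'}")
    print("paths this robots.txt advertises:", advertised_paths(rules))
```

Two results are worth noticing. /privatearea/file.html is disallowed even though only file.htm was listed, because every pattern without $ is a prefix; and /index.php/extra is allowed because the $ in /*.php$ requires the URL to end in .php. The last line of output is the point made above: the file that keeps /admin/ out of Google also tells every visitor that /admin/ exists.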