Google Dorking

Today I’m going to discuss Google Dorking/Hacking.

First of all I want to discuss how disturbingly easy it is to find vulnerabilities or exposed information online simply by using Google. Try this exercise to see for yourself (however, do not break any laws! DO NOT brute-force your way into anything! I am in no way responsible for your actions – this is all for research, appreciation and curiosity’s sake).

Go to Google and type in the following search query:

inurl:/remote/logon?ReturnUrl

(This Google dork was reported by sivabalan (AKA CYBER GENIUS) [1] on Exploit Database.)

528 results are found, and among the first few results are financial services server login pages. Prodding further, some of these server login pages do not lock the account out after a specified number of failed login attempts. Therefore, booting up Kali and brute-forcing with the likes of Hydra or Medusa and a decent password list (such as rockyou.txt) (and possibly enumerating user names through vulnerable server services with Nmap or Metasploit (msf) auxiliary modules to make brute-forcing easier) would give an attacker very easy access to very sensitive information.

It’s very scary how exposed our information can be, right?

The term Google Dorking refers to the Google search engine (obviously) and the fact that inexperienced people (dorks) sometimes leave sensitive information available for Google to crawl and list in its search results. This can be used to a hacker’s advantage for such things as recon, discovering vulnerable sites and servers, and even locating remote device login pages. Google has amazing web crawling/search capabilities; the downside is that many people may be unaware of how much of their information is so easily and readily exposed.

Google dorking can lead to a wealth of information through combinations and tweaking of simple Google querying techniques. Let’s take a look at a very simple example: websites vulnerable to a simple UNION SELECT SQL injection can be discovered using the following Google search (the operator must be written with no space before its value):

inurl:php?id=1

This is all you need to type into Google to come up with thousands of vulnerable websites, many of them keeping customer records.

Google dork queries can be made up of three parts – query terms, boolean operators and the actual search information wanted. As a real-life (non-hacking) example, the following query might be entered:

site:airbnb.com | stayz.com intext:spa & bean bag

The query terms site and intext are used, the boolean operator “|” (or) is used, and the specific search information asks for the phrases “spa” and “bean bag” in either a stayz.com or an airbnb.com page.

Reading through the following document will give you some ideas on advanced query terms and the combinations in which they can be applied.

https://developers.google.com/custom-search/docs/xml_results#request-parameters

Some of the most useful query terms include:

intext: or allintext: searches for pages containing the specified string within the text of the page.

inurl: or allinurl: searches for pages containing the specified string within the URL of the page.

filetype: searches for files of a specified type such as pdf, xml, doc.

ext: similar to filetype: but searches for a file extension such as .pdf, .xml, .doc.

site: searches only within a specified site.

intitle: searches within the title of web pages.

related: searches for content related to your query.

link: searches for external links to a given page.

numrange: searches for numbers within a given range for the specified search query.

daterange: searches for results within a specified date range (the dates need to be Julian day numbers – here’s a converter: http://aa.usno.navy.mil/data/docs/JulianDate.php).

cache: gives you the cached version of a specified page.

Here’s one of my own dorks.

site:pastebin.com intext:@gmail.com | @yahoo.com | @hotmail.com daterange:2457388-2457490

This dork searches the site pastebin.com – a popular site where “hackers” can flaunt doxxed information. It looks for the string @gmail.com, @yahoo.com or @hotmail.com within the text of the page, and the date range (in Julian dates) is set to only show results from the last 3 months. This dork gives us over 2000 lists of email accounts and, more often than not, the passwords associated with those accounts.
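As an added illustration of the three-part query structure described earlier (query terms, boolean operators, search text) and of the Julian day numbers that daterange: expects, here is a small Python script of my own, not code from the post, that splits a dork into operator terms, boolean operators and free text, and converts daterange: values to and from calendar dates. The operator names and the two sample queries come from the post; the function names and the JDN offset constant are mine.

```python
"""Parse a Google dork into its parts and decode daterange: Julian day numbers.

Added example (not code from the original post). It splits a dork such as the
post's pastebin query into operator terms (site:, intext:, daterange:, ...),
boolean operators (| and &) and free search text, and converts between the
calendar dates a person thinks in and the Julian day numbers daterange: wants.
"""
import re
from datetime import date

# date.toordinal() counts days from 0001-01-01 (= 1); adding this offset gives
# the Julian day number (at noon). Check: 2000-01-01 -> JDN 2451545.
JDN_OFFSET = 1721425

# Operator names listed in the post (lower-case, as Google expects them).
OPERATORS = {"intext", "allintext", "inurl", "allinurl", "filetype", "ext",
             "site", "intitle", "related", "link", "numrange", "daterange",
             "cache"}


def to_jdn(d):
    """Calendar date -> Julian day number, the format daterange: requires."""
    return d.toordinal() + JDN_OFFSET


def from_jdn(jdn):
    """Julian day number -> calendar date."""
    return date.fromordinal(jdn - JDN_OFFSET)


def daterange_term(start, end):
    """Build a daterange: term covering start..end (inclusive calendar dates)."""
    return f"daterange:{to_jdn(start)}-{to_jdn(end)}"


def parse_dork(query):
    """Split a dork into (kind, operator, value) tuples.

    kind is "op" for operator:value terms, "bool" for | / & (and the words
    OR / AND), and "text" for free search words; runs of free words are merged
    into one phrase. An operator only counts when it is written with no space
    before its value, which is also how Google requires it.
    """
    parts = []
    for tok in query.split():
        if tok in ("|", "&", "OR", "AND"):
            parts.append(("bool", tok, None))
            continue
        m = re.fullmatch(r"(\w+):(.+)", tok)
        if m and m.group(1).lower() in OPERATORS:
            parts.append(("op", m.group(1).lower(), m.group(2)))
        elif parts and parts[-1][0] == "text":
            parts[-1] = ("text", None, parts[-1][2] + " " + tok)
        else:
            parts.append(("text", None, tok))
    return parts


def decode_daterange(query):
    """Return (start, end) calendar dates of the first daterange: term, or None."""
    for kind, op, value in parse_dork(query):
        if kind == "op" and op == "daterange":
            lo, hi = value.split("-", 1)
            return from_jdn(int(lo)), from_jdn(int(hi))
    return None


if __name__ == "__main__":
    # The two queries quoted in the post.
    holiday = "site:airbnb.com | stayz.com intext:spa & bean bag"
    paste = ("site:pastebin.com intext:@gmail.com | @yahoo.com | @hotmail.com "
             "daterange:2457388-2457490")
    for q in (holiday, paste):
        print(q)
        for part in parse_dork(q):
            print("   ", part)
    print("pastebin dork covers", decode_daterange(paste))
    print(daterange_term(date(2015, 12, 31), date(2016, 4, 11)))
```

Run as-is, it prints the parts of both queries from the post and decodes the pastebin dork's range to 31 December 2015 through 11 April 2016, which is the roughly three-month window the author mentions; daterange_term() does the reverse, so you can build the term from calendar dates without the converter website.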

Google dorking is all about being creative with the query terms chosen, the order they are used in, and what you observe that might be unique for a given scenario. You might find that a specifically branded IoT device that can be accessed remotely has a unique string of text in either its login page or its URL. Simply using the intext or inurl query terms in your Google search might then unlock a plethora of devices that can be connected to remotely.

Understanding how an attacker might use these query terms to discover uniquely vulnerable devices and pages, or to find sensitive information, can make a defender aware of what mistakes to avoid: making sure Google’s web crawler does not have access to sensitive documents, and making sure query terms will not deliver obvious vulnerabilities to attackers.
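To make that defensive point concrete, here is an added Python example (my own, not from the post) that audits a list of paths you consider sensitive on your own site against its robots.txt and each page's own headers and HTML, and reports which ones carry no indexing control at all. The robots.txt body, the paths and their headers are constructed sample data, and the host name example.invalid is a placeholder.

```python
"""Audit which of a site's sensitive paths a search engine crawler may index.

Added example, not code from the original post. Everything it reads is
constructed inline: a robots.txt body and, per path, the response headers and
HTML a crawler would get. For each path it reports whether Googlebot may crawl
it (robots.txt) and whether the page asks not to be indexed (an X-Robots-Tag
header or a <meta name="robots"> tag), and flags paths that have neither.
"""
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

# Constructed sample robots.txt: blocks /admin/ and allows everything else.
ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Allow: /
"""

# Constructed sample pages: path -> (response headers, body). The paths are
# stand-ins for the kinds of pages the post's dorks turn up.
PAGES = {
    "/admin/login.php": ({}, "<html><head><title>Admin</title></head><body>Login</body></html>"),
    "/remote/logon?ReturnUrl=/": ({"X-Robots-Tag": "noindex, nofollow"},
                                  "<html><body>Sign in</body></html>"),
    "/internal/notes.html": ({}, '<html><head><meta name="robots" content="noindex"></head>'
                                 "<body>Internal only</body></html>"),
    # A PDF cannot carry a meta tag; only the X-Robots-Tag header can protect it.
    "/reports/q1.pdf": ({"Content-Type": "application/pdf"}, ""),
    "/backup/customers.sql": ({}, ""),
}


class RobotsMetaParser(HTMLParser):
    """Collect the content of <meta name="robots"> and <meta name="googlebot">."""

    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        if (a.get("name") or "").lower() in ("robots", "googlebot"):
            self.directives.append((a.get("content") or "").lower())


def has_noindex(headers, body):
    """True if the X-Robots-Tag header or a robots meta tag contains noindex."""
    header_values = [v for k, v in headers.items() if k.lower() == "x-robots-tag"]
    if any("noindex" in v.lower() for v in header_values):
        return True
    parser = RobotsMetaParser()
    parser.feed(body)
    return any("noindex" in d for d in parser.directives)


def audit(robots_txt, pages, host="https://example.invalid", agent="Googlebot"):
    """Classify each path as 'robots-blocked', 'noindex' or 'exposed'."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    findings = {}
    for path, (headers, body) in pages.items():
        if not rp.can_fetch(agent, host + path):
            # Crawling is refused, but the URL can still be indexed from links
            # elsewhere, and a noindex tag on the page is never seen. Also,
            # robots.txt itself is public, so it advertises the path.
            findings[path] = "robots-blocked"
        elif has_noindex(headers, body):
            findings[path] = "noindex"
        else:
            findings[path] = "exposed"
    return findings


def exposed_paths(findings):
    """Paths with no indexing control at all, sorted for reporting."""
    return sorted(p for p, status in findings.items() if status == "exposed")


if __name__ == "__main__":
    results = audit(ROBOTS_TXT, PAGES)
    for path, status in results.items():
        print(f"{status:15} {path}")
    print("needs attention:", exposed_paths(results))
```

Two caveats the output encodes: a Disallow line only stops crawling, so a URL can still show up in results if it is linked from elsewhere, and a crawler never sees a noindex on a page it is not allowed to fetch, so noindex only works on crawlable pages; and robots.txt is itself public, so listing sensitive paths there advertises them. Anything genuinely sensitive belongs behind authentication or off the web server altogether, not merely hidden from the crawler.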

Exploit Database has a beautiful list of dorks here for you to use or to get ideas for creating your own:

https://www.exploit-db.com/google-hacking-database/

Many other websites also have large lists of dorks for your review.

Perhaps try making your own dork to find these dork lists!

Thanks for reading!

References

1. Remote server login dork – https://www.exploit-db.com/ghdb/4258/
