Using Google Dorking For Hacking websites, Databases and Internet of Things devices

Last year we had discussed how Google can be used to almost anything on the Internet using a method called Google Dorking. If you have not read that article, it is available here.

As you know Google is a vast repository of data, some of which are available to people while some are not. Users use Google to find answers to their queries, images, videos, news, and notes, etc. But advanced users use a method called Google Dorking to glean hidden information from Google.

The same Google dorking method can, in fact, be used by hackers to find vulnerable targets and steal unauthorized information. Just like you can use the Shodan search engine to find vulnerable security cameras, with some advanced knowledge of Google commands, you can use Google to find the vulnerable database, websites, security cameras, and other Internet of Things connected devices.

Unlike Shodan which has been built by its developers just to find vulnerable security devices, you have to know certain advanced Google commands, and this method is called Google Dorking. In this article, we will explain what is Google Dorking.

What is Google Dorking?

Google Dorking is nothing but using advanced search syntax to find vulnerable websites or IoT devices.

Normally, Google is used for searching answers to simple queries like ‘What is the Weather Like Today’ or ‘Where is Langley.’ You will notice that we can use Google to perform search to with relatively simple terms

What most of you don’t realize that you can use advanced search terms to make Google divulge certain sensitive information that a normal user would never even know existed. In fact, if used properly, Google can reveal sensitive information that can be used to perform a successful attack. This can be accomplished by using the advanced operator features of Google. The basic syntax for using the advanced operator in Google is as follows.

For example, the basic syntax for using the advanced operator in Google is as follows:

Operator_name:keyword

The syntax, as shown above, is a Google advanced operator followed by a colon, which is again followed by the keyword without any space in the string. Using such a query in Google is called Dorking and the strings are called Google Dorks a.k.a Google hacks.

Again Google Dorking is divided into two forms:

  1. Simple dorks and
  2. Complex dorks.

Google Dorking came into being when in 2002, Johnny Long began to collect interesting Google search queries that uncovered vulnerable systems or sensitive information disclosures. He labeled them Google dorks.

Simple Google Dorking can be used to find hidden information on Google which is a bit hard to find normally. Complex Google Dorking is used by hackers for finding vulnerable targets.

With proper search syntax, Google Dorking can be used to find usernames and passwords, email lists and website vulnerabilities. It can also be used to find vulnerabilities in millions of Internet of Things devices connected to the Internet.

Using Google dorking, hackers can find footholds, sensitive directories hidden from normal view, vulnerable files like XMLPRC which let the hacker enter a WordPress domain. Dorking can also be used to glean passwords and usernames.

Simple Google Dorks:

Allintext Searches for occurrences of all the keywords given
Intext Searches for the occurrences of keywords all at once or one at a time
Inurl Searches for a URL matching one of the keywords
Allinurl Searches for a URL matching all the keywords in the query
Intitle Searches for occurrences of keywords in URL all or one
Allintitle Searches for occurrences of keywords all at a time
Site Specifically searches that particular site and lists all the results for that site
filetype Searches for a particular filetype mentioned in the query
Link Searches for external links to pages
Numrange Used to locate specific numbers in your searches
Daterange Used to search within a particular date range

Using the above commands you can find:

  • Admin login pages
  • Username and passwords
  • Vulnerable entities
  • Sensitive documents
  • Govt/military data
  • Email lists
  • Bank account details and lots more

Here are some examples of using Google Dorking :
Dork: inurl:group_concat(username, filetype:php intext:admin

Using the above information, we were able to tap in to some of the SQL injection results done by somebody else on the sites.

By now, I am sure; you would have got an idea as to how dangerous a tool Google can be. The usernames and passwords got from here can be used to strengthen our dictionary attacks by adding these used passwords to the list we already have. This can also be used in user profiling which seems to be in demand in the underground market. The above queries where just simple dorks which gave out sensitive information.

Another dork can be used to glean emails ids from Google.

Dork: intext:@gmail.com filetype:xls

Similarly we can use Google for site crawling/Network mapping. We use few other keywords to achieve this feat. What is so special about site crawling/Network mapping i.e. enumerating domain and hostnames? Well, all this is done without any probing at the target. The target that you are trying to enumerate cannot get a hint that you have already started plotting your attack against it. Google APIs used with a script combined with search results can give a big boost in this part of your attack.

site:xyz.com -site:www.xyz.com -site:xyz.com

In the above example, you can see the usage of multiple simple dorks. The possibilities for automation and network mapping using Google are infinite.

Dork: inurl:8443 -intext:8443

This dork lists all the sites running on port 8443. The query calls for sites with 8443 in the URL but excludes the redundant occurrence of 8443 in the text body thereby giving us URLs with respective ports. An automated scan on important ports can give interesting results.