A Google Dorking guide to help you maximize OSINT research and push Google Search to its limits.
Table of Contents
- Advanced search operators
- site: and inurl:
- The exclusion operator (-)
- before: and after:
- Google Advanced Search
- LinkedIn Example
- More Google Dorks
- Still stuck? Try Pentest-Tools.com
- Using automated tools
Google Dorking is all about pushing Google Search to its limits by using advanced search operators to tell Google exactly what you want. Many people think of it as a hacking technique for finding unprotected confidential information about a company, but I think of it more as a hacker mindset, because I use Google Dorks for much more than security research.
I first became aware of the power of a Google Dork when I was looking for the Cisco AnyConnect client, which is used to connect to Cisco VPNs. However, Cisco did not allow the software to be downloaded directly, and searching Google for 'Cisco AnyConnect' returned only websites talking about the software. I looked into Google's advanced search operators and found that I could search on web page titles. Knowing that open directory listings carry the HTTP title "Index of", I had the idea that if I went after those, my results would be just files. I changed my query to intitle:index.of cisco anyconnect and suddenly had a bunch of results. I downloaded the executable, generated an MD5 hash of the file and compared it against the hash published on Cisco's website. Once I found a matching file, I knew it hadn't been tampered with and was safe to run. If the vendor publishes a SHA-256 value, compare that rather than MD5, since MD5 collisions are practical for an attacker who controls both files.
I didn't know at the time that this was called Google Dorking; it wasn't until I came across the Google Hacking for Penetration Testers presentation from Black Hat that I realized the full power of Google.
Google Dorking Guide: Expanding the Limits of Google Search
Advanced search operators
With advanced search operators I can find almost anything I want on the web. Most people know queries like site:hackthebox.com ext:pdf to list all PDF files hosted on a domain. This is often combined with ExifTool to extract document metadata, which can reveal usernames, dates, and the software used to produce the files. However, many people don't think of pointing it at cloud storage: site:drive.google.com hackthebox. As it happens, that search doesn't return much. Google does not crawl drive.google.com itself; it only indexes documents that are linked from the public internet. My favorite Google Dorks are:
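What the metadata step above looks like in practice, as an added example for this article (not code from the original post and not a replacement for ExifTool): pull Author, Creator and Producer strings out of PDFs that a site:example.com ext:pdf dork turned up and convert the author names into username guesses. The parser is a small regex over the /Info dictionary strings of an unencrypted PDF (no object streams, no nested parentheses), which covers most documents an OSINT run finds; the two PDFs are constructed inline so the script runs offline.

```python
"""Harvest author/creator/software metadata from PDFs found with a dork such
as site:example.com ext:pdf, and turn author names into username guesses.

Added example for this article; not code from the original post. The parser
handles literal (...) strings with backslash escapes and hex <...> strings,
including the UTF-16BE-with-BOM form that Office exports commonly write.
"""
import re
from collections import Counter

# Info-dictionary keys worth collecting: people, software and timestamps.
INFO_KEYS = ("Author", "Creator", "Producer", "Title", "CreationDate", "ModDate")

# /Key followed by either a literal string (...) or a hex string <...>.
STRING_RE = re.compile(
    rb"/(" + b"|".join(k.encode() for k in INFO_KEYS) + rb")\s*"
    + rb"(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)",
    re.DOTALL,
)
_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}


def _decode_pdf_string(literal, hexstr):
    """Decode one PDF string object to str (UTF-16BE when it carries a BOM)."""
    if hexstr is not None:
        digits = re.sub(rb"\s", b"", hexstr)
        if len(digits) % 2:            # PDF allows an odd final digit, implied 0
            digits += b"0"
        raw = bytes.fromhex(digits.decode("ascii"))
    else:
        raw = re.sub(rb"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)),
                     literal, flags=re.DOTALL)
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be", errors="replace")
    return raw.decode("latin-1")       # PDFDocEncoding is Latin-1 for plain ASCII metadata


def pdf_info(data):
    """Metadata strings of a PDF. Later matches overwrite earlier ones, so a
    document with incremental updates yields its most recent /Info values."""
    info = {}
    for m in STRING_RE.finditer(data):
        info[m.group(1).decode("ascii")] = _decode_pdf_string(m.group(2), m.group(3))
    return info


def username_candidates(author):
    """Common corporate username formats for a 'First [Middle] Last' author."""
    parts = [p for p in re.split(r"[\s.,_-]+", author.lower()) if p.isalpha()]
    if len(parts) < 2:
        return parts
    first, last = parts[0], parts[-1]
    return sorted({first + last, first + "." + last, first + "_" + last,
                   first[0] + last, first + last[0], last + first[0]})


def harvest(documents):
    """documents: {filename: pdf_bytes}. Returns (sorted usernames, software Counter)."""
    usernames, software = set(), Counter()
    for data in documents.values():
        info = pdf_info(data)
        if info.get("Author"):
            usernames.update(username_candidates(info["Author"]))
        for key in ("Creator", "Producer"):
            if info.get(key):
                software[info[key]] += 1
    return sorted(usernames), software


# Constructed sample PDFs (minimal but structurally valid); the second stores
# the author as a hex-encoded UTF-16BE string.
SAMPLE_PDFS = {
    "annual-report.pdf": (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        b"3 0 obj << /Author (John Smith) /Creator (Microsoft Word 2016)\n"
        b"   /Producer (Acrobat Distiller 11.0 \\(Windows\\))\n"
        b"   /CreationDate (D:20190312101530-05'00') >> endobj\n"
        b"trailer << /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
    ),
    "brochure.pdf": (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        b"3 0 obj << /Author <FEFF004A0061006E006500200044006F0065>\n"
        b"   /Creator (Adobe InDesign 14.0 \\(Macintosh\\)) >> endobj\n"
        b"trailer << /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
    ),
}

if __name__ == "__main__":
    names, software = harvest(SAMPLE_PDFS)
    print("username guesses:", ", ".join(names))
    for product, count in software.most_common():
        print(f"{count:>3}  {product}")
```

The software counter is the part people skip: a Producer string naming an old Acrobat or Word build tells you what is on the desktops, which matters more for the later phases than one more username.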
site: and inurl:
These operators look at the URL. site: is the one I use most often, because many sites have poor built-in search. For example, if you use Reddit's own search to look for ipsec and then run the Google search site:reddit.com ipsec, you will likely get completely different results.
inurl: is valuable when you want a phrase to appear in the URL but don't care which site it's on. It's often used to gauge the exposure of a web vulnerability. For example, if a vulnerability emerged in a WordPress plugin, I would look up one of the plugin's filenames and search for inurl:file_used_by_plugin.php to see how many websites might be affected. I would then build a list of sites that offer bug bounties or participate in programs like Synack and see whether any of them show up in the results. Keep in mind that a hit only means the plugin is installed; the version, and therefore whether the site is actually vulnerable, still has to be confirmed, and only against targets that are in scope.
The exclusion operator (-)
Putting a hyphen in front of a term subtracts it from the results. This is extremely useful for removing whole websites or parts of URLs. Using -site:website.com ensures that the site does not appear in the results, and the same works with inurl:, where -inurl:something strips URLs containing that string.
before: and after:
Google records when it first saw a page and when the page was last modified, and the before: and after: operators (dates in YYYY-MM-DD form) are a great way to narrow a search on those dates. Many times a recent headline has flooded my Google results; adding before:<date> is a great way to get rid of it. Conversely, when an exploit comes out I use after:<date> to find the latest proof of concept. If the exploit was released seven days ago, set after: to two days ago and look for the newest proof of concept, which is usually the most complete, whereas the exploits published immediately after disclosure are often just denial-of-service crashes.
Websites often serve different content to search engines for search engine optimization (SEO) reasons. cache:url shows the copy of a page that the site returned to Google, which is useful when the site hides information behind a login. There is a misconception about this feature: I have seen many people call it "passive reconnaissance", meaning that if you read a site through Google's cache, the site has no idea you were there. That is not true. Google's cache often fails to rewrite some of the links that load automatically when the cached page is rendered, so your browser still sends requests for images, scripts and stylesheets straight to the target's web server. Google retired the cache: operator and its cached-page links in 2024, but the same caution applies when reading a page through any other cache or archive: check what the rendered copy actually loads before calling it passive.
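A check for the leak described above, as an added example for this article (not code from the original post): given the HTML a cache served, list every resource a browser would fetch on its own while rendering it from a host other than the cache's. Anchors are ignored because they need a click; src/poster attributes on any tag, <link href> and CSS url() are counted, and a <base href> pointing back at the origin is honoured because it silently repoints every relative URL at the target. The cache host name and the HTML are constructed placeholders.

```python
"""Is reading a cached copy really passive? List the requests the browser
will send to the original site while rendering the cached HTML.

Added example for this article; not code from the original post.
"""
import re
from urllib.parse import urljoin, urlparse

TAG_RE = re.compile(r"<(\w+)([^>]*)>")
ATTR_RE = re.compile(r"""\b([\w-]+)\s*=\s*["']([^"']*)["']""")
CSS_URL_RE = re.compile(r"""url\(\s*["']?([^"')\s]+)["']?\s*\)""", re.IGNORECASE)
BASE_RE = re.compile(r"""<base\s[^>]*?href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
FETCH_ATTRS = ("src", "data-src", "poster")   # fetched on render, whatever the tag


def third_party_fetches(html, cache_url, cache_host):
    """URLs the browser requests automatically, in document order, excluding
    those served by the cache host itself. <a href> is skipped (click only);
    <link href>, src/poster on any tag and CSS url() are reported."""
    base = cache_url
    m = BASE_RE.search(html)
    if m:                                   # <base href> repoints relative URLs at the origin
        base = urljoin(cache_url, m.group(1))
    found = []

    def add(raw):
        url = urljoin(base, raw.strip())    # data: URIs come back unchanged and have no host
        host = (urlparse(url).hostname or "").lower()
        if host and host != cache_host.lower() and url not in found:
            found.append(url)

    for tag in TAG_RE.finditer(html):
        name, attrs = tag.group(1).lower(), tag.group(2)
        for attr, value in ATTR_RE.findall(attrs):
            attr = attr.lower()
            if attr in FETCH_ATTRS or (attr == "href" and name == "link"):
                add(value)
    for m in CSS_URL_RE.finditer(html):
        add(m.group(1))
    return found


def origin_hosts(urls):
    """The hosts that will see your IP address, sorted."""
    return sorted({urlparse(u).hostname.lower() for u in urls})


# Placeholder cache front-end and a constructed cached page.
CACHE_URL = "https://webcache.example/search?q=cache:www.target.example/"
CACHE_HOST = "webcache.example"
SAMPLE_CACHED_PAGE = """<!DOCTYPE html>
<html><head>
<link rel="stylesheet" href="https://www.target.example/assets/site.css">
<style>body { background: url(https://cdn.target.example/bg.png) }</style>
<script src="/static/cache-banner.js"></script>
</head><body>
<a href="https://www.target.example/login">Login</a>
<img src="https://www.target.example/logo.png?v=3" alt="logo">
<img src="https://www.target.example/logo.png?v=3" alt="logo again">
<img src="//analytics.target.example/pixel.gif" width="1" height="1">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" alt="inline">
<iframe src="https://www.target.example/support/chat"></iframe>
</body></html>
"""

if __name__ == "__main__":
    leaks = third_party_fetches(SAMPLE_CACHED_PAGE, CACHE_URL, CACHE_HOST)
    for url in leaks:
        print("would fetch:", url)
    print("hosts that see you:", origin_hosts(leaks))
```

In the sample, the cache-rewritten banner script and the login link stay quiet, but the stylesheet, logo, tracking pixel, chat iframe and CSS background all go to target hosts, and the pixel is the kind of request that ends up in an analytics dashboard with your address on it.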
Google Advanced Search
If you navigate to google.com/advanced_search, you get a form that helps you build a Google Dork and shows the syntax for each search. The most interesting setting is the ability to change the region for which results are shown. Google returns the results it thinks will interest you, and one of the biggest factors is where it thinks you are. For example, if I search for "Google", the first result goes to google.com; when I change the region to the UK, I see google.co.uk. This can be useful for mapping the different countries in which an organization has infrastructure. Not all Google Dorks are for OSINT, though; this is equally useful for reading news from abroad. Since I'm in the US, when I search for UK-related news Google still prioritizes US sites that carry UK news. If I run the same search with the region set to the UK, local UK sites are preferred over US-based ones.
LinkedIn Example
My favorite Google Dorking demo is with LinkedIn, because I use it in almost every engagement to increase the number of employee names I collect in the OSINT phase. If you browse a company's employees on LinkedIn and are not connected to a person, LinkedIn shows only their avatar, title, and location, with no link to the person's real profile.
However, if you do a Google search like site:linkedin.com Job Title Company Name, Google often finds the LinkedIn profile for you, and the result title reveals the person's name. Also remember that LinkedIn is a global company: if the company I'm engaged with is in a different country than mine, I change my region to match that company's.
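Turning those result titles into an employee list, as an added example for this article (not code from the original post). It assumes LinkedIn profile pages are titled "Name - Job Title - Company | LinkedIn", sometimes without the job title and sometimes with a trailing location segment; that format is an assumption about how Google titles those results and can change. The titles, company and mail domain are constructed sample data, and the address format ("{f}{last}" here) should be confirmed from a known real address (a press contact, a PGP key, a breach record) before any guesses are used.

```python
"""Parse Google result titles for site:linkedin.com "Job Title" "Company"
into names and job titles, then into e-mail address guesses.

Added example for this article; not code from the original post.
"""
import re
import unicodedata

TRAILER_RE = re.compile(r"\s*[|\-]\s*LinkedIn\s*$", re.IGNORECASE)


def parse_linkedin_title(title):
    """{'name', 'job', 'company'} for a profile title, or None otherwise.
    Segments: Name [- Job Title] [- Company] [- Location] | LinkedIn."""
    if not TRAILER_RE.search(title):
        return None
    body = TRAILER_RE.sub("", title.strip())
    segments = [s.strip() for s in body.split(" - ") if s.strip()]
    if not segments:
        return None
    # Drop credentials and pronouns: "Jane Doe, CISSP (She/Her)" -> "Jane Doe"
    name = re.sub(r"\s*\(.*?\)", "", segments[0]).split(",")[0].strip()
    job = segments[1] if len(segments) >= 3 else None
    if len(segments) >= 3:
        company = segments[2]
    elif len(segments) == 2:
        company = segments[1]
    else:
        company = None
    return {"name": name, "job": job, "company": company}


def _ascii(s):
    """Strip accents so 'José Núñez' yields jnunez, as most mail systems do."""
    return unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()


def email_guess(name, domain, fmt="{first}.{last}"):
    """fmt placeholders: first, last, f (first initial), l (last initial).
    Middle initials such as 'Q.' are dropped."""
    parts = [p for p in re.split(r"\s+", _ascii(name).lower()) if p.isalpha()]
    if len(parts) < 2:
        return None
    first, last = parts[0], parts[-1]
    return fmt.format(first=first, last=last, f=first[0], l=last[0]) + "@" + domain


def employee_list(titles, domain, fmt="{first}.{last}"):
    """Parse every title; skip non-profile pages (no company segment, e.g. the
    company's own LinkedIn page), unrelated sites and duplicate names."""
    seen, people = set(), []
    for t in titles:
        person = parse_linkedin_title(t)
        if person is None or person["company"] is None or person["name"] in seen:
            continue
        seen.add(person["name"])
        person["email"] = email_guess(person["name"], domain, fmt)
        people.append(person)
    return people


# Constructed sample result titles (not real people or a real company).
SAMPLE_TITLES = [
    "Jane Doe - Security Engineer - Acme Corp | LinkedIn",
    "John Q. Public, CISSP - Acme Corp | LinkedIn",
    "José Núñez (He/Him) - SOC Analyst - Acme Corp - Madrid | LinkedIn",
    "Acme Corp | LinkedIn",                                   # the company page, not a person
    "Acme Corp jobs in Boston - Indeed",                      # unrelated result
    "Jane Doe - Security Engineer - Acme Corp | LinkedIn",    # duplicate
]

if __name__ == "__main__":
    for p in employee_list(SAMPLE_TITLES, "acme.example", "{f}{last}"):
        print(f'{p["name"]:<16} {p["job"] or "-":<20} {p["email"]}')
```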
More Google Dorks
Google Dorking has much more to offer than what I've listed here, and by far the best resource is Exploit-DB's Google Hacking Database. Once you start reading other people's dorks, you'll get plenty of ideas for your own. If not, look at the other cloud providers, such as Google Drive, OneDrive and Dropbox, and see how you can use Google to find documents hosted there.
Still stuck? Try Pentest-Tools.com
The Pentest-Tools.com Google Hacking page is a great way to get started with Google Dorking. I really like this site because it offers 14 different categories of Google Dorks, such as searching for documents, log files, or configuration files, and then opens the Google search in a new tab. It walks you through some of the most common dorks. Ultimately, though, you should rely less on this tool, because simply working through a checklist limits your creativity.
Using automated tools
There are many automated tools that run a large number of Google Dorks for you and write the results to text files so you can examine them. This is helpful because the most time-consuming part of Google Dorking is clicking through all the result pages. If you just want a list of every PDF on a website, it takes a while to copy each URL ten at a time (the default number of results per page). Fortunately, these programs do the clicking for us. The tools change quite often, so it's hard to say which is best; try a dork like site:github.com after:<date six months ago> Google Dork to find the latest ones. One that I like to use is Dork-Scanner. Bear in mind that Google's terms of service forbid automated querying, so these tools run into CAPTCHAs and temporary blocks; pace them, and don't run them from an address you can't afford to have blocked.
Many OSINT skills are really just investigative skills. Even if you don't intend to focus on OSINT, you'll be surprised how much knowing the basics helps with general research. Google Dorking is a great example of this; for more, check out our OSINT: Corporate Intelligence academy course.