Greetings,
So today I was able to dive in the studies of ethical hacking and security. While on the deep dive, I came across a topic called "Google Dorking". Hehehe.. what the hell is Google Dorking you ask? Well the "Dorking" is a term in which the user feeds advanced search queries into Google search engine to hunt for sensitive data. Important data such as usernames, passwords, log files and etc, of sites that Google is indexing due to misconfig of the site. Dorking involves using parameters and search operators called 'dorks' narrows down search results and hunt for exposed sensitive data and security loopholes in a site. The parameters and operators direct the crawler to find specific file types in any specified URL.
While doing some "dorking" I must add that it is not illegal. That is great because I know so many of you are ready to do this. Keep in the mental bank however that you are tracked by Google in searches all the time. So if you access sensitive data with malicious intent, you will be flagged as a thread actor from Google. Be sure as a pentester or hunting for a bug that you are backed and authorized fully from the organization. If you don't then you will land your ass in jail so please be smart!! Now that we spoke about the legal motion of things, let's speak briefly on some queries that are commonly used.
When finding data using Goggle Dorking queries, you first would want to visit Google.com. Yes... simply going into the search bar and using queries is all you have to do. Nothing more... nothing less. Here are a few examples of how to do the "dorking" of some info such as a great coffee franchise called "Starbucks". Try these and see what query results you find:
Examples:
frenchpress site:starbucks.com
site:starbucks.com inurl:admin
site:starbucks.com intext:admin
site:starbucks.com intitle:login
site:starbucks.com -inurl:/admin.html
This will allow us to find webcams that are connected to the internet vulnerable to the public viewing:
intitle:"webcamXP 5"
A bit more "dorks" that may help you while learning more are below:
Finding database passwords, but don't use them illegally:
filetype:env"DB_PASSWORD"
Finding log files that has invalid log in info:
"authenticaion failure; logname=" filetype:log
Searches for Registry Files which is how win system is configured:
filetype:reg reg HKEY_CURRENT_USER username
Finding vulnerable Remote Desktop connections:
allurl:tsweb/default.htm
Common queries are the following:goog
nurl: Dictates the crawler to search for URLs that contain a specified keyword.
allintext: This parameter searches for user-specified text in a webpage.
filetype: This parameter tells the crawler to look for and display a specific file type.
intitle: Scrapes for sites containing specified keywords in the title.
site: Lists all the indexed URLs for the specified site.
cache: When paired with the site parameter, this one displays the cached or older version of a website.
Pipe operator (|): This logical operator will list results that contain either of two specified search terms.
Wildcard operator (*): This is a wildcard operator that searches for pages that contain anything connected to your search term.
Subtract operator (-): This eliminates unwanted results from your search.
Now that you have a bit of practice with querying for data, let's speak a moment about something called GHDB - Google Hacking Database. The GHDB is a categorized index of internet search engine queries designed to uncover interesting and usually sensitive info made publicly. The info was never meant to be public, but due to any number of factors the info was linked in a web doc. Now if you'd like more insights about Dorking I would highly advise you to check out Network Chuck. He goes in more about Dorking and all it has to offer a ethical hacker such as yourself.
Welp... until next time great people!