Introduction to Google Hacking for penetration testing
Google hacking, also called Google Dorking, is a reconnaissance technique that uses Google Search (and other Google services) to find misconfigurations, exposed files, and vulnerable code on websites the search engine has already indexed. A Google dork is a query built from advanced search operators that surfaces information the site owner did not intend to publish, or at least did not expect to be so easy to find.
Google's advanced operators refine a search and are written as part of an ordinary query, using the following syntax.
operator:search_term
Do not put a space between the operator, the colon, and the search term: site:example.com restricts results to that site, while site: example.com is treated as an ordinary search for the word "example.com". The following table shows commonly used operators.
The following example searches for Excel workbooks whose contents include name, telephone number, email, and password fields.
ext:xlsx intext:NAME intext:TEL intext:EMAIL intext:PASSWORD
At the time of writing it returned 57,900 results, and I found various sensitive data through this search. Other operators can be combined in the same way to narrow the hit list.
Some operators cover overlapping ground; consider "site", "inurl", and "filetype". The "site" operator matches only the host (domain) part of a URL, so it cannot select on a port number. The "inurl" operator matches anywhere in the URL, including the port and the file extension. The "filetype" operator (and its alias "ext") matches only the file extension, which is the more precise choice when an extension string would also appear as an ordinary path component in long URLs. Each operator you add reduces the number of results and focuses the search.
The Google Hacking Database (GHDB) collects ready-made dorks organised by operator and use case, and is a good place to look before writing your own.
Combining operators in intelligent ways can turn a seemingly innocuous query into one that returns very sensitive results.
The cache link is a useful way to retrieve content after it has been deleted from the site, and the question of where exactly that content comes from matters. Note that Google has since retired the cached-page link from its results, so for deleted content the Wayback Machine (web.archive.org) now fills the same role.
Some people assume that browsing a site through the cache link anonymises them. It does not: the cached page still references resources such as images and style sheets on the original server, so loading it leaves your IP address in that server's logs. Google's text-only cache view avoided those fetches, and cache browsing can still be useful for low-noise reconnaissance, especially when combined with a proxy.
The following search characters may help you build custom Google searches.
- ( + ) force inclusion of a common word that Google would otherwise drop. Google stopped honouring + in 2011; put the word in quotes instead.
- ( - ) exclude a search term.
- ( " ) surround an exact phrase with quotes.
- ( . ) a single-character wildcard in older guides; Google's own documentation does not list it and it is not reliable.
- ( * ) any word (a whole-word placeholder, most useful inside a quoted phrase).
- ( | ) boolean OR, which binds only the terms immediately on either side of it.
- Parentheses group queries, for example ("master card" | mastercard).
The following search term finds pages that pass a parameter named id to an index.php script, a classic pattern for database-backed pages that are worth testing for SQL injection. The dork only finds candidates; whether a given page is injectable has to be verified against the target, and other operators can be combined with it for specific target discovery.
inurl:"index.php?id="
The following dork searches pastes on pastebin.com that mention email addresses at gmail, yahoo, or hotmail. Given what tends to get pasted there, most hits carry the passwords that go with those addresses. A relatively recent date range keeps the results current; the daterange operator takes Julian day numbers rather than calendar dates (2457755 is 1 January 2017 and 2458109 is 21 December 2017). Google now also accepts before:YYYY-MM-DD and after:YYYY-MM-DD, which are easier to read. Note that, as written, the intext: operator applies only to @gmail.com; the other two alternatives are plain OR'd terms.
site:pastebin.com intext:@gmail.com | @yahoo.com | @hotmail.com daterange:2457755-2458109
The following example finds pastes on pastebin.com containing dumped mail lists with passwords; the "*@*.com:*" pattern matches the address:password layout common in such dumps. Again, the date range is given in Julian day numbers.
site:pastebin.com intext:"*@*.com:*" daterange:2457755-2458109
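Composing these queries by hand invites exactly the mistakes described above: a stray space after the colon, an unquoted phrase, or a miscomputed Julian day. The helper below is an added example, not code from the original post. It renders operator terms with the correct syntax, builds parenthesised OR groups, converts calendar dates to the Julian day numbers that daterange: expects, and decodes a daterange back into dates so you can see what period an existing dork covers. The function names are my own; the page defines none.

```python
"""Helpers for composing Google dork queries (added example, not from the original post)."""
from datetime import date

# Offset between Python's proleptic-Gregorian ordinal (1 == 0001-01-01) and the
# Julian Day Number (JDN of 0001-01-01 is 1721426). Google's daterange: operator
# wants JDNs, not calendar dates.
_JDN_OFFSET = 1721425


def to_julian_day(d: date) -> int:
    """Julian Day Number of a calendar date (2000-01-01 -> 2451545)."""
    return d.toordinal() + _JDN_OFFSET


def from_julian_day(jdn: int) -> date:
    """Inverse of to_julian_day, for decoding a daterange: found in the wild."""
    return date.fromordinal(jdn - _JDN_OFFSET)


def daterange(start: date, end: date) -> str:
    """Render a daterange: term covering start..end inclusive."""
    if end < start:
        raise ValueError("end date is before start date")
    return f"daterange:{to_julian_day(start)}-{to_julian_day(end)}"


def decode_daterange(token: str) -> tuple:
    """Turn 'daterange:2457755-2458109' back into (date, date)."""
    prefix = "daterange:"
    if not token.startswith(prefix):
        raise ValueError(f"not a daterange term: {token!r}")
    lo, hi = token[len(prefix):].split("-", 1)
    return from_julian_day(int(lo)), from_julian_day(int(hi))


def term(operator: str, value: str) -> str:
    """Render operator:value with no whitespace around the colon.

    Values containing spaces are quoted so Google treats them as one phrase;
    a value the caller already quoted is passed through unchanged.
    """
    if not operator.isalpha():
        raise ValueError(f"bad operator {operator!r}")
    value = value.strip()
    if not value:
        raise ValueError("empty search term")
    already_quoted = value.startswith('"') and value.endswith('"')
    if " " in value and not already_quoted:
        value = f'"{value}"'
    return f"{operator}:{value}"


def any_of(*alternatives: str) -> str:
    """Boolean OR group, parenthesised so it binds as one unit."""
    if len(alternatives) < 2:
        raise ValueError("an OR group needs at least two alternatives")
    return "(" + " | ".join(alternatives) + ")"


def build(*parts: str) -> str:
    """Join rendered terms into one query string."""
    return " ".join(parts)


if __name__ == "__main__":
    # Reproduce the page's second pastebin dork from calendar dates.
    query = build(
        term("site", "pastebin.com"),
        term("intext", '"*@*.com:*"'),
        daterange(date(2017, 1, 1), date(2017, 12, 21)),
    )
    print(query)
    # Decode the period an existing dork covers.
    print(decode_daterange("daterange:2457755-2458109"))
    # A grouped OR, as in the search-character list above.
    print(build(term("site", "pastebin.com"),
                any_of("@gmail.com", "@yahoo.com", "@hotmail.com")))
```

Running the script prints the page's own pastebin query verbatim, followed by the 2017-01-01 to 2017-12-21 window its Julian days encode; the OR group is emitted with parentheses so the three addresses are treated as one alternative set rather than three loose terms.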
Many more combinations of these operators can be used for information gathering with Google hacking; the general approach is to start broad, then add operators until only the target remains.