Due to the number of messages we are receiving about "Google dorks", it is time to write properly about the so-called Google Dork.
We have also mentioned this type of exposure in previous posts, since it is a common way for attackers to find valuable private information about almost any website.
In this post we dig deeper into Google hacking techniques, also known as Google Dorks.
WHAT IS A GOOGLE DORK?
A Google Dork is a search query crafted to surface information that a site owner never meant to publish; the practice is called Google Dorking or Google hacking, and it is a valuable resource for attackers. For the average person, Google is just a search engine used to find text, images, videos, and news. In the underground world, it is also a reconnaissance tool.
- How would anyone use Google to hack websites?
You can't hack a site directly through Google, but its crawler is thorough enough to index almost anything it can reach on your website, including sensitive files. This means careless webmasters may be exposing details of their web technologies, usernames, passwords, and outright vulnerabilities without knowing it.
In other words, Google "Dorking" is the practice of using Google's native search operators to find vulnerable web applications and servers. And before you ask: #CashoutMoney is secured against leaking such information.
Unless webmasters deliberately keep specific resources out of the index, Google indexes everything its crawler can reach on a website. Note that robots.txt only asks well-behaved crawlers not to fetch a path: it is advisory, it is itself public (so it tells an attacker exactly which paths you consider sensitive), and a URL disallowed in robots.txt can still show up in results if other pages link to it. Content that must not be indexed needs a noindex header or meta tag; content that must not be readable needs authentication or a deny rule in the web server.
Logically, after some time anyone in the world can access that information if they know what to search for.
Side note: this information is publicly available on the Internet, and Google documents and permits these search operators. Running the queries is legal; using what they reveal to get into systems you are not authorized to access is not, and that is exactly what people with the wrong intentions do with it.
Be aware that Google knows who you are when you run these queries: the query, your IP address, and any Google account you are signed into are all logged. For this reason, and many others, use them with caution; if you are OpSec-aware you have less to worry about.
A VPN alone does not make you anonymous. Your browser fingerprint, cookies, and a signed-in account identify you regardless of the exit IP. We may write a comprehensive article about OpSec, anonymity, and privacy if there is enough interest.
Also be aware that Google starts throttling a single static IP that issues many queries in a row and will present CAPTCHA challenges to stop automated querying. This matters if you script your dorks: pace your requests or use an official search API.
GOOGLE DORK OPERATORS
Google's search engine has its own built-in query language. The operators below can be combined to find specific files, gather information about your competition, track people, map SEO backlinks, build email lists, and of course discover exposed and vulnerable web applications.
Let’s look at the most popular Google Dorks and what they do.
cache: showed Google's cached copy of a page. Google has since retired this operator, so it no longer returns results.
allintext: matches pages whose body text contains all of the given words, e.g.
allintext:hacking tools
allintitle: the same as allintext, but every given word must appear in the page title.
allinurl: matches pages whose URL contains all of the given words, e.g.
allinurl:client area
filetype: restricts results to a file extension; for example, to search for jpg files:
filetype:jpg
inurl: the same as allinurl, but applies to a single keyword only.
intitle: searches the page title for a single keyword, for example,
intitle:credit cards
matches pages whose title contains "credit"; "cards" can be anywhere in the page.
inanchor: matches the anchor text of links pointing to a page.
intext: matches a single keyword in the body text of a page.
link: was meant to list the pages that link to a given URL; Google retired this operator in 2017 and it no longer works.
site: restricts results to the given domain and its subdomains, which effectively lists everything Google has indexed there.
*: wildcard that stands for any word or words between your terms, e.g.
how to * a website
will return "how to..." design/create/hack/card, etc. "a website".
|: logical OR, e.g.
carding | tips
shows pages that contain "carding" or "tips", or both. The keyword OR (uppercase) does the same thing.
+: historically forced a word to be included in every result. Google dropped this operator in 2011; to require an exact word today, put it in double quotes instead, e.g.
"security" "trails"
-: the minus operator excludes results that contain a word, e.g.
carding -website
shows pages that use "carding" in their text, but not those that also contain the word "website".
Write operators without a space after the colon (intitle:"index of", not intitle: "index of"); with a space Google does not reliably treat the word as an operator.
If you're looking for the complete set of Google Dorks, we will cover almost every known dork available to date in a separate article.
GOOGLE DORK EXAMPLES
Let's take a look at some practical examples. You'll be surprised how easy it is to extract private information from almost any source just by using these Google hacking techniques.
#Log Files
Log files are the perfect example of how sensitive information can be found within any website.
Error logs, access logs, and other application logs are often left inside the public HTTP space of a website. They tell an attacker which PHP version you run, the filesystem paths of your CMS or framework, and sometimes much more.
For this kind of dork we combine two operators, allintext and filetype:
allintext:username filetype:log
This returns *.log files whose text contains "username"; expect a lot of results.
In the results we discovered one particular website showing an SQL error log from a database server that included critical information:
MyBB SQL Error SQL Error: 1062 - Duplicate entry 'XXX' for key 'username' Query: INSERT INTO XXX (`username`,`password`,`salt`,`loginkey`,`email`,`postnum`,`avatar`,`avatartype`,`usergroup`,`additionalgroups`,`displaygroup`,`usertitle`,`regdate`,`lastactive`,`lastvisit`,`website`,`icq`,`aim`,`yahoo`,`msn`,`birthday`,`signature`,`allownotices`,`hideemail`,`subscriptionmethod`,`receivepms`,`receivefrombuddy`,`pmnotice`,`pmnotify`,`showsigs`,`showavatars`,`showquickreply`,`showredirect`,`tpp`,`ppp`,`invisible`,`style`,`timezone`,`dstcorrection`,`threadmode`,`daysprune`,`dateformat`,`timeformat`,`regip`,`longregip`,`language`,`showcodebuttons`,`away`,`awaydate`,`returndate`,`awayreason`,`notepad`,`referrer`,`referrals`,`buddylist`,`ignorelist`,`pmfolders`,`warningpoints`,`moderateposts`,`moderationtime`,`suspendposting`,`suspensiontime`,`coppauser`,`classicpostbit`,`usernotes`) VALUES ('XXX','XXX','XXX','XXX','XXX','0','','','5','','0','','1389074395','1389074395','1389074395','','0','','','','','','1','1','0','1','0','1','1','1','1','1','1','0','0','0','0','5.5','2','linear','0','','','XXX','-655077638','','1','0','0','0','','','0','0','','','','0','0','0','0','0','0','0','')
This single log line exposed the table name, the username, the stored password value, its salt, the login key, the email address, and the registration IP. In MyBB the password column holds a salted hash rather than the plaintext password, but with the salt printed next to it the hash can be cracked offline, and the loginkey is the long-lived credential MyBB uses for cookie logins. We've replaced the original values with "XXX".
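To see why one such line is so damaging, here is an added example written for this article (it is not MyBB code and not from the original page) that parses an error line of this shape and maps the echoed column list onto the echoed VALUES list, then picks out the columns that hand an attacker credentials or identifying data. The error line it parses is constructed: fewer columns than the real one, placeholder values, and the table name mybb_users is an assumption, but the format is the one shown above.

```python
"""Parse a leaked MyBB-style SQL error line and list the sensitive fields it
exposes.  Added example for this article; not MyBB code.  SAMPLE_ERROR is
constructed (placeholder values, abbreviated column list, assumed table name)
but keeps the shape: INSERT INTO <table> (`col`,...) VALUES ('v',...).
"""
import re

# Constructed sample; the values are placeholders, not real credentials.
SAMPLE_ERROR = (
    "MyBB SQL Error SQL Error: 1062 - Duplicate entry 'alice' for key 'username' "
    "Query: INSERT INTO mybb_users (`username`,`password`,`salt`,`loginkey`,"
    "`email`,`usergroup`,`regdate`,`regip`,`signature`) VALUES "
    "('alice','a1d0c6e83f027327d8461063f4ac58a6','xY7q','k3yk3yk3y',"
    "'alice@example.com','5','1389074395','203.0.113.7','it\\'s me')"
)

# Columns whose values let an attacker log in, crack a hash, or profile the user.
SENSITIVE_COLUMNS = {"username", "password", "salt", "loginkey",
                     "email", "regip", "longregip"}

_INSERT_RE = re.compile(
    r"INSERT INTO\s+(\S+)\s*\((.*?)\)\s*VALUES\s*\((.*)\)\s*$", re.S)
_COL_RE = re.compile(r"`([^`]+)`")
# One single-quoted SQL literal; MyBB backslash-escapes quotes inside values.
_VAL_RE = re.compile(r"'((?:[^'\\]|\\.)*)'")


def parse_insert(line):
    """Return (table, {column: value}) for the INSERT echoed in the error line."""
    m = _INSERT_RE.search(line)
    if not m:
        raise ValueError("no INSERT statement found in line")
    table, cols_raw, vals_raw = m.groups()
    columns = _COL_RE.findall(cols_raw)
    values = [v.replace("\\'", "'") for v in _VAL_RE.findall(vals_raw)]
    if len(columns) != len(values):
        raise ValueError(
            f"column/value count mismatch: {len(columns)} vs {len(values)}")
    return table, dict(zip(columns, values))


def exposed_secrets(line):
    """Map sensitive column -> leaked value, skipping empty values."""
    _, row = parse_insert(line)
    return {c: v for c, v in row.items() if c in SENSITIVE_COLUMNS and v != ""}


if __name__ == "__main__":
    table, row = parse_insert(SAMPLE_ERROR)
    print(f"table: {table}, {len(row)} columns echoed")
    for col, val in exposed_secrets(SAMPLE_ERROR).items():
        print(f"  {col:10s} = {val}")
```

The same parser runs over a real line; the point is that the error handler echoes the full statement, so the log is a credential dump for every failed insert.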
#Vulnerable Web Servers
The following Google Dork detects misconfigured or compromised servers that serve "/proc/self/cwd/" when it is appended to a URL. On Linux, /proc/self/cwd is a symlink to the current working directory of whichever process opens it, so a web server that follows it exposes its own working directory (usually the document root or the daemon's home) as a browsable listing.
As you can see in the following screenshot, vulnerable servers show up together with their exposed directories, which can be browsed from your own browser.
#Open FTP Servers
Google does not only index HTTP-based servers, it also indexes open FTP servers.
With the following dork, you'll be able to explore public FTP servers, which often reveal interesting things to an attacker.
intitle:"index of" inurl:ftp
In this example, we found an important government server with its FTP space open. Chances are that this was on purpose — but it could also be a security issue.
#.env Files
.env files are used by popular web frameworks (Laravel and Symfony among others) to declare environment variables such as database hosts, credentials, and API keys for local and production environments.
The recommended practice is to keep the .env file outside the public web root, or at least to deny access to it in the web server configuration.
However, as you will see, many developers don't care and leave their .env file in the main public website directory.
As this is a critical dork we will not show you how to do it; instead, we will only show you the critical results:
You'll notice that plaintext usernames, passwords, and IPs appear directly in the search snippets. You don't even need to click the links to get the database login details.
#SSH Private Keys
SSH private keys are the client half of SSH public-key authentication: whoever holds the private key can log in as every user whose authorized_keys lists the matching public key. As a general security rule, a private key stays on the machine it was generated on and is never shared with anyone.
With the following dork, you’ll be able to find SSH private keys that were indexed by Google.
intitle:index.of id_rsa -id_rsa.pub
Let’s move on to another interesting SSH Dork.
If you use the PuTTY SSH client on Windows, remember that when session logging is enabled it writes putty.log files that record the login prompt, so the usernames of your SSH connections (and, with the "all session output" setting, everything you typed) end up on disk. If such a file lands in a web root, Google indexes it.
In this case, we can use a simple dork to fetch SSH usernames from PuTTY logs:
filetype:log username putty
Here’s the expected output:
#Email Lists
It's pretty easy to find email lists using Google Dorks. In the following example, we fetch Excel files that are likely to contain many email addresses.
We filtered to check out only the .edu domain names and found a popular university with around 1800 emails from students and teachers.
site:.edu filetype:xls inurl:"email.xls"
Remember that the real power of Google Dorks comes from the unlimited combinations you can build. Spammers know this trick too and use it daily to build and grow their mailing lists.
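The dorks in the log-file, .env, SSH-key, PuTTY-log, and email-list sections above all target files that should never have been inside a web root. The following script, added for this article (it is not from the page's author or from any product mentioned here), audits a local web root for exactly those artifacts so you can find them before Google does. Everything in it is an assumption: the file names it looks for, the pattern it uses to decide which .env keys are secrets, and the sample web root it builds under a temporary directory, whose contents are constructed placeholders and not from any real site.

```python
"""Audit a web root for the artifacts Google dorks pick up: log files, .env
files with secrets, SSH private keys, PuTTY session logs, and spreadsheets.
Added example for this article; the sample web root is constructed.
"""
import os
import re
import tempfile

PEM_KEY_RE = re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----")
PUTTY_RE = re.compile(r"^login as:\s*(\S+)", re.M)
# Assumed pattern for .env keys whose values are credentials or secrets.
SECRET_KEY_RE = re.compile(r"(PASS|PASSWORD|SECRET|TOKEN|KEY|DSN)$", re.I)
ENV_LINE_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$", re.M)
SPREADSHEET_EXT = {".xls", ".xlsx", ".csv"}


def _read(path, limit=65536):
    """Read the first `limit` bytes as text; enough to spot headers and prompts."""
    with open(path, "rb") as fh:
        return fh.read(limit).decode("utf-8", "replace")


def audit_file(path):
    """Return (category, detail) findings for one file; empty list if clean."""
    findings = []
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower()
    text = _read(path)
    if name == ".env" or name.startswith(".env."):
        for m in ENV_LINE_RE.finditer(text):
            key, value = m.group(1), m.group(2).strip().strip("'\"")
            if SECRET_KEY_RE.search(key) and value:
                findings.append(("env-secret", f"{key} set in {name}"))
    if PEM_KEY_RE.search(text):          # private key regardless of file name
        findings.append(("private-key", name))
    if ext == ".log":
        findings.append(("log-file", name))
        for m in PUTTY_RE.finditer(text):  # PuTTY echoes the login prompt
            findings.append(("putty-username", m.group(1)))
    if ext in SPREADSHEET_EXT:
        findings.append(("spreadsheet", name))
    return findings


def audit_webroot(root):
    """Walk `root` and return (category, relative_path, detail) tuples."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            for cat, detail in audit_file(full):
                results.append((cat, rel, detail))
    return results


def build_sample_webroot():
    """Create a constructed web root containing each exposure discussed above."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {  # placeholder contents, not real secrets
        ".env": "APP_NAME=shop\nDB_HOST=127.0.0.1\nDB_PASSWORD='hunter2'\nAPP_DEBUG=true\n",
        "logs/error.log": "[notice] PHP 7.4.3 error in /var/www/html/app/Kernel.php\n",
        "backup/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nAAAAB3NzaC1placeholder\n"
                         "-----END OPENSSH PRIVATE KEY-----\n",
        "backup/id_rsa.pub": "ssh-rsa AAAAB3NzaC1placeholder user@host\n",
        "tmp/putty.log": "=~=~=~ PuTTY log 2013.01.07 ~=~=~\nlogin as: deploy\n"
                         "deploy@host's password:\n",
        "docs/email.xls": "placeholder, not a real spreadsheet\n",
        "index.html": "<html>hello</html>\n",
    }
    for rel, content in files.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as fh:
            fh.write(content)
    return root


def finding_categories(root):
    """Sorted set of finding categories present under `root`."""
    return sorted({cat for cat, _, _ in audit_webroot(root)})


if __name__ == "__main__":
    for cat, rel, detail in audit_webroot(build_sample_webroot()):
        print(f"{cat:15s} {rel:20s} {detail}")
```

Run it against your real document root instead of the sample; anything it reports is reachable by the same dorks shown in this article, and the fix is to move the file out of the web root or deny it in the server configuration, not to rely on robots.txt.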
#Live Cameras
Have you ever wondered whether your private live camera can be watched not only by you but by anyone on the Internet?
The following Google hacking techniques fetch live camera web pages that are not restricted by IP.
Here’s the dork to fetch various IP based cameras:
To find WebcamXP-based transmissions:
And another one for general live cameras:
There are a lot of live camera dorks that let you watch any part of the world, live. You can find education, government, and even military cameras without IP restrictions.
With the owner's permission, these cameras make good targets for white-hat penetration testing; you'll be surprised how often the full admin panel is reachable remotely and the camera can be reconfigured as you like. Without that permission, logging in to or reconfiguring someone else's camera is plain unauthorized access.
#MP3, Movie, and PDF files
Since Spotify and Apple Music arrived, few people download music any more. If you're one of those who still download legal music, this dork finds open directory listings that contain mp3 files:
intitle:"index of" mp3
The same works for other legal free media files or PDF documents you may need:
intitle:"index of" pdf
Quote the phrase and leave no space after the colon; with intitle: index of mp3 Google does not reliably apply the operator.
Google hacking techniques can fetch any kind of information, and that includes many different types of electronic devices connected to the Internet.
In this case, we ran a dork that fetches Weather Wing device transmissions. If you're involved in meteorology or merely curious, check this out:
intitle:"Weather Wing WS-2"
The output will show you several devices connected around the world, which share weather details such as wind direction, temperature, humidity, and more.
So all in all, Google is one of the most important search engines in the world. As we all know, it indexes everything it can reach unless webmasters explicitly keep it out, and most don't because they don't know how. The controls are: a noindex header or meta tag for pages that may be reachable but must not be listed; authentication or a deny rule in the web server for files that must never be readable (.env, logs, keys, backups); and disabling automatic directory listings so "index of" pages never exist in the first place.
Today in this #CashoutMoney article about Google Dorks we showed that Google can also be used as a reconnaissance tool. You can even automate it with third-party Google SERP APIs, which also side-steps the CAPTCHA and rate limiting that a single IP runs into.
While Google Dorking can be used to reveal sensitive information on just about any website that is located and indexable via the HTTP protocol.