Turning Google Dorks Into A Weapon: Using Google Dorks for Pentesters

Google has become an integral part of our daily lives. Usually, it’s the first place we go when we want to learn something, find a place, or make a purchase. However, while surfing on the surface of Google, could we realize that there is a much more powerful tool hidden in the depths of Google? This tool is Google dorks. A pentester effectively using Google dorks can quickly find weak points in a target’s defense and ethically use this information.

Basic Structure and Types of Google Dorks

The structure of Google dorks usually involves a specific operator and a query applied to it.

For example,

1. The “site:” operator is used to search on a specific website. For example, with the phrase “site:example.com”, we can only display results on the example.com site.
2. The “intitle:” operator is used to search for a specific word or phrase in the title. For example, with the phrase “intitle:admin login”, we can find administrator login pages.
3. The “inurl:” operator is used to search for a specific word or phrase in the URL. For example, with the phrase “inurl:login.php”, we can find login.php pages.
4. The “filetype:” operator is used to search for specific file types. For example, with the phrase “filetype:pdf”, we can see only results containing PDF files. Chapter 2: Using Google Dorks for Discovering Security Vulnerabilities How can you use Google Dorks to detect security vulnerabilities? Here are some examples:
5. Finding Weak Passwords: With the phrase “inurl:login.php intext:username password”, you can find login pages displaying usernames and passwords.
6. Detecting Open Ports: With the phrase “site:example.com port”, you can find open ports on a specific website.
7. Access to Security Cameras: With the phrase “inurl:/view/viewer_index.shtml”, you can access images of security cameras open to the internet.
8. Finding Sensitive Files: With the phrase “filetype:sql intext:username password”, you can obtain results containing usernames and passwords in SQL database files.

Example Usage to Find SQL Files

Use of Security Cameras for Access

Access of Security Cameras

Using Google Dorks for Automated Information Collection

Using Google dorks during a pentest is a powerful technique, but it can also be time-consuming. Therefore, I developed a Python tool that automates Google dorks. This script automatically applies a specific set of Google dorks on the target site and gives the results it finds as output.

GitHub - tunahantekeoglu/t4dork

Click on the link for usage details.

Conclusion

Google dorks can be a powerful pentest tool when used correctly. However, remember that this powerful tool must be used responsibly. Unauthorized pentesting is against the law, and you should always get the target’s permission when using this tool. Google dorks are a tool for finding information and increasing security, but it’s also our responsibility not to misuse this information.

Resources

1. Google Hacking Database (GHDB) — Exploit Database by Offensive Security
2. Google Advanced Search Operators — Google Guide
3. Google Dorking — Wikipedia

Leaving All Dorks with Explanations for Manual Use

Make sure you have the necessary permissions for the legal use of these examples.

1. `site:target.com`: Lists all pages belonging to the target site.
2. `site:target.com filetype:pdf`: Lists all PDF files on the target site.
3. `site:target.com inurl:admin`: Lists pages with the word 'admin' in their URLs.
4. `site:target.com intext:password`: Lists pages where the word 'password' appears in the page text.
5. `site:target.com ext:sql`: Lists all SQL files on the target site.
6. `site:target.com inurl:login`: Lists pages with the word 'login' in their URLs.
7. `site:target.com filetype:txt`: Lists all TXT files on the target site.
8. `site:target.com intitle:index.of`: Lists pages with 'index.of' in the title.
9. `site:target.com ext:doc | ext:docx | ext:odt`: Lists files with specific document extensions on the target site.
10. `site:target.com filetype:xls | filetype:xlsx | filetype:ods`: Lists Excel files on the target site.
11. `site:target.com filetype:log`: Lists log files on the target site.
12. `site:target.com intext:username`: Lists pages where the word 'username' appears in the page text.
13. `site:target.com inurl:php?id=`: Lists pages with 'php?id=' in their URLs. May indicate a SQL Injection vulnerability.
14. `site:target.com ext:xml | intext:password`: Lists pages where the word 'password' appears in XML files.
15. `site:target.com ext:conf inurl:wp-`: Lists WordPress configuration files.
16. `site:target.com ext:env`: Lists .env files on the target site.
17. `site:target.com inurl:wp-content | inurl:wp-includes`: Lists WordPress content and plugin folders.
18. `site:target.com inurl:.git`: Lists '.git' directories, which may reveal accidentally shared code.
19. `site:target.com inurl:test/ | inurl:demo/`: Lists test or demo folders.
20. `site:target.com ext:bak`: Lists backup files.
21. `site:target.com inurl:phpinfo.php`: Lists PHP info files.
22. `site:target.com inurl:robots.txt`: Lists robots.txt files.
23. `site:target.com ext:csv | intext:email`: Lists email addresses in CSV files.
24. `site:target.com intitle:"index of /"`: Searches for publicly accessible directories.
25. `site:target.com inurl:debug`: Lists debug pages.
26. `site:target.com inurl:ftp://`: Lists FTP addresses.
27. `site:target.com intext:"access denied for user" intext:"using password"`: Lists incorrect SQL queries or details.
28. `site:target.com ext:swf`: Lists SWF files.
29. `site:target.com ext:asp`: Lists ASP files.
30. `site:target.com intitle:"webcam inurl:"ViewerFrame?Mode="`: Lists open web cameras.
31. `site:target.com inurl:public/`: Lists folders named 'public'.
32. `site:target.com inurl:private/`: Lists folders named 'private'.
33. `site:target.com ext:old`: Lists files with the '.old' extension.
34. `site:target.com inurl:attachments/`: Lists attachment folders.
35. `site:target.com ext:tmp | ext:temp`: Lists temporary files.
36  `site:target.com inurl:download/`: Lists folders named 'download'.
37. `site:target.com intext:confidential`: Lists pages containing the word 'confidential'.
38. `site:target.com intitle:"report" filetype:xls`: Lists pages with 'report' in the title and an XLS file.
39. `site:target.com ext:json`: Lists JSON files.
40. `site:target.com inurl:admin/`: Lists folders named 'admin'.
41. `site:target.com inurl:500.shtml`: Lists 500 error pages.
42. `site:target.com inurl:trace.axd`: Lists ASP.NET trace files.
43. `site:target.com ext:yml | intext:password`: Lists pages where the word 'password' appears in YML files.
44. `site:target.com intext:db_password`: Lists pages where the word 'db_password' appears in the page text.
45. `site:target.com ext:rb | intext:password`: Lists pages where the word 'password' appears in Ruby files.
46. `site:target.com filetype:ldif ldif`: Lists LDIF files.
47. `site:target.com intitle:"web service" filetype:asmx`: Lists webservice and ASMX files.
48. `site:target.com inurl:"web.config" filetype:config`: Lists web.config files.
49. `site:target.com ext:jsp`: Lists JSP files.
50. `site:target.com inurl:"id=" & intext:"Warning: mysql_fetch_assoc()` Lists MySQL error messages or details.
51. `site:target.com inurl:"ViewerFrame?Mode="`: Lists open IP cameras.
52. `site:target.com intext:"enable secret 5 $"`: Lists security information on IOS devices.
53. `site:target.com intitle:"Apache::Status" (inurl:server-status | inurl:status.html | inurl:apache.html)`: Lists Apache server status pages.
54. `site:target.com intext:"MOBOTIX M1" intext:"Open Menu" intext:"MOBOTIX M10" intext:"Open Menu" intext:"MOBOTIX D10" intext:"Open Menu"`: Lists MOBOTIX cameras.
55. `site:target.com intitle:"FTP root at"`: Lists open FTP servers.
56. `site:target.com filetype:bak`: Lists backup files.
57. `site:target.com inurl:top.htm inurl:currenttime`: Lists network cameras.
58. `site:target.com allinurl:/examples/jsp/snp/snoop.jsp`: Lists Apache Tomcat server information.
59. `site:target.com intitle:"Under construction" "does not currently have"`: Lists pages under construction.
60. `site:target.com intitle:"Test Page for Apache Installation"`: Lists test pages for Apache installations.
61. `site:target.com "VNC Desktop" inurl:5800`: Lists VNC Desktop users.
62. `site:target.com "phone * * *" "address *" "e-mail" intitle:"curriculum vitae"`: Searches for CVs.
63. `site:target.com "robots.txt" "Disallow:" filetype:txt`: Lists robots.txt files.
64. `site:target.com intext:"Network Vulnerability Assessment Report"`: Lists network vulnerability assessment reports.
65. `site:target.com filetype:pwd service`: Lists UNIX /etc/passwd files.
66. `site:target.com inurl:"webalizer.conf" intext:passwd -sample`: Lists Webalizer configurationfiles.
67. `site:target.com filetype:sql ("passwd values ****" | "password values ****" | "pass values ****")`: Lists SQL dump files.
68. `site:target.com filetype:xls inurl:"email.xls"`: Lists Excel files containing email lists.
69. `site:target.com intitle:index.of passwd passwd.bak`: Lists password files.
70. `site:target.com intitle:"index of" people.lst`: Searches for people lists.
71. `site:target.com intitle:"usage statistics" "Microsoft-IIS/6.0"`: Lists usage statistics for IIS 6.0.
72. `site:target.com intitle:index.of administrators.pwd`: Lists administrator passwords.
73. `site:target.com intitle:index.of trillian.ini`: Lists Trillian configuration files.
74. `site:target.com intitle:index.of ws_ftp.ini`: Lists WS_FTP configuration files.
75. `site:target.com inurl:admin inurl:backup intitle:index.of`: Lists administrator backups.
76. `site:target.com inurl:ospfd.conf intext:password -sample -test -tutorial -download`: Lists OSPF daemon configuration files.
77. `site:target.com intitle:index.of master.passwd`: Lists UNIX master passwords.
78. `site:target.com filetype:inc dbconn`: Searches for PHP database connections made with filetype ".inc" on the target site.
80. `site:target.com inurl:temp | inurl:tmp | inurl:backup | inurl:bak`: Lists temporary and backup files.
81. `site:target.com inurl:"/phpmyadmin/"`: Lists phpMyAdmin panels.
82. `site:target.com inurl:"/cacti/"`: Lists Cacti device monitoring software.
83. `site:target.com inurl:webvpn.html`: Lists Cisco WebVPN services.
84. `site:target.com inurl:.htpasswd`: Lists .htpasswd files.
85. `site:target.com inurl:"server-status"`: Lists Apache server status pages.
86. `site:target.com inurl:"/phpinfo.php"`: Lists PHP info pages.
87. `site:target.com intitle:"PHPMyAdmin" "running on" inurl:"main.php"`: Lists phpMyAdmin panels.
88. `site:target.com inurl:":2082/frontend"`: Lists cPanel login pages.
89. `site:target.com inurl:"/zabbix/"`: Lists Zabbix monitoring software.
90. `site:target.com inurl:"/jenkins/script"`: Lists Jenkins script consoles.
91. `site:target.com inurl:"webdav/xmlrpc"`: Lists XMLRPC servers.
92. `site:target.com inurl:"/horde/imp/test.php"`: Lists Horde/IMP test pages.
93. `site:target.com inurl:"servlet/webacc"`: Lists GroupWise WebAccess.
94. `site:target.com inurl:".nsf"`: Lists Domino access controls.
95. `site:target.com inurl:"axis-cgi/mjpg"`: Lists Axis video servers.
96. `site:target.com inurl:"/names.nsf"`: Lists Domino access controls.
97. `site:target.com intitle:"index of" "wp-admin"`: Lists WordPress admin folders.
98. `site:target.com intitle:"index of" ".well-known"`: Lists .well-known folders.
99. `site:target.com intitle:"index of" ".git"`: Lists .git folders.
100. `site:target.com intitle:"index of" ".svn"`: Lists .svn folders.

Thank you for your time, see you in the next articles