As a pentester, the ability to effectively use search engines like Google can be one of your most valuable tools. With the right techniques, you can quickly and easily gather information that can help you identify potential vulnerabilities and security flaws in your target systems. In this post, we’ll explore two key concepts that can help you refine your search skills: Google Fu and Google Dorks.
Google Fu: Mastering Search Techniques
Google Fu is the art of getting the most out of Google search to find exactly what you're looking for. To master Google Fu, you need to understand how Google works, know the right syntax and search operators, and know how to refine your searches to get the most relevant results.
Here are some examples of Google search operators that can help you refine your search results:
Site operator: Use the “site:” operator to search only within a particular website or domain. For example, if you are searching for information about a specific organization, you could use the query “site:example.com information security” to search only within the example.com domain.
Filetype operator: Use the “filetype:” operator to search for specific file types. For example, if you are looking for PDF files that may contain sensitive information, you could use the query “filetype:pdf sensitive information” to search for all PDF files containing the term “sensitive information”.
Intitle operator: Use the “intitle:” operator to search for specific words in the title of a webpage. For example, if you are looking for pages related to password security, you could use the query “intitle:password security” to search for pages that have “password security” in the title.
Inurl operator: Use the “inurl:” operator to search for specific words in the URL of a webpage. For example, if you are searching for pages related to login portals, you could use the query “inurl:login portal” to search for pages that have “login” and “portal” in the URL.
Google Dorks: Advanced Search Queries
Google Dorks are specialized search queries that use advanced operators to find specific information that may not be easily found through a standard search. Google Dorks can be extremely powerful for pentesters, as they can help identify sensitive information that may be inadvertently exposed online.
Here are some examples of Google Dork queries:
Site-based Dork: “site:example.com filetype:pdf” - This query will search for all PDF files within the example.com domain, which could reveal sensitive information that is not intended for public viewing.
Title-based Dork: “intitle:admin login” - This query will search for pages that have “admin login” in their title, which could lead to the discovery of unsecured login portals.
Password Dork: “intitle:index.of password” - This query will search for directories containing files with the word “password” in their title, which could lead to the discovery of unsecured password files.
Vulnerability Dork: “site:example.com intitle:index.of .php” - This query will search for directories containing .php files within the example.com domain, which could reveal vulnerable web applications.
Exposed Configurations Dork: “filetype:conf inurl:ftp -intext:password” - This query will search for configuration files that contain the word “ftp” in the URL, but do not contain the word “password” in the file contents, which could reveal exposed FTP configurations.
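From the defender's side, the five queries above can be replayed offline against an inventory of your own site to see what they would surface before a search engine indexes it. This is an added example, not code from the original post: the matcher is a simplified approximation of the operators (not Google's actual matching), and the page records and names such as `dork_hits` are constructed for illustration.

```python
import shlex
from urllib.parse import urlparse

# Constructed inventory of our own site, e.g. exported from a crawler or sitemap.
PAGES = [
    {"url": "https://example.com/docs/handbook.pdf", "title": "Staff handbook", "text": "internal use only"},
    {"url": "https://example.com/backup/", "title": "Index of /backup", "text": "db.sql password.txt index.php"},
    {"url": "https://example.com/portal/login", "title": "Admin Login", "text": "sign in"},
    {"url": "https://example.com/ftp/vsftpd.conf", "title": "", "text": "anonymous_enable=YES"},
    {"url": "https://example.com/blog/hello", "title": "Hello world", "text": "welcome"},
]
QUERIES = [  # the five dork examples listed above
    "site:example.com filetype:pdf",
    "intitle:admin login",
    "intitle:index.of password",
    "site:example.com intitle:index.of .php",
    "filetype:conf inurl:ftp -intext:password",
]

def _term_matches(term, page):
    """Evaluate one query term against one page record (simplified semantics)."""
    op, sep, value = term.partition(":")
    value = value.lower()
    if not sep or op not in {"site", "filetype", "intitle", "inurl", "intext"}:
        return term.lower() in " ".join(page.values()).lower()  # bare word: anywhere
    if op == "site":
        host = urlparse(page["url"]).hostname or ""
        return host == value or host.endswith("." + value)
    if op == "filetype":
        return urlparse(page["url"]).path.lower().endswith("." + value)
    if op == "intitle":  # assumption: "." acts as a word break, so index.of ~ "index of"
        return value.replace(".", " ") in page["title"].lower()
    if op == "inurl":
        return value in page["url"].lower()
    return value in page["text"].lower()  # intext

def dork_hits(query, pages=PAGES):
    """Return URLs of pages satisfying every term; a leading '-' negates a term."""
    terms = shlex.split(query)
    hits = []
    for page in pages:
        if all(_term_matches(t.lstrip("-"), page) != t.startswith("-") for t in terms):
            hits.append(page["url"])
    return hits

if __name__ == "__main__":
    for q in QUERIES:
        print(q, "->", dork_hits(q))
```

Any URL that appears in the output is a candidate for removal, access control, or disabling directory listing.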
The table below lists frequently used Google hacking methods:
DORK | DESCRIPTION | EXAMPLE |
---|---|---|
"phrase" | Searches for exact phrase match | "admin password" |
intext:"phrase" | Searches for pages containing the specified phrase | intext:"login credentials" |
allintext:"phrase" | Searches for pages containing all of the specified words | allintext:"login username password" |
inurl:"text" | Searches for pages containing the specified text in the URL | inurl:"admin" |
intitle:"phrase" | Searches for pages containing the specified phrase in the title | intitle:"login page" |
allintitle:"phrase" | Searches for pages containing all of the specified words in the title | allintitle:"password reset" |
filetype:extension | Searches for pages containing files with the specified extension | filetype:pdf |
site:url | Limits search results to the specified website | site:example.com |
related:url | Searches for sites related to the specified URL | related:example.com |
info:url | Provides information about the specified URL | info:example.com |
cache:url | Shows the cached version of the specified URL | cache:example.com |
intext:username | Searches for pages containing the word "username" | intext:username |
intext:password | Searches for pages containing the word "password" | intext:password |
intext:email | Searches for pages containing the word "email" | intext:email |
inanchor:word | Searches for pages containing the specified anchor text | inanchor:"reset password" |
link:url | Finds pages that link to the specified URL | link:example.com |
site:example.com filetype:doc | Searches for Word documents on the specified website | site:example.com filetype:doc |
site:example.com intext:@gmail.com | Searches for email addresses on the specified website | site:example.com intext:@gmail.com |
site:example.com intitle:index.of | Searches for directory listings on the specified website | site:example.com intitle:index.of |