This is another of my ethical hacking course assignments, we were required to look into Google's search operators. There are documents all over the internet covering this topic, I just thought it would be nice to have my own version here.
Google hacking also known as "Google dorks" is a very efficient way of information retrieval and Passive Reconnaissance or discovering potential vulnerabilities. Google provides many operators that can be used to refine your search to an extensive level. This makes it easy to retrieve very specific sensitive files, locate hidden directories or find login panels. It is also possible to discover a large amount of detailed information about a target/client, that could potentially lead to other security issues. Database dumps may be found, banking information, even passwords. I will give a brief summary of some of these useful operators.
Firstly, Google has a lot of basic operators, serving as a calculator, document finder, dictionary and even a conversion tool. Here are some of these easy to use tools.
Operator | Finds... |
word1 word2 | Page that contains word1 and word2. |
word1 OR word2 | Page that contains either word1 or word2. "|" could also be used |
“word1 word2” | Page that contains the exact phrase. |
word1 -word2 | Page that contains word1 but But not word2. |
Word1 +3 | Text with numbers, such as a movie title. (ie. Toy Story +2) |
word1 word2 * word3 | word1, word2 and word3 seperated by one word or more. A wildcard. (useful for lyrics etc.) |
+ - * / | Basic arithmetic operators. (ie. 1+1 returns 2, 1,369,088 / 1024 returns 1337 etc.) |
10% of 100 | The percentage of a number. (The result from a search of the values on the left is 10.) |
^ or ** | The power of a number. (ie. 2^2 would result in 4, 3**2 would result in 9) |
X IN Y | This is used for conversion. X could be kilometres, stone, kilos and Y could also be anything similar. This can be used for weight/money/distance and many others. |
~word1 | Pages that match word1 and any synonyms of word1 |
For someone looking to perform reconnaissance, Google is an essential tool. It is extremely easy to refine your search to very accurate and precise conditions. Using googles advanced operators it is very easy to quickly track down information.
Operator | Finds... |
allintext:Search Term | results to those containing all the query terms you specify in the text of the page |
allintitle:Search Term | results to those containing all the query terms you specify in the title. |
allinurl:Search Term | restricts results to those containing all the query terms you specify in the URL. |
cache:Search URL | display Google’s cached version of a web page, instead of the current version of the page. |
define:Word | useful for finding definitions of words, phrases, and acronyms. |
Filetype:doc,php,txt,xls etc. | restrict the results to pages whose names end in the specified file type. |
Info:Search URL | present some information about the corresponding web page. |
Intext:Word | restricts results to documents containing only the search Word in the text. |
Intitle:Word | restricts results to documents containing only the search Word in the title. |
Inurl:Word | restricts results to pages containing only the search Word in the URL. |
link:Search URL | Search only for pages that link to the search page |
related:Search URL | list web pages that are similar to the web page you specify. |
site:Search URL | Restricts the search to within a site or domain. |
Number1 ... Number2 | This includes all numbers in the number range specified. |
daterange:Date-Date2 | Restricts search date within a range of dates. |
It should now be apparant how easy it is to refine your search. In an attack scenario it is more likely the attacker would use combinations of all of the above operators. Using the site:� operator the attacker can focus all of his other search queries to a specific domain. Greatly increasing the potential for information disclosure. For example, the search query site:attacksite.com inurl:admin filetype:php� could disclose an admin login page or maybe site:attacksite.com allintitle:content management� There is an extremely large amount of searches that could performed on any one site, that could lead to compromise or information leakage.
Finding versions of a filesystem or content management system that is known to have exploitable vulnerabilities is also possible. This could lead to the user getting full access to the server. Not only is this an issue, the attacker/pentester could also find direct database dumps or log files that could lead to information disclosure. All that is needed by the attacker is a foothold. The only limit here is your imagination.
A few examples of such queries can be found here: