Google Hacking

Google is one of the most famous search engines in the world. However, searching Google is an art that many people don’t quite understand. And a case apart are those who prefer to ask you rather than do a simple google search. Luckily, there are awareness pages like lmgtfy Do you want to know how to be a hacker? Here’s the link: http://lmgtfy.com/?q=how+to+be+a+hackerhttp://lmgtfy.com/?q=As+ser+hacker

But in this article we will go further. Google has advanced search options: the so-called Google Dorks. Here I’ll explain each of the different dorks that exist, and show you some examples of how you can discover sensitive information and find pages and files of a target through Google Dorks.

Types of Google Dorks

DorkDescripción
“t1 t2”Forces the terms t1 and t2 to appear in sequence.
t1 AND t2Displays pages containing the terms t1 and t2.
t1 OR t2Displays pages that contain t1 and pages that contain t2.
+t1Forces t1 to appear.
-t1Excludes pages containing t1 from the results.
intitle:t1t1 appears in the html title tag or by the page.
allintitle:t1 t2Both t1 and t2 appear in the title tag. Cannot be used with other operators.
allintext:t1Searches for t1 in the text of the page (anywhere except the title, URL and links). Cannot be used with other operators
inurl:t1Searches for t1 in the URL or by page.
allinurl: t1 t2Look for t1 and t2 only in the URL (Must be both). Cannot be used with other operators.
site:t1Searches only in the t1 domain or its subdomains
filetype:t1Search for files with extension t1
link:t1Look for pages with links to t1. t1 must be a domain.
inanchor: t1Look for links to t1, even if those links do not refer to anything related to t1.
cache:t1Displays the google cached content of t1. t1 must be a domain/url, and cannot be used with other operators.
numrange: t1-t2Look for a range number t1-t2
daterange:date1 – date2Search pages published between date1 and date2. Dates must be in Julian format.
&as_qdr=m3This dork has to be put in the url. Displays pages updated 3 months or less ago.
&as_qdr=3mAs above, but with pages that have not been updated for 3 months or more.
info:t1Displays a summary result on t1. t1 must be a domain/url.

Google Hacking

Now let’s see some tricks to take advantage of these dorks in the face of ethical hacking. 

Google Cache

You can use google’s cache to view a website anonymously. That way, you can crawl the entire web without sending a single package to that domain.

Proxy

You can also crawl anonymously using google’s online web page translator. Translate into any language and then select “orignal text” and you will be able to browse the page using google as a proxy.

Directory Listening

Finding a directory listening is something very interesting when auditing, since in them you can find files with sensitive information. Through google dorks you can find directory listenings indexed in google that otherwise would go unnoticed. Let’s see some examples:

  • intitle: index of “parent directory”
  • intitle: index of name size
  • intitle:index.of.admin
  • inttitle:index.of inurl:admin
  • filetype:log inurl:ws_ftp log
  •  intitle:index.of “server at”
  • intitle:index.of “Apache/1.3.27 Server at”

 

If you want to search directory listenings of a specific domain, just concatenate the previous dorks with site:[domain].

Intranets

It is possible that a corporation’s internal network is misconfigured and can be accessed from outside. If so, and google has indexed it, you can discover intranets using the following google dorks:

  • intitle:intranet 
  • inurl:intranet 
  • intext:”human resources”
  • intranet | help.desk
  • “help.desk” | help.desk

E-mails

You can find emails with which you can later perform social engineering using the following dork:

“@gmail.com” -www.gmail.com
With this dork you would get the gmail accounts (change it to get accounts from another host).

Site crawling

Finally, here you can find a list of interesting crawling dorks. To exemplify, I will assume that we want to find out information from hackinglethani.com:

DorkDescripción
site:hackinglethani.com -www.hackinglethani.comUsed to find subdomains.
site:hackinglethani.com intitle:error|warningTo search for error pages.
site:hackinglethani.com login|logonTo search for logins.
site:hackinglethani.com admin|administratorTo search for administration pages.
site:hackinglethani.com inurl:temp | inurl:backup | inurl:bakTo search for backups and temporary files.
site:hackinglethani.com -ext:htmlDisplays all files in the domain except those with an html extension.
site:hackinglethani.com inurl:admin inurl:uselistSearch for user lists.

 

Google is undoubtedly a powerful tool that can be very useful when performing an audit.

Lethani.

Leave a Reply