Google Hacking
Google Hacking is a technique that consists of using Google advanced operators in order to refine the results returned by the search engine.
It can be used by security professionals to find sensitive information that has been inadvertently exposed online or to identify servers that are misconfigured or have other security weaknesses.
The syntax of a Google advanced search query is: operator:search_string
It is important not to insert a space between the operator, the colon and the search_string, otherwise you will probably get inaccurate results.
Throughout this article, we will explore the following points:
- Google Advanced Search operators
- Google Hacking Database (GHDB)
- Google Hacking practical examples
- Google Hacking tricks and tips
- Conclusion
All you need is to open your web browser and practice all the examples listed below. Trust me guys, this is the best way to grasp very well what we are going to cover in this article.
Well, let’s get started :)
Google Advanced Search operators
Google has several advanced search operators that can be used alone or combined with other operators for more specific queries.
In this section we are going to see the vast majority of them.
Exclusion operator (-)
Every so often, when you google something, the search engine returns tons of results that are not related to your search.
In this particular situation, the exclusion operator (-) can be handy: prefixing a term with - removes every page that contains it, which gives you more accurate results.
The figure below is an illustration of how you can use this operator:
In the second query, the search engine returns all the webpages that contain the word OpenAI in their content, but not the word ChatGPT.
As you probably notice, this reduces the number of results returned by the search engine.
Site
The site operator limits the search results to the URL or the domain name you specify in your query.
For instance, the query site:medium.com returns only pages hosted on medium.com (its subdomains included).
The figure below is an illustration of how you can use this operator:
As you probably notice, we got 34.600.000 results, which gives us an approximation of the number of Medium webpages that exist.
You can also restrict a search to governmental websites using the query site:gov.
Note: Make sure not to insert a space between the site operator and the domain or URL. If you do so, the search engine will send you back inaccurate results.
Specific search term (“”)
Sometimes, you may look for a specific term.
In such a case, double quotes can help you find precise results.
Let’s assume that you enter the name Steve Wozniak in your search box and then press enter.
For a better understanding, let’s take a look at the figure below:
As you can see, when you enter Steve Wozniak in your search box without double quotes, the search engine returns webpages that contain the words Steve and Wozniak as two separate words as well as webpages that contain “Steve Wozniak” as one phrase.
Let’s now place Steve Wozniak in double quotes as follows: “Steve Wozniak”.
The figure below is an illustration of how to do it:
When you enter “Steve Wozniak” with double quotes in the search box, the search engine only returns the webpages that contain the exact phrase “Steve Wozniak” in their content.
NOTE📝: As you may notice, the search string (Steve Wozniak) is case insensitive, which means that the search engine does not take letter case into consideration.
Super, let’s move on to the next operator, which is the OR operator.
OR (in uppercase)
OR is an operator used as a disjunction to link two or more search terms together.
Disjunction indicates that at least one of the terms must be in the webpage content.
For instance, Like OR Subscribe will return webpages that contain either Like or Subscribe or both words (Like and Subscribe) in their content.
Note: It’s worth stressing that you can use the vertical bar symbol | as a shorthand for the OR operator.
Using that, we can rewrite our query as follows: Like | Subscribe.
The figure below is an illustration of how you can use this operator:
In the second query, we repeated the same query as the first one, except that this time we excluded the webpages that contained the words “Steve Jobs” in their content.
NOTE📝: Using -Steve Jobs without the double quotes excludes only the word Steve and keeps Jobs as an ordinary search term, so you will get inaccurate results; write -"Steve Jobs" instead.
AND (in uppercase)
AND is an operator used as a conjunction to link two or more search terms together.
Conjunction indicates that both terms must be on the webpage.
For instance, Like AND Subscribe will return webpages that contain both Like and Subscribe in their content (URL, title, body).
Note: By default, Google treats a space between two or more unquoted words as an implicit AND, unless you specify another operator.
Thus, we can replace the previous query with Like Subscribe, without the AND operator between the two words.
The figure below is an illustration of how you can use the AND operator:
As you can see, this returns webpages that contain the words “Steve Wozniak” and “John Draper” in their content.
Wildcard (*)
* is an operator that stands for one or more whole words in your query (not single characters). This can be handy if you don’t know exactly a word in the phrase you are looking for, e.g. “Steve * Wozniak” matches pages with any word between the two names.
Dot (.)
Google does not provide a single-character wildcard: the dot (.) is not a documented search operator and is generally ignored like other punctuation, so a query like Wozn.ak will not match Wozniak. Use the * wildcard for missing words instead.
Cache
cache is an operator that was used to display Google’s stored copy of a page, which is handy when you are looking for an old version of a website or for content that no longer exists.
This can be tremendously useful, especially when you are looking for content that has been deleted.
For instance, let’s say that after writing a controversial article, you decide to remove it, in order not to tarnish your reputation.
Well, after removing it, you feel relieved and you forget about it.
Unfortunately, it is not that easy. Indeed, someone can retrieve this article using the Google cache operator or the Wayback Machine, and that’s it.
To do that, this person can use the Google cache operator as follows:
cache:url_of_the_article_that_has_been_deleted
Caveat: Google retired the cache: operator and the cached-page links in 2024, so this dork no longer returns results; the Wayback Machine (web.archive.org) and similar archives remain the practical way to recover deleted content.
For privacy reasons, I am not going to illustrate this dork. However, you can try the Wayback Machine on one of your own old pages and have fun :-)
Great, let’s move on now to our next operator, which is related.
Related
The related operator lists webpages that are similar to the webpage or domain name you specified in your query.
This feature can be handy to find relationships between a specific webpage and other webpages.
The figure below is an illustration of how you can use it:
As you can see, related:medium.com returns webpages that are related to medium.com, such as quora.com, dribbble.com and so on.
Link
The link operator shows webpages that point to the URL or domain name you specified in your query.
The figure below shows how you can use it:
Caveat: Google officially dropped the link: operator in 2017, so it now behaves like an ordinary keyword search; backlink data has to come from Search Console (for your own sites) or third-party SEO tools.
At (@)
The @ operator searches for a word on social media.
To use it, you only need to specify the word that you are looking for after the @ operator, as follows: @word.
Let’s check if “Kevin Mitnick” (one of my favorite hackers) uses social media:
As you can see, the search engine returns the social media sites on which Kevin Mitnick created an account.
Note: It’s worth mentioning that the @ operator does not work properly all the time. It depends on criteria like your target’s account visibility, the username used by your target (do they use a pseudonym or not?), and so on.
Similarly, you can look for a hashtag using the # operator, as follows: #word.
Inurl
The inurl operator limits the search results to webpages that contain the specified word in their URL.
The figure below is an illustration of how you can use the inurl operator:
As you can see, in the example above, I first looked for webpages that don’t have https in their URL, then I looked for webpages that don’t have http in their URL.
Intitle
The intitle operator limits the search results to webpages that contain the specified search string in their title.
The query shown above, intitle:"index of /" passwords, will return webpages (typically open directory listings) whose title is “index of /” and whose content contains the word “passwords”.
Intext
The intext operator limits the search results to webpages that contain the specified search string in their body.
Inanchor
The inanchor operator limits the results to webpages that contain the specified search string in the anchor text of links pointing to them.
Map
The map operator returns the geographic location of a given place.
The figure below is an illustration of how you can use it:
Filetype or ext
The filetype (or ext) operator limits the results to files of the extension you specify, such as pdf, docx or xlsx.
Here is how you can use this operator:
Info
The info operator returns some information about the URL or domain name you specified in your query.
Caveat: like link:, the info: operator has been retired by Google and no longer returns the summary it used to.
Define
The define operator allows you to get the definition of the word you specified in your query.
This can be handy to find definitions of words, phrases and acronyms.
Here is an illustration of how you can use it:
Before and After
The before and after operators can be useful, especially when you are looking for results that were published before or after a specific date.
You can use them as follows:
before:YYYY-MM-DD, before:YYYY-MM, before:YYYY
after:YYYY-MM-DD, after:YYYY-MM, after:YYYY
All prefix
Some of the operators listed above (inurl, intitle, intext, inanchor) can take the prefix all.
In such a case, they become allinurl, allintitle, allintext, allinanchor.
In this section, I am going to explain one of them. Then, you can apply the same concept to the others as well.
What is the difference between allinurl and inurl?
allinurl allows you to avoid using multiple inurl operators in your query.
Let’s assume that we are looking for a Medium user whose name is foobar.
Knowing that the URL nomenclature of Medium’s users can either be username.medium.com or medium.com/@username, we can write our query as follows: inurl:username inurl:medium.
By substituting username with foobar, our query becomes:
inurl:foobar inurl:medium
Based on that, the search engine will look for webpages that have both words (foobar and medium) somewhere in their URL.
It is worth mentioning that the order of the operators does not matter: inurl:medium inurl:foobar returns the same results, and the two words may appear in either order within the URL.
This query can return webpages like:
# Each of these URLs contains both keywords: "medium" and "foobar"
# These are just random examples to understand how things work
https://example.foobar.medium.google
https://foobar.medium.com
https://foobar-medium-hacking.com
Using several inurl operators can be tedious to write and read.
That is where the allinurl operator comes into play.
Here is how we can use it to simplify our previous query:
allinurl:foobar medium
will return the same results as inurl:foobar inurl:medium.
Nevertheless, it is undeniable that this time, our query is shorter and prettier than the previous one.
Note: As previously mentioned, this also works for the allintitle, allintext and allinanchor operators, which simply means that instead of using several intitle, intext or inanchor operators, we can use their short and elegant form, which consists of prefixing them with all.
Caveat: an allin* operator swallows every word that follows it, so it should be the only operator in the query; if you need to combine it with site:, filetype: or a quoted phrase, fall back to repeated inurl:/intitle: operators.
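To make the rules of this whole operators section concrete, here is a small query composer. It is an added example, not code from the original article: it encodes the no-space-after-the-colon rule, the quoting of multi-word terms, the fact that - binds to a single term, the accepted before:/after: date formats, and the equivalence between allinurl: and repeated inurl: operators. The function names and the sample queries are my own choices.

```python
"""Compose Google advanced-search queries from the operators described above.

Added example (not from the article). It only builds query strings; it does
not send anything to Google.
"""
import re
from datetime import date

_ALL_PREFIXED = ("inurl", "intitle", "intext", "inanchor")
_ALL_RE = re.compile(r"^all(" + "|".join(_ALL_PREFIXED) + r"):(.+)$")
_DATE_RE = re.compile(r"^\d{4}(?:-\d{2}(?:-\d{2})?)?$")


def term(text: str) -> str:
    """Return a single search term; multi-word text is wrapped in double quotes
    so Google matches it as one phrase (the "Steve Wozniak" case)."""
    text = text.strip()
    if not text:
        raise ValueError("empty search term")
    return f'"{text}"' if re.search(r"\s", text) else text


def op(name: str, value: str) -> str:
    """Build operator:value with no space around the colon."""
    return f"{name}:{term(value)}"


def exclude(text: str) -> str:
    """Exclusion operator. The '-' binds to one term only, so a phrase is
    quoted: -Steve Jobs would exclude Steve and still search for Jobs."""
    return "-" + term(text)


def any_of(*terms: str) -> str:
    """Disjunction with explicit grouping, e.g. (Like OR Subscribe)."""
    return "(" + " OR ".join(term(t) for t in terms) + ")"


def date_op(name: str, value: str) -> str:
    """before:/after: accept YYYY, YYYY-MM or YYYY-MM-DD and nothing else."""
    if name not in ("before", "after"):
        raise ValueError(f"not a date operator: {name}")
    if not _DATE_RE.match(value):
        raise ValueError(f"bad date format for {name}: {value}")
    parts = [int(p) for p in value.split("-")]
    date(*(parts + [1] * (3 - len(parts))))  # rejects e.g. 2023-13-01
    return f"{name}:{value}"


def expand_all(query: str) -> str:
    """Rewrite 'allinurl:a b c' into 'inurl:a inurl:b inurl:c'. Both forms
    return the same results, but the expanded one can be mixed with other
    operators, whereas an allin* operator swallows everything after it."""
    m = _ALL_RE.match(query.strip())
    if not m:
        return query.strip()
    name, words = m.group(1), m.group(2).split()
    return " ".join(f"{name}:{w}" for w in words)


def compose(*parts: str) -> str:
    """Join query parts with single spaces (an implicit AND in Google)."""
    return " ".join(p for p in parts if p)


if __name__ == "__main__":
    print(compose(op("site", "medium.com"), term("Steve Wozniak"), exclude("Steve Jobs")))
    print(compose(op("intitle", "index of /"), term("passwords")))
    print(expand_all("allinurl:foobar medium"))
    print(compose(op("site", "gov"), any_of("Like", "Subscribe"), date_op("after", "2023-01")))
```

Running it prints the composed dorks, which you can paste straight into the search box; the point of routing every term through term() is that a phrase with a space can never be emitted unquoted by mistake.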
Excellent, let’s take now a quick look at the Google Hacking DataBase.
Google Hacking DataBase (GHDB)
The GHDB is an index of search queries (called dorks) used to find publicly available information, intended for pentesters and security researchers (source: GHDB).
Simply put, it is a huge database that contains thousands of Advanced Google search queries (called dorks) organized in categories.
This helps us cut down on the time spent writing a Google advanced search, since we can quickly find the dorks we are looking for with a simple query.
Here is the main interface of Google Hacking DataBase:
Among the different sections on the figure above, we have:
- Quick Search: return a list of dorks based on the keyword we entered in the search box. For instance, if we enter a keyword like “password”, we will have the following results :
Once we copied our dork, we can then paste it in our Google search box and observe the magic.
- Category: returns a list of dorks based on the category we selected.
The figure below shows the different categories that we can choose:
Let’s select the “Sensitive Directories” category, in order to get dorks related to that.
As you can observe, we got a list of dorks related to the “Sensitive Directories” category.
Great! Hope you have a better understanding of Google Hacking DataBase.
Let’s cover some practical examples of Google Advanced Search.
Google Advanced Search examples
Here are a few dorks that I think could be interesting:
1. Identify login pages
Note: You can also look for Outlook Web Access (OWA) URLs using the following dork: inurl:*owa/auth.
2. Find account password reinitialization webpages
3. Search for exposed /phpinfo.php file
The /phpinfo.php
path in a URL is a reference to a PHP script named phpinfo.php
that displays information such as the current PHP version, installed extensions, server configuration options and other details.
Exposing the /phpinfo.php
output publicly can be a security risk, as it can provide attackers with detailed information about the server configuration and potentially reveal vulnerabilities that could be exploited. For this reason, it's generally recommended to avoid making the /phpinfo.php
output publicly available, and to restrict access to it to authorized users and administrators.
4. Find robots.txt file
5. Find sitemap.xml files
6. Download music and videos
NOTE: Be careful when downloading files, since some of them may be infected with malware.
7. Find the subdomains of a domain name
The general syntax is inurl:*.domain_name.*
Let’s look at the following example using facebook.com:
Talking about Facebook, for those of you who have no idea concerning the Facebook Law enforcement Online requests, you could visit this website, after finishing reading this article of course 😁.
8. Get resume or curriculum vitae (CV) information
[Target_name] [Target_company_name] site:linkedin.com "curriculum vitae" OR cv OR resume
9. Find documents published by a website
site:Target_website ext:(pdf | docx | xls | xlsx | pptx)
10. Check content plagiarism
For that, you first need to select a piece of text from your website. Then use the intext operator with the text in double quotes, so that it is matched as an exact phrase: intext:"piece of text you selected"
This will normally return all the webpages that copied your content (including your own page, which you can drop with -site:your_domain).
11. Find Netgear login pages
intitle:"Netgear System Login" intext:"system name"
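The examples above are all written for a single target at a time. As an added example (not part of the original article), the script below generates the reconnaissance dorks from this list for a given domain, turns each one into a Google search URL with proper percent-encoding, and then extracts the hostnames that really belong to the target from the result URLs, the post-processing step you need for the subdomain dork (number 7). The target example.com, the dork labels and the SAMPLE_RESULTS list are constructed for the demonstration; the subdomain dork uses site:domain -site:www.domain rather than the inurl:*.domain.* form shown above, since site: already matches every subdomain.

```python
"""Per-target reconnaissance dorks, Google search URLs and result post-processing.

Added example (not from the article). Nothing here talks to Google: it only
builds queries and processes a list of result URLs you supply.
"""
from urllib.parse import quote_plus, urlsplit

SEARCH_ENDPOINT = "https://www.google.com/search?q="


def recon_dorks(domain: str) -> dict:
    """One dork per reconnaissance goal, each scoped to the target with site:."""
    site = f"site:{domain}"
    return {
        "login_pages": f"{site} (inurl:login OR inurl:signin OR intitle:login)",
        "password_reset": f"{site} (inurl:reset OR inurl:forgot) intext:password",
        "phpinfo": f'{site} inurl:phpinfo.php intitle:"phpinfo()"',
        "robots": f"{site} inurl:robots.txt",
        "sitemap": f"{site} inurl:sitemap.xml ext:xml",
        "documents": f"{site} (ext:pdf OR ext:docx OR ext:xls OR ext:xlsx OR ext:pptx)",
        # site: already matches every subdomain; excluding www. leaves the rest
        "subdomains": f"{site} -site:www.{domain}",
    }


def search_url(dork: str) -> str:
    """Percent-encode a dork for the q= parameter: colons, quotes, slashes and
    spaces must not be sent raw."""
    return SEARCH_ENDPOINT + quote_plus(dork)


def hostnames_from_results(urls, domain: str) -> list:
    """Unique hostnames that really belong to the target. A plain substring
    check would accept example.com.evil.test, so the suffix is compared."""
    domain = domain.lower()
    suffix = "." + domain
    found = set()
    for u in urls:
        host = (urlsplit(u).hostname or "").lower()
        if host == domain or host.endswith(suffix):
            found.add(host)
    return sorted(found)


# Constructed sample of URLs as they might be copied from a results page.
SAMPLE_RESULTS = [
    "https://m.example.com/login",
    "https://developers.example.com/docs/",
    "https://example.com.evil.test/phish",   # look-alike domain, must be dropped
    "https://EXAMPLE.COM/robots.txt",        # hostnames are case-insensitive
    "http://m.example.com:8080/signup",      # port stripped, duplicate host
]


if __name__ == "__main__":
    for label, dork in recon_dorks("example.com").items():
        print(f"{label:15} {dork}")
        print(f"{'':15} {search_url(dork)}")
    print(hostnames_from_results(SAMPLE_RESULTS, "example.com"))
```

The suffix check in hostnames_from_results() is the part worth copying: when you paste result URLs into a spreadsheet or a script, a naive "contains example.com" filter will happily keep phishing look-alikes and unrelated domains in your target list.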
Google Hacking tricks and tips
- Google Hacking is a powerful tool when well used. It can take time to master it. To understand how it works, it could be interesting to start with Google’s Advanced Search page, which builds the operators for you from a form.
- It is important to use an anonymity tool (VPN, Tor) when using Google advanced search during your reconnaissance phase or investigations. In addition, you can use browser extensions to limit browser fingerprinting.
- Furthermore, in order to avoid solving a captcha every time, you can create a dedicated Gmail account that is not linked to your identity. Note that this will not prevent captchas. However, it will reduce them considerably or let you solve them with a single click, without needing to select chimneys, bridges, traffic lights, stairs, motorcycles, buses or bicycles (which drives me crazy 🤨).
- Also make sure not to use personally identifiable information that could disclose your identity.
- It is advisable to do your investigation from a virtual machine.
Great, let’s end our Google Hacking journey :-)
Conclusion
- Google Hacking is not illegal in itself: it is a means used by security researchers and OSINT investigators to find publicly available information on the Internet. Nevertheless, it is worth stressing that you must not use the information you collected for illegal purposes, and that finding an exposed login page or configuration file does not give you permission to access it.
- Before using Google advanced search, you must first know exactly what information you are looking for. This will help you write the right query and find the desired information. Indeed, using well-chosen search operators and search strings together will save you lots of time.
- The Google Hacking Database is your friend. When looking for a particular dork, it can be tremendously helpful.
- Protect your identity when using Google advanced search by using anonymity tools, browser extensions and a virtual machine.
- Finally, i would like to end with this quote that i do appreciate: “The best tool is useless without a good strategy”.
Well done guys 👏!
Hope you learnt something.
Subscribe to my newsletter to keep up with my latest articles.