
Google Dorking for Continuous Attack Surface Management

Google Dorking, also known as Google hacking, is a technique where advanced search operators are used to find specific information on search engines. It involves crafting search queries to discover vulnerable or exposed data on the internet.

Attack surface management involves identifying and securing all possible entry points into an organization’s systems and networks. It aims to understand and reduce the vulnerabilities that attackers might exploit. Google dorking plays a vital role in assessing the attack surface. Below are some of the use cases:

  • Google Dorking for Reconnaissance 
  • Google Dorking for Asset Identification e.g. subdomains 
  • Google Dorking for Unauthorized Access to dashboards 
  • Exploiting misconfigurations
  • Identify low-hanging fruit, e.g. target functionalities that can later be leveraged for initial access

Analysis of Google Dorks 2023

A recent study observed that security researchers and bug bounty hunters focused on the categories below in 2023.

Category | Count
Advisories and Vulnerabilities | 1
Files Containing Juicy Info | 243
Pages Containing Login Portals | 68
Various Online Devices | 11
Vulnerable Files | 1
Vulnerable Servers | 1

The most common category, Files Containing Juicy Info, has been widely adopted by researchers as an attack vector.
Reference: https://github.com/kakdesanket/googledorks2023

Google Dorking for Reconnaissance

Reconnaissance (or recon) is the phase of a security assessment where an attacker gathers information about a target. This can include information about the target’s network, its security measures, and potential vulnerabilities. ASM involves a continuous process of monitoring and managing your organization’s attack surface. This includes identifying and eliminating unnecessary attack vectors, and continuously monitoring for new ones. Recon is a critical part of this process, as it allows you to gather the information you need to understand your organization’s current attack surface.

Here are some examples of Google Dorks that might be useful for reconnaissance:

intitle:index.of
This dork looks for directory listings, which can reveal the contents of a server.

site:example.com
This dork restricts the search to a specific site, which can reveal all the pages that have been indexed by Google.

filetype:pdf
This dork looks for PDF files, which can contain valuable information.

ext:php
This dork looks for PHP files, which can be exploited in certain circumstances.

intext:username
This dork looks for pages that contain the word ‘username’, which can reveal potential points of attack.

Google Dorking for Asset Identification e.g. Subdomains

Google Dorking can be used for subdomain identification by creating specialized Google queries, known as ‘dorks’, that search for specific information.

Here are some examples:

site:*.example.com -www
This dork will return all subdomains of example.com, excluding www.

site:example.com filetype:pdf
This dork will return PDF files on the main domain, which could be hosted on subdomains.

site:example.com inurl:'&'
This dork will return URLs that contain an ampersand, which could be found in certain types of subdomains.

site:example.com inurl:login,register,upload,logout,redirect,redir,goto,admin
This dork will return URLs with common login/logout/register URLs, which could be found on subdomains.

site:example.com ext:php,asp,aspx,jsp,jspa,txt,swf
This dork will return specific file types, which could be hosted on subdomains.

site:*.*.example.com
This dork will return subdomains of subdomains.

Google Dorking for Unauthorized Access to Dashboards

In the context of finding unauthorized access to dashboards, you might use Google Dorks that look for specific file types or URLs that are common in dashboard applications. 

For instance:

intitle:"Dashboard"
This dork will return pages with ‘Dashboard’ in the title, which could indicate a dashboard.

site:*.example.com/panel
This dork will return all panels of example.com, which could reveal a dashboard.

site:*.example.com/panel -www
This dork will return all panels of example.com, excluding www.

site:example.com intitle:"Dashboard"
This dork will return the main domain with ‘Dashboard’ in the title, which could indicate a dashboard.

site:example.com ext:php,asp,aspx,jsp,jspa,txt,swf
This dork will return specific file types, which could be used in a dashboard application.

Security Misconfigurations

Google Dorking can be used to search for specific types of information, such as misconfigurations. Here are some examples of Google Dorks that might be useful for this purpose:

intitle:index.of
This dork looks for index pages, which can reveal the contents of a server.

site:example.com
This dork restricts the search to a specific site, which can reveal all the pages that have been indexed by Google.

filetype:pdf
This dork looks for PDF files, which can contain valuable information.

ext:php
This dork looks for PHP files, which can be exploited in certain circumstances.

intext:username
This dork looks for pages that contain the word ‘username’, which can reveal potential points of attack.

Identify low-hanging fruit, e.g. target functionalities that can later be leveraged for initial access

Malicious attackers often look for quick wins by exploiting low-hanging fruit, i.e. obvious known vulnerabilities or misconfigurations in the target organization.

Here is a list of some interesting Google Dorks that can be used:

inurl:.com password | credential | username filetype:log

This dork checks for password, credential and username in a log file. It uses .com as an example; change it to your target.

inurl:facebook not for distribution | confidential | "employee only" | proprietary | top secret | classified | trade secret | internal | private filetype:pdf
inurl:.gov not for distribution | confidential | "employee only" | proprietary | top secret | classified | trade secret | internal | private | WS_FTP | ws_ftp | log | LOG filetype:log
inurl:.gov not for distribution | confidential | "employee only" | proprietary | top secret | classified | trade secret | internal | private filetype:xls
inurl:.gov not for distribution | confidential | "employee only" | proprietary | top secret | classified | trade secret | internal | private filetype:csv
inurl:.gov not for distribution | confidential | "employee only" | proprietary | top secret | classified | trade secret | internal | private filetype:doc
inurl:.gov not for distribution | confidential | "employee only" | proprietary | top secret | classified | trade secret | internal | private filetype:txt

These dorks search for confidential data within PDFs, logs, .txt files, CSV files and XLS files.

Conclusion

Automating Google Dorking has some limitations. Google has rate limits and blocks automated queries to protect its servers from abuse. If your tool or script sends too many requests in a short period of time, you may be blocked. This can disrupt your reconnaissance process and potentially alert the target to your activities. To avoid this, it’s important to use tools that respect Google’s guidelines and to limit the number of requests you send.

Automating Google Dorking can be done using tools like gD0rk or dork-cli. These tools can help you efficiently search for specific types of information. Here’s an example of how you might use dork-cli:

dork-cli --dork 'site:example.com intext:phpmyadmin' --pages 2 --simple

In this command, --dork 'site:example.com intext:phpmyadmin' specifies the dork, --pages 2 limits the search to 2 pages of results, and --simple outputs the results in a simple format. This can be a quick and effective way to gather information about a target.
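
Whatever tool collects the results, continuous monitoring comes down to comparing what a search engine has indexed for your own domain against what you have already reviewed. The following is an added example, not code from the original post or from FireCompass: it classifies result URLs using the operator patterns discussed above and reports hosts and findings not yet in a baseline. The function names, category labels and sample results are constructed assumptions.

```python
from urllib.parse import urlsplit

# Rules mirror the operators discussed on this page (ext:, inurl:, intitle:index.of).
SENSITIVE_EXT = {"log", "txt", "csv", "xls", "doc", "pdf"}
LOGIN_WORDS = ("login", "register", "admin", "panel", "dashboard")

def classify(url, title=""):
    """Return the exposure category for one indexed result, or None."""
    path = urlsplit(url).path.lower()
    last = path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[-1] if "." in last else ""
    if title.lower().startswith("index of"):
        return "directory-listing"
    if ext in SENSITIVE_EXT:
        return "sensitive-file"
    if any(word in path for word in LOGIN_WORDS):
        return "login-or-dashboard"
    return None

def triage(results, root, baseline):
    """Return (hosts seen under root, findings not yet in baseline).
    results: iterable of (url, title); baseline: set of URLs already reviewed."""
    hosts, findings = set(), []
    for url, title in results:
        host = (urlsplit(url).hostname or "").lower()
        # Keep only assets under our own root domain; drop lookalike hosts.
        if host != root and not host.endswith("." + root):
            continue
        hosts.add(host)
        category = classify(url, title)
        if category and url not in baseline:
            findings.append((category, url))
    return sorted(hosts), sorted(findings)

# Constructed sample results (not real data).
SAMPLE = [
    ("https://www.example.com/", "Example"),
    ("https://files.example.com/backup/", "Index of /backup"),
    ("https://dev.example.com/panel/login.php", "Dashboard"),
    ("https://www.example.com/reports/q3.pdf", "Q3 report"),
    ("https://example.com.evil.test/login", "Login"),
]
BASELINE = {"https://www.example.com/reports/q3.pdf"}

if __name__ == "__main__":
    hosts, findings = triage(SAMPLE, "example.com", BASELINE)
    print("hosts:", hosts)
    for category, url in findings:
        print(category, url)
```

Run on a schedule, the findings list is the alert queue: each entry is either remediated (listing disabled, file removed, page de-indexed) or added to the baseline as accepted.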

FireCompass ASM Platform utilizes AI powered engines to query search engines like Google to continuously monitor these assets and alert the organization.

Author: Sanket Kakde
Assisted By: Arnab Chattopadhayay, Jitendra Chauhan
