Reconnaissance: A Google-Dorking Affair

Note: Whilst Google Dorking itself is legal, the abuse of information, applications or systems identified without consent of the target is not.

High quality reconnaissance is a key skill in many areas of information security, from threat landscape mapping, through to penetration testing, bug bounty activities and much more. Knowing how to leverage good quality Google Dorking to achieve high quality results and discovery of lesser known attack vectors.

This article will outline and demonstrate the most common operators and keywords used for Google Dorking as if attempting to research a company/website.

Google Dorking is the practice of using specific keywords and logical operators to refine google searches to return higher quality of results. For example the below image shows a basic search on Google for Google.

A search for “google.com” on Google

This has returned over 25,000,000,000 or over 25 Billion results, now a simple refine with the -site keyword can drastically reduce this.

A search for site:google.com on Google

Already this has reduced our search results down to 452,000,000 or 452 Million results, a reduction of over 98%.

Two important concepts for any successful dorking are the differences between keywords and operators

Keywords: Are full words that impact how a search is executed, for example “site”Operator: Are logical symbols for how keywords or terms are interpreted, for example ( ) for creating groups.

Google stores results in a structured format and to best leverage Google Dorks we need to understand what the different areas are:

URL: This is short for the Uniform Resource Locator and is the full path to the page, including Top Level Domain, Domain, Subdomain and path.Description: This is the short description that is returned from the page as part of the search, a shortened description is returned if you see the three dots at the end of a line “…”.Title: This is the title of the page which has been returned as part of the search, this is often a descriptive of the article, document, folder you have found.

The below image illustrates the three main areas when performing a search for Google Gemini.

Google Results — Searching for Google Gemini

Keywords

The below list contain core keywords used for Google Dorking, a short description and an example search therm.

Operators

The below table contains the core operators used when Google Dorking,

Now that we have covered how you can build Google Dorks lets look at some example Dorks.

Finding a Site and Subdomains

Using the “site” keyword and the not operator it is possible to identify indexed subdomains of a target domain.

- Base Search: site:google.com (379,000,000 results)
- Removing www: site:google.com -www (159,000,000 results)
- Removing other common Google Subdomains:
site:google.com -www -maps -translate -messages -fonts -gemini -code -support -assistant -store
(43,300,000)

By iteratively applying the not operator (-) to exclude the known subdomains of interest we can narrow the results down to potentially unknown, less common or interesting results.

Finding Files of Potential Interest via Extensions

Once we have identified a site we can then use the “ext” keyword to identify files of interest

Base Search: site:google.com (379,000,000 results)
Filtering for PDF: site:google.com ext:pdf (203,000 results)
Filtering for Log files: site:google.com ext:log (6 results)
Filtering for APK: site:google.com ext:apk (728 results)

Finding Files of Interest by Content

If the extension is unknown by using the “intext” keyword can identify interesting strings in search results

Base Search: site:google.com (379,000,000 results)
Looking for "secret_key": site:google.com intext:secret_key (1,630 results)
Looking for the "Security.txt" file: site:google.com ext:txt intext:security (498 results)

Google Dorking is a truly powerful method of conducting structured reconnaissance against a company, website or organisation. The purpose of this article was to outline the keywords and operators associated with Google Dorking and an illustration of how these can be combined to return interesting results.

For more information there is the Google Hacking Database which provides example Dorks that can be used, at the time of writing housing nearly 8,000 examples.