Google hacking is an evergreen topic in cyber security. It is often said that if you can't use Google to its full potential, you are not really a hacker.
Before we go in depth on this topic, let me clear up some basics about "Google hacking."
Google hacking is a term coined by Johnny Long, the maintainer of the Google Hacking Database.
Google hacking is better known as "Google dorking". It is not hacking of Google's infrastructure, Google's products or their subsidiaries.
Google hacking is an information gathering technique that helps you find sensitive files or sensitive information exposed on the internet.
So, if you are wondering whether dorking works on other search engines, the answer is yes!
It doesn't matter whether you use google.com or duckduckgo.com; you will get results according to your queries.
In short, using dorking you can find vulnerabilities in web applications and on servers with the help of almost any search engine.
Well, you can't hack sites directly using Google, but because it has tremendous web-crawling capabilities, it can index almost anything within your website, including sensitive information. This means you could be exposing too much information about your web technologies, usernames, passwords and general vulnerabilities without even knowing it.
Apart from search engines, you can also do some dorking on GitHub for sensitive information. We will see dorks for that later in this blog.
Be aware that Google also knows who you are when you perform this kind of query. For this reason and many others, it is advised to use it only with good intentions.
Google will also start blocking your connection if you run these queries from a single static IP; it will present CAPTCHA challenges to prevent automated queries.
Note that GitHub dorks work differently from Google dorks.
Operators and how to use them
There are a number of Google dorks available that you can use to get juicy information.
Here is how you put your query in the search box:
operator:search term
· inurl: Searches for the specified keyword in the URL.
Ex: target.com inurl:admin
· allinurl: Similar to the above, with the difference that you can use multiple keywords in a single query.
Ex: target.com allinurl:wp-content/plugins/wptf-image-gallery/
· intext: Searches for specific text on a web page.
Ex: target.com intext:Table structure for table `wp_users`
· allintext: Searches for multiple specific terms contained on a web page.
Ex: target.com allintext: /iissamples/default/
· intitle: Searches for the given keywords inside the title of the HTML page.
Ex: target.com intitle:Index of /__MACOSX ...
· filetype: Queries for a certain file type.
Ex: target.com filetype:csv
· ext: Similar to filetype.
Ex: target.com ext:sql
· site: Shows results only for the mentioned website.
Ex: site:target.com
· cache: Shows the cached version of any website.
Ex: cache:target.com
· link: Shows the list of web pages that link to the specified URL.
Ex: link: facebook.com
· *: Works as a wildcard, which can be used to find pages that contain anything in place of the asterisk.
Ex: How to * a cake
· |: A logical operator that works like "or".
Ex: intitle:"NetCamSC*" | intitle:"NetCamXL*" inurl:index.html
· +: Used to concatenate two words.
Ex: inurl:8080 intext:"httpfileserver 2.3"
· -: Used to exclude a term from the search (a negative search).
Ex: jdbc:mysql://localhost:3306/ username password ext:yml | ext:java -git -gitlab
Using the above dorks for better results
Let's say you want to find the log file of a firewall system, which shows up as "firewall.log" on a page. The following dork will be useful for finding such files:
intitle:"index of" "firewall.log" | "firewall.logs"
Some of the "intitle" and "allintitle" dorks worth looking at:
intitle:"Index of /" .htaccess.old
intitle:"Wing FTP Server - Web"
allintitle:"index of/admin"
Another example of a great dork, to find exposed git directories, is the following:
inurl:/.git
"Reflector Dashboard" inurl:/db/index.php/
allinurl:index.php?db=information_schema
Combining dorks for better results
Let's say you want to find passwords in a log file:
allintext:password filetype:log
Some other dorks that are combined with other operators to make them more powerful:
filetype:env "DB_PASSWORD"
allintext:username,password filetype:log
intext:"wordpress" filetype:xls login
Finding live webcams
intitle:"webcamXP 5" inurl:8080 'Live'
intitle:"WEBCAM 7 " -inurl:/admin.html
intitle:"EvoCam" inurl:"webcam.html"
Using the ext operator with other operators:
"spring.datasource.password=" "spring.datasource.username=" ext:properties -git -gitlab
"db.username" "db.password" ext:properties
GitLab ssh.log ext:log
Database:phpmyadmin intext:mysql ext:sql inurl:phpmyadmin
Using the filetype operator with other operators:
intitle:"index of" inurl:/*sql* filetype:log
s3 site:amazonaws.com filetype:xls password
filetype:svn -gitlab -github inurl:"/.svn"
inurl:/php-errors.log filetype:log
GitHub dorking:
GitHub dorking is similar to Google dorking, with one difference:
Google dorks search the whole internet, which also includes GitHub, whereas GitHub dorks only search publicly available GitHub repositories. You can also search for code within a particular repository or organization.
You can normally find sensitive files, API keys, passwords, customer data, subdomains and sensitive URLs while doing GitHub dorking.
The format is similar to a Google dork:
operator:keyword
Let's say you want to find a specific file on GitHub. You can use the following dork for that:
filename:.bash_profile
The above dork will find all ".bash_profile" files available on GitHub. Now you want to narrow your search to specific things. Say you want to find passwords in ".bash_profile"; then you can use:
filename:.bash_profile password
There are a couple of things you can do with "filename":
filename:.env DB_USERNAME
filename:.esmtprc password
filename:credentials aws_access_key_id
There is also an option to search for a term in files of a specific programming language:
language:sql username
language:java api key
language:shell secret
You can also find data using specific file extensions:
extension:sql mysql dump
extension:json api.segment.io
extension:yaml mailchimp.com
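As an added example (not from the original post, nor from Exploit-DB), here is a defender-side audit in Python that walks a web root or repository checkout before it is published and flags the file names, extensions and content markers that the Google dorks above and the GitHub dorks in this section would otherwise surface once indexed. The sample tree it builds is constructed for the demonstration, and the RISKY_NAMES, RISKY_EXTS and SECRET_MARKERS sets are my own selection drawn from the dorks listed on this page.

```python
import os
import re
import tempfile

# Names the inurl:/intitle:"index of" dorks above surface once a crawler indexes them
RISKY_NAMES = {".env", ".git", ".svn", ".htaccess.old", ".bash_profile", ".esmtprc", "credentials"}
RISKY_EXTS = {".sql", ".log", ".yml", ".properties", ".csv", ".xls"}  # filetype:/ext: dorks
# Content markers the intext:/allintext: and GitHub dorks above look for
SECRET_MARKERS = [re.compile(p) for p in (
    r"DB_PASSWORD\s*=", r"spring\.datasource\.password\s*=",
    r"aws_access_key_id\s*=", r"jdbc:mysql://")]

def audit_tree(root):
    """Return a sorted list of (relative path, reason) for anything a dork above would find."""
    findings = set()
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d in RISKY_NAMES:
                findings.add((os.path.relpath(os.path.join(dirpath, d), root), "exposed directory"))
        for f in filenames:
            path = os.path.join(dirpath, f)
            rel = os.path.relpath(path, root)
            if f in RISKY_NAMES:
                findings.add((rel, "sensitive filename"))
            elif os.path.splitext(f)[1].lower() in RISKY_EXTS:
                findings.add((rel, "sensitive extension"))
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    head = fh.read(65536)  # first 64 KiB is plenty for config files and dump headers
            except OSError:
                continue
            for pat in SECRET_MARKERS:
                if pat.search(head):
                    findings.add((rel, "secret marker " + pat.pattern))
    return sorted(findings)

def build_sample_root():
    """Constructed sample web root (not a real site) used to demonstrate the audit."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, ".git"))
    os.makedirs(os.path.join(root, "config"))
    with open(os.path.join(root, ".env"), "w") as fh:
        fh.write("DB_USERNAME=app\nDB_PASSWORD=example-not-real\n")
    with open(os.path.join(root, "config", "app.properties"), "w") as fh:
        fh.write("spring.datasource.username=app\nspring.datasource.password=x\n")
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><title>Welcome</title></html>\n")
    return root
```

Running audit_tree(build_sample_root()) reports the .git directory, the .env file (by name and by its DB_PASSWORD line) and config/app.properties (by extension and by its spring.datasource.password line), while index.html is left alone; run it against a real deployment directory to catch the same exposures before a crawler does.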
Disclaimer:
This blog post is written for those who have no idea about and/or are new to information security. The information shared in this blog is only for educational purposes.
The author and Secure Logic are not in charge of and have no responsibility for any kind of:
· Malicious act capable of causing damage to any organization using the above information.
References:
All dorks are taken from Exploit-DB and credit goes to the original authors.
https://www.bugcrowd.com/resources/webinars/github-recon-and-sensitive-data-exposure/