Disclaimer – Please note that the information and examples herein are intended for ethical use and educational purposes only. Furthermore, just because network assets are improperly facing the public domain does not mean that accessing these systems is permitted or legal.
I was first introduced to Google Dorks as far back as 2007, back in the glory days when I used to sit at my computer, hunting for targets across the web while Pendulum’s Voodoo People remix pounded through my headphones. Dorking opened up infinite doors to new intrusion possibilities and exploration.
In my world, there was no wrong way to break into systems. So I turned to Google Dorks and started poking around misconfigured private directories, rifling through folders, and downloading exposed files.
This happens every day because it's so easy that even a child can do it, even if they do not understand the process.
Its simplicity, combined with Google's indexing of content, default configurations, a lack of proper access controls, and good old-fashioned human error, makes it the perfect recipe for threat actors looking to uncover unprotected sensitive information and network devices otherwise meant to be private.
Hackers publish lists of the most interesting Google dorks, which are constantly being updated as new Google search queries are realized, producing new results. Combining and mixing filters will output all kinds of interesting information.
Although dorking is popular among hackers of every ilk, it also has ethical uses. For example, I have used this method to locate important files during research, especially information that has been removed from its source. Copies can be uncovered elsewhere, hiding in plain sight. It always boils down to intent.
An introduction to Dorking
Dorking is a hacking method that uses Google’s advanced search filters to locate specific information and devices rather than the generalized results commonly returned from an everyday Google search.
For example, we know that printers, CCTV cameras, File Transfer Protocol (FTP) servers, and web servers are supposed to be protected. For them to be compromised, a threat actor must take several steps to achieve illicit access.
This may include probing network protocols for weaknesses, cracking passwords, and of course, exploiting flaws in web applications. However, Google dorks provide a less sophisticated approach since these files, directories, and network devices are already exposed to the public.
For example, the Dork intitle:"index of" inurl:ftp cues Google to filter out everything except for web pages that list directory contents of FTP servers.
- intitle:"index of" tells Google to return only web pages that contain the phrase “index of” in the title. Web servers commonly put “index of” in the title of the directory listings they generate to display folder contents, so those listings can be searched for, and exposed.
- inurl:ftp restricts the results to URLs that contain the string “ftp.” Put together, the two filters return a listing of FTP servers indexed by Google.
As shown in this example, the directory index page for the following FTP servers is facing the public domain. This does not mean that exposed directories have write privileges. However, it is enough that they have read access.
Prevention tips
If you scan your website for exposed elements that might have been indexed by search engines, there are some workarounds to keep certain parts from being indexed and consequently exposed.
- Robots.txt: For your website, use a robots.txt file to control which elements of your website are permitted to be indexed by search engines.
Example:
User-agent: *
Disallow: /admin/
Disallow: /includes/
Disallow: /login/
Disallow: /cpanel/
- Noindex Meta tag: You can also use the Noindex Meta tag in your pages’ source code, which will also prevent those pages from being indexed by search engines.
- File permissions: In the same way you’d make sure files and directories in a workgroup with different user permissions wouldn’t be accessible to just anybody, make sure all your files and corresponding directories have proper permissions.
- Search engine auditing: To see which pages of your site are indexed by search engines, try searching site:yoursite.com. This is something I often do, ensuring that my own site’s configurations are in order, are not exposed, and the right pages are being indexed.
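The prevention tips above interact in ways worth checking on your own site: robots.txt is an advisory, publicly readable file rather than an access control, and a noindex tag only works if crawlers are allowed to fetch the page that carries it. The following is an added example, not part of the original article; the function name, the finding labels and the example.com URLs are made up for illustration, and the responses are constructed so it runs offline.

```python
from html.parser import HTMLParser
from urllib import robotparser

class PageInfo(HTMLParser):
    """Collect the <title> text and any <meta name="robots"> directives."""
    def __init__(self):
        super().__init__()
        self.title, self.robots_meta, self._in_title = "", "", False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and (a.get("name") or "").lower() == "robots":
            self.robots_meta = (a.get("content") or "").lower()
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data

def audit(url, status, headers, body, robots_txt):
    """Findings for one response fetched from a site you administer."""
    info = PageInfo()
    info.feed(body)
    rules = robotparser.RobotFileParser()
    rules.parse(robots_txt.splitlines())
    hdrs = {k.lower(): v.lower() for k, v in headers.items()}
    noindex = "noindex" in info.robots_meta or "noindex" in hdrs.get("x-robots-tag", "")
    disallowed = not rules.can_fetch("*", url)
    public = status == 200
    findings = []
    if public and info.title.strip().lower().startswith("index of"):
        findings.append("directory-listing")    # what intitle:"index of" matches
    if public and disallowed:
        findings.append("robots-only")          # hidden from crawlers, readable by anyone
    if noindex and disallowed:
        findings.append("noindex-unreachable")  # crawler is blocked, so it never sees the tag
    if public and not noindex and not disallowed:
        findings.append("indexable")            # confirm this page is meant to be public
    return findings

# Constructed sample input: a robots.txt and two responses, not real traffic.
ROBOTS = "User-agent: *\nDisallow: /admin/\nDisallow: /backups/\n"
LISTING = "<html><head><title>Index of /backups</title></head><body></body></html>"
REPORT = '<head><meta name="robots" content="noindex"><title>Report</title></head>'
if __name__ == "__main__":
    print(audit("https://example.com/backups/", 200, {}, LISTING, ROBOTS))
    print(audit("https://example.com/admin/report.html", 200, {}, REPORT, ROBOTS))
```

A "robots-only" finding means the path needs authentication or removal, not just a Disallow line; a "directory-listing" finding means the web server's automatic index should be turned off for that directory.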
Linux scripts
Let’s face it. You want to add a little flair to your Google dorks research so you can showcase some snazzy screenshots on your LinkedIn profile. You download a couple of command-line scripts from GitHub like ‘DorkScraper’ to automate the process.
In my opinion, the only reason why using a script like this might be useful is if it has a file output option, which will enrich your research by allowing you to output your search query results to a file.
Scripts like this one work almost the same way as searching in the web browser, with the additional option to save the results to a text file. It requires users to input the Google dork they wish to search.
Google dorking cyberwarfare
Since the onset of Russia’s war with Ukraine (#OpRussia) and Israel’s military campaign against Gaza (#OpPalestine), weaponizing Google Dorks has been at the forefront of hacktivists' support for both Ukrainians and Palestinians.
While dorks have been used in a variety of ways, none have been as extensively utilized as hunting for web cameras and CCTVs, especially in military conflict zones. Hacktivists have been able to use this to provide tactical support to the Ukrainian military. Hacked CCTV cameras have been used for moving impacted civilians out of war zones and providing visual aid for troop movements. The fact that the Ukrainian military has relied so much upon unconventional aid in unexpected ways has given them a creative edge in their war efforts.
Like with anything involving the dark side of technology, ethics and intent are what ultimately determine the difference between what is lawful and what is defined as criminal.