Google Hacking: An In-Depth Explanation with Examples
Google hacking refers to the practice of using advanced Google search operators and techniques to find sensitive information, vulnerabilities, or unprotected data that has been inadvertently exposed on the internet. This method is used by security professionals for legitimate purposes (like penetration testing) but can also be exploited by malicious hackers.
How Google Hacking Works
Google’s powerful search engine indexes billions of web pages. Many organizations accidentally expose sensitive data through misconfigured servers, unprotected files, or debugging information left in production environments. Google’s advanced search operators allow users to precisely target these exposures.
Key Google Search Operators for Hacking
- site: – Limits search to a specific domain or website
- intitle: – Searches for text in webpage titles
- inurl: – Searches for text in URLs
- filetype: – Searches for specific file types
- ext: – Searches for files with specific extensions
- intext: – Searches for text within page content
- cache: – Shows cached version of a page
- link: – Finds pages that link to a specific URL
- related: – Finds similar sites
- info: – Provides information about a URL
Common Google Hacking Techniques
1. Finding Exposed Administrative Interfaces
intitle:"admin login"
This finds login pages with “admin login” in the title, potentially exposing administrative interfaces.
2. Locating Unprotected Configuration Files
filetype:env intext:"DB_PASSWORD"
Searches for .env files (common in web applications) that contain database passwords.
3. Discovering Open Directory Listings
intitle:"index of" "parent directory"
Finds open directories that may contain sensitive files.
4. Finding Exposed Database Dumps
filetype:sql intext:"CREATE TABLE"
Locates SQL database dumps that might contain sensitive data.
5. Identifying Vulnerable Web Applications
inurl:/phpmyadmin/index.php
Finds exposed phpMyAdmin interfaces which, if unprotected, could allow database access.
Practical Examples
Example 1: Finding Exposed Security Camera Feeds
inurl:/view.shtml intitle:"Live View / - AXIS"
This search finds publicly accessible Axis camera feeds that haven’t been properly secured.
Example 2: Locating Exposed Spreadsheets with Credentials
filetype:xlsx intext:"password"
Searches for Excel files containing the word “password” which might contain credential lists.
Example 3: Discovering Vulnerable WordPress Sites
inurl:/wp-content/uploads/
Finds WordPress sites where directory listings are enabled in the uploads folder, potentially exposing sensitive files.
Example 4: Finding Exposed AWS S3 Buckets
site:s3.amazonaws.com "targetcompany"
Searches for potentially misconfigured AWS S3 buckets belonging to a specific company.
Below is an extensive categorized list of Google dorks that security professionals use for penetration testing and vulnerability assessments. Note: These should only be used ethically with proper authorization.
I. Sensitive File Discovery
Configuration Files
filetype:env DB_USERNAME NOT "DB_PASSWORD"
filetype:ini intext:"password"
filetype:cfg intext:"passwd"
filetype:conf intext:"root"
filetype:properties intext:"username"
filetype:yml database_password
Database Files
filetype:sql "INSERT INTO" "users"
filetype:mdb intext:"password"
filetype:accdb intext:"admin"
filetype:db intext:"password"
filetype:dump intext:"CREATE TABLE"
Log Files
filetype:log "user" AND "password"
filetype:log "login" AND "failed"
filetype:log "PUT" AND "/etc/passwd"
filetype:log intext:"password" AND intext:"failed"
Backup Files
filetype:bak intext:"password"
filetype:old intext:"user"
filetype:backup "db_password"
"index of" "backup.zip"
II. System Information Discovery
Server Information
intitle:"Apache HTTP Server" intitle:"documentation"
intitle:"index of" "server at"
"Apache/2.4.7 (Ubuntu) Server at"
intext:"Powered by PHP/7.1" -site:php.net
Version Disclosure
intitle:"Welcome to IIS 7.5"
"Powered by Drupal" inurl:"CHANGELOG.txt"
intext:"Joomla! Version" inurl:"README.txt"
intext:"WordPress" inurl:"wp-includes/version.php"
Error Messages
intext:"error in your SQL syntax"
intext:"Warning: mysql_connect()"
intext:"Microsoft OLE DB Provider for ODBC Drivers error"
intext:"ORA-00933: SQL command not properly ended"
III. Authentication Bypass
Login Pages
intitle:"login" "admin"
intitle:"admin login"
inurl:"/admin/login.php"
inurl:"wp-login.php" "Powered by WordPress"
Default Credentials
"default password" filetype:pdf
"default username" filetype:xls
intitle:"router" intext:"admin" intext:"password"
inurl:"/cgi-bin/luci" intext:"LuCI - Lua Configuration Interface"
IV. Directory Listings
Open Directories
intitle:"index of" "parent directory"
intitle:"index of /" "passwd"
intitle:"index of" "htpasswd"
"index of" "/wp-content/uploads/"
Specific File Types
intitle:"index of" "*.sql"
intitle:"index of" "*.bak"
intitle:"index of" "*.conf"
intitle:"index of" "*.log"
V. Web Application Vulnerabilities
SQL Injection
inurl:"id=" & intext:"Warning: mysql_fetch_array()"
inurl:"product.php?id=" intext:"Add to Cart"
inurl:"page.php?id=" intext:"You have an error in your SQL syntax"
XSS Vulnerabilities
inurl:"search.php?q="
inurl:".php?q=" intext:"Search results for"
inurl:"feedback.php?subject="
LFI/RFI Vulnerabilities
inurl:"include.php?page="
inurl:"index.php?page="
inurl:"main.php?page="
VI. Network Device Exposure
Cameras
intitle:"Live View / - AXIS"
inurl:"viewerframe?mode=motion"
intitle:"webcamXP 5"
inurl:"lvappl.htm"
Routers
intitle:"RouterOS router configuration page"
inurl:"/system/user.dat"
inurl:"/wlsecurity.htm"
intitle:"D-LINK" | intitle:"DIR-615" intext:"Wireless"
Printers
intitle:"Printer Settings" inurl:"/printer.html"
intitle:"HP LaserJet" inurl:"/hp/device/this.LCDispatcher"
intext:"Brother" inurl:"/printer/main.html"
VII. Document Leaks
Office Documents
filetype:docx intext:"confidential"
filetype:xlsx intext:"password"
filetype:pptx intext:"proprietary"
PDF Documents
filetype:pdf "internal use only"
filetype:pdf "confidential" "draft"
filetype:pdf "SSN" OR "Social Security Number"
VIII. API & Developer Information
API Keys
"api_key" filetype:env
"aws_access_key_id" filetype:txt
"AKIA[0-9A-Z]{16}" -git
Developer Files
filetype:gitignore intext:"secret"
filetype:yaml intext:"password"
"config.js" intext:"API_KEY"
IX. IoT Device Exposure
Smart Devices
intitle:"Smart TV" inurl:"/cgi-bin/"
intext:"Hikvision" inurl:"/doc/page/login.asp"
intitle:"DVR Login" intext:"username"
SCADA Systems
intitle:"SCADA" inurl:"/scada/"
intitle:"WinCC flexible" inurl:"Portal/Portal.mwsl"
intext:"Modbus" intitle:"Web Server"
X. Miscellaneous
Git Exposures
"index of" ".git"
"index of" ".git/config"
inurl:"/.git/" intitle:"index of"
Cloud Storage
site:s3.amazonaws.com "targetcompany"
site:blob.core.windows.net intext:"connectionString"
site:storage.googleapis.com "private_key"
Phone Directories
filetype:vcf "BEGIN:VCARD"
filetype:csv intext:"name,phone,email"
intitle:"Phone List" filetype:xls
Defensive Measures Against Google Hacking
- robots.txt: Properly configure to prevent sensitive directories from being indexed
- Authentication: Protect sensitive interfaces with proper authentication
- File Permissions: Ensure sensitive files aren’t publicly accessible
- Directory Listings: Disable directory listings on web servers
- Error Messages: Customize error messages to avoid revealing system information
- Regular Audits: Use Google search operators to check what’s exposed about your own organization
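One way to apply the measures above to responses from a site you operate, as an added example that is not part of the original article: it flags the same markers the dorks on this page match on (listing titles, SQL error strings, served config or backup files, version banners). The rule names, function names and sample responses are constructed for illustration.

```python
import re

# Body markers mirror what this page's dorks match on (assumed rule names).
BODY_RULES = {
    "directory-listing": re.compile(r"<title>\s*Index of /", re.I),
    "sql-error": re.compile(r"error in your SQL syntax|Warning: mysql_|ORA-\d{5}"),
    "secret-in-body": re.compile(r"\b(DB_PASSWORD|aws_access_key_id|api_key)\s*[=:]", re.I),
}
# File names and extensions the filetype:/ext: dorks above look for.
SENSITIVE_PATH = re.compile(r"/\.env$|/\.git/|\.(sql|bak|old|log|conf|ini)$", re.I)
# Product/version tokens such as "Apache/2.4.7" or "PHP/7.1.0".
VERSION_BANNER = re.compile(r"[A-Za-z_-]+/\d+(\.\d+)+")

def audit_response(path, status, headers, body):
    """Return sorted finding names for one HTTP response from your own site."""
    findings = set()
    # A sensitive path only matters if the server actually serves it.
    if status == 200 and SENSITIVE_PATH.search(path.split("?", 1)[0]):
        findings.add("sensitive-file-served")
    for name, pattern in BODY_RULES.items():
        if pattern.search(body):
            findings.add(name)
    lowered = {k.lower(): v for k, v in headers.items()}
    if any(VERSION_BANNER.search(lowered.get(h, "")) for h in ("server", "x-powered-by")):
        findings.add("version-banner")
    return sorted(findings)

def audit_site(responses):
    """Map each path to its findings; an empty list means nothing was flagged."""
    return {p: audit_response(p, s, h, b) for p, s, h, b in responses}

# Constructed sample responses: (path, status, headers, body).
SAMPLES = [
    ("/uploads/", 200, {"Server": "Apache/2.4.7 (Ubuntu)"},
     "<html><head><title>Index of /uploads</title></head><body>Parent Directory</body></html>"),
    ("/.env", 200, {"Server": "nginx"}, "DB_USERNAME=app\nDB_PASSWORD=example-not-real\n"),
    ("/backup/db.sql", 403, {"Server": "nginx"}, "Forbidden"),
    ("/product.php?id=7", 200, {"X-Powered-By": "PHP/7.1.0"},
     "You have an error in your SQL syntax; check the manual"),
    ("/login", 200, {"Server": "nginx"}, "<title>Sign in</title>"),
]

if __name__ == "__main__":
    for path, findings in audit_site(SAMPLES).items():
        print(f"{path}: {', '.join(findings) or 'ok'}")
```
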
Ethical Considerations
While these techniques are valuable for security professionals conducting vulnerability assessments, using them without permission against systems you don’t own is illegal in most jurisdictions. The Google Hacking Database (GHDB) maintained by Offensive Security is a legitimate resource for security researchers.
Google hacking demonstrates how much sensitive information can be exposed through simple search techniques, emphasizing the importance of proper web security configurations.