Useful Google Dorks for OSINT Investigations

Best Google Dorks for OSINT Investigations

Explore our comprehensive guide to advanced search techniques with Google dorks that will enhance your OSINT research.

Google Dorking is a technique used by the media, investigative agencies, and security engineers to query search engines for hidden information and vulnerabilities exposed on public servers.

How Does Google Dorking Work?

Google Dorking is an OSINT technique, not a system vulnerability or a method to hack a site. It works like a regular data mining process with advanced features. The algorithm of any search engine is configured to index absolutely all information, even when the administrators of the web resources had no intention of publishing that material.

Sample Google Dork Queries

Dorking is not limited to Google. These operators work just as well on Bing, Yahoo, and DuckDuckGo. An operator is a keyword or phrase that has a special meaning for a search engine. Here are examples of commonly used operators: “inurl,” “intext,” “site,” “feed,” and “language.” Each operator is followed by a colon and then the corresponding search term.

They allow you to search for more specific information, such as certain lines of text within the pages of a website or files hosted at a specific URL. Among other things, Google Dorking can also find hidden login pages, error messages that give information about available vulnerabilities, and shared files.

Using the “cache:” operator, you can search for deleted or archived pages. It shows the saved version of a web page that Google stores, even if the page has since been deleted.

For example:

cache:www.youtube.com

The command lets you view the full version of the page, the text version, or the page’s source code. It also indicates the exact time (date, hour, minute, second) at which the Google spider indexed the page. The page is displayed as a graphic file, although you can search within it as on a regular HTML page (key combination CTRL + F). The results of running the “cache:” command depend on how often the web page has been indexed by the search engine. You can try the most popular Google Dorking commands:

Cache: will show the old or deleted version of the site, e.g., cache:securitytrails.com

Allintext: Looks for specific text that is on the page, e.g., allintext: hacking tools

Allintitle: same as the dork above, but only for titles, e.g., allintitle:"Security Companies"

Filetype: can be used to search for any file extension, e.g., email security filetype:pdf

Site: will show you the complete list of all indexed URLs for the given domain and subdomain, e.g., site:securitytrails.com

*: allows you to search for anything before a word, e.g., how to * a website, will return “how to…” design/create/hack, etc… “a website.”

-: the minus operator is used to avoid showing results that contain certain words, e.g., security -trails will show pages that use “security” in their text, but not those that have the word “trails.”

+: used to concatenate words, useful to detect pages that use more than one specific key, e.g., security + trails
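
The operator syntax listed above can be checked mechanically before a query is pasted into a search engine. The following Python code is an added example, not part of the original article or of any tool it mentions; the function name parse_dork and its operator set are assumptions of the example, and the sample queries are constructed from the ones on this page.

```python
import re

# Operators named on this page; the set is an assumption of this example, not a full list.
OPERATORS = {"cache", "site", "filetype", "inurl", "intext", "allintext", "allintitle"}
# Typographic characters that editors substitute for the ASCII quote and hyphen.
TYPOGRAPHIC = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2013": "-"})
# A token is an optionally negated, optionally operator-prefixed phrase, or a bare word.
TOKEN = re.compile(r'-?(?:[A-Za-z]+:)?"[^"]*"|\S+')
OP_GAP = re.compile(r"\b(%s):\s+" % "|".join(sorted(OPERATORS)), re.I)


def parse_dork(query):
    """Return (terms, warnings); each term is a (kind, operator, value) tuple."""
    warnings = []
    fixed = query.translate(TYPOGRAPHIC)
    if fixed != query:
        warnings.append("typographic quote or dash replaced with ASCII")
    # Operators are written with the value directly after the colon, with no space.
    joined = OP_GAP.sub(r"\1:", fixed)
    if joined != fixed:
        warnings.append("whitespace after an operator colon removed")
    if joined.count('"') % 2:
        warnings.append("unbalanced double quote")
    terms = []
    for tok in TOKEN.findall(joined):
        if tok == "OR":
            terms.append(("or", None, None))
            continue
        kind = "include"
        if tok.startswith("-") and len(tok) > 1:
            kind, tok = "exclude", tok[1:]
        op, sep, value = tok.partition(":")
        if sep and op.lower() in OPERATORS:
            terms.append((kind, op.lower(), value.strip('"')))
        else:
            terms.append((kind, None, tok.strip('"')))
    return terms, warnings


if __name__ == "__main__":
    # Constructed samples: queries from this page in the damaged form a copy/paste produces.
    for q in ("email security filetype: pdf",
              "allintitle:\u201dSecurity Companies\u201d",
              "John J. Doe\u201d filetype:pdf OR filetype:xlsx OR filetype:docx"):
        print(parse_dork(q))
```

The all-prefixed operators apply to every word that follows them; this parser tags only the first value and leaves the rest as plain terms.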

More examples and search operators can be found in the Google Hacking Database (GHDB). If you want to automate the search process, you can use the programs listed at the end of this guide.

Useful Google Dorks for Personal Investigations

Okay, how can you use this method for personal investigations? For example, you can search for an email address that is associated with a username on social media like Facebook and Twitter or with a mobile phone number. If you are the same as the vast majority of people who do not think about security on the Internet, most likely you use the same login for many services. Sometimes, this username may contain some information that we may use. For example, the name Anna2000 will give a hint about the year of birth. There are many other examples, but this is not the most important; it is important for the researcher to understand whether this name was used anywhere else on the Internet.

Let’s look at an example of how to search for information about a person if we only have their username, using Google Dorks for open source intelligence. Let’s take the same name, Anna2000. In order to find public e-mail addresses on the Internet that have been used as an identifier, you need to enter the following query into the search engine:

Anna2000*com

Search results won’t always show results that are significantly different than if you just searched for Anna2000, but it’s still a great way to find a person’s email address that you can later use for further research.

Disclosure of New Contact Information from Online Documents

We can learn a lot by knowing only the name of a person. Since this is a public article, we will not look for documents on a real person, but we will show you the principle by which you can easily repeat this search yourself. In order to find all public documents related to our object of study, you need to enter “John J. Doe” and specify the file type: Excel, Doc, PDF, and so on. This will give us a list of documents that mention our object.

"John J. Doe" filetype:pdf OR filetype:xlsx OR filetype:docx

As you can see, we decided to combine three different search operators to get better results. In the future, this combination will help you save a lot of time and effort. The search results for John won’t give us any serious results because of the hidden identity. But if we search for a real person, we will get documents that are in the public domain. These can be court cases, summaries, fines, contracts, and more, which will allow us to continue our investigation.

Best 8 Google Dorks Open Source Projects

  • Pagodo – automates searching for potentially vulnerable web pages and applications on the Internet. It replaces manually performing dork searches with a web GUI browser.
  • Zeus Scanner is an advanced reconnaissance utility designed to simplify web application reconnaissance.
  • Go Dork – The fastest dork scanner written in Go.
  • Sitedorks – Search Google, Bing, Ecosia, Yahoo, or Yandex for a search term with several websites. A default list is already provided, containing Github, Gitlab, Surveymonkey, Trello, etc. Currently, a default list of 518 dorkable websites is available.
  • DorkScanner – A typical search engine dork scanner that scrapes search engines with queries that you provide in order to find vulnerable URLs.
  • Evildork – Dorks against one specific domain or all of its available subdomains, or against a general target (likely to be a person). Produces an HTML output page with all the Google dork links. Be aware that Google, after some tries, will add a captcha to check if you’re a bot or not.
  • Google Dorks Full List – Approx 10.000 lines of dorks search queries! Please initiate a pull request in order to contribute and have your findings added! 