Advanced Google Dorking

Google Dorking makes it easy to spot things like unsecured websites, exposed databases, and sensitive credentials that slipped through the cracks.

The more you know about crafting the right search, the easier it is to see just how important it is to lock down your data and tighten up your security practices. This guide explores how security professionals leverage search operators to find vulnerable data.

Domain and File-Type Specific Searches

Site-Specific Search

site:example.com confidential
  • Purpose: Limits search results to a specific domain.

File-Type Search

filetype:pdf "company budget"
  • Purpose: Finds specific file types.

Search Text in URL

inurl:admin
  • Purpose: Searches for specific text in URLs.

Search Text in Title

intitle:"index of /"
  • Purpose: Searches for specific text in page titles.

Sensitive Information Exposure

Password Exposure

site:example.com intext:password filetype:txt
  • Purpose: Finds plaintext passwords or credentials.

Exposing Database Credentials

"DB_PASSWORD" filetype:env
  • Purpose: Finds database passwords in environment configuration files.

Exposing Passwords in .bash_history

"password" filetype:bash_history
  • Purpose: Finds passwords stored in bash history files.

Private Keys in PEM Files

"BEGIN RSA PRIVATE KEY" filetype:pem
  • Purpose: Finds private keys in PEM files.

Passwords in Configuration Files

"password" filetype:config OR filetype:xml
  • Purpose: Finds passwords stored in configuration files.

Exposing .htpasswd Files

"htpasswd" filetype:htpasswd
  • Purpose: Reveals .htpasswd files used for basic HTTP authentication.

Exposing Private Keys in PEM or PPK Files

"id_rsa" OR "id_dsa" filetype:pem OR filetype:ppk
  • Purpose: Reveals SSH private keys in PEM or PPK files.

API & Cloud Service Keys

Finding API Keys in .env Files

"api_key" OR "apikey" filetype:env
  • Purpose: Finds exposed API keys in .env files.

AWS Access Keys

"aws_access_key_id" filetype:env OR filetype:json OR filetype:yaml
  • Purpose: Locates AWS keys in environment or configuration files.

Heroku API Keys

"HEROKU_API_KEY" filetype:json OR filetype:shell
  • Purpose: Finds Heroku API keys in configuration files.

Google Cloud Credentials

"type": "service_account" filetype:json
  • Purpose: Finds Google Cloud service account keys.

Firebase Credentials

"FIREBASE_API_JSON" OR "firebaseio" filetype:json
  • Purpose: Finds Firebase credentials in JSON files.

Exposing Configuration Files

Config File Leaks

site:example.com ext:xml | ext:conf | ext:cnf | ext:reg | ext:inf | ext:rdp | ext:cfg | ext:txt | ext:ora | ext:ini
  • Purpose: Exposes configuration files with system details or credentials.

WordPress Configuration

"DB_PASSWORD" filetype:php "wp-config"
  • Purpose: Finds WordPress configuration files containing database credentials.

Directories and Backup Files

Open Directories

intitle:"Index of" inurl:ftp
  • Purpose: Reveals directories with unrestricted access to files.

Exposed Backup Files

site:example.com ext:bak | ext:old | ext:backup | ext:txt
  • Purpose: Finds forgotten backup files.

Exposed .git Directories

site:example.com inurl:".git" -github.com -gitlab.com
  • Purpose: Locates exposed .git directories.

Vulnerabilities in Web and Application Layers

Vulnerable Parameters

site:example.com inurl:php?id= | inurl:asp?id= | inurl:jsp?id=
  • Purpose: Locates potentially vulnerable parameters.

Finding Exposed API Endpoints

site:example.com inurl:api | inurl:json | inurl:xml | inurl:swagger
  • Purpose: Finds exposed API endpoints.

Locating Admin or Login Pages

site:example.com inurl:admin | inurl:login | inurl:signin | inurl:portal
  • Purpose: Locates admin or login pages.

Discovering Subdomains

site:*.example.com -www
  • Purpose: Finds subdomains of a given domain.

Locating Vulnerable JavaScript Files

site:example.com ext:js inurl:jquery
  • Purpose: Finds potentially vulnerable JavaScript files.

Exposed Log Files

site:example.com ext:log | ext:txt intext:"error" | intext:"warning"
  • Purpose: Locates exposed log files that may contain sensitive error or warning messages.

Database Credentials

Exposing SQL Dump Files

"password" filetype:sql "mysql dump"
  • Purpose: Exposes SQL dump files containing MySQL credentials.

Database Usernames and Passwords in SQL Files

"db_password" OR "db_username" filetype:sql
  • Purpose: Exposes database credentials in SQL dump files.

PostgreSQL Passwords in .pgpass

"pgpass" filetype:conf OR filetype:txt
  • Purpose: Discovers PostgreSQL credentials stored in .pgpass files.

Miscellaneous Sensitive Information

Exposing .git-credentials

"username" "password" filetype:git-credentials
  • Purpose: Finds Git credentials stored in .git-credentials files.

Uncovering .npmrc Authentication Tokens

"_auth" filetype:npmrc
  • Purpose: Locates npm tokens used in .npmrc files.

Exposing .ftpconfig

"ftp" "password" filetype:ftpconfig
  • Purpose: Finds FTP configuration files containing login details.

MongoDB Credentials in Config Files

"mongolab.com password" filetype:yaml OR filetype:json
  • Purpose: Finds MongoDB credentials used in hosted services like MongoLab.

Advanced Search Refinement

Excluding Common Directories

"password" filetype:env -site:github.com -site:gitlab.com
  • Purpose: Excludes results from GitHub and GitLab to reduce false positives.

Narrowing Down to Specific Domains

"aws_access_key_id" site:example.com
  • Purpose: Focuses the search on a specific domain or company.
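
As a defensive counterpart to the queries above, the following added example (not part of the original guide) walks a web root you control and flags the file names, extensions and content markers those dorks look for, so exposures can be found before a search engine indexes them. The lists are a subset drawn from this page; the function names and sample files are constructed for illustration.

```python
import os
import tempfile

# Names, extensions and markers are a subset of those targeted by the dorks above.
RISKY_NAMES = {".env", ".bash_history", ".htpasswd", ".git-credentials",
               ".npmrc", ".pgpass", ".ftpconfig", "wp-config.php"}
RISKY_EXTS = {".bak", ".old", ".backup", ".sql", ".log", ".pem", ".ppk"}
MARKERS = ("BEGIN RSA PRIVATE KEY", "aws_access_key_id", "DB_PASSWORD")


def audit_webroot(root, max_bytes=1_000_000):
    """Return sorted (relative_path, reason) pairs for risky files under root."""
    findings = set()
    for dirpath, dirnames, filenames in os.walk(root):
        if ".git" in dirnames:
            rel = os.path.relpath(os.path.join(dirpath, ".git"), root)
            findings.add((rel, "exposed .git directory"))
            dirnames.remove(".git")  # do not descend into repository objects
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if name in RISKY_NAMES:
                findings.add((rel, "sensitive file name"))
            if os.path.splitext(name)[1].lower() in RISKY_EXTS:
                findings.add((rel, "backup/dump/key extension"))
            try:
                with open(os.path.join(root, rel), "r", errors="ignore") as fh:
                    text = fh.read(max_bytes)  # cap the read on large files
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            findings.update((rel, f"contains {m}") for m in MARKERS if m in text)
    return sorted(findings)


def demo():
    """Build a constructed sample web root in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {".env": "DB_PASSWORD=constructed-placeholder\n",
                   "index.html": "<h1>hello</h1>\n", ".git/config": "[core]\n",
                   "old/site.sql.bak": "-- constructed dump\n"}
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(body)
        return audit_webroot(root)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Point `audit_webroot` at the directory your web server actually serves; anything it reports should be moved out of the document root or blocked by server configuration, and any credential it finds should be rotated.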

Other resources

Looking for more? We recommend the following resources to read up on more Google Dorking techniques.

https://book.hacktricks.xyz/generic-methodologies-and-resources/external-recon-methodology/github-leaked-secrets

https://github.com/chr3st5an/Google-Dorking

https://github.com/Proviesec/google-dorks
