Google Dorks: How to find interesting data and search like hacker

Go the words Google and Hacking together? Well if you thought that we will learn how to use hack Google, you might be wrong.
But we can Use Google search engine to find interesting data accidentally exposed to the Internet.
Such a simple search bar has the potential to help you also protect yourself or your website against unwanted hackers visits. This way if you're a website operator or owner you may try to find out what do you share with the world. If you know HOW!

What is Google hacking?

Let me introduce you to Google hacking, also named Google dorking. It is a “hacker” technique sometimes just referred to as a dork, that uses Advanced Google Search to find security holes in the configuration and website code.
We can use some of these techniques to filter information, get better search results, but in this case, we would focus on the information normally not accessible. Like show camera feeds and documents..

It all started in 2002 when a man called Johnny Long began to collect queries that worked in Google search and with those it could be uncovered vulnerabilities or unveiled sensitive or hidden information. He labeled them google dorks. Later this grew into large database, eventually organized into Google Hacking Database.

It is not hacking, is Google dorks!

Well if you would argue that even Google itself enables its users information how you can refine search, you would have been right.
You cannot hack websites directly using Google, just are making use of publicly available advanced search tools. But since Google uses its engine capabilities to crawl Internet and index page titles, within some poorly secured websites may be included sensitive information. Basically, by dorking you can find vulnerabilities.
There are multiple options how you can more precisely define your query in https://www.google.com/advanced_search, and if you notice on the right side of that page there are even hints.

We already talked about use of special operators and symbols like AND, OR, NOT, also symbols like ~ (synonyms), + (combine), “” (exact phrase), * (wildcard) .

Small recap:

• Google search is case sensitive when we use logical operators. So you cannot type oR, or anD, instead use uppercase or symbols.
• OR can be replaced by pipe symbol | .
• NOT can be replaced by minus(ess) symbol - .
• AND can be replaced by single space (pressing space), but results may differ if we type AND specifically between words.
• City City - show flights from one city to another, even if you enter IATA airport code like ‘PRG LON’
• Link - finds sites that link to your specific domain, like “link:ma-no.org”
• .. - Search within a range of numbers, like ‘2002 .. 2020’ or ‘$25..$75’
• In - converts units, example ‘inches in a foot’
• Site - show your searched term within specific site, like ‘site:elcorteingles.es watches’ or specific domain ‘site:uk amazon’
• Allintitle - shows results with the searched phrase in the title, ‘allintitle:nasa moon landing’
• Intitle - shows result with a single term in the title, example ‘intitle: "sauce"’
• Inblogtitle - shows results of blogs with the searched phrase in the title, ‘inblogtitle: programming’
• Inposttitle - shows results with a single term in the title, like ‘inposttitle: programming’
• Allintext - shows results to pages with the terms in the content, example ‘Allintext: recipes for a weekend’
• Allinanchor - shows sites with your search term in links, example
• Allinurl
• Inurl - shows results with your first search term in the URL and the second term is content, ‘Inurl: movies view’
• Allinpostauthor - shows content that is written by yours searched author, example ‘allinpostauthor: Bukowski’
• Related - shows results that are related to your searched URL, ‘related:NYtimes.com’
• Info - shows information about searched domain, like ‘Info:diariodemallorca.com’
• Define - ‘define:dorking’ will return definition of the given word.
• Source - searches for mentions of a specific person or thing in a certain news source. ‘metro source:diario de mallorca’
• Location - shows articles based on specified location, like ‘location:Mallorca beaches’
• Filetype - Find documents of the specified type, example ‘filetype:pdf cats’
• Ext - Very similar to Filetype but we can seek uncommon extensions for more accurate results, example ‘ext:flac mysong’
• Movie - shows times for a specific movie in a specific location
• Weather - show results for weather in a specific location, example “weather:palma de mallorca”
• Stocks - shows stock price of a specific company. I.e ‘stocks:Starbucks’
• Cache - shows most recent cache of specific webpage, example ‘cache:ma-no.org’
• Map - shows map of specified location, like ‘map:"sierra de tramuntana"’
• Equation - calculates numbers, for example ‘10x4’
• Tip calculator - calculator to help you decide how much to tip, example ‘’
• Minute timer - shows a timer with your specified time, like ‘2 minute timer’
• Stopwatch - shows a stopwatch, example ‘stopwatch’
• Sunrise | Sunset - shows the time of sunrise and sunset for specific location, example ‘sunrise palma’
• Flight number - shows the status of a specific flight, example ‘FR 6363’
• Sports team - shows the score of a current game ‘real madrid barcelona’
• Insubject - Find group messages with specific content, like ‘insubject:"website crawlers" ’
• Group - Finds group messages from specific source, example ‘group:"google dorks" ’
• Numrange - Finds range of numbers in a query upto 5 digits
• Daterange - Searches in range of dates, with use of julian dates, example ‘daterange:2452463.5 2452464’
• Msgid - Message Identification Line used in email and Usenet newsgroups.

In this article you can read more about google “secret” queries .
https://www.ma-no.org/en/security/google-hacking-secrets-the-hidden-codes-of-google.

Bonanza of data, Juicy information and Some Examples

We need to make sure that we’re not logging into anything that requires a password even if that password is shown to us in plain text, because that’s a line at which it becomes illegal access to a device that we don’t have permission to use.
It would also be a good idea to use some proxy or VPN like hide.me to change your IP address when Google would start querying you with captchas.

This query would search text files in sites which have domain .org and in the text file it searches for strings “password OR passwords OR contraseñas OR login OR contraseña”.
filetype:txt site:web.com password|passwords|contraseñas|login|contraseña

This query shows registers of conversations that remained on servers.
“Index of” / “chat/logs”

This searches for backup directories.
intitle:"index of" inurl:/backup

This searches mp3 files on various types of servers
intitle:index.of mp3

This shows spilled data from MySQL databases where you are searching for pass|password|passwd|pwd.
filetype:sql “MySQL dump” (pass|password|passwd|pwd)

We can use some of these techniques to localize cameras of the manufacturer AXIS.
Inurl:axis-cgi
Inurl:"lvappl.htm"

We can obtain some feed of the IP cameras, some of them we can even control.
inurl:”ViewerFrame?Mode=”
If you’re into webcams, here is good source of query strings. Its a bit creepy if you ever wondered if somebody could be watching some(yours) feed?
http://suryachandiran.blogspot.com/2015/05/google-hacking-to-hack-into-live.html
inurl:top.htm inurl:currenttime
inurl:”lvappl.htm”

This can show enjoyable reading among government sited files of type PDF.
site:gov filetype:pdf allintitle:restricted

This query searches documents with sensitive character, but in the intranet of the sites.
inurl:intranet filetype:doc confidential

This is supposed to find the .LOG files accidentally exposed on the internet.
allintext:password filetype:log after:2020

This searches for string “username” in a log type files
allintext:username filetype:log

This will expose .env files - used by various popular web development frameworks to declare general variables and configurations for local as well as dev environment.
DB_USERNAME filetype:env
DB_PASSWORD filetype:enc=v

The file robots.txt is for preventing crawlers and spiders or any other search engine to enter into your website and you can block indexing specific pages or directories with it. Anyhow, by typing a query like this, you can look into different robots.txt files to see what you are not able to access.
“robots.txt” “disallow:” filetype:txt

These queries help you browse open FTP servers
intitle:"index of" inurl:ftp
intitle:"index of" inurl:http after:2020

Search for specific website under defined domain
inurl:.es/index.php?id=

SSH private keys
intitle:index.of id_rsa -id_rsa.pub

Putty logs
filetype:log username putty

Email lists
filetype:xls inurl:"email.xls"

How to mitigate Dorking

There are ways to not expose your system. Keep Operating system, services and applications patched and up-to-date. Use security solutions like antivirus and firewall for blocking access. Audit your exposure. Do not store sensitive information on public locations. Perform penetration testing.
Website owners must configure a file name robots.txt file properly. That is to prevent Google Dorks from accessing important data of your site, which can have serious consequences for your image and reputation.

xplanations:
cache: If you include other words in the query, Google will highlight those words within
the cached document. For instance, [cache:www.google.com web] will show the cached
content with the word “web” highlighted. This functionality is also accessible by
clicking on the “Cached” link on Google’s main results page. The query [cache:] will
show the version of the web page that Google has in its cache. For instance,
[cache:www.google.com] will show Google’s cache of the Google homepage. Note there
can be no space between the “cache:” and the web page url.
------------------------------------------------------------------------------------------
link: The query [link:] will list webpages that have links to the specified webpage.
For instance, [link:www.google.com] will list webpages that have links pointing to the
Google homepage. Note there can be no space between the “link:” and the web page url.
------------------------------------------------------------------------------------------
related: The query [related:] will list web pages that are “similar” to a specified web
page. For instance, [related:www.google.com] will list web pages that are similar to
the Google homepage. Note there can be no space between the “related:” and the web
page url.
------------------------------------------------------------------------------------------
info: The query [info:] will present some information that Google has about that web
page. For instance, [info:www.google.com] will show information about the Google
homepage. Note there can be no space between the “info:” and the web page url.
------------------------------------------------------------------------------------------
define: The query [define:] will provide a definition of the words you enter after it,
gathered from various online sources. The definition will be for the entire phrase
entered (i.e., it will include all the words in the exact order you typed them).
------------------------------------------------------------------------------------------
stocks: If you begin a query with the [stocks:] operator, Google will treat the rest
of the query terms as stock ticker symbols, and will link to a page showing stock
information for those symbols. For instance, [stocks: intc yhoo] will show information
about Intel and Yahoo. (Note you must type the ticker symbols, not the company name.)
------------------------------------------------------------------------------------------
site: If you include [site:] in your query, Google will restrict the results to those
websites in the given domain. For instance, [help site:www.google.com] will find pages
about help within www.google.com. [help site:com] will find pages about help within
.com urls. Note there can be no space between the “site:” and the domain.
------------------------------------------------------------------------------------------
allintitle: If you start a query with [allintitle:], Google will restrict the results
to those with all of the query words in the title. For instance,
[allintitle: google search] will return only documents that have both “google”
and “search” in the title.
------------------------------------------------------------------------------------------
intitle: If you include [intitle:] in your query, Google will restrict the results
to documents containing that word in the title. For instance, [intitle:google search]
will return documents that mention the word “google” in their title, and mention the
word “search” anywhere in the document (title or no). Note there can be no space
between the “intitle:” and the following word. Putting [intitle:] in front of every
word in your query is equivalent to putting [allintitle:] at the front of your
query: [intitle:google intitle:search] is the same as [allintitle: google search].
------------------------------------------------------------------------------------------
allinurl: If you start a query with [allinurl:], Google will restrict the results to
those with all of the query words in the url. For instance, [allinurl: google search]
will return only documents that have both “google” and “search” in the url. Note
that [allinurl:] works on words, not url components. In particular, it ignores
punctuation. Thus, [allinurl: foo/bar] will restrict the results to page with the
words “foo” and “bar” in the url, but won’t require that they be separated by a
slash within that url, that they be adjacent, or that they be in that particular
word order. There is currently no way to enforce these constraints.
------------------------------------------------------------------------------------------
inurl: If you include [inurl:] in your query, Google will restrict the results to
documents containing that word in the url. For instance, [inurl:google search] will
return documents that mention the word “google” in their url, and mention the word
“search” anywhere in the document (url or no). Note there can be no space between
the “inurl:” and the following word. Putting “inurl:” in front of every word in your
query is equivalent to putting “allinurl:” at the front of your query:
[inurl:google inurl:search] is the same as [allinurl: google search].
------------------------------------------------------------------------------------------
Nina Simone intitle:”index.of” “parent directory” “size” “last modified” “description” I Put A Spell On You (mp4|mp3|avi|flac|aac|ape|ogg) -inurl:(jsp|php|html|aspx|htm|cf|shtml|lyrics-realm|mp3-collection) -site:.info
Bill Gates intitle:”index.of” “parent directory” “size” “last modified” “description” Microsoft (pdf|txt|epub|doc|docx) -inurl:(jsp|php|html|aspx|htm|cf|shtml|ebooks|ebook) -site:.info
parent directory /appz/ -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
parent directory DVDRip -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
parent directory Xvid -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
parent directory Gamez -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
parent directory MP3 -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
parent directory Name of Singer or album -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
filetype:config inurl:web.config inurl:ftp
“Windows XP Professional” 94FBR
ext:(doc | pdf | xls | txt | ps | rtf | odt | sxw | psw | ppt | pps | xml) (intext:confidential salary | intext:"budget approved") inurl:confidential
ext:(doc | pdf | xls | txt | ps | rtf | odt | sxw | psw | ppt | pps | xml) (intext:confidential salary | intext:”budget approved”) inurl:confidential
ext:inc "pwd=" "UID="
ext:ini intext:env.ini
ext:ini Version=... password
ext:ini Version=4.0.0.4 password
ext:ini eudora.ini
ext:ini intext:env.ini
ext:log "Software: Microsoft Internet Information Services *.*"
ext:log "Software: Microsoft Internet Information
ext:log "Software: Microsoft Internet Information Services *.*"
ext:log "Software: Microsoft Internet Information Services *.*"
ext:mdb   inurl:*.mdb inurl:fpdb shop.mdb
ext:mdb inurl:*.mdb inurl:fpdb shop.mdb
ext:mdb inurl:*.mdb inurl:fpdb shop.mdb
filetype:SWF SWF
filetype:TXT TXT
filetype:XLS XLS
filetype:asp   DBQ=" * Server.MapPath("*.mdb")
filetype:asp "Custom Error Message" Category Source
filetype:asp + "[ODBC SQL"
filetype:asp DBQ=" * Server.MapPath("*.mdb")
filetype:asp DBQ=" * Server.MapPath("*.mdb") 
filetype:asp “Custom Error Message” Category Source
filetype:bak createobject sa
filetype:bak inurl:"htaccess|passwd|shadow|htusers"
filetype:bak inurl:"htaccess|passwd|shadow|htusers" 
filetype:conf inurl:firewall -intitle:cvs 
filetype:conf inurl:proftpd. PROFTP FTP server configuration file reveals
filetype:dat "password.dat
filetype:dat "password.dat" 
filetype:eml eml +intext:"Subject" +intext:"From" +intext:"To"
filetype:eml eml +intext:"Subject" +intext:"From" +intext:"To" 
filetype:eml eml +intext:”Subject” +intext:”From” +intext:”To”
filetype:inc dbconn 
filetype:inc intext:mysql_connect
filetype:inc mysql_connect OR mysql_pconnect 
filetype:log inurl:"password.log"
filetype:log username putty PUTTY SSH client logs can reveal usernames
filetype:log “PHP Parse error” | “PHP Warning” | “PHP Error”
filetype:mdb inurl:users.mdb
filetype:ora ora
filetype:ora tnsnames
filetype:pass pass intext:userid
filetype:pdf "Assessment Report" nessus
filetype:pem intext:private
filetype:properties inurl:db intext:password
filetype:pst inurl:"outlook.pst"
filetype:pst pst -from -to -date
filetype:reg reg +intext:"defaultusername" +intext:"defaultpassword"
filetype:reg reg +intext:"defaultusername" +intext:"defaultpassword" 
filetype:reg reg +intext:â? WINVNC3â?
filetype:reg reg +intext:”defaultusername” +intext:”defaultpassword”
filetype:reg reg HKEY_ Windows Registry exports can reveal
filetype:reg reg HKEY_CURRENT_USER SSHHOSTKEYS
filetype:sql "insert into" (pass|passwd|password)
filetype:sql ("values * MD5" | "values * password" | "values * encrypt")
filetype:sql ("passwd values" | "password values" | "pass values" ) 
filetype:sql ("values * MD" | "values * password" | "values * encrypt") 
filetype:sql +"IDENTIFIED BY" -cvs
filetype:sql password
filetype:sql password 
filetype:sql “insert into” (pass|passwd|password)
filetype:url +inurl:"ftp://" +inurl:";@"
filetype:url +inurl:"ftp://" +inurl:";@" 
filetype:url +inurl:”ftp://” +inurl:”;@”
filetype:xls inurl:"email.xls"
filetype:xls username password email
index of: intext:Gallery in Configuration mode
index.of passlist
index.of perform.ini mIRC IRC ini file can list IRC usernames and
index.of.dcim 
index.of.password 
intext:" -FrontPage-" ext:pwd inurl:(service | authors | administrators | users)
intext:""BiTBOARD v2.0" BiTSHiFTERS Bulletin Board"
intext:"# -FrontPage-" ext:pwd inurl:(service | authors | administrators | users) "# -FrontPage-" inurl:service.pwd
intext:"#mysql dump" filetype:sql
intext:"#mysql dump" filetype:sql 21232f297a57a5a743894a0e4a801fc3
intext:"A syntax error has occurred" filetype:ihtml
intext:"ASP.NET_SessionId" "data source="
intext:"About Mac OS Personal Web Sharing"
intext:"An illegal character has been found in the statement" -"previous message"
intext:"AutoCreate=TRUE password=*"
intext:"Can't connect to local" intitle:warning
intext:"Certificate Practice Statement" filetype:PDF | DOC
intext:"Certificate Practice Statement" inurl:(PDF | DOC)
intext:"Copyright (c) Tektronix, Inc." "printer status"
intext:"Copyright © Tektronix, Inc." "printer status"
intext:"Emergisoft web applications are a part of our"
intext:"Error Diagnostic Information" intitle:"Error Occurred While"
intext:"Error Message : Error loading required libraries."
intext:"Establishing a secure Integrated Lights Out session with" OR intitle:"Data Frame - Browser not HTTP 1.1 compatible" OR intitle:"HP Integrated Lights-
intext:"Fatal error: Call to undefined function" -reply -the -next
intext:"Fill out the form below completely to change your password and user name. If new username is left blank, your old one will be assumed." -edu
intext:"Generated   by phpSystem"
intext:"Generated by phpSystem"
intext:"Host Vulnerability Summary Report"
intext:"HostingAccelerator" intitle:"login" +"Username" -"news" -demo
intext:"IMail Server Web Messaging" intitle:login
intext:"Incorrect syntax near"
intext:"Index of" /"chat/logs"
intext:"Index of /network" "last modified"
intext:"Index of /" +.htaccess
intext:"Index of /" +passwd
intext:"Index of /" +password.txt
intext:"Index of /admin"
intext:"Index of /backup"
intext:"Index of /mail"
intext:"Index of /password"
intext:"Microsoft (R) Windows * (TM) Version * DrWtsn32 Copyright (C)" ext:log
intext:"Microsoft CRM : Unsupported Browser Version"
intext:"Microsoft ® Windows * ™ Version * DrWtsn32 Copyright ©" ext:log
intext:"Network Host Assessment Report" "Internet Scanner"
intext:"Network Vulnerability   Assessment Report"
intext:"Network Vulnerability Assessment Report"
intext:"Network Vulnerability Assessment Report" 本文来自 pc007.com
intext:"SQL Server Driver][SQL Server]Line 1: Incorrect syntax near"
intext:"Thank you for your order"   +receipt
intext:"Thank you for your order" +receipt
intext:"Thank you for your purchase" +download
intext:"The following report contains confidential information" vulnerability -search
intext:"phpMyAdmin MySQL-Dump" "INSERT INTO" -"the"
intext:"phpMyAdmin MySQL-Dump" filetype:txt
intext:"phpMyAdmin" "running on" inurl:"main.php"
intextpassword | passcode)   intextusername | userid | user) filetype:csv
intextpassword | passcode) intextusername | userid | user) filetype:csv
intitle:"index of" +myd size
intitle:"index of" etc/shadow
intitle:"index of" htpasswd
intitle:"index of" intext:connect.inc
intitle:"index of" intext:globals.inc
intitle:"index of" master.passwd
intitle:"index of" master.passwd 007电脑资讯
intitle:"index of" members OR accounts
intitle:"index of" mysql.conf OR mysql_config
intitle:"index of" passwd
intitle:"index of" people.lst
intitle:"index of" pwd.db
intitle:"index of" spwd
intitle:"index of" user_carts OR user_cart
intitle:"index.of *" admin news.asp configview.asp
intitle:("TrackerCam Live Video")|("TrackerCam Application Login")|("Trackercam Remote") -trackercam.com
intitle:(“TrackerCam Live Video”)|(“TrackerCam Application Login”)|(“Trackercam Remote”) -trackercam.com
inurl:admin inurl:userlist Generic userlist files
------------------------------------------------------------------------------------------
Using special search string to find vulnerable websites:
inurl:php?=id1
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num= andinurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=

Conclusion

Before you start to use Dorks you need to be aware that Google knows who you are. Use obtained information only for legal purposes and not to harm others. Malicious hackers can type such queries that they can obtain information such as exposed directories, files with usernames and passwords, shopping info and so on. Beware, it might be also regarded as illegal google hacking activity.
We wouldn’t suggest you do harm, but you could Dork yourself. Build queries to search for your vulnerabilities, and learn from it to improve YOUR security.