Google Dorking
Google Dorking
One-liner: Using advanced Google search operators to discover sensitive information, misconfigurations, and exposed files on the internet.
π― What Is It?
Google Dorking (also called Google Hacking) is a passive reconnaissance technique that uses advanced search operators to find information that shouldn't be publicly accessibleβexposed credentials, sensitive documents, vulnerable servers, and misconfigurations.
π¬ How It Works
Common Operators
| Operator | Description | Example |
|---|---|---|
site: |
Limit to specific domain | site:target.com |
filetype: |
Search specific file types | filetype:pdf |
intitle: |
Search page titles | intitle:"index of" |
inurl: |
Search URL content | inurl:admin |
intext: |
Search page body | intext:password |
ext: |
File extension | ext:sql |
cache: |
Cached version | cache:target.com |
- |
Exclude term | -site:www.target.com |
Example Dorks
# Find exposed configuration files
site:target.com filetype:env OR filetype:yml OR filetype:config
# Find login pages
site:target.com inurl:login OR inurl:admin
# Find exposed directories
site:target.com intitle:"index of"
# Find exposed SQL files
site:target.com filetype:sql "password"
# Find exposed credentials
site:target.com filetype:log "password"
# Find WordPress config files
filetype:txt inurl:wp-config
# Find exposed .git directories
intitle:"index of" ".git"
π Common Targets
| Target | Dork Example |
|---|---|
| Config files | filetype:env DB_PASSWORD |
| SQL dumps | filetype:sql "INSERT INTO" password |
| Log files | filetype:log inurl:password |
| Backup files | filetype:bak OR filetype:old |
| Admin panels | inurl:admin intitle:login |
| Open directories | intitle:"index of" parent directory |
| Exposed .git | intitle:"index of" ".git" |
π‘οΈ Detection & Prevention
How to Detect
- Undetectable by target - Queries go to Google, not your server
- Use Google Alerts for your domain + sensitive terms
- Check Google Search Console for indexed sensitive content
How to Prevent / Mitigate
- Proper
robots.txtconfiguration (but not security!) - Remove sensitive files from web roots
- Use
.htaccessto block directory listings - Regular external audits using dorks against your own domain
- Authentication on all sensitive endpoints
# robots.txt (tells crawlers what NOT to index)
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: *.sql
β οΈ Warning: robots.txt is not a security controlβit's a suggestion to crawlers. Attackers can still access these paths directly.
π€ Interview Angles
Common Questions
- "What is Google Dorking and how would you use it in a pentest?"
- "How can an organization protect against Google Dorking?"
- "What sensitive information have you found using dorks?"
STAR Story
Situation: Performing external reconnaissance for a client assessment.
Task: Identify exposed sensitive data without active scanning.
Action: Used Google dorks to search forsite:client.com filetype:sql,site:client.com filetype:env, and directory listing dorks.
Result: Found an exposed database backup containing user credentials. Client was unaware the file was publicly indexed.
β Best Practices
- Always get authorization before dorking a target
- Use Exploit-DB's Google Hacking Database (GHDB) for reference
- Combine with other OSINT techniques
- Document all findings with screenshots
π Related Concepts
π References
- Google Hacking Database (GHDB)
- OWASP - Google Hacking