Google Dorking 101: How to Find the Internet’s Best Kept Secrets

Cybersecurity Stephen
6 min read · Jun 28, 2024

Google dorking at home — NightCafe (by author)

You may be surprised to hear that finding secrets online is easier than you thought.

Google Dorking is a technique in which a user enters advanced search operators to uncover what others may be trying to hide. It’s a very powerful method for searching, so use it wisely and legally.

Disclaimer: Google Dorking may reveal sensitive information online.
While using this technique, you are still required to follow the law
and Terms of Service provided by Google. Please use this information
for educational and research purposes only.

Basic Search Operators

Simple Operator Examples with Google Dorks¹

Basic operators tell us how we can more closely refine our searches when “googling” something. As you can see above, you can manipulate the search results based on what you are looking for.

Understanding the basic operators will help you combine them with advanced operators and truly make your searching power grow exponentially.

Advanced Search Operators

Let’s now get into the juicy part of how you can beef up your search results:

  • site: (search only one website)
  • [#]…[#] or numrange: (search within a range of numbers)
  • date: (search only a range of months)
  • safesearch: (exclude adult-content)
  • link: (linked pages)
  • info: (info about a page)
  • related: (related pages)
  • intitle: (searches for strings in the title of the page)
  • allintitle: (searches for all strings within the page title)
  • inurl: (searches for strings in the URL)
  • allinurl: (searches for all strings within the URL)
  • filetype: or ext: (searches for files with that file extension)
  • cache: (display the Google cache of the page)
  • phonebook: (display all phone listings)
  • rphonebook: (display residential phone listings)
  • bphonebook: (display business phone listings)
  • author: (searches for the author of a newsgroup post)
  • insubject: (search only in the subject of a newsgroup post)
  • define: (various definitions of the word or phrase)
  • stock: (get information on a stock abbreviation)¹

Later in the article, I will give some more concrete examples of how you can use these advanced search operators, but as you can probably already envision, there are many ways to use these operators to find things normally not easy to find.

Number Searching

Number Searching with Google Dorks¹
Calculator Operators with Google Dorks¹

If you are looking for a specific number, statistic, tracking number, or anything in between, using the number and calculator operators can help you cut down your search time.

Examples Using Advanced Operators

One that I personally love using when looking for information online is the site: operator. When I look for legitimate resources on topics I will search:

site:.gov topic

The search results will only give you government sites that relate to your topic. If I am looking for authority on a subject matter, this is a super helpful place to start.

Screenshot of Google Dorking Example “site:”

While not all the links are going to be useful, at least you don’t have to wade through a swamp full of articles that aren’t from government sources.

Another very useful advanced operator is filetype:, since sensitive documents that an author revealed by mistake may be discoverable online.

Screenshot of Google Dorking with filetype:pdf

In the above example, I searched for only .pdf files that are related to Google dorking. The results only give me links to .pdf files.

In cybersecurity, these file types are especially useful to examine: (.exe, .dll, .bat, .sh, .ps1, .vbs, .js, .php, .doc, .docx, .pdf, .xls, .xlsx, .conf, .ini, .xml, .db, .sql, .mdb, .zip, .rar, .tar.gz, .log, .evt, .dat, .sig)

If you remember a specific topic was in a URL but totally forget where you found it, you could use the inurl: operator to help.

Screenshot of Google Dorking with inurl: operator

In the above example, we can see that the results only list URLs with cybersecurity in them, but really the world is your oyster in terms of searching.

If we type inurl:admin in our search bar, we may be getting into territory that only admins should be able to access, such as admin login pages. This is especially useful for penetration testing or ethical hacking of a website or organization.

Please do not randomly try to log into a website where you are NOT the admin. You COULD face legal repercussions. You have been warned.

A defender of websites from Google dorks — NightCafe (by author)

How to Defend Against Google Dorking

While Google Dorking can certainly expose vulnerabilities on a website, it’s important to realize there are steps we can take to mitigate these risks.

Here are a few ways to defend against Google Dorking:

  • Restrict Information (avoid sharing sensitive info online — if you have to, make sure to appropriately protect/restrict those files)
  • Implement a Robust Robots.txt file (this instructs web robots about which pages on your site to crawl or ignore — configure properly to avoid exposing sensitive data)
  • Use ‘NoIndex’ and ‘NoFollow’ Tags (tells search engines not to index certain pages or follow links on specific pages — helps protect sensitive data)
  • Regularly Conduct Website Audits (helps identify and fix potential vulnerabilities)
  • Limit File and Directory Permissions (ensure file permissions are set correctly and restrict access to sensitive directories)²
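
An added example, not from the original article: a small Python audit of the robots.txt and noindex controls listed above, run over constructed sample data. It flags a robots.txt that advertises sensitive paths (the file is public and only advisory) and a noindex directive on a page crawlers are told not to fetch, so the directive is never read. The keyword list, paths and finding names are assumptions for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample inputs (not a real site): robots.txt, then path -> (headers, HTML body).
ROBOTS_TXT = "User-agent: *\nDisallow: /admin/\nDisallow: /backups/\nDisallow: /blog/drafts/\n"
PAGES = {
    "/admin/login": ({}, '<head><meta name="robots" content="noindex, nofollow"></head>'),
    "/reports/q1.pdf": ({"X-Robots-Tag": "noindex"}, ""),
    "/internal/wiki": ({}, "<head><title>Wiki</title></head>"),
}
SENSITIVE = re.compile(r"admin|backup|internal|config|private", re.I)  # assumed keywords

class RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots" content="...">."""
    def __init__(self):
        super().__init__()
        self.directives = set()
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "robots":
            self.directives |= {d.strip().lower() for d in (a.get("content") or "").split(",")}

def disallowed_prefixes(robots_txt):
    """Non-empty Disallow values (simplification: user-agent groups are ignored)."""
    rules = [l.split(":", 1) for l in robots_txt.splitlines() if ":" in l]
    return [v.strip() for k, v in rules if k.strip().lower() == "disallow" and v.strip()]

def has_noindex(headers, body):
    """True if noindex is set via the X-Robots-Tag header or a robots meta tag."""
    hdr = {k.lower(): v.lower() for k, v in headers.items()}
    parser = RobotsMeta()
    parser.feed(body)
    return "noindex" in hdr.get("x-robots-tag", "") or "noindex" in parser.directives

def audit(robots_txt, pages):
    blocked = disallowed_prefixes(robots_txt)
    # robots.txt is world-readable: a sensitive Disallow entry is a signpost, not a lock.
    findings = [("robots-advertises-path", p) for p in blocked if SENSITIVE.search(p)]
    for path, (headers, body) in pages.items():
        noindex = has_noindex(headers, body)
        is_blocked = any(path.startswith(p) for p in blocked)
        if noindex and is_blocked:
            # Crawlers never fetch the page, so they never see its noindex directive.
            findings.append(("noindex-never-seen", path))
        elif not noindex and not is_blocked and SENSITIVE.search(path):
            findings.append(("indexable-sensitive-path", path))
    return findings

if __name__ == "__main__":
    print(*audit(ROBOTS_TXT, PAGES), sep="\n")
```

None of these controls restricts access; pages that must stay private still need authentication, which is what the "Restrict Information" and permissions items in the list cover.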

Conclusion

Google dorks are difficult to master because valid dorks change often, misuse can lead to serious legal repercussions, and the danger of accidentally using Google dorking inappropriately is discouraging.³

Unfortunately for us, cyber-criminals care little about the repercussions of the law because they operate outside of it. So, we as cyber-defenders must be smart when using such powerful techniques for good.

I purposefully didn’t give any examples that would reveal sensitive information as that’s not the point of the article. The main takeaway here is that it’s getting easier to find hidden information online nowadays, so we need to educate and defend ourselves accordingly.

I’m confident you learned something useful today, so go and use this knowledge for the greater good in cybersecurity. Like always, keep learning every day and stay safe everyone!

Leveling up with Google dorks — NightCafe (by author)

References

(1) SANS. (2021, February 15). Google Hacking and Defense Cheat Sheet. SANS Stay Sharp Program. https://sansorg.egnyte.com/dl/f4TCYNMgN6

(2) Imperva. (n.d.). Google Dorking. Retrieved on 6/28/2024 from https://www.imperva.com/learn/application-security/google-dorking-hacking/

(3) Lee, Cassandra. (2024, May 10). Google Dorks Cheat Sheet 2024: How to Hack Using Google. StationX. https://www.stationx.net/google-dorks-cheat-sheet/
