Google Dorking, also known as Google Hacking, is a technique to uncover sensitive information on websites by using advanced Google search operators. It’s a powerful reconnaissance method for penetration testing.
These are simple commands to refine search results.
| Operator | Description | Example |
|---|---|---|
site: |
Restrict results to a specific domain. | site:example.com |
intitle: |
Find pages with specific words in the title. | intitle:login |
inurl: |
Look for URLs containing specific words or parameters. | inurl:admin |
filetype: |
Search for specific file types. | filetype:pdf site:example.com |
ext: |
Similar to filetype:, searches for file extensions. |
ext:sql |
cache: |
View the cached version of a webpage. | cache:example.com |
*"..."* |
Search for exact phrases. | "confidential report" |
OR |
Combine multiple search terms, showing results for either. | password OR login |
- |
Exclude results containing a specific word. | site:example.com -login |
* |
Wildcard to match any word. | "password * username" |
Find specific data that might be exposed unintentionally.
Find login portals that might lead to admin areas:
inurl:login | intitle:login
inurl:admin | intitle:admin
Search for sensitive files like credentials, backups, or configurations:
site:example.com ext:sql | ext:db | ext:log
site:example.com filetype:pdf
intitle:"index of" "backup"
Identify misconfigured servers or environment leaks:
inurl:".env" "DB_PASSWORD"
inurl:config ext:php | ext:xml
intitle:"index of" "config"
Locate exposed password lists or credentials:
filetype:txt inurl:"password"
inurl:ftp "password"
Search for SQL dumps or exposed databases:
ext:sql | ext:db | ext:sqlite
intitle:"index of" "dump"
Scrape email addresses for phishing or credential testing:
site:example.com "@example.com"
Identify exposed directory structures:
intitle:"index of /" site:example.com
intitle:"index of /" +ftp
Find websites running vulnerable software:
intitle:"phpMyAdmin" inurl:"main.php"
intitle:"Apache Tomcat" "manager" "status"
Find pages that leak error messages:
inurl:"error" | inurl:"exception"
"ORA-00933: SQL command not properly ended"
Locate default server configuration or setup pages:
inurl:setup | inurl:install | inurl:default
Find unsecured IP cameras:
intitle:"Live View / - AXIS" | intitle:"Axis Video Server"
inurl:view/view.shtml
Use Google Dorks to gather OSINT (Open Source Intelligence):
Find public WHOIS records:
site:whois.domaintools.com example.com
Identify sensitive information accidentally pushed to GitHub:
site:github.com "DB_PASSWORD"
site:github.com "AWS_SECRET_ACCESS_KEY"
Discover subdomains:
site:example.com -www
- Google Dork Scanner: Automates dorking queries.
- GHDB (Google Hacking Database): Predefined dorks for specific purposes (maintained by Offensive Security).
- Recon-ng: OSINT framework that includes Google Dork modules.
Write a Python script using Google Custom Search API to automate queries:
from googlesearch import search
query = "intitle:'index of' site:example.com"
for result in search(query, num=10, stop=10, pause=2):
print(result)- Always have permission before performing reconnaissance.
- Use incognito mode to prevent personalized search results.
- Combine multiple operators to narrow down results:
site:example.com inurl:admin filetype:php
| Goal | Example |
|---|---|
| Admin Login | intitle:"Admin Login" |
| Open Directories | intitle:"Index of /" |
| Exposed Configs | inurl:"config" ext:php |
| Password Files | filetype:txt inurl:"password" |
| Public Git Repos | site:github.com "DB_PASSWORD" |
| Open Cameras | intitle:"Axis Video Server" |
dork