Google-Fu: A Tour of Google Dorking

Over the last few seasons, Cyber Skyline has introduced Google dorking into the National Cyber League (NCL) Games. So what exactly is Google dorking?

Although it is often called “Google hacking” because of how it can be used, and calling something hacking (in the popularized sense) implies that it must be illegal, Google dorking is not inherently a crime. It refers to the use of publicly available advanced search filters for deeper investigative purposes, and it is only considered an illegal activity when it is used to commit a cyber crime.

Taisa here! With a little more about why Google dorks get a bad rep… Know how big Google’s database is? Google won’t say, but, back in 2014, xkcd cartoonist Randall Munroe estimated 10 exabytes of data. An exabyte is a billion gigabytes. That’s a massive database. A plain vanilla search of popular, publicly facing websites on Google’s homepage barely scratches the surface of what Google has actually trawled out there on the Internet. Think of Google dorking as advanced query building for the database of the entire Internet. Dorks narrow Internet searches down with such laser-like focus that they’ve become a hacker reconnaissance tool, used to filter out unwanted results so as to uncover hidden directories and files, vulnerable web applications, and other sensitive information such as passwords and bank account information. In 2013, dorking was used to hack a water dam in New York City. Things got bad enough that, in 2014, the FBI published a PSA on the dangers of dork queries. In today’s world, nothing is more valuable than information, and Google dorks are one of the most powerful tools for culling the Big Data of the Internet into something useful—and into something you perhaps were never meant to see. We now return you to your regularly scheduled blog post from JeanaByte…!

As always, the NCL and the NCL Players Committee Members do not condone the use of these tools for illegal activities. And remember, in this case, a cyber crime can be something as small as accessing certain webpages or files that were not intended for the public, or as large as intentionally uncovering vulnerabilities and proceeding to exploit said vulnerabilities. Keep in mind that search providers monitor and indefinitely store all search queries, which could be identified as yours and used against you in legal proceedings.

If Google isn’t your preferred search engine, dorking can also be done through other popular search engines such as Bing, DuckDuckGo (an NCL player favorite), or Yahoo (does anyone use Yahoo anymore?). Most search engines are designed to accept these more advanced filters, although filters and filter definitions may change between search engines. If you do plan on dorking using a search engine other than Google, be sure to double check what filters work and what they do within that specific search engine. For now, we’re just going to continue on with the assumption that you’ll be using Google.

Formatting of Your Dork Query

Regardless of what search filter you’re using (we’ll get into filters in a minute), your query should follow this format:

filter colon search-term → filter:search-term

If you are looking for a very specific string of words, and you want an exact match, you would include quotation marks around your search term.

filter:"search term"

If you are using more than one type of filter, add each additional filter after the previous search term, separated by a space and without any extra punctuation.

filter1:search-term filter2:search-term

You can use as many filters as you want, and generally you’ll be using more than one. However, if you use too many, you may not get any results because the search will become too specific.

Filter Types

Now that you know how to format your searches, let’s jump into the specific filter types. Here, I’ve listed what I think are the most used/useful filters. There are more filters than the ones on this list, and I’ve linked some resources towards the end of the blog.

| DORK | DESCRIPTION | EXAMPLE |
| --- | --- | --- |
| site:[url] | Limits the search to the specified website. | site:nationalcyberleague.org |
| intitle:[term] | Shows pages that have the specified term in their title. | intitle:cryptography |
| inurl:[text] | Shows pages that have the specified text in their URL. | inurl:infosec |
| filetype:[file extension] OR ext:[file extension] | Searches for the specified file type. | filetype:pdf OR ext:pdf |
| intext:[text] OR allintext:[text] | Searches the text of a page. Pretty much how a normal Google search works. | intext:password OR allintext:password |
| cache:[url] | Shows the cached version of the specified website. | cache:nationalcyberleague.org |

Combining Filters

Now that you’ve got the basics, let’s put it all together with a couple of examples! Let’s say you want to find all of the blogs on cryptokait.com that have cryptography in the title. Your dork query would look like this:

site:cryptokait.com intitle:cryptography

If you wanted to find all of the PDF files on the NCL website, your query would be:

site:nationalcyberleague.org filetype:pdf
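
The formatting rules above can be checked mechanically. The following is an added example, not code from the original post: the function names `build_dork` and `parse_dork` are hypothetical, and the set of accepted filters is just the list from the table in this post. It builds a query from filter/term pairs (quoting multi-word terms) and parses one back, rejecting common slips such as a space after the colon.

```python
import re

# Filters from the table in this post; other engines may define them differently.
KNOWN_FILTERS = {"site", "intitle", "inurl", "filetype", "ext",
                 "intext", "allintext", "cache"}

# One token: filter:"quoted term" or filter:bare-term
TOKEN = re.compile(r'(\w+):(?:"([^"]*)"|([^\s"]+))')


def build_dork(pairs):
    """Join (filter, term) pairs into a single query string."""
    parts = []
    for name, term in pairs:
        if name not in KNOWN_FILTERS:
            raise ValueError(f"unknown filter: {name!r}")
        if not term or '"' in term:
            raise ValueError(f"unusable term for {name}: {term!r}")
        # A term containing whitespace only works as an exact match in quotes.
        if re.search(r"\s", term):
            term = f'"{term}"'
        parts.append(f"{name}:{term}")
    # Filters are separated by a space, with no extra punctuation.
    return " ".join(parts)


def parse_dork(query):
    """Split a query into (filter, term) pairs, rejecting anything else."""
    pairs = []
    for match in TOKEN.finditer(query):
        name, quoted, bare = match.groups()
        if name not in KNOWN_FILTERS:
            raise ValueError(f"unknown filter: {name!r}")
        pairs.append((name, quoted if quoted is not None else bare))
    leftover = TOKEN.sub("", query).strip()
    if leftover:
        raise ValueError(f"not in filter:term form: {leftover!r}")
    return pairs


if __name__ == "__main__":
    q = build_dork([("site", "nationalcyberleague.org"),
                    ("intitle", "cyber league")])  # constructed sample input
    print(q)
    print(parse_dork(q))
```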

Wrapping It All Up

Like I said before, this is definitely just the basics and there are a ton more filters and complexities when it comes to Google dorking, but this should give you a basic understanding of how Google dorking works and how to do fairly simple dorking searches. If you want more, Wikipedia has a pretty extensive list of advanced operators, and below are the two resources I used in writing this blog:

  1. Exploring Google Hacking Techniques using Dork by Securelca
  2. Search Smarter by Dorking by Gabi Sobliye (This one also has a pretty extensive list of operators, including which operators work on which search engines.)

© 2019-2021 Jeana Cosenza