How to Hack Google Search with Google Dorking

Daniel Pericich
4 min read · Sep 12, 2022



Do you want to become an expert hacker? Try being a dork first. No seriously, one of the first skills you must excel at in order to become an expert hacker is being able to perform passive reconnaissance on targets’ APIs and exposed credentials.

In order to do this you will need to become familiar with “dorking”, or the act of using advanced query filters within search engines. Using these advanced query filters will return and expose potentially useful items such as targeted forum and help posts, API documentation and exposed endpoints and even shared public credentials.

In this article I will look specifically at Google dorking, and how we may use this skill to get better search results as we scan Google Search’s treasure trove of indexed files.

**As a disclaimer, this article is meant to be informational and not as an aide for any improper activities. Dorking is useful for advanced searching in a number of ways including finding better results for questions or public data.**

How to Dork

Dorking makes use of a key value structure for searching data in a search engine. There are a number of possible keys that you can specify in your query, and these keys will be paired with your desired information.

Some of the most common “keys” are: inurl, intitle, filetype, intext and site. Each of these terms can be used by themselves, or grouped together for more targeted searches. One of the most common combinations is something like this:

Figure 1. Basic dork query in Google.

Here we are searching for any url endpoint that contains “/api/v1” within the site “delta.com”. We could use a query like this to find public endpoints that may allow us to gather and use flight information in our applications.

The pattern we see above could be useful with any combination of:

[site:<www.example.com> key:value]

where the key could be any query parameter key of inurl, intitle, filetype or intext. Specifying the site first narrows our search to a potential targeted service and from there we can check for groups of endpoints (inurl), specific pages (intitle), groups of text (intext) or even types of files (filetype).

These combinations of dork terms greatly narrow the results we get back and have to review. Oftentimes this surfaces pages and items that would not appear anywhere near the top of a default search.
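To make the key:value structure concrete, here is a small added example (written for this article, not code from the original post) that builds queries from the operators listed above, parses them back into their parts, and replays the `site:`, `inurl:` and `filetype:` parts against an inventory of your own site's URLs so you can check offline which pages such a query would pull up. The function names, the `build_dork`/`parse_dork`/`audit_inventory` API and the `example.com` sample URLs are assumptions constructed for the example; only the operator names come from the article.

```python
"""Added example: helpers for the key:value search-operator syntax.

The operator names (site, inurl, intitle, intext, filetype) are the ones the
article lists. Everything else here (function names, sample URLs) is an
assumption made for illustration, not part of the original article.
"""

import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlparse

# Operators discussed in the article. Anything else is treated as a plain search term.
KNOWN_OPERATORS = ("site", "inurl", "intitle", "intext", "filetype")

# One token is either `key:value` (value quoted or unquoted) or a bare term.
_TOKEN = re.compile(r'(\w+):("[^"]*"|\S+)|("[^"]*"|\S+)')


def build_dork(site: Optional[str] = None, **operators: str) -> str:
    """Compose a query of the form `site:<host> key:value ...`.

    `site` is emitted first to mirror the pattern in the article (narrow to a
    host, then add further operators). Values containing whitespace are wrapped
    in double quotes so the search engine treats them as one phrase.
    """
    parts: List[str] = []
    if site:
        parts.append(f"site:{site}")
    for key, value in operators.items():
        if key not in KNOWN_OPERATORS:
            raise ValueError(f"unknown operator: {key}")
        if any(ch.isspace() for ch in value):
            value = f'"{value}"'
        parts.append(f"{key}:{value}")
    return " ".join(parts)


def parse_dork(query: str) -> Dict[str, List[str]]:
    """Split a query into {operator: [values]}; bare terms are collected under "text".

    A `something:` prefix that is not a known operator (e.g. the scheme of a
    pasted URL) is kept as plain text rather than misread as an operator.
    """
    parsed: Dict[str, List[str]] = {}
    for m in _TOKEN.finditer(query):
        key, value, _bare = m.groups()
        if key and key.lower() in KNOWN_OPERATORS:
            parsed.setdefault(key.lower(), []).append(value.strip('"'))
        else:
            parsed.setdefault("text", []).append(m.group(0).strip('"'))
    return parsed


def matches_dork(url: str, parsed: Dict[str, List[str]]) -> bool:
    """Approximate offline whether a URL satisfies the site/inurl/filetype parts.

    intitle/intext need page content, so they are deliberately ignored here.
    `site:` matches the host exactly or any subdomain of it, as search engines do.
    """
    host = urlparse(url).netloc.lower()
    path = urlparse(url).path.lower()
    for wanted in parsed.get("site", []):
        wanted = wanted.lower()
        if not (host == wanted or host.endswith("." + wanted)):
            return False
    for fragment in parsed.get("inurl", []):
        if fragment.lower() not in url.lower():
            return False
    for ext in parsed.get("filetype", []):
        if not path.endswith("." + ext.lower()):
            return False
    return True


def audit_inventory(urls: Iterable[str], query: str) -> List[str]:
    """Return the URLs from your own inventory that a query would select."""
    parsed = parse_dork(query)
    return [u for u in urls if matches_dork(u, parsed)]


# Constructed sample inventory standing in for a crawl of your own site.
SAMPLE_INVENTORY = [
    "https://www.example.com/api/v1/flights",
    "https://docs.example.com/api/v1/reference.html",
    "https://www.example.com/help/billing.pdf",
    "https://www.example.com/blog/welcome",
    "https://other.example.org/api/v1/status",
]

if __name__ == "__main__":
    q = build_dork(site="example.com", inurl="/api/v1")
    print(q)
    print(parse_dork(q))
    for hit in audit_inventory(SAMPLE_INVENTORY, q):
        print("would surface:", hit)
```

Running the audit over a real export of your site's URLs (a sitemap or crawler output) is a cheap way to see which endpoints or file types a `site:` + `inurl:`/`filetype:` query would expose before a search engine shows them to someone else.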

Why Should We Dork Search Engines?

Dorking allows us to be almost surgical about which information we pull up for review when looking at public resources. Sometimes searching for an API will return the public developer docs, as is the case for Google:

Figure 2. Google dork query to get Google API documents.

Here we get back a link to the official, publicly facing Google API and its documentation. Other times dorking may turn up not-so-public documents that offer insight into how to interact with a company's or service's API.

Either way, by dorking we are able to find resources that may have been hidden before. For instance I can use an intext query to see if there are any pages or posts about Google Maps charges:

Figure 3. Google dork query to get back Google Maps Support pages.

Some of the results come back as help pages from Google Support in France. Again, these are potentially good resources that would definitely not be top results in a default Google search.

Final Thoughts

Dorking is a skill that takes a lot of practice. As you get better with narrowing your dork terms you will get better results. Beyond passive API reconnaissance, you can use dorking to better understand poorly documented APIs and audit your own site to view and then improve SEO performance. Remember with any hacking skill to only use it ethically. Good luck.

Notes

https://www.techtarget.com/whatis/definition/Google-dork-query

https://moz.com/learn/seo/search-operators
