Benjamin Cazier - Cybersecurity consultant
Reading time : 5 min
This is neither the first nor the last article on this subject, which keeps evolving, partly because of the OSINT craze. I'd like to offer an update on Google Dorks: a good way in for those discovering the subject, a reminder for those in the know, and, who knows, a bit of geek culture for dinner parties.
It was back in 2002, when modems were still clattering to connect just after the "AOL 50 hours free" CD-ROM had been inserted, that Johnny Long (not the American soccer player, nor the musician), the computer security expert also known as "j0hnny" or "j0hnnyhax", began compiling a list of queries that turn up far-from-trivial information such as vulnerable systems or sensitive data.
These queries are called Google dorks (roughly "an idiot exposed by Google"). Why that name? I imagine it was aimed at the webmasters of the time, who probably weren't too familiar with the usefulness of the robots.txt file, the sitemap.xml file and the links present on their site. The practice is also known as Google hacking (don't picture a hooded figure making money illegally, but rather the original meaning of the term: pushing, or even hijacking, a technology to its limits).
That's where our Johnny came into his own. When the average person does a Google search, the query looks something like "How to make a veggie burger" or "How to go on vacation without a car", a bit like talking to a friend. For a more efficient search, though, you have to phrase queries the way a machine would. That's how Mr Long worked, because he had discovered what could be found that way...
Disclaimer: But wait, is all this legal? It all depends on your intentions. This article is written for educational purposes, so don't use these techniques for any illegal activity. It is by learning attack techniques that you can defend yourself accordingly.
"Great power implies great responsibility," said Ben, Spider-Man's uncle, or Franklin D. Roosevelt in 1945, or Winston Churchill in 1906, among others.
Even if you think you're safe from prying eyes, don't forget that you're going through Google, which must know a lot more about you than your own mother does... It has already happened, in France: a blogger known as Bluetouff was fined €3,000 after accessing documents he had reached through a Google search.
What's more, some companies set up honeypots with false information to keep an eye on people who might attack them. So don't be like Winnie the Pooh, caught with your paw in the honey pot.
There's no need to know how to code or to understand the latest routing protocol. All you have to do is type your expression into a search engine. The examples given here are based on Google, but other search engines can be used by adapting the syntax. As a reminder, Google is not case-sensitive (upper/lower case), and it ignores common structural words (articles, conjunctions).
The query consists of 2 components:
There are different categories of operator: Booleans, punctuation, symbols and specific operators.
If you remember your physics or logic lessons, you've already understood: these are the operators that come from logic functions, AND (implicit between two words), OR, and NOT (written as a leading minus sign).
Once again, if you know anything about regular expressions, you won't be lost. Otherwise, here's a quick summary: double quotes force an exact phrase, a leading minus sign excludes a term, and an asterisk stands in for any word.
There are several dozen of them. The aim is not to show you all of them, but to give a few examples of how they work. If you want the complete list, it is very easy to find.
The operator name is followed by a colon and then the search pattern, with no space after the colon (site:example.com, not site: example.com) 😊
Of course, all these operators can be combined, and that is what gives a query its full power.
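To make the syntax above concrete, here is an added example (not code from the article's author): a small Python module that assembles a dork from its parts, tokenizes one back into operator/value pairs, and flags the classic "space after the colon" mistake. The operator names are Google's documented ones; the queries and the example.com domain are constructed for illustration.

```python
# Added example for this article: compose, tokenize and lint Google-style
# dork queries. Not code from the article's author; the operator names are
# Google's documented ones, and every query is constructed for illustration
# (example.com is a reserved documentation domain).
import re

# Operators that take "operator:pattern" form; a subset of Google's list.
SPECIFIC_OPERATORS = {
    "site", "filetype", "ext", "intitle", "allintitle", "inurl", "allinurl",
    "intext", "allintext", "cache", "related",
}

# One token: optional leading '-', optional 'operator:', then either a
# quoted phrase, a single parenthesis, or a run of non-space characters.
TOKEN_RE = re.compile(r'(-?)(?:(\w+):)?("[^"]*"|[()]|[^\s()]+)')


def quote_if_needed(value: str) -> str:
    """Quote a value containing whitespace so it is matched as an exact phrase."""
    return f'"{value}"' if any(c.isspace() for c in value) else value


def build_dork(terms=(), exact=(), exclude=(), any_of=(), **operators) -> str:
    """Assemble a query string.

    terms     -> plain keywords (Google ANDs them implicitly)
    exact     -> phrases wrapped in double quotes
    exclude   -> words prefixed with '-' (NOT)
    any_of    -> alternatives joined with OR inside parentheses
    operators -> site="example.com" etc., emitted as operator:value, no space
    """
    parts = []
    for op, value in operators.items():
        if op not in SPECIFIC_OPERATORS:
            raise ValueError(f"unsupported operator: {op}")
        parts.append(f"{op}:{quote_if_needed(value)}")
    parts.extend(terms)
    parts.extend(f'"{phrase}"' for phrase in exact)
    if any_of:
        parts.append("(" + " OR ".join(quote_if_needed(a) for a in any_of) + ")")
    parts.extend(f"-{quote_if_needed(word)}" for word in exclude)
    return " ".join(parts)


def parse_dork(query: str):
    """Tokenize a query into (negated, operator, value) triples.

    Quotes are stripped from phrase values; parentheses and the OR keyword
    come back with operator None so a caller can still see the grouping.
    """
    tokens = []
    for neg, op, value in TOKEN_RE.findall(query):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        tokens.append((neg == "-", op or None, value))
    return tokens


def lint_dork(query: str):
    """Flag the classic mistakes: a space after the colon, or an unknown operator."""
    problems = []
    for _, op, value in parse_dork(query):
        # "site:" followed by a space tokenizes as a bare word ending in ':'
        if op is None and value.endswith(":") and value[:-1].isalpha():
            problems.append(f"'{value}' is followed by a space; write {value}pattern")
        elif op is not None and op.lower() not in SPECIFIC_OPERATORS:
            problems.append(f"unknown operator '{op}:'")
    return problems


if __name__ == "__main__":
    q = build_dork(site="example.com", intitle="index of",
                   any_of=("backup", "old"), exclude=("html",))
    print(q)
    for token in parse_dork(q):
        print(token)
    print(lint_dork("site: example.com"))
```

Running it prints the assembled query, its tokens, and one lint warning for the space after `site:`; the same tokenizer is handy for reviewing a list of dorks before pasting them into a search engine.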
Let's face it: that was the original purpose of dorking, and it still is today. Attackers use it. Take the kill chain (created by Lockheed Martin in 2011) as an example. What is the kill chain? In short, a model of the successive stages of a cyber attack.
Dorking appears right from the very first stage, Reconnaissance, sometimes called footprinting, which is the collection of information about the target.
From a technical point of view:
Today there is a database of such queries, the GHDB (Google Hacking Database), to keep you busy on long winter evenings: https://www.exploit-db.com/google-hacking-database
Nor should we overlook the "human" side, social engineering. Dorking makes it easier:
Or even more directly by finding:
If attackers use dorking, so do defenders, during a security audit or a red team engagement. There's nothing like putting yourself in the attacker's shoes to learn how to defend yourself.
From a technical point of view, here's a closer look at the type of basic searches used:
On a more personal level, you can find out whether there's any sensitive information about you with searches like:
These searches are also widely used in fields such as OSINT and by investigative journalists, for example. The possibilities really are endless...
Another area where advanced queries can make all the difference is Search Engine Optimization (SEO): all the little things you need to do to get your website into Google's top results.
Here are a few examples:
A final area where dorking can become an everyday tool is searching for candidate profiles in recruitment. With the advent of LinkedIn and the like, publishing a profile on the web has become almost indispensable for anyone looking for a new job, which makes it easy to find.
A few examples gleaned here and there; you'll see for yourself what these queries are for:
Dorks turn up where you least expect them. As recently as 2020, the search site:chat.whatsapp.com returned a list of over 400,000 invite links to "normally" closed groups on Facebook-owned WhatsApp.
Almost anyone can be affected. Here's how it works:
You buy a surveillance camera and install it in 2 minutes to keep an eye on your cat while you're away. The camera talks to a server that relays the video in real time, so you can connect from your phone and open the stream hosted on that server. The server requires no password, or you left the default one in place (so it isn't too complicated to use). Your cat's life (and the inside of your home, welcome to Loft Story) is then open to anyone in the world who searches for the text contained in the camera's web interface page: once Google has indexed that page, a dork on its title or body text lists every camera of that model.
There are ways to avoid this. The first tips, obvious but worth repeating, are:
On a technical level, if you administer a web server, a website or any other equipment reachable from the Internet, be sure to:
For larger companies, data leakage is also a concern that ranks high on IT security roadmaps. Specialized companies offer DLP (Data Leak Prevention) and Threat Intelligence services that scan the dark web for corporate data.
Now you know a little more about using search engines. Using dorks is not complicated; the difficulty lies in knowing the structure of the information you are looking for.
This advanced search method is no longer limited to Google or other search engines. It exists for other content-rich platforms such as GitHub, Pastebin, Twitter...
Today, our Johnny devotes himself entirely to the Hackers for Charity organization, but he has published several books on Google dorks, the most recent in 2015.
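The camera story and the advice for server administrators above come down to one question: what is your own site serving that a crawler could index and a dork could then find? Here is an added example (not code from the article's author or from any product it mentions) that runs that check offline over a handful of constructed HTTP responses. It flags directory listings (the pages behind intitle:"index of"), sensitive file extensions served with a 200, and pages that carry no noindex directive; the extension list and the markers it looks for are assumptions of this example.

```python
# Added example for this article: a small offline audit of HTTP responses for
# the signals that search-engine dorks key on. Not code from the article's
# author or from any product it mentions. The responses below are constructed
# samples; the extension list and the markers checked are assumptions.
import re
from dataclasses import dataclass

# File types that should never be reachable unauthenticated under a web root.
SENSITIVE_EXT = (".sql", ".bak", ".env", ".log", ".old", ".zip", ".conf", ".config")

# Autoindex pages from common web servers title themselves "Index of /path".
DIRECTORY_LISTING_RE = re.compile(r"<title>\s*index of\s*/", re.IGNORECASE)
# <meta name="robots" content="noindex, nofollow">
META_ROBOTS_RE = re.compile(
    r'<meta\s+name=["\']robots["\']\s+content=["\']([^"\']*)["\']', re.IGNORECASE)


@dataclass
class Response:
    path: str
    status: int
    headers: dict
    body: str

    def header(self, name: str) -> str:
        """Case-insensitive lookup; HTTP header names are not case-sensitive."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return ""


def noindex_requested(resp: Response) -> bool:
    """True if the page asks crawlers not to index it, via header or meta tag."""
    if "noindex" in resp.header("X-Robots-Tag").lower():
        return True
    match = META_ROBOTS_RE.search(resp.body)
    return bool(match and "noindex" in match.group(1).lower())


def audit(resp: Response) -> list:
    """Findings for one response; an empty list means nothing to report."""
    findings = []
    if resp.status != 200:  # only content actually served can be indexed
        return findings
    if DIRECTORY_LISTING_RE.search(resp.body):
        findings.append('directory listing enabled (matches intitle:"index of")')
    if resp.path.lower().endswith(SENSITIVE_EXT):
        findings.append(f"sensitive file type served: {resp.path} (filetype:/ext: dorks)")
    if findings and not noindex_requested(resp):
        findings.append("no noindex directive: once crawled, this URL stays searchable")
    return findings


def sample_responses() -> list:
    """Constructed samples standing in for real fetches of your own site."""
    return [
        Response("/backup/", 200, {"Content-Type": "text/html"},
                 "<html><head><title>Index of /backup</title></head><body>"
                 "<a href='db.sql'>db.sql</a></body></html>"),
        Response("/exports/db.sql", 200,
                 {"content-type": "application/sql", "x-robots-tag": "noindex"},
                 "CREATE TABLE users (...);"),
        Response("/admin/", 403, {"Content-Type": "text/html"}, "<html>Forbidden</html>"),
        Response("/index.html", 200, {"Content-Type": "text/html"},
                 "<html><head><title>Welcome</title></head></html>"),
    ]


def run_audit(responses=None) -> dict:
    """Map each path to its findings, dropping paths with nothing to report."""
    report = {}
    for resp in responses if responses is not None else sample_responses():
        findings = audit(resp)
        if findings:
            report[resp.path] = findings
    return report


if __name__ == "__main__":
    for path, findings in run_audit().items():
        print(path)
        for finding in findings:
            print("  -", finding)
```

Note the second sample: the SQL dump carries a noindex header, so it is not flagged for indexing, but it is still flagged as served. A noindex directive (or a robots.txt entry) only asks crawlers to stay away; it does not protect the file, and a dork only needs one crawler that ignored the hint. The fix for such paths is authentication or removal, with noindex as a secondary measure.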