You might pride yourself on being savvy in cyber security, but be prepared for surprises if you test the Google dorks provided. Done right, these Google dorks can identify high-priority vulnerabilities you can investigate further using penetration testing tools.
Once you start using the Google dorks below on your target sites, you’ll be able to discover gems like login credentials, live camera views, and classified documents hidden in plain view on many “secure” websites. That’s because Google is merciless when indexing information that’s usually sensitive or otherwise off-limits to the public.
Keep in mind, abusing Google dorks will get you in trouble legally and otherwise. See the difference between “reconnaissance” and “scanning” in the next section. When in doubt, skip the dork.
When you’re ready, let’s go over the basics of how to Google dork a specific website.
Fundamentals of Google Dorking
To understand how to Google dork, you need to grasp several essential points:
The Anatomy of a Successful Hack
Five phases characterize a successful hack into a target, such as a website or a server:
- Reconnaissance: Gathering intelligence about the target.
- Scanning: Exploring the target, clicking links, using remote scanning tools.
- Gaining access: Actively exploiting the target to get access.
- Maintaining access: Establishing a way to easily reconnect to the target if your connection breaks or you wish to return later.
- Clearing tracks: Exiting the target without a trace, removing all exploits and back doors, clearing logs.
You can use Google dorking to conduct the first phase above (reconnaissance), but once you click on the search results, submit data, or access links without proper permissions, you enter the second phase (scanning) and may be accountable for computer crimes punishable by law.
To Google dork, you include dork commands and operators in a Google query and interpret the search results as you see fit.
As Google dorking can expose sensitive information, and you might be doing several such queries rapidly, don’t be surprised when Google makes you unscramble garbled letters in an image called a captcha before proceeding. It’s frustrating but necessary for the search engine to protect itself from cyberattacks and automated queries.
Let's explore the specifics of Google dorks.
Understanding Google Dorks Commands and Queries
Google has a 32-word limit, so you can only use a finite number of dorks, keywords, and key phrases in a Google search.
This section covers the Google dorks that ethical hackers and penetration testers must learn. Be careful to interact only with vulnerabilities (interactions include clicking on links) where you have obtained explicit legal clearance. Above all, proceed with caution.
|site:||Restrict search to a particular website, top-level domain, or subdomain. Additional query items are optional.||site:google.com, site:maps.google.com, site:.org tax return|
|filetype:, ext:||Restrict the returned web addresses to the designated file type. Unlike most other dorks, this requires additional keywords in the search bar or will return no results. Here is Google’s official list of common file types it can search. Google also supports the file extensions db, log, html, mpeg, mov, and flv. Nonetheless, searches on mp3 and mp4 with and without additional search terms have yielded no results.||filetype:pdf car design, ext:log username. Compare with filetype:pdf, ext:txt, etc.|
|intitle:, allintitle:||Look for pages with titles containing the search terms. The dork “intitle:” applies to its search parameter only, while “allintitle:” applies to the entire query string.||intitle:toy story, intitle:"toy story". Compare the above with the number of search results of toy story and "toy story". Compare with intitle:"toy story"; both have the same number of search results.|
|inurl:||Finds links containing the character string.||inurl:login.php|
|allinurl:||Finds links containing all words following the colon (:). Equivalent to applying “inurl:” to discrete search strings.||Compare allinurl: healthy eating vs inurl:healthy inurl:eating|
|intext:, allintext:||Finds websites containing the payload. The dork “intext:” applies to its search parameter only, while “allintext:” applies to the entire query string. The websites displayed in the results appear similar to a search without either command.||Compare intext:"Index of /" +.htaccess, allintext:"Index of /" +.htaccess, and "Index of /" +.htaccess.|
|cache:||Get Google’s last saved version of a particular website. A website snapshot like this is called “cache”. Asking Google to remove your website from search results may be necessary if the cache contains sensitive information.|
Read our Google Dorks Cheat Sheet for a comprehensive list of commands and operators.
Examples of Google Dorking
Here is a sampling of various revealing Google dorks. To avoid accidental misuse, some dorks in this section are not clickable. For more examples, check out the Google Hacking Database.
A warning: Think twice before you try any Google dork. Be mindful that every action on Google is recorded. Unauthorized link-clicking may constitute criminal or dishonest intent required to convict you of computer crimes in many legal jurisdictions.
Explore LOG Files for Login Credentials
These use the dorking commands filetype: and ext:, such as filetype:log / ext:log, filetype:txt / ext:txt, and other file extensions associated with system logs.
You can uncover passwords and email addresses, among other sensitive information, with the following dorks and similarly constructed ones.
|DB_user ext:log||This and the related dangerous dork replacing “user” with “password” can uncover login credentials accidentally leaked through system logs. True, developers need to retain all their logs for future troubleshooting. Yet it’s also important to redact sensitive information if they don’t keep those logs offline.|
|@gmail.com filetype:txt||This dork reveals Gmail addresses that spammers, for instance, may collect for nefarious purposes. A preventative approach is using contact forms or methods that conceal email addresses and phone numbers. Be careful to whom you entrust your personal information.|
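The redaction advice in the table above can be enforced at the point where log lines are written. The following is an added example, not code from the original article: a Python logging filter that scrubs the values of DB_user, DB_password and similar keys before they reach a handler. The extra key names, the logger name and the sample messages are constructed assumptions.

```python
import io
import logging
import re

# Keys whose values must never reach a log file. DB_user and DB_password are
# the keywords the dorks above search for; the others are assumed additions.
SENSITIVE_KEYS = ("DB_user", "DB_password", "DB_pass", "API_KEY", "SECRET")

# Matches key=value, key: value and key="value"; keys match case-insensitively.
_PATTERN = re.compile(
    r"(?i)\b((?:%s)\w*)(\s*[=:]\s*)(\"[^\"]*\"|'[^']*'|[^\s,;&]+)"
    % "|".join(map(re.escape, SENSITIVE_KEYS))
)

def redact(text: str) -> str:
    """Replace the value of every sensitive key with a fixed marker."""
    return _PATTERN.sub(lambda m: m.group(1) + m.group(2) + "[REDACTED]", text)

class RedactingFilter(logging.Filter):
    """Logging filter that scrubs credentials from the final message."""
    def filter(self, record: logging.LogRecord) -> bool:
        # Format the arguments first so values passed as %s are scrubbed too.
        record.msg = redact(record.getMessage())
        record.args = None
        return True

def demo() -> str:
    """Log constructed sample lines through the filter; return what was written."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactingFilter())
    log = logging.getLogger("redaction-demo")
    log.handlers[:] = [handler]
    log.propagate = False
    log.setLevel(logging.INFO)
    log.info("connect DB_user=%s DB_password=%s host=db.internal", "app", "s3cr3t!")
    log.warning('retry with DB_PASSWORD: "hunter2 extra"; attempt=2')
    return stream.getvalue()
```

Attach the filter to every handler that writes to disk or ships logs elsewhere; exception tracebacks are formatted separately and are not covered by this filter.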
Explore Configurations Using ENV Files
Replacing “log” / “txt” from the previous section with “env” gives you the .env files containing environment variables, which typically include login credentials, API keys, and other unique parameters.
Best practices require that you store .env files offline at all times and, if you use Git, include “.env” in your .gitignore file. Yet if you test the following Google dorks, you'd be shocked at how many servers leave their .env files exposed.
|DB_password ext:env||Popular web development frameworks use .env files to declare general variables and configurations for local and online dev environments, often including passwords. This dork exposes database passwords. Hence it’s vital to keep .env files from being publicly accessible.|
|ext:env db_pass||This is similar to the previous dork, except that the query keyword is “DB_pass” instead of the longer “DB_password”.|
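To find this exposure on your own server before a search engine does, the following added example (not code from the original article) walks a web root you control, flags .env, .log and .txt files containing the DB_user, DB_password or DB_pass keys these dorks search for, and checks that .gitignore covers .env. The function names and the sample site with its values are constructed assumptions.

```python
import os
import re
import tempfile

# Extensions and keywords taken from the dorks in this article.
RISKY_EXTENSIONS = {".env", ".log", ".txt"}
KEYWORDS = re.compile(r"(?i)\bDB_(?:user|pass(?:word)?)\b\s*[=:]")

def audit_webroot(webroot: str) -> list:
    """Return (relative path, line number, matched key) for every hit."""
    findings = []
    for folder, _dirs, files in os.walk(webroot):
        for name in files:
            # ".env" has no extension for os.path.splitext, so test the name too.
            ext = os.path.splitext(name)[1].lower()
            if ext not in RISKY_EXTENSIONS and not name.lower().startswith(".env"):
                continue
            path = os.path.join(folder, name)
            with open(path, encoding="utf-8", errors="replace") as handle:
                for number, line in enumerate(handle, start=1):
                    match = KEYWORDS.search(line)
                    if match:
                        key = match.group(0).rstrip("=: \t")
                        findings.append((os.path.relpath(path, webroot), number, key))
    return sorted(findings)

def gitignore_covers_env(repo_root: str) -> bool:
    """True if .gitignore lists a pattern that ignores .env files."""
    try:
        with open(os.path.join(repo_root, ".gitignore"), encoding="utf-8") as handle:
            patterns = {line.strip() for line in handle}
    except FileNotFoundError:
        return False
    return bool(patterns & {".env", "*.env", ".env*", "/.env"})

def build_sample_site() -> str:
    """Create a constructed web root with one leaked .env and one leaky log."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "logs"))
    samples = {
        ".env": "APP_ENV=production\nDB_password=example-only\n",
        "logs/app.log": "2024-01-01 boot ok\n2024-01-01 DB_user: demo connected\n",
        "index.html": "<p>DB_password= is mentioned but this is not a risky file</p>\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as handle:
            handle.write(body)
    return root
```

Any finding under a directory the web server publishes means the file should be moved out of the document root or blocked by the server configuration, and the credential in it rotated.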
Explore Live Cameras
The following dorks return web applications showing live webcam (online camera) footage. The key to uncovering such webcam sites is exploiting the webcams’ default URLs.
The following Google dorks work because users forget to restrict permissions, or neglect to cover or disconnect their camera when it’s live.
|inurl:"view.shtml" "Network Camera", "Camera Live Image" inurl:"guestimage.html"||Finds webcams that have in the URL “view.shtml” and titled “Network Camera”, or have in the URL “guestimage.html” and titled “Camera Live Image”.|
|intitle:"webcamXP 5’"||Finds webcams that have in the title “webcamXP 5’”|
|inurl:"guestimage.html"||Finds webcams that have in the URL “guestimage.html”|
|inurl:"viewerframe?mode=motion"||Find webcams that have in the URL “viewerframe?mode=motion”|
Carrying forward the idea of exploiting default URLs, you can also find insecure Wi-Fi routers and other devices connected to the Internet:
|inurl:"cgi-bin" "No password set!" "There is no password set on this router."||Finds routers containing “cgi-bin” in the URL and having no password|
|intitle:"router" inurl:"home.asp"||Finds routers containing “home.asp” in their URLs|
To protect your webcams, routers, and other Internet-connected devices, keep the firmware up-to-date and follow best practices in authentication methods.
Explore Open FTP Servers
A heads-up for penetration testers: This group of dorks works because, as a rule of thumb, web administrators don’t obfuscate the URLs of FTP servers. Hence, the server URLs contain “ftp” and their titles contain “index of”.
Apart from activities such as traversing the directory trees and accessing the contents of open FTP servers, third parties can also attack these servers and cause trouble. Therefore, reserving FTP server access to authorized users is crucial. Keeping them out of reach of Google and other search engines is the best you can do.
|"index of" inurl:ftp, intitle:"index of" inurl:ftp, intext:"index of" inurl:ftp||Find public FTP servers|
|"movies" inurl:ftp||Finds the keyword “movies” on open FTP servers|
|intext:"index of" site:org inurl:ftp||Find public FTP servers with the top-level domain “org”|
The final example in this table is a great segue to our final subsection.
Explore Specific Websites with Specific Domains
This section is all about using the “site:” dork. You can specify the top-level domain (com, org, net, gov, etc.), domain names, and subdomains.
|intext:"index of" (site:edu | site:ac.*) inurl:ftp||Find public FTP servers of universities, which assume the top-level domains “edu” and “ac”.|
|site:bbc.co.uk | site:bbc.com inurl:programme||Find URLs containing “programme” (the British spelling for "program") among the official websites of the British Broadcasting Corporation (BBC)|
|site:help.twitter.com verified||Find pages containing the keyword “verified” under the subdomain “help” of the domain name twitter.com.|
Steps to Google Dork a Website
Here’s how to Google dork a specific website safely and legally.
Step 1: Identify Your Targets
Unless you have full authorization to do penetration testing on a given server, you may not know where to begin Google dorking. Common starting points are large corporations and organizations.
Step 2: Reconnaissance
You may find subdomains of your targets and external websites. In the following example, climate data on .uk domains appear on governmental and academic websites.
Familiarize yourself with the target, which may keep its files or have newsletter signup links on external websites, such as Amazon Web Services (site:amazonaws.com), Cloudflare (site:cdn.cloudflare.net) and Mailchimp (site:list-manage.com). Surprisingly, Mailchimp has a welcome message for those doing Google dorking.
Step 3: Scanning
Use the dorks provided here and in our Google Dorks Cheat Sheet to look into your websites. A helpful tool is Pagodo which limits your Google dorking rate and keeps your activities under the radar. Be thorough.
As an illustration, I scanned a company providing services, redacting the target keyword because of what I’m going to show you. It keeps its files and mailing list on external websites:
The keyword didn’t show up in the top results of either search, which may be to its advantage. But an innocuous Google dork on this particular target’s own domain returned something unsettling:
Step 4: Follow Up
If you’re a beginner in Google dorking, you may want to narrow your search to certain files, in which case “filetype:” and “ext:” dorks are applicable, or explore a keyword across a set of websites. Slow down or the Google captcha will catch you.
If your clientele included the example company in step 3, you would write a report to inform it of the severity of the vulnerabilities and give recommendations to mitigate them.
Now you know how to Google dork a specific website. As risky as Google hacking can be, it’s an invaluable open-source information-gathering method to prepare for penetration testing. Don’t wait for a third party to use Google dorking against you. It’ll be too late by then.