How to Google Dork a Specific Website for Hacking

How to Google Dork a Specific Website

You might pride yourself on being savvy in cyber security but be prepared for surprises if you test the Google dorks provided. Done right, these Google dorks can identify high-priority vulnerabilities you can investigate further using penetration testing tools.

Once you start using the Google dorks below on your target sites, you’ll be able to discover gems like login credentials, live camera views, and classified documents hidden in plain view on many “secure” websites. That’s because Google is merciless when indexing information that’s usually sensitive or otherwise off-limits to the public. 

Keep in mind, abusing Google dorks will get you in trouble legally and otherwise. See the difference between “reconnaissance” and “scanning” in the next section. When in doubt, skip the dork.

When you’re ready, let’s go over the basics of how to Google dork a specific website.

Fundamentals of Google Dorking

To understand how to Google dork, you need to grasp several essential points:

The Anatomy of a Successful Hack

Five phases characterize a successful hack into a target, such as a website or a server:

  1. Reconnaissance: Gathering intelligence about the target.
  2. Scanning: Exploring the target, clicking links, using remote scanning tools.
  3. Gaining access: Actively exploiting the target to get access.
  4. Maintaining access: Establishing a way to easily reconnect to the target if your connection breaks or you wish to return later.
  5. Clearing tracks: Exiting the target without a trace, removing all exploits and back doors, clearing logs.

You can use Google dorking to conduct step 1 above, but once you click on the search results, submit data, or access links without proper permissions, you enter step 2 and may be accountable for computer crimes punishable by law.

To Google dork, you include dork commands and operators in a Google query and interpret the search results as you see fit.

Example of a Google dork finding cyber crime PDFs on Cloudflare's content delivery network (site:cdn.cloudflare.net filetype:pdf cyber crime)

Captcha

As Google dorking can expose sensitive information, and you might be doing several such queries rapidly, don’t be surprised when Google makes you unscramble garbled letters in an image called a captcha before proceeding. It’s frustrating but necessary for the search engine to protect itself from cyberattacks and automated queries.

Let's explore the specifics of Google dorks.

Understanding Google Dorks Commands and Queries

Google has a 32-word limit, so you can only use a finite number of dorks, keywords, and key phrases in a Google search.

This section covers the Google dorks that ethical hackers and penetration testers must learn. Be careful to interact only with vulnerabilities (interactions include clicking on links) where you have obtained explicit legal clearance. Above all, proceed with caution.

DorkDescriptionExamples
site:Restrict search to a particular website, top-level domain, or subdomain.
Additional query items are optional.
site:google.com, site:maps.google.com, site:.org tax return
filetype:, ext:Restrict the returned web addresses to the designated file type.
Unlike most other dorks, this requires additional keywords in the search bar or will return no results.
Here is Google’s official list of common file types it can search.
Google also supports the file extensions db, log, html, mpeg, mov, and flv.
Nonetheless, searches on mp3 and mp4 with and without additional search terms have yielded no results.
filetype:pdf car design, ext:log username

Compare with filetype:pdf, ext:txt, etc.
filetype.pdf - Google Search - "Your search - filetype.pdf - did not match any results."

ext:txt - Google Search - About 5,420,000 results (0.21 seconds)
intitle:, allintitle:Look for pages with titles containing the search terms.
The dork “intitle:” applies to its search parameter only, while “allintitle:” applies to the entire query string.
intitle:toy story, intitle:"toy story"
Compare the above with the number of search results of toy story and "toy story".

allintitle:"toy story".
Compare with intitle:"toy story" — both have the same number of search results.
allintitle:"toy story" - Google Search - About 6,240,000 results (0.80 seconds)

intitle:"toy story" - Google Search - About 6,240,000 results (0.70 seconds)
inurl:Finds links containing the character string.inurl:login.php
allinurl:Finds links containing all words following the colon (:).
Equivalent to applying “inurl:” to discrete search strings.
Compare allinurl: healthy eating vs inurl:healthy inurl:eating:
allinurl: healthy eating - Google Search - About 972,000 results (0.53 seconds)

inurl:healthy inurl:eating - Google Search - About 971,000 results (0.49 seconds)
intext:, allintext:Finds websites containing the payload.
The dork “intext:” applies to its search parameter only, while “allintext:” applies to the entire query string.
The websites displayed in the results appear similar to a search without either command.
Compare intext:"Index of /" +.htaccess, allintext:"Index of /" +.htaccess, and "Index of /" +.htaccess.
cache:Get Google’s last saved version of a particular website. A website snapshot like this is called “cache”.
Asking Google to remove your website from search results may be necessary if the cache contains sensitive information.
cache:news.yahoo.com

Read our Google Dorks Cheat Sheet for a comprehensive list of commands and operators.

Examples of Google Dorking

Here is a sampling of various revealing Google dorks. To avoid accidental misuse, some dorks in this section are not clickable. For more examples, check out the Google Hacking Database.

A warning: Think twice before you try any Google dork. Be mindful that every action on Google is recorded. Unauthorized link-clicking may constitute criminal or dishonest intent required to convict you of computer crimes in many legal jurisdictions.

Explore LOG Files for Login Credentials

These use the dorking commands filetype: and ext:, such as filetype:log / ext:log, filetype:txt / ext:txt, and other file extensions associated with system logs.

You can uncover passwords and email addresses, among other sensitive information, with the following dorks and similarly constructed ones.

DorkDescription
DB_user ext:logThis and the related dangerous dork replacing “user” with “password” can uncover login credentials accidentally leaked through system logs.
True, developers need to retain all their logs for future troubleshooting. Yet it’s also important to redact sensitive information if they don’t keep those logs offline.
@gmail.com filetype:txt
This dork reveals Gmail addresses that spammers, for instance, may collect for nefarious purposes.
A preventative approach is using contact forms or methods that conceal email addresses and phone numbers.
Be careful to whom you entrust your personal information.

Explore Configurations Using ENV Files

Replacing “log” / “txt” from the previous section with “env” gives you the .env files containing environment variables, which typically include login credentials, API keys, and other unique parameters.

Best practices require that you store .env files offline at all times and, if you use Git, include “.env” in your .gitignore file, but if you test the following Google dorks, you'd be shocked at how many servers leave their .env files exposed.

DorkDescription
DB_password ext:envPopular web development frameworks use .env files to declare general variables and configurations for local and online dev environments, often including passwords.
This dork exposes database passwords. Hence it’s vital to keep .env files from being publicly accessible.
ext:env db_passThis is similar to the previous dork, except that the query keyword is “DB_pass” instead of the longer “DB_password”.

Google Dork Generator

Say goodbye to the hassle of trying to remember the exact syntax for your Google Dorks! With our Google Dork Generator, you can simply say what you need to do, and we will generate the Google Dork for you.

Explore Live Cameras

The following dorks return web applications showing live webcam (online camera) footage. The key to uncovering such webcam sites is exploiting the webcams’ default URLs.

The following Google dorks work because users forget to restrict permissions, or neglect to cover or disconnect their camera when it’s live.

DorkDescription
inurl:"view.shtml" "Network Camera",
"Camera Live Image" inurl:"guestimage.html"
Finds webcams that have in the URL “view.shtml” and titled “Network Camera”, or have in the URL “guestimage.html” and titled “Camera Live Image”.
intitle:"webcamXP 5’"Finds webcams that have in the title “webcamXP 5’”
inurl:"guestimage.html"Finds webcams that have in the URL “guestimage.html”
inurl:"viewerframe?mode=motion"Find webcams that have in the URL “viewerframe?mode=motion”
Webcam found through Google dorking. Note this webcam doesn’t even use HTTPS (“Not Secure” in address bar).

Carrying forward the idea of exploiting default URLs, you can also find insecure Wi-Fi routers and other devices connected to the Internet:

DorkDescription
inurl:"cgi-bin" "No password set!" "There is no password set on this router."Finds routers containing “cgi-bin” in the URL and having no password
intitle:"router" inurl:"home.asp"Finds routers containing “home.asp” in their URLs

To protect your webcams, routers, and other Internet-connected devices, keep the firmware up-to-date and follow best practices in authentication methods.

Explore Open FTP Servers

A heads-up for penetration testers: This group of dorks work because, as a rule of thumb, web administrators don’t obfuscate the URLs of FTP servers. Hence, the server URLs contain “ftp” and their titles contain “index of”.

Apart from activities such as traversing the directory trees and accessing the contents of open FTP servers, third parties can also attack these servers and cause trouble. Therefore, reserving FTP server access to authorized users is crucial. Keeping them out of reach of Google and other search engines is the best you can do.

DorkDescription
"index of" inurl:ftp
intitle:"index of" inurl:ftp
intext:"index of" inurl:ftp
Find public FTP servers
"movies" inurl:ftpFinds the keyword “movies” on open FTP servers
intext:"index of" site:org inurl:ftpFind public FTP servers with the top-level domain “org”

The final example in this table is a great segue to our final subsection.

Explore Specific Websites with Specific Domains

This section is all about using the “site:” dork. You can specify the top-level domain (com, org, net, gov, etc.), domain names, and subdomains.

DorkDescription
intext:"index of" (site:edu | site:ac.*) inurl:ftpFind public FTP servers of universities, which assume the top-level domains “edu” and “ac”.
site:bbc.co.uk | site:bbc.com inurl:programmeFind URLs containing “programme” (the British spelling for "program") among the official websites of the British Broadcasting Corporation (BBC)
site:help.twitter.com verifiedFind pages containing the keyword “verified” under the subdomain “help” of the domain name twitter.com.

Steps to Google Dork a Website

Here’s how to Google dork a specific website safely and legally.

Step 1: Identify Your Targets

Unless you have full authorization to do penetration testing on a given server, you may not know where to begin Google dorking. Common starting points are large corporations and organizations.

Example of a general Google dork on .com websites (site:.com inurl:download "index of") - screenshot by author
Example of a general Google dork on .com websites (site:.com inurl:download "index of")
Example of a specific Google dork on an academic institution (site:demtech.oii.ox.ac.uk cyber crime ext:pdf) - screenshot by author
Example of a specific Google dork on an academic institution (site:demtech.oii.ox.ac.uk cyber crime ext:pdf)

Step 2: Reconnaissance

You may find subdomains of your targets and external websites. In the following example, climate data on .uk domains appear on governmental and academic websites.

A search on .uk sites using the Google dorks “site:” and “(filetype:docx | filetype:xlsx | filetype:pptx | filetype:pdf)”. - screenshot by author
Example of a Google dork spanning .uk sites (site:.uk climate data (filetype:docx | filetype:xlsx | filetype:pptx | filetype:pdf)).

Familiarize yourself with the target, which may keep its files or have newsletter signup links on external websites, such as Amazon Web Services (site:amazonaws.com), Cloudflare (site:cdn.cloudflare.net) and Mailchimp (site:list-manage.com). Surprisingly, Mailchimp has a welcome message for those doing Google dorking.

Step 3: Scanning

Use the dorks provided here and in our Google Dorks Cheat Sheet to look into your websites. A helpful tool is Pagodo which limits your Google dorking rate and keeps your activities under the radar. Be thorough.

As an illustration, I scanned a company providing services, redacting the target keyword because of what I’m going to show you. It keeps its files and mailing list on external websites:

A search on the target’s file hosting server using the Google dorks “site:” and “filetype:” followed by a keyword related to the target - screenshot by author, sensitive information redacted
A search on the target’s file hosting server using the Google dorks “site:” and “filetype:” followed by a keyword related to the target
A search on the target’s mailing list server using the Google dork “site:” followed by a keyword related to the target - screenshot by author
A search on the target’s mailing list server using the Google dork “site:” followed by a keyword related to the target.

The keyword didn’t show up in the top results of either search, which may be to its advantage. But an innocuous Google dork on this particular target’s own domain returned something unsettling:

A Google dork on this company reveals disturbing subpages. I’d have expected content suitable for a general audience.

Step 4: Follow Up

If you’re a beginner in Google dorking, you may want to narrow your search to certain files, in which case “filetype:” and “ext:” dorks are applicable, or explore a keyword across a set of websites. Slow down or the Google captcha will catch you.

If your clientele included the example company in step 3, you would write a report to inform it of the severity of the vulnerabilities and give recommendations to mitigate them.

Conclusion

Now that you know how to Google dork a specific website, as risky as Google hacking can be, it’s an invaluable open-source information-gathering method to prepare for penetration testing. Don’t wait for a third party to use Google dorking against you. It’ll be too late by then.

You may also want to check out our courses on website hacking and penetration testing included in our StationX Accelerator Program.

Level Up in Cyber Security: Join Our Membership Today!

vip cta image
vip cta details
  • Cassandra Lee

    Cassandra is a writer, artist, musician, and technologist who makes connections across disciplines: cyber security, writing/journalism, art/design, music, mathematics, technology, education, psychology, and more. She's been a vocal advocate for girls and women in STEM since the 2010s, having written for Huffington Post, International Mathematical Olympiad 2016, and Ada Lovelace Day, and she's honored to join StationX. You can find Cassandra on LinkedIn and Linktree.

  • Sheikh Rion says:

    Please help and support me.i am sheikh Rion.i am not job.please give me a job.

  • Mohammad Nehal says:

    I request you please reply me, how to hack all phones

  • >