Google dorks are specific search queries that combine Google’s search operators with targeted parameters to find very specific information. Google search operators, in turn, are special characters and commands (sometimes called “advanced operators”) that extend the capabilities of regular text searches. Most search operators have two parts, separated by a colon (:).
To the left of the colon is the type of operator, such as the file-type operator or the site operator. To the right of the colon is the rule for the operator, such as the type of file (PDF, JPG, etc.) or the target’s domain name.
The search operators are generally divided into:
This blog discusses some of the Google dorks that can find extremely targeted information. Some of these dorks are intrusive enough to be used for hacking purposes or to find extremely sensitive personal information. Therefore, users are expected to use them to find whether their Personally Identifiable Information (PII) has been exposed by mistake or inadvertently.
Before diving deeper, let’s first recap these operators.
Quotation Marks: Placing the search term inside the quotation marks is the simplest way to enhance the quality of the searches substantially.
Site operator: This is our favorite operator, especially because of the different combinations it allows. Site operator provides two benefits to the search results. Firstly, it provides results of the pages located only on a specific domain. Secondly, it provides all of the results containing the search term on that domain. The technique can be applied to any domain including social networks, blogs and any other website that has been indexed by the search engine. Thus, once the page has been indexed by crawlers, we can view the content using the “site” operator.
File Type Operator: The “file-type operator” helps filter the search result by a particular file-type. This operator can be used by students to find the best study material, by hackers to find sensitive personal information and much more.
Hyphen Operator: The hyphen (-) operator asks Google to exclude the text immediately following the hyphen from the search results. Thus, this command helps exclude words that you don’t want to appear in the search results. There should never be a space between the hyphen and the text to be excluded. This operator is mostly used to cut down an overwhelming number of results.
Inurl Operator: The operators discussed so far apply to the contents within the web page. This operator, however, focuses on the data within the URL or address of the website. The “inurl:” syntax restricts the search results to the URLs containing the keywords searched. For example, inurl:password returns only links to those pages that have the word “password” in their URLs. There must be no space between inurl: and the following word.
Intitle Operator: Practically, every web page on the internet has an official title. This is often included within the source code of the page and may not appear anywhere else within the content. Most webmasters carefully create a title that will be best indexed by the search engines.
The “Intitle Operator” restricts the search to pages containing that word within the title tag. For example, intitle:login password returns links to those pages that have the word "login" in their title and the word "password" somewhere on the page.
OR Operator: As the name suggests, this OR operator (|) searches for pages that have one word or the other. Thus, the search for the term ABC OR DEF returns pages that have just the term “ABC” OR just the term “DEF” OR both the terms “ABC” and “DEF” in that page. The pipe operator (|) can also be used in place of “OR”.
Asterisk Operator: Asterisk operator (*) represents one or multiple words to Google and is popularly known as the wild card search operator. Google considers * as a placeholder for words within a search term. For example, “honesty * policy” commands Google to search for pages containing the phrases beginning with “honesty”, followed by one or multiple words, followed by the word “policy”. The different phrases that fit the results include “honesty is the best policy”, “honesty is the most important policy” etc.
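The syntax rules recapped above (operator, colon, value; no space after the colon or after a hyphen) can be checked mechanically. The parser below is an added example, not code from the original post; the function names and the sample queries are constructed for illustration, and it covers only the operators described in this recap.

```python
import re

# Operators covered in the recap above; other Google operators are out of scope here.
KNOWN_OPERATORS = {"site", "filetype", "inurl", "intitle"}

def tokenize(query):
    """Split a query into tokens, keeping quoted phrases (with any prefix) whole."""
    # Blogs often render ASCII quotes as typographic ones; normalise them first.
    query = query.replace("\u201c", '"').replace("\u201d", '"')
    return re.findall(r'-?(?:[A-Za-z]+:)?"[^"]*"|\S+', query)

def parse(query):
    """Return (terms, problems) for a search query using the operators above."""
    terms, problems = [], []
    for tok in tokenize(query):
        if tok in ("OR", "|"):
            terms.append({"kind": "or"})
            continue
        if tok == "-":
            problems.append("hyphen followed by a space excludes nothing")
            continue
        exclude = tok.startswith("-")
        body = tok[1:] if exclude else tok
        op, sep, value = body.partition(":")
        if sep and op.lower() in KNOWN_OPERATORS:
            if not value:
                problems.append(f"space after '{op}:' detaches it from its keyword")
            terms.append({"kind": "operator", "op": op.lower(),
                          "value": value.strip('"'), "exclude": exclude})
        else:
            kind = "phrase" if body.startswith('"') else "word"
            terms.append({"kind": kind, "value": body.strip('"'), "exclude": exclude})
    return terms, problems

if __name__ == "__main__":
    # Constructed sample queries built from the examples in the text.
    for q in ['intitle:login password', 'inurl: password',
              '"honesty * policy"', 'ABC | DEF', 'report -draft']:
        print(q, "->", parse(q))
```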
Most Intrusive Google Dorks & Utility:
Finding Email Accounts:
At times, we know a person’s user name, but wish to know his/her email address. In that case, the email service provider can be assumed and the potential email addresses verified to find the user’s email address. For example, if our target’s user name is "lucky121", then we can assume the following email addresses:
Subsequently, we can use the email verification services like “Email Hippo” and “Verify Email” to confirm the above presumed email addresses.
However, the complete process above is quite lengthy. Besides, we are likely to miss a few of the less popular email service providers like email@example.com, firstname.lastname@example.org etc. Therefore, consider the following:
Instead of searching for all the possible email service providers, replace the domain name with an asterisk – “username*com” i.e., “lucky121*com”.
In this way, you can find the email address of a person based on their username.
Search for Online Resumes:
This is a favorite dork of many OSINT experts, as resumes contain some extremely sensitive information which is difficult to find anywhere else. Before learning the Google dork best suited to online resume searches, let’s look at the commonly used process for the same. It will also help us understand how the Google dork is better.
If the target’s name is “User-Name” we generally search for:
“User-Name” “Curriculum Vitae”
“User-Name” “Resume” filetype:doc
“User-Name” “Curriculum Vitae” filetype:doc
“User-Name” “CV” filetype:doc
“User-Name” “Resume” filetype:pdf
“User-Name” “Curriculum Vitae” filetype:pdf
“User-Name” “CV” filetype:pdf
“User-Name” “Resume” site:docs.google.com
“User-Name” “Curriculum Vitae” site:docs.google.com
“User-Name” “CV” site:drive.google.com
“User-Name” “Resume” site:drive.google.com
“User-Name” “Curriculum Vitae” site:drive.google.com
“User-Name” “CV” site:drive.google.com
However, using the specialized dorks described below, you can search within the URL of a website or within the text of a site:
Similarly, certain dorks can focus on jobs. For example, by targeting the LinkedIn site, you can search for people with a specific job title or location. You can even search for icons or Unicode characters!
And in case you are looking for a specific name, you can always search for:
Similarly, there is a nice dork to find people within the GitHub code:
And if you are looking for lists of attendees or finalists, use:
intitle:final.attendee.list OR inurl:final.attendee.list
As discussed earlier, a few dorks are intrusive enough to reveal sensitive information like login credentials. For example, a lot of people forget to tighten the security settings on Trello boards, and therefore lots of login credentials have been exposed and indexed by Google crawlers. You can search for login information on a Trello board by:
site:http://trello.com password + admin OR username
To find a specific document within a website or domain name, you can use the basic site and filetype operators as follows:
A search targeting PDFs can also be used to search for only those documents that might contain email information. For this, change the “domain” to the specific company’s domain name:
Example: filetype:pdf domain “email”
Similarly, the below dork can search for XLS files within the government websites:
Of course, you can look for more extensions, depending on what you intend. You can achieve that by adding multiple file extensions between double quotes, with each extension separated by the OR operator (a pipe or vertical line, “|”).
Example: filetype:"pdf | xls | xlsx | doc | docx | txt" site:.gov
Here is a complete list of extensions you may use:
7Z: Compressed file
BMP: Bitmap image
DOC: Microsoft Word
DOCX: Microsoft Word
GIF: Animated Image
HTM: Web page
HTML: Web page
KML: Google Earth
KMZ: Google Earth
ODP: Open Office Presentation
ODS: Open Office Spreadsheet
ODT: Open Office Text
PDF: Adobe Acrobat
PPT: Microsoft Power Point
PPTX: Microsoft Power Point
RAR: Compressed File
RTF: Rich Text Format
TXT: Text File
XLS: Microsoft Excel
XLSX: Microsoft Excel
ZIP: Compressed File
You can search for any kind of document on Hubspot that contains the word “cyber” and that has the year 2019 in the URL:
site:http://cdn2.hubspot.net intitle:2019 OR inurl:2019 “*cyber”
Similarly, you can target Google as an email platform while looking for text or PDF files containing words like cyber, cops, etc., depending on your particular interest.
"Email delivery powered by Google" ext:pdf OR ext:txt cyber OR cops OR hacking
Cloud, Buckets and Databases:
You can also search for indexed documents that contain the phrase “secret” or “confidential” within open Amazon S3 buckets:
site:http://s3.amazonaws.com secret OR "confidential"
Similarly, if you are lucky enough you may also find confidential login information within XLS files:
s3 site:http://amazonaws.com filetype:xls password
Again, you may add all the extensions discussed above, since Excel files are not the only document format that may contain the information you are looking for. Finally, you can also search for copies of databases via Google. To find some of them, simply search for:
ext:sql intext:"-- phpMyAdmin SQL Dump"
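Site owners can check for the same markers before a crawler indexes them. The script below is an added example, not code from the original post: it walks a local web root and flags files that the dorks in this section would match. The function names, marker list, extension sets and sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Text markers taken from the dorks on this page; matching is case-insensitive.
MARKERS = ("-- phpmyadmin sql dump", "password", "confidential", "secret")
# Text formats are inspected by content; binary documents are flagged by name only.
TEXT_EXTS = {".sql", ".txt", ".htm", ".html"}
DOC_EXTS = {".xls", ".xlsx", ".doc", ".docx", ".pdf"}

def audit_webroot(root, max_bytes=65536):
    """Return sorted (relative_path, reason) pairs for files a crawler could index."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in DOC_EXTS:
                findings.append((rel, "office/pdf document in web root"))
            elif ext in TEXT_EXTS:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    head = fh.read(max_bytes).lower()
                for marker in MARKERS:
                    if marker in head:
                        findings.append((rel, f"contains '{marker}'"))
    return sorted(findings)

def demo():
    """Build a constructed web root in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "backup"))
        samples = {
            "index.html": "<h1>Welcome</h1>",
            "backup/site.sql": "-- phpMyAdmin SQL Dump\n-- version (constructed)\n",
            "notes.txt": "admin password: (constructed placeholder)\n",
            "staff.xls": "",
        }
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit_webroot(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Anything it reports should be moved out of the served directory or placed behind authentication.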
Social Media Searches:
You can use the site operator to search for your target on social media sites. For example, if your target’s user name is “Ramesh Kumar”, then you can search:
site:instagram.com “Ramesh Kumar”
site:facebook.com “Ramesh Kumar” etc
Similarly, you can find whether a certain tweet was shared on other social media sites. To achieve that, search for the specific text and tell Google to ignore anything that was posted within twitter.com by adding the minus sign to that part of the dork:
"text of a tweet" -site:https://twitter.com
The same method can be used to search for messages or links mentioning a specific user name that do not come from that user’s own account. For example, such a dork searches for links or information containing “rakesh_india” but not coming directly from the timeline of “rakesh_india”.
Google advanced operators provide limitless possibilities, and using these operators effectively is an art in itself. By using well-chosen dorks you can find the specific information you are targeting in the haystack.