You may not have thought dorks were powerful, but with the right dorks, you can hack devices just by Googling the password to log in. Because Google is fantastic at indexing everything connected to the internet, it's possible to find files that were accidentally exposed and contain critical information that anyone can see.
The advanced application of Google search operators is Google Dorking: using search operators to hunt for specific vulnerable devices through targeted search strings. If we assume Google has indexed most devices accidentally exposed to the internet, we can use the text we know appears on their login or administration pages to find them.
What Kinds of Things Are Connected to the Internet?
You would be amazed. Everything from yachts in the ocean to pool controllers to critical system configuration interfaces is connected to the internet by well-meaning people on the assumption that no one will ever find them.
So how could this happen to you? Imagine you get a new security camera that lets you view it on your phone whenever you want. You set it up, connect it to your Wi-Fi, and download an app that asks you to log in. Then you have access to your camera from anywhere!
What's going on in the background isn't that simple. The camera calls home to a server in China and streams video there in real time, and when you log in from your phone you are actually viewing the feed hosted on that server. That server may not require a password to access the feed from your camera, which makes your camera accessible to anyone who searches for the text that appears on the camera's viewing page.
Unfortunately, Google is relentlessly effective at indexing devices on the internet that run HTTP and HTTPS servers. Because most of these devices host a web server for configuring them, many things that shouldn't be on Google end up there.
You'll need a browser with internet access. The great thing about using Google dorks is that we can use tools accessible to almost everyone to find vulnerable systems.
Once you have opened a browser, go to Google.com and we can get started.
Step 1: Find FTP Servers & Websites Using HTTP
To start, we'll use the following dork to search for file transfer servers indexed after a given date (here, 2018). By searching for these servers, we can find files that are supposed to be internal but have unknowingly been made public.
intitle:"index of" inurl:ftp after:2018
These servers are public because the index page of an FTP server is exactly the kind of data Google loves to crawl, a fact people often forget. Google's crawl produces a complete list of every file on the server, searchable on Google. If you run such a server yourself, the fix is to disable directory listings (for example Options -Indexes in Apache or autoindex off in nginx) and put anything internal behind authentication; a robots.txt entry only asks crawlers not to index the listing, it does not stop anyone who already knows the URL.
If we want to find insecure web pages still using HTTP that we can poke at, we can change the command slightly by swapping "ftp" for "http" and running the search again.
intitle:"index of" inurl:http after:2018
Searching that string should return a long list of websites that use HTTP, ready to be attacked. But if we're looking for a specific type of site, we can go even further.
If we want to attack some easy targets, we can be more specific and search for online forums that still use HTTP by changing the text in the intitle operator:
intitle:"forum" inurl:http after:2018
We can keep adding search operators such as AND inurl:"registration" to get more specific and track down the registration pages of insecure websites.
Here you can see that we have found a list of vulnerable online forums using HTTP.
Step 2: Find Log Files with Passwords
The next step is to search for files of the .LOG type. By searching for LOG files, we can look for clues about the credentials of the system or of various user or administrator accounts.
The dork we use for this is as follows.
allintext:password filetype:log after:2018
Searching for recent log files exposed to the internet, we find one almost immediately.
This log states that the password is the default, which takes only a simple Google search of the OpenCast Project website to discover. With one search query, we may have found the credentials for this system without hacking anything.
Configuration files should almost never be public, and .ENV files are a great example. If we search for .ENV files containing a string for the database password, we immediately find the password for the database we've discovered.
filetype:env "DB_PASSWORD" after:2018
If we remove after:2018, we can see that older files are also being served on the internet.
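The log and .env findings above come down to one pattern: a key name that suggests a secret, followed by = or : and a value. The following Python script is an added example written for this article (not a tool from the original post or from the OpenCast project) that applies that pattern to constructed sample log and .env content before it is published, so the same lines a dork would surface are caught first. The regular expression, the redaction scheme and the short list of common default passwords are assumptions of the example, not something the article specifies.

```python
"""Scan text that is about to be served publicly (logs, .env files) for
credential-looking lines. Added example for this article, not a tool from
the original post. The sample inputs below are constructed, not real."""
import re

# Constructed sample log, standing in for an exposed application log.
SAMPLE_LOG = """\
2018-03-02 10:14:22 INFO  Starting up, config loaded from /etc/app/app.conf
2018-03-02 10:14:23 WARN  Using default admin password: changeme
2018-03-02 10:14:25 INFO  Connecting to database as user=app password=Hunter2!
2018-03-02 10:14:26 INFO  Request GET /health 200
"""

# Constructed sample .env file of the kind the filetype:env dork surfaces.
SAMPLE_ENV = """\
APP_ENV=production
DB_HOST=db.internal
DB_USERNAME=app
DB_PASSWORD=s3cr3t-db-pass
API_KEY="example-api-key-1234"
DEBUG=false
"""

# A key whose name mentions a secret-like word, then = or :, then the value
# (optionally quoted). Assumption: this pattern is illustrative, not exhaustive.
CREDENTIAL_RE = re.compile(
    r'\b(?P<key>[A-Za-z0-9_.-]*(?:password|passwd|pwd|secret|token|api[_-]?key)'
    r'[A-Za-z0-9_.-]*)\s*[=:]\s*["\']?(?P<secret>[^\s"\']+)',
    re.IGNORECASE,
)

# Illustrative list of well-known default/weak values (assumption, not exhaustive).
COMMON_DEFAULTS = {"admin", "password", "changeme", "default", "123456", "root"}


def redact(secret: str) -> str:
    """Keep two leading characters so a finding can be matched to its line
    without copying the whole secret into yet another file."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def scan(name: str, text: str) -> list:
    """Return one finding per line of `text` that looks like it holds a credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = CREDENTIAL_RE.search(line)
        if not m:
            continue
        secret = m.group("secret")
        findings.append({
            "file": name,
            "line": lineno,
            "key": m.group("key"),
            "redacted": redact(secret),
            # Flag values that a quick web search for the product's defaults would reveal.
            "default": secret.lower() in COMMON_DEFAULTS,
        })
    return findings


def scan_all() -> list:
    """Scan both constructed samples; returns the combined findings."""
    return scan("app.log", SAMPLE_LOG) + scan(".env", SAMPLE_ENV)


if __name__ == "__main__":
    for f in scan_all():
        flag = " (looks like a default password)" if f["default"] else ""
        print(f'{f["file"]}:{f["line"]} {f["key"]} = {f["redacted"]}{flag}')
```

Run it against the real files in a web root before they go live; any hit means the line should be removed or the file placed outside the document root, and a flagged default password means the credential itself must change, because hiding the log from Google does nothing if the password is the one printed in the vendor's documentation.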
Step 3: Find Email Lists
Email lists are a great way to scrape email addresses and look for information about business or school targets. These lists are often exposed by companies or schools trying to organize email lists for their members.
To find them, we search for the .XLS spreadsheet file type with the string "email.xls" in the URL:
filetype:xls inurl:"email.xls"
Although these results are useful, make sure you don't download any file without first considering whether it's a honeypot. Many people take popular dorks and leave a server hosting a file that looks vulnerable but may contain malware instead.
Step 4: Find Open Cameras
Finally, if you thought Shodan was the only service that could find weird open cameras, you were sorely mistaken. Camera login and viewing pages are usually HTTP, which means Google is happy to index them and make them available for viewing if you know the right search string.
A common format for webcam streams is to search for "top.htm" in the URL with the current time and date included. You'll find many results this way.
inurl:top.htm inurl:currenttime
The first result is a webcam in Belmullet, Ireland, showing a scene that looks like the Windows XP background from a different angle.
Another dork for cameras that provides excellent results searches for a common live-view page hosted on routers.
inurl:"lvappl.htm"
With this dork, I was able to find the best camera of all, birdcam1.
Please don't hack the bird camera, but feel free to enjoy it here. Many other cameras are available, although they're all less interesting than birdcam1.
Many cameras also monitor factories or industrial areas.
While you can view the cameras I demonstrated without a password, many dorks search for webcam login pages that have a known default password. Although this tactic is illegal, it gives easy access to many webcams not intended for public viewing.
Thanks to the way Google indexes almost everything connected to the internet that has a web interface, there is no shortage of misconfigured services exposing critical components to the internet. Make sure you don't log in to any of these services, even if the password is displayed, since doing so without permission can land you in trouble. If you run an online service, it's smart to run a few common dorks against your own domains (scoped with the site: operator) to see what pops up, in case you've accidentally exposed something a hacker might find useful.
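The advice to check your own domains can be backed up from the server side: if Googlebot or another crawler fetched a .env file, a log file or a bare directory and got a 200, that content has probably already been indexed. The script below is an added example for this article, not from the original post; it parses constructed access-log lines in the Apache/nginx "combined" format (IPs taken from the RFC 5737 documentation ranges), and the crawler markers and the sensitive-extension list are assumptions of the example.

```python
"""Find search-engine crawler requests that successfully fetched files or
directory listings that should not be public. Added example for this article,
not a tool from the original post. The log lines below are constructed in the
Apache/nginx combined format; the IPs are RFC 5737 documentation addresses."""
import re
from urllib.parse import urlsplit

SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [02/Mar/2018:10:14:22 +0000] "GET /backups/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.10 - - [02/Mar/2018:10:14:23 +0000] "GET /.env HTTP/1.1" 200 312 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.10 - - [02/Mar/2018:10:14:24 +0000] "GET /admin/.env HTTP/1.1" 403 199 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [02/Mar/2018:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 8820 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/58.0"
203.0.113.11 - - [02/Mar/2018:10:16:40 +0000] "GET /logs/app.log?x=1 HTTP/1.1" 200 44021 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
203.0.113.10 - - [02/Mar/2018:10:17:05 +0000] "GET /images/logo.png HTTP/1.1" 200 1200 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
this line is not in combined log format
"""

# Combined log format: ip ident user [time] "METHOD target PROTO" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Substrings the major crawlers put in their User-Agent (assumption: illustrative list).
CRAWLER_MARKERS = ("Googlebot", "bingbot", "Baiduspider", "YandexBot", "DuckDuckBot")

# File types that should never be fetchable by a crawler (assumption: illustrative list).
SENSITIVE_EXTENSIONS = {".env", ".log", ".sql", ".bak", ".old", ".conf", ".ini",
                        ".xls", ".xlsx", ".csv"}


def parse_line(line: str):
    """Parse one combined-format line into a dict, or return None if it does not parse."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = urlsplit(rec["target"]).path  # drop any query string
    return rec


def crawler_name(ua: str):
    """Return the crawler marker found in a User-Agent string, or None for a normal client."""
    for marker in CRAWLER_MARKERS:
        if marker in ua:
            return marker
    return None


def is_sensitive(path: str) -> bool:
    """A bare directory (a 200 there is usually an "index of" listing) or a sensitive extension."""
    if path.endswith("/"):
        return True
    name = path.rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return dot != -1 and name[dot:].lower() in SENSITIVE_EXTENSIONS


def crawler_exposures(log_text: str) -> list:
    """Return (crawler, path, ip) for every successful crawler GET of a sensitive path."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 200 or rec["method"] != "GET":
            continue
        bot = crawler_name(rec["ua"])
        if bot and is_sensitive(rec["path"]):
            hits.append((bot, rec["path"], rec["ip"]))
    return hits


if __name__ == "__main__":
    for bot, path, ip in crawler_exposures(SAMPLE_ACCESS_LOG):
        print(f"{bot} fetched {path} from {ip}: assume it is indexed")
```

The User-Agent is self-reported, so a line containing Googlebot means a crawler-looking client fetched the file, not necessarily Google; either way, a 200 on a .env file or a directory listing means the content already left the server and should be treated as disclosed: rotate any credentials in it and remove the file or put it behind authentication, rather than only adding it to robots.txt.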
I hope you enjoyed this guide to using Google dorks to find vulnerable devices and passwords! If you have any questions about Google dorks, or if you have a comment, ask below or feel free to reach me on Twitter @KodyKinzie.