You may not think of Google dorks as powerful, but with the right dorks you can hack devices simply by googling the password needed to log in. Because Google is so thorough at indexing everything connected to the Internet, it is possible to find files that were inadvertently exposed and contain sensitive information that anyone can see.
Google dorking is the advanced use of Google search operators: targeted search strings are used to locate specific kinds of vulnerable devices. If we assume that Google has indexed most devices that were inadvertently exposed to the Internet, we can find them by searching for text that appears on their login or administration pages.
What kinds of things do dorks find connected to the Internet?
You would be astonished. Everything from the pool controllers of ocean-going yachts to critical system configuration interfaces is connected by well-meaning people who assume that nobody will ever find it.
How could this happen to you? Imagine a new surveillance camera that lets you watch its feed on your phone at any time. You set it up, connect it to your Wi-Fi network, and download an app that prompts you to log in. Then you can access your camera from anywhere!
What happens in the background is not that simple. The camera calls out to a server in China and streams video to it in real time, so that when you log in from your phone you are actually viewing the feed hosted on that server. The server may not require a password to access your camera's feed, which makes the camera accessible to anyone who searches for text that appears on its viewing page.
Unfortunately, Google is ruthlessly effective at finding devices on the Internet that run HTTP and HTTPS servers. Since most of these devices host a web server for their configuration interface, many things that were never meant for Google end up indexed.
To follow along, you need a browser with Internet access. The beauty of Google dorks is that we can use tools almost anyone can access to find vulnerable systems.
If you have a browser open, navigate to Google.com and we'll get started.
Step 1: Finding FTP Servers and Websites Using HTTP. By searching for these servers, we can find files that were meant to be internal but were unknowingly published.
intitle:"index of" inurl:ftp after:2018
These servers become public because the index file of an FTP server is exactly the kind of data Google likes to crawl, a fact that is often forgotten. Google's crawl turns the complete list of files on the server into something searchable on Google.
If we want to find insecure web pages that still use plain HTTP, we can easily modify the query by changing "ftp" to "http" and re-running the search.
intitle:"index of" inurl:http after:2018
Searching for this string returns a list of many, many websites served over HTTP that are ready to be attacked. But if we are looking for a specific type of site, we can go further.
If we want to start with some easy targets, we can be more specific and search for online forums that still use HTTP by changing the text in the intitle operator.
intitle:"forum" inurl:http after:2018
We can keep adding search operators such as AND inurl:"registration" to narrow the results further, for example to find the registration pages of insecure forum websites.
The result is a list of vulnerable online forums using HTTP.
The next step is to search for .LOG files. Searching for log files lets us look for clues about system credentials or the various user and administrator accounts that exist.
The dork we use for this is as follows:
allintext:password filetype:log after:2018
When we search for current log files exposed on the Internet, results appear almost immediately.
This log file reveals a password that appears to be a default setting on the OpenCast Project website, found by running a simple Google search. With a single search, we may have found credentials for this system without hacking anything.
Configuration files should almost never be public, and .ENV files are a prime example. When we search for .ENV files that contain the string for a database password, we immediately find the password for the database that file belongs to.
filetype:env "DB_PASSWORD" after:2018
If you remove after:2018, older files appear as well, including ones from services that are still available on the Internet.
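The log-file and .ENV findings above come down to one defender's question: what is sitting in my web root that a crawler could index? The following audit script is an added example written for this article, not code from the original post or from any project it mentions. It walks a web root, flags directories that have no index document (and would therefore produce an "index of" listing if autoindex is enabled), flags files with extensions that should never be reachable (.env, .log, .xls, .sql, .bak), and greps every file for credential-style lines such as DB_PASSWORD=... or "password: ...". The sample web root it builds in a temporary directory, including the DB_PASSWORD value and the log line, is constructed for the demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# File name endings that should essentially never be served from a web root.
# .env and .log are the cases the article's dorks target; .xls covers the
# email-list case; .sql and .bak are common backup leftovers (my addition).
SENSITIVE_SUFFIXES = (".env", ".log", ".xls", ".sql", ".bak")

# Index documents that stop a directory from being listed when autoindex is on.
INDEX_FILES = {"index.html", "index.htm", "index.php"}

# Two shapes of credential leak: KEY=value lines in config files, and
# "password: value" / "password = value" phrases inside free text such as logs.
SECRET_RE = re.compile(
    r"(?im)^\s*(?:[A-Z_]*PASSWORD[A-Z_]*|[A-Z_]*SECRET[A-Z_]*|DB_PASS)\s*=\s*\S+"
    r"|\bpassword\b\s*[:=]\s*\S+"
)


def audit_webroot(root):
    """Return sorted (kind, relative_path, line_no) findings for a web root.

    kind is one of: listable-directory, sensitive-file, credential.
    line_no is 0 for findings that are not tied to a specific line.
    """
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        if not (set(filenames) & INDEX_FILES):
            findings.append(("listable-directory", rel_dir, 0))
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if name.lower().endswith(SENSITIVE_SUFFIXES):
                findings.append(("sensitive-file", rel, 0))
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            for match in SECRET_RE.finditer(text):
                line_no = text.count("\n", 0, match.start()) + 1
                findings.append(("credential", rel, line_no))
    return sorted(findings)


def build_demo_webroot():
    """Create a constructed sample web root in a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="webroot-demo-"))
    (root / "index.html").write_text("<html><body>hello</body></html>\n")
    # Constructed .env file: the kind of file the filetype:env dork surfaces.
    (root / ".env").write_text("APP_NAME=demo\nDB_PASSWORD=s3cret-constructed\n")
    (root / "logs").mkdir()
    # Constructed log line: the kind of text the allintext:password dork finds.
    (root / "logs" / "app.log").write_text(
        "2024-02-03 12:00:00 INFO admin login password: changeme\n"
    )
    (root / "uploads").mkdir()
    (root / "uploads" / "report.txt").write_text("quarterly figures\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_webroot()
    for kind, rel, line_no in audit_webroot(demo_root):
        where = f"{rel}:{line_no}" if line_no else rel
        print(f"{kind:20} {where}")
```

Run it against a real document root by calling audit_webroot("/var/www/html") (path assumed); anything it reports under listable-directory or sensitive-file is exactly what the intitle:"index of" and filetype: dorks would pick up once Google crawls it, so fix those before worrying about the credential hits.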
Email lists are a great way to harvest email addresses and gather information about a business or school target. These lists are often exposed by companies or schools trying to organize email lists for their members.
To find them, we search for .XLS spreadsheets with the string "email.xls" in the URL.
Although these results are useful, you should never download a file without first considering whether it is a honeypot. Many people take popular dorks and then set up a server hosting a file that looks vulnerable but actually contains malware.
Step 4: Finding Open Cameras
If you thought Shodan was the only service that could find strange open cameras, you were completely wrong. Camera login and viewing pages are typically served over HTTP, which means Google likes to index them and will surface them if you know the right search string.
A common format for webcam dorks is to search for "top.htm" in the URL together with the current time and date. This yields many results.
inurl:top.htm inurl:currenttime
The first result is a webcam that appears to show the Windows XP desktop background from a different angle, in Belmullet, Ireland.
Another dork for cameras that yields great results looks for a generic live-view page hosted on routers: inurl:"lvappl.htm"
With this dork I was able to find the best camera of all, birdcam1.
Please do not hack the bird camera, but feel free to enjoy it. Many other cameras are available, though all are less interesting than birdcam1.
Many cameras also monitor factories or industrial areas.
While you can view the cameras I demonstrated without a password, many dorks look for webcam login pages that have a known default password. Although illegal, this tactic allows easy access to many webcams that were not intended for the public.
Thanks to the way Google indexes almost every service connected to the Internet, there is no shortage of misconfigured services whose web interfaces expose critical elements to the Internet. Make sure you do not log in to any of these services, even if the password is displayed, because you are not authorized and doing so can get you into trouble. If you run a service online, it is wise to run some common dorks against your own domains to see what comes up, in case you have accidentally exposed something a hacker might find useful.
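Running dorks against your own domains tells you what Google has already indexed; your web server's access log tells you what a crawler has already fetched, which is the earlier warning. The detector below is an added example written for this article, not code from the original post. It parses Apache/nginx combined-format log lines, keeps only successful (200) requests for the kinds of paths the article's dorks target (.env, .log, .xls, .sql, .bak), and labels each hit as crawler-fetched when the user agent belongs to a known search-engine crawler, or served when any other client pulled the file. The five log lines, their IP addresses (from documentation ranges) and user agents are constructed sample input.

```python
import re
from collections import namedtuple

# Apache/nginx "combined" log format:
# ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths that match what the filetype:env / filetype:log / email.xls dorks find.
SENSITIVE_PATH_RE = re.compile(r"(?i)(?:^|/)\.env$|\.(?:log|xls|sql|bak)$")

# Search-engine crawler user-agent tokens (well-known public crawler names).
CRAWLER_RE = re.compile(r"(?i)googlebot|bingbot|yandexbot|duckduckbot")

Finding = namedtuple("Finding", "kind ip path ua")

# Constructed sample access log; 192.0.2.0/24 and 198.51.100.0/24 are
# documentation ranges, not real clients.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Feb/2024:10:01:22 +0000] "GET /.env HTTP/1.1" 200 412 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '192.0.2.10 - - [03/Feb/2024:10:01:25 +0000] "GET /logs/app.log HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.7 - - [03/Feb/2024:10:02:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0"',
    '192.0.2.10 - - [03/Feb/2024:10:03:40 +0000] "GET /backup.sql HTTP/1.1" 404 196 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.9 - - [03/Feb/2024:10:04:12 +0000] "GET /.env?x=1 HTTP/1.1" 200 412 "-" '
    '"python-requests/2.31"',
]


def find_exposures(lines):
    """Return Finding records for successful fetches of sensitive paths."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # not combined format; skip rather than guess
        path = match["path"].split("?", 1)[0]  # drop the query string
        if match["status"] != "200" or not SENSITIVE_PATH_RE.search(path):
            continue
        kind = "crawler-fetched" if CRAWLER_RE.search(match["ua"]) else "served"
        findings.append(Finding(kind, match["ip"], path, match["ua"]))
    return findings


def count_by_kind(findings):
    """Summarize findings as {kind: count} for a quick dashboard line."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in find_exposures(SAMPLE_LOG):
        print(f"{f.kind:16} {f.ip:14} {f.path:16} {f.ua[:40]}")
    print(count_by_kind(find_exposures(SAMPLE_LOG)))
```

A crawler-fetched hit means the file is very likely already in a search index and removing it from the server is not enough; you also need to rotate whatever credential it contained and request removal of the indexed copy. The 404 for /backup.sql is deliberately not reported: nothing was served, so nothing was exposed.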
I hope you enjoyed this guide to using Google dorks to find vulnerable devices and passwords! If you have questions about Google dorks or a comment, please contact me on Twitter @KodyKinzie.