Using Google Dorks for Threat Intelligence Operations
Enterprises have to deal with a range of mass campaigns as well as advanced attacks that target a specific industry or company. Threat actors use ever-changing methods to reach their target, and always research before proceeding with the operation. To protect themselves from targeted attacks, enterprises should leverage real-time threat intelligence feeds, or use other sources to get information from an outside perspective.
Gathering information is a significant stage of the threat intelligence lifecycle. The volume of the data or information gathered can be tremendous, thus it lowers the efficiency of the results. If the right tools are selected in this step, the results will be more accurate. Open-source intelligence, better known as OSINT, is massively used in this stage. It includes everything that is public to everyone. There is a vast range of tools that can be used – and Google Dorks (also known as Google Hacking) is one of them.
What is Google Dorking?
Google is the most popular search engine that everyone uses daily. Gathering information about a target using Google is one option. However, mixing a few operators to create advanced searches, will take a load of pages out of sight, and give the most accurate results, easier and faster. That is exactly what Google Dorking is.
The power of Google Dorking is that it not only locates difficult-to-find information, but also sensitive, yet not well-protected information. Depending on which role you have, attacker or victim, finding this information in public sources is of great importance to you – one will exploit it, the other will try to protect it.
In 2002, Johnny Long, a computer security expert, started gathering these search queries, and in 2004 they were organized into the Google Hacking Database (GHDB), which turned out to be one of the most used OSINT tools.
Who uses it?
Since it’s beginning, dorks, have been used by more advanced users, to get more accurate results. Specifically, hackers use it to find sensitive information and documents about their target, find exploitable vulnerabilities, usernames and passwords, corporate email lists, financial information, and more confidential data, to be able to use these in their illegal activities. For instance, by finding vulnerable servers, an attacker can leverage them to later build bots for its attacks.
However, hackers are not the only users and shouldn’t be. The reason behind this amazing tool is to help organizations protect their data. So, just like attackers find information to attack, enterprises can find information to protect. Everything mentioned above (sensitive information, credentials, and so on), if first found by the owner, will be in safe hands. It means that something important has leaked, and you finding this security hole before the hacker, will prevent the risk.
Some famous operators for Google Dorking
- Filetype is an operator that retrieves specific file types. For instance, filetype: log will show all the log type files. A few types can be searched by separating the extensions with “|”.
- Intext is an operator that retrieves a specific text on a page.
- Ext is an operator that retrieves files with a specific extension, similar to a filetype operator.
- Inurl is an operator that retrieves URLs containing a specific sequence of characters.
- Intitle is an operator that retrieves pages using a specific text in the page title.
- Site is an operator that retrieves results from a specific site only. For instance, site:example.com will give results only from example.com and no other website.
- Cache is an operator that retrieves the cached (older) version of a website.
- * can be used in place of a missing word in the search query, to complete it.
The beauty of Google Dorks is that operators can be combined to get even more accurate results. For instance, by using the operators “filetype” and “site” you can retrieve specific filetypes on a specific website.
How to use Google Dorks for threat intelligence operations?
Google Dorks can affect threat intelligence operations, by reducing the number of results for a specific search query, and showing results that are not visible after a simple search. This is crucial in finding sensitive information hidden in important company files, not intended to be public. They do not appear in simple searches, but with the right operators, these documents together with the secrets will come right to the first result page.
However, threat intelligence is more about knowing vulnerabilities, malicious IPs and hashes, APT group activity and TTPs, hacked servers, and similar information. There are various tools to find all of these, but security professionals can use Google Dorks, just as hackers do.
Threat Intelligence teams can use google dorks to find vulnerable web servers or indexed FTP servers and check if anything is leaking from the organization. A combination of “site” and “inurl” operators can help the TI team search if a specific vulnerable server is still running in their domain.
Log files are another interesting case. They are not supposed to be indexed, but unfortunately, they are. By searching a log file about a company using the “filetype” operator, you can identify sensitive information that could have leaked.
Env files contain extremely important information about a development environment, like variables and configurations, and having them publicly accessible can be of great danger. Usernames and passwords of databases come right to the result page, by a combination of operators. Using Google Dorks to see if your company developers have unintentionally forgotten an env file publicly accessible, can prevent serious data breaches.
Email lists, webcams, and confidential files in pdf format are often forgotten by organizations and left public for google dorks to reveal them. Letting this information on the web leaves plenty of security holes which sooner or later will be exploited by threat actors. Using google dorks, TI teams can easily find them and disseminate the information to the relevant team.
Using a combination of different operators gives better results but adding a few boolean operators can result in extremely precise findings. Being able to use the right combination, creates a great advantage for the threat intelligence team. Being one step ahead of attackers is the goal of all enterprises. That’s why SOCRadar alerts customers about leaked google dorks to inform them that a google dork is detecting a security hole in the website configuration.