Google Dorking

A field guide to using Google's advanced search operators for offensive security reconnaissance. From basic syntax to advanced dorks that uncover exposed credentials, sensitive documents, and infrastructure details.

What Is Google Dorking?

Google Dorking (also called Google Hacking) is the practice of using Google's advanced search operators to find information that isn't meant to be public. Attackers use these techniques during the reconnaissance phase to map a target's infrastructure, find exposed files, and gather intelligence before launching an attack.

Google indexes virtually everything it can reach on the public internet. With the right operators, you can filter that massive index down to precisely the data you're looking for — exposed databases, configuration files, login panels, or internal documents that administrators mistakenly left accessible.

This guide teaches you how to think like an attacker so you can defend like one. Every technique here is a real-world tool used by penetration testers and red teams.

Basic Search Operators

Google's search operators are special keywords that refine your search. Here are the core ones every security practitioner must know:

| Operator | Description | Example |
| --- | --- | --- |
| site: | Limit results to a specific domain or subdomain | site:example.com "password" |
| filetype: | Search for specific file extensions | filetype:pdf site:example.com |
| intitle: | Pages with a specific word in the title | intitle:"index of" "config" |
| inurl: | Pages with a specific word in the URL | inurl:admin.php |
| intext: | Pages containing specific text in the body | intext:"sql syntax near" |
| " " | Exact phrase match | "MySQL root password" |
| - | Exclude a term from results | site:example.com -site:blog.example.com |
| + | Force inclusion of a common word | +config +password |
| cache: | View Google's cached version of a page | cache:example.com/admin |

You can chain operators together. The more specific your query, the more targeted your reconnaissance. For example, site:github.com filetype:env "DB_PASSWORD" searches GitHub for .env files containing database passwords.

Reconnaissance Dorks

Reconnaissance is about mapping the target's attack surface. These dorks help you discover subdomains, technologies, and exposed endpoints.

Subdomain Enumeration

site:*.example.com -www.example.com
site:example.com inurl:dev
site:example.com inurl:staging
site:example.com inurl:test

Technology Fingerprinting

site:example.com intitle:"Apache" "server at"
site:example.com "powered by WordPress"
site:example.com inurl:wp-admin
site:example.com "X-Generator: Drupal"

Exposed Admin Panels

site:example.com inurl:admin
site:example.com inurl:login
site:example.com intitle:"phpMyAdmin"
site:example.com inurl:8080

Directory Listings

site:example.com intitle:"index of"
site:example.com "index of" "parent directory"
site:example.com intitle:"index of" "backup"

Finding Sensitive Files

Misconfigured servers and careless uploads often leave sensitive files exposed on the public web. These dorks find the gold.

Configuration & Credentials

site:example.com filetype:env
site:example.com filetype:yaml "password"
site:example.com "config.json" "password"
site:example.com filetype:xml "password"
site:example.com filetype:sql "dump"

Backup Files

site:example.com filetype:bak
site:example.com filetype:old
site:example.com filetype:zip "backup"
site:example.com inurl:backup
site:example.com "backup.sql"

Documents with Sensitive Data

site:example.com filetype:pdf "confidential"
site:example.com filetype:docx "password"
site:example.com filetype:xlsx "email" "password"

Log Files

site:example.com filetype:log
site:example.com "error_log"
site:example.com "access.log"
site:example.com intext:"password" filetype:log

Infrastructure Discovery

Understanding a target's infrastructure — IP ranges, cloud providers, and network topology — is critical for planning an engagement.

IP & Network Recon

site:shodan.io "example.com"
site:censys.io "example.com"
site:github.com "example.com" "docker-compose"
site:github.com "example.com" "terraform"

Cloud Storage Misconfigurations

site:s3.amazonaws.com "example"
site:blob.core.windows.net "example"
site:storage.googleapis.com "example"

API & Endpoint Discovery

site:example.com inurl:api
site:example.com inurl:swagger
site:example.com inurl:graphql
site:example.com "api/v1"

Defensive Measures

If attackers can use Google Dorking against you, you can use it on yourself first. Here's how to harden your infrastructure against search-based reconnaissance.

1. robots.txt & Meta Tags

Use robots.txt to tell crawlers not to index sensitive paths. Use noindex meta tags on pages that shouldn't appear in search results.

User-agent: *
Disallow: /admin/
Disallow: /api/
Disallow: /backup/

⚠️ robots.txt is a suggestion, not a barrier. Malicious crawlers ignore it. Never rely on it for security.

2. Authentication on Everything

Every admin panel, API endpoint, and internal tool should require authentication. No exceptions. Exposed resources without auth are trivial to find with dorks.
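The two measures above combine into one check, shown here as an added example that is not part of the original guide: because robots.txt is public and advisory, every path listed under Disallow should also refuse an unauthenticated request. `probe` is a hypothetical callable you would back with a real HTTP client pointed at your own site; the status codes below are constructed sample data.

```python
from typing import Callable, Dict, List

# Constructed sample: the robots.txt shown in measure 1.
ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /api/
Disallow: /backup/
"""

def disallowed_paths(robots_txt: str) -> List[str]:
    """Return the Disallow paths of every group, ignoring comments and blanks."""
    paths = set()
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        if field.lower() == "disallow" and value:
            paths.add(value)
    return sorted(paths)

def unprotected(robots_txt: str, probe: Callable[[str], int]) -> List[str]:
    """Disallowed paths that an anonymous request can still read.

    probe(path) returns the HTTP status of an unauthenticated GET.
    A 200 means the robots.txt hint is the only thing "protecting" the path;
    401, 403 or a redirect to a login page count as protected here.
    """
    return [path for path in disallowed_paths(robots_txt) if probe(path) == 200]

# Constructed probe results standing in for real requests to your own site.
SAMPLE_STATUS: Dict[str, int] = {"/admin/": 302, "/api/": 401, "/backup/": 200}

def sample_probe(path: str) -> int:
    return SAMPLE_STATUS.get(path, 404)

if __name__ == "__main__":
    for path in unprotected(ROBOTS_TXT, sample_probe):
        print(f"readable without auth despite Disallow: {path}")
```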

3. File Upload Restrictions

Restrict file uploads by type, size, and location. Never allow executable files. Store uploads outside the web root when possible. Scan all uploads for malware.

4. Regular Google Dorking Self-Audits

Run the dorks in this guide against your own domain monthly. If you find exposed files, fix them immediately. Treat every exposed config file as a potential breach.
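A self-audit can also start from the server side, before a crawler ever sees the files. The following added example (not from the original guide) walks a web root and reports files whose names match the endings used in the dorks above; the function names, categories and sample tree are assumptions made for illustration.

```python
import os

# File endings taken from the dorks in this guide. ALWAYS: never belongs under
# a web root. KEYWORD_ONLY: reported only if the file contains "password".
ALWAYS = {".env": "credentials", ".sql": "database dump", ".bak": "backup",
          ".old": "backup", ".log": "log", "error_log": "log"}
KEYWORD_ONLY = {".yaml": "config", ".xml": "config", "config.json": "config"}
KEYWORD = b"password"

def contains_keyword(path, limit=1_000_000):
    """Case-insensitive search of the first `limit` bytes of a file."""
    try:
        with open(path, "rb") as fh:
            return KEYWORD in fh.read(limit).lower()
    except OSError:
        return False

def classify(name, has_keyword):
    """Return the finding category for a lowercased name, or "" if fine."""
    for ending, category in ALWAYS.items():
        if name.endswith(ending):
            return category
    for ending, category in KEYWORD_ONLY.items():
        if has_keyword and name.endswith(ending):
            return category
    return ""

def audit_webroot(webroot):
    """Return sorted (relative path, category, contains "password") tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            hit = contains_keyword(full)
            category = classify(name.lower(), hit)
            if category:
                rel = os.path.relpath(full, webroot).replace(os.sep, "/")
                findings.append((rel, category, hit))
    return sorted(findings)

def build_sample_webroot(root):
    """Constructed sample tree; every name and value here is made up."""
    samples = {".env": "DB_PASSWORD=example-only\n", "sitemap.xml": "<urlset/>\n",
               "backup/site.sql": "-- dump\n", "old/app.yaml": "password: x\n"}
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
```

Call `audit_webroot()` on the directory your server actually serves; `build_sample_webroot()` only creates a throwaway tree for trying it out.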

5. Monitor for Leaks

Set up Google Alerts for your domain combined with sensitive keywords like "password", "secret", "API key", and "config". This catches leaks quickly, sometimes before an attacker finds them.
