You may not have thought of dorks as powerful, but with the right dorks, you can hack devices just by Googling the password to log in. Because Google is fantastic at indexing everything connected to the internet, it's possible to find files that are exposed accidentally and contain critical information for anyone to see.
The advanced application of Google search operators is Google Dorking — using search operators to hunt for specific vulnerable devices through targeted search strings. If we assume that Google has indexed most devices accidentally exposed to the internet, we can use the text we know appears in their login or administrative pages to find them.
You would be amazed. Everything from the pool controller of Yachts in the ocean to configuration interfaces for critical systems is connected to the internet by well-meaning people with the assumption that no one will ever find them.
So how could this happen to you? Imagine getting a new security camera that provides the ability to watch it on your phone whenever you want. You set it up, connect it to your Wi-Fi, and download an app that asks for you to sign in. After that, you can access your camera from anywhere!
What's going on in the background isn't so simple. The camera calls a Chinese server and streams video in real-time, allowing you to log in by accessing the video feed hosted on the server in China from your phone. That server may require no password to access the feed from your webcam, making your camera accessible to anyone who searches for text contained in the viewing page of the camera.
Unfortunately, Google is ruthlessly effective at hunting down any devices on the internet running HTTP and HTTPS servers. Because most of these devices host a server to configure them, it means that many things that aren't supposed to be on Google end up there.
By far, the most severe kind of exposed file we can find is one that leaks the credentials to user accounts or the entire service itself. Usually, this will happen in one of two ways. In the first, a server or other service is set up incorrectly and exposes its administrative logs to the internet. When passwords are changed, or a user fails to log in correctly, these logs can leak the credentials being used to the internet.
The other way this happens is when configuration files that contain the same information are exposed. These are files that are supposed to be internal but are often leave critical information out in the open. Either one of these mistakes can cause the entire service to be taken over by an attacker who happens to chance upon the information.
We'll be using Google dorks to find not only these files, but also things like file transfer servers that may contain interesting information, email lists, and my personal favorite, exposed webcams.
To follow along, you'll need a browser with internet access. The beautiful thing about using Google dorks is that we can use tools accessible by nearly anyone to find vulnerable systems.
Once you have a browser open, navigate to Google.com, and we can get started.
To start, we'll use the following dork to search for file transfer servers published sometime this year. Searching for these servers can allow us to find files that are supposed to be internal, but were unknowingly made public.
intitle:"index of" inurl:ftp after:2018
These servers become public because the index file of their FTP server is the kind of data that Google loves to scan — a fact people tend to forget. Google's scanning leads to a complete list of all the files contained within the server being searchable on Google.
If we want to find insecure webpages still using HTTP to poke at, we can modify the command slightly to do so by changing the "ftp" to "http" and re-running the search.
intitle:"index of" inurl:http after:2018
Searching that string should produce a list of lots and lots of websites using HTTP, ready to be attacked. But if we're looking for a specific type of site, we can go even further.
If we want to start attacking some easy targets, we can be more specific and search for online forms still using HTTP by changing the text in the search title.
intitle:"forum" inurl:http after:2018
We can keep adding search operators like AND inurl:"registration" to get more specific and hunt down the registration pages of insecure form websites.
Here you can see we've found a list of vulnerable online forums using HTTP.
The next step will be to search for files of the .LOG type. Searching for LOG files will allow us to look for clues about what the credentials to the system or various user or admin accounts might be.
The dork we'll be using to do this is as follows.
allintext:password filetype:log after:2018
When searching for current log files exposed to the internet, we find this almost immediately.
This log states that the password is the default one, which takes just a simple Google search of the OpenCast Project website to discover. With one search, we've possibly found the credentials to this system without hacking anything at all.
Configuration files should not be public pretty much ever, and .ENV files are great examples of this. If we search for .ENV files that contain a string for the database password, we instantly find the password to this database we've discovered.
filetype:env "DB_PASSWORD" after:2018
If we remove the after:2018 we can see older log files also exposing services to the internet.
Email lists are a great way of scraping email addresses and trying to find information on corporate or school targets. These lists are frequently exposed by companies or schools that are trying to organize email lists for their members.
To find them, we'll be looking for spreadsheet .XLS file type with the string "email.xls" in the URL.
While these results are useful, be careful not to download any file without first considering if it's a honeypot. Many people will take popular dorks and then leave a server hosting a file that looks vulnerable but could instead contain malware.
Finally, if you thought Shodan was the only service that can find weird open cameras, you were dead wrong. Camera login and viewing pages are usually HTTP, meaning Google is happy to index them and provide them for viewing if you know the right search string.
One common format for webcam strings is searching for "top.htm" in the URL with the current time and date included. You'll find a lot of results this way.
The first result is a webcam that appears to be the Windows XP background from another angle in Belmullet, Ireland.
Another dork for cameras that produces outstanding results searches for a common live-view page hosted on routers.
Using this dork, I was able to locate the best camera of all, the birdcam1.
Please do not hack the bird cam, but feel free to enjoy it here. Many other cameras are available, though all are less interesting than birdcam1.
Many cameras also monitor inside factories or industrial areas.
While you can view the cameras I demonstrated without a password; many dorks look for webcam login pages that have a well-known default password. This tactic, while illegal, allows easy access to many webcams not intended for public viewing.
Thanks to the way Google indexes nearly everything connected to the internet that offers a web interface, there's no shortage of misconfigured services that leave critical elements exposed to the internet. Make sure you don't log in to any of these services even if the password is exposed, as this could get you into trouble because you don't have permission. If you have a service online, it's smart to run a few common dorks on your domains to see what turns up, just in case you've accidentally left something exposed that a hacker might find useful.
I hope you enjoyed this guide to using Google dorks to find vulnerable devices and passwords! If you have any questions about this on Google dorks, or if you have a comment, ask below or feel free to reach me on Twitter @KodyKinzie.