Google dorks can be a very useful tool for both passive and active reconnaissance.
By combining Google-provided search operators such as inurl, intitle, intext, and filetype, you can bring up many interesting web pages that you would not see in typical searches.
There is a well-written post that describes many useful Google search operators. If you are interested in seeing them, please visit this page: https://moz.com/blog/mastering-google-search-operators-in-67-steps
Instead of writing my own mega-list, I’ll just briefly give you a couple of examples.
Before we go any further, I need to state the obvious. This posting is for educational purposes only, and you are not allowed to do anything with any devices you’ve found through the searches. Whatever you’d like to do with those found devices, it’ll be highly highly and highly likely illegal.
Many network devices have a web-based admin page. When they do, usually either their device names or their company names are included in the title bar, and usually the URL of their login pages has a keyword like ‘login.cgi’.
So, using the following search operators:
1. inurl:<keyword> -> Returns URLs that contain the <keyword>
2. intitle:<keyword> -> Returns web pages whose title bars contain the <keyword>
You could come up with a search string like “inurl:login.cgi intitle:netgear” that would return ‘netgear’ devices that have .cgi login pages.
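As an added example (my own code, not from the original post), here is a small Python helper that composes the operators described above (inurl, intitle, intext, filetype) into one query string, quoting multi-word values so they are not split, and that checks whether a page of your own carries a noindex signal, which is what keeps a login page out of results like these. The `site:` operator, which restricts results to one domain, the function names, and the sample headers and HTML are my additions and not from the post.

```python
"""Added example (not from the original post): compose Google search operators
into a query string, and check whether a page of your own asks search engines
not to index it. Function names and the sample headers/HTML are constructed
for illustration."""
import re
from typing import Dict, Optional

_SPACE = re.compile(r"\s")


def build_dork(site: Optional[str] = None, inurl: Optional[str] = None,
               intitle: Optional[str] = None, intext: Optional[str] = None,
               filetype: Optional[str] = None, plain: str = "") -> str:
    """Combine operators into one query. A value containing whitespace is
    wrapped in double quotes, so intitle='admin panel' becomes
    intitle:"admin panel" rather than silently matching only 'admin'."""
    parts = []
    for op, value in (("site", site), ("inurl", inurl), ("intitle", intitle),
                      ("intext", intext), ("filetype", filetype)):
        if value:
            if _SPACE.search(value):
                value = f'"{value}"'
            parts.append(f"{op}:{value}")
    if plain:
        parts.append(plain)
    return " ".join(parts)


def is_indexable(headers: Dict[str, str], html: str) -> bool:
    """Return False if the response tells crawlers not to index it, via an
    X-Robots-Tag header or a <meta name="robots"> tag (both case-insensitive).
    robots.txt only stops crawling, not indexing of a URL linked from
    elsewhere, so a login page you want out of search results needs one of
    these two signals (or authentication in front of it)."""
    tag = {k.lower(): v for k, v in headers.items()}.get("x-robots-tag", "")
    if "noindex" in tag.lower():
        return False
    meta = re.search(r'<meta\s+[^>]*name\s*=\s*["\']robots["\'][^>]*>', html, re.I)
    if meta and "noindex" in meta.group(0).lower():
        return False
    return True


# Constructed samples: a login page of the kind the post's dork would surface,
# and the same page with a noindex meta tag added.
SAMPLE_HEADERS = {"Content-Type": "text/html"}
SAMPLE_HTML = ("<html><head><title>NETGEAR Router Login</title></head>"
               "<body>login form</body></html>")
HARDENED_HTML = ('<html><head><title>Login</title>'
                 '<meta name="robots" content="noindex, nofollow"></head>'
                 '<body>login form</body></html>')

if __name__ == "__main__":
    # Restrict the post's example dork to a domain you are responsible for.
    print(build_dork(site="example.com", inurl="login.cgi", intitle="netgear"))
    print(build_dork(filetype="pdf", plain="iso 27001"))
    print(is_indexable(SAMPLE_HEADERS, SAMPLE_HTML))    # True: would be indexed
    print(is_indexable(SAMPLE_HEADERS, HARDENED_HTML))  # False: noindex present
```

Running the script prints the two queries and the two indexability verdicts; `is_indexable` takes a headers dict and a page body so it can be fed the response of any fetch of your own pages without the example itself touching the network.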
How about a helpdesk application login page? If an organization has installed a third-party helpdesk application without changing the default path, we could pull some interesting results like the one below (see GHDB ID 4494 for details).
The ‘filetype‘ operator is very useful for narrowing down a search. If you are looking for an ebook, typing the ISBN or the name of the book into the search window returns hundreds of results, half of which are direct links to ebook sellers and the other half ‘get free books if you do our infinite-endless-total-waste-of-time surveys’ kind of scams.
Say you need a copy of ISO27001:2013 in PDF format. You can always buy one here (https://www.iso.org/standard/54534.html), but you could give it a shot with ‘filetype:pdf iso 27001‘.
In the result window, the first result looks like ISO27001, but the preview says “2005”, so it is likely the first edition, which has been replaced by the “2013” edition. The second one also looks like ISO27001, and this time the preview mentions the year ‘2013’, so it could be the second edition. Let’s go ahead and click that one.
It seems we’ve found a copy of ISO27001:2013 in PDF format for free. Yay.