Guide on how to transform Google into a powerful tool.
Google Dorking is the practice of using advanced search operators and filters in search engines, such as Google, to discover valuable information about a target. Often, organizations or individuals unintentionally expose confidential files, sensitive configuration archives, internal documents, or security credentials online, making them accessible to anyone who knows how to search effectively.
These exposed resources can be incredibly valuable during reconnaissance, allowing you to gather intelligence about a target both passively (by simply reviewing the search results) and actively (by visiting and interacting with the discovered pages). Passive gathering carries minimal risk of detection, apart from the search engine itself, whereas active exploration (accessing the files or pages) could trigger logs on the target’s servers.
When conducting active searches, it’s important to remember that the target may log details such as IP addresses, user-agents, and timestamps. To protect your anonymity, you should take appropriate OpSec measures. This can include using privacy-focused tools like Tails or routing your traffic through Tor to hide your real identity and location.
Properly used, Google Dorking is a powerful tool in both ethical hacking and malicious reconnaissance. Always ensure you have permission when engaging in any form of testing or data gathering, as unauthorized access or exploitation can be illegal.
There are plenty of search engines available in the wild. Depending on your target and the type of content you’re aiming to find, one engine may be more effective than another. Each has different strengths, regional coverage, and indexing behaviors that can give you an edge during reconnaissance.
Engine | Primary Region | vs Google |
---|---|---|
Google | Americas, Western Europe, Japan | |
Bing | Americas, Western Europe, Japan | Slower indexing; strong image-specific filters; sometimes finds different or less-moderated content. |
DuckDuckGo | Americas, Western Europe, Japan | Privacy-focused; powered mainly by Bing results; fewer personalized search results. |
Yandex | Russia, ex-USSR, Turkey | Excellent for image searches; indexes different segments of the web, especially Russian-speaking sites. |
Baidu | China | Best for Chinese-language content and local Chinese websites; limited indexing of global content. |
This guide will focus on filters that work primarily with Google, as they are the most universal and often compatible across other platforms too. Some basic filters even function on social media sites like LinkedIn, Twitter, and Facebook.
AND
Finds results that contain both specified terms.
Usage:
string1 AND string2
Example: hacker AND "penetration testing"
Notes: Google usually implies AND by default, but using it can help in complex queries to force clarity.
OR
Finds results that contain either one term or the other.
Usage:
string1 OR string2
Example: "cybersecurity consultant" OR "security analyst"
Notes: OR must be in uppercase; otherwise, Google treats it as a normal word.
- (Minus)
Excludes results containing a specific term.
Usage:
string1 -string2
Example: pentest report -template
Notes: The minus sign must be placed immediately before the word you want to exclude (no space).
"" (Quotation Marks)
Searches for an exact match of the text between the quotes.
Usage:
"exact phrase here"
Example: "internal use only"
Notes: Quotation marks are crucial for finding specific phrases, file names, or strings.
* (Wildcard)
Acts as a placeholder for any word.
Usage:
"initial string * end string"
Example: "configure * server"
Notes: Wildcards can help when you’re unsure about specific words in a phrase.
( ) (Parentheses)
Groups terms or operators to control the logic of a search.
Usage:
(string1 OR string2) AND string3
Example: (pentest OR "penetration test") report
Notes: Helps organize complex queries, similar to mathematical equations.
site:
Limits results to a specific website or domain.
Usage:
site:example.com keyword
Example: site:linkedin.com "security engineer"
Notes: Useful for targeting a specific site or restricting your search to a company’s domain.
inurl:
Searches for pages that have the specified keyword in the URL.
Usage:
inurl:keyword
Example: inurl:admin login
Notes: Great for locating login pages, admin panels, or directories based on URL patterns.
allinurl:
Searches for pages where all specified words appear in the URL.
Usage:
allinurl:keyword1 keyword2
Example: allinurl:admin login portal
Notes: Forces all words to exist in the URL; broader than inurl: when stacking multiple terms.
intitle:
Searches for pages with the specified keyword in the title tag.
Usage:
intitle:keyword
Example: intitle:"index of /backup"
Notes: Good for finding open directories or specific pages like “Login,” “Dashboard,” etc.
allintitle:
Searches for pages where all specified words are in the title.
Usage:
allintitle:keyword1 keyword2
Example: allintitle:admin dashboard
Notes: All words must appear in the title; can be more restrictive than intitle:.
filetype:
Limits results to a specific file extension.
Usage:
filetype:extension keyword
Example: filetype:pdf penetration test report
Notes: Useful for hunting exposed documents like .pdf, .docx, .xlsx, .txt, .csv, etc.
ext: (Alternate to filetype:)
Another way to specify a file extension for the search.
Usage:
ext:extension keyword
Example: ext:log passwords
Notes: Functions similarly to filetype:, but less officially documented; still effective.
intext:
Finds pages that contain the specified keyword in the body text.
Usage:
intext:keyword
Example: intext:"confidential - do not distribute"
Notes: Powerful for locating sensitive disclosures buried in web content.
allintext:
Finds pages where all specified keywords are in the text body.
Usage:
allintext:keyword1 keyword2
Example: allintext:"user database" password
Notes: Forces all terms to appear somewhere in the text, making it stricter than intext:.
cache:
Displays Google’s cached version of a page.
Usage:
cache:example.com
Example: cache:example.com/login
Notes: Useful if the original page is down or has been taken offline; reveals older snapshots.
related:
Finds sites similar to a specified domain.
Usage:
related:example.com
Example: related:linkedin.com
Notes: Handy for identifying competitors, sister companies, or associated sites.
Once you’re comfortable with basic filters, you can chain multiple operators together to create powerful, laser-focused queries. This allows you to narrow results dramatically and find exactly what you’re looking for.
Use multiple filters together to refine results even further.
Usage:
site:example.com filetype:pdf "internal memo"
https://github.com/redduxi/Google-Dorks-Resources
Example: (site:github.com OR site:gitlab.com) "access token"
Notes: Very effective when investigating companies with multiple brands or domains.
inurl: and filetype:
Find specific files by hunting directory structures.
Usage:
inurl:"/backup" filetype:zip
Example: inurl:"/backup" filetype:zip
Notes: Helps locate compressed backup files left in accessible locations.
before: and after:
Search pages published within specific date ranges.
Usage:
site:example.com "leak" after:2023-01-01 before:2024-01-01
Example: site:example.com "leak" after:2023-01-01 before:2024-01-01
Notes: Requires YYYY-MM-DD format. Useful for tracking recent breaches, updates, or announcements.
Search for open folders on web servers.
Usage:
intitle:"index of /" "parent directory" keyword
Example: intitle:"index of /" "parent directory" backup
Notes: Often reveals exposed server directories containing files not meant for public viewing.
Locate admin panels and login interfaces.
Usage:
inurl:admin intitle:login
Example: inurl:admin intitle:login
Notes: Good first step during target mapping and reconnaissance phases.
Search for default or leaked error messages.
Usage:
intitle:"404 Not Found" OR intitle:"403 Forbidden"
Example: intitle:"403 Forbidden" site:example.com
Notes: Error pages can leak sensitive path information or server details.
Find unsecured webcams or surveillance systems.
Usage:
inurl:view.shtml OR inurl:viewerframe?mode=motion
Example: inurl:viewerframe?mode=motion
Notes: Part of “Shodan-style” reconnaissance using Google alone.
You can add special parameters at the end of your Google URL manually:
&num=100 → show up to 100 results per page (default is 10)
&hl=en → force interface language to English
&start=0 → control pagination directly (useful for automation/scripting)
Below are practical Google Dork templates you can directly copy, adapt, and use during reconnaissance or information gathering.
inurl:login intitle:login
inurl:admin intitle:"admin login"
inurl:signin
Notes: Locate authentication portals and admin interfaces.
intitle:"index of /" "parent directory"
intitle:"index of /" +backup
intitle:"index of /" site:example.com
Notes: Open directory listings often expose sensitive files.
inurl:phpmyadmin
intitle:"phpMyAdmin" "Welcome to phpMyAdmin"
inurl:admin/db/
Notes: Critical for finding misconfigured database portals.
site:example.com filetype:pdf "confidential"
site:example.com filetype:docx "internal use only"
site:example.com filetype:xlsx password
Notes: Leaked internal reports, budgets, and HR files.
filetype:txt intext:"password"
filetype:log intext:"password="
filetype:env DB_PASSWORD
Notes: Useful for uncovering mismanaged credentials.
inurl:view/index.shtml
inurl:"/webcapture.jpg?command=snap&"
intitle:"IP Camera" site:.com
Notes: Access unsecured camera feeds.
inurl:"/cgi-bin/" intext:"test page"
intitle:"Welcome to nginx!" -github
intitle:"Apache2 Ubuntu Default Page"
Notes: Default pages often indicate unfinished setups.
site:linkedin.com/in "CEO" "Germany"
site:twitter.com "developer" "recruiting"
site:facebook.com intext:"works at"
Notes: Profiling key targets for social engineering.
filetype:env intext:API_KEY
filetype:json intext:"private_key"
site:github.com intext:"AWS_SECRET_ACCESS_KEY"
Notes: Great for cloud service reconnaissance.
inurl:/backup/ filetype:zip
inurl:/db_backup/ filetype:sql
intitle:"index of" "backup.tar.gz"
Notes: Exposed backup files often contain gold.
filetype:conf intext:server
filetype:ini intext:"DB_HOST"
filetype:yaml intext:"password:"
Notes: Misplaced configs reveal sensitive infrastructure info.
filetype:php inurl:/var/www/
filetype:env intext:APP_ENV
site:github.com intext:"db_password"
Notes: Retrieve application source code and secrets.
inurl:"/printers" intitle:"Printer Status"
inurl:"hp/device" "status"
inurl:printer
Notes: Many office devices are accessible publicly by mistake.
intitle:"WebMail Login"
inurl:/mail/
site:example.com intext:"SMTP server"
Notes: Email servers are high-value targets.
intext:"Index of /admin"
intext:"Index of /secret"
intext:"Index of /test"
Notes: Lists unprotected staging or development areas.
filetype:txt intext:"license key"
filetype:pdf intext:"product key"
site:github.com intext:"activation code"
Notes: Leaked licenses can lead to piracy or financial loss.
site:hospital.com filetype:pdf "patient record"
inurl:"/ehr/" intitle:"Electronic Health Record"
filetype:xls intext:"medical history"
Notes: Highly sensitive — proceed with extreme caution.
inurl:wp-admin
inurl:wp-login.php
site:example.com inurl:wp-content
Notes: Common during CMS assessments.
inurl:payment intitle:"payment"
inurl:checkout intitle:"checkout"
site:example.com "billing portal"
Notes: Useful for mapping financial transaction systems.
filetype:log intext:"error"
filetype:txt intext:"debug"
site:example.com filetype:log
Notes: Debug logs often disclose system architecture.
inurl:.git/config
intitle:"Index of" ".git"
site:example.com inurl:.git
Notes: Can expose the entire source code repo.
intitle:"index of" inurl:ftp
inurl:ftp://
Notes: Open FTP servers often allow anonymous browsing.
filetype:json intext:"password"
filetype:json intext:"credentials"
Notes: Modern web apps often accidentally expose .json credentials.
filetype:env "DB_PASSWORD"
filetype:env "AWS_ACCESS_KEY_ID"
Notes: .env files are a frequent leak vector.
intitle:"Dashboard [Jenkins]"
inurl:8080
Notes: Jenkins CI/CD servers can expose internal projects.
inurl:/users/sign_in intitle:"GitLab"
site:example.com inurl:gitlab
Notes: Targets version control systems and DevOps infrastructures.
intext:"10.0.0." | intext:"192.168.1."
filetype:log
Notes: Useful during network footprinting.
site:s3.amazonaws.com
inurl:s3.amazonaws.com
Notes: Public S3 buckets can leak huge amounts of data.
inurl:upload intitle:upload
inurl:"file_upload"
Notes: Important when searching for file upload vulnerabilities.
filetype:sql intext:"INSERT INTO"
filetype:sql intext:"DROP TABLE"
Notes: SQL dumps expose full database structures.
intitle:"MongoDB" "Welcome"
inurl:27017
Notes: Exposed database UIs are high-risk.
inurl:/script intitle:"Jenkins"
inurl:8080/script
Notes: Can give access to server-side command execution.
intitle:"SugarCRM"
inurl:"/crm/"
Notes: Exposed CRM platforms can leak customer data.
intitle:"Internal Wiki"
inurl:wiki
site:example.com
Notes: Internal documentation sometimes is public by mistake.
intitle:"Open Tickets" inurl:/support/
site:example.com
Notes: Reveals customer complaints, internal problems.
inurl:/job/ intitle:"Jenkins"
filetype:xml inurl:/jobs/
Notes: Discover information about internal build systems.
filetype:xls intext:"salary"
filetype:xlsx intext:"budget"
Notes: Internal financial documents accidentally exposed.
intitle:"Kubernetes Dashboard"
inurl:/api/v1/
Notes: Exposed Kubernetes clusters = total system compromise.
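A defender-side use of the same operators, added here as an example and not part of the original guide: it evaluates a subset of the syntax above (site:, inurl:, intitle:, filetype:/ext:, intext:, quoted phrases, a leading -) against an inventory of your own site's pages, so exposures are found locally before they are indexed. The matching rules only approximate search-engine behaviour, OR and parentheses are not handled, and `PAGES` and all function names are constructed for illustration.

```python
import shlex
from urllib.parse import urlparse

OPS = ("site", "inurl", "intitle", "filetype", "ext", "intext")

def parse_dork(query):
    """Split a dork into (negated, operator, value) terms; all terms are ANDed."""
    terms = []
    for tok in shlex.split(query):        # shlex keeps "quoted phrases" whole
        negated = tok.startswith("-")
        op, sep, val = tok.lstrip("+-").partition(":")
        if not sep or op not in OPS:      # bare word or phrase: search the text
            op, val = "intext", tok.lstrip("+-")
        if val:
            terms.append((negated, op, val.lower()))
    return terms

def matches(page, terms):
    """Evaluate parsed terms against one inventory record (url, title, body)."""
    parsed = urlparse(page["url"])
    host, path = (parsed.hostname or "").lower(), parsed.path.lower()
    text = (page["title"] + " " + page["body"]).lower()
    checks = {
        "site": lambda v: host == v or host.endswith("." + v),
        "inurl": lambda v: v in page["url"].lower(),
        "intitle": lambda v: v in page["title"].lower(),
        "filetype": lambda v: path.endswith("." + v),
        "intext": lambda v: v in text,
    }
    checks["ext"] = checks["filetype"]    # ext: is treated as an alias of filetype:
    # A term passes when it hits and is not negated, or misses and is negated.
    return all(checks[op](val) != negated for negated, op, val in terms)

def audit(pages, dorks):
    """Map each dork to the inventory URLs it would surface."""
    return {d: [p["url"] for p in pages if matches(p, parse_dork(d))] for d in dorks}

PAGES = [  # constructed inventory, e.g. from crawling your own site
    {"url": "https://www.example.com/backup/", "title": "Index of /backup", "body": "Parent Directory site.zip"},
    {"url": "https://www.example.com/backup/site.zip", "title": "", "body": ""},
    {"url": "https://dev.example.com/.env", "title": "", "body": "APP_ENV=staging DB_PASSWORD=placeholder"},
    {"url": "https://www.example.com/.git/config", "title": "", "body": "[core] bare = false"},
    {"url": "https://www.example.com/blog/backup-tips", "title": "Backup tips", "body": "Restore drills"},
]
DORKS = ['intitle:"index of /" "parent directory"', 'inurl:"/backup" filetype:zip',
         'filetype:env "DB_PASSWORD"', 'site:example.com inurl:.git']
FINDINGS = audit(PAGES, DORKS)
```

Every URL in `FINDINGS` is a candidate for removal, access control, or a web-server rule that stops it being served at all.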