If you are good at research by using Google searches, does that make you a malicious cyber actor? Of course not, but DHS, FBI and NCTC (National Counterterrorism Center) have issued a bulletin warning about malicious “Google dorking” cyber actors. If using advanced search techniques on Google or Bing is considered suspicious, what does that make Shodan users who specifically target SCADA, ICS, VoIP, routers, switches, webcams and printers to name but a few?
Of course, Google dorking is just a phrase that applies to using advanced queries on any search engine. Searching for vulnerabilities in this way is common among penetration testers as well as bad guys, but there’s nothing new about Google dorking. While it seems as if the bulletin was issued years too late, attackers are still pwning sites by using advanced search techniques. The same could be said of getting hacked by leaving the default username and password in applications; sadly, it still happens to this day.
Google dorking can find website vulnerabilities that can later be used in cyberattacks. The fed-issued bulletin states:
By searching for specific file types and keywords, malicious cyber actors can locate information such as usernames and passwords, e-mail lists, sensitive documents, bank account details, and website vulnerabilities. For example, a simple “operator:keyword” syntax, such as “filetype:xls intext:username,” in the standard search box would retrieve Excel spreadsheets containing usernames. Additionally, freely available online tools can run automated scans using multiple dork queries.
The bulletin referenced Search Diggity, another not-new project, which it describes as a “free online tool suite that enables users to automate Google dork queries. It contains both offensive and defensive tools and over 1,600 pre-made dork queries that leverage advanced search operators.”
SearchDiggity 3.1, last updated in June 2013, is "the primary attack tool of the Google Hacking Diggity Project. It is Bishop Fox’s MS Windows GUI application that serves as a front-end to the most recent versions of our Diggity tools: GoogleDiggity, BingDiggity, Bing LinkFromDomainDiggity, CodeSearchDiggity, DLPDiggity, FlashDiggity, MalwareDiggity, PortScanDiggity, SHODANDiggity, BingBinaryMalwareSearch, and NotInMyBackYard Diggity."
There are “lists” of over 20,000 Google dorks to exploit SQL on Pastebin; the fed-issued memo mentioned when 35,000 websites were compromised in Oct. 2013 as a result of attackers using Google dorking to find vulnerabilities. Other lists are specifically focused on Havij, an SQL injection tool which has been around for years and is so easy that “even a three-year-old can be a successful hacker.”
Google hacking for fun and profit was an “issue” by at least 2005 when security expert Johnny Long warned network defenders to stay current with the “latest Google-hacking techniques to keep ahead of the bad guys.” Folks have been Google dorking to discover passwords since at least 2003. As the years rolled by, there have been numerous Dork scanners as well as an up-to-date Google hacking database on Exploit Database.
The feds made several recommendations for website administrators such as protecting sensitive information with a password and encryption, making sure it isn't indexed, running Google Hacking Database “queries to find discoverable proprietary information and website vulnerabilities,” and running a vulnerability scanner.
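One way to act on the "make sure it isn't indexed" recommendation before an attacker's search engine does it for you is to audit your own web root for the kinds of files the bulletin's example query (`filetype:xls intext:username`) would surface and check whether robots.txt actually keeps crawlers away from them. This is an added example, not code from the article or the bulletin; the extensions, keywords, sample files and robots.txt below are constructed for illustration.

```python
import os
import re
import tempfile
from urllib.robotparser import RobotFileParser

# Constructed list: the bulletin's example targets .xls; the rest are types
# that commonly leak credentials when left in a web root.
SENSITIVE_EXTENSIONS = {".xls", ".xlsx", ".csv", ".sql", ".bak", ".env"}
# Keywords mirroring the bulletin's "intext:username" style of query.
SENSITIVE_KEYWORDS = re.compile(rb"username|password|passwd", re.IGNORECASE)


def find_exposed_files(webroot, robots_txt, base_url="https://example.com"):
    """Return URL paths under webroot that look like dork targets (sensitive
    extension or keyword in the first 64 KiB) AND are still fetchable by
    Googlebot according to the supplied robots.txt text."""
    rfp = RobotFileParser()
    rfp.parse(robots_txt.splitlines())  # parse from text, no network needed
    exposed = []
    for dirpath, _, filenames in os.walk(webroot):
        for name in filenames:
            path = os.path.join(dirpath, name)
            url_path = "/" + os.path.relpath(path, webroot).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                head = fh.read(64 * 1024)
            if ext in SENSITIVE_EXTENSIONS or SENSITIVE_KEYWORDS.search(head):
                if rfp.can_fetch("Googlebot", base_url + url_path):
                    exposed.append(url_path)
    return sorted(exposed)


def demo():
    """Build a constructed web root and robots.txt, then run the audit."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "private"))
    os.makedirs(os.path.join(root, "docs"))
    files = {  # constructed sample content
        "private/users.xls": b"username,password\nalice,hunter2\n",
        "docs/report.xls": b"quarterly figures\n",
        "docs/staff.txt": b"Contact list\nusername: bob\n",
        "index.html": b"<html>Welcome</html>",
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    robots = "User-agent: *\nDisallow: /private/\n"
    return find_exposed_files(root, robots)


if __name__ == "__main__":
    print(demo())  # flags /docs/report.xls and /docs/staff.txt
```

A Disallow line only asks well-behaved crawlers to stay away and itself advertises the path, so anything the audit flags still needs the bulletin's first recommendation (password protection or removal) rather than a robots.txt entry alone.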
Seriously, if you don’t know about Google dorking and you are running a site, it’s way past time to learn and close any vulnerable holes.