
Raymond Reddington
Legendary Vendor
dork dorks google dorking google hacking hacking hacking websites search engines search engine hacking

[Tutorial] Introduction to Dorking - Definitions & Basic Dork Creation Guide

Posted 06-14-2022, 08:26 PM

Introduction to Dorking & Basic Dork Creation
Learn how to master Google Dorks!

I.) Introduction
Before we start, I'd like to give an introduction to dorks and why they are useful in terms of SQLi dumping and, subsequently, gathering data to run brute-force attacks with.

The ideal process chain looks as follows:

  1. Make Dorks
  2. Scan Dorks
  3. Get URLs
  4. Scan for Exploitable URLs
  5. Scan for Injectable URLs
  6. Dump Databases
  7. Decrypt Hashes
  8. Check Data
  9. Filter Hits
  10. Sell Accounts

A dork is a combination of commands, keywords, parameters and symbols that instruct search engines to give us strictly filtered results from the World Wide Web. At the surface level, dorking involves using specific modifiers to narrow a search. For example, instead of searching the entire Web, users can click on tabs like "image" or use operators like "site" to collect images or find information about a specific site. Users can utilize other operators like "filetype" and "daterange" to get other specific search results.

A Google dork query, sometimes just referred to as a dork, is a search string that uses advanced search operators to find information that is not readily available on a website. Google dorking, also sometimes called Google hacking, is a technique that uses Google Search and other Google applications to find security holes in the configuration and computer code that websites are using.

The primary objective of dorking is to find injectable/vulnerable URLs, which can then be used to exploit any outdated/redundant code.

The basic composition or format of a dork includes three parts - keyword, pageType and pageParameter.
For example, within "Playstation game.php?item=":
'Playstation game' is the keyword;
'.php?' is the pageType;
'item=' is the pageParameter.

Dorks are used to target & attack data-driven applications on any vulnerable website, allowing bad actors to identify the technologies used on a website and read details from a slew of target websites' databases & infrastructure. While scanning for exploitable and vulnerable URLs you get a filtered list of websites whose databases can be dumped in full.

A vulnerable URL is a website that has a SQL error that can be exploited (e.g. simple error, union error, SM error, Oracle error codes). Kindly refer to my thread that deals with an Introduction to SQL Injection to learn more about SQLi attacks and the types of SQLi.

Within this tutorial suite we will be using a variety of tools including dork scanners, keyword builders, URL-to-parameter extractors and SQL dumpers.

II.) Understanding How Dorks Work

Since I've given basic definitions of a dork and its sub-contents such as keywords, pageTypes and pageParameters, here is a rough example of a dork.

  1. Go to Google Search

  2. Type in a keyword, for this example I shall use "amazon games"

  3. Choose any URL from the results list (ignoring the Sponsored Ads)
    [Image: e1737Ti.png]

  4. For this, I will select the following URL:
    https://www.amazon.fr/gp/help/customer/d...YDQFMD5DRS
    Our objective is to create a basic dork from the provided URL such that we can pinpoint the exact URL through our next search

  5. Analyzing the existing URL we can see the following:
    https://www.amazon.fr/gp/help/customer/display.html?nodeId=GTCADSYDQFMD5DRS
    The keyword here is "amazon customer display"
    The pageType here is ".html?"
    The pageParameter here is "nodeId="
    The secondary keyword here is "GTCADSYDQFMD5DRS"

    There are multiple ways in which you can pinpoint this exact URL with different combinations.
    For this example, I shall use the following dork "amazon customer display display.html?nodeId=GTCADSYDQFMD5DRS"

  6. As you can see, the first result we have received here is exactly the URL we're trying to target.
    [Image: AQtynCc.png]

    Additionally, we have received very few results due to the targeting. With stricter operators and commands, we can limit the number of results received to even lower ranges.

To understand dorks further, we need to understand its sub-contents in depth, such as keywords and parameters.

III.) Introduction to Keywords
Keywords (also known as “SEO keywords," “keyphrases,” or “search queries”) are words and phrases that users type into search engines to find information on a particular topic.

The key to mastering keyword creation is understanding that all keywords are real words and hence are most likely to be used by someone else as well. There is therefore no such thing as "private keywords"; it is the parameters that help you build HQ dorks. The only aim while making keywords is focusing upon your target. For example, let's continue with our Amazon example.

  1. Select your target (we're proceeding with "Amazon" in this case). This shall be your primary keyword.

  2. Our keyword builders will add secondary keywords to this target keyword. These will give you results such as Amazon product, Amazon shop, Amazon games, Amazon electronics.

  3. The trick here is to interchange the positions of the keywords. [Primary + Secondary] would turn into [Secondary + Primary]

    Amazon product -> Product Amazon
    Amazon shop -> Shop Amazon
    Amazon games -> Games Amazon
    Amazon Electronics -> Electronics Amazon

  4. This helps the dork scanner build better accuracy while searching for dorks. If you're targeting shopping related data, then this keyword switch will help you increase the quality of your results.


IV.) Introduction to Parameters
Page parameters play a key role in dorking, because while creating targeted dorks you will need to clean & filter your parameters by relevance.

For example, let's take our target as "Fortnite" and proceed with parameter creation.

  1. The first step of our process will be generating keywords. For this step, I shall be using Keyword Shitter 2.0 which is an open-source keyword generation tool.

  2. After keyword creation/generation, you should have a sample list of keywords to start with. They should look randomized, like this:
    b fortnite ✓
    c fortnite ✓
    d fortnite ✓
    e fortnite ✓
    fortnite except
    fortnite has
    fortnite tracker
    fortnite mobile
    fortnite skins
    fortnite game
    fortnite item shop
    fortnite meaning
    fortnite redeem
    fortnite system requirements

  3. To increase quality, we can discard a few irrelevant keywords like the ones at the start and begin interchanging the keyword positions. A quick way to do this is to use Notepad++ to filter out keywords. You can also specify customization options within Keyword Shitter.

  4. Within your txt file, hit "Ctrl+F" and navigate to the "Mark" tab. Type the following as your query (it matches every line that contains at least three space-separated words):
    Code
    .* .* .*
    [Image: UBQAwTj.png]

  5. Select "Bookmark line" and "Regular expression" and hit "Mark All"

  6. Open the Search menu -> Bookmark -> Cut Bookmarked Lines. Save these keywords in another .txt; they're to be used later.

  7. To quickly flip the keywords, use HashKiller's List Tools. Input your filtered list of keywords here as the input.

  8. Specify a blank space as the separator under "Split by Separator" and split the list. Then proceed to "Combine Right:Left" with a blank space separator. You should now have a list of high quality keywords to begin with.
    [Image: Doo6SiJ.png]

  9. To fetch URLs from these keywords, we will require a dork scanning tool. Now, due to search engines picking up on dorks & automation in 2022, it is rather hard to recommend a reliable free tool here. I would recommend Bing-O, however that's paid, so I suggest looking up GitHub for some good code (there are always new actors posting resources there), with the assurance of legitimacy that comes with open-source applications. In my tutorial, I shall use a private scanner. Proxies are also highly recommended.

  10. After we get around 3000-5000 URLs, we shall stop scanning and move onto parameter extraction. We will require a tool that can extract parameters from URLs, which again is available freely online. For this tutorial, we shall take an example with one such tool.

  11. We're ideally looking to extract "pageTypes" here. You should get a very elaborate list including both short and long parameters and unparsed URLs. Here we're looking to remove the overly long entries, so I will include a quick shortcut to filter these out.
    [Image: y2ntMCD.png]

  12. Within your txt file, hit "Ctrl+F" and navigate to the "Mark" tab. Type the following as your query (it matches every line that is 20 or more characters long):
    Code
    ^(.){20,9999999}

  13. Select "Bookmark line" and "Regular expression" and hit "Mark All"

  14. Open the Search menu -> Bookmark -> Cut Bookmarked Lines. There's no need to save these params, you can delete them.

  15. You should now have a list of high quality parameters ready to go.
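As an added illustration (not code from the original post), here is a Python script that applies the same decomposition to a site's own URL list: it splits each URL into the tutorial's keyword, pageType and pageParameter components (section II) and then tallies the pageType + parameter pairs, dropping parameter strings of 20 or more characters as the Notepad++ regex in step 12 does (section IV). The sample URLs are constructed; the resulting inventory tells a site owner which parameterised endpoints a generic dork would surface and so deserve input-validation review or exclusion from indexing.

```python
from collections import Counter
from urllib.parse import urlparse, parse_qsl

# Constructed sample URL list, e.g. exported from a sitemap or access log.
SAMPLE_URLS = [
    "https://www.amazon.fr/gp/help/customer/display.html?nodeId=GTCADSYDQFMD5DRS",
    "https://shop.example.test/game.php?item=42",
    "https://shop.example.test/game.php?item=43&ref=home",
    "https://news.example.test/article.aspx?id=7",
    "https://news.example.test/about.html",
    "https://cdn.example.test/x.php?" + "a" * 40 + "=1",
]

def decompose(url):
    """Split a URL into the tutorial's three dork components.

    Returns keyword candidates (host label plus path words), the pageType
    (".ext?") and the list of pageParameters ("name="), or None when the
    URL has no query string and so cannot match a pageType+parameter dork."""
    parsed = urlparse(url)
    if not parsed.query:
        return None
    labels = (parsed.hostname or "").split(".")
    host_word = labels[-2] if len(labels) >= 2 else labels[0]
    segments = [s for s in parsed.path.split("/") if s]
    filename = segments[-1] if segments else ""
    stem, dot, ext = filename.rpartition(".")
    page_type = f".{ext}?" if dot else "?"
    words = [host_word] + segments[:-1] + [stem if dot else filename]
    params = [name + "=" for name, _ in parse_qsl(parsed.query, keep_blank_values=True)]
    return {"keywords": [w for w in words if w], "pageType": page_type, "parameters": params}

def inventory(urls, max_param_len=20):
    """Count (pageType, parameter) pairs over a site's URLs, dropping parameter
    strings of max_param_len characters or more (the same cut the tutorial's
    ^(.){20,9999999} regex makes).  The most frequent pairs are the endpoints a
    generic dork is most likely to surface."""
    counts = Counter()
    for url in urls:
        parts = decompose(url)
        if parts is None:
            continue
        for param in parts["parameters"]:
            if len(param) < max_param_len:
                counts[(parts["pageType"], param)] += 1
    return counts

if __name__ == "__main__":
    for (page_type, param), n in inventory(SAMPLE_URLS).most_common():
        print(f"{n:3d}  {page_type}{param}")
```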

V.) Basic Dorks

For creating starter & base-level dorks, we shall just be using a mix of keywords, parameters and pageTypes to show how you can mix & match an existing set of params, pagetypes and keywords to create multiple dorks.

For this tutorial, we shall take the example of "Fortnite game.php?item=". This is a dork in the format (keyword + pageType + pageParameter). Since Fortnite is a very popular game, there is a high chance someone else may have searched the same combination, so you wouldn't really be getting quality results by running it. However, you can work past this roadblock by re-arranging the dork structure to get different results every time.

With our basic dork, I shall demonstrate multiple possible formats and results:

  1. Fortnite game.php?item= (Target keyword + Secondary keyword + Pagetype + Parameter)
  2. Fortnite.php?item= game (Target keyword + Pagetype + Parameter + Secondary keyword)
  3. game.php?item= Fortnite (Secondary keyword + Pagetype + Parameter + Target keyword)
  4. .php?item= Fortnite game (Pagetype + Parameter + Target keyword + Secondary keyword)
  5. .php?item= Game fortnite (Pagetype + Parameter + Secondary keyword + Target keyword)
  6. .php Game ?item= Fortnite (Pagetype + Secondary keyword + Parameter + Target keyword)
  7. Fortnite.php Game ?item= (Target keyword + Pagetype + Secondary keyword + Parameter)

To demonstrate the difference in results, let's take two of these examples:

Code
Fortnite.php Game ?item=
[Image: kjkGvv4.png]

Code
Fortnite game.php?item=
[Image: qIr25GZ.png]

If you've noticed, the number of results is different with each combination, and the results themselves often vary, which helps you gather better URLs in your search.

The current example was only with a single target keyword, secondary keyword, parameter and pageType. As such, the number of possible orderings of these four components is 4! (denoted as 4 factorial), i.e. 24. If you had hundreds of keywords and parameters at your disposal, you could generate millions of dorks.

That concludes the starter tutorial; we shall talk about more advanced dork creation techniques and an introduction to Google Search Operators (which are critical in dork creation) within the next tutorial. As always, it is recommended to perform these tasks on an RDP or Virtual Machine, so if you're looking for free credit for an RDP, feel free to check out my Free Azure Credit tutorial.

As usual, thanks for devoting your time towards this tutorial. This tutorial suite has been strictly for educational purposes and imparting knowledge to fellow members and I do not condone any abuse or misuse arising from it.