Introduction to Dorking

This tutorial introduces the concept of dorking, which involves using specific search queries to find vulnerable URLs for SQL injection attacks. It covers the basic components of a dork, including keywords, page types, and parameters, and provides examples of how to create effective dorks. The tutorial also emphasizes the importance of filtering and rearranging keywords and parameters to optimize search results for security testing purposes.

Uploaded by

nitrotnt

[Tutorial] Introduction to Dorking - Definitions & Basic Dork Creation Guide

Introduction to Dorking & Basic Dork Creation


Learn how to master Google Dorks!

I.) Introduction
Before we start, I'd like to give an introduction to dorks and why they are useful
in terms of SQLi dumping and, subsequently, gathering data to run bruteforce
attacks with.

The ideal process chain looks as follows:

Make Dorks
Scan Dorks
Get URLs
Scan for Exploitable URLs
Scan for Injectable URLs
Dump Databases
Decrypt Hashes
Check Data
Filter Hits
Sell Accounts

A dork is a combination of commands, keywords, parameters and symbols that instruct
search engines to give us strictly filtered results from the World Wide Web. At the
surface level, dorking involves using specific modifiers to search data. For
example, instead of searching the entire Web, users can click on tags like "image"
or "site" to collect images or find information about a specific site. Users can
utilize other commands like "filetype" and "daterange" to get other specific search
results.

A Google dork query, sometimes just referred to as a dork, is a search string that
uses advanced search operators to find information that is not readily available on
a website. Google dorking, also sometimes called Google hacking is a technique that
uses Google Search and other Google applications to find security holes in the
configuration and computer code that websites are using.

The primary objective of dorking is to find injectable/vulnerable URLs, which can
then be used to exploit any outdated/redundant code.

The basic composition or format of a dork includes three parts - keyword, pageType
and pageParameter.
For example, within "Playstation game.php?item=":
'Playstation game' indicates the keyword,
'.php?' indicates the pageType, while
'item=' indicates the pageParameter.

Dorks are used to target & attack data-driven applications on any vulnerable
website, allowing bad actors to identify technologies used on a website and read
details from a slew of target websites' databases & infrastructure. While
scanning for exploitable and vulnerable URLs you get a filtered list of websites
whose databases can be dumped in full.

A vulnerable URL is a website that has a SQL error that can be exploited (eg.
simple error, union error, SM error, Oracle error codes). Kindly refer to my thread
that deals with an Introduction to SQL Injection to learn more about SQLi attacks and
types of SQLi.
Within this tutorial suite we will be using a variety of tools including dork
scanners, keyword builders, URL-to-param extractors and SQL dumpers.

II.) Understanding How Dorks Work

Since I've given basic definitions regarding a dork and its sub-contents such as
keywords, pageTypes and pageParameters, here is a rough example of a dork.

Go to Google Search

Type in a keyword, for this example I shall use "amazon games"

Choose any URL from the results list (ignoring the Sponsored Ads)
[Image: e1737Ti.png]

For this, I will select the following URL:


https://www.amazon.fr/gp/help/customer/d...YDQFMD5DRS
Our objective is to create a basic dork from the provided URL such that we can
pinpoint the exact URL through our next search

Analyzing the existing URL we can see the following:

https://www.amazon.fr/gp/help/customer/display.html?nodeId=GTCADSYDQFMD5DRS

The keyword here is "amazon customer display"
The pageType here is ".html?"
The pageParameter here is "nodeId="
The secondary keyword here is "GTCADSYDQFMD5DRS"
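To make this decomposition concrete, here is an added example (written for this page, not code from the tutorial or any tool it mentions) that splits a URL into the host, page, pageType, pageParameter and value pieces named above using only Python's standard library. The Amazon URL is the tutorial's own; the `example.com` URLs and the function names `dork_components` and `exposure_summary` are constructed here. Run over a site's own URL inventory, `exposure_summary` shows which endpoints expose the extension-plus-parameter pattern that such searches key on, which is the list a site owner would want to review first.

```python
from collections import Counter
from urllib.parse import urlsplit, parse_qsl
import posixpath

# Constructed sample URLs (not taken from any scan): the first is the
# tutorial's Amazon example, the rest are invented for illustration.
SAMPLE_URLS = [
    "https://www.amazon.fr/gp/help/customer/display.html?nodeId=GTCADSYDQFMD5DRS",
    "https://shop.example.com/game.php?item=42",
    "https://shop.example.com/game.php?item=7&lang=en",
    "https://shop.example.com/about",
]


def dork_components(url):
    """Break a URL into the parts the tutorial names.

    pageType       -> extension of the last path segment plus '?' when a query
                      string follows it (e.g. '.html?'); the bare extension or
                      '' when there is no query / no extension
    pageParameters -> each query key followed by '=' (e.g. 'nodeId=')
    values         -> the query values, which the tutorial calls secondary keywords
    """
    parts = urlsplit(url)
    page = posixpath.basename(parts.path)          # e.g. 'display.html'
    ext = posixpath.splitext(page)[1]              # e.g. '.html'
    params = parse_qsl(parts.query, keep_blank_values=True)
    return {
        "host": parts.hostname,
        "page": page,
        "pageType": ext + "?" if ext and params else ext,
        "pageParameters": [key + "=" for key, _ in params],
        "values": [value for _, value in params],
    }


def exposure_summary(urls):
    """Count how many URLs share each (pageType, pageParameter) pair, so a site
    owner can see which of their own endpoints match the pattern a dork keys on."""
    counts = Counter()
    for url in urls:
        comp = dork_components(url)
        for param in comp["pageParameters"]:
            counts[(comp["pageType"], param)] += 1
    return counts


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", dork_components(url))
    for (page_type, param), n in exposure_summary(SAMPLE_URLS).most_common():
        print(f"{n:3d}  {page_type}{param}")
```

A URL with no query string (the `/about` entry) yields an empty parameter list and an empty pageType, so it never contributes to the summary; that is the intended behaviour, since such pages are not what the keyword + pageType + pageParameter pattern matches.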

There are multiple ways in which you can pinpoint this exact URL with different
combinations.
For this example, I shall use the following dork "amazon customer display
display.html?nodeId=GTCADSYDQFMD5DRS"

As you can see, the first result we have received here is exactly the URL we're
trying to target.
[Image: AQtynCc.png]

Additionally, we have received very few results due to the targeting.
With stricter operators and commands, we can limit the number of targets received
to even lower ranges.

To understand dorks further, we need to understand their sub-contents in depth, such
as keywords and parameters.

III.) Introduction to Keywords


Keywords (also known as "SEO keywords", "keyphrases" or "search queries") are
words and phrases that users type into search engines to find information on a
particular topic.

The key to mastering keyword creation is understanding that all keywords are real
words and hence are most likely to be used. Hence, there is no such terminology as
"private keywords" but it is the parameters that help you in building HQ dorks. The
only aim while making keywords is focusing upon your target, for example, let's
continue with our example with Amazon.

Select your target (we're proceeding with "Amazon" in this case). This shall be
your primary keyword.

Our keyword builders will add secondary keywords upon this targeted keyword. These
will give you results such as eg. Amazon product, Amazon shop, Amazon games, Amazon
electronics

The trick here is to interchange the positions of the keywords. [Primary +
Secondary] would turn into [Secondary + Primary]

Quote:
Amazon product -> Product Amazon
Amazon shop -> Shop Amazon
Amazon games -> Games Amazon
Amazon Electronics -> Electronics Amazon

This helps the dork scanner build better accuracy while searching for dorks. If
you're targeting shopping related data, then this keyword switch will help you
increase the quality of your results.

IV.) Introduction to Parameters


Page parameters play a key role in dorking, because while creating targeted
dorks, you will need to clean & filter your parameters accordingly by relevance.

For example, let's take our target as "Fortnite" and proceed with parameter
creation.

The first step of our process will be generating keywords. For this step, I shall
be using Keyword Shitter 2.0 which is an open-source keyword generation tool.

After keyword creation/generation, you should have a sample list of keywords to
start with. They should look randomized, like this:
Quote:
b fortnite ✓
c fortnite ✓
d fortnite ✓
e fortnite ✓
fortnite except
fortnite has
fortnite tracker
fortnite mobile
fortnite skins
fortnite game
fortnite item shop
fortnite meaning
fortnite redeem
fortnite system requirements

To increase quality, we can discard a few irrelevant keywords like the ones at the
start and begin interchanging the keyword positions. A quick way to do this would
be using Notepad++ to quickly filter out keywords. You can also specify
customization options within Keyword Shitter.

Within your txt file, hit "Ctrl+F" and navigate to the "Mark" tab. Type the
following field as your query.
Code
.* .* .*
[Image: UBQAwTj.png]

Select "Bookmark line" and "Regular expression" and hit "Mark All"

Open the Search menu -> Bookmark -> Cut Bookmarked Lines. Save these keywords
in another .txt, they're to be used later.
To quickly flip the keywords, use HashKiller's List Tools. Input your filtered list
of keywords here as the input.

Specify a blankspace as the separator under "Split by Separator" and split the
list. Then proceed to "Combine Right:Left" with a blankspace separator. You should
now have a list of high quality keywords to begin with.
[Image: Doo6SiJ.png]

To fetch URLs from these keywords, we will require a dork scanning tool. Now, due
to search engines picking up on dorks & automation in 2022, it is rather hard to
recommend a reliable free tool here. I would recommend Bing-O, however that's
paid, so I suggest looking up Github for some good code (there's always new actors
posting resources there), with the assurance of legitimacy that comes with open-
source applications. In my tutorial, I shall use a private scanner. Proxies are
also highly recommended.

After we get around 3000-5000 URLs, we shall stop scanning and move onto parameter
extraction. We will require a tool that can extract parameters from URLs, which
again is available freely online. For this tutorial, we shall take an example with
one such tool.

We're ideally looking to extract "PageTypes" here. You should get a very elaborate
list including both short and long parameters and unparsed URLs. Here we're
looking to remove the long entries, so I will include a quick shortcut to filter
these out.
[Image: y2ntMCD.png]

Within your txt file, hit "Ctrl+F" and navigate to the "Mark" tab. Type the
following field as your query.
Code
^(.){20,9999999}

Select "Bookmark line" and "Regular expression" and hit "Mark All"

Open the Search menu -> Bookmark -> Cut Bookmarked Lines. There's no need to save
these params, you can delete them.

You should now have a list of high quality parameters ready to go.

V.) Basic Dorks

For creating starter & base-level dorks, we shall just be using a mix of keywords,
parameters and pageTypes to show how you can mix & match an existing set of params,
pagetypes and keywords to create multiple dorks.

For this tutorial, we shall take the example of "Fortnite game.php?item=". This is
a dork in the format (keyword + pageType + pageParameter). Since Fortnite is a very
popular game, there is a high chance someone else may have searched the same
combination, so you wouldn't really be getting quality results by running it.
However, you can work past this roadblock by re-arranging the dork structure to get
different results every time.

With our basic dork, I shall demonstrate multiple possible formats and results:

Fortnite game.php?item= (Target keyword + Secondary keyword + Pagetype + Parameter)
Fortnite.php?item= game (Target keyword + Pagetype + Parameter + Secondary keyword)
game.php?item= Fortnite (Secondary keyword + Pagetype + Parameter + Target keyword)
.php?item= Fortnite game (Pagetype + Parameter + Target keyword + Secondary keyword)
.php?item= Game fortnite (Pagetype + Parameter + Secondary keyword + Target keyword)
.php Game ?item= Fortnite (Pagetype + Secondary keyword + Parameter + Target keyword)
Fortnite.php Game ?item= (Target keyword + Pagetype + Secondary keyword + Parameter)

To demonstrate the difference in results, let's take two of these examples:

Code
Fortnite.php Game ?item=
[Image: kjkGvv4.png]

Code
Fortnite game.php?item=
[Image: qIr25GZ.png]

If you've noticed, the number of results is different with each combination, and
the results themselves often vary, which would help you in your search to gather better
URLs.

The current example was only with a single keyword, parameter and pagetype. As
such, the number of possible orderings is 4! (4 factorial, i.e. 24). If you had
hundreds of keywords and parameters at your disposal, you could generate millions
of dorks.

That concludes the starter tutorial; we shall talk about more advanced dork
creation techniques and an introduction to Google Search Operators (which are
critical in dork creation) within the next tutorial. As always, it is
recommended to perform these tasks on an RDP or Virtual Machine, so if you're
looking for free credit for an RDP, feel free to check out my Free Azure Credit
tutorial.

As usual, thanks for devoting your time towards this tutorial. This tutorial suite
has been strictly for educational purposes and imparting knowledge to fellow
members and I do not condone any abuse or misuse arising from it.
