Information gathering can be done using technical and nontechnical methods. Technical methods rely on computer-aided techniques for collecting information. However, there is no assurance that a particular tool or piece of electronic equipment will obtain sufficient information about a target. That is why social engineers generally use a balanced mix of technical and nontechnical methods and merge the information they get to build a profile of their targets.
While there are numerous such techniques, this article focuses only on how social engineers leverage Google search queries (a.k.a. Google Dorks) to collect sensitive information about their targets.
Leveraging Google search engine for information gathering
It is said that the internet never forgets. If you want to know something, knowing the right way to ask will get you almost all the information you want. Google, the dominant search engine, is a key tool that social engineers use to unearth information about targets on the internet. This article walks you through some of the search phrases that social engineers use to hunt for information:
- To search for a target’s information within a specific domain, such as a corporate site, the following query can be used:
site:www.websitename.com "John Doe"
Google will return every page it has indexed on that domain that mentions John Doe.
- To search for a target’s information in the title of any website indexed by Google, the following query is used:
intitle:John Doe
Note that because of the space between the two words, the operator applies only to John: Google searches for titles that contain John and for pages whose text contains the word Doe. This is a very useful query since it will capture a target’s info contained in the titles of multiple websites. This query will yield information from corporate sites and social media platforms because they often use a person’s name as the title of some pages.
- To search for a target’s information in the URL of any website, you can use the following query:
inurl:john doe
It is a common practice among many organizations to use relevant words in their URLs for SEO purposes. This query identifies a person’s name in the URLs indexed by Google. Note that the query will search for john in the URLs and for doe in the accompanying text. If a social engineer wants to search for the entire name in the URL, he/she can use the following query:
allinurl:John Doe
The query will restrict results to only those URLs that include both John and Doe.
- It is not uncommon for a target to have applied for jobs using job boards. Some job boards and organizations retain the target’s résumé on their websites. A person’s résumé contains highly sensitive details, including the person’s real name, phone number, email address, educational background, and work history. It has a wealth of information that is very useful for a social engineering attack. To search for a target’s private details, the social engineer can use the following query:
"John Doe" intitle:"curriculum vitae" "phone" "address" "email"
It is a very powerful query that will search everything Google has indexed for information about John Doe, looking for pages titled curriculum vitae that also contain the words phone, address, and email.
- The following query is used to gather information about an organization. It targets confidential releases of information within the organization that may be posted on websites:
intitle:"not for distribution" "confidential" site:websitename.com
The query will search the website for anything posted with "not for distribution" in the title and containing the word "confidential". This search may unearth information that some employees of the organization might not even be aware of. It is a very useful query, especially when the social engineer wants to appear informed about the internal matters of an organization when interacting with a certain target.
- One of the most commonly used pretexts to enter guarded premises is that of an IT maintenance person contacted urgently by the company. Guards will be ready to let such a person in, enabling the fraudster to carry out an attack from within the premises without raising alarms. However, to pull this off, the social engineer must have enough knowledge about the internal network or infrastructure of the organization. The following is a group of search queries that can give this information to a social engineer:
intitle:"Network Vulnerability Assessment Report"
The information that this query provides can also be leveraged in the attack, since the query results also reveal the weaknesses that can be exploited in the target’s network.
- To search for user passwords in an organizational network, a backup of these passwords could be a useful place to begin. As such, the following query can come in handy:
site:websitename.com filetype:SQL ("password values" || "passwd" || "old passwords" || "passwords" || "user password")
This query looks for SQL files stored in a website’s domain that contain password values, passwd, old passwords, passwords, or user password. Even though the files may not have the users’ current passwords, they may give the attacker enough information to profile the current passwords of the users.
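An organization can check its own published content against the same patterns before a search engine indexes it. The following Python sketch is an added example, not taken from the article or the book; the rule names, the `audit` function, and the sample site export are constructed for illustration.

```python
from html.parser import HTMLParser

class _Title(HTMLParser):  # collects the text of the <title> element
    def __init__(self):
        super().__init__()
        self.in_title, self.title = False, ""
    def handle_starttag(self, tag, attrs):
        self.in_title = self.in_title or tag == "title"
    def handle_endtag(self, tag):
        self.in_title = self.in_title and tag != "title"
    def handle_data(self, data):
        self.title += data if self.in_title else ""

# Each rule mirrors one query from the article: (name, title phrase, body terms).
TITLE_RULES = [
    ("internal-document", "not for distribution", ["confidential"]),
    ("assessment-report", "network vulnerability assessment report", []),
    ("resume-with-contacts", "curriculum vitae", ["phone", "address", "email"]),
]
SQL_TERMS = ["password values", "passwd", "old passwords", "passwords", "user password"]

def audit(published):
    """published maps a public path to its content; returns sorted (path, rule) findings."""
    findings = []
    for path, content in published.items():
        text = content.lower()
        if path.lower().endswith(".sql"):
            if any(term in text for term in SQL_TERMS):
                findings.append((path, "sql-dump-with-passwords"))
            continue
        parser = _Title()
        parser.feed(content)
        title = " ".join(parser.title.lower().split())  # normalise case and whitespace
        for name, phrase, terms in TITLE_RULES:
            if phrase in title and all(t in text for t in terms):
                findings.append((path, name))
    return sorted(findings)

# Constructed sample of a site export (not real data).
SAMPLE = {
    "/press/2024.html": "<html><title>Press release</title><body>Confidential? No, public.</body></html>",
    "/docs/plan.html": "<title>Roadmap - NOT FOR DISTRIBUTION</title><p>Company confidential</p>",
    "/it/scan.html": "<title>Network Vulnerability  Assessment Report Q1</title><p>hosts</p>",
    "/hr/jdoe.html": "<title>John Doe Curriculum Vitae</title><p>Phone: 555-0100 Address: 1 Main St Email: j@example.com</p>",
    "/backup/users.sql": "INSERT INTO users (name, passwd) VALUES ('a', 'x');",
    "/backup/schema.sql": "CREATE TABLE orders (id INT);",
}

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Every path the audit returns is a candidate for removal from the public web root or for access control.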
If you enjoyed this article and want to learn more about social engineering, you can refer to the book, Learn Social Engineering, by Dr Erdal Ozkaya. Following an end-to-end approach to explain the underlying concepts of social engineering, this book will help you avoid and combat social engineering attacks through detailed insights gained from the modus operandi of social engineers.