This Google Dorking guide for 2026 covers everything you need to master one of the most powerful and widely used techniques in open source intelligence. Google Dorking — also called Google hacking — uses advanced search operators to find specific information that standard searches miss. Security professionals use it to discover exposed files, misconfigured servers, sensitive documents, and vulnerable systems. OSINT investigators use it to find publicly available information about people, organizations, and infrastructure that simple searches will never surface.
In this guide you will learn every major Google search operator, how to combine them into powerful dorks, a complete cheat sheet of the most useful dorks for security and investigation work, and the legal and ethical boundaries that every practitioner must respect.
What Is Google Dorking?
Google Dorking is the practice of using advanced search operators — special commands built into Google’s search engine — to refine searches far beyond what normal queries allow. The term comes from “Google hacking,” a technique popularized by security researcher Johnny Long who demonstrated that Google’s index contained vast amounts of sensitive information that organizations had accidentally exposed.
A Google dork is a search query that combines one or more operators to target specific types of content. For example, a simple dork like site:company.com filetype:pdf finds all PDF documents that Google has indexed from a specific domain. More complex dorks combine multiple operators to find configuration files, login portals, exposed databases, or internal documents that were never intended to be public.
The information that Google dorks reveal was always publicly accessible — it was indexed by Google and visible to anyone who knew how to search for it. This is why Google Dorking is a legitimate OSINT technique rather than a hacking technique in the traditional sense: it uses Google’s own search functionality to find publicly available information.
Essential Google Search Operators Every OSINT Practitioner Must Know
site:
The site: operator restricts results to a specific domain or subdomain. This is one of the most fundamental operators for any OSINT investigation involving a specific organization.
Examples:
site:example.com — shows all indexed pages from example.com
site:example.com login — finds login pages on the domain
site:subdomain.example.com — limits results to a specific subdomain
-site:example.com keyword — excludes a domain from results
filetype:
The filetype: operator finds documents of a specific file type. This is invaluable for discovering documents an organization has published — both intentionally and accidentally.
Examples:
site:example.com filetype:pdf — all PDFs indexed from the domain
site:example.com filetype:xlsx — Excel spreadsheets (may contain data)
site:example.com filetype:docx — Word documents
filetype:sql — finds SQL database files indexed by Google
filetype:log — finds log files (often contain sensitive information)
filetype:conf OR filetype:config — configuration files
filetype:env — environment files (often contain API keys)
inurl:
The inurl: operator finds pages where the specified text appears in the URL. This is particularly useful for finding specific types of pages — admin panels, login portals, configuration pages.
Examples:
inurl:admin — finds pages with “admin” in the URL
inurl:login site:example.com — login pages on a specific domain
inurl:wp-admin site:example.com — WordPress admin pages
inurl:phpMyAdmin — database administration interfaces
inurl:config.php — PHP configuration files
intitle:
The intitle: operator finds pages where the specified text appears in the page title. Many web applications use distinctive title text that makes them easy to identify.
Examples:
intitle:"index of" — finds open directory listings (servers with directory browsing enabled)
intitle:"dashboard" site:example.com — dashboard pages on a domain
intitle:"login" inurl:admin — admin login pages
intext:
The intext: operator finds pages containing specific text in the page body. This is useful for finding pages that contain specific strings — error messages, configuration details, or sensitive data patterns.
Examples:
intext:"password" filetype:log — log files containing the word “password”
intext:"sql syntax" site:example.com — SQL error messages (indicate potential SQL injection)
cache:
The cache: operator retrieves Google’s cached version of a page. This is useful when a page has been taken down but Google’s cache still has a copy.
Example: cache:example.com/page
related:
The related: operator finds websites similar to a specified domain. This can reveal competitors, related infrastructure, or affiliated organizations.
Example: related:example.com
info:
The info: operator returns information Google has about a specific URL — the cached version, similar pages, and pages linking to it.
Example: info:example.com
Google Dorking Cheat Sheet 2026
| Dork | What It Finds | Use Case |
|---|---|---|
| site:example.com filetype:pdf | All PDFs on a domain | Document reconnaissance |
| site:example.com inurl:login | Login pages on domain | Attack surface mapping |
| site:example.com inurl:admin | Admin panels on domain | Penetration testing recon |
| intitle:"index of" site:example.com | Open directory listings | Finding exposed files |
| site:example.com filetype:env | Environment files (API keys) | Security assessment |
| site:example.com filetype:log | Log files | Information gathering |
| inurl:phpMyAdmin intitle:phpMyAdmin | Exposed database admin panels | Vulnerability identification |
| site:example.com ext:sql | SQL database files | Data exposure check |
| site:example.com "confidential" | Pages marked confidential | Sensitive document discovery |
| site:github.com "example.com" password | GitHub repos with credentials | Credential exposure check |
| site:pastebin.com "example.com" | Pastes mentioning target | Data breach monitoring |
| site:linkedin.com "example.com" | LinkedIn profiles at org | Employee enumeration |
| intext:"@example.com" filetype:xlsx | Excel files with email addresses | Contact discovery |
| intitle:"webcam" inurl:view | Exposed webcam interfaces | Physical security assessment |
| inurl:wp-content/uploads filetype:pdf | WordPress uploaded documents | CMS document discovery |
Advanced Google Dorking Techniques for OSINT Investigations
Combining Operators for Precise Results
The real power of Google Dorking comes from combining multiple operators to create highly specific queries. Each additional operator narrows the results, making them more relevant and actionable.
Example — finding login pages with specific technology indicators on a target domain:
site:example.com inurl:login intext:"powered by"
Example — finding exposed configuration files across multiple file types:
site:example.com (filetype:conf OR filetype:config OR filetype:cfg)
Example — finding documents published by an organization that mention specific internal terms:
site:example.com filetype:pdf "internal use only"
Using Google Dorks for Subdomain Discovery
Google indexes subdomains along with main domains, making it a useful tool for discovering an organization’s full online presence.
site:*.example.com -site:www.example.com — finds all subdomains except the main www subdomain
This technique often reveals development environments, staging servers, internal tools, and API endpoints that organizations did not intend to expose publicly.
Finding Exposed Credentials and Sensitive Data
One of the most significant categories of Google Dorking findings involves accidentally exposed credentials and sensitive data. Organizations frequently publish documents, configuration files, and pages that contain information they never intended to make public.
site:github.com "api_key" "example.com" — searches GitHub for API keys associated with a domain
site:pastebin.com "password" "example.com" — searches Pastebin for password dumps mentioning the organization
These dorks are used by security teams conducting their own vulnerability assessments — and by attackers. Checking these regularly as part of an organization’s security monitoring is recommended practice.
GHDB — The Google Hacking Database
The Google Hacking Database, maintained by Exploit-DB at exploit-db.com/google-hacking-database, is a community-maintained collection of Google dorks organized by category — files containing passwords, sensitive directories, vulnerable files, error messages, and more. It currently contains thousands of tested, categorized dorks and is updated regularly. For any practitioner working with Google Dorking, GHDB is an essential reference.
Google Dorking for Specific Investigation Scenarios
Corporate Intelligence and Due Diligence
Google Dorking is a legitimate and valuable tool for corporate intelligence gathering and due diligence investigations. Security teams and investigators use it to discover publicly available information about target organizations before business engagements, to identify what sensitive information about their own organization is publicly accessible, and to monitor for data leakage.
For due diligence, useful dorks include searches for an organization’s name combined with terms like “breach,” “leak,” “exposed,” or “vulnerability” to identify any public security incidents. Searching for the organization’s domains on Pastebin and GitHub can reveal whether credentials have been accidentally published.
Personal OSINT Investigations
Investigators conducting research on individuals can use Google Dorking to find publicly available information such as documents containing a person’s name, professional profiles across multiple platforms, public records, and historical web presence. All searches should be confined to publicly available information and conducted in compliance with applicable privacy laws.
Legal and Ethical Boundaries of Google Dorking
Google Dorking uses Google’s public search functionality to find information that Google has already indexed. The information found through Google Dorking is publicly accessible — Google has already crawled and indexed it. However, the legal and ethical context matters significantly.
Using Google Dorks to identify vulnerabilities in systems you own or have explicit written permission to test — as part of a penetration testing engagement — is completely legitimate. Using dorks to identify and then exploit vulnerabilities in systems without authorization is illegal under computer fraud laws in most jurisdictions, including the Computer Fraud and Abuse Act in the United States.
Always operate within clearly defined authorization boundaries. If you discover sensitive information about an organization while conducting legitimate research, responsible disclosure practices apply — notify the organization privately rather than publishing or exploiting the finding.
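One way to enforce those authorization boundaries in tooling, as an added example that is not part of the original guide: a small parser for the operator syntax described above that holds back any query not pinned by site: to a domain you are authorized to assess. The AUTHORIZED set, the function names and the sample queries are assumptions made for illustration.

```python
import re

# Operators covered in this guide; anything else is treated as a plain search term.
OPS = "site|filetype|ext|inurl|intitle|intext|cache|related|info"
TOKEN = re.compile(r'(-?)(?:(' + OPS + r'):)?("[^"]*"|[^\s()]+)')

def parse_dork(query):
    """Split a dork into (operator, value, negated) tuples; plain terms get operator None."""
    terms = []
    for neg, op, value in TOKEN.findall(query):
        if not op and value == "OR":
            continue  # boolean keyword, not a search term
        terms.append((op or None, value.strip('"'), neg == "-"))
    return terms

def _covered(site_value, authorized):
    # "*.example.com" and "example.com/path" both reduce to the host "example.com".
    host = site_value.lower().split("/")[0].lstrip("*.")
    return any(host == d or host.endswith("." + d) for d in authorized)

def in_scope(query, authorized):
    """True only if every positive site: term is authorized and at least one is present."""
    sites = [v for op, v, neg in parse_dork(query) if op == "site" and not neg]
    return bool(sites) and all(_covered(s, authorized) for s in sites)

# Constructed sample: an assumed authorized domain and queries taken from this guide.
AUTHORIZED = {"example.com"}
QUERIES = [
    'site:example.com (filetype:conf OR filetype:config OR filetype:cfg)',
    'site:*.example.com -site:www.example.com',
    'inurl:phpMyAdmin intitle:phpMyAdmin',        # no site: term, matches any host
    'site:github.com "api_key" "example.com"',    # third-party platform, needs its own review
]

def check_all():
    """Pair each sample query with its scope decision."""
    return [(q, in_scope(q, AUTHORIZED)) for q in QUERIES]

if __name__ == "__main__":
    for query, ok in check_all():
        print("RUN " if ok else "HOLD", query)
```

Queries against third-party platforms are held rather than rejected outright, so they can be approved separately under the engagement's rules.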
Frequently Asked Questions
Is Google Dorking illegal?
Google Dorking itself — using advanced search operators to find publicly available information — is legal. The information found through dorking has already been indexed by Google and is publicly accessible. What can become illegal is using the information found through dorking to gain unauthorized access to systems, steal data, or cause harm. Always ensure your dorking activities are authorized and used only for legitimate purposes.
What is the Google Hacking Database?
The Google Hacking Database (GHDB) is a community-maintained collection of Google dorks run by Exploit-DB. It organizes thousands of tested dorks by category — vulnerable files, error messages, sensitive directories, login portals, and more. It is freely accessible at exploit-db.com/google-hacking-database and is an essential reference for anyone working with Google Dorking for security research.
Can Google Dorking find passwords?
Yes — Google Dorking can find pages and files that contain passwords if those files have been accidentally indexed by Google. Common examples include configuration files containing database passwords, log files that captured authentication events, and documents containing credential information. Security teams regularly use password-related dorks against their own infrastructure to identify accidentally exposed credentials before attackers find them.
What is the difference between Google Dorking and Google hacking?
The terms are used interchangeably. Google hacking was the original term coined when the technique was first documented by security researcher Johnny Long. Google Dorking became the more common contemporary term. Both refer to the same practice of using advanced Google search operators to find specific types of information that standard searches miss.
How do I protect my organization against Google Dorking?
The most effective protection is preventing sensitive files from being indexed in the first place. Use robots.txt to instruct search engines not to crawl specific directories. Ensure configuration files, log files, and sensitive documents are never placed in web-accessible directories. Conduct regular Google Dorking assessments against your own domains to identify what sensitive information is publicly indexed. Use Google Search Console to request removal of accidentally indexed sensitive pages.
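A local check for the second recommendation, added here as an example and not part of the original guide: it walks a web root for the file types this guide's filetype: dorks target, and lists robots.txt Disallow entries that still exist on disk. robots.txt is only a crawl request and is itself publicly readable, so such entries advertise paths that remain reachable. The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

# Extensions targeted by the filetype:/ext: dorks in this guide.
RISKY_SUFFIXES = (".env", ".sql", ".log", ".conf", ".config", ".cfg")

def risky_files(webroot):
    """Return web-relative paths a filetype: dork could surface (dotfiles like .env included)."""
    found = []
    for dirpath, _dirs, names in os.walk(webroot):
        for name in names:
            if name.lower().endswith(RISKY_SUFFIXES):
                rel = os.path.relpath(os.path.join(dirpath, name), webroot)
                found.append("/" + rel.replace(os.sep, "/"))
    return sorted(found)

def robots_disclosures(webroot):
    """Return Disallow paths in robots.txt that still exist under the webroot."""
    robots = os.path.join(webroot, "robots.txt")
    if not os.path.isfile(robots):
        return []
    hits = []
    with open(robots, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            key, _, value = line.split("#", 1)[0].partition(":")
            value = value.strip()
            if key.strip().lower() == "disallow" and value not in ("", "/"):
                if os.path.exists(os.path.join(webroot, value.lstrip("/"))):
                    hits.append(value)
    return hits

def demo():
    """Audit a constructed sample webroot (all paths and contents below are made up)."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in {
            "index.html": "<h1>ok</h1>",
            ".env": "API_KEY=placeholder",
            "backup/site.sql": "-- dump",
            "logs/app.log": "started",
            "robots.txt": "User-agent: *\nDisallow: /backup/  # hidden\nDisallow: /old/\n",
        }.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return risky_files(root), robots_disclosures(root)

if __name__ == "__main__":
    print(demo())
```

Anything the first function reports should be moved outside the served directory or denied at the web server, since blocking crawlers does not stop direct requests.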
What are the most useful Google Dorks for penetration testing?
The most useful dorks for penetration testing reconnaissance include site combined with filetype to find documents, inurl combinations to identify admin and login portals, intitle with “index of” to find open directory listings, and searches for specific technology indicators that reveal the software stack. The Google Hacking Database is the best resource for a comprehensive and current collection of penetration testing dorks.
Conclusion
Google Dorking remains one of the most powerful and accessible OSINT techniques available in 2026. With nothing more than a browser and knowledge of the right operators, security professionals and investigators can discover publicly exposed files, misconfigured servers, sensitive documents, and attack surface information that standard searches completely miss.
Master the operators in this guide, practice with the cheat sheet, explore the Google Hacking Database for specialized dorks, and always operate within legal and ethical boundaries. Google Dorking is a skill that compounds with practice — the more you use it, the more efficient and creative your queries become.