Learning “Google-Fu”: Google Directives for Penetration Testers

Most people are half-way decent at googling their way to the information they’re looking for.  They can phrase their search query in a way that Google understands, and they find what they need.  For more difficult or frequent searches, knowing how to use Google directives can be very handy.  As such, they are a great tool for penetration testers to collect OSINT on their targets more effectively and narrow their search results down to the most relevant content.

A Google directive is similar to the queries you’re already familiar with, but with a bit more syntax.  The format is:

directive-name:directive-argument terms-to-search

Some useful Google directives

Filter your results down to one website (‘site’ directive)

You can use the ‘site’ directive to filter results by website.  If you were searching for ‘ACME Corp,’ and wanted all of your results to come from, for example, CNN, you could type:

site:cnn.com ACME Corp

Filter your results to webpages that have the specified search terms in the title

You can use ‘allintitle’.  If you wanted to search for ‘careers’ in the title of webpages, you’d use:

allintitle:careers ACME Corp

An example in The Basics of Hacking and Penetration Testing is searching for a list of indexed directories:

allintitle:index of

Filter your results to webpages that have the specified search terms in the URL

Similar to the previous directive, you can use ‘inurl’ to search for a specified URL string.  Another example from the book is searching for ‘admin’ to uncover admin pages.

inurl:admin ACME Corp

Searching the Google cache

If you’re trying to be stealthy during a penetration test, you can use Google’s cached pages to view websites.  Because the cached copy is served by Google, you can read the page’s content without sending a request to the target’s own web server, similar to browsing a local mirror made with the HTTrack website-copying tool.

Additionally, you can find pages that have been removed from the website, but are still cached by Google.  This might include interesting Word docs, PDFs, and so on.

To search a website’s cached files, you can use the ‘cache’ directive:

cache:example.com

(as it turns out, acmecorp.com is a real website!)

Be careful when clicking on links within cached pages, as they’ll bring you to the live site, and note that images and scripts embedded in a cached page may still be fetched from the live server unless you use Google’s text-only view.

Searching for specific filetypes

You can also search by filetype with the ‘filetype’ directive.  If you were looking for PDFs, you could type:

filetype:pdf ACME Corp

Of course, you can always combine Google directives:

site:example.com filetype:pdf allintitle:marketing
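As an added example (not code from the original post or from the book it cites), here is a small Python parser and builder for the directive syntax above, restricted to the five directives covered in this post; it lets a defender keep a list of the queries they run against their own domain in structured form. Treating ‘allintitle’ as consuming every following word, and wrapping multi-word terms in double quotes, are assumptions about Google’s behaviour made for this example.

```python
"""Parse and build Google queries of the form
directive-name:directive-argument terms-to-search (example code)."""
import shlex

# Directive names covered in the post above.
KNOWN_DIRECTIVES = {"site", "allintitle", "inurl", "cache", "filetype"}
# Assumption: 'allintitle' applies to every remaining word, so it is parsed greedily
# and should be placed last when combined with other directives.
GREEDY_DIRECTIVES = {"allintitle"}


def parse_query(query):
    """Split a query into ({directive: argument}, [plain terms]).

    shlex keeps a double-quoted phrase such as "ACME Corp" as a single term.
    Tokens that are not a known directive (including URLs) are plain terms.
    """
    directives, terms = {}, []
    tokens = shlex.split(query)
    for i, tok in enumerate(tokens):
        name, sep, arg = tok.partition(":")
        name = name.lower()
        if sep and name in KNOWN_DIRECTIVES:
            if name in GREEDY_DIRECTIVES:
                # Swallow the rest of the query as the directive's argument.
                directives[name] = " ".join([arg] + tokens[i + 1:]).strip()
                break
            directives[name] = arg
        else:
            terms.append(tok)
    return directives, terms


def build_query(directives, terms=()):
    """Compose a query string; unknown directive names raise ValueError."""
    parts = []
    for name, arg in directives.items():
        if name not in KNOWN_DIRECTIVES:
            raise ValueError(f"unknown directive: {name}")
        parts.append(f"{name}:{arg}")
    # Assumption: double quotes mark a multi-word phrase that must match as-is.
    parts.extend(f'"{t}"' if " " in t else t for t in terms)
    return " ".join(parts)


if __name__ == "__main__":
    print(parse_query("site:example.com filetype:pdf allintitle:marketing"))
    print(build_query({"site": "example.com", "filetype": "pdf"}, ["ACME Corp"]))
```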

Using any of these directives, or several of them in combination, will likely narrow your search results by an order of magnitude or more.  I hope this has been useful!