Version: 1.0.2

Search engines and online resources

  • E.g. for information about the target organization's employees, intranet, login pages...
  • Sources include
    • social networking sites
    • people search services
    • alerting services
    • financial services
    • job sites showing target infrastructure details, physical location, and employee details
    • deep and dark web

Google hacking

  • Involves using a set of search operators (dorks) and building complex queries.

  • 📝 Form of passive reconnaissance

  • Common dorks:

    | Dork | Definition | Example |
    | --- | --- | --- |
    | site | Only results from the specified domain | azure site:cloudarchitecture.io |
    | inurl | Only pages that have the query in their URL | inurl:cloudarchitecture |
    | intitle | Only pages that have the query in their title | intitle:cloud architecture |
    | cache | Cached version of the queried page | cache:cloudarchitecture.io |
    | link | Only pages that contain the queried URL. Discontinued. | link:cloudarchitecture.io |
    | filetype | Only results of the given file type | filetype:sql |
  • 📝 It is usual to combine the filetype and site dorks, as seen in metagoofil

  • Google logical query operators

    | Operator | Definition | Example |
    | --- | --- | --- |
    | OR, \| | X or Y but not both | |
    | AND | Results related to both X and Y (Google default) | jobs AND gates |
    | - | Exclude a term or phrase | jobs -apple |
    | * | Wildcard that matches any word or phrase | "Google * my life" > google changed my life, google runs my life... |
    | (, ) | Group multiple terms | (iPad OR iPhone) apple |
  • E.g. finding passwords: intext:"please change your" password | code | login file:pdf | doc | txt | docx -github

    • intext: search in the text of the website
    • "please change your": placing something in quotation marks means the result must contain the text as a whole, not parts of it.
    • file:pdf: specify what kind of file you want.
    • -github: minus + word tells the engine to exclude results containing that word.
  • For complex searches use:

  • 💡 Easier way may be using Google Advanced Search or Advanced Image Search

Google hacking tools

  • Google hack honeypot
    • Logs google hacking queries against your resources
  • Google hacking database
    • Helps you with
      • finding various types of files, including those that contain usernames and passwords.
      • VoIP footprinting using e.g. intitle:"D-Link VoIP Router" "Welcome" to find pages containing D-Link login portals
      • VPN footprinting using e.g. filetype:pcf "cisco" "GroupPwd" to find Cisco VPN files with passwords
    • 💡 Once you find password lists, you can guess similar ones, as people usually choose similar passwords.
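Google hack honeypot logs dork queries made against your resources. As an added example (not code from the page or from any tool it names), here is a small Python detector that does the cheap version of that from ordinary web server access logs: it pulls the search query out of the Referer header of hits arriving from search engines and flags the ones that contain dork operators. The log lines, IPs, paths and queries are constructed; the search-engine host list and operator list are assumptions you would tune to your own traffic.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in combined log format; IPs, paths and queries are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /docs/backup.sql HTTP/1.1" 200 512 "https://www.google.com/search?q=site%3Aexample.com+filetype%3Asql" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "https://www.google.com/search?q=example+company+careers" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:57:12 +0000] "GET /admin/login.php HTTP/1.1" 200 800 "https://www.bing.com/search?q=inurl%3Aadmin%2Flogin.php+intitle%3A%22admin%22" "Mozilla/5.0"
198.51.100.8 - - [10/Oct/2023:13:58:00 +0000] "GET /about HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Hosts whose referers carry the user's search query in the q= parameter (assumed list).
SEARCH_ENGINE_HOSTS = ("google.", "bing.", "duckduckgo.", "yahoo.")

# Operators that ordinary visitors rarely type but dorks rely on. The lookbehind
# keeps "ext:" from matching inside "intext:".
DORK_OPERATOR_RE = re.compile(r"(?<![a-z])(site|inurl|intitle|intext|filetype|ext|cache|link):")


def extract_search_query(referer):
    """Return the q= parameter of a search-engine referer, or None for other referers."""
    if not referer or referer == "-":
        return None
    parsed = urlparse(referer)
    if not any(marker in parsed.netloc.lower() for marker in SEARCH_ENGINE_HOSTS):
        return None
    values = parse_qs(parsed.query).get("q")  # parse_qs also decodes %3A and '+'
    return values[0] if values else None


def find_dorks(query):
    """Return the dork operators present in a query, in order of appearance."""
    return [op + ":" for op in DORK_OPERATOR_RE.findall(query.lower())]


def detect_dork_hits(log_text):
    """Return (ip, path, query, operators) for every hit driven by a dork query."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        query = extract_search_query(match.group("referer"))
        if query is None:
            continue
        operators = find_dorks(query)
        if operators:
            hits.append((match.group("ip"), match.group("path"), query, operators))
    return hits


if __name__ == "__main__":
    for ip, path, query, operators in detect_dork_hits(SAMPLE_LOG):
        print(f"{ip} reached {path} via dork {query!r} (operators: {', '.join(operators)})")
```

Two of the four constructed lines are flagged: the one where a site:/filetype: query led straight to a .sql file and the one where an inurl:/intitle: query found the admin login page. Both are exactly the pages the Google Hacking Database section says dorks are used to find, so a hit like this is a signal to check why those paths are indexed at all. Browsers increasingly strip the query from the Referer, so this catches less traffic each year; the honeypot approach (serving bait pages) does not depend on it.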

metagoofil

  • Open-source tool to extract metadata from public documents (pdf, doc, xls, ppt, etc.) available on the target websites
  • Also helps with website footprinting
  • Flow
    1. Queries Google for different filetypes that may have metadata
      • Combining site: and filetype dorks
    2. Downloads the documents to disk and extracts the metadata of the file
    3. Parses files using different libraries for metadata (e.g. Hachoir, pdfminer)
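The metadata-extraction step of that flow, as an added Python example that is not metagoofil's own code: a minimal reader for an uncompressed PDF /Info dictionary and for the docProps/core.xml part of Office Open XML files (docx, xlsx, pptx), run over constructed sample documents. It is the check to run on your own published documents before someone else does, since author names, internal usernames and producer software versions are exactly what this flow harvests. Real files with compressed object streams or encryption need a full parser such as pdfminer, which metagoofil uses; the field lists here are assumptions, not metagoofil's.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# /Info dictionary keys that commonly leak names, software and timestamps (assumed list).
PDF_INFO_KEYS = ("Title", "Author", "Creator", "Producer", "CreationDate", "ModDate")

OOXML_NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
# (XML tag, label) pairs read from docProps/core.xml
OOXML_FIELDS = (("dc:title", "Title"), ("dc:creator", "Author"), ("cp:lastModifiedBy", "LastModifiedBy"))


def pdf_metadata(data):
    """Read literal-string entries of an uncompressed PDF /Info dictionary.

    Handles only plain (...) strings; PDFs with compressed object streams or
    encryption need a real parser such as pdfminer.
    """
    meta = {}
    for key in PDF_INFO_KEYS:
        match = re.search(rb"/" + key.encode() + rb"\s*\(([^)]*)\)", data)
        if match:
            meta[key] = match.group(1).decode("latin-1")
    return meta


def ooxml_metadata(data):
    """Read core properties from an Office Open XML file (docx, xlsx, pptx)."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        if "docProps/core.xml" not in archive.namelist():
            return meta
        root = ET.fromstring(archive.read("docProps/core.xml"))
    for tag, label in OOXML_FIELDS:
        element = root.find(tag, OOXML_NS)
        if element is not None and element.text:
            meta[label] = element.text
    return meta


def extract_metadata(data):
    """Dispatch on the file signature rather than the extension, which can lie."""
    if data.startswith(b"%PDF"):
        return pdf_metadata(data)
    if data.startswith(b"PK\x03\x04"):
        return ooxml_metadata(data)
    return {}


# Constructed sample documents; the names and products inside are made up.
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Title (Q3 Budget) /Author (jsmith) /Creator (Microsoft Word)"
    b" /Producer (Acrobat Distiller 9.0) /CreationDate (D:20230110093000) >>\nendobj\n"
    b"trailer\n<< /Info 1 0 R >>\n%%EOF\n"
)


def build_sample_docx():
    """Build a minimal docx-like zip containing only the core properties part."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        "<dc:title>Internal roadmap</dc:title><dc:creator>alice.doe</dc:creator>"
        "<cp:lastModifiedBy>CORP\\bob</cp:lastModifiedBy></cp:coreProperties>"
    ) % (OOXML_NS["cp"], OOXML_NS["dc"])
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("docProps/core.xml", core)
    return buffer.getvalue()


if __name__ == "__main__":
    for name, blob in (("budget.pdf", SAMPLE_PDF), ("roadmap.docx", build_sample_docx())):
        print(name, extract_metadata(blob))
```

The docx sample shows the kind of value that matters most: lastModifiedBy holding a domain-style account name gives away both the naming convention and a valid username, which is why scrubbing core.xml (or using the document inspector in the authoring tool) belongs in the publishing step.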

Online services

  • Searching a domain gives you some data, e.g. IP address, server, geolocation.
    • ❗ Careful, results can be fairly inaccurate: generic results = no guarantee.
      • Far better to do your own search
  • Website Watcher to get notified if a web page is changed.
  • Reverse image search allows tracking the original source of an image
    • E.g. Google Image Search, TinEye Reverse Image Search, Yahoo Image Search

Video search engines

  • Search for videos related to the target and extract video information
  • E.g. YouTube, Google Videos
  • Video analysis tools include YouTube DataViewer, EZGif, VideoReverser.com

Meta data engines

  • Use other search engines to build metadata about the Internet
  • Can give more information such as images, videos, blogs, news and articles about the target
  • E.g. Startpage, MetaGer

FTP search engines

  • Search for files on FTP servers
  • E.g. NAPALM FTP Indexer, Global FTP Search Engine
  • Can help to find tax documents, business strategies etc.

IoT search engines

Shodan

  • Online search engine
  • Finds specific types of IoT (webcams, routers, servers, etc.) connected to the internet using a variety of filters.
  • 📝 You can e.g. search for open ports with port:1433

Censys

  • Online search engine
  • 📝 Provides internet asset discovery i.e. scanning for unknown internet resources.
  • Available on search.censys.io

Netcraft

  • Allows you to search the web by domain (DNS) through its Search DNS service.
  • Reports more information such as
    • Whether the site uses HTML5 or Flash (Flash has many vulnerabilities)
    • X-Frame-Options: tells the browser not to render this site inside an iframe
      • If framing is allowed, the site is open to phishing schemes such as clickjacking
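An added Python check (not Netcraft's code) of what the X-Frame-Options point above amounts to when you audit your own site: given a response's headers, decide whether another origin may frame the page. It also accounts for the Content-Security-Policy frame-ancestors directive, which current browsers apply in preference to X-Frame-Options when both are present. The header sets are constructed.

```python
def framing_policy(headers):
    """Decide whether a page with these response headers can be framed by other sites.

    headers: mapping of header names to values, any letter case.
    Returns (protected, reason). A CSP frame-ancestors directive wins over
    X-Frame-Options, as browsers do; an absent or invalid X-Frame-Options is
    ignored by browsers, which leaves the page frameable.
    """
    lowered = {name.lower(): value for name, value in headers.items()}

    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [token.strip("'").lower() for token in tokens[1:]]
            if "*" in sources or any(source in ("http:", "https:") for source in sources):
                return False, "frame-ancestors is too permissive: " + " ".join(sources)
            return True, "frame-ancestors restricts framing to: " + " ".join(sources)

    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options: " + xfo
    if xfo.startswith("ALLOW-FROM"):
        return False, "ALLOW-FROM is obsolete and ignored by current browsers"
    if xfo:
        return False, "unrecognised X-Frame-Options value %r is ignored by browsers" % xfo
    return False, "no framing restriction: page can be loaded in a third-party iframe"


# Constructed header sets, as an audit of your own hosts would collect them.
SAMPLES = {
    "legacy-app": {"Server": "nginx", "Content-Type": "text/html"},
    "intranet": {"X-Frame-Options": "SAMEORIGIN"},
    "portal": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "widget": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
    "old-bank": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}


def audit(samples):
    """Run framing_policy over every sample and return {name: (protected, reason)}."""
    return {name: framing_policy(headers) for name, headers in samples.items()}


if __name__ == "__main__":
    for name, (protected, reason) in audit(SAMPLES).items():
        print("%-10s %s  %s" % (name, "OK " if protected else "EXPOSED", reason))
```

The "widget" case is the one that surprises people: X-Frame-Options DENY is present, but the accompanying frame-ancestors * overrides it in any browser that understands CSP, so the page is still frameable. The fix is to set frame-ancestors 'self' or 'none' and keep X-Frame-Options as a fallback for older clients.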

CrimeFlare

  • Helps you find IP addresses behind a CDN (e.g. Cloudflare)
  • CDN: protects against DDoS and hides the geolocation of servers by fronting them with a different IP address.
  • Sites often used their real IP address before moving behind the CDN; you can then look at past DNS records to find it.