google dorks image grahpic
Image from Quora

Ever wondered how the most successful Bug Hunters, Red Teamers, Penetration Testers and even black hat hackers are able to efficiently gather information on a target during enumeration? — for total n00bs even worse than me, enumeration is that phase where you try to find as much information as you can about your target. even better if the information you find can lead to direct exploitation, partial/full compromise. You know anything that can lead to the violation or compromise of the CIA triad (Not the CIA you know..) on your target asset.

Worry no more fellow n00bs, for I bring thee glad tidings, behold the grimoire of…. lol ok enough of that.

OSINT(Open Source Intelligence) tools have always been an important part of the hacking process and methodology and what better way can there be to gather information than to use the most popular search engine on earth (don’t argue with me on this, I just feel it is…) which is good old google.

Now, lets get to the juicy part….

I will introduce you to a nifty web page by Exploit DB that has loads of queries you can try out on your search bar (This information is provided strictly for educational purposes and on NO account do you access, destroy or download any information from the results you find using these queries without the explicit permission of the owner of that web asset). Google hacking Database contains very useful queries you can use to find information on a target asset or a target individual.

You can find it here GHDB

For a long time OSINT experts and I mean it when I say experts because there are a special group of people who specialize in using OSINT tools. And yes, not everyone is a “Hacker” in Cybersecurity John… Anyway, back to our discussion; there are certain useful queries you can use which you most probably should get familiar with.

See the queries below:

site:*.domain.com intitle:index of ==> This can be used to enumerate subdomains of a target asset with the text “index of” in the title. Mainly, this identifies web assets of that domain that have directory listing turned on, which means there might be sensitive data exposure, server version details exposed or other juicy stuff.

Real engagement on a target asset showing server directory exposed

site:*.domain.com -www filetype:txt ==> This query is used to find files on a web asset that might contain juicy info ( I know, I used juicy a lot in this… don’t think about what you’re thinking…pervert!). the “txt” in the query specifies the type of extension you’re searching for so you can switch between file extensions to search for on the target web asset. In some cases like in the example shown in the image below, you can find release notes of the server on your target.

Another Real Engagement on a Target Asset

For now, this is all I can offer and like I have learnt. There is never a time when you say you have done too much enumeration, all that just means is the potential to widen the attack surface of a target asset just increased.

These queries I have shared have actively been used in my bug bounty side gig so I can attest to their effectiveness.

The end… oh yeah make sure to check out GHDB for more on google dorks and No, this is not a sponsored advert, lol.

ciao!