Techniques

Google Dorks

Using specialist search terms and advanced search operators to find results that are not usually displayed using regular search terms.[1]

  • inurl
    • Searches for a specified text in all indexed URLs
    • inurl:hacking will fetch all URLs containing the word “hacking”
  • filetype
    • Searches for specified file extensions
    • filetype:pdf "hacking" will return all PDF files containing the word “hacking”
  • site
    • Searches all the indexed URLs for the specified domain.
    • site:zeit.de will return all the indexed URLs from zeit.de
  • cache
    • Gets the latest version cached by the Google search engine.
    • cache:zeit.de

site:target.com inurl:admin
intitle:login site:website.com
intitle:/admin site:website.com
inurl:admin
intitle:admin
intext:admin

whois

The WHOIS database stores public domain information, such as the registrant (domain owner) and the administrative, billing and technical contacts, in a centralised database.

robots.txt

Is a publicly accessible file created by the website administrator and intended for search engines to allow or disallow indexing of the website’s.[1]

httpx

httpx -l hosts.txt -paths /root/login.txt -threads 50 -random-agent -x GET,POST -tech-detect -status-code -follow-redirects -title -content-length
httpx -l hosts.txt -ports 80,443,8009,8080,8081,8090,8180,8443 -paths /root/login.txt -threads 50 -random-agent -x GET,POST -tech-detect -status-code -follow-redirects -title -content-length

References

  1. https://tryhackme.com/room/adventofcyber4