- Credits to OsintCurious.us
The term โGoogle dorksโ has been around for quite some years by now and is used for specific search queries that use Googleโs search operators, combined with targeted parameters to find specific information. And in the webcast/podcast of early December we reached out to the listeners, to send us your favourite Google Dork.
We grouped the dorks by the type of target information that it is used for, starting with the human being:
People and Accounts
The first one that was posted on Twitter after we talked about it, came fromย Kirby. She loves to find emails based on a username, so she lets Google do the heavy lifting. Instead of searching for all possible email providers, she replaced the domain name with an asterisk:
"username*com"OSINT Techniquesย shared his favourite dork, that searches for online resumes of a person. You can search within the URL of a website, or within the text of a site:
inurl:resume โjohn smithโ
intext:resume โjohn smithโOSINT Combineย also shared a tweet that focuses on jobs. By targeting the LinkedIn site, he searches for people with a specific job title and location. But he shared another trick, which is the fact that you can search for icons or Unicode characters:
site:http://linkedin.com/in "<job title>" (โ OR โ OR โ OR ๐ฑ) +"<location>"And in case you are looking for a specific name, you can of course always search for:
"<name>" (โ OR โ OR โ OR ๐ฑ)The last dork touching people that was sent to us via Twitter, came fromย Jung Kim. He shows a nice dork to find people within GitHub code:
site:http://github.com/orgs/*/peopleAnd if you are looking for lists of attendees, or finalists,ย Jung Kimย shared a second dork with us:
intitle:final.attendee.list OR inurl:final.attendee.listAnother tips was given byย Nixintel, that searches for login information on a Trello board. Since a lot of people forget to tighten the security settings on their Trello board, loads of them are exposed and indexed by Google:
site:http://trello.com password + admin OR usernameDocuments
To finding specific documents within a website or domain name,ย CyberSquarePegย shared with us the basic Google dork to do just that:
site:<domain> filetype:PDFNote: Instead of โfiletype:โ you can also use the abbreviation for extention, which is: โext:โ
Alexย shared with us a search that is also targeting PDFโs, but he shows how to search for only those documents that might contain possible email information. Change the <domain> to the specific company domain name and have a look whatโs out there:
filetype:pdf <domain> "email"Zerconilย shared a dork that is looking for XLS files within government websites:
filetype:xls site:.govOf course you can look for more extensions, depending on what you are trying to achieve. You do that by adding multiple file extensions in between double quotes, where each of the extensions is being separated by a pipe of vertical line โ|โ. And donโt forget to add extra spaces around it:
filetype:"xls | xlsx | doc | docx | txt | pdf" site:.govIn case you are looking for even more extensions that might be of interest, Twitter userย Insiderย helped us out there with his tip that he sent via Twitter:
filetype:"doc | pdf | xls | txt | ps | rtf | odt | sxw | psw | ppt | pps | xml"And another tip shared byย Jung Kim, this time searching for any kind of document on HubSpot that contains the word โtrendsโ and that has the year 2019 in the URL:
site:http://cdn2.hubspot.net intitle:2019 OR inurl:2019 "* trends"Dutch_Osintguyย shared another one targeting Google as email platform with looking for txt OR pdf files containing words like FBI, CIA Or NYpD (these are interchangeable by words by your particular interest):
"Email delivery powered by Google" ext:pdf OR ext:txt nypd OR fbi OR ciaCloud, Buckets and Databases
Dutch_OsintGuyย shared one of his favorite dorks. This one is searching for indexed documents that contain the phrase โconfidentialโ or โtop secretโ within open Amazon S3 buckets:
site:http://s3.amazonaws.com confidential OR "top secret"Another search touching Amazon buckets came fromย Zerconil, that might show some confidential login information within XLS files:
s3 site:http://amazonaws.com filetype:xls passwordAnd here again the tip of maybe adding all kinds of interesting extensions, since Excel files might not be the only interesting document format that contain the information you are looking for.
And of course you can search for copies of databases via Google too. To find some of them, simply search for:
ext:sql intext:"-- phpMyAdmin SQL Dump"Social Media
Jules Darmaninย shared a tip on how to find out whether a certain tweet was shared on other media, for instance a news site. For that, search for the specific text and tell Google to ignore anything that was posted within twitter.com by adding the minus sign to that part of the dork:
"text of a tweet" -site:https://twitter.comAlmost the same method can be used to search messages and/or links for a specific username not coming from that username his/her account. For example this searches for links or information containing โ@dutch_osintguyโ but not coming directly of the twitter user timeline Dutch_osintguy
@dutch_osintguy -site:twitter.com/dutch_osintguyWant to learn more about Google Dorking ?
Using Google search operators as effective as possible is an art by itself. For OSINT the goal is (most of the time) to create your targeted haystack. But by usingย well chosen keywordsย and dorked together withย the right search operatorsย you will be able to create a haystack with asย lowย a possibleย volumeย with an asย highย as possibleย probability.
Keep in mind that Google has limited the amount of keywords that you can search for to a total of 32 words. This means that all search term beyond the 32 word limit will not be taken into account (keyword 33 and beyond) in a search. Also there is a character limit per one keyword. A single keyword can not be longer than 2048 characters.
All of the above Google dorks came from a specific intelligence requirement question. Without a good question it is way harder to craft your search query is targeted as possible. So an advice might be, what are you looking for? What question are you trying to answer? That makes it easier to pinpoint which search operators might be needed to answer that specific question.
For extra inspiration you might want to look into sources like theย Google Hacking Database. This is a website that collects user generated Google dorks with a specific need or interest. Another great resource to learn how to craft a good Google dork is theย GoogleGuide. The GoogleGuide is a good website to see which Google search operators are available and how you can use them for your research. Even though it is a bit old (info from 2007) the GoogleGuide still has a lot to offer en learn from when you are OSINTcurious. Another option is theย ahrefs blogย about Google search operators. They visually explain how you an use 42 search operators.
There is also one Google Dorking book which is a must read when it comes to learning and understanding how to use google searches for research. It is a book byย Johnny Longย with the title โGoogle hacking for penetration testersโ. Within the osint community there is a debate on which version is the best for OSINT practitioners. My personal (Dutch_Osintguy) opinion is that version 1 of this book is the best and most complete. Non the less all other versions (there are 3 editions) are worth the read.
- Reverse your thinking
One of the methods for geolocating an image is to do an image reverse search. This means that we are searching for the image itself online, and if the image has been indexed by search engines we may find the exact image or we can do a visual search or crop search to help us find similar images.ย
ย Aric Tolerย fromย Bellingcatย has written a fantastic guide on reversing images, please read itย here.ย OSINTย Curiousย also has aย write-upย on the topic that you should look through before attempting this challenge.ย
I recommend adding this extension to ease the workflow for when you find images online that you want to do an image reverse on:
Addon description:ย โPerform a search by image. Choose between the image search engines Google, Bing, Yandex, TinEye and Baidu.โ
Chrome:ย RevEye Reverse Image Searchย -ย
Firefox:ย RevEye Reverse Image Search