Hi, friend! Today is about Google Dorks. I have mentioned them several times already and shown how to use them in certain situations. But it would be right to systematize that knowledge and go through the topic in full, if only because dorks are an extremely useful thing.
Of course, you can use Google's capabilities without dorks, but only if you have a lot of free time and absolutely nothing else to do, because it is slow and not very rational.
And since OSINT rewards a rational approach, it is worth understanding the use of dorks in detail and comprehensively.
General Terms of Use for Google Dorks
To use Google Dorks effectively, and Google in general, you need to know a few things about how Google itself works:
- case does not matter. Whether you write a query in upper or lower case makes no difference to Google. This means that, for example, city names or surnames can be written in lower case and nothing will change;
- a space between words. For Google this is a logical "AND", i.e. it searches not only for the whole phrase but also for each word separately, which greatly increases the number of results found and, accordingly, the time you spend sifting through them all.
To make Google search for an exact match, enclose the query in quotes. Use them whenever you can, firstly to get more precise results and secondly to save your time;
- Google knows how to inflect words. So there is no point in doing it manually, except when you are looking for an exact match, i.e. using quotation marks;
- Google sorts results by relevance, i.e. by what it considers most relevant. And Google's opinion does not always match our needs. Of course, the more accurately and correctly we phrase the query, the higher the answer we need will appear.
But at the same time it always makes sense to go through all the results offered to us;
- Google searches in the language the query is written in. It does manage to translate names correctly, for example, but you shouldn't count on that too much. So the most correct approach is to write the query in the language in which we need the result;
- the results are affected by your previous search history. So the simplest option is to use incognito mode. Better still, keep a separate browser for OSINT purposes.
For example Brave, with tracker and fingerprinting blocking enabled and automatic deletion of cookies and site data when the window is closed. And don't sign in to a Google account either,
because in that case Google will remember the request history even with the blocking enabled;
- geolocation influences the results. This means that if you are looking for information in France, for example, it won't hurt if your IP is French;
- the most important point: dorks can and should be combined. The right combination of dorks greatly reduces the number of irrelevant results and speeds up finding what you want.
I am unlikely to be able to show all the combinations within one article, and there is no point in doing so. So I will show the most commonly used combinations so that you understand the principle of how it works.
After that, everything depends on your imagination.
Using Google Dorks
Now let's move on to the Google Dorks themselves. As you probably know, there are quite a few of them. The good news is that only a few are used more or less often in OSINT, and it is those, or rather the nuances of using them, that we will analyze.
Dork library: exploit-db.com/google-hacking-database
The site: dork. It is needed to search the content of a particular site. In the simplest version, after the colon we simply specify the address of the site we are interested in, followed by the search query.
For example:
And here we come to the first nuance. If there is a lot of information on the site and the query is not very specific, Google will show a huge number of results, including pictures, videos and documents.
In general, everything it finds and everything it considers related to our query. To get more precise results, you need to either refine the query or filter out the unnecessary results. Best of all, do both.
To make the query more specific, you need to phrase it so that Google understands exactly what we want. The simplest option is an exact-match search: enclose the query in quotation marks. For example:
This is because a space is a logical "AND" for Google. That is, when we write a query, it searches not only for the whole phrase but also for each word separately. A more illustrative example is searching for a person by full name.
If we write Petrov Aleksey Nikolaevich, Google will find, among other things, a lot of Petrovs, a lot of Alekseys and a lot of Nikolaeviches. If we put the query in quotation marks, it will only look for Petrov Aleksey Nikolaevich.
Quotes work well if we know exactly what we are looking for, as in the case of a full name. But sometimes it is difficult to formulate an exact query right away.
For example, when we are looking for information about some event, or when we do not know the exact name of what we need. Let's take an example:
This is an example query for the case when we know exactly one part of the question. In our case we are looking for a guide, but we don't know exactly what the guide is for. So in parentheses we list the options that interest us, separated by the OR operator (you can use ).
The parentheses work on the same principle as in mathematical equations: they separate a group of elements.
There may also be an option when we know only part of the exact name. In this situation, the request would look like this:
site:hacker-basement.com "* osint manual"
We replaced the unknown word with the * operator, which means "any value".
In all the examples above we got very similar results. The point is that, based on the initial data we have, we choose a search query and combine it with search operators so as to get the desired answer.
This, by the way, is the basic principle of using dorks in particular and Google in general.
Another important point about using Google. To formulate the right query, you should google not the question that interests you but the part of the answer that you already know, i.e. the expected search result.
Then Google is more likely, by matching the query against the indexed information, to give you what you need.
When using the site: dork it is not necessary to specify the entire address. After all, we may not know exactly which site has the information we need. For example:
list of employees site:*.gov.ru
In effect, we told Google to find all information matching "list of employees" on every site in the gov.ru domain. But we may need to look for not just information but a document.
Then we should narrow the query by adding the filetype: dork, followed by the file extension we are interested in:
list of employees site:*.gov.ru filetype:pdf
- I covered the filetype: dork in detail in the article “How to search and analyze documents? Document OSINT”
- A guide to all existing file extensions HERE
- A guide to file formats for Word, Excel and PowerPoint HERE
- A list of the most common extensions indexed by Google HERE
Another useful operator is the - (minus) sign. It removes results we definitely do not need, whatever they are. For example, you can remove a site or part of a query from the results.
For example, if, as in the previous case, we are looking for lists of employees but definitely do not need employees of, say, the Ministry of Finance, the query will look like this:
list of employees site:*.gov.ru filetype:pdf -minfin.gov.ru
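Since combining operators is the whole point, here is an added example (my code, not the article's) of a small Python helper that assembles a dork from its parts by the rules described above: multi-word terms are quoted for an exact match, OR alternatives are put in parentheses, exclusions get the minus sign attached directly to the word, and, because allinurl: and its allintitle:/allintext: siblings work on their own, the helper refuses to combine them with anything else. The function name build_dork, its parameters and the site-pattern check are my own assumptions.

```python
"""Compose a Google dork from its parts so that combinations stay well-formed.

Added example, not code from the article. It applies the rules the article
states: a space means AND, quotes mean an exact phrase, the minus sign
excludes and is attached to its word, OR alternatives go in parentheses,
and the allin* operators are used on their own.
"""
import re

ALL_OPS = {"allinurl", "allintitle", "allintext"}
# Accepts a hostname or a *.domain pattern for site:, e.g. hacker-basement.com or *.gov.ru
SITE = re.compile(r"^(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$", re.I)


def quote(term):
    """Quote multi-word terms for an exact match; single words stay bare."""
    term = term.strip()
    return f'"{term}"' if " " in term else term


def build_dork(terms=(), phrase=None, any_of=(), site=None, filetype=None,
               inurl=None, intitle=None, exclude=(), allin=None):
    """Return the dork string; allin=(op, value) is refused alongside any other part."""
    if allin:
        op, value = allin
        if op not in ALL_OPS:
            raise ValueError(f"unknown operator {op!r}")
        if any([terms, phrase, any_of, site, filetype, inurl, intitle, exclude]):
            raise ValueError(f"{op}: cannot be combined with other dorks")
        return f"{op}:{value}"
    parts = []
    if phrase:
        parts.append(quote(phrase))                       # "exact phrase"
    parts.extend(quote(t) for t in terms)                 # space-separated = AND
    if any_of:
        parts.append("(" + " OR ".join(quote(a) for a in any_of) + ")")
    if site:
        if not SITE.match(site):
            raise ValueError(f"bad site pattern {site!r}")
        parts.append(f"site:{site}")
    if filetype:
        parts.append(f"filetype:{filetype.lstrip('.').lower()}")
    if inurl:
        parts.append(f"inurl:{quote(inurl)}")
    if intitle:
        parts.append(f"intitle:{quote(intitle)}")
    parts.extend("-" + quote(x) for x in exclude)         # minus attached to the word
    return " ".join(parts)
```

Called as build_dork(phrase="list of employees", site="*.gov.ru", filetype="pdf", exclude=["minfin.gov.ru"]) it produces the query shown above with the phrase quoted; the same helper also emits the parenthesised OR form from the guide example.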
Another example of the minus sign. You are looking for a person by last name, but he has a namesake who works as a dentist, and the search results are full of sites with reviews, advertising or something similar related to that work.
The simplest solution is to remove from the results everything that mentions the words dentist, doctor or other synonyms:
"last name, father's name" -dentist -doctor
When exploring sites, there is another useful dork you should not forget about: cache:. It shows the version of the site saved in Google's cache, along with the time and date when that version was saved.
You can view the site in three versions: full view, text version and source code.
cache:hacker-basement.com
By the way, this is not the only way to see the cached version of a site. When you google something, next to the page address in the search results there is a small arrow:
If you click on it, a "Saved copy" button appears, and clicking that also shows the version of the site from Google's cache. If we are exploring a site, it is definitely worth checking the cached version.
Sometimes it contains information that is no longer on the current version of the site. It also helps if the site is down right now or the information we need has been deleted but we still see it in the search results.
Two more useful dorks to know are inurl: and allinurl:. As you might guess, they search in the URL. The difference is that inurl: looks for only the single word given immediately after the colon,
while allinurl: searches for the whole phrase given after the colon.
One possible application. Suppose you found the email elonmusk@gmail.com.
The logic is that people very often use the same kind of name in their email address that they used when registering on other sites, including social networks.
So we take the first part of the email address and google it with the inurl: dork.
inurl:elonmusk
As a result we get social network accounts and sites where this name is used. This is a fairly versatile dork in general: you can look at how a site builds its URLs and, based on that, work out how to use this dork to find the information you need.
The inurl: dork can be combined with other Google Dorks. For example, we can search on a specific site by specifying it with the site: dork. This way you can search for posts on social networks, for example:
site:twitter.com inurl:elonmusk
In this situation Google's additional tools are very helpful. If you click the "Tools" button, you can specify the time range for which you need results, or even a specific date.
With the allinurl: dork, if we are looking for social networks we use the full name, if we know it.
allinurl:Elon Musk
As a result we get all the sites whose URL contains the name we need. Keep in mind that this dork works on its own and cannot be combined with other dorks.
In the previous example we searched in the URL. By the same principle you can search in the page title, using the intitle: and allintitle: dorks. They work the same way: intitle: searches for the word specified after the colon,
or, alternatively, for a multi-word query given in quotation marks, and allintitle: searches for the whole phrase specified after the colon.
Since we can search in the URL and the title, we can of course also search in the content of the site, or more precisely everything between the <body> tags. The intext: and allintext: dorks are used for this.
The logic is exactly the same as for the previous two.
Another useful dork worth mentioning is AROUND(). It helps when we cannot formulate the whole query but know that there are several words between its parts.
The estimated, or rather the maximum, number of these unknown words is given as a number in the parentheses. For example:
"ivanov ivan ivanovich" AROUND(3) street
And lastly: there is a nice dork builder, dorksearch.com. There you can create your own combinations of Google Dorks, and there are ready-made templates for all occasions. It suits those who are too lazy to type dorks by hand,
and also those who want to study the topic in more depth, because there are a lot of options to pick apart and try.
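To see what each operator actually filters, here is an added example (my code, not the article's or Google's) that parses a dork and applies the operator semantics described throughout this article to a small constructed in-memory index: site: with and without the * wildcard, filetype:, "exact phrase" versus bare words joined by AND, the - exclusion, OR groups in parentheses, the * placeholder inside a phrase, inurl:/intitle:/intext: and their allin* variants (which take the rest of the query and stand alone, as noted for allinurl: above), and AROUND(n). The page records, URLs and texts are made up, and Google's ranking and word inflection are not modelled; the function names are my own.

```python
"""Offline model of the dork operators in this article. Added example, not the
article's code: it reproduces only the operator semantics described here over a
constructed in-memory index; Google's ranking and stemming are not modelled."""
import re
from collections import namedtuple
from urllib.parse import urlparse

Page = namedtuple("Page", "url title body")  # body stands in for the <body> content

# Constructed sample index: hypothetical pages, not real content.
INDEX = [
    Page("https://minfin.gov.ru/docs/staff.pdf", "Staff list", "list of employees of the ministry"),
    Page("https://example.gov.ru/about/employees.pdf", "Employees", "list of employees for 2023"),
    Page("https://twitter.com/elonmusk/status/1", "Elon Musk on Twitter", "a post"),
    Page("https://dentist.example.com/ivanov", "Ivanov Ivan - dentist", "Ivanov Ivan Ivanovich, dentist, reviews"),
    Page("https://example.com/people/ivanov", "Ivanov", "Ivanov Ivan Ivanovich lives on Lenin street"),
    Page("https://hacker-basement.com/guides/osint", "Telegram OSINT manual", "a short telegram osint manual"),
]

OPS = {"site", "filetype", "inurl", "intitle", "intext", "allinurl", "allintitle", "allintext"}
FIELD = {"inurl": 0, "allinurl": 0, "intitle": 1, "allintitle": 1, "intext": 2, "allintext": 2}
TOKEN = re.compile(r'"[^"]*"|\S+')

def unquote(s):
    return s.strip('"').lower()  # case never matters to Google

def tokenize(query):
    """Split on spaces, keep quoted phrases whole, drop the parentheses of OR groups."""
    toks = [t if t.upper().startswith("AROUND(") else t.strip("()")
            for t in TOKEN.findall(query.replace("|", " OR "))]
    return [t for t in toks if t]

def term(tok):
    """Classify one token as (operator, value, negated); a leading '-' negates."""
    neg = tok.startswith("-")
    op, colon, value = tok.lstrip("-").partition(":")
    if colon and op.lower() in OPS:
        return op.lower(), unquote(value), neg
    return "text", unquote(tok.lstrip("-")), neg

def parse(query):
    """Groups of alternatives: every group must hold (space = AND), any alternative suffices (OR)."""
    toks, groups, i = tokenize(query), [], 0
    while i < len(toks):
        t = toks[i]
        if t.upper() == "OR" and groups and i + 1 < len(toks):
            groups[-1].append(term(toks[i + 1]))
            i += 2
        elif t.lower().split(":")[0] in ("allinurl", "allintitle", "allintext"):
            op, _, first = t.lower().partition(":")
            groups.append([(op, " ".join(unquote(x) for x in [first] + toks[i + 1:]), False)])
            break  # allin* takes the rest of the query and stands alone
        elif i + 2 < len(toks) and toks[i + 1].upper().startswith("AROUND("):
            n = int(toks[i + 1][7:-1])
            groups.append([("around", (unquote(t), unquote(toks[i + 2]), n), False)])
            i += 3
        else:
            groups.append([term(t)])
            i += 1
    return groups

def contains(text, value):
    """Substring match; a * inside a phrase stands for one unknown word."""
    if "*" not in value:
        return value in text
    pattern = r"\s+".join(r"\S+" if w == "*" else re.escape(w) for w in value.split())
    return re.search(pattern, text) is not None

def around(body, a, b, n):
    """True when phrases a and b occur with at most n words between them."""
    words, a_w, b_w = re.findall(r"\w+", body), a.split(), b.split()
    starts = lambda ph: [i for i in range(len(words)) if words[i:i + len(ph)] == ph]
    for i in starts(a_w):
        for j in starts(b_w):
            gap = j - (i + len(a_w)) if j >= i else i - (j + len(b_w))
            if 0 <= gap <= n:
                return True
    return False

def holds(page, clause):
    op, value, neg = clause
    fields = [page.url.lower(), page.title.lower(), page.body.lower()]
    host = urlparse(page.url).hostname or ""
    if op == "site":  # *.gov.ru: any subdomain; gov.ru: the domain itself or a subdomain
        ok = host.endswith(value[1:]) if value.startswith("*.") else (host == value or host.endswith("." + value))
    elif op == "filetype":
        ok = urlparse(page.url).path.lower().endswith("." + value)
    elif op in FIELD:  # allin*: every word in any order; inurl:/intitle:/intext:: the one word or phrase
        parts = value.split() if op.startswith("all") else [value]
        ok = all(contains(fields[FIELD[op]], p) for p in parts)
    elif op == "around":
        ok = around(fields[2], *value)
    else:  # a bare word or "exact phrase" may appear anywhere on the page
        ok = any(contains(f, value) for f in fields)
    return ok != neg

def search(query):
    """URLs of indexed pages that satisfy every clause of the dork, in index order."""
    groups = parse(query)
    return [p.url for p in INDEX if all(any(holds(p, c) for c in g) for g in groups)]
```

Running search('list of employees site:*.gov.ru filetype:pdf -minfin.gov.ru') against the constructed index returns only the example.gov.ru PDF, the minus clause having dropped the Ministry of Finance document; search('"ivanov ivan ivanovich" AROUND(3) street') keeps the page where three words separate the name from "street" and drops the dentist, and lowering the number to 2 drops it too. The same function is a cheap way for a site owner to try the article's operators against a list of their own indexed URLs and see which documents a given dork would surface.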
Conclusion
As you can see, just using Google Dorks gives us a huge amount of search power. Of course, within this article I have not shown all the possible combinations of dorks, or even all the dorks. But that was not the goal.
The main thing is to understand the principle of how it works and to practise, because this is exactly the kind of topic where experience decides. And the scope is almost limitless:
from searching for people and studying the news to finding subdomains, directories, passwords, admin panels or checking for plagiarism. Everything depends on your imagination and desire.
So do not limit yourself to the examples I have shown; come up with your own combinations and applications.