Google Search Engine Directives
Limits results to a target site or domain
Searches for keywords within the URL of a page
Searches for keywords within the title of a page.
Identifies sites that link to our target, providing info that is useful for social engineering and related attacks
Searches for files with an identifiable extension
Bing also supports site:, inurl:, intitle: and the filetype: directives.
"surround strings in double quotes"
Literal matches for the string
- = hyphen, -site:www.domain.com, or -omitted
omits pages or pages with specific strings
* = asterisk
Used as a keyword wildcard
Bing uses NOT instead of the "-"
Google Hacking Database (GHDB)
Is a repository for search syntax, known as "Google Dorks", which can find interesting information. Works with most search engines with proper syntax adjustments.
Automate Google Searches
Google SOAP API key required for some automation tools but Google stopped issuing new keys in 12/06
Google Shunning escalates from banning you from a particular search, to a 2 hour ban, to an IP ban.
SPUD by SensePost
Converts Google SOAP API requests into general searches of the Google website.
Uses "screen-scraping" to collect, parse, and return the results.
Violates Google's ToS.
Originally SensePost's Aura, but that was deprecated.
"The world's first search engine for Internet-connected devices."
A plethora of devices can be found on Shodan including medical devices, traffic management systems, automotive controls, traffic light controls, HVAC/environment controls, power regulators/UPSs, security/access controls including CCTV and webcams, serial port servers and data radios.
Search all documents in a domain
Produce list of metadata
Metadata collected includes users, folders, printers, software, emails, OS, passwords, and servers.
Supports numerous document types: doc, ppt, pps, xls, docx, pptx, ppsx, xlsx, sxw, sxc, sxi, odt, ods, odg, odp, pdf, wpd, svg, svgz, indd, rdp and ica
Fingerprinting Organizations with Collected Archives (FOCA) is primarily a document metadata search tool; FOCA Pro is now called "Final Version."
Gathers information from target domains via public information sources, including email addresses, IP addresses and domain names, and ports and banners.
Uses search engines, PGP key servers and Shodan
Uses screen scraping and API calls to pull results from search engines.
Information mapping tool that finds relationships among people, sites and companies
Uses "transforms" to build a hierarchy of related information
Starting points include domain, person's name, phone number, etc.
Domain to PGP keys, Person to email, Domain to phone number
Community Edition limitations: not for commercial use, max 12 results per transform, need to register on website to use, API keys expire every couple of days, runs slower, no encryption, not updated until next major version, no end user support, no updates of transforms on server side, only discover from Paterva servers.
>50 modules available
0 modules overtly for mapping phase
Cache Snoop checks the DNS cache for previously resolved names, Interesting Files looks for files of interest associated with the target
XPATH and Command Injection attacks available
Web reconnaissance framework including dozens of modules that interact with Internet services to obtain information. Alongside discovery and exploitation modules, reporting modules consolidate and export results. Some modules require API keys, which may cost money. Use "show info" to get information about a module. The 4.x update provides a significant overhaul, especially of the layout and structure.