Google Dorking Commands

Basics

๐Ÿ” site:example.com
โ†’ shows results for the domain example.com only

๐Ÿ” site:*.example.com
โ†’ all subdomains of example.com (e.g. mysite.example.com)

For Login Pages

๐Ÿ” site:example.com inurl:admin

๐Ÿ” site:*.example.com inurl:admin/login
โ†’ (โ€œadmin loginโ€) use quotes for multiword phrases

๐Ÿ” site:*.example.com intitle:login/admin
โ†’ (โ€œloginโ€ / โ€œadminโ€ / โ€œlogin pageโ€) use quotes for exact words

Directory Listing

๐Ÿ” site:*.example.com intitle:"Index of /"
โ†’ very useful and powerful

๐Ÿ” site:*.example.com intitle:"index of" "parent directory"
โ†’ finds pages with <title>Index of</title> containing โ€œparent directoryโ€

๐Ÿ” site:*.example.com inurl:ftp
โ†’ old but sometimes used for files/backups

๐Ÿ” site:*.example.com inurl:wp-content
โ†’ for WordPress sites

Finding Files

๐Ÿ” site:example.com ext:xls OR ext:csv OR ext:doc

๐Ÿ” site:example.com (ext:pdf OR filetype:pdf)
โ†’ ext:pdf is more precise than filetype:pdf (other: txt, robots.txt, sitemap, docx, xlsx, log, xml)

๐Ÿ” site:example.com filetype:env
โ†’ try env, ini, sql, bak for sensitive info

Subdomain Enumeration

Websites

  • ๐ŸŒ crt.sh
  • ๐ŸŒ pentest-tools.com/information-gathering/find-subdomains-of-domain

Tools

  • ๐Ÿ› ๏ธ sublist3r - CLI tool for getting all the subdomains of a domain.
    step 1 โ†’ git clone https://github.com/aboul3la/Sublist3r.git
    step 2 โ†’ cd ~/Sublist3r
    step 3 โ†’ python3 -m venv venv
    step 4 โ†’ source venv/bin/activate
    step 5 โ†’ pip install -r requirements.txt
    step 6 โ†’ python sublist3r.py -d example.com
    step 7 โ†’ python sublist3r.py -d example.com > subdomains.txt
    step 8 โ†’ deactivate

for step 6 - run inside the Sublist3r directoryโ€”where the sublist3r.py file is located.
for step 7 - run if you want to save the result in a file.
for step 8 - after using you can type to exit out of venv -> virtual environment

  • shodan / spiderfoot - browsers for advance search

Directory and File Enumeration - (Gobuster)

  • Gobuster supports both protocols, and you can specify the target URL using either http:// or https://. When using HTTPS, you may encounter certificate validation errors, especially with self-signed certificates, which can be bypassed using the -k or โ€“no-tls-validation flag to skip SSL certificate verification.