Search Engine Discovery

Check List

Identify what sensitive design and configuration information of the application, system, or organization is exposed directly (on the organization’s website) or indirectly (via third-party services).

Methodology

Google

Enumerate all subdomains of the target website by leveraging search queries to identify all accessible subdomains, providing a comprehensive map of potential entry points for further testing

Filter out common or irrelevant subdomains to focus on unique or less-secured subdomains, reducing noise and prioritizing high-value targets for vulnerability assessment

Identify admin-related endpoints that may handle file uploads or sensitive operations, targeting interfaces likely to expose critical functionality or misconfigurations

Locate login pages by searching for specific page titles, uncovering authentication interfaces that may be vulnerable to credential-based attacks or misconfigured access controls

Search for pages containing specific text, such as authentication-related terms, to discover hidden or misconfigured entry points that could reveal sensitive functionality

Enumerate files by their type, such as configuration files, PDFs, or database dumps, to identify exposed sensitive documents that may leak critical information

Discover configuration and backup files with specific extensions, such as .conf, .bak, or .env, to uncover Misconfigurations or unprotected data that could aid in exploitation

Identify exposed JavaScript files containing sensitive information, such as API keys, credentials, or tokens, by targeting configuration scripts in publicly accessible directories

Search for backup directories or cryptographic keys, like id_rsa or id_dsa, to reveal sensitive files that may have been inadvertently exposed due to poor access controls

Locate URIs with keywords indicative of sensitive functionality, such as "conf," "api," or "admin," to prioritize endpoints likely to yield vulnerabilities like LFI or unauthorized access

Identify API endpoints by targeting URLs with patterns like "api," "rest," or versioned paths (e.g., /v1, /v2), focusing on interfaces prone to misconfigurations or insecure access

Detect server errors, stack traces, or debug logs by searching for error-related terms or exposed log files, revealing misconfigured systems or sensitive debugging information

Find parameters vulnerable to cross-site scripting (XSS) by targeting inputs like search or query fields, testing for injection points that could allow malicious script execution

Identify parameters susceptible to open redirect vulnerabilities by focusing on URL-handling inputs, such as redirect or return parameters, to test for unauthorized redirection capabilities

Shodan

Register with Shodan and obtain an API key to enable advanced queries and rate-limited access, facilitating integration with automated tools like CLI or Python scripts for streamlined reconnaissance

Identify the target organization or domain using the filter org:"organization_name" to narrow results to specific assets, focusing the attack surface on relevant infrastructure within the bug bounty scope

Discover subdomains and hosts with hostname:"target.com" or ssl.cert.subject.cn:"target.com" to uncover forgotten subdomains or SSL certificate-linked assets, revealing new entry points for testing

Scan for open ports using port:"80" or port:"22" to identify exposed services like web servers or SSH, prioritizing commonly vulnerable ports such as 8080 for proxies or 443 for HTTPS

Search for operating systems with os:"Windows Server" or os:"Linux" to find devices running outdated or known-vulnerable OS versions, enabling prioritization of tests based on exploitable systems

Identify software products and versions with product:"Apache" or product:"Jenkins" to discover outdated applications matching known CVEs, combining with after:"2020-01-01" to focus on recent instances

Filter by known vulnerabilities using vuln:"CVE-2019-19781" to pinpoint directly exploitable devices, prioritizing high-severity issues like RCE or data disclosure for efficient testing

Restrict searches geographically with country:"US" or city:"New York" to focus on assets in specific regions, aligning with localized or regulatory-focused bug bounty requirements

Search network ranges with net:"192.168.1.0/24" to scan organizational IP blocks, identifying internal or cloud infrastructure like staging or development servers

Identify specific web servers with server:"nginx" or http.title:"Login" to discover login pages or admin panels, highlighting potential entry points for brute-force or XSS testing

Search for SSL/TLS certificates with ssl.cert.issuer.cn:"target.com" to find related domains, uncovering wildcard subdomains or certificate misconfigurations that expand the attack surface

Filter by time range with before:"2024-01-01" after:"2020-01-01" to focus on recently active assets, eliminating outdated results and prioritizing current infrastructure

Identify device types with device:"webcam" or product:"MySQL" to discover exposed IoT or database instances, targeting risks like default credentials or misconfigured access

Search for SSH fingerprints with ssh.fingerprint:"dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0" to identify hosts with weak or reused keys, assessing potential for brute-force or MITM attacks

Discover PEM files or certificates with http.title:"Index of /" http.html:".pem" to find open directories exposing private keys, highlighting sensitive data disclosure for privilege escalation testing

Identify industrial control systems with port:"502" port:"102" to uncover exposed _ICS/SCADA systems, targeting critical infrastructure risks relevant to specialized bug bounty programs

Search for vulnerable Exchange servers with "X-AspNet-Version" http.title:"Outlook" -"x-owa-version" to identify outdated instances, facilitating tests for CVEs like ProxyLogon or RCE vulnerabilities

Filter SMB shares with "Authentication: disabled" port:445 to find exposed file shares, assessing risks of unauthorized access or data leakage in organizational networks

GitHub

Register for a GitHub account and obtain an API token to enable advanced search capabilities and rate-limited access, allowing integration with automated tools like CLI or Python scripts for efficient reconnaissance

Identify repositories related to the target organization by searching for keywords like the organization name or domain (e.g., "target.com") to uncover public Repos containing sensitive information

Search for sensitive configuration files using path:/WebServer.xml or path:/wp-config.php to find exposed server configurations, database credentials, or API keys inadvertently committed to repositories

Look for command history files with path:**/.bash_history to discover executed commands that may reveal sensitive operations, internal paths, or credentials exposed in public repositories

Identify system files like path:/passwd path:etc or path:/shadow path:etc to uncover repositories containing sensitive server files, indicating potential misconfigurations or leaks

Search for database credentials in configuration files with path:**/config.php dbpasswd to find exposed passwords or connection strings, prioritizing files likely to contain sensitive data

Discover API keys in code with shodan_api_key language:python to identify hardcoded credentials for external services, which could lead to unauthorized access if exploited

Find SQL dump files using path:*.sql mysql dump to uncover database backups containing sensitive data like user information or application schemas exposed in public repositories

Search for environment files with path:**/.env to identify misconfigured repositories exposing environment variables, such as API tokens, database credentials, or secret keys

Look for backup files or sensitive extensions with path:/.bak or path:/.old to find outdated or temporary files that may contain sensitive configurations or data

Identify repositories with specific frameworks like path:/wp-config.php for WordPress or path:/settings.pyfor Django, targeting framework-specific files prone to credential exposure

Use language filters like language:python or language:php to narrow searches to specific programming languages, focusing on codebases likely to contain sensitive logic or hardcoded secrets

Combine organization and keyword searches with org:target_org config to find repositories owned by the target containing specific terms like "config" or "secret," increasing the likelihood of finding sensitive data

Verify findings by accessing the repository and checking file contents to confirm the presence of sensitive information, such as API keys, passwords, or internal paths

Document all relevant findings, including repository URLs, file paths, and snippets of exposed sensitive data, to create a clear proof-of-concept for reporting

Assess the impact of exposed data, such as potential for unauthorized access, data leakage, or privilege escalation, to prioritize findings based on severity

Submit findings through the target’s responsible disclosure program, ensuring clear documentation of the repository, file, and potential impact, distinguishing from unrelated or non-exploitable leaks

Censys

Register with Censys and obtain an API key to access advanced search features and rate-limited queries, enabling seamless integration with tools like the Censys CLI or Python SDK for automated reconnaissance workflows

Define the target scope by using location.country: "Iran" or location.city: "Tehran" to geographically filter results, narrowing down to regional assets relevant to localized bug bounty programs or compliance-focused assessments

Enumerate hosts and subdomains with name: "target.com" to discover exposed hosts associated with the target domain, uncovering forgotten infrastructure or wildcard configurations that expand the potential attack surface

Search IP ranges using ip: [1.1.1.1 to 1.1.255.255] to scan organizational network blocks, identifying internal servers, cloud instances, or development environments for targeted vulnerability testing

Identify login or authentication pages with services.http.response.html_title: "Login Page" to locate exposed admin interfaces, prioritizing them for brute-force, credential stuffing, or XSS assessments

Filter by organization or autonomous system with autonomous_system.name: "Google" or autonomous_system.asn: 13335 to focus on assets owned by the target entity, ensuring results align with bug bounty scope and avoiding unrelated infrastructure

Detect operating systems with operating_system.product: "Windows" to find devices running potentially outdated OS versions, facilitating OS-specific exploit chaining or misconfiguration analysis

Scan for open ports using services.port:80 to enumerate exposed services like HTTP/HTTPS, combining with other filters to prioritize high-risk ports such as 22 for SSH or 445 for SMB

Search for SSL/TLS certificates with services.tls.certificate.parsed.subject.common_name: "target.com" to uncover related domains and subdomains via certificate transparency data, revealing hidden assets or misissued certs

Identify software products and versions with services.software.product: "apache" AND services.observed_at: [2020-01-01 TO 2024-01-01] to detect outdated applications vulnerable to known CVEs, using time-based filters to focus on active, exploitable instances

Query server headers with services.http.response.headers.server: "nginx" to discover web server types and configurations, highlighting potential misconfigurations like exposed version info for targeted exploits

Search for SSH fingerprints using services.ssh.v2.fingerprint_sha256: "dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0" to identify hosts with weak or duplicated keys, assessing risks for brute-force attacks or key compromise

Discover exposed certificates or PEM files with services: (http.response.html_title: "Index of /" and http.response.body: ".pem") to find open directories leaking private keys, enabling privilege escalation or lateral movement testing

Filter for industrial control systems with labels: ics to uncover OT/SCADA devices in scope, targeting critical infrastructure exposures relevant to specialized security programs

Identify vulnerable Exchange servers using services: (http.response.headers: (key: "X-AspNet-Version" and value.headers: "") and http.response.html_title: "Outlook" and not http.response.headers: (key: "x-owa-version" and value.headers: "")) to detect legacy versions prone to RCE like ProxyLogon

Enumerate SMB shares with services: (service_name: SMB and banner: "shared_folder") to find accessible file shares, evaluating unauthorized data access risks in networked environments

Search for domain controllers specifically with "Authentication: disabled" and services: (service_name: NETLOGON and service_name: SYSVOL) and not operating_system.product: "unix" and services.port: 445 to pinpoint Windows AD exposures for credential harvesting or escalation

Query FTP servers for anonymous access with services.ftp.status_code: 230 to identify open anonymous logins, testing for directory traversal or file disclosure vulnerabilities

Locate exposed webcams or IoT devices with services.http.response.headers: (key: "Server" and value.headers: "Webcam") to discover unsecured cameras, assessing default credential risks or command injection

Filter Android IP Webcam servers with services.http.response.html_title: "IP Webcam" to find mobile-exposed streams, checking for unauthorized access or integration with broader network compromises

Identify security DVRs with services.http.response.html_title: "Security DVR" to uncover surveillance systems, prioritizing tests for weak authentication or remote control exploits

Search for printers with services.http.response.headers: (key: "Server" and value.headers: "Printer") to detect networked printing devices, targeting spooler vulnerabilities or credential leaks

Discover Chromecast or smart TVs using services.http.response.headers: (key: "Server" and value.headers: {"Chromecast", "Smart TV"}) to identify media devices, evaluating discovery protocol abuses or unauthorized casting

Query Ethereum miners with services.http.response.html_title: "Ethereum Miner" to find exposed mining rigs, assessing risks like unauthorized pool redirection or resource hijacking

Detect misconfigured WordPress instances with services: (http.response.html_title: "WordPress" and http.response.headers: (key: "Favicon" and value.headers: "c4d2e77e3e9a4c8d4d2e9b6c9f6d3c6f")) to uncover default setups vulnerable to known plugins or theme exploits

Enumerate services on specific ports like services.port: {22,23,24,25} to scan for multiple low-hanging fruits such as SSH, Telnet, or email servers in a single query

Search for Elasticsearch on unusual ports with (services.service_name=ELASTICSEARCH)and service.port=443 to find misconfigured search engines exposing data queries or indices

Zoomeye

Register with Zoomeye and obtain an API key to unlock advanced search capabilities and rate-limited queries, enabling integration with CLI tools or Python scripts for automated reconnaissance and threat intelligence gathering

Define the target scope by querying with hostname: "target.com" to enumerate hosts and subdomains associated with the target domain, uncovering exposed infrastructure or wildcard configurations that broaden the attack surface

Search IP addresses or ranges using ip: "8.8.8.8" or cidr: "192.168.1.0/24" to scan specific addresses or network blocks, identifying internal servers, cloud instances, or organizational assets for vulnerability prioritization

Filter by autonomous system number with asn: 8978 to focus on assets within a specific network provider, aligning results with bug bounty scopes and revealing interconnected infrastructure

Identify open ports using port: 80 or port: {80,22,443} to discover exposed services like HTTP, SSH, or HTTPS, combining with logical OR for multi-port scans to target common entry points efficiently

Search for operating systems with os: "windows" or os: "linux" to find devices running outdated or vulnerable OS versions, facilitating OS-specific exploit research or misconfiguration detection

Enumerate applications and versions using app: "Apache" or ver: "2.1" to detect software with known CVEs, prioritizing outdated instances for RCE or disclosure testing

Query services with service: "http" or service: {"http","ssh"} to locate specific protocols or daemons, using OR logic to uncover diverse exposed endpoints in a single search

Discover devices by type with device: "router" to identify IoT or networking gear, assessing risks like default credentials or firmware vulnerabilities in scoped environments

Filter geographically with country: "IR" or city: "Tehran" to narrow results to regional assets, supporting localized reconnaissance for compliance-driven or geo-specific bug bounties

Search by organization using organization: "Google" to pinpoint assets owned by the target entity, ensuring queries stay within program boundaries and highlight corporate exposures

Query web applications with webapp: "wordpress" to find framework-specific instances, targeting misconfigurations like exposed admin panels or plugin vulnerabilities

Identify products with product: "MySQL" to uncover database servers or tools, evaluating exposure risks such as unauthorized query access or credential leaks

Search server headers or banners with header: "server" to detect web server types like "nginx", revealing version details for targeted exploit development

Filter by descriptions or titles using desc: "hello" or title: "Login" to locate pages with specific content, highlighting authentication interfaces or debug endpoints

Enumerate sites with site: "target.com" to discover indexed web assets, combining with keywords for content-based reconnaissance like exposed APIs or error pages

Use time-based filters with after: "2020-01-01" before: "2024-01-01" to focus on recently active devices, eliminating stale data and prioritizing current, exploitable infrastructure

Query for vulnerabilities with vuln: "CVE-2021-34527" to directly identify assets matching known exploits, streamlining high-impact testing like RCE chains

Combine filters logically with operators like country:"FR" + os:"Linux" to create complex queries, such as (app:"Jenkins" + port:8080) for precise targeting of vulnerable CI/CD tools

Leverage facets for host searches (app, device, service, os, port, country, city) or web searches (webapp, component, framework, frontend, server, waf, os, country, city) to generate summary reports on search distributions, aiding in attack surface prioritization

Document query results including IPs, ports, banners, and geolocations to build a comprehensive asset inventory, verifying exposures with manual follow-up scans

Assess impact by cross-referencing findings with CVE databases or exploit frameworks, prioritizing assets for deeper penetration testing or responsible disclosure

Cheat Sheet

Google

Subdomain Gathering

site:$WEBSITE

Negative Search

-www -shop -share -ir -mfa site:$WEBSITE

File Upload Endpoints

"admin" site:$WEBSITE

Http Title

intitle:"Login" site:$WEBSITE

All http Title

allintitle:"Login" site:$WEBSITE

Http Text

intext:"Login" site:$WEBSITE

File Type

filetype:pdf | 
filetype:csv | 
filetype:xls | 
filetype:json | 
filetype:xml | 
filetype:ini | 
filetype:ppt | 
filetype:docx | 
filetype:doc | 
filetype:pptx | 
filetype:txt | 
filetype:xlsx | 
filetype:env 
site:$WEBSITE

Extension

ext:log | 
ext:txt | 
ext:conf | 
ext:cnf | 
ext:ini | 
ext:env | 
ext:sh | 
ext:bak | 
ext:backup | 
ext:swp | 
ext:old | 
ext:~ | 
ext:git | 
ext:svn | 
ext:htpasswd | 
ext:htaccess | 
ext:json | 
ext:daf 
site:$WEBSITE

Sensitive Documents

ext:txt | 
ext:pdf | 
ext:xml | 
ext:xls | 
ext:xlsx | 
ext:ppt | 
ext:pptx | 
ext:doc | 
ext:docx 
site:$WEBSITE

Sensitive JS

intitle:"index of" inurl:"/js/" ("config.js" | "credentials.js" | "secrets.js" | "keys.js" | "password.js" | "api_keys.js" | "auth_tokens.js" | "access_tokens.js" | "sessions.js" | "authorization.js" | "encryption.js" | "certificates.js" | "ssl_keys.js" | "passphrases.js" | "policies.js" | "permissions.js" | "privileges.js" | "hashes.js" | "salts.js" | "nonces.js" | "signatures.js" | "digests.js" | "tokens.js" | "cookies.js" | "topsecr3tdonotlook.js") site:$WEBSITE

Backup Files

intitle:index.of "backup" OR "bkp" OR "bak" | 
intitle:index.of id_rsa OR id_dsa filetype:key 
site:$WEBSITE

URI

inurl:conf | 
inurl:env | 
inurl:cgi | 
inurl:bin | 
inurl:etc | 
inurl:root | 
inurl:sql | 
inurl:backup | 
inurl:admin | 
inurl:api | 
inurl:swagger | 
inurl:database | 
inurl:php 
site:$WEBSITE

API Endpoints

inurl:api | 
site:*/rest | 
site:*/v1 | 
site:*/v2 | 
site:*/v3 
site:$WEBSITE

High % Inurl Keywords

inurl:conf | 
inurl:env | 
inurl:cgi | 
inurl:bin | 
inurl:etc | 
inurl:root | 
inurl:sql | 
inurl:backup | 
inurl:admin | 
inurl:php 
site:$WEBSITE

Server Errors

inurl:"error" | 
intitle:"exception" | 
intitle:"failure" | 
intitle:"server at" | 
intext:"confidential" | 
intext:"Not for Public Release" | 
intext:"internal use only" | 
intext:"do not distribute" | 
inurl:exception | 
"database error" | 
"SQL syntax" | 
"undefined index" | 
"unhandled exception" | 
"stack trace" | 
inurl:error.log OR inurl:debug.log filetype:log 
site:$WEBSITE

XSS Parameters

inurl:q= | 
inurl:s= | 
inurl:search= | 
inurl:query= | 
inurl:keyword= | 
inurl:lang= | 
inurl:& 
site:$WEBSITE

Open Redirect Parameters

inurl:url= | 
inurl:return= | 
inurl:next= | 
inurl:redirect= | 
inurl:redir= | 
inurl:ret= | 
inurl:r2= | 
inurl:page= | 
inurl:& | 
inurl:http 
site:$WEBSITE

SQLi Parameters

inurl:id= | 
inurl:pid= | 
inurl:category= | 
inurl:cat= | 
inurl:action= | 
inurl:sid= | 
inurl:dir= | 
inurl:& 
site:$WEBSITE

SSRF Parameters

inurl:http | 
inurl:url= | 
inurl:path= | 
inurl:dest= | 
inurl:html= | 
inurl:data= | 
inurl:domain= | 
inurl:page= | 
inurl:& 
site:$WEBSITE

LFI Parameters

inurl:include | 
inurl:dir | 
inurl:detail= | 
inurl:file= | 
inurl:folder= | 
inurl:inc= | 
inurl:locate= | 
inurl:doc= | 
inurl:conf= | 
inurl:& 
site:$WEBSITE

RCE Parameters

inurl:cmd | 
inurl:exec= | 
inurl:query= | 
inurl:code= | 
inurl:do= | 
inurl:run= | 
inurl:read= | 
inurl:ping= | 
inurl:& 
site:$WEBSITE

API Docs

inurl:apidocs | 
inurl:api-docs | 
inurl:swagger | 
inurl:api-explorer 
site:$WEBSITE

inurl:login | 
inurl:signin | 
intitle:login | 
intitle:signin | 
inurl:secure 
site:$WEBSITE

Environments

inurl:test | 
inurl:env | 
inurl:dev | 
inurl:staging | 
inurl:sandbox | 
inurl:debug | 
inurl:temp | 
inurl:exports | 
inurl:downloads | 
inurl:internal | 
inurl:demo 
site:$WEBSITE

Sensitive Parameters

inurl:email= | 
inurl:phone= | 
inurl:password= | 
inurl:pass= | 
inurl:pwd= | 
inurl:secret= | 
inurl:& 
site:$WEBSITE

Cached Site

cache:"$WEBSITE"

Link to a Specific URL

link:$WEBSITE

Bug Bounty Reports

"submit vulnerability report" | 
"powered by bugcrowd" | 
"powered by hackerone" 
site:$WEBSITE

Adobe Experience Manager

inurl:/content/usergenerated | 
inurl:/content/dam | 
inurl:/jcr:content | 
inurl:/libs/granite | 
inurl:/etc/clientlibs | 
inurl:/content/geometrixx | 
inurl:/bin/wcm | 
inurl:/crx/de 
site:$WEBSITE

WordPress

inurl:/wp-admin/admin-ajax.php site:$WEBSITE

Drupal

intext:"Powered by" & intext:Drupal & inurl:user site:$WEBSITE

Joomla

site:*/joomla/login site:$WEBSITE

Shodan

City

city:"Tehran"

Country

country:"IR"

GEO

geo:"56.913055,118.250862"

Vulns

vuln:"CVE-2019-19781"

Hostname

server:"aws" hostname:"$WEBSITE"

Net

net:"210.214.0.0/16"

Http Title

http.title:"Login"

Organization

org:"United States Department"

Autonomous System Number

asn:"AS29068"

Operating System

os:"windows server 2022"

Port

port:"21"

SSL/TLS Certificates

ssl.cert.issuer.cn:"$WEBSITE" ssl.cert.subject.cn:"$WEBSITE"

Before/After

product:"apache" after:"01/01/2020" before:"01/01/2024"

Device Type

device:"webcam"

Product

product:"MySQL"

Server

server:"nginx"

SSH Fingerprint

dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0

PEM Certificates

http.title:"Index of /" http.html:".pem"

Industrial Control Systems

port:"502" port:"102"

Exchange 2013 / 2016

"X-AspNet-Version" http.title:"Outlook" -"x-owa-version"

SMB (Samba) File Shares

"Authentication: disabled" port:445

Specifically Domain Controllers

"Authentication: disabled" NETLOGON SYSVOL -unix port:445

"220" "230 Login successful." port:21

D-Link Webcams

d-Link Internet Camera, 200 OK

Android IP Webcam Server

uncover -s 'Server:"IP Webcam Server" "200 OK"'

Security DVRs

uncover -s 'html:"DVR_H264 ActiveX"'

HP Printers

"Serial Number:" "Built:" "Server: HP HTTP"

Chromecast / Smart TVs

"Chromecast:" port:8008

Ethereum Miners

"ETH" "speed" "Total"

Misconfigured WordPress

http.html:"* The wp-config.php creation script uses this file"

GitHub

WebServers Configuration File

gh search code "path:**/WebServer.xml" -R $URI

.bash_history Commands

gh search code "path:**/.bash_history" -R $URI

/etc/passwd File

gh search code "path:**/passwd path:etc" -R $URI

Password in config.php

gh search code "path:**/config.php dbpasswd" -R $URI

Shodan API Key in Python Script

gh search code "shodan_api_key language:python" -R $URI

/etc/shadow File

gh search code "path:**/shadow path:etc" -R $URI

wp-config.php File

gh search code "path:**/wp-config.php" -R $URI

MySQL Dump File

gh search code "path:*.sql mysql dump" -R $URI

Scan Commits

gh search commits "cve OR vuln OR security OR xss OR ssrf OR sensitive" \
          -R swagger-api/swagger-ui

Scan Pull & Issues

Patch list

gh pr list -S "cve OR vuln OR security OR xss OR ssrf OR sensitive" \
           -s all \
           -R $URI

View details

gh pr view $PR_NUMBER -R $URI

Censys

City

location.city: "Tehran"

Country

location.country: "Iran"

GEO

location.coordinates.latitude: 38.8951 and location.coordinates.longitude: -77.0364

Vulns

vulnerabilities.cve.keyword: "CVE-2021-34527"

Hostname

uncover -cs 'name: "$WEBSITE"'

NET

ip: [1.1.1.1 to 1.1.255.255]

Http Title

services.http.response.html_title: "Login Page"

Organization

autonomous_system.name: "Google"

Autonomous System Number

'autonomous_system.asn: 13335

Operating System

operating_system.product: "Windows"

Port

services.port=`80`

SSL/TLS Certificates

services.tls.certificate.parsed.subject.common_name: "$WEBSITE"

Before/After

services.software.product: "apache" AND services.observed_at: [2020-01-01 TO 2024-01-01]

Device Type

labels: device

Product

services.software.vendor=`Apache`

Server

services.http.response.headers.server: "nginx"

SSH Fingerprint

services.ssh.v2.fingerprint_sha256: "dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0"

PEM Certificates

services: (http.response.html_title: "Index of /" and http.response.body: ".pem")

Industrial Control Systems

labels: ics

Exchange 2013 / 2016

services: (http.response.headers: (key: "X-AspNet-Version" and value.headers: "*") and http.response.html_title: "Outlook" and not http.response.headers: (key: "x-owa-version" and value.headers: "*"))

SMB (Samba) File Shares

services: (service_name: SMB and banner: "shared_folder")

Specifically Domain Controllers

"Authentication: disabled" and services: (service_name: NETLOGON and service_name: SYSVOL) and not operating_system.product: "unix" and services.port: 445

services.ftp.status_code: 230

Webcams

services.http.response.headers: (key: "Server" and value.headers: "Webcam")

Android IP Webcam Server

services.http.response.html_title: "IP Webcam"

Security DVRs

services.http.response.html_title: "Security DVR"

Printers

services.http.response.headers: (key: "Server" and value.headers: "Printer")

Chromecast / Smart TVs

services.http.response.headers: (key: "Server" and value.headers: {"Chromecast", "Smart TV"})

Ethereum Miners

services.http.response.html_title: "Ethereum Miner"

Misconfiguration WordPress

services: (http.response.html_title: "WordPress" and http.response.headers: (key: "Favicon" and value.headers: "c4d2e77e3e9a4c8d4d2e9b6c9f6d3c6f"))

Services on Ports 22-25

services.port: {22,23,24,25}

Elasticsearch Service on Port 443

(services.service_name=`ELASTICSEARCH`) and service.port=`443`

((services.banner_hashes=`sha256:4d3efcb4c2cc2cdb96dddf455977c3291f4b0f6a8a290bfc15e460d917703226`) and labels=`login-page`) and location.country=`Iran`

same_service(services.http.response.favicons.name: */owa/auth/* and services.http.response.html_title={"Outlook Web App", "Outlook"})

Exchange Server in Iran

(services.software.product=`Exchange Server`) and location.country=`Iran`

Zoomeye

GEO

geo:"35.6892,51.3890"

Vuln

vuln:"CVE-2021-34527"

Net

net:"192.168.0.0/24"

Http Title

port:80 AND title:"Login Page"

Organization

organization:"Google"

SSL/TLS Certificates

ssl.cert.subject.cn:"$WEBSITE"

Before/After

product:"apache" after:"2020-01-01" before:"2024-01-01"

Product

product:"Apache"

Server

server:"nginx"

SSH Fingerprint

dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0

PEM Certificates

http.title:"Index of /" http.html:".pem"

Industrial Control Systems

ics:"SCADA"

Exchange 2013 / 2016

"X-AspNet-Version" http.title:"Outlook" -"x-owa-version"

SMB (Samba) File Shares

"Authentication: disabled" port:445

Specifically Domain Controllers

smb.share:"SYSVOL" OR smb.share:"NETLOGON"

port:21 ,ftp.anonymous:"true"

D-Link Webcams

title:"d-Link Internet Camera" AND http.status_code:"200"

Android IP Webcam Server

Server:"IP Webcam Server" "200 OK"

Security DVRs

port:80 AND "DVR_H264 ActiveX"

HP Printers

"Serial Number:" "Built:" "Server: HP HTTP"

Chromecast / Smart TVs

product:"Chromecast" OR product:"Smart TV"

Ethereum Miners

"ETH" "speed" "Total"

Misconfigured WordPress

http.title:"WordPress" AND http.favicon.hash:"c4d2e77e3e9a4c8d4d2e9b6c9f6d3c6f"

Web Application

webapp:wordpress

Version

uver: 2.1

ProFTPD Server

app: ProFTPD

Device Type

device: router

Operating System

os: windows

Service

service: http

IP

ip: 192.168.1.1

Devices in 192.168.1.1/24 Network Range

cidr: 192.168.1.1/24

Hostname

hostname: $WEBSITE

Port

port: 80

City

city: tehran

Country

country: iran

Autonomous System Number

asn: 8978

Header

header: server

Found 'hello' in Description'

desc: hello

Title

title: $WEBSITE

Site

site: $WEBSITE

PreviousReconnaissance NextFingerprint Web Server

Last updated 9 days ago

Check List

Methodology

Google

Shodan

GitHub

Censys

Zoomeye

Cheat Sheet

Google

Subdomain Gathering

Negative Search

File Upload Endpoints

Http Title

All http Title

Http Text

File Type

Extension

Sensitive Documents

Sensitive JS

Backup Files

URI

API Endpoints

High % Inurl Keywords

Server Errors

XSS Parameters

Open Redirect Parameters

SQLi Parameters

SSRF Parameters

LFI Parameters

RCE Parameters

API Docs

Login Pages

Environments

Sensitive Parameters

Cached Site

Link to a Specific URL

Bug Bounty Reports

Adobe Experience Manager

WordPress

Drupal

Joomla

Shodan

City

Country

GEO

Vulns

Hostname

Net

Http Title

Organization

Autonomous System Number

Operating System

Port

SSL/TLS Certificates

Before/After

Device Type

Product

Server

SSH Fingerprint

PEM Certificates

Industrial Control Systems

Exchange 2013 / 2016

SMB (Samba) File Shares

Specifically Domain Controllers

FTP Servers with Anonymous Login

D-Link Webcams

Android IP Webcam Server

Security DVRs

HP Printers

Chromecast / Smart TVs

Ethereum Miners

Misconfigured WordPress

GitHub

WebServers Configuration File

.bash_history Commands

/etc/passwd File

Password in config.php

Shodan API Key in Python Script

/etc/shadow File

wp-config.php File