Search Engine Discovery

Check List

• Identify what sensitive design and configuration information of the application, system, or organization is exposed directly (on the organization’s website) or indirectly (via third-party services).

Cheat Sheet

Google

Subdomains Gathering

site:$WEBSITE

Negative Search

-www -shop -share -ir -mfa site:$WEBSITE 

File Upload Endpoints

"admin" site:$WEBSITE 

Http Title

intitle:"Login" site:$WEBSITE

All http Title

allintitle:"Login" site:$WEBSITE

Http Text

intext:"Login" site:$WEBSITE

File Type

filetype:pdf | 
filetype:csv | 
filetype:xls | 
filetype:json | 
filetype:xml | 
filetype:ini | 
filetype:ppt | 
filetype:docx | 
filetype:doc | 
filetype:pptx | 
filetype:txt | 
filetype:xlsx | 
filetype:env 
site:$WEBSITE

Extension

ext:log | 
ext:txt | 
ext:conf | 
ext:cnf | 
ext:ini | 
ext:env | 
ext:sh | 
ext:bak | 
ext:backup | 
ext:swp | 
ext:old | 
ext:~ | 
ext:git | 
ext:svn | 
ext:htpasswd | 
ext:htaccess | 
ext:json | 
ext:daf 
site:$WEBSITE

Sensitive Documents

ext:txt | 
ext:pdf | 
ext:xml | 
ext:xls | 
ext:xlsx | 
ext:ppt | 
ext:pptx | 
ext:doc | 
ext:docx 
site:$WEBSITE

Sensitive JS Libs

intitle:"index of" inurl:"/js/" ("config.js" | "credentials.js" | "secrets.js" | "keys.js" | "password.js" | "api_keys.js" | "auth_tokens.js" | "access_tokens.js" | "sessions.js" | "authorization.js" | "encryption.js" | "certificates.js" | "ssl_keys.js" | "passphrases.js" | "policies.js" | "permissions.js" | "privileges.js" | "hashes.js" | "salts.js" | "nonces.js" | "signatures.js" | "digests.js" | "tokens.js" | "cookies.js" | "topsecr3tdonotlook.js") site:$WEBSITE

Backup Files

intitle:index.of "backup" OR "bkp" OR "bak" | 
intitle:index.of id_rsa OR id_dsa filetype:key 
site:$WEBSITE

URI

inurl:conf | 
inurl:env | 
inurl:cgi | 
inurl:bin | 
inurl:etc | 
inurl:root | 
inurl:sql | 
inurl:backup | 
inurl:admin | 
inurl:api | 
inurl:swagger | 
inurl:database | 
inurl:php 
site:$WEBSITE

API Endpoints

inurl:api | 
site:*/rest | 
site:*/v1 | 
site:*/v2 | 
site:*/v3 
site:$WEBSITE

High % inurl keywords

inurl:conf | 
inurl:env | 
inurl:cgi | 
inurl:bin | 
inurl:etc | 
inurl:root | 
inurl:sql | 
inurl:backup | 
inurl:admin | 
inurl:php 
site:$WEBSITE

Server Errors

inurl:"error" | 
intitle:"exception" | 
intitle:"failure" | 
intitle:"server at" | 
intext:"confidential" | 
intext:"Not for Public Release" | 
intext:"internal use only" | 
intext:"do not distribute" | 
inurl:exception | 
"database error" | 
"SQL syntax" | 
"undefined index" | 
"unhandled exception" | 
"stack trace" | 
inurl:error.log OR inurl:debug.log filetype:log 
site:$WEBSITE

XSS Parameters

inurl:q= | 
inurl:s= | 
inurl:search= | 
inurl:query= | 
inurl:keyword= | 
inurl:lang= | 
inurl:& 
site:$WEBSITE

Open Redirect Parameters

inurl:url= | 
inurl:return= | 
inurl:next= | 
inurl:redirect= | 
inurl:redir= | 
inurl:ret= | 
inurl:r2= | 
inurl:page= | 
inurl:& | 
inurl:http 
site:$WEBSITE

SQLi Parameters

inurl:id= | 
inurl:pid= | 
inurl:category= | 
inurl:cat= | 
inurl:action= | 
inurl:sid= | 
inurl:dir= | 
inurl:& 
site:$WEBSITE

SSRF Parameters

inurl:http | 
inurl:url= | 
inurl:path= | 
inurl:dest= | 
inurl:html= | 
inurl:data= | 
inurl:domain= | 
inurl:page= | 
inurl:& 
site:$WEBSITE

LFI Parameters

inurl:include | 
inurl:dir | 
inurl:detail= | 
inurl:file= | 
inurl:folder= | 
inurl:inc= | 
inurl:locate= | 
inurl:doc= | 
inurl:conf= | 
inurl:& 
site:$WEBSITE

RCE Parameters

inurl:cmd | 
inurl:exec= | 
inurl:query= | 
inurl:code= | 
inurl:do= | 
inurl:run= | 
inurl:read= | 
inurl:ping= | 
inurl:& 
site:$WEBSITE

API Docs

inurl:apidocs | 
inurl:api-docs | 
inurl:swagger | 
inurl:api-explorer 
site:$WEBSITE

Login Pages

inurl:login | 
inurl:signin | 
intitle:login | 
intitle:signin | 
inurl:secure 
site:$WEBSITE

Test Environments

inurl:test | 
inurl:env | 
inurl:dev | 
inurl:staging | 
inurl:sandbox | 
inurl:debug | 
inurl:temp | 
inurl:exports | 
inurl:downloads | 
inurl:internal | 
inurl:demo 
site:$WEBSITE

Sensitive Parameters

inurl:email= | 
inurl:phone= | 
inurl:password= | 
inurl:pass= | 
inurl:pwd= | 
inurl:secret= | 
inurl:& 
site:$WEBSITE

Cached Site

cache:"$WEBSITE"

Link to a Specific URL

link:$WEBSITE

Bug Bounty Reports

"submit vulnerability report" | 
"powered by bugcrowd" | 
"powered by hackerone" 
site:$WEBSITE

Adobe Experience Manager

inurl:/content/usergenerated | 
inurl:/content/dam | 
inurl:/jcr:content | 
inurl:/libs/granite | 
inurl:/etc/clientlibs | 
inurl:/content/geometrixx | 
inurl:/bin/wcm | 
inurl:/crx/de 
site:$WEBSITE

WordPress

inurl:/wp-admin/admin-ajax.php site:$WEBSITE

Drupal

intext:"Powered by" & intext:Drupal & inurl:user site:$WEBSITE

Joomla

site:*/joomla/login site:$WEBSITE

Duckduckgo

Subdomains

site:$WEBSITE

Http Title

intitle:"Login" site:$WEBSITE

All Http Title

allintitle:"Login" site:$WEBSITE

Http Text

intext:"Login" site:$WEBSITE

File Type

filetype:pdf OR filetype:csv OR filetype:xls site:$WEBSITE

Extension

ext:daf OR ext:bak OR ext:zip OR ext:log site:$WEBSITE

URI

inurl:login | 
inurl:logon | 
inurl:sign-in | 
inurl:signin | 
inurl:portal 
site:$WEBSITE

Cached Site

cache:$WEBSITE

Link to a Specific URL

link:$WEBSITE

Information Site

info:$WEBSITE

Shodan

City

city:"Tehran"

Country

country:"IR"

Geo

geo:"56.913055,118.250862"

Vuln

vuln:"CVE-2019-19781"

Hostname

'server:"aws" hostname:"$WEBSITE"'

Net

net:"210.214.0.0/16"

HTTP Title

http.title:"Login"

Organization

org:"United States Department"

Autonomous System Number

asn:"AS29068"

Operating System

os:"windows server 2022"

Port

port:"21"

SSL/TLS Certificates

ssl.cert.issuer.cn:"$WEBSITE" ssl.cert.subject.cn:"$WEBSITE"

Before/After

product:"apache" after:"01/01/2020" before:"01/01/2024"

Device Type

device:"webcam"

Product

product:"MySQL"

Server

server:"nginx"

SSH Fingerprint

dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0

PEM Certificates

http.title:"Index of /" http.html:".pem"

Industrial Control Systems

'port:"502" port:"102"'

Exchange 2013 / 2016

"X-AspNet-Version" http.title:"Outlook" -"x-owa-version"

SMB (Samba) File Shares

"Authentication: disabled" port:445

Specifically domain controllers

"Authentication: disabled" NETLOGON SYSVOL -unix port:445

FTP Servers with Anonymous Login

"220" "230 Login successful." port:21

D-Link Webcams

d-Link Internet Camera, 200 OK

Android IP Webcam Server

Server:"IP Webcam Server" "200 OK"

Security DVRs

html:"DVR_H264 ActiveX"

HP Printers

"Serial Number:" "Built:" "Server: HP HTTP"

Chromecast / Smart TVs

"Chromecast:" port:8008

Ethereum Miners

“ETH” “speed” “Total”

Misconfigured WordPress

http.html:"* The wp-config.php creation script uses this file"

GitHub

WebServers Configuration File

path:**/WebServer.xml

.bash_history Commands

path:**/.bash_history

/etc/passwd File

path:**/passwd path:etc

Password in config.php

path:**/config.php dbpasswd

Shodan API Key in Python Script

shodan_api_key language:python

/etc/shadow File

path:**/shadow path:etc

wp-config.php File

path:**/wp-config.php

MySQL Dump File

path:*.sql mysql dump

Censys

City

location.city: "Tehran"

Country

location.country: "Iran"

GEO

location.coordinates.latitude: 38.8951 and location.coordinates.longitude: -77.0364

Vuln

vulnerabilities.cve.keyword: "CVE-2021-34527"

Hostname

name: "$WEBSITE"

NET

ip: [1.1.1.1 to 1.1.255.255]

Http Title

services.http.response.html_title: "Login Page" 

Organization

autonomous_system.name: "Google"

Autonomous System Number

autonomous_system.asn: 13335

Operating System

operating_system.product: "Windows"

Port

services.port=`80`

SSL/TLS Certificates

services.tls.certificate.parsed.subject.common_name: "$WEBSITE"

Before/After

services.software.product: "apache" AND services.observed_at: [2020-01-01 TO 2024-01-01]

Device Type

labels: device

Product

services.software.vendor=`Apache`

Server

services.http.response.headers.server: "nginx"

SSH Fingerprint

services.ssh.v2.fingerprint_sha256: "dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0"

PEM Certificates

services: (http.response.html_title: "Index of /" and http.response.body: ".pem")

Industrial Control Systems

labels: ics

Exchange 2013 / 2016

services: (http.response.headers: (key: "X-AspNet-Version" and value.headers: "*") and http.response.html_title: "Outlook" and not http.response.headers: (key: "x-owa-version" and value.headers: "*"))

SMB (Samba) File Shares

services: (service_name: SMB and banner: "shared_folder")

Specifically domain controllers

"Authentication: disabled" and services: (service_name: NETLOGON and service_name: SYSVOL) and not operating_system.product: "unix" and services.port: 445

FTP Servers with Anonymous Login

services.ftp.status_code: 230

Webcams

services.http.response.headers: (key: "Server" and value.headers: "Webcam")

Android IP Webcam Server

services.http.response.html_title: "IP Webcam"

Security DVRs

services.http.response.html_title: "Security DVR"

Printers

services.http.response.headers: (key: "Server" and value.headers: "Printer")

Chromecast / Smart TVs

services.http.response.headers: (key: "Server" and value.headers: {"Chromecast", "Smart TV"})

Ethereum Miners

services.http.response.html_title: "Ethereum Miner"

Misconfigured WordPress

services: (http.response.html_title: "WordPress" and http.response.headers: (key: "Favicon" and value.headers: "c4d2e77e3e9a4c8d4d2e9b6c9f6d3c6f"))

Services on Ports 22-25

services.port: {22,23,24,25}

Elasticsearch Service on Port 443

(services.service_name=`ELASTICSEARCH`) and service.port=`443`

Login Page with Specific Banner Hash in Iran

((services.banner_hashes=`sha256:4d3efcb4c2cc2cdb96dddf455977c3291f4b0f6a8a290bfc15e460d917703226`) and labels=`login-page`) and location.country=`Iran` 

OWA Login Page

same_service(services.http.response.favicons.name: */owa/auth/* and services.http.response.html_title={"Outlook Web App", "Outlook"}) 

Exchange Server in Iran

(services.software.product=`Exchange Server`) and location.country=`Iran` 

Zoomeye

GEO

geo:"35.6892,51.3890"

Vuln

vuln:"CVE-2021-34527"

Net

net:"192.168.0.0/24"

Http Title

port:80 AND title:"Login Page"

Organization

organization:"Google"

SSL/TLS Certificates

ssl.cert.subject.cn:"$WEBSITE"

Before/After

product:"apache" after:"2020-01-01" before:"2024-01-01"

Product

product:"Apache"

Server

server:"nginx"

SSH Fingerprint

dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0

PEM Certificates

http.title:"Index of /" http.html:".pem"

Industrial Control Systems

ics:"SCADA"

Exchange 2013 / 2016

"X-AspNet-Version" http.title:"Outlook" -"x-owa-version"

SMB (Samba) File Shares

"Authentication: disabled" port:445

Specifically domain controllers

smb.share:"SYSVOL" OR smb.share:"NETLOGON"

FTP Servers with Anonymous Login

port:21 ,ftp.anonymous:"true"

D-Link Webcams

title:"d-Link Internet Camera" AND http.status_code:"200"

Android IP Webcam Server

Server:"IP Webcam Server" "200 OK"

Security DVRs

port:80 AND "DVR_H264 ActiveX"

HP Printers

"Serial Number:" "Built:" "Server: HP HTTP"

Chromecast / Smart TVs

product:"Chromecast" OR product:"Smart TV"

Ethereum Miners

“ETH” “speed” “Total”

Misconfigured WordPress

http.title:"WordPress" AND http.favicon.hash:"c4d2e77e3e9a4c8d4d2e9b6c9f6d3c6f"

Web Application

webapp:wordpress

Version

ver: 2.1

ProFTPD Server

app: ProFTPD

Device Type

device: router

Operating System

os: windows

Service

service: http

IP

ip: 192.168.1.1

Devices in 192.168.1.1/24 Network Range

cidr: 192.168.1.1/24 

Hostname

hostname: $WEBSITE

Port

port: 80

City

city: tehran

Country

country: iran

Autonomous System Number

asn:8978

Header

header: server

Found 'hello' in Description'

desc: hello

Title

title: $WEBSITE

Site

site: $WEBSITE