This blog is all about Cyber Security and IT

Sunday, April 17, 2022

Passive Recon using Google Dorks and Shodan - Bug Hunting

During bug bounty or hacking.. I always try to find more and more tricks to enumerate for my target domain. So most of the times I love to find free information on google using dorks and Shodan. So I will tell you how we can find very juicy information which I use to broaden my attack surface by finding more (potentially vulnerable) assets and uncovering secrets. 

Google Search

Google already have lots of information but to get information about our target we need to follow some tricks. So we use google dorking which is a technique of making more specific queries to Google Search based on filters and restrictions defined by the user so that the search engine returns more concrete results. It includes filters of the form


and logical operators between the filters

filter:value [OPERATOR] filter:value

Some easy to use filters are

nurl:cmd and allinurl:cmd execute returns results from companies’ domains, like, which belongs to Randstad.


intitle:Organisation intitle:Internal or allintitle:Organisation Internal

intext:password -www

will ask Google to return results from every subdomain of known to it, except for This is a good query to use for additional subdomain discovery, in case your automation missed any subdomains.

Lets try some practical approach inurl:src

returns result with the parameter src in the url, like e.g. Then later, the endpoint can be analysed for possible vulnerabilities, especially if the parameter has a name that points to specific vulnerabilities like e.g. the parameter return points to Open Redirections.

Now if we try to find Dashboard for Jenkins . We can do that like

intitle:"Dashboard [Jenkins]"

This will return a public Jenkins instance belonging to, if there is any.

Many more info about google dorkings can be found at which contains large number of Google dorks queries for uncovering secrets and information on a target, like e.g. discovering private keys with the query

Now lets talk about SHODAN and how we can use it to find relevant information about our target

This project  collects information about web servers such as open ports, services running on those ports and their banners. 

To use Shodan , we need paid account then only you can explore to the highest level. To use it we also need to use tricks as we use google dorks. So below are some of the ways how we can use this search engine.


Returns the servers with the specified http status code, e.g. http.status:200.


Queries for the specified http title that can be found in the banners. A distinctive example is the shodan dork used to find BIG IP vulnerable components: http.title:"BIG-IP®- Redirect".


Returns servers with the specified web technology that is used on the website, e.g. http.component:"jenkins".


Finds servers with the specified string included in the SSL certificate, e.g. ssl:"Microsoft". This Filter can be further specified with ssl.expired, ssl.version (more on the resources).


Finds servers with IP belonging to the specified organization’s netblock, e.g., org:"Microsoft"


The port filter returns components with the specified port open, e.g. port:8080.


Using this filter shodan returns servers running the specified operating system, e.g. os:Windows.


Using this filter shodan returns devices running this specific product, e.g. product:"Apache Tomcat" or product:"IIS Windows Server"


The version filter is to be combined with the product filter. It specifies the version of the specified product, e.g. product:"Apache Tomcat" version:"7.0.82"


This filter is only available to academic users or Small Business API subscriptions and higher. It’s used to to return components vulnerable to the specified CVE identifier, e.g. vuln:cve-2010-2730.


Using search engines for passive reconnaissance, either that is endpoint or secret or subdomain discovery, requires a lot of digging and can take some time. But when it comes to bug hunting, the more digging a bug requires the more probable it is to not be a dupe. Testing out the filters and creating unique and creative queries is the key.


Post a Comment