Tips for an Information Security Analyst/Pentester career - Ep. 17: OSINT (pt. 3)

Over the last episodes, we've analyzed OSINT (open source intelligence, aka passive reconnaissance), but we mostly focused on specific tools.

This time, all we're gonna need is our web browser and the Google search engine.

Google supports advanced search operators, commonly called Google Dorks, that can be invaluable for mining data on a target.

A comprehensive list of these queries is available in the Google Hacking Database.

In this post, I'm only going through some of them.

a) site: directive

It restricts the search for given keywords to a single website. In my example, I searched for Mark Russinovich on www.microsoft.com.

The search allowed me to find the Sysinternals Suite official download link from Microsoft's website.

b) allintitle:index

Searches for a specific page titled index. I could retrieve a page containing a (very likely illegal) movie database uploaded to a web or cloud server. This type of search may reveal similar webpages that are not supposed to be publicly accessible.

c) inurl:admin

It may reveal administrative or configuration webpages on the target website.


d) cache: directive

By running cache: followed by the URL to check, cached versions of our target website can be recovered. Cached pages might contain useful, sometimes precious, information that was not supposed to be there, which is why it was removed.

Unluckily for defenders and luckily for hackers, a copy of a deleted page is stored in the web server cache for a while.

In my video, I used this directive: 
It returns a cached page.

e) site: + filetype:

We use the site: directive as before, but this time we want to recover specific document types, i.e. files with a given extension. For example, if we want to retrieve PDFs only from Microsoft's site, we'd need to use:

You can find more directive examples in the embedded video.

Wrap-up

Armed only with your browser, you can wreak a lot of havoc.

Google Dorks should be in the bag of tricks of any security professional.

I need to stress here that, when you click any of the links you found with these search techniques, your OSINT, or passive recon, becomes active recon.
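That transition is exactly what a defender can watch for: the moment a dork result is clicked, the target's web server logs a request whose Referer points at a search engine, often landing on the kind of page the operators above surface (admin pages, directory indexes, PDFs). The following is an added example, not code from the post: it parses a few constructed Apache "combined" log lines, flags sensitive paths reached from a search engine, and, where the referer still carries the query, records which of the operators discussed above (site:, inurl:, allintitle:, filetype:, cache:) appeared in it. It assumes the log format and sample lines shown; modern search engines usually strip the query from the Referer, so the operator list will often be empty, as the third line illustrates.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /admin/login.php HTTP/1.1" 200 2326 "https://www.google.com/search?q=inurl%3Aadmin+site%3Aexample.com" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /backups/ HTTP/1.1" 200 1290 "https://www.google.com/search?q=allintitle%3Aindex+of+site%3Aexample.com" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:14:02:10 +0000] "GET /docs/handbook.pdf HTTP/1.1" 200 88213 "https://www.google.com/" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:05:44 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# One regex for the combined log format: client IP, timestamp, request line, status, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SEARCH_HOSTS = ("google.", "bing.com", "duckduckgo.com")
# Paths worth a second look when reached straight from a search result (assumed list).
SENSITIVE_PATH = re.compile(r"(/admin|/backup|/config|\.pdf$|\.xlsx?$|/$)", re.I)
DORK_OPERATORS = ("site:", "inurl:", "intitle:", "allintitle:", "filetype:", "cache:")


def search_query(referer):
    """Return the decoded q= parameter if the referer is a search engine, else None."""
    if referer in ("", "-"):
        return None
    u = urlparse(referer)
    if not any(h in u.netloc for h in SEARCH_HOSTS):
        return None
    # parse_qs already decodes %3A and '+'; a referer without q= yields "".
    return parse_qs(u.query).get("q", [""])[0]


def find_dork_hits(log_text):
    """Return one dict per request to a sensitive path that arrived from a search engine."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        q = search_query(m["referer"])
        if q is None or not SENSITIVE_PATH.search(m["path"]):
            continue
        # Lookbehind keeps "intitle:" from matching inside "allintitle:".
        ops = [op for op in DORK_OPERATORS if re.search(r"(?<![a-z])" + re.escape(op), q.lower())]
        hits.append({"ip": m["ip"], "path": m["path"], "status": int(m["status"]),
                     "query": q, "operators": ops})
    return hits
```

Feeding a real access log to find_dork_hits gives a quick list of which exposed pages search engines are already steering visitors to; a hit with a 200 status on an admin or index path is a cue to restrict or deindex it.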

Of course, don't use the results from these searches for performing illegal activities.

Now you know enough to be dangerous. Google yourself and see if you find something out there that should supposedly be private.

That'll be my next assignment for you guys, but, until the next episode, thank you for your time and patience.
