I hope everyone is having a nice holiday. I started reviewing and going through the OWASP methodology check list and the first one talks about search engine recon. I guess I had two quesions if you’d be so kind.
When you do search engine recon. What are you typically looking for? (other than domains, I discover those with DNSdumpster).
The page also says to try and find information using Google Dorks. Do you guys have any favorite Google Dorks you like to utilize on each pentest?
While DNSdumpster is a good tool to use but this will not give you all the subdomains. You could start with DNSdumpster and follow up with tools like fierce and dnsmap which will brute force for subdomains and give you better results. Fierce and dnsmap have a default dictionary bruteforce list; you can brute with your dictionary too. I would recommend you to look at seclists for better subdomain dictionary lists.
There is a firefox addon called “PassiveRecon” you could use which has a google dorks module. Apart from that, you could identify specific kind of URL paths or certain information left by developers and find similar websites and understand more about the application. Google dorks are really powerful. It has helped me find 0 days on certain products.
Some of my favorite google dorks are
inurl:“Some URL path” “index of” - this will find URLs with that specific path having directory listing. This could be useful for finding Insecure Direct object references or Broken access controls.
site:“domain” filetype:pdf OR txt OR any other filetype - will list that particular types of files from the mentioned domain.
Advanced Boolean search queries are useful on occasion, but I wouldn’t count on the ones that can be detected as malicious based purely on the syntax. The reason I say this is that Google can easily tweak their search indices after doing some string verification. They do this to thwart web worms that utilize their service.