DorkHunter: Advanced OSINT For Penetration Testing

George Ragsdale
5 min read · Jun 21, 2024


Let's get right into it.

I developed a command line tool called DorkHunter to help penetration testers become more efficient in the reconnaissance stage. Please click the hyperlink to view the code.

DorkHunter is a command-line script that automates the hunt for vulnerabilities and sensitive information on websites using advanced search queries known as “Google Dorks.” By systematically querying search engines with specially crafted search strings, DorkHunter can uncover exposed files, directories, and configurations that are indexed publicly but were never intended for public access. DorkHunter searches for several kinds of information: files, names, usernames, emails, phone numbers, and images. For each request it opens 20 result pages at a time.

(Screenshot: search of your choice)

This tool is particularly useful for cybersecurity professionals conducting penetration testing or security audits.

DorkHunter leverages a variety of Google dork commands to perform advanced searches for files, names, usernames, emails, phone numbers, and images. For file searches, DorkHunter uses the filetype: command to specify desired file formats such as PDF, DOC, DOCX, XLS, XLSX, PPT, PPTX, TXT, RTF, ODT, ODS, ODP, XML, JSON, CSV, EPUB, MOBI, LOG, BAK, CFG, INI, PHP, ASP, ASPX, JSP, and HTML. This enables precise searches for documents and other file types within specified websites.

When searching for names, DorkHunter utilizes various advanced operators to find information on social media platforms and professional websites. The commands include site:linkedin.com, site:facebook.com, site:twitter.com, site:instagram.com, site:github.com, site:medium.com, site:reddit.com, and site:quora.com. It also searches for terms like “CV” or “resume,” “biography” or “bio,” “contact information,” “email address,” and “phone number.” Additional commands target open directory listings with intitle:"index of" "parent directory" and other specific details like home address and contact details.

For username searches, DorkHunter uses commands that target profile pages and user-related content on various websites, including intitle:"index of" "username", inurl:"profile" "username", and inurl:"user" "username". Specific sites like GitHub, Stack Overflow, Reddit, Twitter, Facebook, Instagram, LinkedIn, Medium, Pinterest, Quora, Bitbucket, GitLab, WordPress, Blogger, and Discord are included to cover a wide range of online platforms.

Email searches are conducted using common email providers and file extensions associated with emails. DorkHunter searches for emails from providers like Gmail, Yahoo, Hotmail, AOL, Comcast, Outlook, iCloud, Mail.com, Zoho, Yandex, ProtonMail, GMX, Lycos, Inbox.com, FastMail, Ymail, Googlemail, Live.com, and Spectrum.net. It also looks for email-related files with extensions like EML, MSG, MBOX, EMAIL, MAIL, and MSF.

When searching for phone numbers, DorkHunter accounts for various formats to capture all possible variations. These include formats like 1234567890, 123-456-7890, (123) 456-7890, +1 123 456 7890, and 123.456.7890. Contextual searches include terms like “phone number,” “contact,” “cell,” “mobile,” “home phone,” and “fax” to ensure comprehensive search results.

Finally, image searches are performed using the filetype: command for formats such as JPG, JPEG, PNG, GIF, BMP, TIFF, WEBP, SVG, ICO, PSD, EPS, AI, RAW, CR2, NEF, ORF, SR2, HEIC, INDD, and JPE. Advanced image searches include intitle:"index of" "image", as well as terms like “photo,” “picture,” “graphic,” “drawing,” “illustration,” “artwork,” “screenshot,” and “icon.” This comprehensive use of Google dorks allows DorkHunter to efficiently and accurately locate specific types of information across the internet.
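To make the query construction described above concrete, here is an added example (not DorkHunter's own code) that assembles the dork strings for each of the six search types from the operators the article names, groups the resulting result-page URLs into batches of 20, and derives the five phone-number layouts from any 10-digit number. It runs offline: nothing here contacts a search engine, which is also how a security team would first review the query set it intends to run against a domain it is authorized to assess. The operator names and the file, site and provider lists are the article's (trimmed for length); the function names and the way the pieces are combined are this example's own assumptions.

```python
"""Assemble Google-dork query strings of the kinds the article describes.

Added example, not DorkHunter's own code. Runs offline: it only builds query
strings and the search URLs a browser would open. Lists are trimmed from the
article's; the function names and combinations are this example's assumptions.
"""
import re
from urllib.parse import quote_plus

FILE_TYPES = ["pdf", "doc", "docx", "xls", "xlsx", "txt", "xml", "json",
              "csv", "log", "bak", "cfg", "ini"]
IMAGE_TYPES = ["jpg", "jpeg", "png", "gif", "bmp", "tiff", "webp", "svg", "psd", "raw"]
NAME_SITES = ["linkedin.com", "facebook.com", "twitter.com", "instagram.com",
              "github.com", "medium.com", "reddit.com", "quora.com"]
EMAIL_PROVIDERS = ["gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "protonmail.com"]
EMAIL_FILES = ["eml", "msg", "mbox"]
PHONE_CONTEXT = ["phone number", "contact", "cell", "mobile", "home phone", "fax"]
PAGES_PER_BATCH = 20  # the article: 20 web pages are opened per request


def q(term):
    """Exact-phrase quoting; embedded quotes are stripped so a term cannot break the query."""
    return '"' + term.replace('"', "") + '"'


def scope(domain):
    """Optional site: restriction appended to every query of a run."""
    return f" site:{domain}" if domain else ""


def phone_variants(number):
    """The five layouts the article lists, derived from any 10-digit North American number."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    if len(digits) != 10:
        raise ValueError("expected a 10-digit North American number")
    a, b, c = digits[:3], digits[3:6], digits[6:]
    return [f"{a}{b}{c}", f"{a}-{b}-{c}", f"({a}) {b}-{c}",
            f"+1 {a} {b} {c}", f"{a}.{b}.{c}"]


def build_queries(kind, term, domain=None):
    """Return the list of dork strings for one search type."""
    s = scope(domain)
    if kind == "file":
        return [f"{q(term)} filetype:{ext}{s}" for ext in FILE_TYPES]
    if kind == "image":
        return ([f"{q(term)} filetype:{ext}{s}" for ext in IMAGE_TYPES]
                + [f'{q(term)} intitle:"index of" "image"{s}'])
    if kind == "name":
        # Platform searches carry their own site: operator, so the run-level
        # domain restriction is not added to them.
        queries = [f"{q(term)} site:{site}" for site in NAME_SITES]
        queries += [f"{q(term)} {q(word)}{s}"
                    for word in ("CV", "resume", "biography", "contact information")]
        queries.append(f'{q(term)} intitle:"index of" "parent directory"{s}')
        return queries
    if kind == "username":
        return [f'intitle:"index of" {q(term)}{s}',
                f'inurl:"profile" {q(term)}{s}',
                f'inurl:"user" {q(term)}{s}']
    if kind == "email":
        return ([f'{q(term)} "@{prov}"{s}' for prov in EMAIL_PROVIDERS]
                + [f"{q(term)} filetype:{ext}{s}" for ext in EMAIL_FILES])
    if kind == "phone":
        variants = phone_variants(term)
        alternatives = "(" + " OR ".join(q(v) for v in variants) + ")"
        return ([f"{q(v)}{s}" for v in variants]
                + [f"{alternatives} {q(ctx)}{s}" for ctx in PHONE_CONTEXT])
    raise ValueError(f"unknown search type: {kind}")


def search_urls(queries):
    """Google result-page URLs for the queries, percent-encoded."""
    return ["https://www.google.com/search?q=" + quote_plus(query) for query in queries]


def batches(items, size=PAGES_PER_BATCH):
    """Split a list into groups of `size`, one group per request."""
    return [items[i:i + size] for i in range(0, len(items), size)]


if __name__ == "__main__":
    queries = build_queries("file", "internal use only", domain="example.com")
    for group in batches(search_urls(queries)):
        print(f"batch of {len(group)} pages, first: {group[0]}")
```

The `q()` helper strips quotation marks from user input before wrapping it, so a term containing a stray quote cannot unbalance the query; the phone helper normalises whatever punctuation the user typed before emitting the five layouts, which is why a number entered as +1 (123) 456-7890 yields the same variants as 123.456.7890.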

One of the key features of DorkHunter is its ability to document each search systematically. Each time a search is conducted, the script appends detailed information about the search to a single document located in a folder named dorkhunter_analytics.

(Screenshot: log of searches saved in dorkhunter_log.txt)

Each entry records the timestamp of the search, the type of search performed, the specific query used, and any domain restriction applied. Entries are written in a consistent, readable layout and clearly separated from one another for quick reference. During a penetration test this record matters: the tester can show exactly what was searched and when, which supports the credibility of the findings. The documentation brings three benefits.

First, DorkHunter keeps a complete record of all search activity, which is invaluable for tracking and auditing, especially in engagements where many searches are run over time and past queries need to be reviewed in context. Second, because everything lands in one consolidated document, the data is easy to manage and analyze, so users can spot patterns in their search history. Finally, the clear, organized layout makes past searches simple to retrieve and understand, which saves time when using Google dorks for information retrieval.
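As an added example of the logging just described (this is not DorkHunter's own code), the following writes one timestamped entry per search to dorkhunter_analytics/dorkhunter_log.txt in append mode, separates entries with a marker line, and includes a reader that parses the file back into records so the log can actually be audited and summarised rather than only read by eye. The folder and file names come from the article; the exact field layout, the separator and the reader and summary functions are this example's own assumptions.

```python
"""Append-only search log in the layout the article describes, plus a reader.

Added example, not DorkHunter's own code. Folder and file names are the
article's; the field layout, separator and reader are this example's own.
"""
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path
import tempfile

LOG_DIR = "dorkhunter_analytics"
LOG_FILE = "dorkhunter_log.txt"
SEPARATOR = "-" * 40  # one marker line between entries keeps the file easy to scan


def log_search(kind, query, domain=None, base_dir=".", when=None):
    """Append one entry (timestamp, type, query, domain) and return the log path."""
    stamp = (when or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    folder = Path(base_dir) / LOG_DIR
    folder.mkdir(parents=True, exist_ok=True)
    path = folder / LOG_FILE
    entry = "\n".join([
        f"timestamp: {stamp}",
        f"type: {kind}",
        f"query: {query}",
        f"domain: {domain or 'none'}",
        SEPARATOR,
        "",
    ])
    # Append mode: earlier engagements' entries are never overwritten.
    with path.open("a", encoding="utf-8") as fh:
        fh.write(entry)
    return path


def read_log(path):
    """Parse the file back into one dict per entry for review or audit."""
    entries, current = [], {}
    for line in Path(path).read_text(encoding="utf-8").splitlines():
        if line == SEPARATOR:
            if current:
                entries.append(current)
            current = {}
        elif ":" in line:
            # Split on the first colon only: queries themselves contain "filetype:" etc.
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return entries


def count_by_type(entries):
    """How many searches of each type were run; a first pass at spotting patterns."""
    return Counter(entry["type"] for entry in entries)


def demo(base_dir=None):
    """Write two constructed entries into a scratch folder and read them back."""
    base_dir = base_dir or tempfile.mkdtemp()
    fixed = datetime(2024, 6, 21, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    log_search("file", '"internal use only" filetype:pdf site:example.com',
               domain="example.com", base_dir=base_dir, when=fixed)
    log_search("username", 'inurl:"profile" "jdoe"', base_dir=base_dir, when=fixed)
    return read_log(Path(base_dir) / LOG_DIR / LOG_FILE)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Timestamps are written in UTC ISO 8601 form so entries from different machines and time zones sort correctly; the reader splits each line on its first colon only, because the query field legitimately contains colons from operators such as filetype: and site:.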

DorkHunter assists with anonymity!

Operational security often requires moving through the internet anonymously and efficiently. DorkHunter helps on the efficiency side by letting users run through the full set of searches with little time spent, and as a command-line tool compatible with Linux and Mac systems it takes up minimal space and is easy to distribute, making it a versatile addition to any security toolkit. Its logging is a standout feature: because every search is time-stamped and written to a dedicated file, users can delete their browser history without losing the record of past searches. Keep in mind what that log does and does not do: it preserves your own record of the work locally, while what the search engine and the network in between observe depends on how your traffic is routed, which is where the Tails and Tor setup described below comes in. Together, the log and a properly routed connection preserve the search data while limiting the traces left behind.

I like to use DorkHunter preloaded on my Tails flash drive (see hyperlink).

After booting Tails and connecting to the internet through the Tor network, open the Terminal application and set up the DorkHunter script so that it is ready for advanced Google dork searches. Tails is amnesic by default, so the script and its dorkhunter_analytics folder survive a reboot only if they are placed in Persistent Storage; otherwise both are gone at shutdown. Combining Tails with DorkHunter lets you run the full set of searches while maintaining a high level of anonymity and privacy: the searches are comprehensive, the traffic goes over Tor, and minimal traces are left on the system.

For those new to this, here is a bit about OSINT and recon.

Reconnaissance is the process of gathering information about an enemy or potential adversary to better understand their capabilities, intentions, and vulnerabilities. This activity typically involves observing, collecting data, and analyzing the gathered information to support decision-making and strategic planning. Reconnaissance can be conducted through various means, including direct observation, satellite imagery, human intelligence (HUMINT), and signals intelligence (SIGINT).

Connection with OSINT (Open Source Intelligence)

OSINT stands for Open Source Intelligence and refers to the collection and analysis of information that is publicly available and legally accessible. This type of intelligence gathering leverages sources such as:

In conclusion, DorkHunter stands out as an indispensable tool for anyone looking to optimize their online search experience. Its lightweight, command-line interface ensures it is both easily deployable and unobtrusive on Linux and Mac systems. By automatically logging and timestamping search results, DorkHunter provides users with a well-organized and clear record of their searches, enhancing operational security and efficiency. Whether for professional or personal use, DorkHunter proves to be a reliable and robust resource, making the task of navigating the vast expanse of the internet more streamlined and effective.

Stay Vigilant!
