Move your fingertips and hit your finger
Search engine is the most used tool in my daily work. The commonly used search engines in China include Baidu, sougou, bing and so on. But what I want to record in this article is not these commonly used search engines, but several web search engines that are necessary for information security practitioners. The search engines to be introduced in this article include: Shodan, censys, Zhong Yanzhi, Google, FoFa, Dnsdb, etc. The content of the introduction is mainly some advanced grammar of these search engines. Mastering advanced grammar will make the search results more accurate.
- For the forgotten search engine grammar, this article can be used as a reference, nothing more*
The reason why we want to introduce the google search engine is because it is different from Baidu, Sogou and other content search engines. It has an unusual position in the security industry, and even has a special term for google hacking to describe google and security is unusual. Relationship.
Index of/ Use it to go directly to all files and folders under the home page of the website.
Intext: will return all pages that contain keywords in the body of the page.
Intitle: will return all pages with keywords in the title of the page.
Cache: Search for a cache of certain content in google.
Define: Search for the definition of a word.
Filetype: Search for the specified file type, such as: .bak, .mdb, .inc, etc.
Info: Find some basic information about the specified site.
Inurl: Searches if the character we specify exists in the URL.
Link: link:thief.one returns all URLs that are linked to thief.one.
Site: site:thief.one will return all URLs associated with this site.
- List the words that google may ignore as the scope of the query.
- Ignore a word, example: new plus - slope.
~ Agree words.
. A single wildcard.
- A wildcard that can represent multiple letters.
“” Exact query.
Use goole to search for database files that can be downloaded directly on the Internet. The syntax is as follows:
Use google to search for sensitive information on some websites. The syntax is as follows:
This trick comes from [lostwolf] (http://wolvez.club/)
The service information of the 220.127.116.11/24 network can be obtained through google.
The shodan network search engine is biased towards network devices and server searches. The specific content can be viewed online. Here is its advanced search syntax.
- hostname: Search for the specified host or domain name, for example hostname:”google”
- port: Search for the specified port or service, for example port: “21”
- country: Search for the specified country, for example country:”CN”
- city: Search for the specified city, for example city:”Hefei”
- org: Search for a specific organization or company, such as org:”google”
- isp: Search for the specified ISP provider, for example isp: “China Telecom”
- product: Search for the specified operating system/software/platform, for example product:”Apache httpd”
- version: Search for the specified software version, for example version: “1.6.2”
- geo: Search for a specific geographic location, such as geo:”31.8639, 117.2808”
- before/after: Search for data before and after the specified collection time, in the format dd-mm-yy, for example before:”11-11-15”
- net: Search for the specified IP address or subnet, for example net: “18.104.22.168/24”
The above content reference: http://xiaix.me/shodan-xin-shou-ru-keng-zhi-nan/
The censys search engine function is similar to shodan, the following document information.
By default censys supports full-text retrieval.
- 22.214.171.124/8 or 126.96.36.199/24 can use and or not
- 80.http.get.status_code: 200 specified status
- 80.http.get.status_code:[200 TO 300] Status code between 200-300
- location.country_code: DE country
- protocols: (“23/telnet” or “21/ftp”) Protocol
- tags: scada tag
- 80.http.get.headers.server: nginx server type version
- autonomous_system.description: University System Description
The eyes of Zhong Rongzhi’s search engine are biased towards web application level search.
- app: nginx component name
- ver: version 1.0
- os: windows operating system
- country:”China” country
- city:”hangzhou” city
- port: port 80
- hostname: google hostname
- site:thief.one website domain name
- desc:nmask description
- service: ftp service type
- ip: 188.8.131.52 ip address
- cidr: 184.108.40.206/24 ip address segment
The FoFa search engine is biased towards asset search.
- title=”abc” Search for abc from the title. Example: There is a website in Beijing in the title.
- header=”abc” Search for abc from the http header. Example: jboss server.
- body=”abc” Search for abc from the html body. Example: The body contains Hacked by.
- domain=”qq.com” Search for websites with root domains with qq.com. Example: The root domain name is the website of qq.com.
- host=”.gov.cn” Search for .gov.cn from the url, pay attention to the search to use host as the name.
- port=”443” Find the corresponding port 443 asset. Example: Find the corresponding port 443 asset.
- ip=”220.127.116.11” Search the website containing 18.104.22.168 from ip, pay attention to the search to use ip as the name.
- protocol=”https” Search for the protocol type (valid when port scanning is enabled). Example: Query the https protocol asset.
- city=”Beijing” searches for assets in a given city. Example: Search for assets in a given city.
- region=”Zhejiang” Search for assets in a designated administrative district. Example: Search for assets in a designated administrative district.
- country=”CN” Searches for assets in a specified country (code). Example: Search for assets in a specified country (code).
- cert=”google.com” Search for certificates with google.com in certificates (https or imaps, etc.).
- title=”powered by” && title!=discuz
- title!=”powered by” && body=discuz
- ( body=”content=\”WordPress” || (header=”X-Pingback” && header=”/xmlrpc.php” && body=”/wp-includes/“) ) && host=”gov.cn”
The dnsdb search engine is a query platform for dbs parsing.
The DnsDB query syntax structure is conditional 1 condition 2 condition 3 …., each condition is separated by spaces, and DnsDB will return the result satisfying all the query conditions to the user.
Domain name query refers to querying all DNS records of the top private domain name. The query syntax is domain:
For example, query all DNS records for google.com: domain:google.com.
Domain name query can omit domain:.
Query syntax: host:
For example, query the DNS record with the host address mp3.example.com: host:map3.example.com
The difference between the host query condition and the domain name query query condition is that the host query matches the Host value of the DNS record.
Query syntax: type:
For example, only query A records: type:a
Usage: The domain: or host: condition must exist before the type: query syntax can be used.
Query syntax: ip:
Query the specified IP: ip: 22.214.171.124, the query is equivalent to the direct input 126.96.36.199 query
Query the specified IP range: ip: 188.8.131.52-184.108.40.206
CIDR: IP: 220.127.116.11/24
IP maximum range limit 65536
Query all A records for google.com: google.com type:a
This article will continue to add some content…
[[Infiltration artifact series] nc] (http://thief.one/2017/04/10/1/)
[Infiltration artifact series] nmap
[[Infiltration Artifact Series] Fiddler] (http://thief.one/2017/04/27/1)
[[Infiltration Artifact Series] WireShark] (http://thief.one/2017/02/09/WireShark%E8%BF%87%E6%BB%A4%E8%A7%84%E5%88%99/)