Infiltration artifact series search engine

Move your fingertips and hit your finger

Search engines are the tools I use most in my daily work. The commonly used search engines in China include Baidu, Sogou, Bing and so on. What I want to record in this article, however, is not these general-purpose search engines but several web search engines that are essential for information security practitioners. The search engines introduced in this article include Shodan, Censys, ZoomEye, Google, FoFa, Dnsdb, etc. The article mainly covers the advanced syntax of these search engines. Mastering the advanced syntax makes search results more accurate.

  • This article is meant only as a reference for search-engine syntax you may have forgotten, nothing more.

Google Search Engine

The Google search engine is introduced here because it differs from Baidu, Sogou and other content search engines. It holds an unusual position in the security industry: there is even a dedicated term, Google hacking, to describe the unusual relationship between Google and security.

Google basic syntax

index of/ Use it to go directly to all files and folders under the home directory of the website.
intext: Returns all pages that contain the keyword in the body of the page.
intitle: Returns all pages that contain the keyword in the title of the page.
cache: Searches Google's cache of certain content.
define: Searches for the definition of a word.
filetype: Searches for the specified file type, such as .bak, .mdb, .inc, etc.
info: Finds some basic information about the specified site.
inurl: Searches for pages whose URL contains the specified string.
link: link:thief.one returns all URLs that link to thief.one.
site: site:thief.one returns all URLs associated with this site.

  • + Includes in the query scope a word that Google might otherwise ignore.
  • - Ignore a word, example: new plus - slope.
  • ~ Synonyms.
  • . A single-character wildcard.
  • * A wildcard that can represent multiple letters.
  • "" Exact query.

Searching for different country websites

inurl:tw Taiwan
inurl:jp Japan

Using Google hacking

Use Google to search for database files that can be downloaded directly from the Internet. The syntax is as follows:

inurl:editor/db/
inurl:eWebEditor/db/
inurl:bbs/data/
inurl:databackup/
inurl:blog/data/
inurl:\boke\data
inurl:bbs/database/
inurl:conn.asp
inc/conn.asp
allinurl:bbs data
filetype:mdb inurl:database
filetype:inc conn
inurl:data filetype:mdb
intitle:"index of" data

Searching for sensitive information with Google

Use Google to search for sensitive information on some websites. The syntax is as follows:

intitle:"index of" etc
intitle:"Index of" .sh_history
intitle:"Index of" .bash_history
intitle:"index of" passwd
intitle:"index of" people.lst
intitle:"index of" pwd.db
intitle:"index of" etc/shadow
intitle:"index of" spwd
intitle:"index of" master.passwd
intitle:"index of" htpasswd
inurl:service.pwd
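
The two query lists above describe what a crawler can find once such files sit under a web root. As an added example (not code from the original article), the Python sketch below audits a web root you operate for the same file names, extensions and directory names; the function names, the grouping into three sets and the sample tree are assumptions made for illustration.

```python
import os
import tempfile

# Names, extensions and directories taken from the queries listed on this page.
RISKY_NAMES = {"conn.asp", "sh_history", "bash_history", "passwd", "people.lst",
               "pwd.db", "shadow", "spwd", "master.passwd", "htpasswd",
               "service.pwd"}
RISKY_EXTS = {".mdb", ".inc", ".bak"}
RISKY_DIRS = {"db", "data", "database", "databackup"}


def audit_webroot(root):
    """Return sorted (relative_path, reason) pairs for files a dork would surface."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        parts = set() if rel_dir == "." else set(rel_dir.lower().split(os.sep))
        for name in files:
            low = name.lower()
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            if low.lstrip(".") in RISKY_NAMES:          # .htpasswd == htpasswd
                findings.append((rel, "sensitive file name"))
            elif os.path.splitext(low)[1] in RISKY_EXTS:
                findings.append((rel, "downloadable database/include/backup"))
            elif parts & RISKY_DIRS:
                findings.append((rel, "file inside a data directory"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample layout, not taken from any real site."""
    for rel in ("index.html", "bbs/data/forum.mdb", "inc/conn.asp",
                "databackup/2017.zip", "admin/.htpasswd", "img/logo.png"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in audit_webroot(tmp):
            print(f"{rel}: {reason}")
```

Anything the audit reports should be moved out of the web root or blocked by the server configuration, and directory listing should be turned off so that "index of" pages are never generated.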

Searching for C-segment (/24) server information using Google

This trick comes from [lostwolf](http://wolvez.club/)

site:218.87.21.*

Information about services in the 218.87.21.0/24 network can be obtained through Google.

Shodan Search Engine

The Shodan network search engine is biased towards searching for network devices and servers. The details can be viewed on its website. Here is its advanced search syntax.
Address: https://www.shodan.io/

Search syntax

  • hostname: Search for the specified host or domain name, for example hostname:"google"
  • port: Search for the specified port or service, for example port:"21"
  • country: Search for the specified country, for example country:"CN"
  • city: Search for the specified city, for example city:"Hefei"
  • org: Search for a specific organization or company, for example org:"google"
  • isp: Search for the specified ISP, for example isp:"China Telecom"
  • product: Search for the specified operating system/software/platform, for example product:"Apache httpd"
  • version: Search for the specified software version, for example version:"1.6.2"
  • geo: Search for a specific geographic location, for example geo:"31.8639, 117.2808"
  • before/after: Search for data collected before or after the specified time, in the format dd-mm-yy, for example before:"11-11-15"
  • net: Search for the specified IP address or subnet, for example net:"210.45.240.0/24"

Reference for the above content: http://xiaix.me/shodan-xin-shou-ru-keng-zhi-nan/

Censys Search Engine

The Censys search engine is similar in function to Shodan. Its documentation and query pages are listed below.
Address: https://www.censys.io/

https://www.censys.io/certificates/help Help documentation
https://www.censys.io/ipv4?q= IP query
https://www.censys.io/domain?q= Domain name query
https://www.censys.io/certificates?q= Certificate query

Search syntax

By default Censys supports full-text search.

  • 23.0.0.0/8 or 8.8.8.0/24 The operators and, or, not can be used
  • 80.http.get.status_code: 200 A specific status code
  • 80.http.get.status_code:[200 TO 300] Status code between 200 and 300
  • location.country_code: DE Country
  • protocols: ("23/telnet" or "21/ftp") Protocol
  • tags: scada Tag
  • 80.http.get.headers.server: nginx Server type and version
  • autonomous_system.description: University Autonomous system description
  • regular

ZoomEye Search Engine

The ZoomEye search engine is biased towards web-application-level search.
Address: https://www.zoomeye.org/

Search syntax

  • app:nginx Component name
  • ver:1.0 Version
  • os:windows Operating system
  • country:"China" Country
  • city:"hangzhou" City
  • port:80 Port
  • hostname:google Hostname
  • site:thief.one Website domain name
  • desc:nmask Description
  • service:ftp Service type
  • ip:8.8.8.8 IP address
  • cidr:8.8.8.8/24 IP address segment

FoFa Search Engine

The FoFa search engine is biased towards asset search.
Address: https://fofa.so

Search syntax

  • title="abc" Search for abc in the title. Example: websites with Beijing in the title.
  • header="abc" Search for abc in the HTTP headers. Example: JBoss servers.
  • body="abc" Search for abc in the HTML body. Example: the body contains Hacked by.
  • domain="qq.com" Search for websites whose root domain is qq.com. Example: websites whose root domain is qq.com.
  • host=".gov.cn" Search for .gov.cn in the URL; note that the field name to use is host.
  • port="443" Find assets on port 443. Example: find assets on port 443.
  • ip="1.1.1.1" Search for websites containing 1.1.1.1 in the IP; note that the field name to use is ip.
  • protocol="https" Search by protocol type (valid when port scanning is enabled). Example: query HTTPS assets.
  • city="Beijing" Search for assets in a given city. Example: search for assets in a given city.
  • region="Zhejiang" Search for assets in a given administrative region. Example: search for assets in a given administrative region.
  • country="CN" Search for assets in a given country (by code). Example: search for assets in a given country (by code).
  • cert="google.com" Search for certificates (HTTPS, IMAPS, etc.) that contain google.com.

Advanced Search:

  • title="powered by" && title!=discuz
  • title!="powered by" && body=discuz
  • ( body="content=\"WordPress" || (header="X-Pingback" && header="/xmlrpc.php" && body="/wp-includes/") ) && host="gov.cn"

Dnsdb Search Engine

The dnsdb search engine is a query platform for DNS resolution records.
Address: https://www.dnsdb.io/

Search syntax

A DnsDB query has the structure condition1 condition2 condition3 …, with the conditions separated by spaces. DnsDB returns the results that satisfy all of the query conditions.

Domain Name Query Conditions

A domain name query returns all DNS records of the top private domain name. The query syntax is domain:.
For example, to query all DNS records for google.com: domain:google.com
The domain: prefix can be omitted in a domain name query.

Host Query Conditions

Query syntax: host:
For example, to query the DNS records with the host address mp3.example.com: host:mp3.example.com
The difference between the host query condition and the domain name query condition is that the host query matches the Host value of the DNS record.

Query by DNS record type

Query syntax: type:.
For example, to query only A records: type:a
Usage: a domain: or host: condition must be present before the type: query syntax can be used.

By IP limit

Query syntax: ip:
Query the specified IP: ip:8.8.8.8, which is equivalent to entering 8.8.8.8 directly
Query the specified IP range: ip:8.8.8.8-8.8.255.255
Query by CIDR: ip:8.8.0.0/24
The maximum IP range is limited to 65536

Example of conditional combination query

Query all A records for google.com: google.com type:a
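
The DnsDB rules above (space-separated conditions, optional domain: prefix, type: requiring domain: or host:, and the 65536 limit on IP ranges) can be checked before a query is submitted. The Python validator below is an added example, not part of the original article or of DnsDB itself; the function names are hypothetical, and it assumes the limit is inclusive and that only IPv4 is used, as in the examples on this page.

```python
import ipaddress

MAX_IPS = 65536  # range limit stated on this page (assumed inclusive)


def ip_count(spec):
    """Number of IPv4 addresses covered by a single IP, an a-b range or a CIDR."""
    if "-" in spec:
        lo, hi = (ipaddress.IPv4Address(p) for p in spec.split("-", 1))
        if hi < lo:
            raise ValueError("range end is below range start")
        return int(hi) - int(lo) + 1
    return ipaddress.IPv4Network(spec, strict=False).num_addresses


def parse_query(query):
    """Parse 'cond1 cond2 ...' into a dict, enforcing the rules described above."""
    conds = {}
    for token in query.split():
        key, sep, value = token.partition(":")
        if not sep:  # bare token: shorthand for ip: or domain:
            try:
                ip_count(token)
                key, value = "ip", token
            except ValueError:
                key, value = "domain", token
        key = key.lower()
        if key not in {"domain", "host", "type", "ip"} or not value:
            raise ValueError(f"unsupported condition: {token!r}")
        conds[key] = value.lower()
    if "type" in conds and not ({"domain", "host"} & conds.keys()):
        raise ValueError("type: requires a domain: or host: condition")
    if "ip" in conds and ip_count(conds["ip"]) > MAX_IPS:
        raise ValueError("ip range exceeds 65536 addresses")
    return conds


if __name__ == "__main__":
    print(parse_query("google.com type:a"))
    print(ip_count("8.8.8.8-8.8.255.255"))
```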

This article will continue to add some content…

Related articles

[[Infiltration artifact series] nc](http://thief.one/2017/04/10/1/)
[Infiltration artifact series] nmap
[[Infiltration Artifact Series] Fiddler](http://thief.one/2017/04/27/1)
[[Infiltration Artifact Series] WireShark](http://thief.one/2017/02/09/WireShark%E8%BF%87%E6%BB%A4%E8%A7%84%E5%88%99/)

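Article title: Infiltration artifact series search engine

Author: nmask

Published: May 19, 2017 - 11:05

Last updated: July 11, 2019 - 18:07

Original link: https://thief.one/2017/05/19/01/en/

License: Attribution-NonCommercial-NoDerivatives 4.0 International. Please retain the original link and author when reposting.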
