Mr Elite

Posted on • Originally published at securityelites.com

Day 9: Google Dorking & OSINT — How to Find Publicly Exposed Information Like a Pro (2026)


DAY 9 OF 100
100-Day Ethical Hacking Course


Before a professional ethical hacker touches a single tool against a target, they spend hours — sometimes days — gathering information using only publicly available sources. This phase is called reconnaissance. And it starts somewhere most people would never think to look: Google.

Today you will learn to use Google the way security professionals do — not as a search engine, but as an intelligence tool. You’ll be surprised how much sensitive information is sitting in plain sight, indexed and searchable, waiting to be found by anyone who knows the right operators.

Google Dorking isn’t about hacking Google. It’s about using Google’s own features — features designed for finding specific types of content — to surface information that organisations accidentally expose to the public internet. Login pages left unprotected. Configuration files indexed by crawlers. Sensitive documents uploaded to public servers. Internal directories browsable without authentication.

I always tell students: the best recon happens before you touch a network. Everything you learn from Google, WHOIS, certificate transparency, and LinkedIn requires zero interaction with the target’s systems — meaning it’s completely passive, creates no logs on their end, and gives you intelligence that shapes everything you do next.

⚖️ The Legal Framework — Read This First

Google Dorking searches publicly available, indexed information — it is legal. However, there are clear lines to respect:

✓ Searching for information is legal — it’s what Google is designed for
✓ Using found public information in authorised security assessments is standard practice
✓ Reporting exposed information to the organisation responsibly is ethical and often welcomed
✗ Accessing credentials or systems found through dorking without permission is illegal
✗ Downloading confidential documents you were not intended to access crosses legal lines
✗ Using found vulnerabilities to attack systems without authorisation is a criminal offence

📋 Day 9 Contents

  1. What Is OSINT & Why It Comes First
  2. Core Google Search Operators
  3. Dorking by Category
  4. The Google Hacking Database (GHDB)
  5. Beyond Google — OSINT Tools
  6. Shodan — The Internet’s Search Engine
  7. theHarvester — Email & Subdomain Discovery
  8. WHOIS & Certificate Transparency
  9. Complete OSINT Workflow
  10. Day 9 Practical Task

What Is OSINT — And Why Every Pentest Starts Here

OSINT stands for Open Source Intelligence — information gathered from publicly available sources. The term comes from intelligence agencies, where “open source” means publicly accessible rather than classified. In ethical hacking, OSINT is the passive reconnaissance phase — you learn as much as possible about a target without sending a single packet to their network.

Why does it come first? Because the more you know going in, the more targeted and efficient your active testing becomes. A company’s tech stack, their employee names and emails, their domain structure, their software versions, their publicly exposed files — all of this shapes your attack surface map before you’ve written a single command. Intelligence professionals have a saying: “Time spent in reconnaissance is seldom wasted.” It applies equally here.

🔍 Google Dorking: Find publicly indexed sensitive files, login pages, exposed directories
📡 Shodan: Search internet-connected devices, find exposed services globally
📧 theHarvester: Collect email addresses, subdomains, IPs from public sources
🌐 WHOIS & DNS: Domain ownership, name servers, IP ranges, registration data
🔐 Cert Transparency: Find all subdomains from SSL certificate logs

Core Google Search Operators — The Building Blocks

Google search operators are special commands that filter and target search results with precision. You’ve probably used some of them without knowing they were called “operators.” In security work, we combine them to find very specific types of content. Here are the operators every ethical hacker needs to know.

| Operator | What It Does | Example |
|---|---|---|
| site: | Restrict results to one domain | site:target.com |
| filetype: | Find specific file types | filetype:pdf site:target.com |
| inurl: | Find pages with keyword in URL | inurl:admin site:target.com |
| intitle: | Find pages with keyword in title | intitle:"index of" site:target.com |
| intext: | Find pages containing text in body | intext:"password" filetype:log |
| cache: | View Google’s cached version of a page | cache:target.com/page |
| related: | Find sites similar to a domain | related:target.com |
| " " | Exact phrase match | "index of /backup" |
| - | Exclude a term from results | site:target.com -www |
| OR | Match either term | filetype:sql OR filetype:db |

💡 Combining operators: The real power comes from combining operators. site:target.com filetype:pdf intitle:"confidential" finds PDF files on a specific domain whose title contains “confidential.” Each operator narrows the result set — stacking them produces surgical precision.
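
How stacked operators narrow a result set can be checked offline against pages you own. The following is an added example, not code from the original article, that evaluates dork-style queries over a constructed inventory standing in for a crawl of your own site. `Page`, `PAGES`, `term_matches`, `matches` and `audit` are hypothetical names, example.com is a placeholder, and the matching is a simplification of what Google does (for instance, `filetype:` here only compares the URL extension).

```python
import shlex
from collections import namedtuple
from urllib.parse import urlparse

Page = namedtuple("Page", "url title text")
PAGES = [  # constructed inventory, standing in for a crawl of a site you own
    Page("https://www.example.com/about.html", "About us", "company history"),
    Page("https://files.example.com/backup/", "Index of /backup", "db.sql site.zip"),
    Page("https://files.example.com/backup/db.sql", "", "INSERT INTO users"),
    Page("https://intranet.example.com/admin/login.php", "Admin login", "password"),
    Page("https://www.example.com/docs/plan.pdf", "Confidential plan", "roadmap"),
]

def term_matches(term, page):
    """Evaluate one operator, bare keyword or exact phrase against a page."""
    op, sep, val = term.partition(":")
    u, val = urlparse(page.url), val.lower()
    checks = {
        # Leading dots make the suffix test match the domain and its subdomains only.
        "site": lambda: ("." + (u.hostname or "")).endswith("." + val),
        "filetype": lambda: u.path.lower().endswith("." + val),
        "inurl": lambda: val in page.url.lower(),
        "intitle": lambda: val in page.title.lower(),
        "intext": lambda: val in page.text.lower(),
    }
    if sep and op in checks:
        return checks[op]()
    return term.lower() in f"{page.url} {page.title} {page.text}".lower()

def matches(query, page):
    """Terms are ANDed; 'a OR b' is one alternative group; '-term' excludes."""
    tokens = shlex.split(query)  # keeps "quoted phrases" as one token
    groups = []
    for i, tok in enumerate(tokens):
        if tok == "OR":
            continue
        if i and tokens[i - 1] == "OR" and groups:
            groups[-1].append(tok)  # alternative to the previous term
        else:
            groups.append([tok])
    for group in groups:
        if group[0].startswith("-") and len(group[0]) > 1:
            if term_matches(group[0][1:], page):
                return False
        elif not any(term_matches(t, page) for t in group):
            return False
    return True

def audit(query):
    return [p.url for p in PAGES if matches(query, p)]
```

Pages returned by `audit` are the ones to put behind authentication, mark noindex, or remove before a search engine indexes them.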

Dorking by Category — What Security Professionals Actually Look For

Now let’s combine those operators into real dork queries, organised by what they find. In an authorised security assessment, these help you understand what a target has accidentally exposed. I’ve structured these by category so you understand the intent behind each query — not just the syntax.




This article was originally written and published by the SecurityElites team. For more cybersecurity tutorials, ethical hacking guides, and CTF walk-throughs, visit SecurityElites.
