đź“’
My Pentesting Cheatsheet
  • Home
  • Commands Only Summary
    • Some other cool websites
  • Preparation
    • Documents
    • Contract - Checklist
    • Rules of Engagement - Checklist
    • Contractors Agreement - Checklist for Physical Assessments
  • Information Gathering
  • Vulnerability Assessment
  • Pentesting Machine
  • Enumeration
    • NMAP Scan types explained
    • Firewall and IDS/IPS Evasion
  • Footprinting
    • Google Dorks
    • Samba (smb)
    • NFS
    • DNS
    • SMTP
    • IMAP/POP3
    • SNMP
    • MySQL
    • MSSQL
    • Oracle TNS
    • IPMI
    • SSH
    • RDP
    • WinRM
  • Web Information Gathering
    • Whois
    • DNS & Subdomains
    • Fingerprinting
    • Crawlers
    • Search Engine Discovery
    • Automating Recon
  • Vulnerability Assessment
  • File Transfers
    • Windows Target
    • Linux Target
    • Transferring Files with Code
    • Miscellaneous File Transfer Methods
    • Protected Files Transfer
    • Catching Files over HTTP/S (Nginx)
    • Living Off The Land
    • Evading Detection
  • Shells & Payloads
    • Reverse Shells + Bind + Web
  • Password Attacks
    • John the ripper
    • Remote password attacks
    • Password mutations
    • Password Reuse / Default Passwords
    • Windows Local Password Attacks
    • Linux Local Password Attacks
    • Windows Lateral Movement
    • Cracking Files
  • Attacking Common Services
    • FTP
    • SMB
    • SQL
    • RDP
    • DNS
    • Email Services
  • Pivoting, Tunneling, and Port Forwarding
    • Choosing The Dig Site & Starting Our Tunnels
    • Playing Pong with Socat
    • Pivoting Around Obstacles
    • Branching Out Our Tunnels
    • Double Pivots
    • Final considerations
  • Active Directory Enumeration & Attacks
    • Initial Enumeration
    • Sniffing out a Foothold
    • Sighting In, Hunting For A User
    • Spray Responsibly
    • Deeper Down the Rabbit Hole
    • Kerberoasting - Cooking with Fire
    • Access Control List (ACL)
    • Advanced Privilege Escalation in Active Directory: Stacking The Deck
    • Domain trusts
    • Domain Trusts - Cross Forest
    • Defensive Considerations
  • Using Web Proxies
  • Login Brute Forcing
  • SQL Injection Fundamentals
    • Mitigating SQL Injection
  • SQLMap Essentials
    • Building Attacks
    • Database Enumeration
    • Advanced SQLMap Usage
  • Cross-Site Scripting (XSS)
    • Prevention
  • File Inclusion
  • File Upload Attacks
    • Basic Exploitation
    • Bypassing Filters
    • Other Upload Attacks
    • Prevention
  • Command Injections
    • Exploitation
    • Filter Evasion
  • Web Attacks
    • HTTP Verb Tampering
    • Insecure Direct Object References (IDOR)
    • XML External Entity (XXE) Injection
    • GraphQL
  • Attacking Common Applications
    • Application Discovery & Enumeration
    • Content Management Systems (CMS)
    • Servlet Containers/Software Development
    • Infrastructure/Network Monitoring Tools
    • Customer Service Mgmt & Configuration Management
    • Common Gateway Interfaces
    • Thick Client Applications
    • Miscellaneous Applications
  • Privilege Escalation
    • Linux Privilege Escalation
      • Information Gathering
      • Environment-based Privilege Escalation
      • Service-based Privilege Escalation
      • Linux Internals-based Privilege Escalation
      • Recent 0-Days
      • Linux Hardening
    • Windows Privilege Escalation
      • Getting the Lay of the Land
      • Windows User Privileges
      • Windows Group Privileges
      • Attacking the OS
      • Credential Theft
      • Restricted Environments
      • Additional Techniques
      • Dealing with End of Life Systems
      • Windows Hardening
    • Windows (old page)
  • Documentation & Reporting
    • Preparation
    • Reporting
  • Attacking Enterprise Networks
    • Pre-Engagement
    • External Testing
    • Internal Testing
    • Lateral Movement & Privilege Escalation
    • Wrapping Up
  • Deobfuscation
  • Metasploit
    • msfvenom
  • Custom compiled files
  • XSS
  • Azure AD (Entra ID)
Powered by GitBook
On this page
  1. Web Information Gathering

Search Engine Discovery

Google Dorking

Operator
Operator Description
Example
Example Description

site:

Limits results to a specific website or domain.

site:example.com

Find all publicly accessible pages on example.com.

inurl:

Finds pages with a specific term in the URL.

inurl:login

Search for login pages on any website.

filetype:

Searches for files of a particular type.

filetype:pdf

Find downloadable PDF documents.

intitle:

Finds pages with a specific term in the title.

intitle:"confidential report"

Look for documents titled "confidential report" or similar variations.

intext: or inbody:

Searches for a term within the body text of pages.

intext:"password reset"

Identify webpages containing the term “password reset”.

cache:

Displays the cached version of a webpage (if available).

cache:example.com

View the cached version of example.com to see its previous content.

link:

Finds pages that link to a specific webpage.

link:example.com

Identify websites linking to example.com.

related:

Finds websites related to a specific webpage.

related:example.com

Discover websites similar to example.com.

info:

Provides a summary of information about a webpage.

info:example.com

Get basic details about example.com, such as its title and description.

define:

Provides definitions of a word or phrase.

define:phishing

Get a definition of "phishing" from various sources.

numrange:

Searches for numbers within a specific range.

site:example.com numrange:1000-2000

Find pages on example.com containing numbers between 1000 and 2000.

allintext:

Finds pages containing all specified words in the body text.

allintext:admin password reset

Search for pages containing both "admin" and "password reset" in the body text.

allinurl:

Finds pages containing all specified words in the URL.

allinurl:admin panel

Look for pages with "admin" and "panel" in the URL.

allintitle:

Finds pages containing all specified words in the title.

allintitle:confidential report 2023

Search for pages with "confidential," "report," and "2023" in the title.

AND

Narrows results by requiring all terms to be present.

site:example.com AND (inurl:admin OR inurl:login)

Find admin or login pages specifically on example.com.

OR

Broadens results by including pages with any of the terms.

"linux" OR "ubuntu" OR "debian"

Search for webpages mentioning Linux, Ubuntu, or Debian.

NOT

Excludes results containing the specified term.

site:bank.com NOT inurl:login

Find pages on bank.com excluding login pages.

* (wildcard)

Represents any character or word.

site:socialnetwork.com filetype:pdf user* manual

Search for user manuals (user guide, user handbook) in PDF format on socialnetwork.com.

.. (range search)

Finds results within a specified numerical range.

site:ecommerce.com "price" 100..500

Look for products priced between 100 and 500 on an e-commerce website.

" " (quotation marks)

Searches for exact phrases.

"information security policy"

Find documents mentioning the exact phrase "information security policy".

- (minus sign)

Excludes terms from the search results.

site:news.com -inurl:sports

Search for news articles on news.com excluding sports-related content.

  • Finding Login Pages:

    • site:example.com inurl:login

    • site:example.com (inurl:login OR inurl:admin)

  • Identifying Exposed Files:

    • site:example.com filetype:pdf

    • site:example.com (filetype:xls OR filetype:docx)

  • Uncovering Configuration Files:

    • site:example.com inurl:config.php

    • site:example.com (ext:conf OR ext:cnf) (searches for extensions commonly used for configuration files)

  • Locating Database Backups:

    • site:example.com inurl:backup

    • site:example.com filetype:sql

PreviousCrawlersNextAutomating Recon

Last updated 6 months ago