Published on May 19, 2017 | Category: security tools
Search engines are among the tools I use most often in my daily work. Commonly used search engines in China include Baidu, Sogou, Bing and others. This article, however, is not about those; it records several Internet search engines that information security practitioners need to know: Shodan, Censys, ZoomEye (Zhong Kui's Eye), Google, FOFA, DNSDB and others. It mainly covers the advanced syntax of these search engines, since mastering the advanced syntax makes search results more accurate. This article is intended simply as a reference for those who have forgotten a search engine's syntax.
Google search engine
Google is introduced here because it differs from content search engines such as Baidu and Sogou and holds an unusual position in the security field; there is even a dedicated term, Google hacking, for the relationship between Google and security.
Google basic syntax
- Index of /: can be used to directly access all files and folders under the website's home directory.
- intext: returns all pages that contain the keyword in the page body.
- intitle: returns all pages that contain the keyword in the page title.
- cache: searches Google's cache for certain content.
- define: searches for the definition of a word.
- filetype: searches for the specified file type, such as .bak, .mdb, .inc.
- info: finds some basic information about the specified site.
- inurl: searches for URLs that contain the specified characters.
- link: link:thief.one returns all URLs that link to thief.one.
- site: site:thief.one returns all URLs related to this site.

- "+": includes words that Google might otherwise ignore in the query scope.
- "-": omits a word.
- "~": synonyms.
- ".": single-character wildcard.
- "*": wildcard that can stand for multiple letters.
- '""': exact-match query.
Search websites in different countries
inurl:tw Taiwan
inurl:jp Japan
Using Google to find exposed database files
Google can be used to find database files that are directly downloadable from the Internet. The syntax is as follows:
inurl:editor/db/
inurl:eWebEditor/db/
inurl:bbs/data/
inurl:databackup/
inurl:blog/data/
inurl:\boke\data
inurl:bbs/database/
inurl:conn.asp
inc/conn.asp
Server.mapPath(".mdb")
allinurl:bbs data
filetype:mdb inurl:database
filetype:inc conn
inurl:data filetype:mdb
intitle:"index of" data
Searching for sensitive information with Google
Google can also be used to find sensitive information exposed by some websites. The syntax is as follows:
intitle:"index of" etc
intitle:"Index of" .sh_history
intitle:"Index of" .bash_history
intitle:"index of" passwd
intitle:"index of" people.lst
intitle:"index of" pwd.db
intitle:"index of" etc/shadow
intitle:"index of" spwd
intitle:"index of" master.passwd
intitle:"index of" htpasswd
inurl:service.pwd
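To check a site you operate against the two lists above, the following added example (not part of the original article) flags entries in a crawl inventory that those queries would surface. The patterns are taken from the lists on this page; the inventory format, the `audit` function and the `example.test` host are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Directory fragments taken from the inurl: entries in the database list above.
DB_DIRS = ("editor/db/", "ewebeditor/db/", "bbs/data/", "databackup/",
           "blog/data/", "boke/data", "bbs/database/")
# File names from both lists, stored without a leading dot.
SENSITIVE_NAMES = {"sh_history", "bash_history", "passwd", "people.lst",
                   "pwd.db", "shadow", "spwd", "master.passwd", "htpasswd",
                   "service.pwd", "conn.asp"}
RISKY_EXT = (".mdb", ".inc", ".bak")  # extensions named under filetype:

def audit(inventory):
    """inventory: (url, html_title) pairs from a crawl of a site you operate.
    Returns {url: [reasons]} for entries the listed queries would surface."""
    findings = {}
    for url, title in inventory:
        path = urlsplit(url).path.replace("\\", "/").lower()
        name = path.rsplit("/", 1)[-1].lstrip(".")
        reasons = []
        if title.strip().lower().startswith("index of"):
            reasons.append("directory listing enabled")
        if any(d in path for d in DB_DIRS):
            reasons.append("database directory reachable")
        if name in SENSITIVE_NAMES:
            reasons.append("sensitive file name")
        if path.endswith(RISKY_EXT):
            reasons.append("downloadable data or include file")
        if reasons:
            findings[url] = reasons
    return findings

# Constructed crawl output; example.test is a placeholder host.
SAMPLE = [
    ("https://example.test/index.html", "Home"),
    ("https://example.test/bbs/data/", "Index of /bbs/data"),
    ("https://example.test/bbs/data/forum.mdb", ""),
    ("https://example.test/inc/conn.asp", ""),
    ("https://example.test/backup/.bash_history", ""),
    ("https://example.test/about/passwd-policy.html", "Password policy"),
]

if __name__ == "__main__":
    for url, reasons in audit(SAMPLE).items():
        print(url, "->", ", ".join(reasons))
```

Anything it reports should be moved out of the web root or blocked at the server, and directory listing should be turned off, before a search engine indexes it.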
Using Google to search for servers in a class C segment
This technique comes from lostwolf
site:218.87.21.*
This returns, through Google, information about the services in the 218.87.21.0/24 network.
Shodan search engine
Shodan is oriented toward searching for network devices and servers. Details can be found online; only its advanced search syntax is given here. Address: https://www.shodan.io/
Search syntax
- hostname: search for the specified host or domain name, for example hostname:"Google"
- port: search for the specified port or service, for example port:"21"
- country: search for the specified country, for example country:"CN"
- city: search for the specified city, for example city:"Hefei"
- org: search for the specified organization or company, for example org:"Google"
- isp: search for the specified ISP, for example isp:"China Telecom"
- product: search for the specified operating system / software / platform, for example product:"Apache httpd"
- version: search for the specified software version, for example version:"1.6.2"
- geo: search for the specified geographic location, for example geo:"31.8639, 117.2808"
- before/after: search for data collected before or after the specified time, in dd-mm-yy format, for example before:"11-11-15"
- net: search for the specified IP address or subnet, for example net:"210.45.240.0/24"
For more information, please refer to: http://xiaix.me/shodan-xin-shou-ru-keng-zh-nan/
Censys search engine
Censys is similar in function to Shodan. Its documentation and query pages are listed below. Address: https://www.censys.io/
https://www.censys.io/certificates/help  help documentation
https://www.censys.io/ipv4?q=  IP query
https://www.censys.io/domain?q=  domain name query
https://www.censys.io/certificates?q=  certificate query
Search syntax
By default, Censys supports full-text search.
- 23.0.0.0/8 or 8.8.8.0/24 (and, or, not can be used)
- 80.http.get.status_code: 200 (specific status code)
- 80.http.get.status_code: [200 TO 300] (status code between 200 and 300)
- location.country_code: DE (country)
- protocols: ("23/telnet" or "21/ftp") (protocol)
- tags: scada (tag)
- 80.http.get.headers.server: nginx (server type and version)
- autonomous_system.description: University (system description)
- Regular expressions
ZoomEye (Zhong Kui's Eye)
ZoomEye leans toward searching at the web application level. Address: https://www.zoomeye.org/
Search syntax
- app:nginx (component name)
- ver:1.0 (version)
- os:windows (operating system)
- country:"China" (country)
- city:"Hangzhou" (city)
- port:80 (port)
- hostname:google (hostname)
- site:thief.one (website domain name)
- desc:nmask (description)
- keywords:nmask'blog (keywords)
- service:ftp (service type)
- ip:8.8.8.8 (IP address)
- cidr:8.8.8.8/24 (IP address segment)
FOFA search engine
FOFA is oriented toward asset search. Address: https://fofa.so
Search syntax
- title="abc" searches for abc in the title. Example: websites with Beijing in the title.
- header="abc" searches for abc in the HTTP headers. Example: JBoss servers.
- body="abc" searches for abc in the HTML body. Example: the body contains hacked by.
- domain="qq.com" searches for websites whose root domain is qq.com.
- host=".gov.cn" searches for .gov.cn in the URL. Note that the field name to use is host.
- port="443" finds the assets on port 443.
- ip="1.1.1.1" searches for websites whose IP contains 1.1.1.1. Note that the field name to use is ip.
- protocol="https" searches for the specified protocol type (valid when port scanning is enabled). Example: query HTTPS assets.
- city="Beijing" searches for assets in the specified city.
- region="Zhejiang" searches for assets in the specified administrative region.
- country="CN" searches for assets in the specified country (code).
- cert="google.com" searches for assets whose certificate (HTTPS, IMAPS, etc.) contains google.com.
Advanced search:
- title="powered by" && title!=discuz
- title!="powered by" && body=discuz
- ( body="content=\"WordPress" || (header="X-Pingback" && header="/xmlrpc.php" && body="/wp-includes/") ) && host="gov.cn"
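To see how the operators in these advanced queries combine, the following added example (not from the original article and not FOFA's own code) evaluates such an expression against a locally held asset record, for instance one row of your own inventory. It assumes that = is a case-insensitive substring match, that && binds tighter than ||, and that the record uses the field names listed above; `matches`, `WP` and `Q3` are hypothetical names and the record is constructed.

```python
import re

# Tokens: parentheses, &&, ||, !=, =, a double-quoted string, or a bare word.
TOKEN = re.compile(r'\(|\)|&&|\|\||!=|=|"(?:\\.|[^"\\])*"|[^\s()=!&|"]+')

def matches(query, asset):
    """Evaluate a FOFA-style expression against one asset record (a dict)."""
    toks = TOKEN.findall(query.replace("“", '"').replace("”", '"'))
    pos = 0
    def peek():
        return toks[pos] if pos < len(toks) else None
    def take():                       # IndexError here means a truncated query
        nonlocal pos
        pos += 1
        return toks[pos - 1]
    def term():                       # ( expr )  or  field = value
        if peek() == "(":
            take()
            value = expr()
            if take() != ")":
                raise ValueError("missing )")
            return value
        field, op, raw = take(), take(), take()
        if op not in ("=", "!="):
            raise ValueError("expected = or != after " + field)
        needle = raw[1:-1].replace('\\"', '"') if raw.startswith('"') else raw
        hit = needle.lower() in str(asset.get(field.lower(), "")).lower()
        return hit if op == "=" else not hit
    def conj():                       # assumption: && binds tighter than ||
        value = term()
        while peek() == "&&":
            take()
            value = term() and value
        return value
    def expr():
        value = conj()
        while peek() == "||":
            take()
            value = conj() or value
        return value
    result = expr()
    if pos != len(toks):
        raise ValueError("unexpected token " + toks[pos])
    return result

# Constructed asset record, and the third advanced query from the list above.
WP = {"host": "a.gov.cn", "header": "X-Pingback: https://a.gov.cn/xmlrpc.php",
      "body": '<meta name="generator" content="WordPress 4.7">'}
Q3 = r'( body="content=\"WordPress" || (header="X-Pingback" && header="/xmlrpc.php" && body="/wp-includes/") ) && host="gov.cn"'
```

`matches(Q3, WP)` returns True because the body clause alone satisfies the parenthesised group and the host clause also holds.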
DNSDB search engine
DNSDB is a query platform for DNS resolution records. Address: https://www.dnsdb.io/
Search syntax
The DNSDB query syntax has the structure condition1 condition2 condition3 ..., with conditions separated by spaces. DNSDB returns the results that satisfy all of the query conditions.
Domain name query criteria
A domain name query returns all DNS records of the top-level private domain name. The query syntax is domain:. For example, to query all DNS records of google.com: domain:google.com. The domain: prefix can be omitted.
Host query criteria
Query syntax: host:. For example, to query the DNS records whose host address is mp3.example.com: host:mp3.example.com. The difference between the host query criteria and the domain name query criteria is that the host query matches the host value of the DNS record.
Query by DNS record type
Query syntax: type:
Restrict by IP
Query syntax: ip:
- Query a specific IP: ip:8.8.8.8, which is equivalent to entering 8.8.8.8 directly
- Query a specific IP range: ip:8.8.8.8-8.8.255.255
- CIDR: ip:8.8.0.0/24
- The maximum IP range is limited to 65536
Example of a combined query
Query all A records of google.com: google.com type:a
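The query structure described above can be validated before a query is sent. The following is an added example, not code from DNSDB or from the original article: it splits a query into its space-separated conditions and enforces the stated 65536-address limit on ip: values. The function names are hypothetical, and treating a bare token as ip: or domain: follows the two shortcuts the text mentions.

```python
import ipaddress

MAX_IPS = 65536  # maximum IP range size stated in the article

def parse_ip(value):
    """Accept a single IP, an a-b range, or CIDR; return (first, last, count)."""
    if "-" in value:
        lo, hi = (ipaddress.IPv4Address(p) for p in value.split("-", 1))
    elif "/" in value:
        net = ipaddress.IPv4Network(value, strict=False)  # tolerate host bits
        lo, hi = net[0], net[-1]
    else:
        lo = hi = ipaddress.IPv4Address(value)
    count = int(hi) - int(lo) + 1
    if count < 1:
        raise ValueError("range end precedes range start")
    if count > MAX_IPS:
        raise ValueError("range covers %d addresses, limit is %d" % (count, MAX_IPS))
    return str(lo), str(hi), count

def parse_query(query):
    """Split a query into conditions; every condition must match (logical AND)."""
    conditions = {}
    for cond in query.split():
        key, sep, val = cond.partition(":")
        if not sep:
            # Bare token: an IPv4 address means ip:, anything else means domain:
            try:
                ipaddress.IPv4Address(cond)
                key, val = "ip", cond
            except ValueError:
                key, val = "domain", cond
        key = key.lower()
        if key not in ("domain", "host", "type", "ip"):
            raise ValueError("unknown condition: " + key)
        if not val:
            raise ValueError("empty value for " + key)
        conditions[key] = parse_ip(val) if key == "ip" else val.lower()
    return conditions

if __name__ == "__main__":
    print(parse_query("google.com type:a"))
    print(parse_query("host:mp3.example.com ip:8.8.8.8-8.8.255.255"))
```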
This article will continue to be updated with more content.