
OSINT Cheat Sheet

Google Dorks

Basic Operators

site:example.com                  # Search within a domain
inurl:admin                       # URL contains "admin"
intitle:"index of"                # Page title contains the phrase (quote multi-word phrases)
filetype:pdf                      # Specific file type
intext:password                   # Body text contains
cache:example.com                 # Cached version (operator no longer supported by Google)
link:example.com                  # Pages linking to (deprecated; Google no longer honours it)
related:example.com               # Similar sites

Useful Combinations

site:example.com filetype:pdf
site:example.com inurl:login
site:example.com inurl:admin
site:example.com intitle:"index of" "parent directory"
site:example.com ext:sql OR ext:db OR ext:log
inurl:"/wp-admin" site:example.com
site:example.com "error" "stack trace"
site:example.com "API_KEY" OR "api_key" OR "apikey"
filetype:env "DB_PASSWORD"
filetype:log "password"

Sensitive File Exposure

filetype:sql "INSERT INTO"
filetype:env DB_PASSWORD
filetype:xml inurl:config
intitle:"index of" ".env"
intitle:"index of" "credentials"
inurl:"/etc/passwd"

Shodan

Basic Searches

hostname:example.com
org:"Company Name"
ip:1.2.3.4
port:22
port:3389 country:US
product:nginx

Finding Vulnerable Systems

vuln:CVE-2021-44228             # Log4Shell
port:445 os:windows             # SMB on Windows
port:23                         # Telnet exposed
default password                # Default creds exposed
port:9200 elastic               # Exposed Elasticsearch
port:27017 mongodb              # Exposed MongoDB
port:6379 redis                 # Exposed Redis

Email & People Search

hunter.io          → Find emails by domain
emailrep.io        → Email reputation check
haveibeenpwned.com → Breach check
intelx.io          → Dark web + breach search
pipl.com           → People search
spokeo.com         → US people search

Email Format Guessing

[email protected]
[email protected]
[email protected]
[email protected]

Domain & IP Reconnaissance

# WHOIS
whois example.com
whois 1.2.3.4

# DNS Enumeration
nslookup example.com
dig example.com ANY               # many resolvers refuse ANY (RFC 8482); query record types individually
dig example.com MX
dig example.com TXT
dig example.com NS
host -a example.com

# Subdomain Enumeration
subfinder -d example.com
amass enum -d example.com
assetfinder example.com
theHarvester -d example.com -b all

# Certificate Transparency (passive subdomain enum)
# https://crt.sh/?q=%.example.com
# name_value may hold several newline-separated names; -r prints them raw, sort -u de-duplicates
curl -s "https://crt.sh/?q=%.example.com&output=json" | jq -r '.[].name_value' | sort -u
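
As an added example (not part of the original cheat sheet), a small Python parser for the crt.sh JSON that the curl command above fetches: it splits multi-name entries, lower-cases, strips wildcard labels, drops look-alike names outside the zone, and can diff the result against a known host inventory to flag certificates issued for hosts you did not expect. The JSON below is constructed, not a real query result.

```python
import json
from typing import Iterable

# Constructed sample of crt.sh JSON output (not a real query result).
# name_value may hold several names separated by newlines, wildcard
# entries carry a leading "*.", and case varies between certificates.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.dev.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc", "name_value": "mail.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc", "name_value": "WWW.Example.com"},
    # Looks like example.com but is a different zone: must be excluded.
    {"issuer_name": "C=US, O=DigiCert Inc", "name_value": "example.com.evil.test"},
])


def parse_crtsh(raw_json: str, domain: str) -> set[str]:
    """Return the de-duplicated set of hostnames inside `domain` found in
    crt.sh JSON output. A wildcard "*.x" is reduced to its zone apex "x"."""
    domain = domain.lower()
    suffix = "." + domain
    names: set[str] = set()
    for entry in json.loads(raw_json):
        for raw in entry.get("name_value", "").split("\n"):
            name = raw.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            # endswith(".example.com") rejects "example.com.evil.test"
            if name == domain or name.endswith(suffix):
                names.add(name)
    return names


def new_names(inventory: Iterable[str], current: Iterable[str]) -> set[str]:
    """Hosts present in the CT snapshot but absent from a prior inventory;
    a non-empty result is worth a look (forgotten host or unexpected cert)."""
    return set(current) - set(inventory)


if __name__ == "__main__":
    found = parse_crtsh(SAMPLE_CRTSH_JSON, "example.com")
    for host in sorted(found):
        print(host)
    print("not in inventory:", new_names(["example.com", "www.example.com"], found))
```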

Social Media OSINT

LinkedIn    → Job titles, org structure, employees
Twitter/X   → Real-time info, location leaks
GitHub      → Code leaks, API keys, internal tools
Instagram   → Location data in photos (EXIF)
Facebook    → Personal connections, check-ins

GitHub Dorks

org:CompanyName password
org:CompanyName secret
org:CompanyName api_key
filename:.env
filename:config.php DB_PASSWORD
extension:pem private

Metadata & File Analysis

# Extract EXIF from images
exiftool image.jpg

# Extract metadata from documents
exiftool document.pdf

# Strings from binary
strings file.exe | grep -i pass

Useful OSINT Tools

Tool          → Use
Maltego       → Graph-based link analysis
Recon-ng      → Modular recon framework
theHarvester  → Emails, subdomains, hosts
SpiderFoot    → Automated OSINT
Sherlock      → Username across social media
Maigret       → Advanced username search
FOCA          → Metadata extraction
Creepy        → Geolocation from social media