🔻Our prayers are always with our people in Gaza. O God, be their support and helper, and pour patience and resolve upon them.

Introduction:

Recon is honestly my favorite part of the whole hunting process. It's always the start of every new finding for me. That's why I always kick off my hunts with recon.

If you missed Part 1, you can read it here:

https://medium.com/@GERRR4Y/recon-like-a-hunter-practical-tips-from-real-findings-part-1-d425d74c7c62

Let's get started!

Today we will cover two recon tips:

1- GitHub Dorks:

GitHub is one of the most powerful recon sources for any bug hunter. Old commits, forgotten backups, and unintentionally uploaded files often hide sensitive information just waiting to be discovered. With the right search approach, I regularly find exposed secrets, hidden endpoints, and even infrastructure details directly through GitHub.

First, we need to identify the organization's main GitHub account by using the dork:

org:<company>

Here are some of the GitHub dorks I use:

"domain.com" "apikey"
"domain.com" "api_key"
"domain.com" "aws_access_key_id:"
"domain.com" "client_secret"
"domain.com" "firebase"
"domain.com" "access_key"
"domain.com" "DATABASE_URL"
"domain.com" "password:"
"domain.com" "email:"
"domain.com" "@company.com" language:SQL
"domain.com" "admin"
"domain.com" "employees"
"domain.com" "stripe_key"
"domain.com" "db_password"
"domain.com" "db_server"
"domain.com" "aws_secret"
"domain.com" "s3_access_key"
"domain.com" "api-token"

Dorks for sensitive files:

These dorks target files that commonly hold secrets:

org:<company> filename:.env
org:<company> filename:settings.py
org:<company> filename:config.js

Note: One thing I usually do in this step: after locating the organization account on GitHub, I manually open the repositories one by one and search inside each repo for the most common sensitive files such as .env, settings.py, config.js, db.sql, and more.

GitHub alone can give you a full picture of a company's internal structure if you know where to look.
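As an added example (not part of the original post), the same filename and keyword checks that the dorks above rely on, run locally against a repository tree before it is pushed; the `audit_tree` helper, the sample files and the paths are constructed for illustration.

```python
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Filenames the post singles out as the first thing to look for in a repo.
SENSITIVE_FILENAMES = {".env", "settings.py", "config.js", "db.sql"}

# Keywords taken from the dork list above. The pattern demands an
# assignment-like context (":" or "=") so a mention in docs does not trip it.
KEYWORD_RE = re.compile(
    r"\b(apikey|api_key|api-token|aws_access_key_id|aws_secret|client_secret|"
    r"access_key|s3_access_key|stripe_key|db_password|db_server|DATABASE_URL|"
    r"password)\b\s*[:=]\s*['\"]?([^'\"\s]+)",
    re.IGNORECASE,
)

def audit_tree(files: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (path, reason, evidence) for every hit in a {path: text} map."""
    findings = []
    for path, text in files.items():
        name = Path(path).name
        if name in SENSITIVE_FILENAMES:
            findings.append((path, "sensitive filename", name))
        for m in KEYWORD_RE.finditer(text):
            key, value = m.group(1), m.group(2)
            # Placeholders such as ${VAR} or <redacted> are fine; literals are not.
            if value.startswith(("${", "<")):
                continue
            findings.append((path, "hard-coded secret", f"{key}={value[:4]}..."))
    return findings

# Constructed sample repository for the demo, not real data.
SAMPLE_REPO = {
    "backend/.env": "DATABASE_URL=postgres://app:hunter2@db.internal/app\nDEBUG=1\n",
    "backend/settings.py": "AWS_ACCESS_KEY_ID = '${AWS_ACCESS_KEY_ID}'\n",
    "web/config.js": 'export const apiKey = "sk_live_EXAMPLE1234";\n',
    "README.md": "Set api_key in your environment, never in the repo.\n",
}

if __name__ == "__main__":
    for path, reason, evidence in audit_tree(SAMPLE_REPO):
        print(f"{path}: {reason} ({evidence})")
```

Running this in CI (or as a pre-commit hook) flags the same files and keys a hunter would find with the dorks, before they ever reach a public repository.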


2- FOFA Search Engine Dorks:

FOFA is a powerful search engine that lets bug hunters discover exposed servers, dashboards, cloud buckets, and misconfigured services. It's like Shodan, but with deeper coverage and more flexibility. By using FOFA, you can quickly find internet-facing assets and sensitive endpoints that might otherwise go unnoticed.

To discover all services and subdomains related to any company, I usually start with the basic FOFA dorks:

host="company.com"
domain="company.com"

These two queries give a full overview of the company's exposed assets, servers, and internet‑facing services.

Here are some of the FOFA dorks I use:

Subdomain & Asset Discovery:

domain="company.com" && title="test"
domain="company.com" && title="dev"

Discovering Exposed Dashboards:

domain="company.com" && title="dashboard"
domain="company.com" && app="Grafana" // very important
domain="company.com" && title="Admin"
domain="company.com" && title="cpanel"

Storage Buckets & File Servers:

domain="company.com" && "AmazonS3"
domain="company.com" && "config.js"
domain="company.com" && "title=\"Index of /\""

Other dorks:

domain="company.com" && body="apikey"
domain="company.com" && body="admin"
domain="company.com" && body="config"
domain="company.com" && body="token"
domain="company.com" && body="jwt=eyJ"
domain="company.com" && body="username"
domain="company.com" && body="password"

I test each result manually to see if the service is exposed, misconfigured, or leaking sensitive information.

FOFA often leads me to internal panels, forgotten staging systems, and open storage buckets.

FOFA is a goldmine when used correctly: it reveals the parts of a company's infrastructure that were never meant to be public.


Please share your feedback with me on X (Twitter): آية أيمن 🇵🇸 (@GERR4Y)