Scope
Replace the placeholders with the actual authorized scope.
| Placeholder | Use |
|---|
<domain> | Root domain or subdomain, such as example.com |
<org> | Organization name, such as "Example Corp" |
<netblock> | CIDR range, such as 198.51.100.0/24 |
<asn> | Autonomous system, such as AS64496 |
<github-org> | GitHub organization or user |
<owner/repo> | GitHub repository |
Google Filters
| Filter | Syntax | Meaning |
|---|
| Exact text | "text" | Match an exact phrase. |
| Exclude | -text | Remove results containing a term. |
| Either term | A OR B | Match either term or group. |
| Site | site:<domain> | Restrict results to a domain. |
| File type | filetype:<ext> | Restrict results to an extension. |
| Before date | before:YYYY-MM-DD | Restrict by indexed/updated date. |
| After date | after:YYYY-MM-DD | Restrict by indexed/updated date. |
| Title | intitle:<text> | Match text in the title. |
| URL | inurl:<text> | Match text in the URL. |
| Body | intext:<text> | Match text in page content. |
No space goes between filter and value: site:example.com, not site: example.com.
Google Patterns
| Goal | Query |
|---|
| Domain inventory | site:<domain> -site:www.<domain> |
| Portals and login surfaces | site:<domain> (login OR portal OR dashboard OR vpn OR sso) |
| Public documents | site:<domain> (filetype:pdf OR filetype:docx OR filetype:xlsx OR filetype:pptx) |
| Backups, logs, and dumps | site:<domain> (filetype:conf OR filetype:log OR filetype:bak OR filetype:sql) |
| Directory listings | site:<domain> intitle:"index of" |
| Staging or test pages | site:<domain> (inurl:staging OR inurl:test OR inurl:dev) |
| Public shared documents | (site:docs.google.com OR site:drive.google.com) <domain> |
| Cloud-hosted references | (site:s3.amazonaws.com OR site:storage.googleapis.com OR site:azurewebsites.net) <domain> |
Shodan Filters
Shodan uses filter:value. Quote values containing spaces.
| Filter | Syntax | Meaning |
|---|
| Hostname | hostname:<domain> | Match hostnames. |
| TLS common name | ssl.cert.subject.cn:<domain> | Match certificate subject CN. |
| TLS issuer | ssl.cert.issuer.cn:"<name>" | Match certificate issuer CN. |
| Organization | org:"<org>" | Match network owner. |
| Netblock | net:<netblock> | Match CIDR range. |
| ASN | asn:<asn> | Match autonomous system. |
| Port | port:<number> | Match exposed port. |
| Product | product:"<name>" | Match detected product. |
| Version | version:<version> | Match detected version. |
| OS | os:<name> | Match detected operating system. |
| HTTP title | http.title:"<text>" | Match page title. |
| HTTP body | http.html:"<text>" | Match page body. |
| HTTP status | http.status:<code> | Match HTTP status. |
| Country | country:<code> | Match country code. |
| City | city:"<city>" | Match city. |
| Vulnerability | vuln:<CVE> | Match CVE metadata. |
Shodan Patterns
| Goal | Query |
|---|
| Hostname inventory | hostname:<domain> |
| Certificate inventory | ssl.cert.subject.cn:<domain> |
| Organization exposure | org:"<org>" |
| Netblock exposure | net:<netblock> |
| ASN exposure | asn:<asn> |
| Single-port review | net:<netblock> port:443 |
| Product review | org:"<org>" product:"OpenSSH" |
| Version review | org:"<org>" product:nginx version:1.18.0 |
| Web login titles | hostname:<domain> http.title:"login" |
| Directory listing titles | org:"<org>" http.title:"index of" |
| CVE triage | net:<netblock> vuln:CVE-YYYY-NNNN |
GitHub Filters
| Filter | Syntax | Meaning |
|---|
| Exact text | "text" | Match an exact string. |
| Both terms | A AND B | Require both terms. |
| Either term | A OR B | Match either term. |
| Exclude | NOT <term> | Remove matching results. |
| Repository | repo:<owner/repo> | Search one repository. |
| Organization | org:<github-org> | Search one organization. |
| User | user:<name> | Search one user. |
| Enterprise | enterprise:<name> | Search one enterprise. |
| Language | language:<name> | Restrict by language. |
| Path | path:<path> | Match file path. |
| Content | content:<text> | Match file content. |
| Symbol | symbol:<name> | Match symbol definitions. |
| Property | is:<property> | Filter by repository/content property. |
| Regex | /pattern/ | Match by regular expression. |
repo:, org:, and user: require complete names.
GitHub Patterns
| Goal | Query |
|---|
| Repository inventory | org:<github-org> NOT is:fork NOT is:archived |
| Infrastructure paths | org:<github-org> (path:/infra/ OR path:/terraform/ OR path:/kubernetes/) |
| GitHub Actions | org:<github-org> path:/.github/workflows/ |
| Container files | org:<github-org> (path:Dockerfile OR path:docker-compose.yml) |
| Env and config files | org:<github-org> (path:.env OR path:*.tfvars OR path:*.kubeconfig) |
| Private-key markers | org:<github-org> "BEGIN PRIVATE KEY" NOT path:README |
| Token keywords | org:<github-org> ("api_key" OR "access_token" OR "client_secret") NOT path:tests |
| Cloud credential names | org:<github-org> ("AWS_ACCESS_KEY_ID" OR "GOOGLE_APPLICATION_CREDENTIALS" OR "AZURE_CLIENT_SECRET") |
| Python debug flags | org:<github-org> language:python ("debug=True" OR "DEBUG = True") |
| Go TLS bypasses | org:<github-org> language:go "InsecureSkipVerify" |
| Workflow secret usage | org:<github-org> path:/.github/workflows/ "secrets." |
| Regex private-key marker | org:<github-org> /-----BEGIN [A-Z ]+PRIVATE KEY-----/ |
Result Fields
| Field | Purpose |
|---|
| Query | Search string used. |
| Source | Google, Shodan, GitHub, or another index. |
| Result URL | URL or Shodan/GitHub result link. |
| Asset | Domain, host, repo, or netblock. |
| Evidence | Matched path, banner, filename, title, or string. |
| Owner | Team, repo owner, or asset owner. |
| Status | New, triaged, fixed, accepted, or false positive. |
References