Hacking With Google
2026-6-29 09:57:3 Author: infosecwriteups.com

Researching Vulnerabilities by Service Version

One of the most straightforward uses of Google in security research is looking up known vulnerabilities for a specific service version. When an Nmap scan reveals that a target is running, say, vsftpd 2.3.4, the next step is simply searching for it in Google:

vsftpd 2.3.4 exploit

This returns CVE entries from NIST (the National Institute of Standards and Technology — the gold standard for vulnerability documentation), Rapid7’s Metasploit module database, Nmap NSE scripts, and community walkthroughs. The same approach applies to any software version discovered during reconnaissance: a web application running jQuery 3.1.1, an outdated CMS, an exposed API framework. Search the version plus “exploit” or “vulnerability” and see what’s documented.

This is a fundamental part of the research process during any security assessment.
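The lookup described above starts from whatever Nmap fingerprinted. The following script, an added example that is not code from the original article, parses Nmap's XML output (`-oX`) with the Python standard library, keeps only open ports whose service was actually fingerprinted with a product name, and turns each product/version pair into the "version plus exploit or vulnerability" queries the article recommends. The XML fragment, the 192.0.2.10 address and the OpenSSH version string are constructed for illustration; only vsftpd 2.3.4 comes from the article.

```python
"""Turn Nmap service/version findings into vulnerability search queries.

Added example, not code from the original article. Parses an Nmap -oX file
and emits "<product> <version> exploit" style queries for each fingerprinted
service. The scan data below is constructed, not a real result.
"""
import xml.etree.ElementTree as ET

# Constructed Nmap -oX fragment: one host, two fingerprinted services, one
# table-guessed service with no version, and one port that is not open.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun>
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open"/>
        <service name="ftp" product="vsftpd" version="2.3.4" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.2p2 Ubuntu 4ubuntu2.8" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="filtered"/>
        <service name="http-proxy" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def extract_services(nmap_xml):
    """Return (address, port, product, version) for every open port whose
    service carries a product name. Table-based guesses (no product, low
    confidence) are skipped: there is no version to research."""
    root = ET.fromstring(nmap_xml)
    found = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            if svc is None or not svc.get("product"):
                continue
            found.append((addr, int(port.get("portid")),
                          svc.get("product"), svc.get("version", "")))
    return found


def search_queries(services, suffixes=("exploit", "vulnerability")):
    """One query per product/version and suffix, in the article's
    "vsftpd 2.3.4 exploit" form. Nmap's version field can carry distro
    packaging tags ("7.2p2 Ubuntu 4ubuntu2.8"); only the first token is
    the upstream version, so that is what goes into the query.
    Duplicates (same service on several ports) are emitted once."""
    queries = []
    for _, _, product, version in services:
        upstream = version.split()[0] if version else ""
        base = f"{product} {upstream}".strip()
        for suffix in suffixes:
            query = f"{base} {suffix}"
            if query not in queries:
                queries.append(query)
    return queries


if __name__ == "__main__":
    services = extract_services(SAMPLE_NMAP_XML)
    for addr, port, product, version in services:
        print(f"{addr}:{port}  {product} {version}")
    for query in search_queries(services):
        print("search:", query)
```

Keeping the full version string in the report while trimming it for the query matters in practice: a backported Ubuntu package can have the upstream version's CVEs patched, so the distro tag is what you check against the vendor's security notices once the search has told you which CVEs apply to the upstream release.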

Google Dorks: Advanced Search Operators

Google dorking refers to using Google’s built-in search operators in precise combinations to return highly specific results. Here’s a breakdown of the most useful ones.

Exact phrases with quotes

Wrapping a term in quotes forces Google to match it exactly. Say, for example, you are researching a person for an investigation, or an executive for an external penetration test that includes social engineering:

"John Smith"

This eliminates loosely related results and focuses the search on that exact string.

Combining terms to narrow results

Adding keywords refines the search further. For example, to look for that person's possible wedding in a specific city and state:

"John Smith" wedding Sacramento California

The more context you add, the more targeted the results become.

Wildcard operator ( * )

An asterisk acts as a wildcard, substituting for any word or character, much like a regular expression when you search text files on Linux. You can add it to a name, for example, to find anyone with a middle name or initial:

"John * Smith"

This returns results for John Smith with any middle name or initial — useful when you know a name but not all the details.

Site operator (site:)

This restricts results to a specific domain or site. An example would be looking for a social media profile for “John Smith” on Instagram:

"John Smith" site:instagram.com

This can also be great for limiting research to a particular organization’s web presence.

Minus operator (-)

A minus sign excludes specific terms or sites from results. This is useful for filtering and narrowing things down, whether excluding a name variant, as below, or excluding subdomains you have already found:

"John Smith" -"John L. Smith"

File type operator (filetype:)

Finds specific file types indexed by Google:

"John * Smith" site:.gov filetype:pdf

This returns PDFs from government websites matching the name pattern — potentially useful for finding resumes, reports, or documents containing contact information and professional details. In a penetration test context, the same technique can uncover exposed configuration files, credentials stored in text files, or publicly accessible code.

URL and page content operators

  • inurl: — searches for a specific string within the URL itself
  • intitle: — searches within the page title
  • intext: — searches within the body text of a page

For example:

site:example.com inurl:admin

This looks for admin panels on a specific domain — a common check during web application penetration tests and bug bounties.

Subdomain Enumeration with Google

During web application reconnaissance, finding subdomains is an important step. Google can help surface subdomains that have been indexed:

site:*.example.com

As you discover subdomains, subtract them from future searches to avoid seeing the same results and uncover new ones:

site:*.example.com -www -careers

This iterative process of finding and subtracting results helps surface less obvious subdomains that may have weaker security configurations or expose additional attack surface. That said, Google is just one of many tools for subdomain enumeration — tools like Sublist3r, Subfinder, and Amass are also commonly used alongside certificate transparency log parsing.
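The operators from the earlier sections and the subtract-and-repeat loop from this one fit together in a small amount of code. The script below is an added example, not code from the original article: `build_dork()` assembles a query from the operators the article lists (exact phrase, `site:`, `filetype:`, `inurl:`, `intitle:`, `intext:`, and `-` exclusions), and `enumerate_subdomains()` runs the iterative loop, excluding each host as it is found. It makes no live Google requests: `fake_fetch()` stands in for the search engine and answers from a constructed list of URLs, returning only one page of results per query, which is exactly the situation that makes the subtraction loop necessary. `example.com` and every host under it are placeholders. One tightening relative to the article: exclusions of found hosts use `-site:host` rather than the bare `-www` form, because `-www` drops any page that merely contains that word, while `-site:` drops only that host.

```python
"""Compose the article's search operators and run its subdomain loop.

Added example, not code from the original article. No network access:
fake_fetch() answers from a constructed index. example.com is a placeholder.
"""
from urllib.parse import urlsplit

# Constructed stand-in for the search engine's index of the placeholder
# domain. The last entry is a lookalike host outside the apex that a
# substring check would wrongly accept.
FAKE_INDEX = [
    "https://www.example.com/",
    "https://www.example.com/about",
    "https://careers.example.com/jobs",
    "https://www.example.com/contact",
    "https://dev.api.example.com/v1/docs",
    "https://example.com/",
    "https://staging.example.com/login",
    "https://www.example.com.evil.invalid/",
]


def quote(term):
    """Quote multi-word terms so Google matches the exact phrase."""
    term = term.replace('"', "")
    return f'"{term}"' if " " in term else term


def build_dork(phrase=None, site=None, filetype=None, inurl=None,
               intitle=None, intext=None, exclude_terms=(), exclude_sites=()):
    """Assemble operators in a fixed order: phrase first, then the
    prefix operators, then -term and -site: exclusions."""
    parts = []
    if phrase:
        parts.append(quote(phrase))
    for op, val in (("site", site), ("filetype", filetype), ("inurl", inurl),
                    ("intitle", intitle), ("intext", intext)):
        if val:
            parts.append(f"{op}:{val}")
    parts += [f"-{quote(t)}" for t in exclude_terms]
    parts += [f"-site:{h}" for h in exclude_sites]
    return " ".join(parts)


def host_under(url, apex):
    """Return the URL's hostname if it is strictly below apex, else None.
    Checking the dotted suffix (not substring membership) rejects lookalikes
    such as example.com.evil.invalid and leaves the apex itself out."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host if host.endswith("." + apex.lower()) else None


def fake_fetch(query, page_size=3):
    """Stand-in for the search engine: honours site:*.apex and -site:host
    tokens and returns a single page of results."""
    tokens = query.split()
    apex = next(t[len("site:*."):] for t in tokens if t.startswith("site:*."))
    excluded = {t[len("-site:"):] for t in tokens if t.startswith("-site:")}
    hits = [u for u in FAKE_INDEX
            if host_under(u, apex) and host_under(u, apex) not in excluded]
    return hits[:page_size]


def enumerate_subdomains(apex, fetch=fake_fetch, max_rounds=10):
    """Repeat: search site:*.apex minus every host already seen, collect the
    new hosts, stop when a round adds nothing. Returns hosts in the order
    found, which is also the order the exclusions were applied."""
    known = []
    for _ in range(max_rounds):
        query = build_dork(site=f"*.{apex}", exclude_sites=known)
        new = []
        for url in fetch(query):
            host = host_under(url, apex)
            if host and host not in known and host not in new:
                new.append(host)
        if not new:
            break
        known.extend(new)
    return known


if __name__ == "__main__":
    print(build_dork(phrase="John * Smith", site=".gov", filetype="pdf"))
    print(build_dork(site="example.com", inurl="admin"))
    for host in enumerate_subdomains("example.com"):
        print("found:", host)
```

With the constructed index the first round surfaces only `www` and `careers`, because one page of results is dominated by the main site; the second round, with those two excluded, brings up `dev.api` and `staging`, and the third returns nothing and ends the loop. Swapping `fake_fetch` for a function that returns real result URLs keeps the rest unchanged; the `host_under()` check is worth keeping there too, since results for `site:*.example.com` can include pages whose URL merely mentions the domain.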


Source: https://infosecwriteups.com/hacking-with-google-26b8e134ee22?source=rss----7b722bfd1b8d---4