June 10, 2026
Title:
How I Used Google to Find Exposed Government Files, Admin Pages & More — OSINT for Beginners
Haseeb Bilal
Subtitle:
A beginner's guide to Google Dorking, WHOIS, and OSINT techniques used by ethical hackers
Article:
Most people think Google is just a search engine. Ethical hackers know it's one of the most powerful reconnaissance tools on the planet.
I'm Muhammad Haseeb Bilal, a cybersecurity student currently on my journey to becoming a penetration tester. Today I want to share what I learned about OSINT — Open Source Intelligence — and how something as simple as Google can reveal things that should probably stay hidden.
What is OSINT?
OSINT stands for Open Source Intelligence. It means gathering information about a target using only publicly available sources — no hacking, no illegal access. Just smart searching.
In the Cyber Kill Chain, OSINT falls under Stage 1: Reconnaissance — specifically passive recon, meaning the target has no idea you're looking.
Think of it like this: before a locksmith picks a lock, they first study the lock. OSINT is that study phase.
Google Dorking — Search Like a Hacker
Google indexes millions of files and pages that most website owners don't even know are publicly visible. By using special search operators, you can find them.
Here are the most powerful ones:
site: → Search only one website
intitle: → Find specific words in page titles
inurl: → Find specific words in URLs
filetype: → Find specific file types
"quotes" → Search exact phrases
Real example I tried today:
intitle:"login" inurl:"admin" site:.pk
This single search returned actual admin login pages of Pakistani websites — all publicly accessible, all indexed by Google. No hacking involved. Just smart searching.
Sensitive filetypes to know:
filetype:sql → Exposed database dumps
filetype:env → Environment files (often contain passwords!)
filetype:log → Server log files
Want thousands of ready-made dorks? Visit the Google Hacking Database (GHDB): https://www.exploit-db.com/google-hacking-database
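For site owners, the same list of file types works as a checklist. The script below is an added example, not part of the original article: it walks a web root you control and reports any .sql, .env or .log files a crawler could index, and notes whether a file contains secret-like key names. The function names, the key-name pattern and the sample files are assumptions constructed for the demo.

```python
import os
import re
import tempfile

# File types the article lists as commonly exposed and indexed.
RISKY = {".sql": "database dump", ".env": "environment file", ".log": "server log"}
# Key names that suggest a stored secret (assumed pattern list, extend as needed).
SECRET_KEY = re.compile(r"^\s*[\w.]*(PASSWORD|SECRET|TOKEN|API_KEY)[\w.]*\s*=", re.I | re.M)

def audit_docroot(root):
    """Return sorted (relative_path, kind, has_secret_like_keys) for risky files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            # splitext(".env") yields no extension, so match the file name as well.
            if name.lower() == ".env" or name.lower().startswith(".env."):
                ext = ".env"
            if ext not in RISKY:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                head = fh.read(65536)  # inspect only the first 64 KiB
            rel = os.path.relpath(path, root)
            findings.append((rel, RISKY[ext], bool(SECRET_KEY.search(head))))
    return sorted(findings)

def build_sample_docroot():
    """Create a constructed sample web root so the audit can run offline."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "backup"))
    samples = {
        "index.html": "<h1>home</h1>",
        ".env": "DB_HOST=localhost\nDB_PASSWORD=example-only\n",
        os.path.join("backup", "site.sql"): "CREATE TABLE users (id INT);\n",
        "access.log": '127.0.0.1 - - "GET / HTTP/1.1" 200\n',
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for rel, kind, secret in audit_docroot(build_sample_docroot()):
        print(f"{rel}: {kind}" + (" (contains secret-like keys)" if secret else ""))
```

Anything this reports inside a publicly served directory should be moved out of the web root or blocked by the server configuration.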
WHOIS — Who Owns That Domain?
WHOIS is a public database that stores domain registration info. Today I looked up google.com and facebook.com and found:
Interesting finding: Facebook's IP resolves to Dublin, Ireland — not the US. Why? Tax and legal reasons. Meta hosts European data in Ireland. I found this out in 30 seconds using a free tool.
What WHOIS tells you:
- Domain registrar and owner
- Registration and expiry dates
- Name servers
- IP address and hosting location
Try it yourself: https://who.is
Maltego — Visualizing Connections
Maltego is a visual intelligence tool that maps relationships between data points. Start with an email address and it finds connected social profiles, domains, phone numbers, and more — all displayed as a visual graph.
It's not a port scanner (that's Nmap's job). It's a connection finder.
The Golden Rule
Everything I described above is legal — these are public information sources. However, using this information to attack systems without permission is illegal. Ethical hackers always have written authorization before testing any target.
OSINT is the first step. How you use the information defines whether you're a white hat or a black hat.
What's Next?
Next up: Shodan — the search engine for internet-connected devices. If Google Dorking is powerful, Shodan is terrifying. Stay tuned.
Follow my cybersecurity journey as I document everything I learn — from beginner to penetration tester.