OSINT for the Lazy. Part 3: How to Ask Questions to Get Answers

Have you ever? Yes? Now imagine that you are that person, and the search engine is you. For the most part, that's how it is from the perspective of the search engine. It's just that due to the Dunning-Kruger syndrome, you don't realize it.

— How can we become smarter and start asking the right questions so that the search engine understands us?
First of all, how does the search engine see us? For example, we write the query: buy watches omega. In the address bar, Google writes among other things https://www.google.com/search?q=buy+watches+omega; we'll omit the rest of the characters for clarity.

In other words, it sees not "buy watches omega," but "buy+watches+omega." What are those plus signs? They are logical operators. With the query, we get results on how to buy Omega watches. But what happens if instead of "buy+watches+omega," we write: "buy+watches-omega"? Manually, forcibly. In that case, Google will give us any watches except Omega.

Does the sign matter? Uh-huh. And not just that. If we construct a query in such a way that we need an exact match, we should put it in quotes.
What if we need all PDFs from a specific site? We explain to the search engine: inurl: example.com ext:pdf (or filetipe:pdf). That is: "From this site, give me everything that is recorded in your internal storage as pdf."

The search engine understands us. We are speaking the same language. The words and phrases from it are called dorks. And there are plenty of dictionaries for this language. Here are some of them:
https://taksec.github.io/google-dorks-bug-bounty/
https://github.com/BullsEye0/google_dork_list

Google? Not just that. Most search engines (almost all) operate with the same logical operators following a similar algorithm. Shodan dorks: https://github.com/nullfuzz-pentest/shodan-dorks
And GitHub has its own dorks too. Everywhere there is a search bar, they are applicable. So, let's not get lost.
What if you need your specific query, your original dork? Well, aren't we lazy OSINTers? Construct it ourselves? Uh-huh! Sure! Dork builders are here to help: https://dorksearch.com
https://www.dorkgpt.com — this one even has AI, just how we like it.

Important point: dorks do not hack websites; they find what is already openly available. You just asked the right question.
Where are dorks really useful? Dorks are great for:
– searching for documents
– old versions of websites
– technical pages
– forgotten PDFs
– leaked presentations
– test pages

— Additionally, they can excellently show the structure of a website, its file storage. For this, there is a magical dork like index of.
We write: inurl:example.com index of, but this request doesn't work for all websites anymore. We can work around to the same site like this:
– open the site, find an image on the site
– right-click -> open image in a new tab
– go to the tab with the picture
– if the text string looks like: https://example.com/wp-content/uploads/2025/12/IMAGE.jpg, then we can shorten the address to: https://example.com/wp-content/uploads/2025/12
If the file system opens, we can look in detail by year and month at all the files that have been uploaded there. But we may also encounter such a response:

In this case, we look for other ways. There is no universal recipe in OSINT by definition, but remember, dorks are like walking on ice. In places, this ice is very thin.
A database with personal data, an admin panel, a backup, private accounts - this is already the red zone. The main thing to remember: Dorks are not about "getting everything," they are about precision of thought.

A good dork:
– saves time
– shows connections
– helps understand the big picture

A bad dork:
– leads to the "evidence" folder
– ends with a letter from lawyers
– damages reputation Remember: Dorks are about smart searching, not cheat codes.

If you use them as an analysis tool - you are an osinter. If as a way of "poke and everything popped up" - you... Well, you get it.
Happy hunting, osinter!