
Goohak

Goohak is an automated Google hacking reconnaissance tool that executes advanced Google Search operator queries to discover exposed vulnerabilities, misconfigurations, and sensitive information. It provides pre-built dork collections, automated query generation, and result aggregation for efficient OSINT workflows.

Installation

# Clone from GitHub
git clone https://github.com/1N3/Goohak.git
cd Goohak

# Install dependencies
pip3 install -r requirements.txt

# Run help
python3 goohak.py -h

Basic Operation

Target Reconnaissance

# Perform basic reconnaissance on target
python3 goohak.py target.com

# Verbose output with detailed results
python3 goohak.py target.com -v

# Save to file
python3 goohak.py target.com -o results.txt

# Limit results
python3 goohak.py target.com -l 50

# JSON output
python3 goohak.py target.com -f json

Dork Categories

Goohak includes pre-built collections for different vulnerability classes:

Category   | Purpose                     | Example Command
admin      | Admin panels & login pages  | python3 goohak.py target.com -d admin
backup     | Backup and archive files    | python3 goohak.py target.com -d backup
config     | Configuration files         | python3 goohak.py target.com -d config
database   | Database files & dumps      | python3 goohak.py target.com -d database
documents  | Exposed documents           | python3 goohak.py target.com -d documents
api        | API endpoints & docs        | python3 goohak.py target.com -d api
error      | Error pages & debug info    | python3 goohak.py target.com -d error
misc       | Miscellaneous findings      | python3 goohak.py target.com -d misc

Admin Interface Discovery

Typical Admin Dorks

# WordPress admin
python3 goohak.py target.com -q "intitle:wp-admin"

# Joomla admin
python3 goohak.py target.com -q "intitle:administrator"

# Drupal admin
python3 goohak.py target.com -q "intitle:admin.php"

# Generic admin panel
python3 goohak.py target.com -d admin

# Admin login pages
python3 goohak.py target.com -q "intitle:login inurl:admin"

# Management portals
python3 goohak.py target.com -q "intitle:management OR intitle:console"

Sensitive File Discovery

Exposed Files & Data

# Database backups
python3 goohak.py target.com -d backup

# SQL dumps
python3 goohak.py target.com -q 'filetype:sql'

# Database files
python3 goohak.py target.com -q 'filetype:db OR filetype:sqlite'

# Archive files
python3 goohak.py target.com -q 'filetype:zip OR filetype:rar OR filetype:tar.gz'

# Configuration files
python3 goohak.py target.com -d config

# Application config
python3 goohak.py target.com -q 'filetype:conf OR filetype:cfg OR web.config'

Document Leaks

# Run documents category
python3 goohak.py target.com -d documents

# Specific file types
python3 goohak.py target.com -q 'filetype:pdf'
python3 goohak.py target.com -q 'filetype:docx'
python3 goohak.py target.com -q 'filetype:xlsx'
python3 goohak.py target.com -q 'filetype:pptx'

# Documents with keywords
python3 goohak.py target.com -q 'filetype:pdf "confidential"'
python3 goohak.py target.com -q 'filetype:xlsx "password"'

Credential & Secret Hunting

Exposed Credentials

# Credentials in pages
python3 goohak.py target.com -q 'intext:"username:" OR intext:"password:"'

# API keys
python3 goohak.py target.com -q 'intext:"api_key=" OR intext:"apikey="'

# AWS credentials
python3 goohak.py target.com -q 'intext:"AKIA" OR intext:"aws_access_key"'

# Bearer tokens
python3 goohak.py target.com -q 'intext:"Bearer" OR intext:"Authorization:"'

# Private keys
python3 goohak.py target.com -q 'intext:"BEGIN RSA PRIVATE KEY"'

# Database credentials
python3 goohak.py target.com -q 'intext:"mysql://" OR intext:"mongodb://"'
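The same markers can be checked from the publishing side, before a crawler ever indexes them. The script below is an added example, not part of Goohak; `scan_webroot`, `make_sample_webroot`, the labels and the sample files are constructed for illustration, and the patterns are the ones the queries above search for.

```bash
#!/usr/bin/env bash
# Added example (not from Goohak): check a web root you publish for the
# credential markers the dorks above search for. All names are illustrative.

# scan_webroot DIR -> one "label<TAB>file:line" per hit. The matched text
# itself is never printed, so the report can be pasted into a ticket.
scan_webroot() {
    local root=$1 label regex
    # Each heredoc line is "<label> <extended regex>"; read puts the whole
    # remainder of the line (spaces and '|' included) into $regex.
    while read -r label regex; do
        grep -rnHIE -e "$regex" "$root" 2>/dev/null |
            awk -F: -v l="$label" '{ print l "\t" $1 ":" $2 }'
    done <<'EOF' | sort -u
aws_access_key AKIA[0-9A-Z]{16}|aws_access_key
private_key BEGIN RSA PRIVATE KEY
api_key api_?key=
password (username|password):
db_uri (mysql|mongodb)://
EOF
}

# Constructed sample tree so the function can be run offline.
make_sample_webroot() {
    local d
    d=$(mktemp -d) || return 1
    printf '%s\n' 'aws_access_key_id = AKIAIOSFODNN7EXAMPLE' > "$d/config.bak"
    printf '%s\n' '$dsn = "mysql://app:constructed@db.internal/app";' > "$d/db.php"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' > "$d/old_key.txt"
    printf '%s\n' '<p>Welcome</p>' > "$d/index.html"
    printf '%s\n' "$d"
}
```

Run it as `scan_webroot /path/to/webroot`; paths containing a colon will be split incorrectly by the `awk -F:` step.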

API & Endpoint Discovery

Finding API Endpoints

# Run API category
python3 goohak.py target.com -d api

# API versioning
python3 goohak.py target.com -q 'inurl:/api/v'

# Swagger/OpenAPI
python3 goohak.py target.com -q 'intitle:swagger OR inurl:swagger'

# GraphQL endpoints
python3 goohak.py target.com -q 'inurl:graphql'

# API documentation
python3 goohak.py target.com -q 'intitle:api documentation'

# JSON endpoints
python3 goohak.py target.com -q 'inurl:api filetype:json'

Error Page & Debug Discovery

Information Disclosure

# Run error category
python3 goohak.py target.com -d error

# Debug pages
python3 goohak.py target.com -q 'intitle:debug OR intitle:debug mode'

# Error pages with stack traces
python3 goohak.py target.com -q 'intitle:"error" "at line"'

# Database errors exposed
python3 goohak.py target.com -q 'intitle:"sql" OR intitle:"mysql"'

# Application errors
python3 goohak.py target.com -q 'intext:"fatal error" OR intext:"syntax error"'

# Exception pages
python3 goohak.py target.com -q 'intitle:"exception" filetype:html'

Custom Query Execution

Running Custom Dorks

# Single custom query
python3 goohak.py target.com -q 'intitle:admin inurl:panel'

# Multiple operators
python3 goohak.py target.com -q 'site:target.com filetype:pdf "report"'

# Exclusions
python3 goohak.py target.com -q 'site:target.com -inurl:help'

# OR queries
python3 goohak.py target.com -q 'site:target.com OR site:api.target.com'

# Complex queries
python3 goohak.py target.com -q 'site:target.com filetype:xlsx OR filetype:xls intext:"password"'

Batch Processing

# Create target list
cat > targets.txt << 'EOF'
target1.com
target2.com
target3.com
EOF

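# Process each target (one per line; blank lines are skipped)
mkdir -p results
while IFS= read -r target; do
    [ -n "$target" ] || continue
    echo "[*] Scanning $target"
    # </dev/null keeps the tool from consuming the rest of targets.txt
    python3 goohak.py "$target" -o "results/$target.txt" < /dev/null
done < targets.txt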

# Combine results
cat results/*.txt | sort -u > all_results.txt

Real-World Reconnaissance Workflows

Vulnerability-Specific Hunting

# SQL injection endpoints
python3 goohak.py target.com -q 'inurl:search.php?q='

# Open redirects
python3 goohak.py target.com -q 'inurl:redirect= OR inurl:url='

# SSRF endpoints
python3 goohak.py target.com -q 'inurl:proxy OR inurl:fetch'

# File upload functions
python3 goohak.py target.com -q 'inurl:upload OR inurl:file'

# Path traversal patterns
python3 goohak.py target.com -q 'inurl:../../../ OR inurl:..%2f'

# XXE endpoints
python3 goohak.py target.com -q 'inurl:xml OR filetype:xml'

Complete Reconnaissance

#!/bin/bash
# Comprehensive Google hacking reconnaissance

TARGET="target.com"
OUTPUT_DIR="recon_$(date +%Y%m%d)"
mkdir -p "$OUTPUT_DIR"

echo "[*] Starting reconnaissance on $TARGET"

# Run all dork categories
for category in admin backup config database documents api error; do
    echo "[*] Running category: $category"
    python3 goohak.py "$TARGET" -d "$category" \
        -o "$OUTPUT_DIR/$category.txt" 2>/dev/null
done

# Additional custom dorks
echo "[*] Running custom dorks"
python3 goohak.py "$TARGET" -q 'inurl:api/v1' -o "$OUTPUT_DIR/api_v1.txt"
python3 goohak.py "$TARGET" -q 'intitle:login' -o "$OUTPUT_DIR/login.txt"
python3 goohak.py "$TARGET" -q 'intext:"password" OR intext:"api_key"' \
    -o "$OUTPUT_DIR/credentials.txt"

# Consolidate
echo "[*] Consolidating findings"
cat "$OUTPUT_DIR"/*.txt | sort -u > "$OUTPUT_DIR/all_findings.txt"

echo "[+] Reconnaissance complete"
echo "[+] Total unique findings: $(wc -l < "$OUTPUT_DIR/all_findings.txt")"

Result Analysis & Filtering

Parse and Organize Results

# Extract unique URLs only
# ([^\s] in a bracket expression excludes '\' and 's', not whitespace)
grep -oE 'https?://[^[:space:]]+' results.txt | sort -u > urls.txt

# Filter by criteria
grep "admin" results.txt > admin_findings.txt
grep "api" results.txt > api_findings.txt
grep "backup" results.txt > backup_findings.txt

# Find sensitive patterns
grep -iE "password|apikey|secret|token" results.txt > sensitive.txt

# Group by domain (-n ... p prints only lines that actually contain a URL)
sed -n 's|.*://\([^/]*\).*|\1|p' results.txt | sort -u > domains.txt

Integration with Other Tools

Feed to Burp Suite

# Create Burp scope
python3 goohak.py target.com | \
  grep -oE 'https?://[^[:space:]]+' | \
  sed 's|https://||;s|http://||' | \
  sort -u > burp_scope.txt

Feed to Nuclei

# Extract URLs for Nuclei scanning
python3 goohak.py target.com | \
  grep -oE 'https?://[^[:space:]]+' > urls.txt

# Run Nuclei on discovered URLs
nuclei -l urls.txt -t templates/

Feed to Web Scanner

# Prepare for OWASP ZAP
python3 goohak.py target.com -o urls.txt

# Format for import
cut -d' ' -f1 urls.txt | sort -u > clean_urls.txt
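
Search results routinely include hosts outside the engagement, such as third-party pages that merely mention the target, so a scope filter belongs between Goohak and any active scanner. The function below is an added example, not part of Goohak; `in_scope_urls`, `sample_results` and the sample lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from Goohak): keep only URLs whose host is the
# authorized domain or one of its subdomains. Names and data are constructed.

# in_scope_urls DOMAIN   (tool output on stdin, unique in-scope URLs on stdout)
in_scope_urls() {
    local domain url rest host
    domain=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    grep -oE 'https?://[^[:space:]"<>]+' | while IFS= read -r url; do
        rest=${url#*://}          # drop the scheme
        host=${rest%%[/?#]*}      # authority ends at the first /, ? or #
        host=${host##*@}          # drop userinfo (user:pass@)
        host=${host%%:*}          # drop the port
        host=$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')
        host=${host%.}            # drop the trailing dot of an FQDN
        # Exact host or a dot-delimited suffix match, never a substring match.
        case "$host" in
            "$domain"|*".$domain") printf '%s\n' "$url" ;;
        esac
    done | sort -u
}

# Constructed sample output: three in-scope URLs and four look-alikes.
sample_results() {
    cat <<'EOF'
[+] https://target.com/admin/login.php
[+] https://api.target.com:8443/v1/users?id=1
[+] http://TARGET.com/backup.zip
[+] https://nottarget.com/admin
[+] https://target.com.evil.example/login
[+] https://target.com@evil.example/
[+] https://blog.example.org/post?ref=https://target.com/
EOF
}
```

Typical use is `python3 goohak.py target.com | in_scope_urls target.com > urls.txt` ahead of the Nuclei or ZAP step.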

Best Practices

  • Respect Google’s Terms of Service during reconnaissance
  • Add appropriate delays between searches
  • Rotate user agents to appear legitimate
  • Verify findings manually before reporting
  • Document all dork queries used
  • Filter false positives from results
  • Combine with other OSINT sources
  • Obtain proper authorization first
  • Keep dork collections updated

Common Dork Patterns

# Site-specific patterns
site:target.com admin
site:target.com inurl:api
site:target.com filetype:pdf

# Multi-site patterns
site:target.com OR site:api.target.com
site:target.com OR site:cdn.target.com

# File hunting
filetype:conf
filetype:sql
filetype:env

# Title searches
intitle:admin
intitle:login
intitle:dashboard

# URL patterns
inurl:admin
inurl:api
inurl:backup


Last updated: 2026-03-30