Google Searching

We can quickly find subdomains with Google. The goal of this exercise is to simply uncover as many subdomains as possible while remaining stealthy. The Google dork site:domain is used to explicitly return results that match said domain.

For example, to return only results from uc.edu, we would search: site:uc.edu.

Lets compare search results when using this operator.

Dork: 432,000 results

No Dork: 4.9 Million results.

This has clearly drasticaclly reduced the amount of noise we have to soft through. Lets go further.

Since we have already identified www.uc.edu, we can exlude that from our search.

Google returns over 400,000 subdomains that are owned by the university. Combing through all these results would certainly be tediuos, so scripting and automating this process will definitely save time and money. We will look at tools to do this later.

Are you keeping track of all the emails found so far? The subdomains? What about names and contact information?