We can infer the Windows OS version in use by mapping the IIS version back to the Windows version that it comes installed on by default. Some default installations are:
IIS 6.0: Windows Server 2003
IIS 7.0-8.5: Windows Server 2008 / Windows Server 2008R2
IIS 10.0 (v1607-v1709): Windows Server 2016
IIS 10.0 (v1809-): Windows Server 2019
X-Powered-By header: This header can tell us what the web app is using. We can see values like PHP, ASP.NET, JSP, etc. X-Powered-By: PHP/7.4.21
Cookies: Cookies are another attractive value to look at as each technology by default has its cookies. Some of the default cookie values are:
.NET: ASPSESSIONID<RANDOM>=<COOKIE_VALUE>
PHP: PHPSESSID=<COOKIE_VALUE>
JAVA: JSESSION=<COOKIE_VALUE>
Operator
Operator Description
Example
Example Description
site:
Limits results to a specific website or domain.
site:example.com
Find all publicly accessible pages on example.com.
inurl:
Finds pages with a specific term in the URL.
inurl:login
Search for login pages on any website.
filetype:
Searches for files of a particular type.
filetype:pdf
Find downloadable PDF documents.
intitle:
Finds pages with a specific term in the title.
intitle:"confidential report"
Look for documents titled "confidential report" or similar variations.
intext: or inbody:
Searches for a term within the body text of pages.
intext:"password reset"
Identify webpages containing the term “password reset”.
cache:
Displays the cached version of a webpage (if available).
cache:example.com
View the cached version of example.com to see its previous content.
link:
Finds pages that link to a specific webpage.
link:example.com
Identify websites linking to example.com.
related:
Finds websites related to a specific webpage.
related:example.com
Discover websites similar to example.com.
info:
Provides a summary of information about a webpage.
info:example.com
Get basic details about example.com, such as its title and description.
define:
Provides definitions of a word or phrase.
define:phishing
Get a definition of "phishing" from various sources.
numrange:
Searches for numbers within a specific range.
site:example.com numrange:1000-2000
Find pages on example.com containing numbers between 1000 and 2000.
allintext:
Finds pages containing all specified words in the body text.
allintext:admin password reset
Search for pages containing both "admin" and "password reset" in the body text.
allinurl:
Finds pages containing all specified words in the URL.
allinurl:admin panel
Look for pages with "admin" and "panel" in the URL.
allintitle:
Finds pages containing all specified words in the title.
allintitle:confidential report 2023
Search for pages with "confidential," "report," and "2023" in the title.
AND
Narrows results by requiring all terms to be present.
site:example.com AND (inurl:admin OR inurl:login)
Find admin or login pages specifically on example.com.
OR
Broadens results by including pages with any of the terms.
"linux" OR "ubuntu" OR "debian"
Search for webpages mentioning Linux, Ubuntu, or Debian.
NOT
Excludes results containing the specified term.
site:bank.com NOT inurl:login
Find pages on bank.com excluding login pages.
* (wildcard)
Represents any character or word.
site:socialnetwork.com filetype:pdf user* manual
Search for user manuals (user guide, user handbook) in PDF format on socialnetwork.com.
.. (range search)
Finds results within a specified numerical range.
site:ecommerce.com "price" 100..500
Look for products priced between 100 and 500 on an e-commerce website.
" " (quotation marks)
Searches for exact phrases.
"information security policy"
Find documents mentioning the exact phrase "information security policy".
- (minus sign)
Excludes terms from the search results.
site:news.com -inurl:sports
Search for news articles on news.com excluding sports-related content.
