DorkSearch Review
889,000+ pre-built Google dorks with an AI dork builder for instant recon
Quick Verdict
Security researchers, penetration testers, and OSINT investigators running targeted Google dorking campaigns — particularly useful when you know the target domain but don't know which dorks to run
Pros
- + 889,000+ dork library spanning credentials exposure, subdomains, admin panels, login pages, and hundreds of other patterns
- + Multi-engine support — generates dorks for Google, Bing, DuckDuckGo, Brave, Startpage, Yahoo, Yandex, and Baidu simultaneously
- + AI dork builder generates custom dorks from natural language — describe what you're looking for, get the query
- + Entirely free — no account, no rate limits on the search interface
- + Organized by category (SQLi, XSS, file exposure, authentication bypass, admin panels, cameras, IoT) for methodical recon
Cons
- − Executing dorks against search engines is still subject to each engine's own rate limits and CAPTCHAs
- − Very large library means noise — many dorks are outdated or too generic to return useful results
- − No built-in execution environment — generates queries, doesn't run them; still requires manual searching or integration
- − AI dork builder quality varies by use case; complex or unusual targets need manual refinement
- − No API for programmatic dork generation or bulk query execution
What DorkSearch Is
DorkSearch is a massive Google dork library. It has 889,000 queries, categorized by vulnerability and use case. A component generates custom dorks from natural language.
Google dorking finds information that standard queries miss. You can combine operators like site:, filetype:, inurl:, intitle:, and intext: to expose sensitive data. All you need is a browser and the right operator combinations.
DorkSearch makes it easy. You can search by category, keyword, or use case, and get pre-written queries you can run right away. No memorization is needed. Just pick and use.
What It's Good For
Attack Surface Mapping for Specific Domains
DorkSearch can scope its dorks to a specific domain. Enter the domain and run domain-specific dorks to uncover exposed admin panels, config files, backup files, and directory listings. The queries come formatted for Google and ready to paste.
Multi-Engine Coverage
DorkSearch supports eight engines. You can run the same query across multiple engines in minutes.
Vulnerability-Class Categories
Dorks surface exposed material such as credentials, tokens, API keys, Git directories, env files with DB passwords, backup files with _old and _backup suffixes, and S3 bucket listings.
OSINT Investigations
DorkSearch helps with organizational investigations by uncovering internal documents, employee directories, contractor lists, presentations, and procurement records that are publicly posted but often forgotten. You can use the filetype operator against a specific site and domain to search for PDF, DOCX, XLSX, and PPT files, which make up most of what's indexed.
Custom Dork Generation
The custom dork generator uses natural language to create formatted dork queries. For example, you can input "Find login pages for healthcare on Apache" and get a ready-to-use dork query to paste and search.
What It Doesn't Do
DorkSearch generates queries. It doesn't run them. You still have to paste each query into a search engine, then deal with rate limits, CAPTCHAs, and pagination.
For bulk work, Pagodo pairs well with DorkSearch. Use its library export. The library is huge: 889,000 dorks. Filtering helps, but quality still varies. New dorks for recent software stacks work best. Old dorks often return nothing, so operators need to pick through them.
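As an added example (not code from DorkSearch or Pagodo), the following Python shows the filtering step described above: it parses a one-dork-per-line export, rejects malformed entries and operators outside those named in this review, removes duplicates, and re-scopes every query to a single domain you are authorized to assess. The export format, the function names, and the sample lines are assumptions constructed for illustration.

```python
import re

# Operators named in this review; any other operator is rejected, not guessed at.
KNOWN_OPS = {"site", "filetype", "inurl", "intitle", "intext"}
TOKEN = re.compile(r'(-?)(?:(\w+):)?("[^"]*"|\S+)')

def parse_dork(line):
    """Return a list of (negated, operator, value) terms, or None if malformed."""
    if not line.strip() or line.count('"') % 2:
        return None  # blank line or unbalanced quotes
    terms = []
    for neg, op, value in TOKEN.findall(line):
        op = op.lower()
        if op and op not in KNOWN_OPS:
            return None  # operator outside the allow-list
        if not value.startswith('"') and ":" in value:
            return None  # dangling or nested operator such as a bare "site:"
        terms.append((neg == "-", op, value))
    return terms

def scope_to_domain(terms, domain):
    """Replace any baked-in site: target with `domain`; keep -site: exclusions."""
    kept = [t for t in terms if t[1] != "site" or t[0]]
    if not any(not neg for neg, _, _ in kept):
        return None  # nothing positive left to search for
    body = " ".join(("-" if n else "") + (f"{o}:" if o else "") + v for n, o, v in kept)
    return f"site:{domain} {body}"

def filter_library(lines, domain):
    """Return (scoped_queries, rejected_lines), de-duplicated case-insensitively."""
    scoped, rejected = {}, []
    for line in filter(str.strip, lines):
        terms = parse_dork(line)
        query = scope_to_domain(terms, domain) if terms else None
        if query is None:
            rejected.append(line.strip())
        else:
            scoped.setdefault(query.lower(), query)
    return list(scoped.values()), rejected

# Constructed sample export, one dork per line (not real DorkSearch output).
SAMPLE_EXPORT = [
    'intitle:"index of" inurl:backup',
    'INTITLE:"index of" inurl:backup',
    'site:old-target.example filetype:pdf intext:"internal use only"',
    'cache:old-target.example',
    'intitle:"unterminated inurl:admin',
    'inurl:admin intitle:login -site:github.com',
]
```

Calling `filter_library(SAMPLE_EXPORT, "example.org")` returns the scoped queries plus the rejected lines, so the rejects can be reviewed by hand rather than silently dropped.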
Responsible Use
Dorking surfaces publicly indexed information. It is legal in all major jurisdictions. The search itself is fine. What you do with the results may not be.
Pen testers and OSINT investigators use dorking for reconnaissance, but only in authorized engagements. Extracting credentials from indexed files and using them to log into systems is not acceptable.
Comparison to Alternatives
GHDB, from Exploit-DB, lists security dorks. It is a canonical source. DorkSearch builds on it, with more dorks and support for more search engines.
GHDB is pure security research. DorkSearch covers more and is easier to use.
Google CSE allows users to build custom search engines with preset operators for ongoing target monitoring, though setup is required.
DorkSearch is faster for quick recon.
Reviewed April 2026. Tool available at dorksearch.com.
See Also
Network Reconnaissance Tools
Network recon is about finding what's exposed. You scan for open ports, services, and devices. The top tools are Shodan, Censys, and ZoomEye. They index internet infrastructure, including servers, cameras, routers, industrial control systems. Anything listening on an open port gets catalogued. Banners tell you what's running, version numbers, sometimes config details.
Shodan
Shodan indexes internet infrastructure: servers, cameras, routers, industrial systems. Anything listening on an open port gets catalogued. Banners tell you what's running, version numbers, sometimes config details. The OSINT value is that you know what a target has exposed before you ever send a packet their way. Operators miss things. Dev servers get forgotten.
Shodan's API is robust. You can query by IP, domain, or port. Results are returned in JSON or CSV. The free tier has limits; you'll burn through it in about 40 minutes of actual work.
Censys
Censys scans the internet. It finds devices, services, and certificates. You query by IP, domain, or certificate. Results are detailed, including port numbers, protocols, and banners.
Censys and Shodan overlap. Censys finds some things Shodan misses. The reverse is also true, depending on the port range.
ZoomEye
ZoomEye is from a Chinese company. It scans the internet. You get device info, banners, and OS details. The free tier has limits. You can query by IP, domain, or port.
ZoomEye's API works. Results are returned in JSON. The free tier has usage limits. You can use it for quick checks.
Comparison
The tools have the following features. Shodan offers a free tier with limited queries by IP, domain, or port, and API support in JSON and CSV. Censys offers a free tier with limited queries by IP, domain, or certificate, and API support in JSON. ZoomEye offers a free tier with limited queries by IP, domain, or port, and API support in JSON.
Choose a tool. Start scanning. See what's exposed. That's network recon.
Further Reading
For more on domain and IP OSINT, see Domain and IP OSINT Guide. For comparisons of top network recon tools, see Best Network Recon Tools.
Tool Relationships
Similar Tools
Shodan
Search engine for internet-connected devices — find exposed servers, industrial systems, and network infrastructure worldwide.
RTL-SDR Blog V4
The standard $40 software-defined radio dongle for ADS-B aircraft tracking, AIS ship tracking, and weather satellite imagery.
SingleFile
Archive any web page — including JavaScript-rendered content — into a single self-contained HTML file that opens identically offline and can be cryptographically verified.
urlscan.io
Free website scanner that captures full-page screenshots, network requests, and DOM snapshots for any URL
This review reflects testing as of 2026-04-02. OSINT tools change frequently; check the vendor's current documentation for pricing and feature updates.