loading
loading
Recon
Search Google dorks in a specified Custom Search Engine id.
overview
gorks runs a set of Google dork queries through a programmable Custom Search Engine (GCSE) rather than scraping the public results page. You supply a JSON file of dorks, a CSE id, and an API key, and gorks fires each query in turn and collects what the engine returns. Routing through the official API keeps the requests clean and avoids the rate blocks that hit raw scrapers.
Dorks are search operators that pin down exposed files, login pages, directory listings, and other artifacts an organization left indexable. gorks turns a curated dork list into a repeatable recon step, so the same query set runs the same way every time instead of being pasted by hand into a browser.
On Trickest, gorks is a Recon node that takes a dorks file plus engine credentials and writes a file and a folder of results. Feed it a tailored dork list scoped to one organization, then route the hits into triage or into a prober that confirms which exposed pages are still live.
source github.com/carlospolop/gorks
use cases
Run a dork list that targets index pages, backups, and config files through a Custom Search Engine to surface artifacts an organization left publicly indexable.
Keep the dork set in a JSON file so the same recon queries run identically on every engagement instead of being typed into a browser one at a time.
Use siterestrict with a CSE that covers a small domain set so every dork stays inside the organization you are assessing.
Supply a file of API keys so a large dork run spreads requests across credentials and keeps moving past per-key quotas.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| dorks | FILE | --dorks | JSON file of Google dork queries to run. |
| cse-id | STRING | --cseid | Id of the Custom Search Engine to query. |
| api-key | STRING | --api-key | API key for the Custom Search Engine. |
| api-keys-file | FILE | --api-keys-file | Read multiple API keys from a file to spread request volume. |
| siterestrict | BOOLEAN | --siterestrict | Use the siterestrict API when the engine covers fewer than 10 domains. |
| debug | BOOLEAN | --debug | Print debug output while queries run. |
Showing key inputs. gorks exposes 6 inputs in total.
example
# run a JSON dork list through a scoped Custom Search Enginegorks --dorks dorks.json --cseid a12bc3de4fg5hi6jk --api-key <GOOGLE_API_KEY> --siterestrict[+] site:example.com intitle:"index of" https://example.com/backup/ https://assets.example.com/old/[+] site:example.com filetype:env https://example.com/.env.bak[+] site:example.com inurl:wp-config https://blog.example.com/wp-config.php.save[+] site:example.com ext:sql "INSERT INTO" https://example.com/db/dump.sqlguidance
Use gorks when you want repeatable Google dorking against a target through the Custom Search Engine API instead of scraping the results page. You need a CSE id and an API key. For passive URL harvesting from web archives, reach for gau or waymore instead.
Pulls known URLs from web archives passively. gorks searches live Google index results via dorks.
Broad OSINT across many sources including search engines. gorks is focused purely on running a dork list.
Searches archived URL datasets for matches. A different angle on the same exposed-asset hunt.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
A dorks file feeds gorks, which runs each query through a Custom Search Engine and writes the matching pages as a queryable output.
Facts on this page come from the live Trickest tool library.