OSINT for Carders 2.0: Finding Vulnerable Targets with Google Dorks and Shodan Scans

[Good Carder]

From carder to carders. OSINT used to be associated with collecting data on a victim: finding an email address, phone number, address, and social media. But in 2027, OSINT for a carder is about systems, not just people. Where can you find a store with an outdated version of WooCommerce, where the payment form is unprotected, where a Stripe API key is exposed in the page code, where an RDP with access to a POS terminal is open? The answer is Google Dorks and Shodan.

In this article, I'll show you how to turn search engines into a reconnaissance weapon. You'll learn how to find vulnerable payment forms through Google, scan the network for open databases and RDP through Shodan, automate target searches using Python, and avoid falling for honeypot traps. All of this is legal (at first glance) and without direct hacking.

Part 1. Google Dorks: Finding Vulnerabilities via the Search Bar​

Google Dorks (Google Hacking) is the use of special search operators to find information not intended for public access. Google indexes billions of web pages, many of which contain sensitive data that developers have accidentally made public.

1.1. Basic Google Operators for OSINT​

Operator	Example	What does it do?
site:	site:example.com	Searches only on the specified domain
inurl:	inurl:admin	Pages containing the word in the URL
intitle:	intitle:"index of"	Pages with a specific word in the title
filetype:	filetype:sql	Files of a specific type
ext:	ext:log	File extension
cache:	cache:example.com	Shows the cached version of the page.
- (minus)	"credit card" -site:amazon.com	Excludes domain

1.2. Dorks for finding payment forms and vulnerable stores​

1. Search for checkout pages on older CMS versions

intitle:"checkout" inurl:checkout "powered by" WooCommerce
inurl:checkout "OpenCart" "Visa" "Mastercard"
inurl:"/checkout/onepage" "Magento"

2. Searching for pages displaying map data in plain text (a developer's nightmare)

"card number" "expiry" "cvv" filetype:log
"pan" "cvv" "expiry" filetype:txt
"credit card" filetype:xls "Name" "Number"

3. Searching for phpinfo() is a panacea for intelligence

intitle:"phpinfo()" "PHP Version" "Server API"
"phpinfo()" "disabled functions"

4. Search for .env files with secrets

inurl:.env filetype:env "DB_PASSWORD" "STRIPE_SECRET"
index of /.env

5. Search for pages with test payment gateways

"stripe" "test mode" "payment"
"braintree" "sandbox" "client_side_encryption_key"

1.3. Advanced dorks for finding API key leaks​

# Stripe live keys
"sk_live" filetype:js
"pk_live" "stripe" filetype:txt

# PayPal
"paypal" "client_id" "live" filetype:txt

# AWS keys
"AKIA" filetype:txt
"aws_access_key_id" filetype:env

# Google API keys
"AIza" filetype:js
"key" "AIza" filetype:txt

1.4. Automating Google Dorks with Python​

Google limits the number of requests, but for reconnaissance you can use the googlesearch-python library or selenium with proxy rotation.

from googlesearch import search

queries = [
'intitle:"index of" "stripe" "webhooks"',
'inurl:checkout filetype:php "credit card"',
'filetype:log "card number"'
]

for q in queries:
for url in search(q, num_results=20, lang='en'):
print(f"Found: {url}")

Important: Google blocks automated requests from a single IP address. Use proxies and delays.

Part 2. Shodan: A Search Engine for Devices and Servers​

Shodan is a search engine that scans the entire internet and indexes not web pages but service banners: open ports, HTTP/HTTPS headers, FTP, SSH, RDP, and databases. For a carder, Shodan is a treasure trove of information about servers with vulnerable settings.

2.1. Shodan Basic Filters​

Filter	Example	Purpose
port:	port:3389	A specific port
you:	"Windows 10"	operating system
hostname:	hostname:bank.com	Domain
country:	country:US	Page
org:	org:"Amazon AWS"	Organization (provider)
ssl:	ssl:expired	The SSL certificate has expired.
http.title:	http.title:"Payment"	Web page title
Vuln:	vuln:CVE-2021-44228	Vulnerability

2.2. Search for vulnerable POS terminals and RDPs​

1. Open RDP (port 3389) - potential access to drop computers

port:3389 os:"Windows" country:US
port:3389 "Authentication: disabled" (RDP without password)

2. Open databases (MySQL, PostgreSQL, MongoDB) without password

port:3306 "MySQL" "anonymous"
port:27017 "MongoDB" "Unauthorized"

3. Administration panels (phpMyAdmin, Adminer) without password

http.title:"phpMyAdmin" "Welcome to phpMyAdmin" port:80 country:RU
http.title:"Adminer" "Login" port:443

4. Search for devices with outdated software versions

"Apache 2.2" port:80
"nginx 1.10" http.title:"Welcome to nginx"

5. Search for CCTV cameras (to bypass physical security)

port:554 "RTSP" "H.264" (vulnerable cameras)
"Login" "Axis" port:80

2.3. Shodan Automation via API​

Shodan provides an API that allows you to automate searching and downloading results.

import shodan

SHODAN_API_KEY = "YOUR_SHODAN_API_KEY"
api = shodan.Shodan(SHODAN_API_KEY)

# Search for open RDPs in the US
query = "port:3388 country:US"
results = api.search(query, limit=100)

for result in results['matches']:
ip = result['ip_str']
port = result['port']
org = result.get('org', 'Unknown')
print(f"IP: {ip}:{port} - {org}")

Saving results to CSV for analysis:

import csv

with open('shodan_results.csv', 'w', newline='') as f:
writer = csv.writer(f)
writer.writerow(['IP', 'Port', 'Organization', 'Country', 'Data'])
for result in results['matches']:
writer.writerow([result['ip_str'], result['port'], result.get('org', ''), result['location']['country_name'], result['data'][:200]])

2.4. Searching for vulnerable payment gateways using Shodan​

Shodan allows you to search for servers running specific software — for example, old versions of WooCommerce, Magento, and OpenCart that have known vulnerabilities.

http.title:"Checkout" "WooCommerce" "PayPal"
http.title:"Shopping Cart" "Magento" "Credit Card"
html:"stripe.js" http.title:"Checkout"

Part 3. OSINT Tools​

3.1. theHarvester – Email and domain harvesting​

theHarvester -d target-bank.com -l 500 -b google
theHarvester -d target-bank.com -b linkedin

3.2. Recon-ng — a web reconnaissance framework​

# Launching Recon-ng
recon-ng
marketplace install all
workspace create bank_recon
use recon/domains-hosts/bing_domain_web
set source target-bank.com
run

3.3. SpiderFoot — an automated OSINT platform​

SpiderFoot has a web interface and can scan 200+ modules: DNS, WHOIS, Shodan, Censys, AlienVault, Darkweb.

# Installation
docker pull spiderfoot/spiderfoot
docker run -d -p 5001:5001 spiderfoot/spiderfoot

3.4. Censys – A Shodan Alternative with a Focus on Certificates​

Censys scans the entire internet and collects data on SSL/TLS certificates. Censys can be used to find all domains using a specific SSL certificate (for example, one belonging to a single hosting provider).

import censys.certificates

api_id = "YOUR_CENSYS_ID"
api_secret = "YOUR_CENSYS_SECRET"

c = censys.certificates.CensysCertificates(api_id, api_secret)
for certificate in c.search("parsed.subject_dn: bank.com", max_records=50):
print(certificate['parsed']['fingerprint_sha256'])

Part 4: Finding Vulnerable Targets on the Darknet Using Ahmia and Tor​

Google and Shodan index only the surface. Specialized search engines are used to search for targets on the darknet (onion sites).

4.1. Ahmia.fi – Search for onion sites via Tor​

Ahmia allows you to search for sites in the .onion zone using a regular browser.

site:onion "credit card" "dumps"
site:onion "fullz" "ssn"

4.2. Tor66 и Not Evil​

# Via Tor Browser
http://tor66sezptvhx5nv4w3gv3x2og5i2i6vbjcqjfzjc2z4vz3eo6e7wiaqd.onion

Part 5. OSINT Mistakes​

1. Don't use a proxy. Google and Shodan log IP addresses. If you search "how to hack a website" from your home IP, you're leaving a trace.
2. Too aggressive a search. A thousand queries per minute will instantly get you banned.
3. Ignoring captcha. Google triggers captchas when suspicious activity occurs. Use captcha-solving services if you're automating.
4. Direct access to discovered vulnerabilities without verifying their legality. If you found a .env file with passwords, downloading it could be a criminal offense.

Part 6. OSINT Intelligence Checklist​

• Preparation: Enable your VPN/proxy before searching. Use a separate browser profile.
• Google Dorks. Create a list of dorks for a specific purpose (stores, CMS, payment gateways).
• Shodan. Configure filters to search for vulnerable services (RDP, MySQL, phpMyAdmin).
• Censys. Check SSL certificates for target domains.
• Email harvesting. Use theHarvester and Hunter.io to find administrator emails.
• Darknet. Check Ahmia for discussions of the target site's vulnerabilities.
• Automation. Write a Python script to upload Shodan results to the database.
• Analysis. Don't act immediately. Gather information and analyze patterns.

Part 7. Case Study: How I Found a Store with a Vulnerable Payment Form Using Google Dorks​

Situation: I needed a store with WooCommerce versions below 4.0 (there's a known vulnerability in the payment plugin). I Googled:

site:shop.com "WooCommerce" "Version 3.9"

I found a store that hadn't been updated in three years. The checkout used an old Stripe plugin with a webhook spoofing vulnerability. I made a test payment of $1 — it went through without 3DS. Conclusion: in an hour of OSINT, I saved weeks of target search time.

Tools used: Google Dorks + Shodan for open ports (the store was running an outdated Apache, as confirmed by Shodan).

Summary​

OSINT for a carder in 2027 isn't just about people. It's about finding digital doors left unlocked. Google Dorks finds things in code you shouldn't see. Shodan scans the network for open databases and RDPs. Censys and SpiderFoot automate deep reconnaissance. All of this is legal if you're just looking and not touching. But once you take action, you're on thin ice.

Use OSINT to prepare: find the target, study its vulnerabilities, test hypotheses. And once you have the full picture, act.

A quick one-line reminder:
"Google Dorks finds CVVs in logs, Shodan reveals open RDPs, Censys scans bank certificates, theHarvester collects administrator emails. In 2027, OSINT isn't just reconnaissance; it's the art of finding unlocked doors in the digital world." But remember: you can look, but you can't touch. Behind one dork there could be a honeypot.