DigitalRiskProt-05-Dorks-Domain-Analysis
Overview
This workflow automates advanced Google Dork reconnaissance against target domains by executing dork queries, extracting discovered URLs, performing parallel WHOIS lookups, web technology fingerprinting, and HTTP probing, then correlating all reconnaissance data through AI-powered analysis to generate a comprehensive domain intelligence report delivered via email.
How It Works
- Input Configuration: Multiple Input Nodes provide the workflow parameters: the Google Dork query results containing discovered URLs, an email configuration for report delivery, a detailed AI analysis prompt defining the reconnaissance data processing rules, and look-and-feel styling guidelines.
- Dork Results Processing: A Scripting Agent Node parses the Google Dork results to extract URLs containing the target keyword, producing a structured URL list for further analysis.
- URL Normalization and Branching: The extracted URLs are processed into two parallel paths:
  - Branch A - Subdomain Probing:
    - A Scripting Agent Node extracts the full subdomain URLs as plain text
    - An httpx Operation Node probes all discovered subdomains to gather HTTP response data, technology stacks, IP addresses, and security headers
  - Branch B - Domain-Level Analysis:
    - A Scripting Agent Node reduces URLs to their root domains, removing subdomains and deduplicating
    - The root domains are processed in parallel through two Operation Nodes:
      - A WHOIS Operation Node performs domain registration lookups to retrieve registrar, creation dates, expiry dates, and registrant information
      - A WhatWeb Operation Node fingerprints web technologies, server software, and hosting infrastructure
    - A post-processing Scripting Agent Node unifies the WhatWeb JSONL output into a consolidated JSON structure
- Data Correlation and AI Analysis: A Scripting Agent Node merges the httpx, WHOIS, and WhatWeb results into a unified JSON structure. Another agent combines this with the AI analysis prompt and sends it to an AI Integration Node (powered by Claude Opus) that performs deep correlation analysis including CDN detection, domain expiry warnings, IP-country inconsistencies, and infrastructure pattern identification.
- Report Generation and Delivery: The AI analysis output is extracted and fed into an HTML Report generator that creates a detailed, email-compatible report with scan summaries, per-domain infrastructure analysis, web presence details, registration information, security observations, and global insights. The report is merged with email configuration and sent via the mail-reporting Operation Node.
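The root-domain reduction and the merge of httpx, WHOIS, and WhatWeb results described above can be sketched as follows. This is an added example, not the workflow's own Scripting Agent code: the record field names, the sample data, and the two-entry suffix set (a stand-in for the full Public Suffix List) are assumptions made for illustration. It also shows two of the defensive observations the page mentions, domain expiry warnings and HSTS status.

```python
import json
from datetime import date
from urllib.parse import urlsplit

# Constructed sample tool output; field names are assumptions, not the workflow's schema.
HTTPX_JSONL = """\
{"url": "https://shop.example.com", "headers": {"strict-transport-security": "max-age=31536000"}}
{"url": "https://legacy.example.org", "headers": {}}
"""
WHATWEB_JSONL = """\
{"target": "http://example.com", "plugins": {"nginx": {}, "HTML5": {}}}
{"target": "http://example.org", "plugins": {"Apache": {}}}
"""
WHOIS = {"example.com": {"registrar": "Registrar A", "expires": "2030-01-15"},
         "example.org": {"registrar": "Registrar B", "expires": "2026-04-02"}}
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}  # tiny stand-in for the Public Suffix List

def root_domain(url):
    """Reduce a full URL to its registrable domain, e.g. a.b.example.co.uk -> example.co.uk."""
    labels = urlsplit(url).hostname.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def jsonl(text):
    """Parse JSON Lines text, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def correlate(httpx_text, whois, whatweb_text, today, warn_days=60):
    """Merge the three result sets per root domain and attach defensive observations."""
    merged = {}

    def entry(domain):
        blank = {"whois": None, "technologies": [], "hosts": [], "observations": []}
        return merged.setdefault(domain, blank)

    for domain, rec in whois.items():
        entry(domain)["whois"] = rec
        left = (date.fromisoformat(rec["expires"]) - date.fromisoformat(today)).days
        if left <= warn_days:  # expiring registrations risk lapse and takeover
            entry(domain)["observations"].append(f"registration expires in {left} days")
    for rec in jsonl(whatweb_text):
        entry(root_domain(rec["target"]))["technologies"] = sorted(rec["plugins"])
    for rec in jsonl(httpx_text):
        e = entry(root_domain(rec["url"]))
        e["hosts"].append(rec["url"])
        if "strict-transport-security" not in rec["headers"]:
            e["observations"].append(f"no HSTS header on {rec['url']}")
    return merged
```

Keying every record on the same registrable domain is what lets subdomain-level httpx rows line up with domain-level WHOIS and WhatWeb rows; a naive "last two labels" rule would merge unrelated `co.uk` registrants into one entry.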
Who is this for?
- Penetration testers performing external reconnaissance and attack surface mapping against target organizations
- Red team operators identifying exposed infrastructure, misconfigurations, and potential entry points through passive reconnaissance
- Attack surface management teams monitoring organizational exposure through Google Dork discovery
- Threat intelligence analysts investigating domain infrastructure and hosting patterns of threat actors
- Security auditors assessing external-facing digital footprint and identifying shadow IT or forgotten assets
- Bug bounty hunters discovering subdomains, exposed directories, and misconfigured services
What problem does this workflow solve?
- Automates the multi-tool reconnaissance workflow of Google Dorking, WHOIS lookups, web fingerprinting, and HTTP probing into a single orchestrated pipeline
- Provides AI-powered correlation analysis that identifies security-relevant patterns across multiple data sources, such as CDN obfuscation, expiring domains, and infrastructure inconsistencies
- Generates comprehensive, styled reports with full domain intelligence including infrastructure, web technologies, registration data, and security observations for stakeholder communication
- Reduces manual reconnaissance time from hours to minutes by parallelizing domain-level and subdomain-level analysis with automated data merging
- Enables repeatable, consistent reconnaissance through structured workflows that can be re-executed against different targets with minimal configuration changes
- Delivers actionable insights through security observation scoring including HSTS implementation, HTTP/3 support, and DNSSEC signing status

Updated: 2026-03-19