Recon, decoded.
A power toolkit for serious researchers.
Hacker Recon is a single-page red-team workspace. Generate dorks, dissect JWTs, analyse cookies, parse sitemaps, audit SEO, identify hashes, calculate CIDR, score passwords, score HTTP headers — all entirely client-side, with zero telemetry.
Eight tools. One tab. Zero round-trips.
Each tool lives inline. Click to expand, work, copy. Nothing you paste ever leaves your browser.
GitHub Recon
Sitemap Inspector
Encoder / Decoder
JWT Inspector
Saved secrets live in your browser's localStorage. Nothing is sent to any server.
Cookie Analyzer
SEO & Keyword Audit
Workflow & Notes
Recon checklist
- Confirm scope & written authorization before any active testing.
- Run Google + GitHub dorks against the apex and discovered subdomains.
- Pull robots.txt, sitemap.xml, .well-known/security.txt.
- Inspect every JWT and Set-Cookie header in scope; record flag posture.
- Audit the marketing site for accidental subdomain leaks & structured-data slips.
- Document every finding with reproduction steps and a clear impact statement.
Hash Identifier & Hasher
IP / CIDR Calculator
Password Strength Meter
Crack-time estimates are heuristic. They assume offline, salted hashing at attacker GPU rates of 10⁹–10¹² guesses/sec depending on class.
HTTP Security Header Analyzer
A predictable recon loop.
Start broad with dorks. Narrow with sitemap and SEO surface analysis. Triage findings through JWT and cookie analyzers. Decode anything strange.
Surface mapping
Run Google + GitHub dorks. Parse the sitemap. Note every subdomain, parameter, and exposed file.
Auth surface
Decode every JWT in flight. Score every Set-Cookie. Look for misconfigured SameSite, missing Secure, weak secrets.
Format archaeology
Strange tokens? Encoded blobs? The encoder/decoder covers Base{16…85}, hex, ROT, hashes, HMAC, JSON↔YAML↔XML.
Privacy Policy
Last updated:
1. No data collection
Hacker Recon is delivered as a single, static HTML page. All processing — dork generation, JWT decoding, cookie analysis, sitemap parsing, SEO scoring, encoding/decoding — happens entirely inside your browser. No domain, token, cookie, or HTML you paste is transmitted to any Hacker Recon server. There is no Hacker Recon server.
2. Local storage
The site uses your browser's localStorage only for non-sensitive preferences (theme, recently opened tools) and any JWT secrets you explicitly choose to save. Saved secrets are stored on your device and are not synchronised, backed up, or transmitted. Clear them at any time from the Workflow & Notes panel or by clearing your browser storage.
3. Third-party assets
The page loads typography from Bunny Fonts, icons from jsDelivr, syntax highlighting from jsDelivr, and a JWT crypto library (jsrsasign) from jsDelivr. These providers may log standard HTTP request metadata (IP address, user agent) for the purpose of serving those assets, as is the case with any web request. Hacker Recon does not control or receive that data.
4. Outbound search links
Buttons such as “Open in Google” or “Open on GitHub” construct a search URL and open it in a new tab. Once you click such a link you are interacting directly with that third party and their privacy policy applies.
5. Cookies
This site sets no cookies of its own.
6. Children
This site is not directed at minors and is intended for security professionals and adult learners.
7. Changes
This policy may be updated. The “Last updated” date above reflects the current version. Continued use after a change constitutes acceptance.
8. Contact
Privacy questions or abuse / DMCA reports: hackerrecon@protonmail.com.
Legal Disclaimer & Acceptable Use
Educational purpose only
Hacker Recon is provided exclusively for authorized security research, bug bounty engagements within published program rules, capture-the-flag and lab exercises, and academic study. It is a reference and convenience tool — every operator and query it produces is publicly documented in vendor docs, search engine help, and the security research community.
User responsibility
You are solely responsible for ensuring you have explicit, written authorization to test any target system. Unauthorized access to or interference with computer systems is illegal in virtually every jurisdiction, including under the Computer Fraud and Abuse Act (United States, 18 U.S.C. § 1030), the Computer Misuse Act 1990 (United Kingdom), the Information Technology Act 2000 (India), Directive 2013/40/EU and corresponding national laws (European Union), and equivalent statutes elsewhere. Civil liability may also attach.
No warranty
The Service is provided “AS IS” and “AS AVAILABLE,” without warranty of any kind, express or implied, including warranties of merchantability, fitness for a particular purpose, accuracy, completeness, non-infringement, or uninterrupted operation. Search operators evolve and may produce different or no results over time.
Limitation of liability
To the maximum extent permitted by law, the operators of Hacker Recon disclaim any and all liability for direct, indirect, incidental, consequential, special, exemplary, or punitive damages — including loss of profits, data, goodwill, or other intangible losses — arising out of or relating to your use of the Service, even if advised of the possibility of such damages.
Indemnification
You agree to defend, indemnify, and hold harmless the operators of Hacker Recon, their affiliates, and their respective officers, contractors, and agents, from and against any claims, damages, obligations, losses, liabilities, costs, or expenses (including reasonable attorneys' fees) arising from or related to (i) your use or misuse of the Service, (ii) your violation of these terms, or (iii) your violation of any third-party right, including any intellectual property or privacy right.
Acceptable use
You agree not to use the Service to: (a) test or interact with systems you do not own or do not have explicit, written permission to assess; (b) evade or attempt to evade legal responsibility; (c) harass, threaten, or harm others; (d) circumvent the security or access controls of any system; (e) violate any applicable law, regulation, contract, court order, or program scope. Bug bounty researchers must operate strictly within the rules of the program in question.
No data collection
All processing occurs locally in your browser. No inputs (domains, JWTs, cookies, HTML, secrets) are transmitted to any Hacker Recon server.
Reporting abuse
To report abuse or submit a DMCA notice: hackerrecon@protonmail.com.
Governing law
These terms are governed by the laws of India, without regard to its conflict-of-laws principles. Exclusive jurisdiction and venue lie in the courts located in India.