DATE: November 05, 2024
CATEGORY: OSINT / RECON

To find hacker or underground forums, it’s essential to understand the basic query syntax and the typical structure of these platforms. Many forums, such as XSS, RAMP, and Exploit.in, restrict access, preventing guest users from viewing content. However, some forums, such as Leakbase, do allow guest access to the search bar, enabling searches for topics like malware or leaks.

These types of forums can be easily identified using tools like Shodan, Censys, FOFA, or other cybersecurity search engines, so don’t limit yourself to just one approach.

Identifying Forum Platforms

Most of these forums are built on platforms like MyBB, phpBB, or XenForo (though not limited to these). When a forum built with MyBB or XenForo is live on the internet, for example, you’ll often see “Powered by MyBB” or “XenForo” displayed at the bottom of the website.

Footer indicating platform

This knowledge is useful for crafting queries on cybersecurity search engines like FOFA, Shodan, or Censys.

Structure and Keywords

To effectively find forums, it’s important to recognize common elements in their HTML structure, which often include terms like:

  • Stealer logs
  • Hacking
  • Malware
  • Database
  • Combolist

These terms frequently appear as headers or keywords, helping you identify relevant content in a forum’s search results.

Forum headers example

FOFA Query Magic

Here’s a sample hunting query for FOFA, although you shouldn’t limit yourself to just one type:

app="myBB" && body="stealer"

In this query:

  • app="myBB" specifies that we’re looking for forums built using MyBB, as discussed.
  • body="stealer" narrows the search to pages containing the word "stealer," one of the common terms in hacker forums.

By using similar combinations, you can tailor queries to target other keywords like “combolist” or “malware” to uncover other forums. This approach allows you to identify forums based on both their platform and common hacker forum language.

FOFA results

The forum we found using this FOFA query is LeakX; the screenshot below shows the structure of the website.

LeakX screenshot

Censys Strategy

In Censys, you can modify the query syntax to effectively narrow down forum searches. For instance, using:

services.http.response.body:Xenforo AND services.http.response.body:hacking

Here’s the breakdown:

  • services.http.response.body:Xenforo specifies that we’re searching for forums built using XenForo.
  • services.http.response.body:hacking refines the search to pages containing the term “hacking,” which is common in underground forums.

Using this approach, the first result led us to a Russian forum named DrCrypter.

Censys results
DrCrypter forum

Pro Tips

These are just foundational queries you can use to find forums.

  • Don’t restrict your queries to English. Underground communities often operate in Russian, Chinese, or other languages.
  • Don’t limit yourself to basic syntax like app; think creatively about terms relevant to your search topic, and use varied search operators.
  • Explore beyond FOFA. Use Censys, Shodan, and similar tools, along with forums and channels known for sharing underground updates.
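
Body-text queries like the ones above also match pages where the keyword or platform name appears only inside a script, so results need triage. The following is an added example (not from the original post) that checks saved response bodies offline for a platform footer and keyword hits in visible text only. The phpBB and XenForo footer patterns, the two Russian keywords, and the sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# "Powered by MyBB" is the footer named in the post; the phpBB and XenForo
# patterns are assumptions about what those footers typically contain.
PLATFORM_MARKERS = {
    "MyBB": re.compile(r"powered\s+by\s+mybb", re.I),
    "phpBB": re.compile(r"powered\s+by\s+phpbb", re.I),
    "XenForo": re.compile(r"xenforo", re.I),
}
# Keywords from the post's list, plus two Russian terms (assumed, illustrative).
KEYWORDS = ["stealer logs", "hacking", "malware", "database", "combolist",
            "взлом", "стилер"]


class _TextExtractor(HTMLParser):
    """Collects visible text, skipping <script> and <style> contents."""
    def __init__(self):
        super().__init__()
        self.parts, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def triage(body):
    """Return (platform or None, sorted keyword hits) for one response body."""
    parser = _TextExtractor()
    parser.feed(body)
    text = re.sub(r"\s+", " ", " ".join(parser.parts)).lower()
    platform = next((n for n, rx in PLATFORM_MARKERS.items() if rx.search(text)), None)
    hits = sorted(k for k in KEYWORDS
                  if re.search(r"(?<!\w)" + re.escape(k) + r"(?!\w)", text))
    return platform, hits


# Constructed sample bodies (not real sites).
SAMPLES = {
    "forum": '<html><body><h2>Stealer Logs</h2><h2>Combolist</h2><div>Powered By <a href="#">MyBB</a></div></body></html>',
    "script_only": '<html><body><script>var t="xenforo hacking";</script><p>Garden club</p></body></html>',
    "ru_forum": '<html><body><h3>Взлом и стилер</h3><footer>Community platform by XenForo</footer></body></html>',
}
for name, body in SAMPLES.items():
    print(name, triage(body))
```

A result worth an analyst's time has both a platform and at least one keyword hit; the `script_only` sample shows a raw-body match that disappears once only visible text is considered.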