OSINT

Target Objectives:

  • Users

  • Services

  • Netblocks

  • Vulnerabilities

  • Passwords

Additional Resources

OSINT - IN DETAIL

Automated Tools

Search Engine OSINT

Dev forums

Git Recon

  • Trufflehog

  • Gitdump

  • GitTools

  • GitHarvester

MSDN Forums

Stackoverflow

AWS Buckets

Archived pages

  • Archive.org

  • waybackurls

People OSINT

Social Media OSINT

  • SocialMapper

  • Skiptracer

Data Dump

Twitter

Facebook

Instagram

Snapchat

  • Username search field

  • Location enumeration: maps.snapchat.com

Reddit

LinkedIn: Create a sock puppet account

  • Employees

  • Jobs

  • Google dorks: site:linkedin.com/in/

  • aeroleads

  • ScrapedIn

  • linkScrape

Sock Puppets

  • Fake accounts that can be used to investigate others.

  • Creating a Sock Puppet

Email OSINT

Verification

Password OSINT

Username OSINT

Phone OSINT

  • Truecaller

  • phoneinfoga

Business OSINT

  • Wikipedia

  • Crunchbase

Website OSINT

DNS Enumeration

Zone Transfer:

# Find the authoritative name servers, then request a full zone transfer (AXFR) from each one
dig ns zonetransfer.me +noall +answer
dig axfr @nsztm1.digi.ninja zonetransfer.me

host -t ns zonetransfer.me
host -t axfr zonetransfer.me intns1.zonetransfer.me

nslookup -type=ns zonetransfer.me
nslookup -query=AXFR zonetransfer.me nsztm2.digi.ninja
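Added example (not part of the original notes): a small Python helper that wraps the dig AXFR check above and parses its output, so a defender can confirm that each of their own authoritative servers refuses transfers. The two embedded dig outputs are constructed samples so the parser runs offline; only `check_nameserver` needs dig and network access, and the function and sample names are this example's own.

```python
import re
import subprocess
from typing import List, NamedTuple, Tuple

# Constructed sample of dig output from a server that answers the AXFR:
# a full zone, bracketed by the zone's SOA record at the start and the end.
SAMPLE_ALLOWED = """\
; <<>> DiG 9.18.1 <<>> axfr @nsztm1.digi.ninja zonetransfer.me
zonetransfer.me.\t7200\tIN\tSOA\tnsztm1.digi.ninja. hostmaster.zonetransfer.me. 2019100801 172800 900 1209600 3600
zonetransfer.me.\t7200\tIN\tNS\tnsztm1.digi.ninja.
www.zonetransfer.me.\t7200\tIN\tA\t192.0.2.10
office.zonetransfer.me.\t7200\tIN\tA\t192.0.2.20
zonetransfer.me.\t7200\tIN\tSOA\tnsztm1.digi.ninja. hostmaster.zonetransfer.me. 2019100801 172800 900 1209600 3600
;; Query time: 120 msec
"""
# Constructed sample of dig output from a server that refuses the transfer.
SAMPLE_REFUSED = "; <<>> DiG 9.18.1 <<>> axfr @ns1.example.com example.com\n; Transfer failed.\n"

# dig prints each record as: name  ttl  class  type  rdata (tab separated)
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

class AxfrResult(NamedTuple):
    allowed: bool
    records: List[Tuple[str, str, str]]  # (name, type, rdata)

def parse_axfr_output(text: str) -> AxfrResult:
    """A transfer counts as allowed only when a complete zone came back,
    i.e. the first and last records returned are the zone's SOA."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue  # dig banner, statistics and "; Transfer failed."
        m = RECORD_RE.match(line)
        if m:
            name, _ttl, rtype, rdata = m.groups()
            records.append((name, rtype, rdata))
    allowed = len(records) >= 2 and records[0][1] == "SOA" and records[-1][1] == "SOA"
    return AxfrResult(allowed, records)

def exposed_hostnames(result: AxfrResult) -> List[str]:
    """Host names a leaked zone reveals (owners of A/AAAA/CNAME records)."""
    return sorted({n.rstrip(".") for n, t, _ in result.records if t in ("A", "AAAA", "CNAME")})

def check_nameserver(nameserver: str, zone: str) -> AxfrResult:
    """Live check of one authoritative server (needs dig and network access)."""
    proc = subprocess.run(["dig", "axfr", f"@{nameserver}", zone],
                          capture_output=True, text=True, timeout=30)
    return parse_axfr_output(proc.stdout)
```

Run `check_nameserver` once per server returned by the `dig ns` step; any result with `allowed == True` is a server that leaks the whole zone and should have its allow-transfer ACL restricted to secondaries.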

ASN Enumeration

  • Hurricane Electric BGP Toolkit [search by company name, IP address/CIDR range, or ASN]

  • DNSDumpster

  • Hackertarget

  • Pentest-Tools

  • Shodan

    • Install the Shodan CLI: python3 /usr/lib/python3/dist-packages/easy_install.py shodan

    • Search the IP ranges of the ASN to identify further subdomains [check the SSL certificate and hostname details of each result]

Subdomain Enumeration

  • DNSDumpster

  • RiskIQ

  • Amass: Setup Guide

    • Data sources (each needs its own account or API key configured for Amass):

      • AlienVault

      • BinaryEdge

      • Censys

      • Cloudflare

      • Networks DB

      • Securitytrails

      • Passivetotal

      • Shodan

      • Spyse

      • urlscan.io

      • Virustotal

      • whoisxml

  • Assetfinder

  • Virustotal

  • Pentest-Tools

  • Spyse

  • Hackertarget [Paid]

  • crt.sh [Github tool]

  • Censys [Script here]

Validate Identified Subdomains

# ViewDNS API (dnsrecord endpoint)
/dnsrecord/?domain=<Domain>&apikey=<Insert API>&output=json

# Use Burp Intruder to query each candidate subdomain and match responses on the "data" field

Passive Port Scan

# Shodan search filters
title: Search the content scraped from the HTML title tag
html: Search the full HTML content of the returned page
product: Search the name of the software or product identified in the banner
net: Search a given netblock (example: 204.51.94.79/18)
version: Search the version of the product
port: Search for a specific port or ports
os: Search for a specific operating system name
country: Search for results in a given country (2-letter code)
city: Search for results in a given city

  • Censys

  • Spyse

  • c99.nl

  • Using a VPN

Analyse Metadata

# Search Google and Bing for files within example.com and extract their metadata to a CSV report
pymeta -d example.com

  • FOCA: used mainly to find metadata and hidden information in the documents it scans.

Technology Used

Image OSINT

  • exiftool

Wireless OSINT

OSINT LAB
