OSINT
Target Objectives:
Users
Services
Netblocks
Vulnerabilities
Passwords
Additional Resources
Open Source Intelligence Techniques: Resources for Searching and Analyzing Online Information Paperback – January 1, 2021 by Michael Bazzell (Author)
Udemy Course: Heath Adams' OSINT Course.
Redsiege: Recon for Red Teamers
OSINT- IN DETAIL
Automated Tools
Recon-ng
Amass
theHarvester
Re-engine
Aquatone
Foca
Metagoofil
Datasploit
Search Engine OSINT
Yandex [Russian]: https://yandex.com/
Baidu
Dev forums
Git Recon
Trufflehog
Gitdump
GitTools
GitHarvester
MSDN Forums
Stackoverflow
AWS Buckets
Archived pages
Archive.org
waybackurls
People OSINT
Username checks: namechk.com
mylife.com
Phone Numbers: https://www.truecaller.com/
Yahoo
Birthday: Google dork: "<insert name>" "Happy Birthday"
Look up CVs: site:scribd.com, site:linkedin.com
Social Media OSINT
SocialMapper
Skiptracer
Data Dump
Requires valid credentials
https://twitter.com/search-advanced
from:cybermentor | to:<user> | @<user>
since:2019-01-01 until:2019-02-01
geocode:<co-ordinates>,1km
Record the numeric Twitter ID and convert it to the @handle when needed, since the @handle can be changed by the victim but the ID cannot.
Conversations between 2 people
Tool: twint
pip3 install --upgrade -e git+https://github.com/twintproject/twint.git@origin/master#egg=twint
pip3 install --upgrade aiohttp_socks
Photos of <name>
Find Instagram User ID : https://codeofaninja.com/tools/find-instagram-user-id/
Download profile picture (DP): www.instadp.com
Download Images : https://imginn.com | https://ingramer.com/downloader/instagram/photo/
Tool: InstagramOSINT
Snapchat
Username search field
Location enumeration : maps.snapchat.com
LinkedIn: Create a sock puppet account
Employees
Jobs
Google dorks: site:linkedin.com/in/
aeroleads
ScrapedIn
linkScrape
Sock Puppets
Fake accounts that can be used to investigate others without exposing the investigator's real identity.
Creating a sock puppet
Email OSINT
Hunter
Crosslinked [dumps employee names from LinkedIn and generates email address candidates]
Validate email IDs: https://www.voilanorbert.com/
h8mail
FOCA: used mainly to find metadata and hidden information in the documents it scans.
Verification
Password OSINT
breach-parse
Setting up Shared Folders in VMware (to get breach data into the VM):
Enable folder sharing for the VM in the VMware client settings.
List the shared folders visible to the guest; the shared folder name should appear:
vmware-hgfsclient
Mount it (replace <sharedfolder> with the name printed above):
sudo vmhgfs-fuse .host:/<sharedfolder> /mnt/mountithere -o allow_other -o uid=1000
Dehashed: https://dehashed.com/docs
Username OSINT
Tools: whatsmyname, sherlock
Phone OSINT
Truecaller
phoneinfoga
Business OSINT
Wikipedia
Crunchbase
Website OSINT
DNS Enumeration
DNSDumpster: export results as CSV
DNSlytics - https://dnslytics.com/reverse-ip
Back Link Watch - http://backlinkwatch.com/index.php
viewdns.info
Check IP history
Find multiple domains hosted on the same IP (reverse IP lookup)
Virus Total - https://www.virustotal.com/
Domain Dossier - https://centralops.net/co/
Historical DNS Archive
Zone Transfer:
ASN Enumeration
Hurricane Electric BGP Toolkit [search by company name, IP address/CIDR range, or ASN]
DNSDumpster
Hackertarget
Pentest-Tools
Shodan
Install Shodan CLI:
pip3 install shodan
Scan the IP ranges of the ASN and identify more subdomains [check SSL certificate subject/SAN and hostname details in the banners].
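As an added example (not from these notes), the hostname/certificate check above in Python: it parses Shodan-style host banners (constructed sample records, placeholder in-scope domain example.com) and keeps only names that genuinely fall under the target domain, so a look-alike domain on the same range is not counted as an asset.

```python
# Added example, not from the original notes: pull candidate subdomains out of
# Shodan-style host banners using the "hostnames" list and the TLS certificate
# subject CN. Banner shape follows Shodan's JSON; the sample records are constructed.
import re
from typing import Optional

TARGET_DOMAIN = "example.com"  # assumed in-scope domain (placeholder)

# Constructed sample: two banners from the ASN's range plus one unrelated host.
SAMPLE_BANNERS = [
    {"ip_str": "203.0.113.10", "port": 443,
     "hostnames": ["www.example.com", "mail.example.com"],
     "ssl": {"cert": {"subject": {"CN": "*.example.com"}}}},
    {"ip_str": "203.0.113.11", "port": 8443,
     "hostnames": [],
     "ssl": {"cert": {"subject": {"CN": "vpn.Example.COM"}}}},
    {"ip_str": "203.0.113.12", "port": 80,
     "hostnames": ["cdn.other-example.net"]},
]

_LABEL = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*$")


def _normalize(name: str) -> Optional[str]:
    """Lower-case, strip a leading wildcard label and trailing dot; reject junk."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name if _LABEL.match(name) else None


def in_scope(name: str, domain: str = TARGET_DOMAIN) -> bool:
    """True only for the domain itself or a real subdomain (not 'notexample.com')."""
    return name == domain or name.endswith("." + domain)


def extract_subdomains(banners, domain: str = TARGET_DOMAIN) -> list:
    """Collect in-scope hostnames from banners (hostnames list + cert subject CN)."""
    found = set()
    for banner in banners:
        candidates = list(banner.get("hostnames", []))
        cn = banner.get("ssl", {}).get("cert", {}).get("subject", {}).get("CN")
        if cn:
            candidates.append(cn)
        for raw in candidates:
            name = _normalize(raw)
            if name and in_scope(name, domain):
                found.add(name)
    return sorted(found)


if __name__ == "__main__":
    for host in extract_subdomains(SAMPLE_BANNERS):
        print(host)
```

Feed it the banner list from `shodan search --fields ... ` JSON output or the `shodan` Python client in place of the constructed sample to validate enumerated subdomains against what is actually exposed.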
Subdomain Enumeration
DNSDumpster
RiskIQ
Amass: Setup Guide
Data sources that need an API key configured in the Amass config (keys are per-account and must not be shared or committed):
AlienVault
BinaryEdge
Censys
Cloudflare
Networks DB
SecurityTrails
PassiveTotal
Shodan
Spyse
urlscan.io
VirusTotal
WhoisXML
Assetfinder
Virustotal
Pentest-Tools
Spyse
Hackertarget [Paid]
Certificate-based search
Validate Identified Subdomains
Passive Port Scan
Shodan - https://shodan.io
Censys
Spyse
c99.nl
Using a VPN
Analyse Metadata
Just-Metadata
pymeta: https://github.com/m8r0wn/pymeta
FOCA: finds metadata and hidden information in the documents it scans; the metadata of documents uploaded by internal employees can reveal the organisation's email naming schema.
Technology Used
BuiltWith - https://builtwith.com/
Wappalyzer
Image OSINT
exiftool
Wireless OSINT
Wigle: https://wigle.net/
OSINT LAB
Tracelabs VM: https://www.tracelabs.org/initiatives/osint-vm