Target Objectives:

• Users

• Services

• Netblocks

• Vulnerabilities

• Passwords

Additional Resources

• https://blog.reknowledge.tech/blog

• Open Source Intelligence Techniques: Resources for Searching and Analyzing Online Information Paperback – January 1, 2021 by Michael Bazzell (Author)

• https://github.com/TCM-Course-Resources/Open-Source-Intellingence-Resources

• https://osintframework.com/

• Udemy Course: Heath Adam's OSINT Course.

• Redsiege: Recon for Red Teamers Link

OSINT- IN DETAIL

Automated Tools

• Recon-ng

• Amass

• theHarvester

• Spiderfoot

• Rocketreach

• Re-engine

• Maltego

• Aquatone

• Foca

• Metagoofil

• Datasploit

Search Engine OSINT

• Google

  • https://www.exploit-db.com/google-hacking-database

  • Advanced search: https://www.google.com/advanced_search

  • http://www.googleguide.com/print/adv_op_ref.pdf

  • https://resources.bishopfox.com/resources/tools/google-hacking-diggity/

• Bing: https://www.bing.com/

  • Guide: https://www.bruceclay.com/blog/bing-google-advanced-search-operators/

• Yandex [Russian] : https://yandex.com/

• DuckDuckGo : https://help.duckduckgo.com/duckduckgo-help-pages/results/syntax/

• Baidu

• Git dorking

Dev forums

Git Recon

• Trufflehog

• Gitdump

• GitTools

• GitHarvester

• Grep.app

MSDN Forums

Stackoverflow

AWS Buwgetckets

• https://buckets.grayhatwarfare.com/

Archived pages

• Archive.org

• waybackurls

People OSINT

• Username checks: namechck.com

• mylife.com

• US Based: www.whitepages.com, https://www.truepeoplesearch.com/

• https://peekyou.com/

• Phone Numbers: https://www.truecaller.com/

• Yahoo

• Birthday :Google Dorks: "<insert name>" "Happy Birthday"

• Look up CVs: site:scribd, linkedin

Social Media OSINT

• SocialMapper

• Skiptracer

Data Dump

• Requires valid credentials

• https://justgetmydata.com/

Twitter

• https://twitter.com/search-advanced

  • from:cybermentor | to:<user> | @<user>

  • since:2019-01-01 until 2019-02-01

  • geocode:<co-ordinates>, 1km

• https://socialbearing.com

• https://tweetbeaver.com/

  • Convert Twitter ID to @handle in case victim changes @handle.

  • Conversations between 2 people

• http://spoonbill.io/

• https://tweetdeck.twitter.com/

• Tool: twint

  • pip3 install --upgrade -e git+https://github.com/twintproject/twint.git@origin/master#egg=twint

  • pip3 install --upgrade aiohttp_socks

Facebook

• Photos of <name>

• https://intelx.io/tools?tab=facebook

Instagram

• Find Instagram User ID : https://codeofaninja.com/tools/find-instagram-user-id/

• Download DP :www.instadp.com

• Download Images : https://imginn.com | https://ingramer.com/downloader/instagram/photo/

• Tool: InstagramOSINT

Snapchat

• Username search field

• Location enumeration : maps.snapchat.com

Reddit

LinkedIn : Create a sock puppet A/c

• Employees

• Jobs

• Google dorks: site:linkedin.com/in/

• aeroleads

• ScrapedIn

• linkScrape

Sock Puppets

• Fake accounts that can be used to investigate others.

-Creating a SockPuppet

• https://jakecreps.com/sock-puppets/

• https://www.secjuice.com/the-art-of-the-sock-osint-humint/

• https://www.reddit.com/r/OSINT/comments/dp70jr/my_process_for_setting_up_anonymous_sockpuppet/

• https://www.fakenamegenerator.com/

• https://www.thispersondoesnotexist.com/

• https://privacy.com/

Email OSINT

• Hunter

  • ::asd@lksad!asdAS | 0212d28116f88468e4891f57f196cfd1f4c4e27c

• https://phonebook.cz/

• Crosslinked [Dump from LinkedIn]

• Validate Email IDs: https://www.voilanorbert.com/

• https://email-checker.net/

• Clearbit:https://chrome.google.com/webstore/detail/clearbit-connect-supercha/pmnhcgfcafcnkbengdcanjablaabjplo?hl=en

• h8mail

• FOCA: used mainly to find metadata and hidden information in the documents it scans.

Verification

• https://tools.verifyemailaddress.io/

• https://email-checker.net/

Password OSINT

• PwnDB

• pwnedOrNot

• breach-parse

  • Setting up Shared Folders in VMware:

    • Set-up folder sharing on Vmware Client.

    • This should output the shared folder: vmware-hgfsclient

    • sudo vmhgfs-fuse .host:/<sharedfolder> /mnt/mountithere -o allow_other -o uid=1000

• Dehashed : https://dehashed.com/docs

• https://snusbase.com/register

Username OSINT

• https://namechk.com/

• https://whatsmyname.app/

• https://namecheckup.com/

• Tool : whatsmyname, sherlock

Phone OSINT

• Truecaller

• phoneinfoga

Business OSINT

• Wikipedia

• Crunchbase

Website OSINT

DNS Enumeration

• DNSDumpster: Export as CSV

• DNSlytics - https://dnslytics.com/reverse-ip

• Back Link Watch - http://backlinkwatch.com/index.php

• viewdns.info

  • Check IP history

  • Multiple domains hosted on the same IP

• Virus Total - https://www.virustotal.com/

• Domain Dossier - https://centralops.net/co/

• Historical DNS Archive

Zone Transfer:

dig ns zonetransfer.me +noall +answer
dig axfr @nsztm1.digi.ninja zonetransfer.me

host -t ns zonetransfer.me
host -t axfr zonetransfer.me intns1.zonetransfer.me

nslookup -type=ns zonetransfer.me
nslookup -query=AXFR zonetransfer.me nsztm2.digi.ninja

ASN Enumeration

• Hurricane Electric BGP Toolkit [ company name, IP address/CIDR range, and ASNs]

• DNSDumpster

• Hackertarget

• Pentest-Tools

• Shodan

  • Install Shodan CLI python3 /usr/lib/python3/dist-packages/easy_install.py shodan

  • Scan IP ranges of ASN and identify more subdomains. [Check from SSL cert, hostname details]

Subdomain Enumeration

• DNSDumpster

• RiskIQ

• Amass: Setup Guide

  • DataSources:

    • AlienVault: johndoe1231:Password@123 | 20db3a87681c50f060ebe06d6c85b911259a852e492bac35a822d7f4c9d98b6c

    • BinaryEdge: toyebe9070@whyflkj.com:Password@123 | 4bfbf54c-e58a-4ccc-8bf1-d7e54750a594

    • Censys: Credentials:- johndoe1231::Password@123

    • Cloudflare : e550733bb9188e8cd01bea06881471bb6eb4d

    • Networks DB: toyebe9070@whyflkj.com:toyebe9070@whyflkj.com | 9b7a855a-79fe-4cdb-a969-d4968bab018e

    • Securitytrails: toyebe9070@whyflkj.com:Password@123 | qkySAUcwRqO6jQezjY6ctTA92gIQACR8

    • Passivetotal: toyebe9070@whyflkj.com: 86c8af8bb2512557a7b04ebe83722892eae813c29f311bda70b22772793b99b4

    • Shodan: toyebe9070:Password@123

    • Spyse: toyebe9070@whyflkj.com:Password@123 | 0f7be9b5-4619-45b0-a235-b506a1ed53d0

    • urlscan.io:toyebe9070@whyflkj.com | d2d0d9be-c27a-44b0-b350-22cffdf516f1

    • Virustotal: toyebe9070@whyflkj.com:Password@123 | 2521d616920d2dc70afa176afc9b2ed319045ce5c51da0b7ab8751ce65fb6992

    • whoisxml: at_pNPMuiJGHXGRGJoSz2uEfVf4shVJZ

• Assetfinder

• Virustotal

• Pentest-Tools

• Spyse

• Hackertarget [Paid]

-Certificate based search

• crt.sh [Github tool]

• Censys [Script here]

Validate Identified Subdomains

#Viewdns API
/dnsrecord/?domain=<Domain>&apikey=<Insert API>&output=json

#Use Burp Intruder to identify. [Identifier flag : "data"]

Passive Port Scan

• Shodan - https://shodan.io

title: Search the content scraped from the HTML tag
html: Search the full HTML content of the returned page
product: Search the name of the software or product identified in the banner
net: Search a given netblock (example: 204.51.94.79/18)
version: Search the version of the product
port: Search for a specific port or ports
os: Search for a specific operating system name
country: Search for results in a given country (2-letter code)
city: Search for results in a given city

• Censys

• Spyse

• c99.nl

• Using a VPN

Analyse Metadata

• Just-Metadata

• pymeta: https://github.com/m8r0wn/pymeta

#Search Google and Bing for files within example.com and extract metadata to a csv report
pymeta -d example.com

• FOCA: used mainly to find metadata and hidden information in the documents it scans.

  • https://github.com/ElevenPaths/FOCA

  • Can be used to identify email schema from the documents uploaded by internal employees through metadata analysis.

Technology Used

• BuiltWith - https://builtwith.com/

• Wappalyzer

Image OSINT

• exiftool

Wireless OSINT

• Wigle : https://wigle.net/

OSINT LAB

• Tracelabs VM :https://www.tracelabs.org/initiatives/osint-vm