OSINT: Open Source INTelligence (Inteligencia de Fuentes Abiertas)
- `site:website.com` gets results from a specific website
- `AND`: using `keyword AND otherkeyword` will get results that contain both keywords
- `"keyword otherkeyword"` will give results containing this exact phrase, in this order
- `OR`: using `keyword OR otherkeyword` will get results that contain either of these keywords
- We can use the wildcard `*`
- `filetype:pdf` will give results of the file type mentioned, for instance here we will get only PDF results
- `-subdomain` will remove a specific subdomain from the search results, example: `site:website.com -www`
- `-keyword` works the same way with any other keyword that we do not want in the search results
- `intext:keyword` gets results with the keyword in the page text
- `inurl:keyword` looks for URLs with a specific keyword in them
- `intitle:keyword` looks for pages with a specific keyword in the title
- Pretty straightforward: we can use this link to do reverse image searching, you just need to upload the image you are looking for information about
- Photos carry metadata that is tied to the device and to the owner of the device
- Using the website Jeffrey's Image Metadata Viewer (see resources) we can extract this information. It contains the device info and the geolocation.
- Using the address a customer gave us for a physical pentest mandate, we can enter it in Google Maps and have a look at the satellite view and the street view:
  - Does it have any protection?
  - Where to park without looking suspicious?
  - Is the entrance guarded?
  - Is there a smoking area (useful for social engineering)?
  - Could you tailgate your way in?
- Let's say we have an image:
  - If there is a car:
    - where is it parked,
    - what brand is it,
    - what info can we get from the license plate
  - How is the weather?
    - Is it snowing?
  - Architecture around
  - Street signs
- Hunter (50 free searches/month): we can use this tool to look for email addresses from a company name, for instance. It is also useful to identify patterns in how the email addresses are built.
- Phonebook
- Voilà Norbert
- Clearbit Connect: needs to be added to Google Chrome, but very powerful. Lots of filters, returns lots of info as well.
- Look on Google for "who is in this role at this company", for example
- Then we can use Phonebook or Hunter and try to find the email pattern
- Then we can take the email and verify it with emailhippo or emailchecker
- We can use password recovery or account recovery to get more info about the user
- We can use DeHashed (costs money)
  - If a similar password pops up multiple times, it could be in use somewhere else as well.
  - DeHashed will also allow us to look up a password and tells us where it is coming from
- WeLeakInfo
- Snusbase
- HaveIBeenPwned
- Scylla
- Get the tool here
  - This tool searches through the breach data and pulls down names
```bash
./breach-parse.sh @domain.com outfile.txt
```
gathers the breached emails and passwords for the mentioned domain and puts them in a file with the given name. At the end of the execution we get 3 files: `outfile-master.txt` with emails and passwords, `outfile-passwords.txt` with the pulled passwords, and `outfile-users.txt` with the users.
- If we get a hash:
  - We can try to crack it
  - It can be useful to search for it and see if it ties back to something else
- Developers often share whole sections of code on Stack Overflow (we could find leaks there)
- GitHub might have private keys or secrets as well
- Name
- WhatsMyName
- NameCheckup
- `kik.me/username-you-are-looking-for`
- Keep in mind that we could find a full name via a username
!!! PLEASE USE RESPONSIBLY !!!
These websites are mostly US-based:
- WhitePages
- TruePeopleSearch
- FastPeopleSearch
- FastBackgroundCheck
- WebMii
- PeekYou
- 411
- Spokeo
- That'sThem
- Note: be aware that these websites and Google will probably keep the phone numbers you enter.
- TrueCaller
- CallerID Test
- Infobel
  - It is possible to use a phone emoji and type a specific business name next to it in the search
- Using Google dorks we could try something like `"firstname lastname" intext:birthday`
- We can also use the `site:` option to search
- We can also use `"firstname lastname" resume`
- We could also add `filetype:pdf` (or doc, docx, etc.) or `site:`
- Filter the search with latest, people, videos, photos
- We can use quotes just like in Google: `"sentence I am looking for"`
- We can use the following search operators:
  - `from:username`
  - `to:username`
  - `@username`
  - `from:username since:YYYY-MM-DD until:YYYY-MM-DD`
  - `to:username since:YYYY-MM-DD until:YYYY-MM-DD`
  - `"sentence I am looking for" since:YYYY-MM-DD until:YYYY-MM-DD`
  - `from:username keyword`
  - `geocode:xx.xxxx,-xx.xxxx,xxkm` identifies tweets coming from a specific area
- We can also use Twitter Advanced Search
- TweetDeck
  - We can add columns, and add a home page for instance
  - We can add a column to track a specific user
  - We can make a search with search operators and add it as a column
- Difficult to keep up because Facebook changes all the time.
- We can search for `photos of firstname lastname`: we will get photos from those who tagged the user we are interested in
- We can use tools
- Check who they are following
- Do not underestimate Google: `username site:instagram.com`
- Wopita
- Code of a Ninja
- InstaDP
- ImgInn
- We can use the Reddit search
- We can search with Google: `username site:reddit.com`
- Check the contact info
- Do a reverse image search
- Check recommendations received and given
- If we find people we can use them to build email addresses using a pattern we might have found previously
- Check the about section of a profile
- Check the career as well
- Search for a username: `tiktok.com/@username`
- Google: `website`, or `"website"`, or `site:website`
- Domain Dossier
- DNSlytics
- SpyOnWeb
- VirusTotal
- Visual Ping
- Back Link Watch: where your website has been posted
- View DNS
- Central Ops
- BuiltWith: identify website technology
- Wappalyzer: browser add-on to identify website technology
- With Google we can look for a specific website using `site:name` and add `inurl:admin` or `inurl:dev`; we can also remove a subdomain with `-www`
- Pentest-Tools Subdomain Finder
- Spyse
- crt.sh: we can use a wildcard to search, for example `%.domain.com`
```bash
curl -s https://crt.sh/\?q\=inlanefreight.com\&output\=json | jq .
```
outputs the results in JSON
```bash
curl -s https://crt.sh/\?q\=inlanefreight.com\&output\=json | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u
```
extracts the names and removes duplicates
```bash
for i in $(cat subdomainlist);do host $i | grep "has address" | grep inlanefreight.com | cut -d" " -f1,4;done
```
resolves each subdomain in `subdomainlist` and prints the name with its IP address
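The grep/cut/awk pipeline above breaks as soon as crt.sh changes its pretty-printing, and it silently keeps wildcard names and names from unrelated domains that happen to contain the search string. As an added example (not from the original notes and not crt.sh's own code), here is the same extraction done with a real JSON parse. It runs offline on a constructed sample that has the same field names as crt.sh's `output=json` response (`common_name`, newline-separated `name_value`); every value in it is made up.

```python
"""Turn crt.sh JSON output into a clean list of hostnames for one domain.

Added example, not part of the original notes and not crt.sh's own code.
Runs offline on a constructed sample shaped like crt.sh's `output=json`
response (the values are invented).
"""
import json

# Constructed sample: same field names as crt.sh's JSON, invented values.
# `name_value` holds every name on the certificate separated by newlines,
# and wildcard certificates show up as "*.example.com".
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com"},
    {"common_name": "MAIL.example.com",
     "name_value": "MAIL.example.com\nwebmail.example.com."},
    {"common_name": "dev.example.com",
     "name_value": "dev.example.com"},
    # A different domain that merely ends with the same string must be excluded.
    {"common_name": "notexample.com",
     "name_value": "notexample.com\nwww.notexample.com"},
])


def crtsh_hostnames(raw_json, domain, keep_wildcards=False):
    """Return the sorted, de-duplicated hostnames under `domain` found in crt.sh JSON.

    Names are lower-cased and stripped of a trailing dot so that
    "MAIL.example.com" and "mail.example.com." count once. Wildcard names are
    dropped unless keep_wildcards is set, since "*.example.com" is not a host
    you can resolve or probe.
    """
    domain = domain.lower().rstrip(".")
    found = set()
    for record in json.loads(raw_json):
        for field in ("common_name", "name_value"):
            for name in (record.get(field) or "").split("\n"):
                name = name.strip().lower().rstrip(".")
                if not name:
                    continue
                if name.startswith("*.") and not keep_wildcards:
                    continue
                # Exact match or a real subdomain: "notexample.com" must not pass.
                if name == domain or name.endswith("." + domain):
                    found.add(name)
    return sorted(found)


def wildcard_names(raw_json, domain):
    """Wildcard entries are worth recording separately: one such certificate
    covers every subdomain, so its presence says nothing about which hosts exist."""
    all_names = crtsh_hostnames(raw_json, domain, keep_wildcards=True)
    return [n for n in all_names if n.startswith("*.")]


if __name__ == "__main__":
    # To use it for real, pass the body returned by the curl request instead of the sample.
    for host in crtsh_hostnames(SAMPLE_CRTSH_JSON, "example.com"):
        print(host)
```

The output of `crtsh_hostnames` is the list you would save as `subdomainlist` for the `host` loop above; `wildcard_names` tells you whether a wildcard certificate exists, which explains why a certificate search alone cannot enumerate every host.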
```bash
dig any inlanefreight.com
```
- A records: we recognize the IP addresses that point to a specific (sub)domain through the A record. Here we only see one that we already know.
- MX records: the mail server records show us which mail server is responsible for managing the emails for the company. Since this is handled by Google in our case, we should note this and skip it for now.
- NS records: these kinds of records show which name servers are used to resolve the FQDN to IP addresses. Most hosting providers use their own name servers, making it easier to identify the hosting provider.
- TXT records: this type of record often contains verification keys for different third-party providers and other security aspects of DNS, such as SPF, DMARC, and DKIM, which are responsible for verifying and confirming the origin of the emails sent. Here we can already see some valuable information if we look closer at the results.
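The TXT records are where the mail-authentication posture shows up, and it is worth reading them properly rather than eyeballing the `dig` output. As an added example (not part of the original notes), the code below parses SPF and DMARC out of TXT answers and lists what a reviewer would flag: a missing record, a permissive `all` qualifier, or a DMARC policy of `p=none`. The records in it are constructed, not the result of a real lookup; to use it on a real domain, feed it the (owner, text) pairs from the TXT answers.

```python
"""Read SPF and DMARC out of TXT records, as a defender would when reviewing
what `dig TXT` / `dig any` reveals about a domain's mail setup.

Added example, not part of the original notes. The records below are
constructed, not the result of a real lookup.
"""

# Constructed TXT answers as (owner name, record text) pairs.
SAMPLE_TXT_RECORDS = [
    ("example.com.", "v=spf1 include:_spf.google.com ~all"),
    ("example.com.", "google-site-verification=abc123"),  # a third-party verification key
    ("_dmarc.example.com.", "v=DMARC1; p=none; rua=mailto:dmarc@example.com"),
]


def parse_spf(txt):
    """Return {'includes': [...], 'all': qualifier} for an SPF record, else None.

    The qualifier on the `all` mechanism decides what happens to senders not
    listed: '-' fail, '~' softfail, '?' neutral, '+' (or no qualifier) pass.
    """
    if not txt.lower().startswith("v=spf1"):
        return None
    mechanisms = txt.split()[1:]
    includes = [m.split(":", 1)[1] for m in mechanisms if m.lower().startswith("include:")]
    all_qualifier = None
    for m in mechanisms:
        if m.lower().lstrip("+-~?") == "all":
            all_qualifier = m[0] if m[0] in "+-~?" else "+"
    return {"includes": includes, "all": all_qualifier}


def parse_dmarc(txt):
    """Return the tag=value pairs of a DMARC record as a dict, else None."""
    if not txt.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_mail_auth(domain, txt_records):
    """Locate the SPF record at the domain apex and the DMARC record at
    _dmarc.<domain>, and list the weaknesses a reviewer would flag."""
    domain = domain.lower().rstrip(".")
    spf = dmarc = None
    for owner, txt in txt_records:
        owner = owner.lower().rstrip(".")
        if owner == domain and spf is None:
            spf = parse_spf(txt)          # stays None for non-SPF TXT records at the apex
        elif owner == "_dmarc." + domain and dmarc is None:
            dmarc = parse_dmarc(txt)

    findings = []
    if spf is None:
        findings.append("no SPF record")
    elif spf["all"] in (None, "+", "?"):
        findings.append("SPF does not reject unlisted senders (missing, '+all' or '?all')")
    if dmarc is None:
        findings.append("no DMARC record")
    elif dmarc.get("p", "none").lower() == "none":
        findings.append("DMARC policy is p=none (monitor only, nothing is rejected)")
    return {"spf": spf, "dmarc": dmarc, "findings": findings}


if __name__ == "__main__":
    print(assess_mail_auth("example.com", SAMPLE_TXT_RECORDS))
```

On the constructed sample the SPF record is acceptable (`~all` plus a Google include), but DMARC is only monitoring, which is exactly the kind of detail the notes say to look for in the TXT results.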
- Shodan: we can use dorks to filter our search with words like `city:`, `port:`, `org:`
```bash
for i in $(cat subdomainlist);do host $i | grep "has address" | grep inlanefreight.com | cut -d" " -f4 >> ip-addresses.txt;done
```
generates a list of IP addresses
```bash
for i in $(cat ip-addresses.txt);do shodan host $i;done
```
runs the list through Shodan.
- Wayback Machine
- We look up with the tools whether we can find subdomains
- We check if they are alive with a tool like httprobe
- We check the subdomains to see what we can do; we can use a tool like Photon that will take screenshots of the list of active subdomains found. This will make our work faster.
- We can use this code. It was made by Heath Adams in his OSINT course at TCM Security Academy. You can check out this course here
  - It will run whois and find subdomains. Once it finds subdomains it checks whether they are alive, and then it screenshots the subdomains that are alive.
  - It uses automated tools (subfinder, assetfinder, amass, httprobe) that you can find info on further down in these notes
  - We can make it better and more suited to our needs, like adding other subdomain enumeration tools, etc.
  - There is also a tool called Photon that we can use for similar purposes
```bash
#!/bin/bash
# The first argument is the domain; launch it like this: ./script domain.com
domain="$1"
if [ -z "$domain" ]; then
    echo "Usage: $0 domain.com"
    exit 1
fi
RED="\033[1;31m"
RESET="\033[0m"
info_path="$domain/info"
subdomain_path="$domain/subdomains"
screenshot_path="$domain/screenshots"

# Create all the folders for our findings (-p creates parents and skips existing ones)
mkdir -p "$info_path" "$subdomain_path" "$screenshot_path"

echo -e "${RED} [+] Checkin' who it is...${RESET}"
whois "$domain" > "$info_path/whois.txt"

echo -e "${RED} [+] Launching subfinder...${RESET}"
subfinder -d "$domain" > "$subdomain_path/found.txt"

echo -e "${RED} [+] Running assetfinder...${RESET}"
assetfinder "$domain" | grep "$domain" >> "$subdomain_path/found.txt"

#echo -e "${RED} [+] Running Amass. This could take a while...${RESET}"
#amass enum -d "$domain" >> "$subdomain_path/found.txt"

echo -e "${RED} [+] Checking what's alive...${RESET}"
# httprobe prints URLs; strip the scheme so gowitness (run with --no-http) gets bare hostnames
grep "$domain" "$subdomain_path/found.txt" | sort -u | httprobe -prefer-https | grep https | sed 's/https\?:\/\///' | tee -a "$subdomain_path/alive.txt"

echo -e "${RED} [+] Taking dem screenshotz...${RESET}"
gowitness file -f "$subdomain_path/alive.txt" -P "$screenshot_path/" --no-http
```
- Check the company page. We can find the names of employees.
- If names are not shown we can google the job title
- Search on Google: `site:linkedin.com/in/ "* at companyName"`
- We can use websites like these:
  - WiGLE: we need to register, then we can see the map, but we can also make an advanced search by SSID name
- Tool to get information from a file (image or PDF)
- Install on Kali:
```bash
sudo apt install libimage-exiftool-perl
exiftool filename
```
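To see where a tool like exiftool actually finds the device and location data, it helps to walk the JPEG container yourself. The following is an added example (not from the original notes and unrelated to exiftool's own code): it lists the marker segments of a JPEG, classifies the APPn blocks that carry metadata (Exif, XMP, Photoshop/IPTC, ICC), and rebuilds the file without the identifying ones, which is what you want before an image is published. It builds a tiny constructed JPEG in memory so it runs offline; the "image data" in it is filler, not a decodable picture.

```python
"""Find (and strip) the metadata segments a tool like exiftool reads from a JPEG.

Added example, not part of the original notes and not exiftool's own code.
The sample JPEG below is constructed in memory so the script runs offline.
"""
import struct

# Markers with no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE_MARKERS = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))
SOS = 0xDA  # Start Of Scan: entropy-coded image data follows, segment parsing stops


def _segment(marker, payload):
    """Build one marker segment: FF <marker> <2-byte length incl. itself> <payload>."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample JPEG: JFIF header, an Exif block with an empty TIFF IFD,
# a quantisation table, a scan header, a few filler bytes, then EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00" + b"MM\x00\x2a\x00\x00\x00\x08" + b"\x00\x00")
    + _segment(0xDB, b"\x00" + b"\x01" * 64)
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56"
    + b"\xff\xd9"
)


def jpeg_segments(data):
    """Return ([(marker, segment_bytes), ...], scan_data_offset) for a JPEG."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segments, pos = [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker in STANDALONE_MARKERS:
            segments.append((marker, data[pos:pos + 2]))
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length
        segments.append((marker, data[pos:end]))
        pos = end
        if marker == SOS:
            break
    return segments, pos


def metadata_kind(marker, segment):
    """Classify an APPn segment by its payload signature; None for non-metadata."""
    payload = segment[4:]
    if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
        return "Exif"
    if marker == 0xE1 and payload.startswith(b"http://ns.adobe.com/xap/1.0/\x00"):
        return "XMP"
    if marker == 0xED and payload.startswith(b"Photoshop 3.0\x00"):
        return "Photoshop/IPTC"
    if marker == 0xE2 and payload.startswith(b"ICC_PROFILE\x00"):
        return "ICC"
    return None


def list_metadata(data):
    """Names of the metadata blocks present, in file order."""
    segments, _ = jpeg_segments(data)
    kinds = []
    for marker, segment in segments:
        kind = metadata_kind(marker, segment)
        if kind:
            kinds.append(kind)
    return kinds


def strip_metadata(data, drop=("Exif", "XMP", "Photoshop/IPTC")):
    """Rebuild the JPEG without the identifying metadata blocks. ICC is kept
    because it only describes colour, not the device or the location."""
    segments, scan_start = jpeg_segments(data)
    out = bytearray(b"\xff\xd8")
    for marker, segment in segments:
        if metadata_kind(marker, segment) not in drop:
            out += segment
    out += data[scan_start:]
    return bytes(out)


if __name__ == "__main__":
    print("before:", list_metadata(SAMPLE_JPEG))
    print("after: ", list_metadata(strip_metadata(SAMPLE_JPEG)))
```

`list_metadata` only reports which blocks exist; decoding the Exif tags themselves (camera model, GPS) is what exiftool does on top of this, and `strip_metadata` shows that removing the APP1 block is enough for those tags to be gone.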
- Tool to hunt emails and breached data
- Preinstalled on Kali Linux
```bash
theHarvester -d domain.com -b all
```
will get info about domain.com from all the search engines available in the tool.
- Can be combined with other tools such as:
  - breach-parse
  - h8mail
```bash
git clone https://github.com/WebBreacher/WhatsMyName.git
cd WhatsMyName
python3 web_accounts_list_checker.py -u username
```
```bash
sudo apt install sherlock
sherlock username
```
- A tool to OSINT a phone number
```bash
curl -sSL https://raw.githubusercontent.com/sundowndev/phoneinfoga/master/support/scripts/install | bash
tar -xf phoneinfoga_Linux_x86_64.tar.gz
phoneinfoga serve -p 8080
```
will serve the GUI on port 8080; then you just have to go to http://localhost:8080 and run a search
```bash
phoneinfoga scan -n number
```
you will need to specify the country code in front of the number, for example for the US or Canada you need to put 1
- Tool for Twitter OSINT, available here.
- Upgrade:
```bash
pip3 install --upgrade -e git+https://github.com/twintproject/twint.git@origin/master#egg=twint
pip3 install --upgrade aiohttp_socks
```
```bash
twint -u username
twint -u username -s keyword
```
- Lots of other possibilities, it is worth reading the doc
- We can use the browser add-on Wappalyzer to see the technologies used on the website
- It is preinstalled on Kali. You can find the GitHub page here
```bash
whatweb website.com
```
- Tool to find subdomains. See about it here
```bash
apt install sublist3r
```
installs it
```bash
sublist3r --domain [domain_name]
```
launches it
- Tool to find subdomains
- Available here
```bash
subfinder -d domain
```
- Another tool to find subdomains
- Available here
```bash
assetfinder domain
```
we can put our results in a file by adding `> results.txt`; if you already have a file with results you can append to it with `>>` instead of `>`
- Tool for subdomain enumeration
- Available here
```bash
amass enum -d domain
```
- After finding multiple subdomains we can use httprobe to check whether they are alive or not
- Find httprobe here
- We could use a command like this:
```bash
cat findings.txt | sort -u | httprobe -s -p https:443
```
we can limit our results to port 443
- We can put our result in a file named `alive-findings.txt` (we then need to strip `https://`, `http://` and `:443` and use it in gowitness)
- We can also go through our findings and get screenshots of them using gowitness
- Find GoWitness here
```bash
gowitness file -f ./alive-findings.txt -P ./screenshots --no-http
```
this command will go through every finding and take a screenshot
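The stripping step between httprobe and gowitness is easy to get wrong with a one-line `sed`: a port other than 443 must survive (it is a different service), duplicates that differ only in case or in an explicit default port should collapse, and blank lines should go. As an added example (not from the original notes, and not part of httprobe or gowitness), this script does that normalisation with a real URL parser; the probe output in it is constructed.

```python
"""Turn httprobe's URL output into the bare target list gowitness expects.

Added example, not part of the original notes or of httprobe/gowitness.
Drops the scheme and default ports, lower-cases, de-duplicates, and keeps
non-default ports. The sample lines are constructed.
"""
import sys
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed httprobe-style output: duplicates, mixed case, default and odd ports.
SAMPLE_PROBE_OUTPUT = """\
https://www.example.com:443
http://dev.example.com:80
https://WWW.example.com
http://dev.example.com
https://api.example.com:8443
http://api.example.com:8080

https://api.example.com:8443
"""


def normalize_target(url):
    """'https://www.example.com:443' -> 'www.example.com'; keeps 'host:8443'."""
    parts = urlsplit(url.strip())
    if not parts.scheme or not parts.hostname:
        return None
    host = parts.hostname.lower()
    port = parts.port
    if port is None or port == DEFAULT_PORTS.get(parts.scheme.lower()):
        return host
    return f"{host}:{port}"


def normalize_probe_output(text):
    """Unique targets in first-seen order; blank and unparsable lines are dropped."""
    seen, targets = set(), []
    for line in text.splitlines():
        target = normalize_target(line)
        if target and target not in seen:
            seen.add(target)
            targets.append(target)
    return targets


if __name__ == "__main__":
    # Pipeline usage: cat alive-findings.txt | python3 normalize_targets.py > alive-hosts.txt
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PROBE_OUTPUT
    print("\n".join(normalize_probe_output(source)))
```

The resulting file can be passed straight to `gowitness file -f ... --no-http`; the `host:8443` entries are the ones a scheme-only `sed` would otherwise leave pointing at the wrong port.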
- The community edition is preinstalled on Kali
- You can get it here
- We can use Burp Suite as well and check the response headers of our targeted website to see if it discloses any interesting information.
- Find it here along with some documentation
```bash
recon-ng
```
Inside recon-ng:
- `marketplace search` lists all available tools
- `marketplace install tool` installs one of the tools from the marketplace (some of them require API keys)
- `modules load tool` loads the tool just installed
- `info` shows what we can do with the module
- `options set ITEM setting` sets something in the module; for instance, if we were playing with hackertarget we could do `options set SOURCE domain.com`
- `run` runs the module
- Some nice modules on recon-ng are hackertarget (OSINT on websites, such as subdomain enumeration and IP address finding) and profiler (searches for accounts with a specific username on different websites)
- Preinstalled on Kali
- To run it for free, register an account and confirm it
- We will need API keys for most of the modules
- We can use it without modules as well
- We can make a new graph, for instance from a domain if we want to do website OSINT
- Paid tool, but a free trial is possible. Only runs on Google Chrome.
- Find Hunchly here
- We can launch a new case and keep it in our dashboard
- We can start the "tracking" and add it to a specific case
- We can highlight keywords and take notes on websites
- It will record everything viewed
- It has to be very detailed, so that the person you hand the report to will be able to reproduce what you did.
- We remind here the goals and who mandated us to do what
- We can sum up here some key high-level findings from the assessment (usernames, phone numbers, etc.)
- Step by step, what has been done to find something
- Each piece of technical evidence can be a step.
- We can make it look like a table like this:

| OSINT | OSINT action done, for example username found on websites |
|---|---|
| Link | link or reference to the used technology |
| Notes | explanations and details |

- Then we can add the visual evidence