OSINT: Open Source INTelligence (Inteligencia de Fuentes Abiertas)

• site:website.com get results from a specific website
• AND using keyword AND otherkeyword will get results that have both the keywords
• "keyword otherkeyword" will give results with this formulation in this order
• OR using keyword OR otherkeyword will get results that have either these keywords
• We can use wildcard with *
• filetype:pdf will give results according to the filetype mentionned here for instance we will get only pdf results
• -subdomain will remove a specific subdomain from the search results example: site:website.com -www
  • Can work with any other keyword that we do not want in the search results -keyword
• intext:keyword get results with the keyword in the text
• inurl:keyword look for url with a specific keyword in them
• intitle:keyword look for title with a specific keyword in the title

• https://www.google.com/advanced_search

• Pretty straightforward we can use this link to do reverse Image searching, you just need to upload the image you are looking for information about
  • Google Image Search
  • TinEye
  • Yandex

Photo have data that is tied to the device and owner of the device

Using the website Jeffrey's Image Metadata Viewer (see resources) we can extract this information. This contains the device info and geolocalisation.

• Using the address a customer gave us for a physical pentest mandate, we can enter it in google map and have a look at the sattelite view and street:
  • Does it have any protection
  • Where to park without looking suspicious
  • Is the entree guarded
  • Is there a smoke area (useful for social engineering)
  • Could you tailgate your way in?

Let's say we have an image

• If there is a car:
  • where is it parked,
  • what brand is it,
  • What info get we get from the license plate,
• How is the weather
  • Is it snowing?
• Architecture around
• Street signs

• https://images.google.com

• Hunter 50 free searches/month We can use this tool to look for email address with a company name for instance. It is also useful to identify patterns on how the email address are built.
• Phonebook
• Voilà Norbert
• Clearbit connect need to be added on google chrome, but very powerful. Lots of filters, returns lots of info as well,..

• Look on google "who is in this role at this company" for example
• Then we can use phonebook or hunter and try to find the email pattern
• Then we can take the email and verify it with emailhippo or emailchecker

• We can use password recovery or account recovery to get more info about the user

• We can use dehashed cost money
  • If a similar password pops multiple times it means it could be used somewhere else.
  • Dehashed will also allow us to lookup for password and give information on where it is coming from
• WeLeakInfo
• Snusbase
• HaveIBeenPwned
• Scylla

• Get the tool here
• This tool will searched through the breach data and pull down names
• ./breach-parse.sh @domain.com outfile.txt gather breached emails and passwords from the mentionned domain and put it in a file using the name mentioned
• At the end of the execution we will get 3 files outfile-master.txt with email and passwords, outfile-passwords.txt with the pulled passwords nd outfile-users.txt with the users

• If we get hash:
  • We can try to crack it
  • It can be useful to search it and see if it ties back to something else
• Developers often share whole sections of code on StackOverflow (we could find leaks there)
• Github migh have private keys or secret as well

• Name
• Whatsmyname
• Name check up
• kik.me/username-you-are-looking-for
• Keep in mind that we could find a full name via username

!!! PLEASE USE RESPONSIBLY !!!

These websites are mostly US based

• WhitePages
• TruePeopleSearch
• FastPeopleSearch
• FastBackgroundCheck
• WebMii
• PeekYou
• 411
• Spokeo
• That'sThem

• Voter Records

• Note: be aware that these websites and google will probably keep the phone numbers you enter.
• TrueCaller
• CallerID Test
• Infobel
• Possible to use a phone emoji and type a specific name business next to it in the search
• Infobel

• Using google dorks we could try something like this "firstname lastname" intext:birthday
  • we can also use the site: option to search

• ""firstname lastname" resume
  • we could also add filetype:pdf (or doc docx etc) or site

• Filter search with latest people videos photos
• we can use quotes just like in google "sentence I am looking for"
• We can use from:username
• to:username
• @username
• from:username since:YYY-MM-DD until:YYYY-MM-DD
• to:username since:YYY-MM-DD until:YYYY-MM-DD
• "sentence I am looking for" since:YYY-MM-DD until:YYYY-MM-DD
• from:username keyword
• geocode:xx.xxxx, -xx,xxx, xxkm Identify tweets coming from a specific area
• We can also use Twitter Advanced Search

• Social Bearing
• Twitonomy
• Sleeping Time
• Mentionmapp
• Tweetbeaver
• Spoonbill.io
• Tinfoleak

• Tweetdeck
• We can add columns and add a home page for instance
• We can add a column to track a specific user
• We can make search with search operators and add it as a column

• Difficult to keep up because facebook changes all the time.
• We can search for photos of firstname lastname we will get photos of those who tagged the user we are interested in
• We can use tools
  • Sowdust Github
  • IntelligenceX Facebook Search

• Check who they are following
• Do not underestimate Google "username site: instagram.com"
• Wopita
• Code of a Ninja
• InstaDP
• ImgInn

• Snapchat Maps

• we can use the reddit search
• We can search with google "username site:reddit.com"

• Check the contact info
• Do reverse image search
• Check recommendations received and given
• If we find people we can use it to make email address using a pattern we might have previously found
• Check the about section of a profile
• Check the career as well

• Search for a username tiktok.com/@username
• Google

• Google: website or "website" or site:website
• Domain Dossier
• DNSlytics
• SpyOnWeb
• Virus Total
• Visual Ping
• Back Link Watch Where your website has been posted
• View DNS
• Central ops

• BuiltWith identify website technology
• Wappalyzer browser add on to identify website technology

• With google we can look for a specific website using site:name and add inurl:admin or inurl:dev we can also remove subdomain with -www
• Pentest-Tools Subdomain Finder
• Spyse
• crt.sh we can use a wildcard to search for example %.domain.com
  • curl -s https://crt.sh/\?q\=inlanefreight.com\&output\=json | jq . output results in json
  • curl -s https://crt.sh/\?q\=inlanefreight.com\&output\=json | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u remove duplicates
  • for i in $(cat subdomainlist);do host $i | grep "has address" | grep inlanefreight.com | cut -d" " -f1,4;done
• dig any inlanefreight.com
  • A records: We recognize the IP addresses that point to a specific (sub)domain through the A record. Here we only see one that we already know.
  • MX records: The mail server records show us which mail server is responsible for managing the emails for the company. Since this is handled by google in our case, we should note this and skip it for now.
  • NS records: These kinds of records show which name servers are used to resolve the FQDN to IP addresses. Most hosting providers use their own name servers, making it easier to identify the hosting provider.
  • TXT records: this type of record often contains verification keys for different third-party providers and other security aspects of DNS, such as SPF, DMARC, and DKIM, which are responsible for verifying and confirming the origin of the emails sent. Here we can already see some valuable information if we look closer at the results.

• Shodan we can use dorks to filter our search with words like city: port: org:
  • for i in $(cat subdomainlist);do host $i | grep "has address" | grep inlanefreight.com | cut -d" " -f4 >> ip-addresses.txt;done generate a list of IP addresses
  • for i in $(cat ip-addresses.txt);do shodan host $i;done run the list through Shodan.
• Wayback Machine

• We look up with the tools if we can find subdomains
• We check if they are alive with a tool like httpprobe
• We check the subdomains to see what we can do, we can use a tool like Photon that will make screenshot of the list of active subdomains found. This will make our work faster.

• We can use this code. It was made by Heath Adams on his OSINT course in TCM Security Academy. You can check out this course here
• It will see whois, find subdomains. Once it finds subdomain it is going to check if the subdomains are alive and then it will screenshot the subdomains that are alive.
• It will use automated tools (subfinder, assetfinder, amass, httprobe) that you can find info
• We can make it better and more suited to our needs, like adding other subdomain enum tools, etc..
• There is also a tool called Photon that we can use for similar purposes

#!/bin/bash

# We want the first argument to be a domain it will be launch like this ./script domain.com
domain=$1
RED="\033[1;31m"
RESET="\033[0m"

info_path=$domain/info
subdomain_path=$domain/subdomains
screenshot_path=$domain/screenshots

# will create all necessary folder for our findings
if [ ! -d "$domain" ];then
    mkdir $domain
fi

if [ ! -d "$info_path" ];then
    mkdir $info_path
fi

if [ ! -d "$subdomain_path" ];then
    mkdir $subdomain_path
fi

if [ ! -d "$screenshot_path" ];then
    mkdir $screenshot_path
fi

echo -e "${RED} [+] Checkin' who it is...${RESET}"
whois $1 > $info_path/whois.txt

echo -e "${RED} [+] Launching subfinder...${RESET}"
subfinder -d $domain > $subdomain_path/found.txt

echo -e "${RED} [+] Running assetfinder...${RESET}"
assetfinder $domain | grep $domain >> $subdomain_path/found.txt

#echo -e "${RED} [+] Running Amass. This could take a while...${RESET}"
#amass enum -d $domain >> $subdomain_path/found.txt

echo -e "${RED} [+] Checking what's alive...${RESET}"
cat $subdomain_path/found.txt | grep $domain | sort -u | httprobe -prefer-https | grep https | sed 's/https\?:\/\///' | tee -a $subdomain_path/alive.txt

echo -e "${RED} [+] Taking dem screenshotz...${RESET}"
gowitness file -f $subdomain_path/alive.txt -P $screenshot_path/ --no-http

• Check the company page. We can find name of employees.
• If names are not showed we can google the title
• search on google site:linkedin.com/in/ "* at companyName"
• We can use websites like these:
  • Open Corporates
  • AI HIT

• WiGLE
  • We need to register and then we can see the map but we can also make advanced search by SSID name

• Tool to get information from a file (image or pdf)

• Install on kali: sudo apt install libimage-exiftool-perl

• exiftool filename

• Tool to hunt emals and breached data
• Preinstalled on kali linux

• theHarverster -d domain.com -b all will get infos about domain.com from all search engines available with the tool.
• Can be combined with other tools such as:
  • breach-parse
  • h8mail

• git clone https://github.com/WebBreacher/WhatsMyName.git
• cd WhatsMyName

• python3 web_accounts_list_checker.py -u username

• sudo apt install sherlock

• sherlock username

• A tool to osint phone number

• curl -sSL https://raw.githubusercontent.com/sundowndev/phoneinfoga/master/support/scripts/install | bash
• tar -xf phoneinfoga_Linux_x86_64.tar.gz

• phoneinfoga serve -p 8080 will serve the gui on port 8080 then you will just have to go to http://localhost:8080 and make a research
• phoneinfoga scan -n number you will need to specify the cuntry code in front of the number for example for US or Canada you need to put 1

• Tool for Twitter OSINT available here.

• Upgrade
  • pip3 install --upgrade -e git+https://github.com/twintproject/twint.git@origin/master#egg=twint
  • pip3 install --upgrade aiohttp_socks
• twint -u username
• twint -u username -s keyword
• Lots of other possibilities it is worth reading the doc

• We can use the browser add on Wappalyzer to see the technologies used on the website

• It is preinstalled on Kali. You can find the githb page here
• whatweb webiste.com

• Tool to find subdomains. See about it here
• apt install sublist3r Install it
• sublist3r --domain [domain_name] launch it

• Tool to find subdomains
• Available here
• subfinder -d domain

• Another tool to find subdomains
• Available here
• assetfinder domain we can put our results in a file by adding > results.txt if you already have a file with results you can append it with >> instead of >

• Tool for subdomain enumeration
• Available here
• amass enum -d domain

• After finding multiple subdomains we can use httprobe to check if they are alive or not
• Find httprobe here
• We could use a command like this cat findings.txt | sort -u | httprobe -s -p https:443 we can limit our results to port 443
• We can put our result in a file named alive-findings.txt (we then need to strip https://, http:// and :443 and use it in gowitness

• We can also go through our findings and get screenshots of them using gowitness
• Find GoWitness here
• gowitness file -f ./alive-findings.txt -P ./screenshots --no-http this command will go through every finding and make a screenshot

• The community edition is preinstalled on kali
• You can get it here
• We can use burpsuite as well and check the response headers of our targeted website to see if it discloses any interesting information.

• Find it here along with some documentation
• recon-ng
• marketplace search see all available tools
• marketplace install tool install one of the tool from the market (some of them require API keys)
• modules load tool load the tool just installed
• info to see what we can do with the module
• options set ITEM setting to set something in the module for instance if we were playing with hackertarget we could do options set SOURCE domain.com
• run to run the module
• Some nice module on recon-ng are hackertarget (OSINT on website such as subdomain enum and ip adr finder), profiler (search for accounts with a specific userame on different websites)

• Preinstalled on kali
• Run for free register and account confirm it
• We will need api keys for most of the modules
• We can use it without modules also
• We can make a new graph domain for instance if we want to make website OSINT

• Paid tools but free trial possible. Only runs on google chrome.
• Find Hunchly here
• We can launch new case and keep them in our dashboard
• We can start the "tracking" and add it to a specific case
• We can highlight keywords, take notes on website
• It will record everything viewed

• It has to be very detailed so that the person you will hand the report will be able to reproduce what you did.

• We remind here the goals and who mandate us to do what

• We can sum up here some key high level findings found during the assement (usernames, phone numbers etc.)

• Step by step what has been done to find something
• Each technical evidence can be a step.
• We can make it look like a table like this:

• Then we can add a visual evidence