OSINT Tools
Helpful links and resources for Cyber Security Analysts and Researchers
Here's a list of additional helpful tools that can be used for OSINT and Sand-boxing for Cyber Security Analysts and Researchers. These tools can be used to looking up information on Domains, IPs, URLs, File Hashes, etc.
Resources to find various OSINT platforms:
No one tool is the end all-be-all, please make sure to use multiple resources to gather and collect information.
Google and Google Dorking
We all know google is a search engine that collects and indexes various websites from all over the internet, but some don't know how powerful it really is. Google hacking, also named Google dorking, is a technique that uses Google Search and other Google applications to find security holes in the configuration and computer code that websites are using.
Links
TryHackMe - Google Dorking Room Fast-Google-Dorks-Scan Github
What is Dorking
Dorking is basically an advanced search where we use operators that function as a filter to direct the search directly to where we want. We also use symbols to search for exact words or phrases. This will help us to search almost any search engine that we find on the internet. This involves making use of search engines to their complete potential to uncover outcomes that are not noticeable with a routine search. It enables us to refine out searches and dive deeper, and with better accuracy, right into web pages as well as files that are available online. Revealing covert documents and safety and security defects by dorking does not require a good deal of technical knowledge. It actually comes down to discovering just a few search strategies and using them across a variety of online search engine.
Why we need google dorks
Everyone can use google dorks for a different purpose. Some of the most common reasons for using google dorks:
Cyber Security roles use google dorks to find critical information that can be exposed by mistake, or by someone knowingly, about anything so that they can later on hide or delete that so that no one can use that for any wrong purpose.
Researchers, content writers, journalists, etc use google dorks to gather all the information available on google about a particular topic so that they can use that information for reaching their own goals.
Students use google dorks to find answers to their questions which are from their textbook or asked by someone or for finding leaked versions of a course or a book for free.
Companies and their employees use google dorks to gather information about their competitors and for finding honest reviews of their products or services so that they can use that information further for improving their products and services and which in results helps their company grow faster.
What can we find from Google Dorks
Google dorks can be used to find a variety of information in many aspects, but it's mainly used to find the information on:
Critical information of a website, company, organization, software, etc.
Blogs, articles, research papers, etc on a particular topic
Leaked documents, courses, eBooks, etc
Reviews about a company, it's products and services
Finding solutions of answers of textbook questions
There are many other kinds of information which can be found via google dorks very easily.
Using Google Dorks
"specified_phrase or statement"
Shows only those pages that contains exact word or statement
"Is hacking illegal"
site:
Removes search results from all other websites except the specified one
site:github.com th4ntis
inurl:specified_phrase
Shows search results which contains the specified word in url
inurl:ethical hacking
inurl:word1 word2
Shows search results that contain either of the words, or both
inurl:hacking programming
allinurl:word1 word2
Shows the search results that contain both of the specified words
allinurl:hacking programming
intitle:word1 word2
Shows those search results that mention the word in their title and mention the specified word anywhere in the document
intitle:hacking networking
cache:
Shows a cached version of the website if the website is down
cache:netflix.com
intext:word1
Shows only those pages containing that specific word(s) somewhere in the context
intext:bug hunting
allintext:word1 word2
Only shows pages containing the specified words somewhere in the context
allintext:hacking networking
intitle:βindex ofβ
Shows open ftp servers
intitle:βindex of spiderman movieβ
inurl:view/index.shtml
Shows live cameras that donβt have any protection
inurl:view/index.shtml
filetype:pdf/doc/ppt specified_phrase
Shows only pages that contains the document of that type and contains specific word in file name
filetype:pdf ethical hacking
+
Shows pages that must contain the specified word
ethical hacking + free course
-
Removes results that contain certain words
ethical hacking - paid course
feed:
Shows specified RSS feed for specified work
reed:hacking
ip:
Finds websites organized by specified IP
ip:54.239.28.85
We can use googles normal search as well as their Advanced Search page. Of course we can combine these searches as well.
We can also use BOOLEAN searches in Google by using AND / OR
IP/Domain OSINT
When researching IP addresses, it is important we know the context of the search we are performing. There are a multitude of sources to research IP addresses and they can vary depending on what information we want to learn about them.
For offensive security, threat hunting, and attack surface mapping, we want current registration data, and any associated data points that our searches may return. These can include hosted domains, ASN, associated network artifacts, etc.
For defensive operations, such as those of the security blue team, we are looking for historical data and activity data of the IP address.
Domains, more than almost any other target, have one of the largest assortments of associated data points. The most important that we will look for out of this section is the Registration data, the hosting data, site information, archived data, and analytics
There are tons of highly effective tools for subdomain enumeration and brute forcing, but they can be quite noisy. During the Passive Recon phase of a penetration test, we can start with any subdomains recorded by other sources to plan out our attack/test.
RDAP - Registration Data Access Protocol is the successor to WHOIS. Like WHOIS, RDAP provides access to information about Internet resources (domain names, autonomous systems, and IP addresses). Unlike WHOIS, RDAP provides: * A machine-readable representation of registration data; * Differentiated access; * Structured request and response semantics; * Internationalisation; * Extensibility.
Whois - A Whois domain lookup allows you to trace the ownership and tenure of a domain name.
Shodan.io - Shodan is a search engine that lets users search for various types of servers connected to the internet using a variety of filters.
VirusTotal - Analyze suspicious files, domains, IPs and URLs to detect malware and other breaches, automatically share them with the security community
AbuseIPDB - AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet.
Cisco Talos Intelligence - "Search by IP, domain, or network owner for real-time threat data."
IBM X-Force - Scan for a multitude of things such as IP/Domain, File Hash, Vulnerabilities, upload files for analysis, etc. A Threat intelligence sharing platform enabling research on security threats, aggregation of intelligence, and collaboration with peers
IP.Teoh.io - VPN & Proxy IP Detection Tool. Check if an IP is currently blacklisted or is using a VPN/proxy
IPVoid - Various tools for IP information. WHOIS, DNS, DNSDIG, MX Record, Blaklisted by any services, etc.
ViewDNS - Huge toolbox with various utilities for enumerating information about a domain.
DNSDumpster - Free domain research tool that can discover hosts related to a domain.
MXToolbox - Checks MX information for the given domain
DNSLytics - Find out everything about a domain name, IP address or provider. Discover relations between them and see historical data. Use it for your digital investigation, fraud prevention or brand protection.
HostSpider - Command line tool that gathers tons of information about a domain including DNS records, subdomains, WHOIS, Cloudflare IP, and more!
OmnisintLabs - Project Crobat: Rapid7's DNS Database easily searchable via a lightening fast API, with domains available in milliseconds.
Sublist3r - Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines.
Email/Username OSINT
Corporate usernames can be obnoxiously easy to guess and build. The standard of [email protected] is so common, it's ridiculous. Even more so when account management tools will simply take the first half of the email and reuse it as a username. We can use schemes like this to our advantage to search for a multitude of treasures like accounts on other services with the same username, credentials found in breaches, and associated sites or tools. When searching for usernames, you can uncover linked social media accounts and tons of relevant intelligence.
Email Search Tools
MXToolBox - Collection of online tools that can gather multiple points of data surrounding an email address or domain
Seon.io - Enrich user data based on a single email address
Epieos - Enter an email address and see which sites the email address has been used.
HoleHE - CLI Tool to check if an email is attached to an account on sites like twitter, instagram, imgur and more than 120 others
Email Discovery Tools
Hunter.io - Discover email addresses by company name
Phonebook.cz - Phonebook lists all domains, email addresses, or URLs for the given input domain.
Voilanorbert - Discover email addresses by company name
Connect.Clearbit - Email discovery tool, only works in chrome.
Email Format - Find the email address format for a given company or domain.
Snov.io - Locate employee email addresses via domain name.
TheHarvester - This tool is the defacto standard for email intelligence gathering. It checks a large array of sources to pull together information. It can leverage APIs of other services such as Spyse or Shodan to improve the search. Remember these will require an API key to use. I have found that between the above html tools and this, it will satisfy your email searching needs.
Tools
Breached password list from Magnet link
Username Search Tools
WhatsMyName - This tool allows you to enumerate usernames across many different websites.
UserSearch - Search Engine for Usernames
Name Check - See if a username is available across multiple platforms
Sherlock - Hunt down social media accounts by username across social networks
SocialCcan - Python library and CLI for accurately querying username and email usage on online platforms
AnalyzeID - Social media username checker. Gather information on the taken username and get a summary of who the person is
IDCrawl - A free people search engine that organizes social network information, deep web information, phone numbers, email addresses and more
Social Media OSINT
Social Media is huge a huge part of the internet now, from personal accounts, businesses, news outlets, to bots, it's very helpful to find information on them. This doesn't include just Facebook or Twitter, this can include things like Discord, Telegram, Snapchat, and others.
Facebook
Codeofaninja - This tool called "Get Facebook ID" provides an easy and fast way to find a Facebook page's or Facebook profile's numeric ID.
CSE Facebook Image Search - Use Keywords to search Facebook for images.
CSE Facebook Search - Obtain overall Results, Pages, Groups & Photos.
Intelligence X - Facebook Graph Searcher.
Intelltechniques - Facebook Search Tool.
Lookup-ID - Facebook profile ID / Group ID / Page ID lookup resource.
Osint Combine - Social Geo Lens, this tool is designed to provide a map based interface for geo searching on social media platforms.
Osint Combine - This tool is a simple way to quickly search for multiple keywords from a list or open mutual friends for multiple profiles at the same time.
Plessas Facebook Matrix - This page contains Kirby Plessas Formulas for Searching Facebook.
Socmint Tool - Graph Search Tool.
Sowdust Graph Tips - Replacement Graph Search developed by Sowdust.
Who Posted What - Whopostedwhat.com is a non public Facebook keyword search for people who work in the public interest. It allows you to search keywords on specific dates.
Twitter
Nixintel How to find timestamps - Nixintel blog on how to find timestamps for verification (2022).
Codeofaninja - Easy way for you to get a Twitter profile's numeric ID.
Tools
Linked In
Are You Linked in? - Blog by Ginger T & Ritu Gill on how to search linked without being logged in (2021).
Free Person Search Tool - Find people easily on Linkedin.
Custom Search Engine - UK Linkedin Search (1).
Custom Search Engine - UK Linkedin Search (2).
Inteltechniques - LinkedIn Search Tool.
Recruitment Geek - LinkedIn Xray Search.
Instagram
Nixintel How to find timestamps - Nixintel's blog on how to find timestamps for verification (2022).
Nixintel Instagram Osint - Nixintel's tutorial on how to install InstaScraper.
TOCP How to search Instagram part 1 - Technisette talks through how to search Instagram, for people, stories, keywords, hashtags, locations (2019).
TOCP How to search Instagram part 2 - Technisette continues her tutorial searching Instagram, for businessess, deleted content and tracking followers (2019).
Codeofaninja - Easy way for developers and designers to get Instagram account numeric ID by username.
Download Gram - Instagram downloader tool, it helps you to download Instagram photos and videos.
Imginn - Download instagram photos, videos and stories highlights.
Instaloader - Download pictures (or videos) along with their captions.
Inteltechniques - Inteltechniques Instagram search tool.
Instalooter - API-less Instagram pictures and videos downloader.
iZuum - Instagram profile downloader.
Osint Combinne - Find images by date on Instagram at particular locations easier and more efficient.
Picnob - Enables you to browse Instagram profiles without the need of an account.
Picuki - Instgram Editor & Viewer.
Toutatis - Extract information from instagrams accounts such as e-mails & phone numbers.
Who Posted What - Finds Posts on Date Tagged With Location, for people who work in the public interest
Discord
A helpful resource on how to perform OSINT on Discord can be found here. Credit to BOstintBlanc.
DiscoList - added by Blackholered
Snapchat
Websites
Tools
Wappalyzer Plugin/Extention
Put this into a file for httprobe
Put this into a file for httprobe
Only returns sites that are up/active
strip http/https/:443 from the alive.txt made from httprobe
whois
Business OSINT
Wireless OSINT
Frameworks
Passwords
Physical Location
Google Satelite Images
Google Street View
URL and URL Sandboxing
URLScan - "A sandbox for the web" Scans submitted URL website for malicious intent details in their about page.
URLHaus - Search IP/Domain, URL, MD5, SHA256, and more to see if they have been flagged as malicious/suspicious.
URLVoid - Website reputation checker. Shows information of location, IP, WHOIS, DNS Records, and if various services have blacklisted the URL or not.
Browserling - Sandbox URLs on various browsers and interact with them in a live secure environment.
Wannabroswer - Simulate any Browser
Hybrid-Analysis - Malware Analysis Service
Joes Sandbox - "Detects and analyzes potential malicious files and URLs" on various OS
Triage - Malware Analysis Sandbox
Any.run - An "Interactive online malware analysis service for dynamic and static research of most types of threats using any environments. Replaces a set of tools for research". Free to use and sign up for. Can be used for "a convenient in-depth analysis of new (unidentified) malicious objects, as well as for the investigation of cyber incidentals."
Image
Websites
Tools
People Search/PII
This section will get stalker-ish real quick. While limited in usefulness for a penetration test, it can help you discover all the interesting data surrounding a person, or link data you have found back to an individual. For those who would like a premium all in one option, there are a few handy platforms that can make collection faster and easier.
Social Links - Premium collection of OSINT tools focusing on data gathered from social media and other sits.
Gamayun - Gamayun is a web based tool designed for conducting OSINT investigations when searching for emails, locations, phone number, aliases, and photos.
SL-Pro - SL Pro is a professional tool for searching data from social media accounts, the Darknet, blockchains, and internet data leaks. It comes with API Integrations that link to 1100 methods of search across 50+ sources of data on over 800 million identities, which makes it ideal for when performing OSINT on a person.
Melissa - Arguably one of the best search tools for people out there. Provides a massive amount of tools and resources to search people by name, address, phone number and so on. They also provide loads of other useful tools and resources including maps, federal data, property records and more.
SocialCatFish - Find connections and verify a person's online identity using a name, image, email address, phone number, username or physical address.
GoFindWho - Find people for free by phone number, name, email address, and username on Facebook and in public records.
EffectGroup - One of the best tools for searching people by username, email address, real name or phone number and build a dossier on your target. Searches social media sites, data breaches, documents and much more. Requires a paid subscription after first search.
Name Search
Name search records can get muddy really quickly when dealing with names like "John Smith", however many tools will allow you refine the search with other data points such as location or other context. As with any search tool, the more data you feed it, the more accurate your results will be. As always I like to start with one of Michael Bazzell's handy tools, Name.html. This tool will search databases of names that will return associated data points for building a full profile of your target. From here, the next step is to start looking for any public records that may be associated with the name you are searching for. Remember to use location to aid in context.
Xlek - Searches millions of online records for a given name.
Thats Them - Find all sorts of information about a person including address, email, even their cars VIN number
Public Records - Search public government records for entries relating to your target.
Peekyou - Popular people search engine
BeenVerified - People search engine that can return people, vehicle, property and contact info.Volunteer OSINT
OpenSanctions - The persons of interest database
Verecor - Generic people search site for U.S. citizens.
UFind.Name - Search for a person's name and see matching results including LinkedIn and Facebook accounts, white page results, vehicle registration database entries, marketing data and more.
Gov and Business Records
GLEIF - Look up company information from Global Legal Entity Identifier Foundation (GLEIF).
Open Corporates - Giant public database of corporate information.
Public Records - Search public government records for entries relating to your target.
Background checks - Search for mentions of a person in court cases, contact information, assets, police records and much more!
SEC filings - All companies, foreign and domestic, are required to file registration statements, periodic reports, and other forms electronically through EDGAR. Anyone can access and download this information for free. Here you'll find links to a complete list of filings available through EDGAR and instructions for searching the EDGAR database.
Vital Records Search Tools - This site contains tools for finding immigration records, census records, vital records, and for dealing with calendars, maps, foreign alphabets, and numerous other applications. Some of these tools fetch data from other websites but do so in more versatile ways than the search tools provided on those websites. Created by Stephen P, Morse.
JudyRecords - Search over 580 million United States court cases.
CaseLaw - A free tool that allows you to search over 1.7 million U.S. federal cases and over 4.9 million state cases.
CourtRecords - Search complete and up-to-date public court records in the U.S.
Public Records - Search for United States public records.
Voter Records
Phone Numbers
Websites
Carrier lookup - Enter a phone number and returns the carrier name and whether the number is wireless or landline.
Number Validator - Search phone number format and origin
CallerID check - A database of caller names used to identify the name of a caller when receiving an inbound call from the United States or Canada.
TrueCaller Caller ID check - One of the best CallerID utilities
Spy Dialer - Reverse phone number lookup for cell phones, VOIP and landlines.
Seon.io - Confirm if the number is valid, and detect the origin country, carrier, and number type.
800 Notes - A crowd-sourced reverse phone number search. Good for identifying scammer numbers.
Caller Name - Free phone number lookup service where you can look up a cell phone, VoIP or Landline number.
Tools
Additional OSINT
Spiderfoot - automates OSINT for threat intelligence and mapping your attack surface.
TorWhoIs - Look up an .onion address and see basic information such as date last seen, open ports, running software and banners
IntelligenceX - Search Tor, I2P, data leaks, domains, and emails
GreyNoise - Search for devices connected to the internet
Dehashed - View leaked credentials and compromised assets
DeHashed-API-Tool by Heath Adams(TCM)
Ultimate Windows Security - View Windows Event codes, CVE's, and multiple other tools relating to WIndows Security.
AlienVaultOTX - Extensive threat intelligence feed
Censys - Assessing attack surface for internet connected devices
URL2PNG - Get a screenshot of a website rather than browsing to it.
DNSChecker - A wide variety of DNS, IP, and other tools.
Bash.ws - Whois, host, dig, nslookup, ping, traceroute, and geoiplookup tool on IPs and Domains
NSLookup.io - Find all name servers for a domain name with this online DNS NS checker
Malware Bazaar - Search file hashes to see if they have been flagged as malicious.
HaveIBeenPwned - Check if your email or phone is in a data breach
DorkSearch - Faster Google dorking.
ExploitDB - Archive of various exploits
WayBackMachine - View content from edited, deleted and older websites
Maltiverse - Search for indicators of compromise or something related
HoneyDB - Provides real time data of honeypot activity.
SecurityTrails - Extensive and historical DNS data
ZoomEye - Gather information about targets
Pulsedive - Search for threat intelligence
GrayHatWarfare - Search public S3 buckets
MHA Azure Websites - Message Head Analyzer
PolySwarm - Scans files and URLs for threats
LeakIX - Search publicly indexed information
FullHunt - Search and discovery attack surfaces
ONYPHE - Collects cyber-threat intelligence data
Grep App - Git repository search
Vulners - Search vulnerabilities in a large database
Netlas - Search and monitor internet connected assets
CRT sh - Search for certs that have been logged by CT
Wigle - Database of wireless networks, with statistics
PublicWWW - Marketing and affiliate marketing research
Binary Edge - Scans the internet for threat intelligence
Hunter.io - Search for email addresses belonging to a website
Packet Storm Security - Browse latest vulnerabilities and exploits
SearchCode - Search 75 billion lines of code from 40 million projects
Last updated