OSINT Tools

Helpful links and resources for Cyber Security Analysts and Researchers

Here's a list of additional helpful tools that can be used for OSINT and sandboxing by cyber security analysts and researchers. These tools can be used to look up information on domains, IPs, URLs, file hashes, etc.

Resources to find various OSINT platforms:

Google and Google Dorking

We all know Google is a search engine that collects and indexes websites from all over the internet, but some don't realise how powerful it really is. Google hacking, also called Google dorking, is a technique that uses Google Search and other Google applications to find security holes in the configuration and code that websites use.

  • TryHackMe - Google Dorking Room

  • Fast-Google-Dorks-Scan - GitHub

What is Dorking

Dorking is essentially an advanced search: we use operators that act as filters to direct the search to exactly where we want it, and symbols to search for exact words or phrases. It works on almost any search engine on the internet and uses those engines to their full potential to uncover results that a routine search would not surface. It lets us refine searches and dive deeper, with better accuracy, into web pages and files that are available online. Revealing hidden documents and security flaws through dorking does not require a great deal of technical knowledge; it comes down to learning a few search strategies and applying them across a variety of search engines.

Why we need google dorks

Everyone can use Google dorks for a different purpose. Some of the most common reasons for using Google dorks:

  • Cyber security roles use Google dorks to find critical information that has been exposed, by mistake or knowingly, so that they can later hide or delete it before anyone can use it for a wrong purpose.

  • Researchers, content writers, journalists, etc. use Google dorks to gather all the information available on Google about a particular topic so that they can use it to reach their own goals.

  • Students use Google dorks to find answers to questions from their textbooks or asked by someone, or to find leaked versions of a course or a book for free.

  • Companies and their employees use Google dorks to gather information about their competitors and to find honest reviews of their products or services, which they can then use to improve those products and services and help the company grow faster.

What can we find from Google Dorks

Google dorks can be used to find many kinds of information, but they are mainly used to find:

  • Critical information about a website, company, organization, software, etc.

  • Blogs, articles, research papers, etc. on a particular topic

  • Leaked documents, courses, eBooks, etc.

  • Reviews about a company, its products and services

  • Solutions or answers to textbook questions

Many other kinds of information can be found just as easily with Google dorks.

Using Google Dorks

Each entry below gives the dork, what it is used for, and an example:

  • "specified_phrase or statement" - Shows only pages that contain the exact word or phrase. Example: "Is hacking illegal"

  • site: - Removes search results from all websites except the specified one. Example: site:github.com th4ntis

  • inurl:specified_phrase - Shows results that contain the specified word in the URL. Example: inurl:ethical hacking

  • inurl:word1 word2 - Shows results that contain either of the words, or both. Example: inurl:hacking programming

  • allinurl:word1 word2 - Shows results whose URL contains both of the specified words. Example: allinurl:hacking programming

  • intitle:word1 word2 - Shows results that have word1 in their title and mention word2 anywhere in the document. Example: intitle:hacking networking

  • cache: - Shows a cached version of the website if the website is down. Example: cache:netflix.com

  • intext:word1 - Shows only pages containing the specified word(s) somewhere in the body text. Example: intext:bug hunting

  • allintext:word1 word2 - Shows only pages containing all of the specified words somewhere in the body text. Example: allintext:hacking networking

  • intitle:"index of" - Shows open FTP servers. Example: intitle:"index of spiderman movie"

  • inurl:view/index.shtml - Shows live cameras that don't have any protection. Example: inurl:view/index.shtml

  • filetype:pdf/doc/ppt specified_phrase - Shows only documents of that file type that contain the specified word. Example: filetype:pdf ethical hacking

  • + (plus) - Shows pages that must contain the specified word. Example: ethical hacking + free course

  • - (minus) - Removes results that contain certain words. Example: ethical hacking - paid course

  • feed: - Shows the RSS feed for the specified term. Example: feed:hacking

  • ip: - Finds websites hosted at the specified IP. Example: ip:54.239.28.85

We can use Google's normal search as well as its Advanced Search page. Of course, we can combine these operators as well.

We can also use Boolean searches in Google with AND / OR:

google dorking filetype:pdf OR filetype:doc OR filetype:docx
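As an added example (not code from the original page), the following Python builds queries from the operators in the table above, including the OR-grouped filetype search just shown, and parses a dork string back into its terms. The domain `example.com` and the phrases are constructed placeholders; a security team would substitute its own domain when auditing what has been indexed about it (the first use listed under "Why we need google dorks").

```python
"""Build and parse Google dork queries using the operators listed above.

Added example (not from the original page). The operator names come from the
table above; the example domain and phrases are constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Operators from the table above that take a value after the colon.
DORK_OPERATORS = {
    "site", "inurl", "allinurl", "intitle", "allintitle",
    "intext", "allintext", "filetype", "cache", "feed", "ip",
}

# One term: optional "-" (exclude), optional operator, then a quoted phrase or a bare word.
TERM_RE = re.compile(r'(?P<neg>-?)(?:(?P<op>[a-z]+):)?(?P<val>"[^"]*"|\S+)')


@dataclass
class Term:
    operator: Optional[str]   # e.g. "site", or None for a plain keyword / phrase
    value: str                # value with surrounding quotes removed
    negated: bool = False     # True for "-word" (exclude results containing it)


def quote_phrase(text: str) -> str:
    """Wrap a multi-word phrase in double quotes so the engine matches it exactly."""
    text = text.strip()
    if " " in text and not text.startswith('"'):
        return f'"{text}"'
    return text


def build_dork(site: Optional[str] = None, filetypes: Iterable[str] = (),
               intitle: Optional[str] = None, phrases: Iterable[str] = (),
               exclude: Iterable[str] = ()) -> str:
    """Compose one query from the table's operators, OR-ing several filetypes."""
    parts: List[str] = []
    if site:
        parts.append(f"site:{site}")
    filetypes = list(filetypes)
    if filetypes:
        alternatives = " OR ".join(f"filetype:{ft}" for ft in filetypes)
        parts.append(f"({alternatives})" if len(filetypes) > 1 else alternatives)
    if intitle:
        parts.append(f"intitle:{quote_phrase(intitle)}")
    parts.extend(quote_phrase(p) for p in phrases)
    parts.extend(f"-{quote_phrase(w)}" for w in exclude)
    return " ".join(parts)


def parse_dork(query: str) -> List[Term]:
    """Tokenise a dork string back into terms; parentheses and OR are grouping only."""
    cleaned = query.replace("(", " ").replace(")", " ")
    terms: List[Term] = []
    for m in TERM_RE.finditer(cleaned):
        if m.group("val") == "OR":
            continue  # boolean connector, not a term
        op = m.group("op")
        if op is not None and op not in DORK_OPERATORS:
            # e.g. "http://..." is not an operator: keep the whole token as a keyword
            op, val = None, m.group(0).lstrip("-")
        else:
            val = m.group("val")
        terms.append(Term(op, val.strip('"'), negated=m.group("neg") == "-"))
    return terms


def own_domain_audit_queries(domain: str) -> List[str]:
    """Queries a security team would run against its own domain to spot documents
    and listings exposed by mistake (constructed for this example)."""
    return [
        build_dork(site=domain, filetypes=["pdf", "doc", "docx", "xls", "xlsx"]),
        build_dork(site=domain, phrases=["confidential"]),
        build_dork(site=domain, intitle="index of"),
    ]


if __name__ == "__main__":
    for q in own_domain_audit_queries("example.com"):
        print(q, "->", parse_dork(q))
```

The parser keeps `-` (exclude) as a flag on the term rather than a separate token, so a query can be inspected or rewritten before it is run.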

IP/Domain OSINT

When researching IP addresses, it is important we know the context of the search we are performing. There are a multitude of sources to research IP addresses and they can vary depending on what information we want to learn about them.

For offensive security, threat hunting, and attack surface mapping, we want current registration data, and any associated data points that our searches may return. These can include hosted domains, ASN, associated network artifacts, etc.

For defensive operations, such as those of the security blue team, we are looking for historical data and activity data of the IP address.

Domains, more than almost any other target, have one of the largest assortments of associated data points. The most important ones for this section are registration data, hosting data, site information, archived data, and analytics.

There are tons of highly effective tools for subdomain enumeration and brute forcing, but they can be quite noisy. During the Passive Recon phase of a penetration test, we can start with any subdomains recorded by other sources to plan out our attack/test.

  • RDAP - Registration Data Access Protocol is the successor to WHOIS. Like WHOIS, RDAP provides access to information about Internet resources (domain names, autonomous systems, and IP addresses). Unlike WHOIS, RDAP provides a machine-readable representation of registration data, differentiated access, structured request and response semantics, internationalisation, and extensibility.

  • Whois - A Whois domain lookup allows you to trace the ownership and tenure of a domain name.

  • Shodan.io - Shodan is a search engine that lets users search for various types of servers connected to the internet using a variety of filters.

  • VirusTotal - Analyze suspicious files, domains, IPs and URLs to detect malware and other breaches, automatically share them with the security community

  • AbuseIPDB - AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet.

  • Cisco Talos Intelligence - "Search by IP, domain, or network owner for real-time threat data."

  • IBM X-Force - Scan for a multitude of things such as IP/Domain, File Hash, Vulnerabilities, upload files for analysis, etc. A Threat intelligence sharing platform enabling research on security threats, aggregation of intelligence, and collaboration with peers

  • IP.Teoh.io - VPN & Proxy IP Detection Tool. Check if an IP is currently blacklisted or is using a VPN/proxy

  • IPVoid - Various tools for IP information: WHOIS, DNS, DNS dig, MX record, whether the IP is blacklisted by any services, etc.

  • ViewDNS - Huge toolbox with various utilities for enumerating information about a domain.

  • DNSDumpster - Free domain research tool that can discover hosts related to a domain.

  • MXToolbox - Checks MX information for the given domain

  • DNSLytics - Find out everything about a domain name, IP address or provider. Discover relations between them and see historical data. Use it for your digital investigation, fraud prevention or brand protection.

  • HostSpider - Command line tool that gathers tons of information about a domain including DNS records, subdomains, WHOIS, Cloudflare IP, and more!

  • OmnisintLabs - Project Crobat: Rapid7's DNS database, easily searchable via a lightning-fast API, with domains available in milliseconds.

  • Sublist3r - Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines.
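The RDAP entry above notes that, unlike WHOIS, RDAP returns machine-readable registration data. As an added example (not code from the original page or from any RDAP server), the following Python parses an RDAP domain object into the fields a defender looks at first: registrar, status, registration and expiry dates, nameservers, and the domain's age, since very recently registered domains are a common phishing indicator. The JSON document is a constructed sample in the RDAP domain-object shape; the names, handle and dates in it are placeholders, not real registration data.

```python
"""Parse an RDAP domain response into the data points a defender checks first.

Added example (not from the original page). SAMPLE_RDAP is a constructed
sample in the RDAP domain-object shape (RFC 9083); every value in it is a
placeholder, not real registration data.
"""
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

SAMPLE_RDAP = json.dumps({  # constructed sample, not a real lookup
    "objectClassName": "domain",
    "handle": "EXAMPLE-HANDLE",
    "ldhName": "suspicious-login.example",
    "status": ["client transfer prohibited", "server delete prohibited"],
    "events": [
        {"eventAction": "registration", "eventDate": "2023-11-05T00:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2024-11-05T00:00:00Z"},
        {"eventAction": "last changed", "eventDate": "2023-11-06T12:00:00Z"},
    ],
    "nameservers": [
        {"objectClassName": "nameserver", "ldhName": "NS2.EXAMPLE.NET"},
        {"objectClassName": "nameserver", "ldhName": "ns1.example.net"},
    ],
    "entities": [
        {"objectClassName": "entity", "roles": ["registrar"], "handle": "9999",
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                   ["fn", {}, "text", "Example Registrar, Inc."]]]},
        {"objectClassName": "entity", "roles": ["registrant"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                   ["fn", {}, "text", "REDACTED FOR PRIVACY"]]]},
    ],
})


@dataclass
class DomainRecord:
    name: str
    status: List[str]
    registrar: Optional[str]
    registered: Optional[datetime]
    expires: Optional[datetime]
    nameservers: List[str] = field(default_factory=list)

    def age_days(self, as_of: datetime) -> Optional[int]:
        """Days since registration; very young domains are a common phishing signal."""
        if self.registered is None:
            return None
        return (as_of - self.registered).days


def _parse_date(value: str) -> datetime:
    # RDAP uses RFC 3339 timestamps; normalise the trailing 'Z' for fromisoformat()
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _vcard_fn(entity: dict) -> Optional[str]:
    """Return the 'fn' (formatted name) property from an entity's jCard, if any."""
    vcard = entity.get("vcardArray") or []
    if len(vcard) != 2:
        return None
    for prop in vcard[1]:
        if prop and prop[0] == "fn":
            return prop[3]
    return None


def parse_rdap_domain(raw: str) -> DomainRecord:
    """Extract the commonly needed fields; missing sections become None / empty."""
    doc = json.loads(raw)
    events = {e.get("eventAction"): e.get("eventDate") for e in doc.get("events", [])}
    registrar = next(
        (_vcard_fn(e) for e in doc.get("entities", []) if "registrar" in e.get("roles", [])),
        None,
    )
    return DomainRecord(
        name=doc.get("ldhName", "").lower(),
        status=list(doc.get("status", [])),
        registrar=registrar,
        registered=_parse_date(events["registration"]) if "registration" in events else None,
        expires=_parse_date(events["expiration"]) if "expiration" in events else None,
        nameservers=sorted(ns.get("ldhName", "").lower() for ns in doc.get("nameservers", [])),
    )


def domain_age_days(raw: str, as_of_iso: str) -> Optional[int]:
    """Age in days of the domain in an RDAP document, as of an RFC 3339 timestamp."""
    return parse_rdap_domain(raw).age_days(_parse_date(as_of_iso))


if __name__ == "__main__":
    rec = parse_rdap_domain(SAMPLE_RDAP)
    print(rec.name, rec.registrar, rec.nameservers, rec.age_days(datetime.now(timezone.utc)))
```

Nameservers and the domain name are lowercased before comparison because RDAP servers return them in mixed case; a live response from a registry's RDAP endpoint can be passed to `parse_rdap_domain()` unchanged.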

Email/Username OSINT

Corporate usernames can be obnoxiously easy to guess and build. The standard of [email protected] is so common, it's ridiculous. Even more so when account management tools will simply take the first half of the email and reuse it as a username. We can use schemes like this to our advantage to search for a multitude of treasures like accounts on other services with the same username, credentials found in breaches, and associated sites or tools. When searching for usernames, you can uncover linked social media accounts and tons of relevant intelligence.

Email Search Tools

  • MXToolBox - Collection of online tools that can gather multiple points of data surrounding an email address or domain

  • Seon.io - Enrich user data based on a single email address

  • Epieos - Enter an email address and see which sites the email address has been used.

  • HoleHE - CLI Tool to check if an email is attached to an account on sites like twitter, instagram, imgur and more than 120 others

Email Discovery Tools

  • Hunter.io - Discover email addresses by company name

  • Phonebook.cz - Phonebook lists all domains, email addresses, or URLs for the given input domain.

  • Voilanorbert - Discover email addresses by company name

  • Connect.Clearbit - Email discovery tool, only works in chrome.

  • Email Format - Find the email address format for a given company or domain.

  • Snov.io - Locate employee email addresses via domain name.

  • TheHarvester - This tool is the de facto standard for email intelligence gathering. It checks a large array of sources to pull together information. It can leverage APIs of other services such as Spyse or Shodan to improve the search. Remember these will require an API key to use. I have found that between the above HTML tools and this, it will satisfy your email searching needs.

Tools

breach-parse 

Breached password list from Magnet link

theHarvester -d domain -b search
h8mail -t [email protected]

Username Search Tools

  • WhatsMyName - This tool allows you to enumerate usernames across many different websites.

  • UserSearch - Search Engine for Usernames

  • Name Check - See if a username is available across multiple platforms

  • Sherlock - Hunt down social media accounts by username across social networks

  • SocialScan - Python library and CLI for accurately querying username and email usage on online platforms

  • AnalyzeID - Social media username checker. Gather information on the taken username and get a summary of who the person is

  • IDCrawl - A free people search engine that organizes social network information, deep web information, phone numbers, email addresses and more

sherlock user

Social Media OSINT

Social media is a huge part of the internet now, from personal accounts, businesses and news outlets to bots, so it is very helpful to find information on them. This doesn't just mean Facebook or Twitter; it can include Discord, Telegram, Snapchat, and others.

Facebook

  • Codeofaninja - This tool called "Get Facebook ID" provides an easy and fast way to find a Facebook page's or Facebook profile's numeric ID.

  • CSE Facebook Image Search - Use Keywords to search Facebook for images.

  • CSE Facebook Search - Obtain overall Results, Pages, Groups & Photos.

  • Intelligence X - Facebook Graph Searcher.

  • IntelTechniques - Facebook Search Tool.

  • Lookup-ID - Facebook profile ID / Group ID / Page ID lookup resource.

  • Osint Combine - Social Geo Lens, this tool is designed to provide a map based interface for geo searching on social media platforms.

  • Osint Combine - This tool is a simple way to quickly search for multiple keywords from a list or open mutual friends for multiple profiles at the same time.

  • Plessas Facebook Matrix - This page contains Kirby Plessas Formulas for Searching Facebook.

  • Socmint Tool - Graph Search Tool.

  • Sowdust Graph Tips - Replacement Graph Search developed by Sowdust.

  • Who Posted What - Whopostedwhat.com is a non public Facebook keyword search for people who work in the public interest. It allows you to search keywords on specific dates.

Twitter

Tools

LinkedIn

Instagram

  • Nixintel How to find timestamps - Nixintel's blog on how to find timestamps for verification (2022).

  • Nixintel Instagram Osint - Nixintel's tutorial on how to install InstaScraper.

  • TOCP How to search Instagram part 1 - Technisette talks through how to search Instagram, for people, stories, keywords, hashtags, locations (2019).

  • TOCP How to search Instagram part 2 - Technisette continues her tutorial on searching Instagram, for businesses, deleted content and tracking followers (2019).

  • Codeofaninja - Easy way for developers and designers to get Instagram account numeric ID by username.

  • Download Gram - Instagram downloader tool, it helps you to download Instagram photos and videos.

  • Imginn - Download instagram photos, videos and stories highlights.

  • Instaloader - Download pictures (or videos) along with their captions.

  • IntelTechniques - IntelTechniques Instagram search tool.

  • Instalooter - API-less Instagram pictures and videos downloader.

  • iZuum - Instagram profile downloader.

  • OSINT Combine - Find images by date on Instagram at particular locations more easily and efficiently.

  • Picnob - Enables you to browse Instagram profiles without the need of an account.

  • Picuki - Instagram Editor & Viewer.

  • Toutatis - Extract information from Instagram accounts such as e-mails & phone numbers.

  • Who Posted What - Finds Posts on Date Tagged With Location, for people who work in the public interest

Discord

A helpful resource on how to perform OSINT on Discord can be found here. Credit to BOstintBlanc.

Snapchat

Websites

Tools

go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
subfinder -d domain

Put this into a file for httprobe

go install -v github.com/tomnomnom/assetfinder@latest
assetfinder domain

Put this into a file for httprobe

go install -v github.com/tomnomnom/httprobe@latest
cat tesla.txt | sort -u | httprobe -s -p https:443

Only returns sites that are up/active

go install -v github.com/owasp-amass/amass/v4/...@master
amass enum -d domain
go install github.com/sensepost/gowitness@latest
gowitness file -f ./alive.txt -P ./pics --no-http

strip http/https/:443 from the alive.txt made from httprobe
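The steps above leave two small gaps that are easy to get wrong by hand: merging the subfinder and assetfinder output into one de-duplicated, in-scope list before httprobe, and stripping the scheme and `:443` from httprobe's output before gowitness. As an added example (not code from the original page or from any of those tools), the following Python does both. The enumerator and httprobe output lines embedded in it are constructed samples for `example.com`; in practice you would read the files the commands above produce.

```python
"""Glue for the subdomain pipeline above: merge subfinder/assetfinder output into one
list for httprobe, then turn httprobe's URLs back into bare hostnames for gowitness.

Added example (not from the original page or any of the tools' own code). The
sample output lines below are constructed; replace them with your own files.
"""
from typing import Iterable, List
from urllib.parse import urlsplit

# Constructed sample output from the two enumerators (overlapping, mixed case, a wildcard).
SUBFINDER_OUT = """www.example.com
api.example.com
*.dev.example.com
Mail.Example.com
"""
ASSETFINDER_OUT = """api.example.com
cdn.example.com

www.example.com
"""
# Constructed sample of what `httprobe -s -p https:443` printed for the live hosts.
HTTPROBE_OUT = """https://www.example.com:443
http://www.example.com
https://api.example.com:443
https://cdn.example.com:443
"""


def merge_subdomain_lists(*outputs: str, scope: str) -> List[str]:
    """Union the enumerators' output: lowercase, drop blanks, wildcards and out-of-scope names."""
    hosts = set()
    for text in outputs:
        for line in text.splitlines():
            name = line.strip().lower()
            if not name or name.startswith("*."):
                continue  # nothing to probe for a wildcard entry
            if name == scope or name.endswith("." + scope):
                hosts.add(name)
    return sorted(hosts)


def hosts_from_httprobe(output: str) -> List[str]:
    """Strip scheme and port from httprobe URLs, since gowitness wants bare hostnames."""
    hosts = set()
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        # urlsplit() needs a scheme or a leading "//" to treat the text as a netloc
        host = urlsplit(line if "://" in line else "//" + line).hostname
        if host:
            hosts.add(host.lower())
    return sorted(hosts)


def write_lines(path: str, lines: Iterable[str]) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")


if __name__ == "__main__":
    # Typical flow: merged.txt feeds httprobe; alive.txt feeds gowitness.
    write_lines("merged.txt",
                merge_subdomain_lists(SUBFINDER_OUT, ASSETFINDER_OUT, scope="example.com"))
    write_lines("alive.txt", hosts_from_httprobe(HTTPROBE_OUT))
```

The scope check matters on a real engagement: enumerators sometimes return names that merely contain the target string, and probing those would be out of scope.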

  • whois

whois domain

Business OSINT

Wireless OSINT

Frameworks

Passwords

Physical Location

URL and URL Sandboxing

  • URLScan - "A sandbox for the web". Scans the submitted URL for malicious intent; details are on their About page.

  • URLHaus - Search IP/Domain, URL, MD5, SHA256, and more to see if they have been flagged as malicious/suspicious.

  • URLVoid - Website reputation checker. Shows information of location, IP, WHOIS, DNS Records, and if various services have blacklisted the URL or not.

  • Browserling - Sandbox URLs on various browsers and interact with them in a live secure environment.

  • WannaBrowser - Simulate any browser

  • Hybrid-Analysis - Malware Analysis Service

  • Joe Sandbox - "Detects and analyzes potential malicious files and URLs" on various OSes

  • Triage - Malware Analysis Sandbox

  • Any.run - An "Interactive online malware analysis service for dynamic and static research of most types of threats using any environments. Replaces a set of tools for research". Free to use and sign up for. Can be used for "a convenient in-depth analysis of new (unidentified) malicious objects, as well as for the investigation of cyber incidents."

Image

Websites

Tools

sudo apt install libimage-exiftool-perl
exiftool IMAGE

People Search/PII

This section will get stalker-ish real quick. While limited in usefulness for a penetration test, it can help you discover all the interesting data surrounding a person, or link data you have found back to an individual. For those who would like a premium all in one option, there are a few handy platforms that can make collection faster and easier.

  • Social Links - Premium collection of OSINT tools focusing on data gathered from social media and other sites.

  • Gamayun - Gamayun is a web based tool designed for conducting OSINT investigations when searching for emails, locations, phone number, aliases, and photos.

  • SL-Pro - SL Pro is a professional tool for searching data from social media accounts, the Darknet, blockchains, and internet data leaks. It comes with API Integrations that link to 1100 methods of search across 50+ sources of data on over 800 million identities, which makes it ideal for when performing OSINT on a person.

  • Melissa - Arguably one of the best search tools for people out there. Provides a massive amount of tools and resources to search people by name, address, phone number and so on. They also provide loads of other useful tools and resources including maps, federal data, property records and more.

  • SocialCatFish - Find connections and verify a person's online identity using a name, image, email address, phone number, username or physical address.

  • GoFindWho - Find people for free by phone number, name, email address, and username on Facebook and in public records.

  • EffectGroup - One of the best tools for searching people by username, email address, real name or phone number and build a dossier on your target. Searches social media sites, data breaches, documents and much more. Requires a paid subscription after first search.

Name search records can get muddy really quickly when dealing with names like "John Smith"; however, many tools will allow you to refine the search with other data points such as location or other context. As with any search tool, the more data you feed it, the more accurate your results will be. As always I like to start with one of Michael Bazzell's handy tools, Name.html. This tool will search databases of names that will return associated data points for building a full profile of your target. From here, the next step is to start looking for any public records that may be associated with the name you are searching for. Remember to use location to aid in context.

  • Xlek - Searches millions of online records for a given name.

  • Thats Them - Find all sorts of information about a person including address, email, even their car's VIN

  • Public Records - Search public government records for entries relating to your target.

  • Peekyou - Popular people search engine

  • BeenVerified - People search engine that can return people, vehicle, property and contact info.

Volunteer OSINT

  • OpenSanctions - The persons of interest database

  • Verecor - Generic people search site for U.S. citizens.

  • UFind.Name - Search for a person's name and see matching results including LinkedIn and Facebook accounts, white page results, vehicle registration database entries, marketing data and more.

Gov and Business Records

  • GLEIF - Look up company information from Global Legal Entity Identifier Foundation (GLEIF).

  • Open Corporates - Giant public database of corporate information.

  • Public Records - Search public government records for entries relating to your target.

  • Background checks - Search for mentions of a person in court cases, contact information, assets, police records and much more!

  • SEC filings - All companies, foreign and domestic, are required to file registration statements, periodic reports, and other forms electronically through EDGAR. Anyone can access and download this information for free. Here you'll find links to a complete list of filings available through EDGAR and instructions for searching the EDGAR database.

  • Vital Records Search Tools - This site contains tools for finding immigration records, census records, vital records, and for dealing with calendars, maps, foreign alphabets, and numerous other applications. Some of these tools fetch data from other websites but do so in more versatile ways than the search tools provided on those websites. Created by Stephen P. Morse.

  • JudyRecords - Search over 580 million United States court cases.

  • CaseLaw - A free tool that allows you to search over 1.7 million U.S. federal cases and over 4.9 million state cases.

  • CourtRecords - Search complete and up-to-date public court records in the U.S.

  • Public Records - Search for United States public records.

Voter Records


Phone Numbers

Websites

  • Carrier lookup - Enter a phone number and returns the carrier name and whether the number is wireless or landline.

  • Number Validator - Search phone number format and origin

  • CallerID check - A database of caller names used to identify the name of a caller when receiving an inbound call from the United States or Canada.

  • TrueCaller Caller ID check - One of the best CallerID utilities

  • Spy Dialer - Reverse phone number lookup for cell phones, VOIP and landlines.

  • Seon.io - Confirm if the number is valid, and detect the origin country, carrier, and number type.

  • 800 Notes - A crowd-sourced reverse phone number search. Good for identifying scammer numbers.

  • Caller Name - Free phone number lookup service where you can look up a cell phone, VoIP or Landline number.

Tools

Phoneinfoga

bash <( curl -sSL https://raw.githubusercontent.com/sundowndev/phoneinfoga/master/support/scripts/install )
sudo install ./phoneinfoga /usr/local/bin/phoneinfoga
phoneinfoga scan -n (countrycode)(phonenumber)
phoneinfoga serve -p 8080

Additional OSINT
