OSINT

Credit to https://tcm-sec.com/ and https://github.com/jivoi for many of the tools in this section

Huge List of Tools

GitHub - jivoi/awesome-osint: :scream: A curated list of amazingly awesome OSINTGitHub

This repo is amazing ^ I have barely scratched the surface of the number of tools listed in there. Highly recommend checking it out.

IP - Domain OSINT

Sometimes you want to get some information on an IP/Domain without actually scanning and drawing the attention to yourself. That's what these tools are for

Email Address OSINT

Discovering Email Addresses

hunter.io

It will give you 50 to 100 free searchers per month and can be signed up to free with a google account

phonebook.cz

does domains, emails, and URLs

voilanobert.com

same as hunter.io

Scraping emails with LinkedInDumper

GitHub - l4rm4nd/LinkedInDumper: Python 3 script to dump/scrape/extract company employees from LinkedIn APIGitHub

Python tool to scrape company emails from a linkedin page + fill in the blanks if given a set format. Works by using your li_at session cookie value which can be grabbed from the developer tools

Additional usage information here:

Kitploit – Maintenance in Progresswww.kitploit.com

Verify Email Addresses

tools.verifyemailaddress.io

email-checker.net/validate

Verifying O365 Emails with UhOh365

GitHub - Raikia/UhOh365: A script that can see if an email address is valid in Office365 (user/email enumeration). This does not perform any login attempts, is unthrottled, and is incredibly useful for social engineering assessments to find which emails exist and which don't.GitHub

Super useful tool for taking a list of emails and verifying if they are active or not. What is unique about this tool is it uses Microsoft's built-in Autodiscover API which is invisible to the person/company who owns said email address

git clone https://github.com/Raikia/UhOh365.git
cd UhOh365/

Usage: UhOh365.py [-h] [-v] [-t THREADS] [-o OUTPUT] file

positional arguments:
  file                  Input file containing one email per line

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         Display each result as valid/invalid. By default only displays valid
  -s, --suffix	    Add a domain suffix to every input line from file (e.g: contoso.com)
  -t THREADS, --threads THREADS
                        Number of threads to run with. Default is 20
  -o OUTPUT, --output OUTPUT
                        Output file for valid emails only
  -n, --nossl           Turn off SSL verification. This can increase speed if
                        needed
  -p PROXY, --proxy PROXY
                        Specify a proxy to run this through (eg: 'http://127.0.0.1:8080')

(alternative tool)

GitHub - dievus/Oh365UserFinder: Python3 o365 User Enumeration ToolGitHub

Verifying Gmail accounts with geeMailUserFinder

GitHub - dievus/geeMailUserFinder: Python Gmail User Enumeration ToolGitHub

Where there is microsoft, there is google. Same concept as Oh365 but for gmail.

Finding Usernames with WhatsMyName

GitHub - WebBreacher/WhatsMyName: This repository has the JSON file required to perform user enumeration on various websites.GitHub

WhatsMyName has been abandoned as a solo tool, it can however be integrated into multiple OSINT frameworks like Spiderfoot or visited via a web portal here

https://whatsmyname.app/whatsmyname.app

Finding Usernames with Sherlock

GitHub - sherlock-project/sherlock: Hunt down social media accounts by username across social networksGitHub

Another great tool for discovering usernames used across multiple sites. There are some false positives (some sites it pulls from will report a username for any request whether it exists or not) but overall a super easy to use tool.

python3 sherlock <username> #check one username
python3 sherlock <user1> <user2> <user3> #check multiple usernames

Twitter OSINT (Or X depending on the day)

A really useful vector for social media OSINT is to leverage tools typically used for marketing. The tools listed below can be used to create a map of the users habits and interactions by using tools typically used to track account impression

Twitter Dorking

Did you know you can treat the twitter search bar very similar to google dorking?

we can use specific strings within the search ex: “nba draft pick”

from:<username> - tweets from a user

to:<username> - see who is sending tweets at them/replying to them

@ symbol - anyone who tags the target

since: <date> until:<date> set timeframe

If you go to google maps and grab a specific geo coordinate

geocode: <geo coordinate> , <range>

Instagram OSINT

instadip.co

Lets you fullsize and download the image to try and hunt it down somewhere else

Now for the super creepy parts

PimEyes: Face Recognition Search Engine and Reverse Image Search |pimeyes.com

Hands down the best facial reverse engineering tool out there. The results are highly truncated on the free tier but it is super fun for scammers.

Phone-sint (see what I did there)

Phone number OSINT is honestly a PITA. I am actively looking for suggestions for better free tools there. I refuse to "pay 99 cents to unlock this users full record".

Credential Hunting

Such an important part of proper OSINT is hunting for leaked credentials. The "industry standard" tool for this right now is dehashed. This is a paid subscription, and the API credits (a need) are a couple extra bucks on top of the monthly subscription.

usage: dehashed_parser.py [-h] [-a ADDRESS] [-e EMAIL] [-H HASHED_PASSWORD] [-i IP_ADDRESS] [-n NAME] [-p PASSWORD]
                 [-P PHONE_NUMBER] [-u USERNAME] [-v VIN] [-o OUTPUT] [-oS OUTPUT_SILENTLY] [-s SIZE]
                 [--only-passwords]

Query the DeHashed API

options:
  -h, --help            show this help message and exit
  -a ADDRESS, --address ADDRESS
                        Specify the address
  -e EMAIL, --email EMAIL
                        Specify the email
  -H HASHED_PASSWORD, --hashed_password HASHED_PASSWORD
                        Specify the hashed password
  -i IP_ADDRESS, --ip_address IP_ADDRESS
                        Specify the IP address
  -n NAME, --name NAME  Specify the name
  -p PASSWORD, --password PASSWORD
                        Specify the password
  -P PHONE_NUMBER, --phone_number PHONE_NUMBER
                        Specify the phone number
  -u USERNAME, --username USERNAME
                        Specify the username
  -v VIN, --vin VIN     Specify the VIN
  -o OUTPUT, --output OUTPUT
                        Outputs to CSV. A file name is required.
  -oS OUTPUT_SILENTLY, --output_silently OUTPUT_SILENTLY
                        Outputs to CSV silently. A file name is required.
  -s SIZE, --size SIZE  Specify the size, between 1 and 10000
  --only-passwords      Return only passwords

Outside of this, the most commonly used tool for your own "ethically sourced" databases is most likely breach parse. Its a super simple bash tool that is built for the old megabreach and COMB leaks.

GitHub - hmaverickadams/breach-parse: A tool for parsing breached passwordsGitHub

There are also some "specialty" parsers out there for some other breaches. I am not going to provide the magnet link too them however the hint I will give is "AntiPublic" and "Collection 1-5". Consider this a little OSINT practice and go figure that out.

GitHub - philipperemy/3.7-billion-passwords-tools: Tools to manipulate the data behind Collection #1 (and #2–5) - AntiPublic.GitHub

PreviousOSINT FRAMEWORKS (TODO)NextScanning and Enumeration

Last updated 1 year ago