
OSINT Tools


Last updated 2 years ago

  • In this part you will find tools that you can install on your machine or VM to perform OSINT tasks.

Exiftool

  • Tool to read the metadata embedded in a file (EXIF, XMP, PDF info): author, software, timestamps and, for photos, sometimes GPS coordinates.

Install

  • Install on kali: sudo apt install libimage-exiftool-perl

Use

  • exiftool filename

theHarvester

  • Tool to hunt emails, subdomains and hosts related to a domain from public sources (search engines, certificate transparency, etc.)

  • Preinstalled on Kali Linux

Use

  • theHarvester -d domain.com -b all will get information about domain.com from all the data sources available in the tool.

  • Can be combined with other tools to check the emails found against breached data, such as:

    • h8mail

    • breach-parse

Tools for username and Account OSINT

whatsmyname

Install

  • git clone https://github.com/WebBreacher/WhatsMyName.git

  • cd WhatsMyName

Use

  • python3 web_accounts_list_checker.py -u username

  • Note: the checker script has since been removed from that repository, which now only hosts the site definitions (wmn-data.json) used by other username-search tools; check the README for the currently supported way to run it.

Sherlock

Install

  • sudo apt install sherlock

Use

  • sherlock username

phoneinfoga

  • A tool to gather OSINT on phone numbers (carrier, country, line type and related online records)

Install

  • curl -sSL https://raw.githubusercontent.com/sundowndev/phoneinfoga/master/support/scripts/install | bash (this downloads and extracts the release binary for you; read the script before piping it into bash)

  • Alternatively, download the release archive manually and extract it: tar -xf phoneinfoga_Linux_x86_64.tar.gz

Use

  • phoneinfoga serve -p 8080 will serve the GUI on port 8080; then you just have to go to http://localhost:8080 and run your search

  • phoneinfoga scan -n number you will need to specify the country code in front of the number, for example for the US or Canada you need to put 1

Twint

  • Tool for Twitter OSINT (scraping tweets and profiles without the official API)

  • Note: the project is archived and Twitter's changes have broken its scraping, so expect it to fail against the current site

Use

  • Upgrade

    • pip3 install --upgrade -e git+https://github.com/twintproject/twint.git@origin/master#egg=twint

    • pip3 install --upgrade aiohttp_socks

  • twint -u username

  • twint -u username -s keyword

  • Lots of other possibilities; it is worth reading the documentation

Tools for website OSINT

Identifying website technology

Wappalyzer

  • We can use the browser add-on to see the technologies used on a website

Whatweb

  • It is preinstalled on Kali; the source is on GitHub

  • whatweb website.com

Hunting subdomain

Sublist3r

  • Tool to find subdomains

  • apt install sublist3r to install it

  • sublist3r --domain [domain_name] to launch it

Subfinder

  • Tool to find subdomains

  • subfinder -d domain

Assetfinder

  • Another tool to find subdomains

  • assetfinder domain we can put our results in a file by adding > results.txt; if you already have a file with results, append to it with >> instead of >

Amass

  • Tool for subdomain enumeration

  • amass enum -d domain

httprobe

  • After finding multiple subdomains we can use httprobe to check whether they are alive or not

  • We could use a command like this: cat findings.txt | sort -u | httprobe -s -p https:443 to limit our results to HTTPS on port 443

  • We can put the result in a file named alive-findings.txt (we then need to strip https://, http:// and :443 before using it with gowitness)

Gowitness

  • We can also go through our findings and take screenshots of them using gowitness

  • gowitness file -f ./alive-findings.txt -P ./screenshots --no-http this command will go through every finding and take a screenshot
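The subdomain workflow above (enumerate with several tools, dedupe, probe with httprobe, strip the scheme and port, screenshot with gowitness) is spread over several commands. The script below is an added example, not from the original page or any of the tools' projects, that glues those steps together. It assumes subfinder, assetfinder, amass, httprobe and gowitness are on your PATH and that the target domain is given as the first argument; only the normalize_targets helper runs without those tools installed.

```shell
#!/bin/sh
# Added example (not from the original page): end-to-end subdomain -> alive -> screenshot pipeline.
# Assumptions: subfinder, assetfinder, amass, httprobe and gowitness are installed;
# the domain to enumerate is passed as $1.

# Merge the raw output of several subdomain tools into one lowercase, deduplicated list.
collect_subdomains() {
  domain="$1"
  {
    subfinder -d "$domain" -silent
    assetfinder --subs-only "$domain"
    amass enum -passive -d "$domain"
  } | tr '[:upper:]' '[:lower:]' | sort -u
}

# httprobe prints full URLs such as https://host:443. gowitness with --no-http
# expects bare hostnames, so strip the scheme, any path and any port, then dedupe again.
# Reads URLs on stdin, writes hostnames on stdout.
normalize_targets() {
  sed -e 's#^[A-Za-z][A-Za-z0-9+.-]*://##' -e 's#/.*$##' -e 's#:[0-9]*$##' \
    | tr '[:upper:]' '[:lower:]' \
    | grep -v '^$' \
    | sort -u
}

# Full pipeline: enumerate, keep only hosts answering on https:443, normalize, screenshot.
run_pipeline() {
  domain="$1"
  collect_subdomains "$domain" > findings.txt
  httprobe -s -p https:443 < findings.txt > alive-findings.txt
  normalize_targets < alive-findings.txt > targets.txt
  gowitness file -f ./targets.txt -P ./screenshots --no-http
}

# Run the whole pipeline only when a domain is supplied, e.g. ./osint-subs.sh example.com
if [ -n "${1:-}" ]; then
  run_pipeline "$1"
fi
```

The normalisation step matters because httprobe can report the same host twice (http://host and https://host:443) and gowitness would otherwise screenshot it twice; case folding catches tools that return mixed-case DNS names.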

Burp Suite

  • The community edition is preinstalled on kali

  • We can use burpsuite as well and check the response headers of our targeted website to see if it discloses any interesting information.

OSINT Frameworks

Recon-ng

  • recon-ng launches the framework console

  • marketplace search lists all the available modules

  • marketplace install tool installs one of the modules from the marketplace (some of them require API keys)

  • modules load tool loads the module just installed

  • info shows what the module does and which options it needs

  • options set ITEM setting sets an option in the module; for instance, if we were playing with hackertarget we could do options set SOURCE domain.com

  • run runs the module

  • Some nice modules in recon-ng are hackertarget (OSINT on websites such as subdomain enumeration and IP address lookup) and profiler (search for accounts with a specific username on different websites)

Maltego

  • Preinstalled on kali

  • Run it, register a free account and confirm it

  • We will need API keys for most of the transforms

  • We can use it without the API-backed transforms as well

  • We can make a new graph from a domain, for instance, if we want to do website OSINT

Hunchly

  • Paid tool, but a free trial is possible. Only runs on Google Chrome.

  • We can create a new case and keep it in our dashboard

  • We can start "tracking" and attach it to a specific case

  • We can highlight keywords and take notes on websites

  • It will record everything viewed while tracking is on, which gives you an evidence trail for the report
