# OSINT Tools * In this part you will find tools installable in your machine or VM to perform some OSINT task ## Exiftool * Tool to get information from a file (image or pdf) ### Install * Install on kali: `sudo apt install libimage-exiftool-perl` ### Use * `exiftool filename` ## The Harverster * Tool to hunt emals and breached data * Preinstalled on kali linux ### Use * `theHarverster -d domain.com -b all` will get infos about domain.com from all search engines available with the tool. * Can be combined with other tools such as: * [breach-parse](https://github.com/hmaverickadams/breach-parse) * h8mail ## Tools for username and Account OSINT ### whatsmyname #### Install * `git clone https://github.com/WebBreacher/WhatsMyName.git` * `cd WhatsMyName` #### Use * `python3 web_accounts_list_checker.py -u username` ### Sherlock #### Install * `sudo apt install sherlock` #### Use * `sherlock username` ## phoneinfoga * A tool to osint phone number ### Install * `curl -sSL https://raw.githubusercontent.com/sundowndev/phoneinfoga/master/support/scripts/install | bash` * `tar -xf phoneinfoga_Linux_x86_64.tar.gz` ### Use * `phoneinfoga serve -p 8080` will serve the gui on port 8080 then you will just have to go to and make a research * `phoneinfoga scan -n number` you will need to specify the cuntry code in front of the number for example for US or Canada you need to put 1 ## Twint * Tool for Twitter OSINT available [here](https://github.com/twintproject/twint). ## Use * Upgrade * `pip3 install --upgrade -e git+https://github.com/twintproject/twint.git@origin/master#egg=twint` * `pip3 install --upgrade aiohttp_socks` * `twint -u username` * `twint -u username -s keyword` * Lots of other possibilities it is worth reading the doc ## Tools for website OSINT ### Identifying website technology #### Wappalyzer * We can use the browser add on [Wappalyzer](https://www.wappalyzer.com/) to see the technologies used on the website #### Whatweb * It is preinstalled on Kali. You can find the githb page [here](https://github.com/urbanadventurer/WhatWeb) * `whatweb webiste.com` ### Hunting subdomain #### Sublist3r * Tool to find subdomains. See about it [here](https://github.com/aboul3la/Sublist3r) * `apt install sublist3r` Install it * `sublist3r --domain [domain_name]` launch it #### Subfinder * Tool to find subdomains * Available [here](https://github.com/projectdiscovery/subfinder) * `subfinder -d domain` #### Assetfinder * Another tool to find subdomains * Available [here](https://github.com/tomnomnom/assetfinder) * `assetfinder domain` we can put our results in a file by adding `> results.txt` if you already have a file with results you can append it with `>>` instead of `>` * #### Amass * Tool for subdomain enumeration * Available [here](https://github.com/OWASP/Amass) * `amass enum -d domain` #### httprobe * After finding multiple subdomains we can use httprobe to check if they are alive or not * Find httprobe [here](https://github.com/tomnomnom/httprobe) * We could use a command like this `cat findings.txt | sort -u | httprobe -s -p https:443` we can limit our results to port 443 * We can put our result in a file named `alive-findings.txt` (we then need to strip `https://`, `http://` and `:443` and use it in gowitness #### Gowitness * We can also go through our findings and get screenshots of them using gowitness * Find GoWitness [here](https://github.com/sensepost/gowitness/wiki/Installation) * `gowitness file -f ./alive-findings.txt -P ./screenshots --no-http` this command will go through every finding and make a screenshot ### Burp Suite * The community edition is preinstalled on kali * You can get it [here](https://portswigger.net/burp) * We can use burpsuite as well and check the response headers of our targeted website to see if it discloses any interesting information. ## OSINT Frameworks ### Recon-ng * Find it [here](https://github.com/lanmaster53/recon-ng/wiki) along with some documentation * `recon-ng` * `marketplace search` see all available tools * `marketplace install tool` install one of the tool from the market (some of them require API keys) * `modules load tool` load the tool just installed * `info` to see what we can do with the module * `options set ITEM setting` to set something in the module for instance if we were playing with hackertarget we could do `options set SOURCE domain.com` * `run` to run the module * Some nice module on recon-ng are hackertarget (OSINT on website such as subdomain enum and ip adr finder), profiler (search for accounts with a specific userame on different websites) ### Maltego * Preinstalled on kali * Run for free register and account confirm it * We will need api keys for most of the modules * We can use it without modules also * We can make a new graph domain for instance if we want to make website OSINT ## Hunchly * Paid tools but free trial possible. Only runs on google chrome. * Find Hunchly [here](https://hunch.ly) * We can launch new case and keep them in our dashboard * We can start the "tracking" and add it to a specific case * We can highlight keywords, take notes on website * It will record everything viewed --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://csbygb.gitbook.io/pentips/osint/tools.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.