OSINT Tools
In this part you will find tools that can be installed on your machine or VM to perform OSINT tasks.
Tool to get information from a file (image or PDF)
Install on Kali: sudo apt install libimage-exiftool-perl
exiftool filename
Tool to hunt emails and breached data
Preinstalled on Kali Linux
theHarvester -d domain.com -b all
will gather information about domain.com from all sources available in the tool.
Can be combined with other tools such as:
h8mail
git clone https://github.com/WebBreacher/WhatsMyName.git
cd WhatsMyName
python3 web_accounts_list_checker.py -u username
sudo apt install sherlock
sherlock username
A tool for phone number OSINT
curl -sSL https://raw.githubusercontent.com/sundowndev/phoneinfoga/master/support/scripts/install | bash
tar -xf phoneinfoga_Linux_x86_64.tar.gz
phoneinfoga serve -p 8080
will serve the GUI on port 8080; then go to http://localhost:8080 and run a search.
phoneinfoga scan -n number
You will need to specify the country code in front of the number; for example, for the US or Canada you need to put 1.
Upgrade
pip3 install --upgrade -e git+https://github.com/twintproject/twint.git@origin/master#egg=twint
pip3 install --upgrade aiohttp_socks
twint -u username
twint -u username -s keyword
There are many other options; it is worth reading the documentation.
whatweb website.com
apt install sublist3r
Install it
sublist3r --domain [domain_name]
Launch it
Tool to find subdomains
subfinder -d domain
Another tool to find subdomains
assetfinder domain
We can put our results in a file by adding > results.txt
If you already have a file with results you can append to it with >> instead of >
Tool for subdomain enumeration
amass enum -d domain
After finding multiple subdomains we can use httprobe to check whether they are alive or not.
We could use a command like this: cat findings.txt | sort -u | httprobe -s -p https:443
We can limit our results to port 443.
We can put our results in a file named alive-findings.txt (we then need to strip https://, http:// and :443 and use it in gowitness).
We can also go through our findings and get screenshots of them using gowitness
gowitness file -f ./alive-findings.txt -P ./screenshots --no-http
This command will go through every finding and take a screenshot.
The community edition is preinstalled on Kali.
We can use Burp Suite as well and check the response headers of our targeted website to see if it discloses any interesting information.
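The httprobe-to-gowitness hand-off described above, as an added example that is not part of the original notes: strip_probe_output normalises httprobe's output (scheme and :443 removed, duplicates dropped) so the host list can be fed to gowitness with --no-http, and run_pipeline wires the two tools together when they are installed. The sample probe output and the example.com hostnames are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes). Only the normalisation runs
# stand-alone; run_pipeline needs httprobe and gowitness on the PATH.
set -eu

# strip_probe_output: read "https://host:443"-style lines on stdin and emit
# bare, de-duplicated hostnames on stdout. The trailing slash is removed
# before the :443 suffix so "host:443/" still collapses to "host".
strip_probe_output() {
  sed -E 's#^https?://##; s#/$##; s#:443$##' | sort -u
}

# Constructed sample of what "httprobe -s -p https:443" might print,
# including one http:// line and one duplicate host.
SAMPLE_PROBE_OUTPUT='https://www.example.com:443
https://api.example.com:443
http://api.example.com
https://dev.example.com:443/'

# run_pipeline FINDINGS ALIVE SCREENSHOT_DIR
# 1. probe the unique findings, 2. keep the raw alive list,
# 3. write a stripped host list, 4. screenshot it over HTTPS only.
run_pipeline() {
  findings="$1"; alive="$2"; shots="$3"
  if ! command -v httprobe >/dev/null 2>&1 || ! command -v gowitness >/dev/null 2>&1; then
    echo "httprobe and gowitness are required for the full pipeline" >&2
    return 1
  fi
  sort -u "$findings" | httprobe -s -p https:443 > "$alive"
  strip_probe_output < "$alive" > "${alive%.txt}-hosts.txt"
  gowitness file -f "${alive%.txt}-hosts.txt" -P "$shots" --no-http
}

# Demonstrate the normalisation step on the constructed sample.
printf '%s\n' "$SAMPLE_PROBE_OUTPUT" | strip_probe_output
```

Running the script prints api.example.com, dev.example.com and www.example.com, one per line; run_pipeline findings.txt alive-findings.txt ./screenshots reproduces the notes' workflow once both tools are installed.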
recon-ng
marketplace search
see all available tools
marketplace install tool
install one of the tools from the marketplace (some of them require API keys)
modules load tool
load the tool just installed
info
to see what we can do with the module
options set ITEM setting
to set something in the module; for instance, if we were working with hackertarget we could do options set SOURCE domain.com
run
to run the module
Some nice modules on recon-ng are hackertarget (website OSINT such as subdomain enumeration and IP address lookup) and profiler (search for accounts with a specific username on different websites).
Preinstalled on Kali
Run it for free: register an account and confirm it.
We will need API keys for most of the modules.
We can also use it without modules.
We can make a new graph, for instance with a domain if we want to do website OSINT.
Paid tool, but a free trial is possible. Only runs on Google Chrome.
We can launch new cases and keep them in our dashboard.
We can start the "tracking" and add it to a specific case.
We can highlight keywords and take notes on websites.
It will record everything viewed.
Tool for Twitter OSINT.
We can use the browser add-on to see the technologies used on the website.
It is preinstalled on Kali. You can find the GitHub page.
Tool to find subdomains.