Home - OffSec Notes

These are (going to be) all my notes for penetration testing / Offensive Security. The notes are a combination of the courses at academy.tcm-sec.com and my own research.

I am currently converting all the notes into this website so I have an online location where I can access everything.

This is what has been uploaded so far:

Subsections of Home - OffSec Notes

External Pentest

Note: This External Pentest section is in progress.

External Pentest Methodology

  • An external pentest is an attempt to hack into a client’s network from an external location outside of the network.
  • You take on the role of an external threat, but your goal is only to break into the network and discover vulnerabilities.
  • This doesn’t mean pwning anyone. All you have to do is find all of the vulnerabilities, put them into a report and present them to the client.

The Process

  • Information gathering
  • Open Source intelligence

Steps

  • Collect and organize all of the information about employees.
  • Guess and discover passwords and their format.
  • Find passwords that have been used before.
  • Break into email accounts, VPN accounts and the network.
  • Bypass protections, security, multi-factor, 2FA, etc.
  • Once you’re on the network you need to elevate permissions.

Goals

  • Try keeping the mindset that you’re a hacker and you want to hack into the network to get sensitive information.
  • To be successful you must completely understand the attack methodology of an external pentest.
  • You must have a strong skillset, good client relations, understand the rules of engagement and report writing.

Subsections of External Pentest

Preparation

Outline of the Process

  1. You’re testing how good the security is from an external location outside the network.
    • You were supplied with a scope of work and you should only test the items within the scope.
    • Are you able to compromise or break into any services from outside the network?
    • It’s OK if you can’t, because that’s not the true objective. You’re only simulating the attack as an evaluation of the security.
    • You are looking for any potential vulnerabilities, but it doesn’t mean you have to take advantage of a vulnerability.
    • Your ultimate objective is to protect the client from real world hackers who are trying to do harm to the organization.
  2. Make sure you understand all the steps you need to take and things you need to do before starting.
  3. Gather as much open source intelligence (OSINT) as possible and try to use it to take advantage of a service.
    • Attack any login portals you find.
    • Connect to the network and try to escalate privileges.
  4. It’s very possible that you might find and identify vulnerabilities as you make progress.
    • Maybe there is no multifactor authentication, no rate limiting on login portals, etc.
  5. Go over your checklists and make sure you check on every single thing that you need to do.
  6. When you are finished you have to write a report and provide all information and the highest quality of service to the client.
  7. Double or triple check everything. Go over it all thoroughly even if it doesn’t lead to a way in.
  8. At the end you may have to debrief the client and discuss what you found.

Subsections of Preparation

Checklists

Checklists

Source: External-Pentest-Checklist

LibreOffice - if you don’t have Excel or don’t want to use it.

Excel tabs

  1. To Do’s
  2. Scope
  3. Targets
  4. Password Spraying
  5. Breached Accounts
  6. Login Portals
  7. Findings & Strengths

To Do’s

| To Do’s | Status | Comments |
|---|---|---|
| Ensure ROE is signed by client | Outstanding | |
| Add IPs in scope to Scope tab | Outstanding | |
| Verify customer scope | Outstanding | |
| Send kickoff email | Outstanding | |
| Conduct vulnerability scanning with Nessus | Outstanding | |
| Identify e-mails/users/pass in breach databases (Dehashed, breach-parse, etc.) | Outstanding | |
| Identify employees & email address format (LinkedIn, phonebook.cz, clearbit, hunter.io, etc.) | Outstanding | |
| Identify client’s website(s) and search for any data useful to help attack (job posting, system information, password policy, etc.) | Outstanding | |
| Attempt to enumerate any accounts on portals, password reset functions, etc. | Outstanding | |
| Run web app scans, if necessary | Outstanding | |
| Conduct manual testing and exploitation on targets | Outstanding | |
| Validate scanning tool vulnerabilities | Outstanding | |
| Conduct password spraying, guessing and brute force on login portals | Outstanding | |
| Escalate access from external to internal | Outstanding | |
| Validate previous year findings have been resolved | Outstanding | |
| Cleanup | Outstanding | |

Scope

| IP Range | Comments |
|---|---|
| 192.168.66.0/24 | |

Targets

| Host IP | URL | Status | Open Port | Comments/Findings |
|---|---|---|---|---|
| 192.168.66.21 | domain.com/admin | Compromised | 8080 | Password easy to guess |

Password Spraying

| Site | Account List | Passwords Tried |
|---|---|---|
| domain.com/portal | See usernames.txt | See passwords.txt |

Breached Accounts

| Users | Password from Breach |
|---|---|
| Zomby | H4x0r$Un173 |
| Admin | 123456789 |

Login Portals

| Login Pages | Comments |
|---|---|
| domain.com | No credentials |
| domains.com | Found credentials |

Findings and Strengths

| Finding/Issue | System/IP | Name | Screenshot | Comment |
|---|---|---|---|---|

| Strengths | System/IP | Name | Screenshot | Comment |
|---|---|---|---|---|

Roe

Rules of Engagement

This is a document that you will have to sign with the client after the quote, once they have signed the master services agreement. The quote and master services agreement aren’t important to you. You will only be concerned about the rules of engagement.

The rules of engagement define the roles and responsibilities and the details of the test agreement. They tell you what you can and can’t do.

Contents

  • Dates of the test
  • Disclosure
  • Status updates
  • External Penetration test
    • IP address
  • Malware test
    • Cobalt Strike, Meterpreter
  • Bounds of the test
  • Stop Point
  • Keeping Access
  • Announcement
  • Project Closure
  • Post Mortem
  • Out of Scope (Important!)

Communication

  • You will receive a customer point of contact (CPOC).
  • You will provide a point of contact to the customer.

Disclaimer

Acceptance

Verify Scope

Verifying Scope

Before starting any type of pentest you need to verify your scope.

Here’s a reference on what could happen: darknetdiaries.com/episode/22/

Find out who owns the subnet in the scope: bgp.he.net/

You have to make absolutely sure the network that you’re going to run a pentest on is the network it’s really supposed to be.

Communication

Client Communication

If the engagement is going well and there are not any critical findings, you may only reach out to the client a couple of times. If there are no findings, or everything is low importance, there may not be any reason to reach out to them that much.

If you run into something critical, break into the network, log into a web server, or get any kind of RCE, you need to let them know immediately. If you can breach the external network, there is a chance that someone else has already done it. They will need to patch the vulnerability ASAP.

Kick off email example:

Good Morning Jacky Chan,

The external pentest is about to begin. Per our agreement, we will be testing the following IPs/ranges:

200.120.30.0/24

All pentesting activity will be performed from the following IP address:

192.168.1.1

If our testing triggers any alerting for you, please notify us at your earliest convenience so we can notate this in the report.

Finally, if you need anything at all during the testing, you can reach me at this email or by the phone number listed below.

Thank you,
Hacker Bob

Hacker Joe’s Hacking
Hacker Joe, Pen Testing Engineer 
555-555-1212 | email@domain.com

You can automate the process, set up emails to be sent and scans to start before you sit down to start work so you have some data to start looking at right away. Just make sure you keep the client happy so they don’t go to someone else for pentests. Communication is a high priority.

Begin

When you kick off a pentest you will start implementing your attack strategy, begin scanning for vulnerabilities, and start extracting information.

Subsections of Begin

Strategy

Attack Strategy

Overview

  • Think of external pentests like home security.
    • cameras, lighting, dogs, alarm system.
  • Low chance of RCE (remote code execution), high chance of weak passwords.
  • OSINT and logical guessing are your best friends.

External Pentest

  • There should be good software/system patching.
  • There might be alarm systems or other protections in place.
  • The network facing the outside world is the most vulnerable point.
  • The chances of RCE (remote code execution) are very low.
  • Once someone breaks into the network from an external location, there are far fewer defense mechanisms.
  • Weak password policies, weak security, and the lack of multi-factor authentication are some of the most common vulnerabilities. If you can get into an email account, chances are you will be able to get into other things that aren’t protected well enough. Sometimes you will see partial multi-factor authentication, which is not enough. Just finding sensitive information is bad, even if you don’t get onto the network.
  • There may be web portal logins, but don’t start pen testing a web app. You are looking to get onto the internal network. You can try default credentials or SQLi, but that’s about it.

Scanning

Vulnerability Scanning

By this point you should be ready to start and already have completed these things:

  1. Signed Rules of Engagement
  2. Scoping information
  3. Validated scope
  4. Sent kickoff email

Nessus

tenable.com/products/nessus $$$

Nessus Essentials is free:
tenable.com/products/nessus/nessus-essentials

Alternatives to Nessus

  1. Astra Pentest
  2. Indusface WAS
  3. Invicti (formerly Netsparker)
  4. Intruder
  5. ManageEngine Vulnerability Manager Plus
  6. Acunetix
  7. OpenVAS
  8. Metasploit
  9. Burp Suite
  10. Qualys Cloud Platform
  11. Tenable.io
  12. OpenSCAP
  13. Tripwire

Scan Demo

Demo is based on the Tesla program at Bugcrowd: bugcrowd.com/tesla
To use bugcrowd.com you need an account set up and configured.

Note: In this case you would need to find out if automated scanning is out of scope.

Steps

The interface is probably different now and the steps may have changed.

  • Nessus - Advanced Scan
    • Name, description.
    • Targets: paste in IP address from scope.
    • Schedule: you can set when it will run.
    • Discovery: usually left at default for external.
    • Port Scanning: 1-65535
    • Service Discovery: leave as default.
    • Web Applications: Turn on Scan web applications.
    • Check through the rest of the settings and understand what they are for.

Information

Reviewing and Extracting Information

Nessus

Note: These instructions might be different in new versions.

When the scan is finished

  • Click on it to see the results
  • Check Hosts, Vulnerabilities and History
  • Export results (drop down)
    • Click Nessus to export
  • Report (drop down)
    • Click PDF to export
      • Executive Summary
      • Custom Summary with everything
    • Click HTML to export

Nessus Parsers

melcara.com - last updated in 2017
perl parse_nessus_xml.v24.pl -f Tesla_mbpjyt.nessus
It will create a spreadsheet file.

github.com/Ebryx/Nessus_Map

git clone https://github.com/Ebryx/Nessus_Map
cd Nessus_Map
mkdir env
cd env
python3 -m venv .
source bin/activate
cd ..
pip install -r requirements.txt
python manage.py runserver
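The parsers above turn a .nessus export into a spreadsheet. The following is an added example, not code from the page or from the Nessus_Map project, that does the same core job in plain Python: it reads the NessusClientData_v2 XML, keeps findings at or above a chosen severity, sorts them Critical to Info, and emits CSV rows that drop straight into the Targets / Findings tabs of the checklist. The embedded .nessus document, its plugin IDs and plugin names are constructed for this example.

```python
"""Parse a Nessus .nessus (NessusClientData_v2 XML) export into spreadsheet rows.

Added example, not code from the page or from the Nessus_Map project. The
sample export below is constructed; a real one comes from Export > Nessus
in the Nessus UI and is usually much larger.
"""
import csv
import io
import xml.etree.ElementTree as ET

# Severity codes as they appear in ReportItem@severity.
SEVERITY = {"0": "Info", "1": "Low", "2": "Medium", "3": "High", "4": "Critical"}

# Constructed sample export. Plugin IDs and names are made up for the example.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="External scan">
    <ReportHost name="192.168.66.21">
      <HostProperties>
        <tag name="host-ip">192.168.66.21</tag>
        <tag name="host-fqdn">admin.domain.com</tag>
      </HostProperties>
      <ReportItem port="8080" svc_name="http-proxy" protocol="tcp" severity="3"
                  pluginID="900001" pluginName="Web Admin Console Accepts Default Credentials">
        <description>The vendor default account is still enabled.</description>
        <plugin_output>Login with the vendor default account succeeded.</plugin_output>
      </ReportItem>
      <ReportItem port="443" svc_name="https" protocol="tcp" severity="2"
                  pluginID="900002" pluginName="TLS Medium Strength Cipher Suites Supported">
        <description>The remote host supports medium strength ciphers.</description>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="900003" pluginName="Scan Information">
        <description>Scan metadata.</description>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

FIELDS = ["host_ip", "fqdn", "port", "service", "severity",
          "plugin_id", "finding", "output", "validated"]


def parse_nessus(xml_text, min_severity=1):
    """Return one dict per finding with severity >= min_severity, highest first."""
    root = ET.fromstring(xml_text)
    found = []  # (numeric severity, row)
    for host in root.iter("ReportHost"):
        # HostProperties holds host-ip, host-fqdn, operating-system, ... as <tag> elements.
        props = {t.get("name"): (t.text or "") for t in host.iter("tag")}
        ip = props.get("host-ip", host.get("name", ""))
        fqdn = props.get("host-fqdn", "")
        for item in host.findall("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev < min_severity:
                continue  # drop informational noise such as scan metadata
            found.append((sev, {
                "host_ip": ip,
                "fqdn": fqdn,
                "port": f'{item.get("port")}/{item.get("protocol")}',
                "service": item.get("svc_name", ""),
                "severity": SEVERITY.get(str(sev), str(sev)),
                "plugin_id": item.get("pluginID", ""),
                "finding": item.get("pluginName", ""),
                "output": (item.findtext("plugin_output") or "").strip(),
                # Left empty on purpose: filled in by hand during the checklist step
                # "Validate scanning tool vulnerabilities".
                "validated": "",
            }))
    found.sort(key=lambda t: (-t[0], t[1]["host_ip"], t[1]["port"]))
    return [row for _, row in found]


def to_csv(rows):
    """Serialise rows as CSV text that opens in Excel or LibreOffice."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def hosts_summary(rows):
    """Count findings per host and severity, e.g. {'1.2.3.4': {'High': 1}}."""
    summary = {}
    for r in rows:
        per_host = summary.setdefault(r["host_ip"], {})
        per_host[r["severity"]] = per_host.get(r["severity"], 0) + 1
    return summary


if __name__ == "__main__":
    findings = parse_nessus(SAMPLE_NESSUS)
    print(to_csv(findings))
    print(hosts_summary(findings))
```

For a real scan, read the exported file with `open(path).read()` in place of SAMPLE_NESSUS and write `to_csv()` output to a .csv that the Targets tab can import.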

Osint

OSINT/Information Gathering Overview

What you are looking for:

  1. Breached data in website tools and databases.
  2. Valid usernames and emails addresses.
  3. Job postings, resumes.

OSINT Intelligence Lifecycle

  1. Planning and Direction
  2. Collection
  3. Processing and Exploitation
  4. Analysis and Production
  5. Dissemination and Integration

See OSINT for more info.

Note: To be continued…

OSINT

Intelligence Lifecycle

  1. Planning and Direction
  2. Collection
  3. Processing and Exploitation
  4. Analysis and Production
  5. Dissemination and Integration

You might need to go back and forth between the steps as you learn more about the data.

Planning and Direction

Identifying the Requirements: The first step in the OSINT cycle involves planning the priorities and requirements for the mission. Prior to collecting OSINT, operators should have a clear understanding of the types of information they need, how to find those sources, and what they hope to accomplish with the acquired information. These precautionary logistics will guarantee the productivity and efficiency of the operation during the next phases of the OSINT cycle.

Who is the target? What is the target? Why are they the target? When are they the target? For each target you have to collect every type and bit of information and connect all the dots, and discover where to go next with that information until you have a complete map.

Collection

Gathering of Intelligence Data: After proper planning has occurred, the collection of OSINT can begin. OSINT resources include any materials that are freely available online, such as news articles, social media posts, and blogs. Teams can utilize their preferred collection tools and resources to obtain this data. If your operations could benefit from OSINT training, check out our remote sessions on OSINT, which are held semimonthly by our expert cyber analysts at Ntrepid Academy.

Processing and Exploitation

Federation of Data into Usable Format: Once you’ve acquired your data, you can start processing the information. Then, you’ll want to compile it into a common evidence repository, timeline, or report. In this stage, you’re simplifying the content you’ve found and making it legible for the recipients of the data. Processing the data will help analysts utilize the information more efficiently in the following steps of the OSINT cycle.

Analysis and Production

Conversion of Information into Intelligence: After the initial processing of the collected data, your teams will then need to perform an in-depth analysis of the information. This is a crucial step in the OSINT cycle, as it will allow your teams to use the data they’ve acquired to interpret and anticipate events. Operators can organize their analyzed information into a detailed document or presentation, which will be read by a designated audience.

Dissemination and Integration

Distribution of Intelligence to Relevant Parties: The final step in the OSINT cycle entails delivering the collected and analyzed intelligence to the proper stakeholders. Analysts then receive feedback, which dictates whether the OSINT cycle should begin again.

OSINT Tools

List of OSINT Exercises
gralhix.com/list-of-osint-exercises

osintframework.com
github.com/lockfale/osint-framework
OSINT framework focused on gathering information from free tools or resources. The intention is to help people find free OSINT resources. Some of the sites included might require registration or offer more data for $$$, but you should be able to get at least a portion of the available information for no cost.

cylect.io
The ultimate AI OSINT tool that integrates multiple databases and simplifies their search capability into an easily navigable interface, providing a comprehensive solution to help with your specific data needs.

Note: There are a lot more tools listed throughout each section so not all of them are found in these links. For a specific type of OSINT tool or method, check the menu on the left.

From “Hacker News” on ycombinator - Mastering Osint: How to Find Information on Anyone
news.ycombinator.com/item?id=41231145

-> Social media tools
-> Websites tools
-> Other website tools
-> Command line tools

github.com/smicallef/spiderfoot - SpiderFoot can be used offensively (e.g. in a red team exercise or penetration test) for reconnaissance of your target or defensively to gather information about what you or your organization might have exposed over the Internet.

github.com/Moham3dRiahi/Th3inspector - All in one tool for Information Gathering.

github.com/shellfarmer/WeakestLink - Browser extension for extracting data (be careful with it).

github.com/OhShINT/ohshint.gitbook.io/Lists_of_OSINT_Web_Resources - Complete List of OSINT Web Resources

github.com/jivoi/awesome-osint - A curated list of amazingly awesome open source intelligence tools and resources. Open-source intelligence (OSINT) is intelligence collected from publicly available sources. In the intelligence community (IC), the term “open” refers to overt, publicly available sources (as opposed to covert or clandestine sources)

github.com/topics/osint-tools - 130 osint-tools

github.com/cipher387/osint_stuff_tool_collection - 1000+ services for a wide variety of purposes. Don’t forget that OSINT’s main strength is in automation. Read the Netlas Cookbook for details and examples.

Subsections of OSINT

Sock Puppets

In general a sock puppet is a fake identity created by an individual or organization to manipulate public opinion and deceive others. The purpose of using sock puppets might be to create the illusion of a large number of people supporting or endorsing a particular position, product, or idea, when in reality there may only be a few individuals behind the accounts. Sock puppets are often used for marketing purposes and political campaigns to increase visibility and influence.

In penetration testing your sock puppets are the fake people, alternate identities with fake accounts, that you use to infiltrate or research targets. A good sock puppet does not draw any attention back to you (back to your IP address, your identity, your devices, or anything to do with you). The main goal of the sock puppet is to be the fake identity that you use to do your OSINT research.

When you are investigating someone or something the goal is to never let them become aware of you and that you are looking into them.

The social accounts for the sock puppets should have data, look like they are current and being used, updated, etc. It has to look legitimate.

Subsections of Sock Puppets

Creating Sock Puppets

There are two different kinds of sock puppets.

  1. Complete with a very convincing persona and online presence.
    • A sock puppet for yourself to use all the time as a fake identity.
  2. Specifically created and used for an OSINT investigation.

There are known famous sock accounts.

There are sock hunters that can identify that you’re using a sock puppet.

Creating an Effective Sock Puppet for OSINT Investigations – Introduction:
Jake Creps - Sock Puppet

The Art Of The Sock:
The Art of the Sock
Online: secjuice.com/the-art-of-the-sock-osint-humint

Setting up anonymous sock puppet accounts:
Process for Setting Up Sock Puppet Accounts

Create a fake person:
fakenamegenerator.com
thispersondoesnotexist.com

Protect Your Payments and Keep Free Trials Free:
privacy.com

Jake Creps - Sock Puppet

Creating an Effective Sock Puppet for OSINT Investigations

Note: extracted from wayback machine to have as another archive.

Jake Creps Guides November 2, 2018 November 3, 2018 7 Minutes

Introduction and Philosophy

In recent light of the epic failure by Surefire Intelligence to frame Robert Mueller for sexual assault allegations, I feel it’s important to discuss and unpack how to make a good sock puppet for OSINT operations. If you aren’t familiar, just google Jacob Wohl or Surefire Intelligence and you will likely be flooded with information about the scandal. For further details on the unraveling of the socks Wohl made, check out Aric Toler’s thread on Twitter @arictoler from Bellingcat.

Now, without further ado, let’s get started on constructing a sock puppet for OSINT investigations.  To get started, I want to properly define what a sock puppet is and what it is not.  The internet (already a skeptic) defines a sock puppet as “an online identity used for purposes of deception”.  This clearly refers to the traditional sock puppet, with an unknown ‘master of puppets’.  I’d like to add a bit of clarity to that definition though.  Sock puppets aren’t exclusive to deception operations, they can also be used for privacy and OPSEC for an investigator, journalist, penetration tester, etc.  OPSEC online not only protects the investigator, but it also protects the target in the case that the evidence provided leads nowhere.  So, how do you make a sock puppet that won’t embarrass you like Jacob Wohl and Surefire Intelligence?

The first thing you have to do is clearly define your intent. You can choose to create a fake persona or you can create an avatar that’s clearly fake with the masked excuse of OPSEC as its origin. Let me elaborate. Let’s say you choose option 1. You want to create a sock puppet named “Eugene Shoemaker”. Eugene Shoemaker doesn’t exist. So you have to create an entire identity around Gene in order for the account to look authentic. This takes a very long time, is very difficult, and has a higher chance of failure. Additionally, if this sock is discovered, all of your work has to be deleted and you have to start all over again. If you can pull this off, this is the most effective way to operate. But not everyone is patient. That’s why there’s option 2.

Option 2 is creating an avatar that’s focused around an idea rather than a unique identity. Examples of this include @ShakiraSecurity on Twitter or @DutchOSINTGuy. Everyone knows Shakira isn’t involved in the infosec community. They also know that that account isn’t Shakira. But that account is still a trusted source on Twitter when it comes to OSINT and infosec conversations. That account has over 500 followers. That account has a function and has built trust. That account was easier to create than a blank slate.

For both options it’s recommended to create content, add media (photos, videos), interact with others online in an authentic way, create multiple social profiles, convince others to vouch for you, have a phone number, unique IP, email address, etc. But more on that later.

But enough on theory and philosophy.  Both options are viable and, once again, it depends on your intent and the scope of your project.  If you have a large scale operation, you may create a community of sock puppets that interact with others and each other to create influence that has leverage.  Let’s get into the details on how to set this up.

The Setup

Depending on who you ask, there’s an endless list of things you can do to remain anonymous while conducting investigations online. You can go extreme and jump down the Michael Bazzell rabbit hole, or you can have a little less attention to detail and still do fine. If you’re interested in an almost foolproof system, check his book Hiding from the Internet. If you’re asking me how to create a successful sock puppet, I’m more of a subscriber of the Pareto Principle; but I also don’t have much to lose if caught during an investigation like others may have (back to intent). Here’s the 80/20 on what you need to get started.

  1. A dedicated computer that is only used for investigations
  2. Encrypted Email – Use Proton Mail
  3. A burner phone number (expensive) or a wifi phone number (cheap or free)
  4. A social media profile where your target is most active (choose option 1 or 2)
  5. A couple different virtual machines
  6. A blog or website (you can use a free blog like WordPress, Blogger, or Medium)
  7. A VPN (you should probably have one anyway)

Now, this is just a start, but it will help you at least get started.  You will have to customize your avatar as you go along to maintain or add credibility.

Dedicated Computer

Having a dedicated computer is an absolute must.  You don’t want anything you are doing under your avatar to somehow be linked to your personal, real account.  Not only will this reveal that your sock puppet is indeed a sock puppet, it may link your real identity to it (see Surefire Intelligence fail).  This computer doesn’t have to be expensive, you could use something as simple as a Raspberry Pi or a cheap laptop.  Using other tools I’ll discuss below, your dedicated computer should not be able to be linked to another computer on your network.

Encrypted Email

This is generally a best practice in the OSINT and infosec community. While it may be enticing to use Gmail due to the vast number of free tools they provide and their seamless integration, don’t do it. Google is tracking you. Even if you provide false information, they will still know it’s you eventually. Proton Mail is a name brand in the encrypted email industry. There are other options but I’d go with Proton Mail if you haven’t experimented with them before. The user interface is easy to understand and it doesn’t require any advanced setup.

Phone Number

If you can, try to get a very cheap phone plan that’s dedicated to your avatar. Cheap plans such as Mint will get you the very basics for close to single digits a month. If you don’t want to spare the cash, consider getting a wifi based phone number from a website that doesn’t recycle phone numbers every month. Google Voice is a good option. Keep in mind that a lot of these websites request your primary phone number (Google) when signing up. If you’re very concerned about privacy, find one that doesn’t.

VPN

It’s important to mask your IP when doing OSINT research online.  The best way to do this is to use a VPN.  The number one VPN changes frequently so depending on when you read this, it could be different.  I’ve used ProtonVPN, Windscribe, NordVPN, and Private Internet Access.  Pick one that values your privacy and has a user interface that’s easy for you.  Make sure you get a VPN that constantly changes your IP so that you don’t establish a pattern during logons or during interaction.

Social Media Profiles

Now that you have a dedicated computer, encrypted email, phone number, and VPN, we can get to the fun part.  You can use all of your information (email, phone number) to create your social media profiles of choice.  Since you’re starting from scratch, it’s important you start interacting in an organic way.  This could include following people, posting links, doing status updates, interacting with people in the same niche as your target, etc.  This process will take a long time if you do it right.  If you’re really skilled, your target will come to you.  I recommend creating multiple avatars with multiple emails and phone numbers to decrease your risk and to deploy them in different ways.  More on this later.

Virtual Machines

Virtual machines are a great way to create an additional layer of privacy.  You can also use them for specific tools in your OSINT investigation.  I recommend starting with Buscador as it offers a wide variety of OSINT tools.  You can also experiment with Windows VMs to access tools like FOCA and other Windows specific tools.  Experiment with Android emulators to take advantage of mobile apps.  Nox is an excellent emulator to get you started.

Blog

If you want to go another layer deep on your avatar, create a free blog on WordPress, Medium, or Blogger and link it to your social media profile.  Generate content both on social and your blog to increase credibility.  After a period of development, you will have a complex character that’s believable and valuable.

Chrome Extensions

Part of remaining anonymous on the web is blocking all forms of tracking. The two extensions I’d recommend off the top of my head are AdBlock and Disconnect Me. These will stop ads from tracking you as well as all pull requests from social media sites. Combined with a VPN, you should have what you need to search safely.

Bonus

Once you’ve developed all of the above, you may want to verify yourself on Keybase and get involved in other opportunities such as Slack channels or Rocket Chats. This will grant you an opportunity to open a dialogue with your target or associates in an environment separate from social media.

Things to Consider

It’s important to remember that you should be very careful before deploying your sock puppet. If you use it too soon, you’ll lose credibility with your target or associates and you may not recover. I recommend setting goals such as a certain number of Tweets, followers, blog posts, or months, etc. before creating a plan to use it. With that being said, the intent of your sock puppet should be dictated by the influence it creates organically. Don’t steer your sock puppet in an unnatural direction. Let it grow organically and deploy it in the direction it develops on its own. That’s why it’s important to have multiple accounts.

Another thing to consider is forensic linguistics.  Try to make the content you create on your sock puppet account as unique as possible (or at least different from your personal account). That being said, so long as you’re not doing anything incredibly controversial, people won’t question your motives and investigate your identity anyway. Constantly collect OSINT on your sock puppet and reverse engineer your own creation.  Have a friend or colleague take a look at it and see if they can find a way in.  Do all of this before deploying the sock.

Some mistakes Wohl made were using stock images that were easily traceable through image search, not using Whois protection during domain registration, using his socks too soon, and not collecting OSINT/investigating himself before deployment. Read Aric Toler’s write up on this for lessons learned.

Further Research

This post is closing in on 2000 words, which is quite concerning to me.  The OSINT community is already saturated with long form content that’s difficult to digest.  Keeping that in mind, I’d like to conduct an experiment of my own with this process and share the results in another medium.  I’ve been talking on Twitter about how I want to write an OSINT related book.  I think this is it.  I’ll be keeping everyone updated on the progress of this as I set up my sock puppet ecosystem, document, and write the results. Use this post as an introduction to the process and a precursor to the book.

Comments:

On the VMs – to increase distance from the “real you” – change screen resolution and fonts to prevent fingerprinting (etc). Turn webrtc off. Also – unbalance your keyboard legs or spin the keyboard and type at a weird angle. (Maybe switch to a dvorak for the puppets??) Maybe extreme, but helps throw a wrench in “keystroke dynamics”. The puppet will always be hunt and peck and “real you” will always type as real you normally does. If you have a predictive typing app/plugin ( ala mobile kybds ) – train the keyboard app to suggest phrases that the real you never uses. That is – prime the predictive typing with alter-ego’s linguistic preferences.

The Art of the Sock

The Art Of The Sock

Source: secjuice.com/the-art-of-the-sock-osint-humint
(Archived here for easy access. If you see this and want me to remove it, just let me know.)

Sock puppets are where the OSINT rubber meets the HUMINT road, but you need to be good at using them to survive in the infosec jungle.

Guise Bule
Aug 12, 2018 • 9 min read

Social media is infested with sock puppets, influencing what we think in a million different conversations across different social platforms. Some are employed by nation states and used to influence politically, others by private corporations attempting to influence the conversation around their brands. Some are much more sinister, set up to deceive and defraud. Then you have people like me, OSINT investigators who like to put on a nice clean pair of socks before they go to work and engage their targets.

Wait, That’s Not OSINT Though Is It?

What’s that investigator? You thought that you would be purely gathering intelligence from publicly available information? Oh my sweet summer child.

I am sorry to tell you that OSINT and HUMINT go hand in hand these days, because OSINT can only ever get you so far. HUMINT is a natural extension to your OSINT work, especially when you are investigating fraudsters, there are only so many public facing signals they give out. If you really want to get a feel for your targets, you have to get your hands dirty, touch your target and social engineer your heart out.

To be an effective investigator you need to master the art of the sock and learn how to engage your targets on social media while wearing socks.

What Is A Sock Puppet?

My favorite definition of the term ‘sock puppet’ comes from the Oxford English Dictionary: “a person whose actions are controlled by another; a minion”. I just like the word minion though. A more accurate definition from an OSINT perspective would be “a social persona worn when engaging the targets of your investigation”.

A fully fleshed out sock puppet is a social persona that has a credible social history across different social media channels. In my case, I had need of a fully fleshed out sock puppet for an OSINT investigation into the operators of an ICO, for and on behalf of the investors in that ICO. You already know that the ICO was scammy and I am far too discreet to discuss the details, but it’s worth using as an example of how to properly nurture your sock from its birth to its eventual death.

Think Long Term

The Art Of The Sock is a long term game, if only because there is nothing that screams sock like a freshly coined social media account. This means that you have to think long term when it comes to growing a fully fleshed out sock account, you have to start growing and nurturing them a long time before you will actually need them. Of course you need more than one, they are disposable and you should only ever use a sock once, then throw it away as if it were a cum stained wank rag (my apologies).

By credible social history I mean that your sock has to behave in a consistently credible way over a period of time, the longer the better. The more social history your sock has, the more convincing it will be when you come to use that sock. By social history I mean a convincing breadcrumb trail of consistent activity, one that looks like the activity of a real person on social media. Your socks do not have to be the most prolific posters, but they should engage in regular, publicly visible, activity across different social media platforms.

Whatever you do, do not interact with any of your other accounts, contacts or peers. Your socks should be standalone entities in their own right.

When I say a credible history across platforms, I mean that they should have a LinkedIn profile with a credible looking work history, a Facebook profile with some pictures of your sock having fun in different places, or sharing whatever they are into with their friends. It should have an active Twitter profile that engages with its community in a genuine and consistent way.

You noobs with your two month old Twitter accounts aren’t fooling anyone, it’s the sock masters with the properly grown and nurtured personas who are smashing up the sock world out there. When those guys turn their fully fleshed out socks onto a target, they are both credible and convincing. Sock masters never automate anything, they give an authentic touch to every publicly visible action and you just cannot beat it.

Within dark rooms in foreign corners of the world, ‘sock master’ is actually a real job description and people devote their working days to growing and nurturing sock accounts to hand off to others for use in information warfare campaigns. To call them all sock masters though would be a lie, most of them are sock herders at best and if you watch closely, you can see the handovers in the socks’ behavior.

TL;DR Start growing your socks now in case you need them one day.

Men Are Stupid

When it comes to socking them out of the ballpark, it’s better to be a woman than a man because men are stupid. Unless they are savvy, the vast majority of men are hugely vulnerable to a direct approach from a pretty girl. It’s absolutely fucking ridiculous in fact and it made me never want to trust women online unless you first validate their existence via a webcam session. Social metadata validation cannot be trusted and even when you video validate they could have hired a prostitute to play the part.

And what do you do? You share far too much information with that cute girl, goddamnit what the hell is wrong with you people? Blabbing about your business to random girls on the internet, you deserve to be uncovered as fraudsters. Same applies to you idiots trying to recruit, you may want to consider not sharing the working details of your operation with that hot blonde who flirts with you and seems money hungry.

I am sorry to tell you this dear reader, but that cute girl you are talking to on Twitter, the one who connected to you on LinkedIn and who shared their private Facebook profile with you is definitely a dude. He is more than likely trying to social engineer some information out of you, or influence you for some nefarious purpose.

Blackmail if you are really unlucky.

TL;DR NEVER trust cute girls online if you are a man.

Softly Softly Catchee Monkey

“Deception doesn’t work if your target doesn’t have a reason to believe you’re real, so having a personality is important.” @S4BOT4GE.

I talked to veteran sock masters when researching this subject and those focused on OSINT like to take the softly softly, catchee monkey approach to engaging their targets and the key to this is personality and a grain of uniqueness.

@S4BOT4GE told me that the deception does not work unless your target has a reason to believe that you are real and that having a unique personality is important for this reason. He thinks the key is to emulate a unique character, rather than imitate an existing one and that a grain of uniqueness can make it real enough to believe.

He uses a remote browser service to conduct online research. If the endpoint is the new perimeter, then remote browser isolation is the future of endpoint security.

This is full on social role playing he is talking about, immersing yourself in the character and becoming unique enough for your targets to notice you before you notice them. The trick to being noticed by your target according to S4BOT4GE is fairly straightforward on most social media platforms.

Start following and interacting with accounts that are in close proximity to your account’s targets and, a couple of times a day, check each of their accounts for anything they posted that hasn’t been widely shared yet, and repost it immediately. Rinse and repeat to allow the social media algorithms to do their work and they will eventually show your activity to your targets.

If your activity has an authentic voice, they will notice you first and that is everything when it comes to initiating contact with a target. If a target is to really trust you, they need to initiate first contact. A smart man would never trust a direct approach from a pretty girl, but if he sees her around town every now and again, he may very well decide to approach her and say hello, it’s very common.

TL;DR Take your time, let your target come to you.

Welcome To The Jungle

I spoke to retired sock master @an3rka0s, who is a veteran of information warfare operations that mitigated against foreign adversaries. He told me that the chances are that the socks are already all around you, you’re probably already connected to them and they just haven’t decided to target you directly yet. Admittedly that’s a paranoid outlook, but he is right depending on the social spaces you inhabit.

@an3rka0s tells me that battle hardened operators who have been immersed in the sock jungle for long enough begin to recognize adversarial sock operators through their personas, using their intuition and instinct they can smell other socks.

If you happen to be investigating the crypto world, chances are that your targets are already operating their own socks. One of the first skills that a sock operator learns in the jungle if they want to survive is to recognize when your own followers are socks driven by your adversaries trying to scope you out or keep you on their radar. This is the reason why it’s essential that your fresh socks are completely unconnected to all of your other socks in every way; they need to be believably separate entities in order to credibly survive in the jungle. It is an art form in itself.

TL;DR A savvy sock operator can spot other sock operators and unless you are careful with your connections and behavior, they will spot you easily.

Beware The Sock Hunters

Rather than explain how to avoid being caught using a sock, it’s probably best to explain how we catch sock operators doing what they do. In general, sock puppets can usually be identified based on their writing style, posting activity and relationship with other users on the same, or other social networks.

Happily, the OSINT community provides us with some fantastic toolsets for running investigations into social accounts and their public activity. If sock hunting is your thing, you can analyze a social account’s behavior and activity in lots of ways.

The easiest way to find sock accounts in a conversation is to check their login times and login IP addresses; very often sock operators will have sloppy OPSEC practices and/or not bother concealing their IP. They will also login and post at roughly the same time, sometimes delaying their posts in order not to be obvious.

Over time identifiable patterns emerge though.

This method of detecting socks is not always workable; a sophisticated sock operator will know to avoid creating patterns in their logon times and posting times, and they will also know how to conceal their IP address when logging on and posting. When it comes to the more sophisticated sock operators, you have to step up your detection methods in order to catch them and begin to develop machine learning algorithms that detect similarities in behavior across multiple social accounts.

A recent study found that “sock puppets contribute poorer quality content, write shorter posts that are often downvoted or reported by other users. They post on more controversial topics, spend more time replying to other users and are more abusive.

Worryingly, their posts are also more likely to be read and they are often central to their communities, generating a lot of activity”. This gives you a baseline pattern to hunt for and base your machine learning algorithms on. Researchers are out there right now, leveraging this detection model in order to detect and identify socks.

Machine learning tools have been created which can detect if two accounts are owned by the same person with 91% accuracy. There are other tools that can distinguish between a real social account and a sock with 68% accuracy.

Tools like these are spotting patterns across thousands of social accounts and identifying their owners with ever increasing accuracy, they find patterns in your behavior and develop a behavioral fingerprint that you subconsciously leave on your actions. Even though you may try to randomize your behavioral patterns, style of writing, manner of expression, login times, IP address and other ways to conceal yourself, you cannot hide if the algorithms are given enough historical data on your activities to analyze. We all have our own unique behavioral fingerprint.

These tools are being developed in an effort to counter information warfare efforts across social media operations conducted against us by foreign adversaries intent on influencing the conversation in our society. They are also being developed by the private sector and the social media platforms themselves in an effort to disrupt trolls, persistent abusers, and operations designed to spread fake news into our feeds.

It’s getting much easier to spot and identify even the most experienced sock operators, especially when they are engaged in shady online behavior. But a skilled OSINT investigator who maintains his or her own sock accounts for investigative purposes, and who takes care, is likely to fly under their radar completely.

Stay under the radar, behave like a normal person, engage in authentic activity and keep your socks dry until you need them. Nobody likes wet socks.

Anon Sock Puppets

Setting up anonymous sock puppet accounts

  1. Come up with a persona for the sockpuppet account.
  2. Use Fake Name Generator to create a person whom you feel fits your sockpuppet persona.
  3. Use This Person Does Not Exist to generate an image. Make sure you inspect the image closely and get one that doesn’t have any obvious flaws, as they often do. It is worth picking up some Photoshop, GIMP, Affinity Photo or Designer, or other basic image manipulation skills to fix them and change the background of the image.
  4. Get a burner phone, completely wiped and fresh. Can be any brand that will accept a Mint Mobile SIM card.
  5. Get a burner credit card from Privacy.com to use on Amazon and possibly for the Mint Mobile setup. They might need it to set up the account.
  6. Set up a burner Amazon account. We’re only going to use it once.
  7. Buy two Mint Mobile SIM cards. You can find them various places online and in stores near you, but you can get two of them for $5 on Amazon. They also give you 1 week free trial with something like 100 text messages, which we’re going to use. This gives you two cards for two sockpuppet accounts for only $5.
  8. I like to use Amazon to have the card sent to an Amazon pickup box, which can be anonymous.
  9. Get a VPN that you can set to the physical area in which you want your sockpuppet to “exist.”
  10. Set up the Mint Mobile trial account somewhere away from your home; as far as you’re willing to go.
  11. Use this Mint Mobile trial phone number to set up all of the websites you need.
  12. I recommend at least setting up a Google account and a Protonmail account. Both will come in handy at different times.
  13. Once you’ve set up all the accounts with your trial Mint SIM, set up 2FA on all of the accounts.
  14. After setting up 2FA on all of the accounts, change the phone number to one you have more permanent access to, such as MySudo or Google Voice.
  15. Make sure everything works!
  16. Destroy the SIM card.
  17. Wipe the phone.

A lot of these websites are blocking MySudo, Google Voice, and other VoIP numbers. That’s why we go through the Mint phone number first.

They should be less stringent now.

As always, feedback is welcome! This was originally posted on my blog where I also talk about the ethics of sockpuppet accounts.

Search Engine

Search engines are a powerful tool and particularly useful for conducting OSINT research. By entering specific operators along with relevant keywords, you can quickly discover a vast amount of publicly available data about individuals or organizations that may be of interest, such as an individual’s private or personal information, images, professional background, and affiliations with specific groups or organizations.

List of search engines:
en.wikipedia.org/wiki/List_of_search_engines

Operators/Syntax:
bruceclay.com/blog/bing-google-advanced-search-operators
duckduckgo.com/duckduckgo-help-pages/results/syntax

Basic Operators

Google | Bing | Description
site: | site: | Restricts the search to pages within a particular domain and all its subdomains.

Examples (query, then the operator it illustrates):
site:reddit.com wgu c95
site:reddit.com "c958 calculus"
site:reddit.com c958 calculus AND "professor leonard" | AND
site:reddit.com c958 calculus OR "professor leonard" | OR
"heath adams" the * mentor | * (wildcard)
site:tesla.com password filetype:pdf | filetype:
site:tesla.com filetype:docx
"tesla.com" filetype:xlsx pass
site:tesla.com -www | subdomains (remove www)
site:tesla.com -www -forum
"heath adams" -thecybermentor -mentor | - (remove items)
"heath adams" intext:password | intext:
"heath adams" inurl:password | inurl:
"heath adams" intitle:password | intitle:

Google Advanced Search:
google.com/advanced_search
google.com Tools (on right side) -> Any time / All results

Search Engines/Websites

Subsections of Search Engine

Google Guide

Basic Examples

This Search | Finds Pages Containing
biking Italy | The words biking and Italy.
recycle steel OR iron | Information on recycling steel or recycling iron.
“I have a dream” | The exact phrase I have a dream.
salsa -dance | The word salsa but NOT the word dance.
Louis “I” France | Information about Louis the First (I), weeding out other kings of France.
castle ~glossary | Glossaries about castles, as well as dictionaries, lists of terms, terminology, etc.
fortune-telling | All forms of the term, whether spelled as a single word, a phrase, or hyphenated.
define:imbroglio | Definitions of the word imbroglio from the Web.

Calculator

Operators | Meaning | Type Into Search (& Results)
+ - * / | basic arithmetic | 12 + 34 - 56 * 7 / 8
% of | percentage of | 45% of 39
^ or ** | raise to a power | 2^5 or 2**5
old units in new units | convert units | 300 Euros in USD, 130 lbs in kg, or 31 in hex.

Operators | Meaning | Type Into Search | Results
city1 city2 | Book flights. | sfo bos | Book flights from San Francisco (SFO) to Boston (BOS).
site: | Search only one website or domain. | Halloween site:www.census.gov | Search for info on Halloween gathered by the US Census Bureau.
[#]..[#] | Search within a range of numbers. | Dave Barry pirate 2002..2006 | Search for Dave Barry articles mentioning pirates written in these years.
filetype: | Find documents of a filetype. | Form 1098-T IRS filetype:pdf | Find the US tax form 1098-T in PDF format.
ext: | Find documents of a filetype. | Form 1098-T IRS ext:pdf | Find the US tax form 1098-T in PDF format.
link: | Find linked pages, show pages that point to URL. | link:warriorlibrarian.com | Find pages that link to Warrior Librarian’s website.

Specialized Information Queries

Operators | Meaning | Type Into Search | Results
book (or books) | Search full-text of books. | book Ender’s Game | Show book-related information. No colon needed after book.
define, what is, what are | Show a definition for a word or phrase. | define monopsony, what is podcast | Definition for monopsony and podcast. No colon after them.
define: | Provide definitions for words, phrases, and acronyms. | define:kerning | Find definitions for kerning.
movie: | Find reviews and showtimes. | movie: traffic | Search for information about this movie, including reviews, showtimes, etc.
stocks: | Given ticker symbols, show stock information. | stocks: goog | Google’s current stock price.
weather | Given a location (US zip code or city) | weather Seattle WA, weather 81612 | Show the current weather and forecast. No colon after weather.

Alternative Query Types

Operators | Meaning | Type Into Search | Results
cache: | Display Google’s cached version of a web page. | cache:www.irs.gov | Show cached version of the US IRS home page.
info: | Find info about a page. | info:www.theonion.com | Find information about The Onion website.
id: | Find info about a page. | id:www.theonion.com | Find information about The Onion website.
related: | List web pages that are similar or related. | related:www.healthfinder.gov | Websites related to the Healthfinder website.

Search for Sites where Query Words Appear

Operators | Meaning | Type Into Search | Results
allinanchor: | All query words must appear in anchor text of links to the page. | allinanchor:useful parenting sites | Pages that are called useful parenting sites by others.
inanchor: | Terms must appear in anchor text of links to the page. | restaurants Portland inanchor:kid-friendly | Portland restaurants where links to the page say “kid friendly.”
allintext: | All query words must appear in the text of the page. | allintext:ingredients cilantro chicken lime | Search for recipes with these three ingredients.
intext: | The terms must appear in the text of the page. | Dan Shugar intext:Powerlight | Pages mentioning Dan Shugar where his company Powerlight is included in the text.
allintitle: | All query words must appear in the title of the page. | allintitle: Google Advanced Operators | Pages with titles containing “Google,” “Advanced,” and “Operators”.
intitle: | The terms must appear in the title of the page. | movies comedy intitle:top ten | Pages with the words movie and comedy that include top ten in the title.
allinurl: | All query words must appear in the URL. | allinurl:pez faq | Search for pages containing the words pez & faq in the URL.
inurl: | The terms must appear in the URL of the page. | pharmaceutical inurl:investor | Search for pages in which the URL contains the word investor.

Restrict Search to Google Groups

Operators | Meaning | Type Into Search | Results
author: | Find Groups messages from the specified author. | flying author:Hamish author:Reid | Search for Hamish Reid’s articles on flying.
group: | Find Groups messages from the specified newsgroup. | ivan doig group:rec.arts.books | Postings about Ivan Doig in the group rec.arts.books.
insubject: | Find Groups messages containing crazy quilts in the subject. | insubject:“crazy quilts” | Articles containing crazy quilts in the subject line.

Restrict Search to Google News

Operators | Meaning | Type Into Search | Results
location: | Find News articles from sources located in the specified location. | queen location:uk | Find British news articles on the Queen.
source: | Find News articles from specified sources. | peace source:ha_aretz | Show articles on peace from the Israeli newspaper Ha’aretz.

About This Cheat Sheet: For more tips, tricks, & examples, visit GoogleGuide.com. By Nancy Blachman & Jerry Peek who don’t work for Google & Tasha Bergson-Michelson.

Bing Google Operators

bruceclay.com/blog/bing-google-advanced-search-operators

Google Bing Result
allinanchor:
allintext: Returns webpages with all the words somewhere on the webpage.
allintitle: Finds pages that include all query words as part of the indexed title tag.
allinurl: Finds a specific URL in the search engine’s index. Also can be used to find pages whose URLs contain all the specified words.
AROUND() Finds webpages with words that are in a certain proximity to one another.
cache: Shows the version of the webpage from Google’s cache.
contains: Finds webpages that contain links to a particular type of file (such as pdf, mp3). This function is unique to Bing.
define: Presents a dictionary definition.
ext: ext: Returns only webpages with the file extension you specify (such as htm). Note: Bing includes this operator in its current list, but our tests could not produce reliable results.
filetype: filetype: Finds results of a single type only (such as pdf).
feed: Finds RSS / Atom feeds on a site for the search term.
hasfeed: Finds webpages with RSS / Atom feed on the search term.
in This converts units of measure like temperature, currency, etc.
info: Presents some information that Bing has about a webpage such as related pages from the site, external pages talking about the page, and related results. This operator is not listed on the current Bing documentation, but our tests show that it continues to work.
intext: Shows pages that contain a specific word in their body text.
intitle: intitle: Finds pages that include a specific word as part of the indexed title tag.
inurl: Finds pages that include a specific keyword in their indexed URLs.
allinurl: Finds a specific URL in the search engine’s index. Also can be used to find pages whose URLs contain all the specified words.
inanchor: Finds webpages that use a specified keyword as anchor text in a link from the page.
inbody: Finds webpages that use a specified keyword in the body section of the page.
ip: Finds sites hosted by a certain IP address.
language: Find webpages in a specified language.
location: Finds webpages from a certain country / region.
map: Finds a map result for the query.
movie: Finds information about movies.
OR OR Finds webpages that have either query when used in between two queries. Must be capitalized to work correctly.
prefer: Adds emphasis to a search term to refine the results further.
related: Finds related sites to the domain you input.
site: site: Restricts the search to pages within a particular domain and all its subdomains.
source: Finds news results from a specific news source in Google News.
stocks: Displays stock information for a specific ticker symbol.
url: Checks if a domain is in the Bing index.
weather: Shows weather for a specific location.
* * Acts like a wildcard that can take the place of any word or phrase. Example: tallest * in the world
- - Excludes results that contain the word following the minus sign. Place this operation at the end of your search query.
" " " " Finds instances of the exact text within the quotation marks everywhere it appears in the search engine’s index.
@ Searches social media for a certain query when put in front of the word(s).
$ Searches for a price when put in front of the query.
# Searches for hashtags.
.. Searches a range of numbers when put in between two numbers.
() Finds or excludes webpages with a group of words contained within the parentheses.

Duckduckgo Syntax

duckduckgo.com/duckduckgo-help-pages/results/syntax

Search Operators

Example | Result
cats dogs | Results about cats or dogs
"cats and dogs" | Results for exact term “cats and dogs”. If no or few results are found, we’ll try to show related results.
~"cats and dogs" | Experimental syntax: more results that are semantically similar to “cats and dogs”, like “cats & dogs” and “dogs and cats” in addition to “cats and dogs”.
cats -dogs | Fewer dogs in results
cats +dogs | More dogs in results
cats filetype:pdf | PDFs about cats. Supported file types: pdf, doc(x), xls(x), ppt(x), html
dogs site:example.com | Pages about dogs from example.com
cats -site:example.com | Pages about cats, excluding example.com
intitle:dogs | Page title includes the word “dogs”
inurl:cats | Page URL includes the word “cats”

If advanced syntax was used in a query and no results are found, we’ll try to show related results.

Please note: we are aware some of our advanced syntax isn’t operating 100% correctly on all queries and are actively working on it. It is unfortunately a non-trivial issue given we get our private results from a variety of sources.

Search Directly on Other Sites

  • Use \ to go directly to the first search result. For example, \futurama.
  • Use ! to search other sites’ search engines directly. Remember, though, because your search is actually taking place on that other site, you are subject to that site’s policies, including its data collection practices. For example, !a blink182 searches Amazon.com for blink182. There are thousands of sites covered!
  • Add !safeon or !safeoff to the end of your search to turn on and off safe search for that search.

Images

OSINT resources for images

OSINT tools for analysing images can help you identify their contents. Images from social media platforms and other public websites are an easy way to gather lots of valuable data.

Various tools can be used to extract relevant data from images, such as faces, text, logos, and other identifying markers. This data can also be analyzed using a variety of techniques, including facial recognition software, optical character recognition (OCR), and image analysis algorithms to identify key elements within the image.

When OSINT is applied to images it has many potential applications, such as offensive security, fraud detection, brand monitoring, locating missing people, and counterintelligence activities. However, it is important to consider the ethical implications of using OSINT tools in this context, particularly when analyzing sensitive personal information without consent.

Reverse Image Search
EXIF Data
Physical Location
Identify Locations

Tools not listed on other pages:

exiftool.org - A command-line tool that extracts metadata from images.
fotoforensics.com - A web tool that can detect signs of manipulation.
citizenevidence.amnestyusa.org - Verify the authenticity of an image.

Subsections of Images

Reverse Image Search

Strip out EXIF data from images before uploading them for a search. Right click the file and check its properties.

Reverse image search example:

  • Drag and drop to upload an image: images.google.com
  • Click on “Find image source”.
    • It appears to look for all locations of the exact image.
  • Go back to the front page.
  • Drag the selection markers so that it’s only selecting the part of the image that you want to search for, then try Find image source again. Go back and forth as much as needed.
    • May not work that well for some images.
    • May work really well for other images (buildings, landmarks, etc.).
  • Remove Twitter from the search: Jonas Hellborg -twitter.com
  • “NAME” - probably just photos uploaded by NAME.
  • “Photos of NAME” - will get you a different full list of photos.

Yandex reverse image search
yandex.com/images/

  • Drag and drop an image to get some results.
    • It should find more images, similar images.

TinEye

TinEye - Reverse Image Search
tineye.com/

Upload an image to search.

Other

socialcatfish.com/reverse-image-search - Reverse image search engine.
https://www.wolframalpha.com/input/?i=image+identify - Identify objects, landmarks, and other items within images.
pimeyes.com/en (paid)

EXIF Data

Viewing EXIF Data

EXIF - Exchangeable Image File Format

EXIF data can provide a lot of information. It’s metadata embedded in the photo by the phone or camera that can be tied back to the person who took it. It can tell you a location, device, and other details.

Sites for viewing EXIF data

jimpl.com
exifdata.com
exif.tools
exif.regex.info - offline

Linux command line tool:

exiftool image.jpg

Remove exif data

Sites: jimpl.com/remove-exif

Command Line: Install exiftool

sudo apt install libimage-exiftool-perl

Run in a directory to remove data from all images including subdirectories:

exiftool -overwrite_original -recurse -all= *

Using exiftool to remove data can take a while depending on how many images there are.

GPS Coordinates

If GPS coordinates exist in the photo data, you can look them up on a map:
gps-coordinates.net

Can use google maps to get an overhead view (when searching for physical weaknesses, etc).
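As an added example (not from these notes and not exiftool’s code), the following Python walks a JPEG’s marker segments, reads the GPS tags out of the Exif APP1 segment and converts the degrees/minutes/seconds rationals to decimal, then strips the whole Exif segment the way the exiftool -all= command above removes the metadata. build_sample_jpeg constructs a minimal test file with made-up coordinates so everything runs offline; tag numbers and the TIFF/IFD layout are the standard Exif ones.

```python
import struct

GPS_IFD_POINTER = 0x8825                                 # IFD0 tag: offset of the GPS sub-IFD
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 1, 2, 3, 4  # GPS IFD tags
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5

def _find_exif_segment(jpeg):
    """Walk the JPEG marker segments; return (start, end) of the APP1 Exif segment or None."""
    pos = 2                                              # skip SOI (FF D8)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                       # EOI / start of scan: headers are over
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:     # standalone markers carry no length
            pos += 2
            continue
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            return pos, pos + 2 + seg_len
        pos += 2 + seg_len
    return None

def _read_ifd(tiff, e, offset):
    """Return {tag: (type, count, raw 4-byte value-or-offset)} for the IFD at `offset`."""
    n = struct.unpack(e + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(n):
        at = offset + 2 + 12 * i
        tag, typ, cnt = struct.unpack(e + "HHI", tiff[at:at + 8])
        entries[tag] = (typ, cnt, tiff[at + 8:at + 12])
    return entries

def _rationals(tiff, e, entry):
    typ, cnt, raw = entry
    off = struct.unpack(e + "I", raw)[0]                 # RATIONALs never fit inline: raw is an offset
    pairs = [struct.unpack(e + "II", tiff[off + 8 * i:off + 8 * i + 8]) for i in range(cnt)]
    return [num / den if den else 0.0 for num, den in pairs]

def _ascii(tiff, e, entry):
    typ, cnt, raw = entry
    data = raw if cnt <= 4 else tiff[struct.unpack(e + "I", raw)[0]:]
    return data[:cnt].rstrip(b"\0").decode("ascii", "replace")

def extract_gps(jpeg):
    """Return (latitude, longitude) in decimal degrees from the Exif GPS IFD, or None if absent."""
    seg = _find_exif_segment(jpeg)
    if seg is None:
        return None
    tiff = jpeg[seg[0] + 10:seg[1]]                      # TIFF header follows "Exif\0\0"
    e = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if e is None:
        return None
    ifd0 = _read_ifd(tiff, e, struct.unpack(e + "I", tiff[4:8])[0])
    if GPS_IFD_POINTER not in ifd0:
        return None
    gps = _read_ifd(tiff, e, struct.unpack(e + "I", ifd0[GPS_IFD_POINTER][2])[0])
    if not all(t in gps for t in (TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON)):
        return None

    def to_decimal(dms, ref):                            # degrees, minutes, seconds -> decimal
        d, m, s = dms
        dec = d + m / 60 + s / 3600
        return -dec if ref in ("S", "W") else dec

    lat = to_decimal(_rationals(tiff, e, gps[TAG_LAT]), _ascii(tiff, e, gps[TAG_LAT_REF]))
    lon = to_decimal(_rationals(tiff, e, gps[TAG_LON]), _ascii(tiff, e, gps[TAG_LON_REF]))
    return lat, lon

def strip_exif(jpeg):
    """Drop the whole APP1 Exif segment: the GPS and device data go with it before upload."""
    seg = _find_exif_segment(jpeg)
    return jpeg if seg is None else jpeg[:seg[0]] + jpeg[seg[1]:]

def _dms(value):
    """Decimal degrees -> (numerator, denominator) pairs for degrees, minutes, seconds/100."""
    value = abs(value)
    d = int(value)
    rem = (value - d) * 60
    m = int(rem)
    return [(d, 1), (m, 1), (round((rem - m) * 60 * 100), 100)]

def build_sample_jpeg(lat, lon):
    """Constructed test input: SOI + APP1 Exif holding only GPS tags + EOI (no scan data)."""
    tiff = b"II" + struct.pack("<HI", 42, 8)                                  # header; IFD0 at 8
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_POINTER, TYPE_LONG, 1, 26)
    tiff += struct.pack("<I", 0)                                              # no IFD1
    tiff += struct.pack("<H", 4)                                              # GPS IFD at 26
    tiff += struct.pack("<HHI", TAG_LAT_REF, TYPE_ASCII, 2) + (b"N" if lat >= 0 else b"S") + b"\0\0\0"
    tiff += struct.pack("<HHII", TAG_LAT, TYPE_RATIONAL, 3, 80)               # latitude rationals at 80
    tiff += struct.pack("<HHI", TAG_LON_REF, TYPE_ASCII, 2) + (b"E" if lon >= 0 else b"W") + b"\0\0\0"
    tiff += struct.pack("<HHII", TAG_LON, TYPE_RATIONAL, 3, 104)              # longitude rationals at 104
    tiff += struct.pack("<I", 0)
    for v in (lat, lon):
        for num, den in _dms(v):
            tiff += struct.pack("<II", num, den)
    payload = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"
```

Run extract_gps on a real photo’s bytes to see what a phone embeds, and compare the output of strip_exif against the original file size to confirm the segment is gone.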

Physical Location

Go to Google Maps, find a location and go to satellite view. Look at everything to see if there are any weaknesses or ways to get in without too much trouble. (Check other satellite services if Google doesn’t have a current image.)

  • You’re trying to find ways into the building that won’t make you look suspicious.
    • Somewhere close by where you might be able to fly a drone.
  • Drive around to possibly see anything in person.
  • Is there private access?
  • Are the paths blocked or guarded?
  • Is there anywhere to park that’s not suspicious?
  • Try to get into street view on map.
    • Are there any doors?
      • Badge, card readers.
      • What are the people doing?
      • What are they wearing?
      • Keep asking these kinds of questions.
  • You can apply all of these things to people.

Email

Methodology

Start with a google search (“Who is in THIS role at THIS company?”) Then go to phonebook.cz, hunter.io or equivalent to identify the email formatting. Try to find the person and discover or guess the pattern or format. Go to tools.emailhippo.com or equivalent to verify the emails, but sometimes you get false positives. You probably will only be verifying emails and not doing any kind of interaction. Clearbit Connect is limited so be careful how much you use it.

Subsections of Email

Discovering Email Addresses

Methodology

  1. Start with a google search. If you’re looking for a specific person or person with a role/position - “Who is in THIS role at THIS company?”
  2. Go to phonebook.cz, hunter.io or equivalent to identify the email formatting.
  3. Try to find the person and discover or guess the format.
  4. Go to tools.emailhippo.com or equivalent to verify the emails. Sometimes you get false positives.
  5. You’ll most likely just be verifying emails without any interaction.
  6. Clearbit Connect is limited, so be careful how much you use it.

Format Research

  • Research format of email addresses.
  • Use the Gmail login to see if an email is valid: enter the email and see if it’s already taken. You can also try to reset the Gmail password to get hints of the recovery email.
    • Don’t underestimate forgot password.
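As an added example of the “discover or guess the format” step (not tooling from these notes), this Python infers which local-part template a set of known addresses follows and builds the candidates to verify for another name; the template list, the names and the example.com addresses are all constructed, and a result with several templates means the samples are still ambiguous.

```python
import re
import unicodedata

# Local-part templates commonly seen in corporate mail, keyed by a label. Each takes the
# normalized (first, last) name. This is an assumed starter set; extend it as needed.
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "firstlast": lambda f, l: f"{f}{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "f.last": lambda f, l: f"{f[0]}.{l}",
    "firstl": lambda f, l: f"{f}{l[0]}",
    "last.first": lambda f, l: f"{l}.{f}",
    "lastf": lambda f, l: f"{l}{f[0]}",
    "first": lambda f, l: f,
    "last": lambda f, l: l,
}


def normalize(part):
    """Fold accents, lowercase and keep letters only ("Núñez" -> "nunez", "O'Brien" -> "obrien")."""
    folded = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode("ascii")
    return re.sub(r"[^a-z]", "", folded.lower())


def matching_patterns(first, last, email):
    """Labels of every template that reproduces the local part of one known address."""
    local = email.lower().split("@", 1)[0]
    f, l = normalize(first), normalize(last)
    if not f or not l:
        return set()
    return {label for label, fn in PATTERNS.items() if fn(f, l) == local}


def infer_format(known):
    """known: list of (first, last, email). Returns the labels consistent with every sample,
    sorted. Several labels means the samples are still ambiguous; an empty list means the
    format is not in PATTERNS or the samples disagree (e.g. a mix of formats)."""
    candidates = None
    for first, last, email in known:
        hits = matching_patterns(first, last, email)
        candidates = hits if candidates is None else candidates & hits
    return sorted(candidates or [])


def candidate_emails(first, last, domain, labels):
    """Addresses to verify for a new name: one per surviving template, deduplicated."""
    f, l = normalize(first), normalize(last)
    out = []
    for label in labels:
        addr = f"{PATTERNS[label](f, l)}@{domain.lower()}"
        if addr not in out:
            out.append(addr)
    return out


if __name__ == "__main__":
    # Constructed samples: two staff addresses "found" for a made-up domain.
    known = [("Jane", "Doe", "jane.doe@example.com"),
             ("Ana", "Núñez", "ana.nunez@example.com")]
    fmt = infer_format(known)
    print("consistent formats:", fmt)                                  # ['first.last']
    print(candidate_emails("Mary", "O'Brien", "example.com", fmt))     # ['mary.obrien@example.com']
```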

Emails that you have found or know about:

  • Password spraying.
  • Credential stuffing.

Email Research

Verify emails

Clearbit Connect Chrome extension:
chromewebstore.google.com/detail/clearbit-connect-free-ver/pmnhcgfcafcnkbengdcanjablaabjplo

theHarvester tool gathers names, emails, IPs, subdomains, and URLs:
github.com/laramies/theHarvester

Hunting for breached passwords (think of the method not the tool):
dehashed.com (paid service)

Check if an email was breached.

Tools by themayor - dievus

Passwords

Steps

  • Search through various databases of breached credentials.
  • Look for patterns in the passwords that might have been repeated or rearranged.
  • You might be able to use the same password and/or a variation of the password elsewhere.

Subsections of Passwords

Breached Passwords

dehashed.com (Paid service)

Search by different elements:

  • name
  • email
  • password
  • username
  • IP address
  • domain
  • address
  • phone
  1. Collect all the data, find patterns.
  2. Try to find other emails and see if you can connect them to the same person.
  3. They might use the same password.
  4. Connect everything together and notate everything so it can be replicated.

hashes.org - no longer online.
reddit.com/r/DataHoarder/comments/ohlcye/hashesorg_archives_of_all_cracked_hash_lists_up
github.com/rarecoil/hashes.org-list

hashmob.net/
HashMob allows anyone to submit hashes discovered in database breaches (or other sources) and share them with the community so that everyone can collaborate on recovering the original plaintexts.

Note: You’ll probably have to pay for anything that is extensive and current.

weleakinfo.io (need to pay)
leakcheck.io (need to pay)
snusbase.com (need to pay)
scylla.so (coming soon?)
haveibeenpwned.com
haveibeenpwned.com/API/v2
breachdirectory.org

github.com/thewhiteh4t/pwnedOrNot
github.com/khast3x/h8mail

Usernames

Any verified or guessed usernames can be researched and verified if possible on social media sites.

Searching through forums, boards or messengers can also reveal a lot about someone’s online persona and activities. Usernames can be used as keywords to search for information on these types of platforms and can be an excellent way to find more relevant data. Using search operators to fine tune your queries on Google, DuckDuckGo, etc. can also provide better results.

Subsections of Usernames

Usernames and Accounts

There may be other tools listed in other sections of these notes that also work for investigating usernames.

Website Tools

github Tools

Validate

Check or try to validate the existence of usernames on various social media websites.

wikipedia.org/wiki/List_of_social_networking_services

People

Most of these sites are US based unless you can find other locations. Take these sites with a grain of salt or be skeptical when using them. Some of the results can be misleading.

Websites

Check google.com

  • Cached data, next to link.
  • “Firstname Lastname” Los Angeles
  • “Firstname Middlename Lastname” Los Angeles

Subsections of People

Voter Records

You can get a lot of useful information from voter records. You can search by state and county to find someone. All you need is an address that was known at some time or a current address.

voterrecords.com

Note: Only use this for research on people, other than yourself, when you have full permission.

This information should actually not be public, but it is so it’s up for grabs to anyone.

Phone Numbers

Hunting for good phone numbers

PhoneInfoga is one of the most advanced tools to scan international phone numbers. It allows you to first gather basic information such as country, area, carrier and line type, then use various techniques to try to find the VoIP provider or identify the owner.
github.com/sundowndev/phoneinfoga

Try Google first. Use different formats (555-555-1212, 5555551212 or (555) 555-1212) and try the numbers in quotes too. It’s hit or miss. A lot of websites are sketchy and should be ignored.

  • Some people spell out phone numbers, so you can try searching for that.
  • Search using “phone emoji” before name -📱- ☎️
  • Search in white pages.
  • Try using the forgot password feature on websites.
    • Yahoo, Google, etc.
    • Be careful you don’t send a verification code to the user.

Websites

Note: Do not log in to these sites using anything, or any users, that connect back to you.

Birthdates

Use Google to search everywhere for birthdates. They can sometimes be discovered on any kind of forum or social media website.

  • Firstname Lastname Birthday
  • “Firstname Lastname” Birthday
  • “Firstname Lastname” intext:birthday
  • “Firstname Lastname” intext:“happy birthday”
  • “Username” intext:“happy birthday”
  • “Username” intext:“happy birthday” site:twitter.com
  • “Username” intext:“happy birthday” site:facebook.com
  • “Username” intext:“happy birthday” site:linkedin.com

Resumes

Resumes can sometimes disclose personal information.

Use Google to search for files or websites that might have something.

  • firstname lastname resume
  • firstname lastname resume filetype:pdf
  • “firstname lastname” resume filetype:pdf
  • “firstname lastname” resume filetype:doc
  • “firstname lastname” resume site:google.com
  • “firstname lastname” resume site:drive.google.com
  • “firstname lastname” resume site:dropbox.com
  • “firstname lastname” resume site:scribd.com
  • “firstname lastname” site:linkedin.com

Social Media

When using OSINT to research a target’s social media platforms, it is important to understand the context of the information being collected and how it may be interpreted by others. Social media profiles can provide valuable insights into a person’s interests, hobbies, political beliefs, and even their personal relationships. However, it is also important to consider the potential consequences of sharing private or sensitive information online, especially when using OSINT tools that allow for automated data extraction from various sources.

Note: Due to all the changes happening on some social media sites, a lot of the amazing tools we could use are now dead or severely broken.

Facebook

Twitter

  • Followerwonk : Search, compare and analyze people on Twitter (free and paid version).
  • Sparktoro : Audience research (free and paid version).
  • Twexplorer : Search the most common terms, hashtags, and links (you need login).
  • Real Top Tweeps : Shows an interaction overview on Twitter.
  • TweetBeaver : Shows different type data on Twitter (you need login).
  • Twitter Advanced Search : Advanced Search on Twitter.
  • Account Analysis : Evaluate and analyse Twitter profiles (free and paid version).
  • Spoonbill : See profile changes on Twitter (you need login).
  • Twint : Twitter Intelligence Tool.

Instagram

  • Search my bio : Search Instagram user bios.
  • Followerwonk for Instagram : Search for Instagram influencers and users.
  • Instadp : Downloader Tool for Instagram.
  • Instahunter : Fetch data from Instagram’s Web API without login.
  • Osintgram : Perform analysis on Instagram account of any users by its nickname.
  • Instaloctrack : Scrape geotagged locations - output in JSON & interactive map.
  • Instagram Scraper : Scrapes and downloads an Instagram user’s photos and videos.
  • Instaloader : Downloads photos, videos, hashtags, stories.
  • Sterraxcyl : Information on an Instagram account from its following & followers.

Snapchat

  • Snapchat : Search for hotspots around the world.
  • Dizkover : Full-featured social media platform that helps you discover people on Snapchat.
  • Ghostdex : Search for Snapchat users.
  • Ghostcodes : Browse through Snapchat categories and users.
  • Add me contacts : Search Snapchat usernames.
  • Snapmap Archiver : Download Snapmaps from a specific location.

TikTok

Lists of Tools

On github/gitbook

Tools

On github:

Other Website Tools

  • search.illicit.services - Records Search - Forwards here: search.0t.rocks
  • hashatit.com - Search with active hashtags across many social media platforms.
  • map.snapchat.com - See geotagged posts shared by other users from across the globe.
  • boardreader.com - Search for content found on blogs, open forums, and message boards.
  • usa.liveuamap.com - See what’s happening in real time with certain events.
  • pagefreezer.com/webpreserver - Browser-based plugin compatible with Chrome and Edge. Capture social media posts and comments and store them on your own computers or servers.
  • mention.com/en - Social Mention (Like Hashatit) is a social media search engine, but this tool looks at specific terms and phrases rather than hashtags.
  • trendsmap.com - Search through trending Twitter keywords and relevant hashtags.

Subsections of Social Media

Twitter

You have to log in to be able to do anything. twitter.com

Search Examples:

  • Check in: Top - Latest - People - Media - Lists
  • nba (search term)
  • #nbadraft (keyword)
  • "nba draft pick" (specific search)
  • from:thecybermentor (from)
  • to:thecybermentor (to)
  • @thecybermentor (tagging)
  • from:thecybermentor since:2019-02-01 until:2019-03-01
  • to:thecybermentor since:2019-02-01 until:2019-03-01
  • "nba draft pick" since:2019-02-01 until:2019-03-01
  • from:thecybermentor nba
  • geocode:34.0200392,-118.741382,10km
  • geocode:34.0200392,-118.741382,10km to:thecybermentor
  • twitter.com/search-advanced

These sites are dead after the violent takeover and ultimate destruction:

Websites that are still working, sort of, but not that useful now:

twitonomy.com
tinfoleak.com

Tweetdeck is dead: tweetdeck.com
Unless you pay for this: pro.twitter.com

thecybermentor left twitter: linktr.ee/thecybermentor

Facebook

You have to log in to be able to do anything.

Search examples:

  • mark zuckerberg
    • Check all the relevant side tabs.
    • All tab - all posts
    • People tab - profiles
    • Photos
  • photos of mark zuckerberg

Check profile page of a user if anything is public.

Note: the websites below may not function or work right due to the changes in Facebook.

https://sowdust.github.io/fb-search/ is now located here: sowsearch.info

intelx.io/tools?tab=facebook

Instagram

  • You can use the search to find people.
  • Main search - #thecybermentor
  • On a users home page check who/what they are following.
    • Check for relationships or close connections.
    • Anyone with the same last name?
    • Follow hash tags.
  • Who is following them?
  • Have they made any posts?
  • Have they been tagged?
  • Not as good on the website.
  • Better search results on the phone app.
  • If the profile isn’t public you wouldn’t be able to access anything.
  • Sometimes people have multiple profiles.
  • Sometimes the subject can be found on someone else’s profile.
    • Relatives, friends, neighbors, etc.
    • Pictures might be on a different person’s profile.

google.com

  • Search: thecybermentor site:instagram.com
  • Search: thecybermentor instagram.com

Other Sites:

New sites I’m unsure about:

Github Tools:

Reddit

reddit.com is one of the best resources to find stuff.

Use the search bar at the top:

  • Example: the cyber mentor
  • Example: “the cyber mentor”
  • Use the sort options.
  • Go to the users page if it exists.

Using Google:

  • “the cyber mentor” site:reddit.com
  • “firstname lastname” site:reddit.com
  • “the cyber mentor” site:reddit.com intext:oscp

Linkedin

Try to make a fake sock account. Be careful to not get banned or shadow banned.

Scrapes employees from a LinkedIn company page… github.com/shellfarmer/WeakestLink

  • If images are available you can try reverse image search.
  • Try searching an account’s username on google.
  • Check contact info for anything useful.
  • Check location, activities.
  • Check profile sections, experience, education, etc.
  • Check external links.
  • Check connections to other people, accounts.
  • LION (open network) members accept requests to connect.

Tiktok

They are more locked down these days, but you might be able to gather some valuable info.

  • Check videos for info.
  • Use images for reverse image search, etc.

Subsections of Websites

Gathering Information

You can start with google.com to see what’s out there.

Search terms:

  • tcm-sec.com
  • "tcm-sec.com"
  • site:tcm-sec.com
  • site:tcm-sec.com heath
  • site:tcm-sec.com heath -academy
  • Check images if no sites/domains show up.

Gather as much information as you can about the target site.

  • IP addresses
  • Physical addresses
  • Google tags/analytics
  • Technology

Websites and online tools

Some of these sites can search using multiple types of data.

Internet Services (IP, ISP, location)

DNS Techniques:

Podcast on a penetration test, social engineering, incident response:
darknetdiaries.com/episode/22

Tools on github

Subdomains

Subdomain Hunting

When hunting down subdomains you are looking for developer or staging versions of a site, or admin login pages that are not public or easily found on the internet.

Website tools are not the best way to scan for subdomains, but you can try google and a couple others to see if anything interesting shows up.

Search google.com

  • site:tesla.com
  • site:tesla.com -www
  • site:tesla.com -www -forums inurl:dev
  • site:tesla.com -www -forums inurl:admin
  • site:tesla.com -www -forums inurl:console

Other website tools

pentest-tools.com - scans are limited and you may have to create an account now.
pentest-tools.com/information-gathering/find-subdomains-of-domain

spyse.com - Shut down.

Shodan and Wayback

Shodan

shodan.io - Website tool to discover all kinds of stuff connected to the internet.

  • Click on explore to see what is possible. It will show you the query being used.
  • It may show screenshots of what the loaded IP address looks like.
  • Search examples:
    • Click on one of the cameras.
    • Copy the IP address or you can try any IP address.
    • anydomain.com - but may work better with an IP address.
    • city:atlanta - you should see quite a few results.
    • city:atlanta port:3389 - check for remote desktop.
    • city:atlanta port:3389 org:choopa - specific organization.
    • city:atlanta port:3389 org:choopa-business - narrow it down more.
    • Click Images tab to see just the images.
    • You can click to look at the details of a host.
    • You can find vulnerable systems.

web.archive.org

web.archive.org - non-profit library of millions of free books, movies, music, websites, etc.

  • https://anydomain.com - the highlighted spots are where you can find screenshots.
  • https://amazon.com - should show some versions of the site from a long time ago.

Google cached websites

  • Go to google.com and search for a domain.
  • Click on the 3 dot menu, then on the arrow to show more options, click on Cached.
  • You might find some data in the cached version

Other Command line tools

Businesses

OSINT is essentially a mix of all the tools covered in this course and the strategies on how to use them so you will see the same tools again and again. There are a lot of things you can use for researching a company. You can identify the employees, who is running the company, who the executives are. Depending on the size of the company, you can figure out the organizational structure. You can look up the social media sites that the company and the employees are using. You can look at job descriptions and how the company hires people.

You are looking for information that can help you identify people and places, information that can be found through what employees are putting online, especially if it’s a physical engagement and/or social engineering. You need to find out everything about the company and narrow it down.

Subsections of Businesses

Hunting Business Info

You might be able to find useful information from photos and videos. Is there a dress code? Is there a badge? Who are the employees you are looking at? Can you see their office, desk, computers, applications, OS, badges, phones, the inside of the office, etc.?

  • linkedin.com
    • Search - from a profile that has no connections.
      • tcm security
      • check tabs and look for information
      • About
      • People
        • images - right click, open in new tab, save photos, reverse image search.
        • copy “position title” and search it on google.
          • "IT Solutions Engineer at TCM Security"
          • find linkedin or other profiles online.
          • site:linkedin.com "* at TCM Security" (with wildcard)
          • might be “false positives” - non-employees showing up.
          • site:linkedin.com/in/ "* at TCM Security"
          • site:linkedin.com/pub "* at TCM Security"
      • Videos

Database of companies (requires a little digging through internal and external links):
opencorporates.com
You can search for companies and/or individuals.

Database of companies:
aihitdata.com

Job search:
indeed.com
Sometimes the job details will have a lot of information, software the company uses. Search for companies, positions, people.

Company search (indeed.com):
google.com

  • Jobs can be found that are not listed on a company’s Indeed.com pages.
  • "Empirical Concepts Inc" site:indeed.com
  • Also look up just the company to see if they have a jobs or careers page on their own website or other sites like linkedin.com.

Wireless

Currently there is only one website that is at the top and the best place to research wireless networks.

wigle.net (pronounced why-gull)

  • Free to register - go ahead and create an account and log in.

What is wigle?

The term war driving applies here: this is where you drive around and collect data about the networks in your area. This website has done exactly this on an impressively massive scale.

Every purple instance you can see is a wireless network, and the number appears to be countless. You can zoom in and see data on each wireless network. It doesn’t help that much unless you are looking at a specific neighborhood or location. You can type in an address, latitude/longitude, SSID, or MAC address to find a location.

The most important value is when you go to View -> Advanced Search. You can search a lot of different elements. You can narrow down where and what you are looking for. The data you find may not be current. You can click on map to see the location.

  • On an assessment you might get access to a network and see that there is a wireless network attached to it. In this case, you can use wigle.net to try to locate that wireless network.
  • If you obtain credentials for the wireless network and can find its location, can you use them in any way?
  • If you have the name of the SSID, can you use that to find the location?

OSINT Tools

It is very important to learn how to use the different tools, frameworks, and eventually how to automate them. It will make everything run a lot faster and smoother. It’s also a good idea to learn how to research the tools. Learn more about the tools you are using while realizing that the tools may change over time and that there may be other tools out there. Some tools may stop working so you’ll need to find something to replace those.

Subsections of OSINT Tools

Image and Location

More tools can be found if you do some research.

google.com

  • exif tool site:github.com

exiftool - Might have to install it.

apt search exiftool                           
Sorting... Done
Full Text Search... Done

libimage-exiftool-perl/kali-rolling 12.67+dfsg-1 all
  library and program to read and write meta information in multimedia files
sudo apt install libimage-exiftool-perl    
[sudo] password for kali:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  libcompress-raw-lzma-perl libmime-charset-perl libsombok3 libunicode-linebreak-perl
Suggested packages:
  libposix-strptime-perl libencode-eucjpascii-perl libencode-hanextra-perl libpod2-base-perl
The following NEW packages will be installed:
  libcompress-raw-lzma-perl libimage-exiftool-perl libmime-charset-perl libsombok3 libunicode-linebreak-perl
0 upgraded, 5 newly installed, 0 to remove and 1284 not upgraded.
Need to get 4,114 kB of archives.
After this operation, 24.7 MB of additional disk space will be used.
Do you want to continue? [Y/n]
exiftool dog.JPG             
ExifTool Version Number         : 12.67
File Name                       : dog.JPG
Directory                       : .
File Size                       : 3.9 MB
File Modification Date/Time     : 2023:12:28 10:59:18-05:00
File Access Date/Time           : 2023:12:28 11:01:19-05:00
File Inode Change Date/Time     : 2023:12:28 11:01:19-05:00
File Permissions                : -rwxrwx---
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
Exif Byte Order                 : Big-endian (Motorola, MM)
Make                            : Apple
Camera Model Name               : iPhone 4S
Orientation                     : Rotate 90 CW
X Resolution                    : 72
Y Resolution                    : 72
Resolution Unit                 : inches
Software                        : 5.0.1
Modify Date                     : 2012:03:11 12:01:53
Y Cb Cr Positioning             : Centered
Exposure Time                   : 1/1842
F Number                        : 2.4
Exposure Program                : Program AE
ISO                             : 64
Exif Version                    : 0221
Date/Time Original              : 2012:03:11 12:01:53
Create Date                     : 2012:03:11 12:01:53
Components Configuration        : Y, Cb, Cr, -
Shutter Speed Value             : 1/1842
Aperture Value                  : 2.4
Brightness Value                : 10.39054726
Metering Mode                   : Multi-segment
Flash                           : Off, Did not fire
Focal Length                    : 4.3 mm
Subject Area                    : 1631 1223 881 881
Flashpix Version                : 0100
Color Space                     : sRGB
Exif Image Width                : 3264
Exif Image Height               : 2448
Sensing Method                  : One-chip color area
Exposure Mode                   : Auto
White Balance                   : Auto
Focal Length In 35mm Format     : 35 mm
Scene Capture Type              : Standard
Sharpness                       : Normal
GPS Latitude Ref                : North
GPS Longitude Ref               : West
GPS Altitude Ref                : Above Sea Level
GPS Time Stamp                  : 17:30:26
GPS Img Direction Ref           : True North
GPS Img Direction               : 191.2603175
Compression                     : JPEG (old-style)
Thumbnail Offset                : 914
Thumbnail Length                : 9959
Image Width                     : 3264
Image Height                    : 2448
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Aperture                        : 2.4
Image Size                      : 3264x2448
Megapixels                      : 8.0
Scale Factor To 35 mm Equivalent: 8.2
Shutter Speed                   : 1/1842
Thumbnail Image                 : (Binary data 9959 bytes, use -b option to extract)
GPS Altitude                    : 182 m Above Sea Level
GPS Latitude                    : 41 deg 40' 43.20" N
GPS Longitude                   : 83 deg 39' 21.00" W
Circle Of Confusion             : 0.004 mm
Field Of View                   : 54.4 deg
Focal Length                    : 4.3 mm (35 mm equivalent: 35.0 mm)
GPS Position                    : 41 deg 40' 43.20" N, 83 deg 39' 21.00" W
Hyperfocal Distance             : 2.08 m
Light Value                     : 14.0
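The listing above shows why stripping metadata matters: the GPS tags place the photo within a few metres. The script below is an added example (not part of these notes and not exiftool’s own code) that parses exiftool’s text output, converts the degrees/minutes/seconds values to decimal degrees, and lists the tags a photo owner would want removed before publishing. The sample output is a constructed excerpt of the dog.JPG listing.

```python
"""
Added example: parse `exiftool` text output, convert GPS DMS values to decimal
degrees and flag location/device-revealing tags. SAMPLE_OUTPUT is a constructed
excerpt of the dog.JPG listing shown in the notes.
"""
import re

# Constructed excerpt of `exiftool dog.JPG` output (one "Tag : value" per line).
SAMPLE_OUTPUT = """\
Make                            : Apple
Camera Model Name               : iPhone 4S
Date/Time Original              : 2012:03:11 12:01:53
GPS Altitude                    : 182 m Above Sea Level
GPS Latitude                    : 41 deg 40' 43.20" N
GPS Longitude                   : 83 deg 39' 21.00" W
GPS Position                    : 41 deg 40' 43.20" N, 83 deg 39' 21.00" W
"""

# Tags that tie a photo to a place, a time, a device or a person.
SENSITIVE_TAGS = (
    "GPS Latitude", "GPS Longitude", "GPS Position", "GPS Altitude",
    "Date/Time Original", "Create Date", "Make", "Camera Model Name",
    "Serial Number", "Owner Name", "Artist",
)

# 41 deg 40' 43.20" N  ->  groups: degrees, minutes, seconds, hemisphere
DMS_RE = re.compile(r"""(\d+)\s*deg\s*(\d+)'\s*([\d.]+)"\s*([NSEW])""")


def parse_exiftool(text):
    """Turn exiftool's 'Tag : value' lines into a dict (later duplicates win).

    Only the first ' : ' on a line separates tag from value, so values that
    themselves contain colons (dates, times) are kept intact.
    """
    tags = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        name, value = line.split(" : ", 1)
        tags[name.strip()] = value.strip()
    return tags


def dms_to_decimal(value):
    """Convert '41 deg 40\\' 43.20" N' to 41.678667; S and W are negative."""
    match = DMS_RE.search(value)
    if not match:
        raise ValueError(f"not a DMS coordinate: {value!r}")
    deg, minutes, seconds, hemi = match.groups()
    decimal = int(deg) + int(minutes) / 60 + float(seconds) / 3600
    return round(-decimal if hemi in "SW" else decimal, 6)


def location(tags):
    """Return (lat, lon) in decimal degrees, or None when no GPS fix is stored."""
    if "GPS Latitude" not in tags or "GPS Longitude" not in tags:
        return None
    return dms_to_decimal(tags["GPS Latitude"]), dms_to_decimal(tags["GPS Longitude"])


def sensitive_fields(tags):
    """Subset of tags worth stripping before an image is published."""
    return {k: v for k, v in tags.items() if k in SENSITIVE_TAGS}


if __name__ == "__main__":
    parsed = parse_exiftool(SAMPLE_OUTPUT)
    print("decimal position:", location(parsed))
    for tag, value in sensitive_fields(parsed).items():
        print(f"{tag}: {value}")
```

To remove these tags before publishing, exiftool’s `-all=` option (a real option, not shown in the listing above) writes a copy with all metadata stripped.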

Emails and Breached Data

Hunting Emails and Breached Data

theHarvester: github.com/laramies/theHarvester

It performs open source intelligence (OSINT) gathering to help determine a domain’s external threat landscape. The tool gathers names, emails, IPs, subdomains, and URLs by using multiple public resources.

Note: Some websites may start to block you if you hit them too much; for example, google.com might block you if you search too much with theHarvester or similar tools.

 theHarvester -h              
*******************************************************************
*  _   _                                            _             *
* | |_| |__   ___    /\  /\__ _ _ ____   _____  ___| |_ ___ _ __  *
* | __|  _ \ / _ \  / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | |  __/ / __  / (_| | |   \ V /  __/\__ \ ||  __/ |    *
*  \__|_| |_|\___| \/ /_/ \__,_|_|    \_/ \___||___/\__\___|_|    *
*                                                                 *
* theHarvester 4.3.0                                              *
* Coded by Christian Martorella                                   *
* Edge-Security Research                                          *
* cmartorella@edge-security.com                                   *
*                                                                 *
*******************************************************************
usage: theHarvester [-h] -d DOMAIN [-l LIMIT] [-S START] [-p] [-s] [--screenshot SCREENSHOT] [-v] [-e DNS_SERVER] [-t]
                    [-r [DNS_RESOLVE]] [-n] [-c] [-f FILENAME] [-b SOURCE]

theHarvester is used to gather open source intelligence (OSINT) on a company or domain.

options:
  -h, --help            show this help message and exit
  -d DOMAIN, --domain DOMAIN
                        Company name or domain to search.
  -l LIMIT, --limit LIMIT
                        Limit the number of search results, default=500.
  -S START, --start START
                        Start with result number X, default=0.
  -p, --proxies         Use proxies for requests, enter proxies in proxies.yaml.
  -s, --shodan          Use Shodan to query discovered hosts.
  --screenshot SCREENSHOT
                        Take screenshots of resolved domains specify output directory: --screenshot output_directory
  -v, --virtual-host    Verify host name via DNS resolution and search for virtual hosts.
  -e DNS_SERVER, --dns-server DNS_SERVER
                        DNS server to use for lookup.
  -t, --take-over       Check for takeovers.
  -r [DNS_RESOLVE], --dns-resolve [DNS_RESOLVE]
                        Perform DNS resolution on subdomains with a resolver list or passed in resolvers, default False.
  -n, --dns-lookup      Enable DNS server lookup, default False.
  -c, --dns-brute       Perform a DNS brute force on the domain.
  -f FILENAME, --filename FILENAME
                        Save the results to an XML and JSON file.
  -b SOURCE, --source SOURCE
                        anubis, baidu, bevigil, binaryedge, bing, bingapi, bufferoverun, brave, censys, certspotter, criminalip, crtsh,
                        dnsdumpster, duckduckgo, fullhunt, github-code, hackertarget, hunter, hunterhow, intelx, otx, pentesttools,
                        projectdiscovery, rapiddns, rocketreach, securityTrails, sitedossier, subdomainfinderc99, threatminer, urlscan,
                        virustotal, yahoo, zoomeye
theHarvester -d tesla.com -b all -l 50

theHarvester -d tesla.com -b yahoo -l 50

breach-parse: github.com/hmaverickadams/breach-parse

A tool for parsing breached passwords

Install: `sudo ./install.sh`

Download breached password list from magnet located here: `magnet:?xt=urn:btih:7ffbcd8cee06aba2ce6561688cf68ce2addca0a3&dn=BreachCompilation&tr=udp%3A%2F%2Ftracker.openbittorrent.com%3A80&tr=udp%3A%2F%2Ftracker.leechers-paradise.org%3A6969&tr=udp%3A%2F%2Ftracker.coppersurfer.tk%3A6969&tr=udp%3A%2F%2Fglotorrents.pw%3A6969&tr=udp%3A%2F%2Ftracker.opentrackr.org%3A1337`

If you don't store the password list (BreachCompilation) in `/opt/breach-parse`, specify the location like:

`breach-parse @gmail.com gmail.txt "~/Downloads/BreachCompilation/data"`

Run `breach-parse` for instructions

The breach compilation database is around 44GB. You have to download it and place it in the breach-parse directory.

h8mail github.com/khast3x/h8mail

h8mail is an email OSINT and breach hunting tool using different breach and reconnaissance services, or local breaches such as Troy Hunt’s “Collection1” and the infamous “Breach Compilation” torrent.

Requires API keys, and a lot of them are paid. You can also use that same breach compilation database with h8mail. One problem is that it can’t run a search based on just a domain.

 pip3 install h8mail              
Defaulting to user installation because normal site-packages is not writeable
Collecting h8mail
  Downloading h8mail-2.5.6-py3-none-any.whl (34 kB)
Requirement already satisfied: requests in /usr/lib/python3/dist-packages (from h8mail) (2.31.0)
Installing collected packages: h8mail
Successfully installed h8mail-2.5.6
h8mail -t target@example.com

h8mail -t targets.txt -bc ../Downloads/BreachCompilation/ -sk

h8mail -t targets.txt -gz /tmp/Collection1/ -sk

EmailHarvester: github.com/maldevel/EmailHarvester

Usernames and Accounts

WhatsMyName - Not the same tool now.
github.com/WebBreacher/WhatsMyName

WhatsMyName (WMN) consists of a JSON file with detections in it. Submissions from people all over the world are included. When a request is made to one of those sites from a tool like the ones in the next section, the server replies with data that will match one of our detections.

Website/Apps using WhatsMyName:

sherlock - Not to be confused with Sherlock.ps1
github.com/sherlock-project/sherlock

 sherlock thecybermentor 

  [*] Checking username thecybermentor on:

[+] AllMyLinks: https://allmylinks.com/thecybermentor
[+] BuyMeACoffee: https://buymeacoff.ee/thecybermentor
[+] Clubhouse: https://www.clubhouse.com/@thecybermentor
[+] GitHub: https://www.github.com/thecybermentor
[+] HackerOne: https://hackerone.com/thecybermentor
[+] Keybase: https://keybase.io/thecybermentor
[+] Linktree: https://linktr.ee/thecybermentor
[+] Nightbot: https://nightbot.tv/t/thecybermentor/commands
[+] Patreon: https://www.patreon.com/thecybermentor
[+] Reddit: https://www.reddit.com/user/thecybermentor
[+] TryHackMe: https://tryhackme.com/p/thecybermentor
[+] Twitch: https://www.twitch.tv/thecybermentor
[+] Twitter: https://twitter.com/thecybermentor
[+] mastodon.cloud: https://mastodon.cloud/@thecybermentor
[+] metacritic: https://www.metacritic.com/user/thecybermentor

blackbird

 python blackbird.py -u thecybermentor   

    ▄▄▄▄    ██▓    ▄▄▄       ▄████▄   ██ ▄█▀ ▄▄▄▄    ██▓ ██▀███  ▓█████▄
    ▓█████▄ ▓██▒   ▒████▄    ▒██▀ ▀█   ██▄█▒ ▓█████▄ ▓██▒▓██ ▒ ██▒▒██▀ ██▌
    ▒██▒ ▄██▒██░   ▒██  ▀█▄  ▒▓█    ▄ ▓███▄░ ▒██▒ ▄██▒██▒▓██ ░▄█ ▒░██   █▌
    ▒██░█▀  ▒██░   ░██▄▄▄▄██ ▒▓▓▄ ▄██▒▓██ █▄ ▒██░█▀  ░██░▒██▀▀█▄  ░▓█▄   ▌
    ░▓█  ▀█▓░██████▒▓█   ▓██▒▒ ▓███▀ ░▒██▒ █▄░▓█  ▀█▓░██░░██▓ ▒██▒░▒████▓
    ░▒▓███▀▒░ ▒░▓  ░▒▒   ▓▒█░░ ░▒ ▒  ░▒ ▒▒ ▓▒░▒▓███▀▒░▓  ░ ▒▓ ░▒▓░ ▒▒▓  ▒
    ▒░▒   ░ ░ ░ ▒  ░ ▒   ▒▒ ░  ░  ▒   ░ ░▒ ▒░▒░▒   ░  ▒ ░  ░▒ ░ ▒░ ░ ▒  ▒
    ░    ░   ░ ░    ░   ▒   ░        ░ ░░ ░  ░    ░  ▒ ░  ░░   ░  ░ ░  ░
    ░          ░  ░     ░  ░░ ░      ░  ░    ░       ░     ░        ░
        ░                  ░                     ░               ░

                                        Made with ❤️️ by p1ngul1n0

[!] Searching 'thecybermentor' across 582 social networks
[+] - #16 Twitter Archived account found - http://archive.org/wayback/available?url=https://twitter.com/thecybermentor [200 OK]
[+] - #19 Xhamster account found - https://xhamster.com/users/thecybermentor [200 OK]
[+] - #12 Github account found - https://github.com/thecybermentor [200 OK]
   |--Name:
   |--Nickname:           thecybermentor


   |--picture: https://avatars.githubusercontent.com/u/75207118?v=4?s=400
[+] - #41 Ebay account found - https://www.ebay.com/usr/thecybermentor [200 OK]
[+] - #80 HackerOne account found - https://hackerone.com/thecybermentor?type=user [200 OK]
[+] - #1 Facebook account found - https://www.facebook.com/thecybermentor [200 OK]
[+] - #7 Instagram account found - https://www.picuki.com/profile/thecybermentor [200 OK]
   |--Name: Heath Adams
   |--Bio:             Living my best life.
   |--Followers: 70,496
   |--Following: 38
   |--picture: https://cdn1.picuki.com/hosted-by-instagram/q/yep6IPkO1EBGZyPbcMUVwONSiqxxRQlN.jpeg
[+] - #15 Xbox Gamertag account found - https://www.xboxgamertag.com/search/thecybermentor [200 OK]
   |--Name: TheCyberMentor
   |--picture: https://images.weserv.nl/?url=https://images-eds-ssl.xboxlive.com/image?url=8Oaj9Ryq1G1_p3lLnXlsaZgGzAie6Mnu24_PawYuDYIoH77pJ.X5Z.MqQPibUVTcS9jr0n8i7LY1tL3U7AiafSCYxKvpXj31MkoG3bO_PRAaZnxiCXXhJwXdM2GFciVMQ65NJp_gJqzkZPkN4cbjqg--&format=png&maxage=1d&output=webp&w=90&h=90
[+] - #25 WordPress Site account found - https://thecybermentor.wordpress.com/ [200 OK]
[+] - #14 Linktree account found - https://linktr.ee/thecybermentor [200 OK]
   |--Name: @thecybermentor
   |--Description: Linktree. Make your link do more.
   |--picture: https://assets.production.linktr.ee/profiles/_next/static/logo-assets/default-meta-image.png
[+] - #117 BugBounty account found - https://bugbounty.gg/members/thecybermentor/ [200 OK]
[+] - #45 Armor Games account found - https://armorgames.com/user/thecybermentor [200 OK]
[+] - #312 GitHub account found - https://github.com/thecybermentor [200 OK]
[+] - #147 Fark account found - https://www.fark.com/users/thecybermentor [200 OK]
Traceback (most recent call last):
  File "/opt/blackbird/blackbird.py", line 298, in <module>
    asyncio.run(findUsername(arguments.username, interfaceType, arguments.csv))
  File "/usr/lib/python3.11/asyncio/runners.py", line 190, in run
    return runner.run(main)
           ^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/asyncio/runners.py", line 118, in run
    return self._loop.run_until_complete(task)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/asyncio/base_events.py", line 653, in run_until_complete
    return future.result()
           ^^^^^^^^^^^^^^^
  File "/opt/blackbird/blackbird.py", line 58, in findUsername
    userFile = open(pathSave, "w")
               ^^^^^^^^^^^^^^^^^^^
PermissionError: [Errno 13] Permission denied: '/opt/blackbird/results/thecybermentor.json'

Phone Numbers

phoneinfoga: github.com/sundowndev/phoneinfoga
PhoneInfoga is one of the most advanced tools to scan international phone numbers. It allows you to first gather basic information such as country, area, carrier and line type, then use various techniques to try to find the VoIP provider or identify the owner. It works with a collection of scanners that must be configured in order for the tool to be effective. PhoneInfoga doesn’t automate everything, it’s just there to help investigating on phone numbers.

It needs the country code before the number. This would be a US number:

phoneinfoga scan -n 15555551212

Start localhost server:

phoneinfoga serve -p 8080 

Load http://localhost:8080/#/ in a web browser.

Social Media

Note: Most of these tools are currently broken, or don’t work at all, because of changes in the social media services. For example, Twint is dead.

All in one

snscrape: github.com/JustAnotherArchivist/snscrape

choose from 'facebook-community', 'facebook-group', 'facebook-user', 'instagram-hashtag', 'instagram-location', 'instagram-user', 'mastodon-profile', 'mastodon-toot', 'reddit-search', 'reddit-submission', 'reddit-subreddit', 'reddit-user', 'telegram-channel', 'twitter-cashtag', 'twitter-community', 'twitter-hashtag', 'twitter-list-posts', 'twitter-profile', 'twitter-search', 'twitter-trends', 'twitter-tweet', 'twitter-user', 'twitter-users', 'vkontakte-user', 'weibo-user'

A few tests with this tool were unsuccessful, but it might possibly work for some of the services.
It scrapes things like user profiles, hashtags, or searches and returns the discovered items, e.g. the relevant posts from these social networking services.

  • Facebook: user profiles, groups, and communities (aka visitor posts)
  • Instagram: user profiles, hashtags, and locations
  • Mastodon: user profiles and toots (single or thread)
  • Reddit: users, subreddits, and searches (via Pushshift)
  • Telegram: channels
  • Twitter: users, user profiles, hashtags, searches (live tweets, top tweets, and users), tweets (single or surrounding thread), list posts, communities, and trends
  • VKontakte: user profiles
  • Weibo (Sina Weibo): user profiles

Twitter

Twint is no longer maintained due to changes in Twitter.
twint: github.com/twintproject/twint

Another tool, but it probably doesn’t work now, after the changes in June 2023.
github.com/markowanga/stweet

Another tool, but I haven’t tested it yet.
github.com/Altimis/Scweet

Instagram

Doesn’t appear to work now.
InstagramOSINT: github.com/sc1341/InstagramOSINT

List of Social Media Tools

github.com/osintambition/Social-Media-OSINT-Tools-Collection

Websites

Firefox extension:
Wappalyzer

whatweb - command line.
whatweb https://domain.com

whois - command line.
whois domain.com

httprobe: github.com/tomnomnom/httprobe
amass: github.com/owasp-amass/amass

Subdomains

More subdomain tools:
github.com/topics/subdomain-enumeration

Command Examples:

subfinder -d domain.com

sublist3r -d domain.com

bbot -t z3r0r3z.com -f subdomain-enum -rf passive
bbot -s -t z3r0r3z.com -f subdomain-enum -rf passive

assetfinder --subs-only domain.com >> domain-com-subdom.txt
assetfinder domain.com | grep domain.com | sort -u
assetfinder domain.com | grep domain.com > domain.txt
cat domain.txt | grep dev
cat domain.txt | grep sta
cat domain.txt | grep admin

amass enum -d domain.com

cat domain.txt | sort -u | httprobe -s -p https:443

gowitness single https://domain.com
gowitness file -f ./alive_gowitness.txt -P captures_gowitness/ --no-http

bbot example - partial output:

 bbot -t z3r0r3z.com -f subdomain-enum -rf passive
[INFO] Loaded defaults from /home/kali/.local/pipx/venvs/bbot/lib/python3.11/site-packages/bbot/defaults.yml
[INFO] Creating BBOT config at /home/kali/.config/bbot/bbot.yml
[INFO] Creating BBOT secrets at /home/kali/.config/bbot/secrets.yml
[INFO] 
[INFO] ### MODULES ###
 
[....] (Too much to paste here)

[INFO] Finishing scan
[INFO] asn: +---------+------------------+--------------+----------------+-------------------------+-----------+
[INFO] asn: | ASN     | Subnet           | Host Count   | Name           | Description             | Country   |
[INFO] asn: +=========+==================+==============+================+=========================+===========+
[INFO] asn: | AS63410 | 109.150.165.0/22 | 6            | PRIVATECOSYSTEMS | PrivateEcoSystems Petworks | US        |
[INFO] asn: +---------+------------------+--------------+----------------+-------------------------+-----------+
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | Module          | Produced           | Consumed                     |
[INFO] aggregate: +=================+====================+==============================+
[INFO] aggregate: | certspotter     | 4 (4 DNS_NAME)     | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | leakix          | 4 (4 DNS_NAME)     | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | columbus        | 3 (3 DNS_NAME)     | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | crt             | 3 (3 DNS_NAME)     | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | massdns         | 3 (3 DNS_NAME)     | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | dnsdumpster     | 2 (2 DNS_NAME)     | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | hackertarget    | 2 (2 DNS_NAME)     | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | otx             | 2 (2 DNS_NAME)     | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | wayback         | 2 (2 DNS_NAME)     | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | CNAME           | 2 (2 DNS_NAME)     | 0                            |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | azure_tenant    | 1 (1 AZURE_TENANT) | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | speculate       | 1 (1 DNS_NAME)     | 4 (3 DNS_NAME, 1 IP_ADDRESS) |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | A               | 1 (1 IP_ADDRESS)   | 0                            |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | anubisdb        | 0                  | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | azure_realm     | 0                  | 5 (5 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | digitorus       | 0                  | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | dnscommonsrv    | 0                  | 5 (5 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | myssl           | 0                  | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | nsec            | 0                  | 3 (3 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | rapiddns        | 0                  | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | riddler         | 0                  | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | sitedossier     | 0                  | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | subdomaincenter | 0                  | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | threatminer     | 0                  | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | urlscan         | 0                  | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | ipneighbor      | 0                  | 1 (1 IP_ADDRESS)             |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | PTR             | 0                  | 0                            |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | SOA             | 0                  | 0                            |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | NS              | 0                  | 0                            |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | AAAA            | 0                  | 0                            |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | host            | 0                  | 0                            |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] output.csv: Saved CSV output to /home/kali/.bbot/scans/scheming_kyle/output.csv
[INFO] output.human: Saved TXT output to /home/kali/.bbot/scans/scheming_kyle/output.txt
[INFO] output.json: Saved JSON output to /home/kali/.bbot/scans/scheming_kyle/output.ndjson
[INFO] output.subdomains: Saved subdomains to /home/kali/.bbot/scans/scheming_kyle/subdomains.txt
[SUCC] Scan scheming_kyle completed in 40 seconds with status FINISHED
[INFO] Saved word cloud (9 words) to /home/kali/.bbot/scans/scheming_kyle/wordcloud.tsv

Set up Go to run in bash/zsh:

nano ~/.bashrc
nano ~/.zshrc

export GOPATH=$HOME/go 
export GOROOT=/usr/lib/go 
export PATH=$PATH:$GOROOT/bin:$GOPATH/bin 

source ~/.bashrc
source ~/.zshrc

Set up Go to run in fish:

vim ~/.config/fish/config.fish

set -x GOPATH $HOME/go
set -x PATH $PATH $GOPATH/bin

source ~/.config/fish/config.fish

Frameworks

Tools

  • recon-ng
  • Spiderfoot
  • sn0int
  • etc. Check in Kali and online for more.

recon-ng

hackertarget.py

[recon-ng][default] > marketplace search

[recon-ng][default] > marketplace install hackertarget

[recon-ng][default] > modules load hackertarget

[recon-ng][default][hackertarget] > info

[recon-ng][default][hackertarget] > options set SOURCE domain.com

[recon-ng][default][hackertarget] > run

[recon-ng][default][hackertarget] > show hosts

[recon-ng][default][hackertarget] > back
[recon-ng][default] >

profiler.py

Dec 12, 2023: If your profiler.py is printing errors in red, this is probably how you can fix it:
github.com/lanmaster53/recon-ng-marketplace/pull/246

To make it easier, I put all the file locations and modifications here:

recon-ng-marketplace Edit #1
Edit: /home/kali/.recon-ng/modules/recon/profiles-profiles/profiler.py at line 30.

   def module_thread(self, site, user):
        d = dict(site)
        # if d['valid'] == True:
        if d.get('valid', True) == True:
            self.verbose(f"Checking: {d['name']}")

recon-ng-marketplace Edit #2
Edit: /home/kali/.recon-ng/modules/recon/profiles-profiles/profiler.py at line 30.

meta = {
  'name': 'OSINT HUMINT Profile Collector',
  'author': 'Micah Hoffman (@WebBreacher), Brendan Burke (@gbinv)',
  # 'version': '1.1',
  'version': '1.2',
  'description': 'Takes each username from the profiles table and searches a variety of web sites for those users. The list of valid sites comes from the parent project at https://github.com/WebBreacher/WhatsMyName',
  'comments': (

recon-ng-marketplace Edit #3
Edit: /home/kali/.recon-ng/modules.yml on lines 1101 and 1105.

  files: []
  last_updated: '2023-12-30'
  name: OSINT HUMINT Profile Collector
  path: recon/profiles-profiles/profiler
  required_keys: []
  version: '1.2'
- author: Robert Frost (@frosty_1313, frosty[at]unluckyfrosty.net)
  dependencies: []

After updating those files you should be able to run it.

[recon-ng][default] > marketplace install profiler

[recon-ng][default] > modules load profiler

[recon-ng][default][profiler] > info

[recon-ng][default][profiler] > options set SOURCE thecybermentor

[recon-ng][default][profiler] > run

[recon-ng][default][profiler] > show profiles

Maltego

A great tool, especially if you have access to API keys.

  • Create an account, install Maltego on Kali, launch it and log in.
  • API keys are needed for most of the Hub Partners, but some free recon is available without them.
  • Click the + at the top right to open a new graph.
  • Type domain in the search and drag it over to the graph area.
  • Rename the domain to the target.
  • Right click on the Domain Entity and select from the list of Transforms.
  • You can test all of the Transforms here.
    • Click on the “double” arrow to begin.
    • Click on the + area to see what it does and the arrow to return.
  • After setting the Required Inputs, click Run.
  • In the results, click on anything to see more, add notes, etc.
  • You can select an item from the results and run another Transform on it.
    • Emails, domains, companies, etc.
    • Then select another item from here and run a Transform again.
  • If you run it on a company that’s been around for a while and has a decent presence, you should gather a lot of data like emails, DNS entries, subdomains, IP addresses, open ports/services, locations, people, etc.

Other Tools

tracelabs.org
Trace Labs is a nonprofit organization whose mission is to accelerate the family reunification of missing persons while training members in the tradecraft of open source intelligence (OSINT).

hunch.ly

  • Pricing: 30 day free trial, $129.99 per year, Team (quote).
  • Setup Example
    • Create a new case.
    • Fill out “Selectors” for things you want to find.
      • username, name, email address, etc.
      • Keep adding new items that you find.
      • Filter results in History for each Selector.
    • Fill out “Tags” for grouping findings.
      • Breached Passwords
      • Social Media
      • Videos, Images
      • Phone Numbers
      • People
      • Set up default tags.
      • Filter results in History for each Tag.
    • Create a To Do list.
    • Check Settings that you may want.
      • Highlight Selectors
    • Webpages will be listed in history.
    • Go to Google and turn on the “Capture” toggle.
    • Assign captures to the new case.
    • Start searching on google.
    • Start opening websites that you find.
    • You may start finding selectors that you created.
    • Right click on page for some options.
    • Assign tags to websites.
    • Add notes, capture images.
    • In the History you can check google cache or wayback machine.
    • When you’re done you can export all the data as a report if necessary.

Automation

Custom Ideas

Creating a script for subdomain recon:

  • Save whois to file.
  • Scan for subdomains and save to files.
  • Check for subdomains that are live and accessible.
  • Take screenshots of live subdomains.
  • Do this over HTTPS/443 only.

The original idea for this basic script was inspired by thecybermentor.
I took the original and started modifying it for my own private testing.

github.com/z3r0r3za/reconesh

#!/bin/bash

# recone.sh - Some basic automated scanning.
# ##############################################
# Some need to be uncommented if you want to use
# them. Tools on github used in this script:
# nmap (open ports), whois, subfinder, sublist3r, 
# bbot, assetfinder, amass, httprobe, gowitness.

# Does first argument exist? If not, print usage and exit.
if [ $# -eq 0 ]; then
    echo "A domain wasn't specified."
    echo "Usage: recone.sh domain.com"
    exit 1
fi

# Get first argument, the domain and save it.
domain=$1
# Store the number of "200 OK" header lines the domain answered with.
# Is the domain up? If not, inform user, print usage and exit.
# (The check runs after the argument test so wget is never called with an empty URL.)
up=$(wget --spider --server-response "$domain" 2>&1 | grep -c '200 OK')
if [ "$up" -eq 0 ]; then
    echo "That domain is down or doesn't exist."
    echo "Usage: recone.sh domain.com"
    exit 1
fi
# Set some colors
RED="\033[1;31m"
GREEN="\033[1;32m"
RESET="\033[0m"
# Set up directories. Add timestamp to base directory. 
base_directory="${domain}_$(date +'%Y%m%dT%H%M%S')"
nmap="$base_directory/nmap"
ferox="$base_directory/ferox"
information="$base_directory/info"
subdomains="$base_directory/subdomains"
screenshots="$base_directory/screenshots"
dirs=("$nmap" "$ferox" "$information" "$subdomains" "$screenshots")
validate_domain="^([a-zA-Z0-9][a-zA-Z0-9-]{0,61}[a-zA-Z0-9]\.)+[a-zA-Z]{2,}$"

# Check if domain is valid.
if [[ "$domain" =~ $validate_domain ]]; then
    # Create directories for domain.
    echo "Creating directories for the domain..."
    #for path in "$nmap" "$ferox" "$information" "$subdomains" "$screenshots"; do
    for path in "${dirs[@]}"; do
        if [ ! -d "$path" ]; then
            mkdir -p "$path"
            echo "$path"
        fi
    done
else
    echo "$domain is not a valid domain."
    exit 1
fi

# Get IP address and run nmap to get open ports.
# Uncomment nmap if open ports are needed.
# #############################################
echo -e "${GREEN} [+]${RED} Run dig for IP and nmap for ports...${RESET}"
dig +short "$domain" > "$nmap/ip_address.txt"
# dig +short can print CNAME targets before the A record, so keep the first line that is an IPv4 address.
ip=$(dig +short "$domain" | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1)
echo "IP address is: ${ip}"
#nmap -p- --min-rate 10000 -oA "$nmap/open" $ip

# Run whois.
# #############################################
echo -e "${GREEN} [+]${RED} Check whois...${RESET}"
whois $domain > "$information/whois.txt"

# Run subfinder or sublist3r below.
# https://github.com/projectdiscovery/subfinder
# Example: subfinder -d domain.com > domain.com/subdomains/subfinder_domains.txt
# #############################################
echo -e "${GREEN} [+]${RED} Run subfinder...${RESET}"
subfinder -d $domain > "$subdomains/found.txt"

# Run sublist3r and remove characters from output.
# ORIGINAL: https://github.com/aboul3la/Sublist3r
# The newer fork hasn't been tested with this script.
# NEWER FORK: https://github.com/RoninNakomoto/Sublist3r2
# The sed commands may need adjustments if sublist3r output changes.
# subfinder might find more. sublist3r hasn't been finding every subdomain.
# Example: sublist3r -d domain.com > domain.com/subdomains/sublist3r_results.txt
# #############################################
#echo -e "${GREEN} [+]${RED} Run sublist3r...${RESET}"
#dom=".${domain}"
#sublist3r -d $domain > $subdomains/sublist3r_results.txt
#sed -n '/\'"$dom"'/p' "$subdomains/sublist3r_results.txt" | tee "$subdomains/sublist3r_domains.txt" >/dev/null
#sed -i 's/....$//' "$subdomains/sublist3r_domains.txt"
#sed -i 's/^.....//' "$subdomains/sublist3r_domains.txt"
#cp -a "$subdomains/sublist3r_domains.txt" "$subdomains/found.txt"

# Run bbot
# https://github.com/blacklanternsecurity/bbot
# dir - Get and save newest directory and subdomains scan bbot created.
# May not work if your user is root, or might ask for password. Not tested.
# #############################################
#echo -e "${GREEN} [+]${RED} Run bbot...${RESET}"
#bbot -s -t $domain -f subdomain-enum -rf passive
#dir=$(ls -td $HOME/.bbot/scans/*/ | head -1)
#cp -a $dir/subdomains.txt $subdomains/bbot_domains.txt
#cp -a $dir/output.txt $subdomains/bbot_output.txt

# Run assetfinder.
# https://github.com/tomnomnom/assetfinder
# Example: assetfinder domain.com | grep domain.com > domain.com/subdomains/assetfinder_found.txt
# #############################################
echo -e "${GREEN} [+]${RED} Run assetfinder...${RESET}"
assetfinder $domain | grep $domain >> "$subdomains/found.txt"

# Run amass.
# https://github.com/owasp-amass/amass
# It can take a long time to run so uncomment if you want to run it.
# #############################################
#echo -e "${GREEN} [+]${RED} Run Amass. This could take a while...${RESET}"
#amass enum -d $domain >> "$subdomains/found.txt"

# Run httprobe or cat the output of just subdomains to httprobe.
# https://github.com/tomnomnom/httprobe
# #############################################
echo -e "${GREEN} [+]${RED} Run httprobe, see what's accessible...${RESET}"
cat "$subdomains/found.txt" | grep $domain | sort -u | httprobe -prefer-https | grep https | sed 's/https\?:\/\///' | tee -a "$subdomains/alive.txt"

# Run gowitness using httprobe output.
# https://github.com/sensepost/gowitness
# #############################################
echo -e "${GREEN} [+]${RED} Run gowitness, taking screenshots...${RESET}"
gowitness file -f "$subdomains/alive.txt" -P "$screenshots/" --no-http

# Run feroxbuster and extract accessible files.
# https://github.com/epi052/feroxbuster
# This is unfinished and not tested that much yet.
# #############################################
#echo -e "${GREEN} [+]${RED} Run feroxbuster, save status 200s...${RESET}"
#if [[ $(wget -S --spider https://$domain  2>&1 | grep 'HTTP/1.1 200 OK') ]]; then  
#    echo "HTTPS: true"
#    feroxbuster -u "https://$domain" -o "$ferox/directories.txt"
#elif [[ $(wget -S --spider  http://$domain  2>&1 | grep 'HTTP/1.1 200 OK') ]]; then
#    echo "HTTP: true"
#    feroxbuster -u "http://$domain" -o "$ferox/directories.txt"
#fi
#grep -E '^[2][0]{2}' "$ferox/directories.txt" > "$ferox/accessible_dirs1.txt"
#sed 's@.*//@@' "$ferox/accessible_dirs1.txt" > "$ferox/accessible_dirs2.txt"
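The scope-filtering step that the Command Examples above (assetfinder domain.com | grep domain.com | sort -u) and the httprobe stage of recone.sh both rely on, written out as an added example. This is my own illustration, not code from recone.sh or from thecybermentor. It assumes a root domain and a file holding the merged, unedited output of several enumeration tools; the sample file it processes is constructed here and is not real recon data.

```bash
#!/bin/bash
# Added example, not part of the page's recone.sh: scope filtering for the
# "scan for subdomains, then probe only the live ones" steps.
# Assumed input: a root domain plus a file holding the merged, unedited output
# of several enumeration tools (bare hosts, full URLs, host:port, wildcards,
# mixed case, duplicates).

# The domain check the notes use, wrapped in a function so it can be reused.
is_valid_domain() {
    printf '%s\n' "$1" \
        | grep -Eq '^([a-zA-Z0-9][a-zA-Z0-9-]{0,61}[a-zA-Z0-9]\.)+[a-zA-Z]{2,}$'
}

# Reduce one tool-output line to a bare lowercase hostname: drop the scheme,
# the path, a trailing :port and a leading "*." from certificate wildcards.
normalize_host() {
    printf '%s\n' "$1" \
        | tr 'A-Z' 'a-z' \
        | sed -E 's#^[a-z]+://##; s#/.*$##; s#:[0-9]+$##; s#^\*\.##'
}

# Print the hosts that are the root domain or one of its subdomains, sorted and
# deduplicated. A plain "grep domain.com" would also pass notdomain.com and
# domain.com.evil.example, so the match is anchored on the dot boundary.
in_scope_hosts() {
    local root="$1" file="$2" line host
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        host=$(normalize_host "$line")
        case "$host" in
            "$root"|*".$root")
                is_valid_domain "$host" && printf '%s\n' "$host"
                ;;
        esac
    done < "$file" | LC_ALL=C sort -u
}

# Constructed sample of a merged tool-output file (made up, not real recon data).
write_sample() {
    cat > "$1" <<'EOF'
https://www.domain.com/login
DEV.domain.com:8443
*.staging.domain.com
domain.com
notdomain.com
domain.com.evil.example
mail.domain.com
mail.domain.com
http://api.domain.com/v1/
EOF
}

# Run the filter over the constructed sample and print the in-scope list,
# which is what would be fed to httprobe instead of the raw found.txt.
demo_in_scope() {
    local tmp
    tmp=$(mktemp)
    write_sample "$tmp"
    in_scope_hosts "domain.com" "$tmp"
    rm -f "$tmp"
}

demo_in_scope
```

Feeding the output of in_scope_hosts to httprobe instead of the raw found.txt keeps hosts such as notdomain.com, which a bare grep for the domain string would let through, out of the probe and screenshot stages. That is what keeps the automated part of the test inside the agreed scope of work.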

Other Tools

photon: github.com/s0md3v/Photon
Data Extraction: URLs (in-scope & out-of-scope), URLs with parameters (example.com/gallery.php?id=2), Intel (emails, social media accounts, amazon buckets etc.), Files (pdf, png, xml etc.), Secret keys (auth/API keys & hashes), JavaScript files & Endpoints present in them, Strings matching custom regex pattern, Subdomains & DNS related data.

 photon -u https://domain.com    
      ____  __          __
     / __ \/ /_  ____  / /_____  ____
    / /_/ / __ \/ __ \/ __/ __ \/ __ \
   / ____/ / / / /_/ / /_/ /_/ / / / /
  /_/   /_/ /_/\____/\__/\____/_/ /_/ v1.2.2

[+] URLs retrieved from robots.txt: 24
[~] Level 1: 25 URLs
[!] Progress: 25/25
[~] Level 2: 338 URLs
[!] Progress: 338/338
[~] Crawling 13 JavaScript files
[!] Progress: 13/13
--------------------------------------------------
[+] Files: 12
[+] Intel: 2
[+] Robots: 24
[+] Internal: 837
[+] Scripts: 13
[+] External: 81
[+] Fuzzable: 104
[+] Endpoints: 37
--------------------------------------------------
[!] Total requests made: 377
[!] Total time taken: 2 minutes 0 seconds
[!] Requests per second: 3
[+] Results saved in domain.com directory