OSINT

Intelligence Lifecycle

  1. Planning and Direction
  2. Collection
  3. Processing and Exploitation
  4. Analysis and Production
  5. Dissemination and Integration

You might need to go back and forth between the steps as you learn more about the data.

Planning and Direction

Identifying the Requirements The first step in the OSINT cycle involves planning the priorities and requirements for the mission. Prior to collecting OSINT, operators should have a clear understanding of the types of information they need, how to find those sources, and what they hope to accomplish with the acquired information. These precautionary logistics will guarantee the productivity and efficiency of the operation during the next phases of the OSINT cycle.  

Who is the target? What is the target? Why are they the target? When are they the target? For each target you have to collect every type and bit of information and connect all the dots, and discover where to go next with that information until you have a complete map.

Collection

Gathering of Intelligence Data After proper planning has occurred, the collection of OSINT can begin. OSINT resources include any materials that are freely available online, such as news articles, social media posts, and blogs. Teams can utilize their preferred collection tools and resources to obtain this data. If your operations could benefit from OSINT training, check out our remote sessions on OSINT, which are held semimonthly by our expert cyber analysts at Ntrepid Academy.

Processing and Exploitation

Federation of Data into Usable Format Once you’ve acquired your data, you can start processing the information. Then, you’ll want to compile it into a common evidence repository, timeline, or report. In this stage, you’re simplifying the content you’ve found and making it legible for the recipients of the data. Processing the data will help analysts utilize the information more efficiently in the following steps of the OSINT cycle.

Analysis and Production

Conversion of information into Intelligence After the initial processing of the collected data, your teams will then need to perform an in-depth analysis of the information. This is a crucial step in the OSINT cycle. as it will allow your teams to use the data they’ve acquired to interpret and anticipate events. Operators can organize their analyzed information into a detailed document or presentation, which will be read by a designated audience.

Dissemination and Integration

Distribution of Intelligence to Relevant Parties The final step in the OSINT cycle entails delivering the collected and analyzed intelligence to the proper stakeholders. Analysts then receive feedback, which dictates whether the OSINT cycle should begin again.

OSINT Tools

List of OSINT Exercises
gralhix.com/list-of-osint-exercises

osintframework.com
github.com/lockfale/osint-framework
OSINT framework focused on gathering information from free tools or resources. The intention is to help people find free OSINT resources. Some of the sites included might require registration or offer more data for $$$, but you should be able to get at least a portion of the available information for no cost.

cylect.io
The ultimate AI OSINT tool that integrates multiple databases and simplifies their search capability into an easily navigable interface, providing a comprehensive solution to help with your specific data needs.

Note: There are a lot more tools listed throughout each section so not all of them are found in these links. For a specific type of OSINT tool or method, check the menu on the left.

From “Hacker News” on ycombinator - Mastering Osint: How to Find Information on Anyone
news.ycombinator.com/item?id=41231145

-> Social media tools
-> Websites tools
-> Other website tools
-> Command line tools

github.com/smicallef/spiderfoot - SpiderFoot can be used offensively (e.g. in a red team exercise or penetration test) for reconnaissance of your target or defensively to gather information about what you or your organization might have exposed over the Internet.

github.com/Moham3dRiahi/Th3inspector - All in one tool for Information Gathering.

github.com/shellfarmer/WeakestLink - Browser extension for extracting data (be careful with it).

github.com/OhShINT/ohshint.gitbook.io/Lists_of_OSINT_Web_Resources - Complete List of OSINT Web Resources

github.com/jivoi/awesome-osint - A curated list of amazingly awesome open source intelligence tools and resources. Open-source intelligence (OSINT) is intelligence collected from publicly available sources. In the intelligence community (IC), the term “open” refers to overt, publicly available sources (as opposed to covert or clandestine sources)

github.com/topics/osint-tools - 130 osint-tools

github.com/cipher387/osint_stuff_tool_collection - 1000+ services for a wide variety of purposes. Don’t forget that OSINT’s main strength is in automation. Read the Netlas Cookbook for details and examples.

Subsections of OSINT

Sock Puppets

In general a sock puppet is a fake identity created by an individual or organization to manipulate public opinion and deceive others. The purpose of using sock puppets might be to create the illusion of a large number of people supporting or endorsing a particular position, product, or idea, when in reality there may only be a few individuals behind the accounts. Sock puppets are often used for marketing purposes and political campaigns to increase visibility and influence.

In penetration testing your sock puppets are the fake people, an alternate identities with fake accounts that you use to infiltrate or research targets. A good sock puppet does not draw any attention back to you (back to your IP address, your identity, your devices, or anything to do with you). The main goal of the sock puppet is to be the fake identify that you use to do your OSINT research.

When you are investigating someone or something the goal is to never let them become aware of you and that you are looking into them.

The social accounts for the sock puppets should have data, look like they are current and being used, updated, etc. It has to look legitimate.

Subsections of Sock Puppets

Creating Sock Puppets

There are two different kinds of sock puppets.

  1. Complete with a very convincing persona and online presence.

    • A sock puppet for yourself to use all the time as a fake identity.
  2. Specifically created and used for an OSINT investigation.

There are known famous sock accounts.

There are sock hunters that can identify that you’re using a sock puppet.

Creating an Effective Sock Puppet for OSINT Investigations – Introduction:
Jake Creps - Sock Puppet

The Art Of The Sock:
The Art of the Sock
Online: secjuice.com/the-art-of-the-sock-osint-humint

Setting up anonymous sock puppet accounts:
Process for Setting Up Sock Puppet Accounts

Create a fake person:
fakenamegenerator.com
thispersondoesnotexist.com

Protect Your Payments and Keep Free Trials Free:
privacy.com

Jake Creps - Sock Puppet

Creating an Effective Sock Puppet for OSINT Investigations

Note: extracted from wayback machine to have as another archive.

Jake Creps Guides November 2, 2018 November 3, 2018 7 Minutes

Introduction and Philosophy

In recent light of the epic failure by Surefire Intelligence to frame Robert Mueller for sexual assault allegations, I feel it’s important to discuss and unpack how to make a good sock puppet for OSINT operations.  If you aren’t familiar, just google Jacob Wohl or Surefire Intelligence and you will likely be flooded with information about the scandal.  For further details on the unraveling of the socks Wohl made, check out Aric Toler’s threat on Twitter @arictoler from Bellingcat.

Now, without further ado, let’s get started on constructing a sock puppet for OSINT investigations.  To get started, I want to properly define what a sock puppet is and what it is not.  The internet (already a skeptic) defines a sock puppet as “an online identity used for purposes of deception”.  This clearly refers to the traditional sock puppet, with an unknown ‘master of puppets’.  I’d like to add a bit of clarity to that definition though.  Sock puppets aren’t exclusive to deception operations, they can also be used for privacy and OPSEC for an investigator, journalist, penetration tester, etc.  OPSEC online not only protects the investigator, but it also protects the target in the case that the evidence provided leads nowhere.  So, how do you make a sock puppet that won’t embarrass you like Jacob Wohl and Surefire Intelligence?

The first thing you have to do is clearly define your intent.  You can choose to create a fake persona or you can create an avatar that’s clearly fake with the masked excuse of OPSEC as it’s origin.  Let me elaborate.  Let’s say you choose option 1.  You want to create a sock puppet named “Eugene Shoemaker”.  Eugene Shoemaker doesn’t exist.  So you have to create an entire identity around Gene in order for the account to look authentic. This takes a very long time, is very difficult, and has a higher chance of failure.  Additionally, if this sock is discovered, all of your work has to be deleted and you have to start all over again.  If you can pull this off, this is the most effective way to operate.  But not everyone is patient.  That’s why there’s option 2.

Option 2 is creating an avatar that’s focused around an idea rather than a unique identity.  Examples of this include @ShakiraSecurity on Twitter or @DutchOSINTGuy.  Everyone knows Shakira isn’t involved in the infosec community.  They also know that that account isn’t Shakira.  But that account is still a trusted source on Twitter when it comes to OSINT and infosec conversations.  That account have over 500 followers.  That account has a function and has built trust.  That account was easier to create than a blank slate.

For both options it’s recommended to create content, add media (photos, videos), interact with others online in an authentic way, create multiple social profiles, convince others to vouch for you, have a phone number, unique IP, email address, etc. But more on that later.

But enough on theory and philosophy.  Both options are viable and, once again, it depends on your intent and the scope of your project.  If you have a large scale operation, you may create a community of sock puppets that interact with others and each other to create influence that has leverage.  Let’s get into the details on how to set this up.

The Setup

Depending on who you ask, there’s an endless list of things you can do to remain anonymous while conducting investigations online.  You can go extreme and jump down the Michael Bazzell rabbit hole, or you can have a little less attention to detail and still do fine. If you’re interested in an almost full proof system, check his book Hiding from the Internet. If you’re asking me how to create a successful sock puppet, I’m more of a subscriber of the Pareto Principle; but I also don’t have much to lose if caught during an investigation like others may have (back to intent).  Here’s the 80/20 on what you need to get started.

  1. A dedicated computer that is only used for investigations
  2. Encrypted Email – Use Proton Mail
  3. A burner phone number (expensive) or a wifi phone number (cheap or free)
  4. A social media profile where your target is most active (choose option 1 or 2)
  5. A couple different virtual machines
  6. A blog or website (you can use a free blog like WordPress, Blogger, or Medium)
  7. A VPN (you should probably have one anyway)

Now, this is just a start, but it will help you at least get started.  You will have to customize your avatar as you go along to maintain or add credibility.

Dedicated Computer

Having a dedicated computer is an absolute must.  You don’t want anything you are doing under your avatar to somehow be linked to your personal, real account.  Not only will this reveal that your sock puppet is indeed a sock puppet, it may link your real identity to it (see Surefire Intelligence fail).  This computer doesn’t have to be expensive, you could use something as simple as a Raspberry Pi or a cheap laptop.  Using other tools I’ll discuss below, your dedicated computer should not be able to be linked to another computer on your network.

Encrypted Email

This is generally a best practice in the OSINT and infosec community.  While it may be enticing to use Gmail due to the vast number of free tools they provide and their seamless integration, but don’t do it.  Google is tracking you.  Even if you provide false information, they will still know it’s you eventually.  Proton Mail is a name brand in the encrypted email industry.  There are other options but I’d go with Proton Mail if you haven’t experimented with them before.  The user interface is easy to understand and it doesn’t require any advanced setup.

Phone Number

If you can, try to get a very cheap phone plan that’s dedicated to you avatar.  Cheap plans such as Mint will get you the very basics for close to single digits a month.  If you don’t want to spare the cash, consider getting a wifi based phone number from a website that doesn’t recycle phone numbers every month.  Google Voice is a good option.  Keep in mind that a lot of these websites request your primary phone number (Google) when signing up.  If you’re very concerned about privacy, find one that doesn’t.

VPN

It’s important to mask your IP when doing OSINT research online.  The best way to do this is to use a VPN.  The number one VPN changes frequently so depending on when you read this, it could be different.  I’ve used ProtonVPN, Windscribe, NordVPN, and Private Internet Access.  Pick one that values your privacy and has a user interface that’s easy for you.  Make sure you get a VPN that constantly changes your IP so that you don’t establish a pattern during logons or during interaction.

Social Media Profiles

Now that you have a dedicated computer, encrypted email, phone number, and VPN, we can get to the fun part.  You can use all of your information (email, phone number) to create your social media profiles of choice.  Since you’re starting from scratch, it’s important you start interacting in an organic way.  This could include following people, posting links, doing status updates, interacting with people in the same niche as your target, etc.  This process will take a long time if you do it right.  If you’re really skilled, your target will come to you.  I recommend creating multiple avatars with multiple emails and phone numbers to decrease your risk and to deploy them in different ways.  More on this later.

Virtual Machines

Virtual machines are a great way to create an additional layer of privacy.  You can also use them for specific tools in your OSINT investigation.  I recommend starting with Buscador as it offers a wide variety of OSINT tools.  You can also experiment with Windows VMs to access tools like FOCA and other Windows specific tools.  Experiment with Android emulators to take advantage of mobile apps.  Nox is an excellent emulator to get you started.

Blog

If you want to go another layer deep on your avatar, create a free blog on WordPress, Medium, or Blogger and link it to your social media profile.  Generate content both on social and your blog to increase credibility.  After a period of development, you will have a complex character that’s believable and valuable.

Chrome Extensions

Part of remaining anonymous on the web is blocking all forms of tracking.  The two extensions I’d recommend of the top of my head are AdBlock and Disconnect Me.  These will stop ads from tracking you as well as all pull requests from social media sites.  Combined with a VPN, you should have what you need to search safely.

Bonus

Once you’ve developed all of the above, you may want to verify yourself on Keybase and get involved in other opportunities such as Slack channels or Rocket Chats  This will grant you an opportunity to open a dialogue with your target or associates in an environment separate from social media.

Things to Consider

It’s important to remember that you should be very careful before deploying your sock puppet.  If you use it too soon, you’ll lose credibility with your target or associates and you may not recover.  I recommend setting goals such as a certain number of Tweets, followers, blog posts, or months, etc. before creating plan to use it.  With that being said, the intent of your sock puppet should be dictated by the influence it creates organically.  Don’t steer your sock puppet in an unnatural direction.  Let it grow organically and deploy it in the direction it develops on it’s own.  That’s why it’s important to have multiple accounts.

Another thing to consider is forensic linguistics.  Try to make the content you create on your sock puppet account as unique as possible (or at least different from your personal account). That being said, so long as you’re not doing anything incredibly controversial, people won’t question your motives and investigate your identity anyway. Constantly collect OSINT on your sock puppet and reverse engineer your own creation.  Have a friend or colleague take a look at it and see if they can find a way in.  Do all of this before deploying the sock.

Some mistakes Wohl made was using stock images that were easily traceable through image search, not using Whois protection during domain registration, using his socks too soon, and not collecting OSINT/investigating himself before deployment. Read Aric Toler’s write up on this for lessons learned.

Further Research

This post is closing in on 2000 words, which is quite concerning to me.  The OSINT community is already saturated with long form content that’s difficult to digest.  Keeping that in mind, I’d like to conduct an experiment of my own with this process and share the results in another medium.  I’ve been talking on Twitter about how I want to write an OSINT related book.  I think this is it.  I’ll be keeping everyone updated on the progress of this as I set up my sock puppet ecosystem, document, and write the results. Use this post as an introduction to the process and a precursor to the book.

Comments:

On the VMs – to increase distance from the “real you” – change screen resolution and fonts to prevent fingerprinting (etc). Turn webrtc off. Also – unbalance your keyboard legs or spin the keyboard and type at a weird angle. (Maybe switch to a dvorak for the puppets??) Maybe extreme, but helps throw a wrench in “keystroke dynamics”. The puppet will always be hunt and peck and “real you” will always type as real you normally does. If you have a predictive typing app/plugin ( ala mobile kybds ) – train the keyboard app to suggest phrases that the real you never uses. That is – prime the predictive typing with alter-ego’s linguistic preferences.

The Art of the Sock

The Art Of The Sock

Source: secjuice.com/the-art-of-the-sock-osint-humint
(Archived here for easy access. If you see this and want me to remove it, just let me know.)

Sock puppets are where the OSINT rubber meets the HUMINT road, but you need to be good at using them to survive in the infosec jungle.

Guise Bule
Aug 12, 2018 • 9 min read

Social media is infested with sock puppets, influencing what we think in a million different conversations across different social platforms. Some are employed by nation states and used to influence politically, others by private corporations attempting to influence the conversation around their brands. Some are more much more sinister, set up to deceive and defraud. Then you have people like me, OSINT investigators who like to put on a nice clean pair of socks before they go to work and engage their targets.

Wait, That’s Not OSINT Though Is It?

What’s that investigator? You thought that you would be purely gathering intelligence from publicly available information? Oh my sweet summer child.

I am sorry to tell you that that OSINT and HUMINT go hand in hand these days, because OSINT can only ever get you so far. HUMINT is a natural extension to your OSINT work, especially when you are investigating fraudsters, there are only so many public facing signals they give out. If you really want to get a feel for your targets, you have to get your hands dirty, touch your target and social engineer your heart out.

To be an effective investigator you need to master the art of the sock and learn how to engage your targets on social media while wearing socks.

What Is A Sock Puppet?

My favorite definition of the term ‘sock puppet’ comes from the Oxford English dictionary “a person whose actions are controlled by another; a minion”, I just like the word minion though. A more accurate definition from an OSINT perspective would be “a social persona worn when engaging the targets of your investigation”.

A fully fleshed out sock puppet is a social persona that has a credible social history across different social media channels. In my case, I had need of a fully fleshed out sock puppet for an OSINT investigation into the operators of an ICO, for and on behalf of the investors in that ICO. You already know that the ICO was scammy and I am far too discreet to discuss the details, but its worth using as an example of how to properly nurture your sock from its birth to its eventual death.

Think Long Term

The Art Of The Sock is a long term game, if only because there is nothing that screams sock like a freshly coined social media account. This means that you have to think long term when it comes to growing a fully fleshed out sock account, you have to start growing and nurturing them a long time before you will actually need them. Of course you need more than one, they are disposable and you should only ever use a sock once, then throw it away as if it were a cum stained wank rag (my apologies).

By credible social history I mean that your sock has to behave in a consistently credible way over a period of time, the longer the better. The more social history your sock has, the more convincing it will be when you come to use that sock. By social history I mean a convincing breadcrumb trail of consistent activity, one that looks like the activity of a real person on social media. Your socks do not have to be the most prolific posters, but they should engage in regular, publicly visible, activity across different social media platforms.

Whatever you do, do not interact with any of your other accounts, contacts or peers. Your socks should be standalone entities in their own right.

When I say a credible history across platforms, I mean that they should have a Linkedin profile with a credible looking work history, a Facebook profile with some pictures of your sock having fun in different places, or sharing whatever they are into with their friends. It should have an active Twitter profile that engages with its community in a genuine and consistent way.

You noobs with your two month old twitter accounts aren’t fooling anyone, its the sock masters with the properly grown and nurtured personas who are smashing up the sock world out there. When those guys turn their fully fleshed out socks onto a target, they are both credible and convincing. Sock masters never automate anything, they give an authentic touch to every publicly visible action and you just cannot beat it.

Within dark rooms in foreign corners of the world, ‘sock master’ is actually a real job description and people devote their working days to growing and nurturing sock accounts to hand off to others for use in information warfare campaigns. To call them all sock masters though would be a lie, most of them are sock herders at best and if you watch closely, you can see the handovers in the socks behavior.

TL;DR Start growing your socks now in case you need them one day.

Men Are Stupid

When it comes to socking them out of the ballpark, its better to be a woman than a man because men are stupid. Unless they are savvy, the vast majority of men are hugely vulnerable to a direct approach from a pretty girl. Its absolutely fucking ridiculous in fact and it made me never want to trust women online unless you first validate their existance via a webcam session. Social metadata validation cannot be trusted and even when you video validate they could have hired a prostitute to play the part.

And what do you do? You share far too much information with that cute girl, goddamnit what the hell is wrong with you people? Blabbing about your business to random girls on the internet, you deserve to be uncovered as fraudsters. Same applies to you idiots trying to recruit, you may want to consider not sharing the working details of your operation with that hot blonde flirts with you and seems money hungry.

I am sorry to tell you this dear reader, but that cute girl you are talking to on Twitter, the who connected to you on Linkedin and who shared their private Facebook profile with you is definitely a dude. He is more than likely trying to social engineer some information out of you, or influence you for some nefarious purpose.

Blackmail if you are really unlucky.

TL;DR NEVER trust cute girls online if you are a man.

Softly Softly Catchee Monkey

“Deception doesn’t work if your target doesn’t have a reason to believe you’re real, so having a personality is important.” @S4BOT4GE.

I talked to veteran sock masters when researching this subject and those focused on OSINT like to take the softly softly, catchee monkey approach to engaging their targets and the key to this is personality and a grain of uniqueness.

@S4BOT4GE told me that the deception does not work unless your target has a reason to believe that you are real and that having a unique personality is important for this reason. He thinks the key is to emulate a unique character, rather than imitate an existing one and that a grain of uniqueness can make it real enough to believe.

He uses a remote browser service to conduct online research. If the endpoint is the new perimeter, then remote browser isolation is the future of endpoint security.

This is full on social role playing he is talking about, immersing yourself in the character and becoming unique enough for your targets to notice you before you notice them. The trick to being noticed by your target according to S4BOT4GE is fairly straightforward on most social media platforms.

Start following and interacting with accounts that are in close proximity to your accounts targets and a couple times a day, check each of their accounts for anything they posted that hasn’t been widely shared yet, and repost it immediately. Rinse and repeat to allow the social media algorithms to do their work and they will eventually show your activity to your targets.

If your activity has an authentic voice, they will notice you first and that is everything when it comes to initiating contact with a target. If a target is to really trust you, they need to initiate first contact. A smart man would never trust a direct approach from a pretty girl, but if he sees her around town every now and again, he may very well decide to approach her and say hello, it’s very common.

TL;DR Take your time, let your target come to you.

Welcome To The Jungle

I spoke to retired sock master @an3rka0s who is a verteran of information warfare operations that mitigated against foreign adversaries. He told me that the chances are that the socks are already all around you, you’re probably already connected to them and they just haven’t decided to target you directly yet. Admittedly that’s a paranoid outlook, but he is right depending on the social spaces you inhabit.

@an3rka0s tells me that battle hardened operators who have been immersed in the sock jungle for long enough begin to recognize adversarial sock operators through their personas, using their intuition and instinct they can smell other socks.

If you happen to be investigating the crypto world, chances are that your targets are already operating their own socks. One of the first skills that a sock operator learns in the jungle if they want to survive is to recognize when your own followers are socks driven by your adversaries trying to scope you out or keep you in their radar. This is the reason why its essential that your fresh socks are completely unconnected to all of your other socks in every way, they need to be believable seperate entities in order to credibly survive in the jungle. It is an artform in itself.

TL;DR A savvy sock operator can spot other sock operators and unless you are careful with your connections and behavior, they will spot you easily.

Beware The Sock Hunters

Rather than explain how to avoid being caught using a sock, it’s probably best to explain how we catch sock operators doing what they do. In general, sock puppets can usually be identified based on their writing style, posting activity and relationship with other users on the same, or other social networks.

Happily, the OSINT community provides us with some fantastic toolsets for running investigations into social accounts and their public activity. If sock hunting is your thing, you can analyze a social accounts behavior and activity in lots of ways.

The easiest way to find sock accounts in a conversation is to check their login times and login IP adresses, very often sock operators will have sloppy OPSEC practices and/or not bother concealing their IP. They will also login and post at roughly the same time, sometimes delaying their posts in order not to be obvious.

Over time identifiable patterns emerge though.

Sometimes this method of detecting socks is not always workable, a sophisticated sock operator will know to avoid creating patterns in their logon times and posting times, they will also know how to conceal their IP address when logging on and posting. When it comes to the more sophisticated sock operators, you have to step up your detection methods in order to catch them and begin to develop machine learning algorithms that detect similarities in behavior across multiple social accounts.

A recent study found that “sock puppets contribute poorer quality content, write shorter posts that are often downvoted or reported by other users. They post on more controversial topics, spend more time replying to other users and are more abusive.

Worryingly, their posts are also more likely to be read and they are often central to their communities, generating a lot of activity”. This gives you a baseline pattern to hunt for and base your machine learning algorithms on. Researchers are out there right now, leveraging this detection model in order to detect and identify socks.

Machine learning tools have been created which can detect if two accounts are owned by the same person with 91% accuracy. There are other tools that can distinguish between a real social account and a sock with 68% accuracy.

Tools like these are spotting patterns across thousands of social accounts and identifying their owners with ever increasing accuracy, they find patterns in your behavior and develop a behavioral fingerprint that you subconsciously leave on your actions. Even though you may try to randomize your behavioral patterns, style of writing, manner of expression, login times, IP address and other ways to conceal yourself, you cannot hide if the algorithms are given enough historical data on your activities to analyze. We all have our own unique behavioral fingerprint.

These tools are being developed in an effort to counter information warfare efforts across social media operations conducted against us by foreign adversaries intent on influencing the conversation in our society. They are also being developed by the private sector and the social media platforms themselves in an effort to disrupt trolls, persistent abusers, and operations designed to spread fake news into our feeds.

Its getting much easier to spot and identify even the most experienced sock operators, especially when they are engaged in shady online behavior. But a skilled OSINT investigator who maintains his or her own sock accounts for investigative purposes, and who takes care, is likely to fly under their radar completely.

Stay under the radar, behave like a normal person, engage in authentic activity and keep your socks dry until you need them. Nobody likes wet socks.

Anon Sock Puppets

Setting up anonymous sock puppet accounts

  1. Come up with a persona for the sockpuppet account.
  2. Use Fake Name Generator to create a person whom you feel fits your sockpuppet persona.
  3. Use This Person Does Not Exist to generate an image. Make sure you inspect the image closely and get one that doesn’t have any obvious flaws, as they often do. It is worth picking up some Photoshop, GIMP, Affinity Photo or Designer, or other basic image manipulation skills to fix them and change the background of the image.
  4. Get a burner phone, completely wiped and fresh. Can be any brand that will accept a Mint Mobile SIM card.
  5. Get a burner credit card from Privacy.com to use for on Amazon and possible the Mint Mobile setup. They might need it to set up the account.
  6. Set up a burner Amazon account. We’re only going to use it once.
  7. Buy two Mint Mobile SIM cards. You can find them various places online and in stores near you, but you can get two of them for $5 on Amazon. They also give you 1 week free trial with something like 100 text messages, which we’re going to use. This gives you two cards for two sockpuppet accounts for only $5.
  8. I like to use Amazon to have the card sent to an Amazon pickup box, which can be anonymous.
  9. Get a VPN that you can set to the physical area in which you want your sockpuppet to “exist.”
  10. Set up the Mint Mobile trial account somewhere away from your home; as far as you’re willing to go.
  11. Use this Mint Mobile trial phone number to set up all of the websites you need.
  12. I recommend at least set up a Google account and Protonmail account. Both will come in handy at different times.
  13. Once you’ve set up all the accounts with your trial Mint SIM, set up 2FA on all of the accounts.
  14. After setting up 2FA on all of the accounts, change the phone number to one you have more permanent access to, such as MySudo or Google Voice.
  15. Make sure everything works!
  16. Destroy the SIM card.
  17. Wipe the phone.

A lot of these websites are blocking MySudo, Google Voice, and other VoIP numbers. That’s why we go through the Mint phone number first.

They should be less stringent now.

As always, feedback is welcome! This was originally posted on my blog where I also talk about the ethics of sockpuppet accounts.

Search Engine

Search engines are a powerful tool and particularly useful for conducting OSINT research. By entering specific operators along with relevant keywords, you can quickly discover a vast amount of publicly available data about individuals or organizations that may be of interest, such as an individuals private or personal information, images, professional background, and affiliations with specific groups or organizations.

List of search engines:
en.wikipedia.org/wiki/List_of_search_engines

Operators/Syntax:
bruceclay.com/blog/bing-google-advanced-search-operators
duckduckgo.com/duckduckgo-help-pages/results/syntax

Basic Operators

Google Bing Description
site: site: Restricts the search to pages within a particular domain and all its subdomains.

Examples:
site:reddit.com wgu c95
site:reddit.com "c958 calculus"
site:reddit.com c958 calculus AND "professor leonard" AND
site:reddit.com c958 calculus OR "professor leonard" OR
'heath adams" the * mentor * (wildcard)
site:tesla.com password filetype:pdf filetype
site:tesla.com filetype:docx
"tesla.com" filetype:xlsx pass
sites:tesla.com -www (subdomains, remove www)
sites:tesla.com -www -forum
"heath adams" -thecybermentor -mentor (remove items)
"heath adams" intext:password intext
"heath adams" inurl:password inurl
"heath adams" intitle:password intitle

Google Advanced Search:
google.com/advanced_search
google.com Tools (on right side) -> Any time / All results

Search Engines/Websites

Subsections of Search Engine

Google Guide

Basic Examples

This Search Finds Pages Containing
biking Italy The words biking and Italy.
recycle steel OR iron Information on recycling steel or recycling iron.
“I have a dream” The exact phrase I have a dream.
salsa –dance The word salsa but NOT the word dance.
Louis “I” Franc Information about Louis the First (I), weeding out other kings of France.
castle ~glossary Glossaries about castles, as well as dictonaries, lists of terms, terminology, etc.
fortune-telling All forms of the term, whether spelled as a single word, a phrase, or hyphenated.
define:imbroglio Definitions of the word imbroglio from the Web.

Calculator

Operators Meaning Type Into Search (& Results)
+ – * / basic arithmetic 12 + 34 - 56 * 7 / 8
% of percentage of 45% of 39
^ or ** raise to a power 2^5 or 2**5
old units in new units convert units 300 Euros in USD, 130 lbs in kg, or 31 in hex.
Operators Meaning Type Into Search Results
city1 city2 Book flights. sfo bos Book flights from San Francisco (SFO) to Boston (BOS).
site: Search only one website or domain. Halloween site:www.census.gov Search for info on Halloween gathered by the US Census Bureau.
[#]..[#] Search within a range of numbers. Dave Barry pirate 2002..2006 Search for Dave Barry articles mentioning pirates written in these years.
filetype: Find documents of a filetype. Form 1098-T IRS filetype:pdf Find the US tax form 1098-T in PDF format.
ext: Find documents of a filetype. Form 1098-T IRS ext:pdf Find the US tax form 1098-T in PDF format.
link: Find linked pages, show pages that point to URL. link:warriorlibrarian.com Find pages that link to Warrior Librarian’s website.

Specialized Information Queries

Operators Meaning Type Into Search Results
book (or books) Search full-text of books. book Ender’s Game Show book-related information. No colon needed after book.
define, what is, what are Show a definition for a word or phrase. define monopsony, what is podcast Definition for monopsony and podcast. No colon after them.
define: Provide definitions for words, phrases, and acronyms. define:kerning Find definitions for kerning.
movie: Find reviews and showtimes. movie: traffic Search for information about this movie, including reviews, showtimes, etc.
stocks: Given ticker symbols, show stock information. stocks: goog ind Google’s current stock price.
weather Given a location (US zip code or city) weather Seattle WA, weather 81612 Show the current weather and forecast. No colon after weather.

Alternative Query Types

Operators Meaning Type Into Search Results
cache: Display Google’s cached version of a web page. cache:www.irs.gov Show cached version of the US IRS home page.
info: Find info about a page. info:www.theonion.com Find information about The Onion website.
id: Find info about a page. id:www.theonion.com Find information about The Onion website.
related: List web pages that are similar or related. related:www.healthfinder.gov Websites related to the Healthfinder website.

Search for Sites where Query Words Appear

Operators Meaning Type Into Search Results
allinanchor: All query words must appear in anchor text of links to the page. allinanchor:useful parenting sites Pages that are called useful parenting sites by others.
inanchor: Terms must appear in anchor text of links to the page. restaurants Portland inanchor:kid-friendly Portland restaurants where links to the page say “kid friendly.”
allintext: All query words must appear in the text of the page. allintext:ingredients cilantro chicken lime Search for recipes with these three ingredients.
intext: The terms must appear in the text of the page. Dan Shugar intext:Powerlight Pages mentioning Dan Shugar and his company Powerlight is included in the text.
allintitle: All query words must appear the text of the page. allintitle: Google Advanced Operators Pages with titles containing “Google,” “Advanced,”, and “Operators”.
intitle: The terms must appear in the title of the page. movies comedy intitle:top ten Pages with the words movie and comedy that includes top ten in the title.
allinurl: All query words must appear in the URL. allinurl:pez faq Search for pages containing the words pez & faq in the URL.
inurl: The terms must appear in the URL of the page. pharmaceutical inurl:investor Search for pages in which the URL contains the word investor.

Restrict Search to Google Groups

Operators Meaning Type Into Search Results
author: Find Groups messages from the specified author. flying author:Hamish author:Reid Search for Hamish Reid’s articles on flying.
group: Find Groups messages from the specified newsgroup. ivan doig group:rec.arts.books Postings about Ivan Doig in the group ec.arts.books.
insubject: Find Groups messages containing crazy quilts in the subject. nsubject:“crazy quilts” Articles containing crazy quilts in the subject line.

Restrict Search to Google News

Operators Meaning Type Into Search Results
location: Find News articles from sources located in the specified location. queen location:uk Find British news articles on the Queen.
source: Find News articles from specified sources. peace source:ha_aretz Show articles on peace from the Israeli newspaper Ha’aretz.

About This Cheat Sheet: For more tips, tricks, & examples, visit GoogleGuide.com. By Nancy Blachman & Jerry Peek who don’t work for Google & Tasha Bergson-Michelson.

Bing Google Operators

bruceclay.com/blog/bing-google-advanced-search-operators

Google Bing Result
allinanchor:
allintext: Returns webpages with all the words somewhere on the webpage.
allintitle: Finds pages that include all query words as part of the indexed title tag.
allinurl: Finds a specific URL in the search engine’s index. Also can be used to find pages whose URLs contain all the specified words.
AROUND() Finds webpages with words that are in a certain proximity to one another.
cache: Shows the version of the webpage from Google’s cache.
contains: Finds webpages that contain links to a particular type of file (such as pdf, mp3). This function is unique to Bing.
define: Presents a dictionary definition.
ext: ext: Returns only webpages with the file extension you specify (such as htm). Note: Bing includes this operator in its current list, but our tests could not produce reliable results.
filetype: filetype: Finds results of a single type only (such as pdf).
filetype: filetype: Finds results of a single type only (such as pdf).
feed: Finds RSS / Atom feeds on a site for the search term.
hasfeed: Finds webpages with RSS / Atom feed on the search term.
in This converts units of measure like temperature, currency, etc.
info: Presents some information that Bing has about a webpage such as related pages from the site, external pages talking about the page, and related results. This operator is not listed on the current Bing documentation, but our tests show that it continues to work.
intext: Shows pages that contain a specific word in their body text.
intitle: intitle: Finds pages that include a specific word as part of the indexed title tag.
inurl: Finds pages that include a specific keyword in their indexed URLs.
allinurl: Finds a specific URL in the search engine’s index. Also can be used to find pages whose URLs contain all the specified words.
inanchor: Finds webpages that use a specified keyword as anchor text in a link from the page.
inbody: Finds webpages that use a specified keyword in the body section of the page.
ip: Finds sites hosted by a certain IP address.
language: Find webpages in a specified language.
location: Finds webpages from a certain country / region.
map: Finds a map result for the query.
movie: Finds information about movies.
OR OR Finds webpages that have either query when used in between two queries. Must be capitalized to work correctly.
prefer: Adds emphasis to a search term to refine the results further.
related: Finds related sites to the domain you input.
site: site: Restricts the search to pages within a particular domain and all its subdomains.
source: Finds news results from a specific news source in Google News.
stocks: Displays stock information for a specific ticker symbol.
url: Checks if a domain is in the Bing index.
weather: Shows weather for a specific location.
***** ***** Acts like a wildcard that can take the place of any word or phrase. Example: tallest * in the world
Excludes results that contain the word following the minus sign. Place this operation at the end of your search query.
” “ ” “ Finds instances of the exact text within the quotation marks everywhere it appears in the search engine’s index.
@ Searches social media for a certain query when put in front of the word(s).
$ Searches for a price when put in front of the query.
# Searches for hashtags.
Searches a range of numbers when put in between two numbers.
() Finds or excludes webpages with a group of words contained within the parentheses.

Duckduckgo Syntax

duckduckgo.com/duckduckgo-help-pages/results/syntax

Search Operators

Example Result
cats dogs Results about cats or dogs
"cats and dogs" Results for exact term “cats and dogs”. If no or few results are found, we’ll try to show related results.
~"cats and dogs" Experimental syntax: more results that are semantically similar to “cats and dogs”, like “cats & dogs” and “dogs and cats” in addition to “cats and dogs”.
cats -dogs Fewer dogs in results
cats +dogs More dogs in results
cats filetype:pdf PDFs about cats. Supported file types: pdf, doc(x), xls(x), ppt(x), html
dogs site:example.com Pages about dogs from example.com
cats -site:example.com Pages about cats, excluding example.com
intitle:dogs Page title includes the word “dogs”
inurl:cats Page URL includes the word “cats”

If advanced syntax was used in a query and no results are found, we’ll try to show related results.

Please note: we are aware some of our advanced syntax isn’t operating 100% correctly on all queries and are actively working on it. It is unfortunately a non-trivial issue given we get our private results from a variety of sources.

Search Directly on Other Sites

  • Use \ to go to directly to the first search result. For example, \futurama.
  • Use ! to search other sites’ search engines directly. Remember, though, because your search is actually taking place on that other site, you are subject to that site’s policies, including its data collection practices. For example, [!a blink182](https://duckduckgo.com/?q=!a blink182) searches Amazon.com for blink182. There are thousands of sites covered!
  • Add !safeon or !safeoff to the end of your search to turn on and off safe search for that search.

Images

OSINT resources for images

OSINT tools for analysing images can help you identify their contents. Images from social media platforms and other public websites are an easy way to gather lots of valuable data.

Various tools can be used to extract relevant data from images, such as faces, text, logos, and other identifying markers. This data can also be analyzed using a variety of techniques, including facial recognition software, optical character recognition (OCR), and image analysis algorithms to identify key elements within the image.

When OSINT is applied to images it had many potential applications, such as offensive security, fraud detection, brand monitoring, locating missing people, and counterintelligence activities. However, it is important to consider the ethical implications of using OSINT tools in this context, particularly when analyzing sensitive personal information without consent.

Reverse Image Search
EXIF Data
Physical Location
Identify Locations

Tools not listed on other pages:

exiftool.org - A command-line tool that extracts metadata from images.
fotoforensics.com - A web tool that can detect signs of manipulation.
citizenevidence.amnestyusa.org - Verify the authenticity of an image.

Subsections of Images

Reverse Image Search

Strip out exif data from images before uploading for search. Right click and check properties.

Reverse image search example:

  • drag and drop to upload image: images.google.com

  • Click on “Find images source”

    • It appears to look for all locations of the exact image.
  • Go back to front page.

  • Drag the selection markers so that it’s only selecting the part of the image that you want to search for, then try Find image source again. Go back and forth as much as needed.

    • May not work that well for some images.
    • May work really well for other images (buildings, landmarks, etc.)
  • Remove twitter from search: Jonas Hellborg -twitter.com

  • “NAME” - probably just photos uploaded by NAME.

  • “Photos of NAME” - will get you a different full list of photos.

Yandex reverse image search
yandex.com/images/

  • Drag and drop and image to get some results.
    • It should find more images, similar images.

TinEye

TinEye - Reverse Image Search
tineye.com/

Upload an image to search.

Other

socialcatfish.com/reverse-image-search - Reverse image search engine.
https://www.wolframalpha.com/input/?i=image+identify - Identify objects, landmarks, and other items within images.
pimeyes.com/en (paid)

EXIF Data

Viewing EXIF Data

EXIF - Exchangeable Image File

EXIF data can provide a lot of information. It’s data in a phone that can be tied back to the person who took the photo. It can tell you a location, device, and other details.

Sites for viewing EXIF data

jimpl.com
exifdata.com
exif.tools
exif.regex.info - offline

Linux command line tool:

exiftool image.jpg

Remove exif data

Sites: jimpl.com/remove-exif

Command Line: Install exiftool

sudo apt install libimage-exiftool-perl

Run in a directory to remove data from all images including subdirectories:

exiftool -overwrite_original -recurse -all= *

Using exiftool to remove data can take a while depending on how many images there are.

GPS Coordinates

Can get GPS coordinates if they exist in the photo data and search.
gps-coordinates.net

Can use google maps to get an overhead view (when searching for physical weaknesses, etc).

Physical Location

Go to Google maps, find a location and go to satellite view. Look at everything to see if there are any weaknesses or ways to get it without too much trouble. (Check for other satellite services if Google doesn’t have a current image)

  • You’re trying to find ways into the building that won’t make you look suspicious.
    • Somewhere close by where you might be able to fly a drone.
  • Drive around to possibly see anything in person.
  • Is there private access?
  • Are the paths blocked or guarded?
  • Is there anywhere to park that’s not suspicious?
  • Try to get into street view on map.
    • Are there any doors?
      • Badge, card readers.
      • What are the people doing,?
      • What are they wearing?
      • Keep asking these kinds of questions.
  • You can apply all of these things to people.

Email

Methodology

Start with a google search (“Who is in THIS role at THIS company?”) Then go to phonebook.cz, hunter.io or equivalent to identify the email formatting. Try to find the person and discover or guess the pattern or format. Go to tools.emailhippo.com or equivalent to verify the emails, but sometimes you get false positives. You probably will only be verifying emails and not doing any kind of interaction. Clearbit Connect is limited so be careful how much you use it.

Subsections of Email

Discovering Email Addresses

Methodology

  1. Start with a google search. If you’re looking for a specific person or person with a role/position - “Who is in THIS role at THIS company?”
  2. Go to phonebook.cz, hunter.io or equivalent to identify the email formatting.
  3. Try to find the person and discover or guess the format.
  4. Go to tools.emailhippo.com or equivalent to verify the emails. Sometimes you get false positives.
  5. You’ll mostly likely be just verifying emails with any interaction.
  6. Clearbit Connect (is limited so be careful how much you use it).

Format Research

  • Research format of email addresses.
  • Use gmail login to see if an email is valid. Enter email and see if it’s already taken. You can also try to reset gmail password to get hints of the recovery email.
    • Don’t underestimate forgot password.

Emails that you have found or know about:

  • Password spraying.
  • Credential stuffing.

Email Research

Verify emails

Clearbit Connect Chrome extension:
chromewebstore.google.com/detail/clearbit-connect-free-ver/pmnhcgfcafcnkbengdcanjablaabjplo

theHarvester tool gathers names, emails, IPs, subdomains, and URLs:
github.com/laramies/theHarvester

Hunting for breached passwords (think of the method not the tool):
dehashed.com (paid service)

Check if an email was breached.

Tools by themayor - dievus

Passwords

Steps

  • Search through various databases of breached credentials.
  • Look for patterns in the passwords that might have been repeated or rearranged.
  • You might be able to use the same password and/or a variation of the password elsewhere.

Subsections of Passwords

Breached Passwords

dehashed.com (Paid service)

Search by different elements:

  • name
  • email
  • password
  • username
  • IP address
  • domain
  • address
  • phone
  1. Collect all the data, find patterns.
  2. Try to find other emails and see if you can connect them to the same person.
  3. They might use the same password.
  4. Connect everything together and notate everything so it can be replicated.

hashes.org - no longer online.
reddit.com/r/DataHoarder/comments/ohlcye/hashesorg_archives_of_all_cracked_hash_lists_up
github.com/rarecoil/hashes.org-list

hashmob.net/
HashMob allows anyone to submit hashes discovered in database breaches (or other sources) and share them with the community so that everyone can collaborate on recovering the original plaintexts.

Note: You’ll probably have to pay for anything that is extensive and current.

weleakinfo.io (need to pay)
leakcheck.io (need to pay)
snusbase.com (need to pay)
scylla.so (coming soon?)
haveibeenpwned.com
haveibeenpwned.com/API/v2
breachdirectory.org

github.com/thewhiteh4t/pwnedOrNot
github.com/khast3x/h8mail

Usernames

Any verified or guessed usernames can be researched and verified if possible on social media sites.

Searching through forums, boards or messengers can also reveal a lot about someone’s online persona and activities. Usernames can be used as keywords to search for information on these types of platforms and can be an excellent way to find more relevant data. Using search operators to fine tune your queries on Google, DuckDuckGo, etc. can also provide better results.

Subsections of Usernames

Usernames and Accounts

There may be other tools listed in other sections of these notes that also work for investigating usernames.

Website Tools

github Tools

Validate

Check or try to validate the existence of usernames on various social media websites.

wikipedia.org/wiki/List_of_social_networking_services

People

Most of these sites are US based unless you can find other locations. Take these sites with a grain of salt or be skeptical when using them. Some of the results can be misleading.

Websites

Check google.com

  • Cached data, next to link.
  • “Firstname Lastname” Los Angeles
  • “Firstname Middlename Lastname” Los Angeles

Subsections of People

Voter Records

You can get a lot of useful information from voter records. You can search by state and county to find someone. All you need is an address that was known at some time or a current address.

voterrecords.com

Note: Only use this for research on people, other than yourself, when you have full permission.

This information should actually not be public, but it is so it’s up for grabs to anyone.

Phone Numbers

Hunting for good phone numbers

PhoneInfoga is one of the most advanced tools to scan international phone numbers. It allows you to first gather basic information such as country, area, carrier and line type, then use various techniques to try to find the VoIP provider or identify the owner.
github.com/sundowndev/phoneinfoga

Try Google first. Use different types: (555-555-1212 or 5555551212 or (555) 555-1212) and try the numbers in quotes too. It’s a hit or miss. A lot of websites are sketchy and should be ignored.

  • Some people spell out phone numbers so you can try search for that.
  • Search using “phone emoji” before name -📱- ☎️
  • Search in white pages.
  • Try using the forgot password feature on websites.
    • Yahoo, Google, etc.
    • Be careful you don’t send a verification code to the user.

Websites

Note: Do not log in to these sites using anything or any users the connect back to you.

Birthdates

Use Google to search everywhere for birthdates. The can sometimes be discovered on any kind of forum or social media website.

  • Firstname Lastname Birthday
  • “Firstname Lastname” Birthday
  • “Firstname Lastname” intext:birthday
  • “Firstname Lastname” intext:“happy birthday”
  • “Username” intext:“happy birthday”
  • “Username” intext:“happy birthday” site:twitter.com
  • “Username” intext:“happy birthday” site:facebook.com
  • “Username” intext:“happy birthday” site:linkedin.com

Resumes

Resumes can sometimes disclose personal information.

use Google to search for files or websites that might have something.

  • firstname lastname resume
  • firstname lastname resume filetype:pdf
  • “firstname lastname” resume filetype:pdf
  • “firstname lastname” resume filetype:doc
  • “firstname lastname” resume site:google.com
  • “firstname lastname” resume site:drive.google.com
  • “firstname lastname” resume site:dropbox.com
  • “firstname lastname” resume site:scribd.com
  • “firstname lastname” site:linkedin.com

Social Media

When using OSINT when researching social media platforms of a target, it is important to understand the context of the information being collected and how it may be interpreted by others. Social media profiles can provide valuable insights into a person’s interests, hobbies, political beliefs, and even their personal relationships. However, it is also important to consider the potential consequences of sharing private or sensitive information online, especially when using OSINT tools that allow for automated data extraction from various sources.

Note: Due to all the changes happening on some social media sites, a lot of the amazing tools we could use are now dead or severely broken.

Facebook

Twitter

  • Followerwonk : Search, compare and analyze people on Twitter (free and paid version).
  • Sparktoro : Audience research (free and paid version).
  • Twexplorer : Search the most common terms, hashtags, and links (you need login).
  • Real Top Tweeps : Shows an interaction overview on Twitter.
  • TweetBeaver : Shows different type data on Twitter (you need login).
  • Twitter Advanced Search : Advanced Search on Twitter.
  • Account Analysis : Evaluate and analyse Twitter profiles (free and paid version).
  • Spoonbill : See profile changes on Twitter (you need login).
  • Twint : Twitter Intelligence Tool.

Instagram

  • Search my bio : Search Instagram user bios.
  • Followerwonk for Instagram : Search for Instagram influencers and users.
  • Instadp : Downloader Tool for Instagram.
  • Instahunter : Fetch data from Instagram’s Web API without login.
  • Osintgram : Perform analysis on Instagram account of any users by its nickname.
  • Instaloctrack : Scrape geotagged locations - output in JSON & interactive map.
  • Instagram Scraperk : Scrapes and downloads an instagram user’s photos and videos.
  • Instaloader : Downloads photos, videos, hashtags, stories.
  • Sterraxcyl : Information on an Instagram account from its following & followers.

Snapchat

  • Snapchat : Search for hotspots around the world.
  • Dizkover : Full-featured social media platform that helps you discover people on Snapchat.
  • Ghostdex : Search for Snapchat users.
  • Ghostcodes : Browse through Snapchat categories and users.
  • Add me contacts : Search Snapchat usernames.
  • Snapmap Archiver : download Snapmaps from a specific location.

TikTok

Lists of Tools

On github/gitbook

Tools

On github:

Other Website Tools

  • search.illicit.services - Records Search - Forwards here: search.0t.rocks
  • hashatit.com - Search with active hashtags across many social media platforms.
  • map.snapchat.com - See geotagged posts shared by other users from across the globe.
  • boardreader.com - Search for content found on blogs, open forums, and message boards.
  • usa.liveuamap.com - See what’s happening in real time with certain events.
  • pagefreezer.com/webpreserver - Browser-based plugin compatible with Chrome and Edge. Capture social media posts and comments and store - them on their computers or servers.
  • mention.com/en - Social Mention (Like Hashatit) is a social media search engine, but this tool looks at specific terms and phrases rather than hashtags.
  • trendsmap.com - Search through trending Twitter keywords and relevant hashtags.

Subsections of Social Media

Twitter

You have to log in to be able to do anything. twitter.com

Search Examples:

  • Check in: Top - Latest - People - Media - Lists
  • nba (search term)
  • #nbadraft (keyword)
  • "nba draft pick" (specific search)
  • from:thecybermentor (from)
  • to:thecybermentor (to)
  • @thecybermentor (tagging)
  • from:thecybermentor since:2019-02-01 until:2019-03-01
  • to:thecybermentor since:2019-02-01 until:2019-03-01
  • "nba draft pick" since:2019-02-01 until:2019-03-01
  • from:thecybermentor nba
  • geocode:34.0200392,-118.741382,10km
  • geocode:34.0200392,-118.741382,10km to:thecybermentor
  • twitter.com/search-advanced

These sites are dead after the violent takeover and ultimate destruction:

Websites that are still working, sort of, but not that useful now:

twitonomy.com
tinfoleak.com

Tweetdeck is dead: tweetdeck.com
Unless you pay for this: pro.twitter.com

thecybermentor left twitter: linktr.ee/thecybermentor

Facebook

You have to log in to be able to do anything.

Search examples:

  • mark zuckerberg
    • Check all the relevant side tabs.
    • All tab - all posts
    • People tab - profiles
    • Photos
  • photos of mark zuckerberg

Check profile page of a user if anything is public.

Note: the websites below may not function or work right due to the changes in facebook.

https://sowdust.github.io/fb-search/ is now located here: sowsearch.info

intelx.io/tools?tab=facebook

Instagram

  • You can use the search to find people.
  • Main search - #thecybermentor
  • On a users home page check who/what they are following.
    • Check for relationships or close connections.
    • Anyone with the same last name?
    • Follow hash tags.
  • Who is following them?
  • Have they made any posts?
  • Have they been tagged?
  • Not as good on the website.
  • Better search results on the phone app.
  • If the profile isn’t public you wouldn’t be able to access anything.
  • Sometimes people have multiple profiles.
  • Sometimes the subject can be found on someone else’s profile.
    • Relatives, friends, neighbors, etc.
    • Pictures might be on a different persons profile.

google.com

  • Search: thecybermentor site:instagram.com
  • Search: thecybermentor instagram.com

Other Sites:

New sites I’m unsure about:

Github Tools:

Reddit

reddit.com is one of the best resources to find stuff.

Use the search bar at the top:

  • Example: the cyber mentor
  • Example: “the cyber mentor”
  • Use the sort options.
  • Go to the users page if it exists.

Using Google:

  • “the cyber mentor” site:reddit.com
  • “firstname lastname” site:reddit.com
  • “the cyber mentor” site:reddit.com intext:oscp

Linkedin

Try to make a fake sock account. Be careful to not get banned or shadow banned.

Scrapes employees from a LinkedIn company page… github.com/shellfarmer/WeakestLink

  • If images are available you can try reverse image search.
  • Try searching an account’s username on google.
  • Check contact info for anything useful.
  • Check location, activities.
  • Check profile sections, experience, education, etc.
  • Check external links.
  • Check connections to other people, accounts.
  • LION (open network) members accept requests to connect.

Tiktok

They are more locked down these days, but you might be able to gather some valuable info.

  • Check videos for info.
  • Use images for reverse image search, etc.

Subsections of Websites

Gathering Information

You can start with google.com to see what’s out there.

Search terms:

  • tcm-sec.com
  • "tcm-sec.com"
  • site:tcm-sec.com
  • site:tcm-sec.com heath
  • site:tcm-sec.com heath -academy
  • Check images if no sites/domains show up.

Gather as much information as you can about the target site.

  • IP addresses
  • Physical addresses
  • Google tags/analytics
  • Technology

Websites and online tools

Some of these sites can search using multiple types of data.

Internet Services (IP, ISP, location)

DNS Techniques:

Podcast on a penetration test, social engineering, incident response:
darknetdiaries.com/episode/22

Tools on github

Subdomains

Subdomain Hunting

When hunting down subdomains you are looking for developer or staging versions of a site, or admin login pages that are not public or easily found on the internet.

Website tools are not the best way to scan for subdomains, but you can try google and a couple others to see if anything interesting shows up.

Search google.com

  • site:tesla.com
  • site:tesla.com -www
  • site:tesla.com -www -forums inurl:dev
  • site:tesla.com -www -forums inurl:admin
  • site:tesla.com -www -forums inurl:console

Other website tools

pentest-tools.com - scans are limited and you may have to create an account now.
pentest-tools.com/information-gathering/find-subdomains-of-domain

spyse.com - Shut down.

Shodan and Wayback

Shodan

shodan.io - Website tool to discover all kinds of stuff connected to the internet.

  • Click on explore to see what is possible. It will show you the query being used.
  • It may show screenshots of what the loaded IP address looks like.
  • Search examples:
    • Click on one of the cameras.
    • Copy the IP address or you can try any IP address.
    • anydomain.com - but may work better with an Ip address.
    • city:atlanta - you should see quite a few results.
    • city:atlanta port:3389 - check for remote desktop.
    • city: atlanta port:3389 org:choopa - specific organization.
    • city: atlanta port:3389 org:choopa-business - narrow it down more.
    • Click Images tab to see just the images.
    • You can click to look at the details of a host.
    • You can find vulnerable systems.

web.archive.org

web.archive.org - non-profit library of millions of free books, movies, music, websites, etc.

  • https://anydomain.com - the highlighted spots are where you can find screenshots.
  • https://amazon.com - should show some versions of the site from a long time ago.

Google cached websites

  • Go to google.com and search for a domain.
  • Click on the 3 dot menu, then on the arrow to show more options, click on Cached.
  • You might find some data in the cached version

Other Command line tools

Businesses

OSINT is essentially a mix of all the tools covered in this course and the strategies on how to use them so you will see the same tools again and again. There are a lot of things you can use for researching a company. You can identify the employees, who is running the company, who the executives are. Depending on the size of the company, you can figure out the organizational structure. You can look up the social media sites that the company and the employees are using. You can look at job descriptions and how the company hires people.

You are looking for information that can help you identify people and places, information that can be found through what employees are putting online, especially if it’s a physical engagement and/or social engineering. You need to find out everything about the company and narrow it down.

Subsections of Businesses

Hunting Business Info

You might be able to find useful information from photos and videos. Is there a dress code? Is there a badge? Who are the employees you are looking at. Can you see their office, desk, computers, applications, OS, badges, phones, inside the office, etc.

  • linkedin.com
    • Search - from a profile that has no connections.
      • tcm security
      • check tabs and look for information
      • About
      • People
        • images - right click, open in new tab, save photos, reverse image search.
        • copy “position title” and search it on google.
          • "IT Solutions Engineer at TCM Security"
          • find linkedin or other profiles online.
          • site:linkedin.com "* at TCM Security" (with wildcard)
          • might be “false positives” - non-employees showing up.
          • site:linkedin.com/in/ "* at TCM Security"
          • site:linkedin.com/pub "* at TCM Security"
      • Videos

Database of companies (requires a little digging through internal and external links):
opencorporates.com
You can search for companies and/or individuals.

Database of companies:
aihitdata.com

Job search:
indeed.com
Sometimes the job details will have a lot of information, software the company uses. Search for companies, positions, people.

Company search (indeed.com):
google.com

  • Jobs can be found that are not listed on a companies Indeed.com pages.
  • "Empirical Concepts Inc" site:indeed.com
  • Also look up just the company to see if they have a jobs or careers page on their own website or other sites like linkedin.com.

Wireless

Currently there is only one website that is at the top and the best place to research wireless networks.

wigle.net (pronounced why-gull)

  • Free to register - go ahead and create an account and log in.

What is wigle?

The term war driving can be used here. This is where you drive around and collect data about the networks in your area. This website has done exactly this on a impressively massive scale.

Every purple instance you can see is a wireless network and numbers appear to be countless. You can zoom in and see data on each wireless network. It doesn’t help that much unless you are looking at a specific neighborhood or location. You can type in an address, latitude/longitude, SSID, or MAC Address to find a location.

The most important value is when you go to View -> Advanced Search. You can search a lot of different elements. You can narrow down where and what you are looking for. The data you find may not be current. You can click on map to see the location.

  • On an assessment you might get access to a network and see that there is a wireless network attached to it. In this case, you can use wigle.com to try to locate that wireless network.
  • If you obtain credentials for the wireless network and can find it’s location, can you use them in any way?
  • If you have the name of the SSID, can you use that to find the location?

OSINT Tools

It is very important to learn how to use the different tools, frameworks, and eventually how to automate them. It will make everything run a lot faster and smoother. It’s also a good idea to learn how to research the tools. Learn more about the tools you are using while realizing that the tools may change over time and that there may be other tools out there. Some tools may stop working so you’ll need to find something to replace those.

Subsections of OSINT Tools

Image and Location

More tools can be found if you do some research.

google.com

  • exif tool site:github.com

exiftool - Might have to install it.

apt search exiftool                           
Sorting... Done
Full Text Search... Done

libimage-exiftool-perl/kali-rolling 12.67+dfsg-1 all
  library and program to read and write meta information in multimedia files
sudo apt install libimage-exiftool-perl    
[sudo] password for kali:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  libcompress-raw-lzma-perl libmime-charset-perl libsombok3 libunicode-linebreak-perl
Suggested packages:
  libposix-strptime-perl libencode-eucjpascii-perl libencode-hanextra-perl libpod2-base-perl
The following NEW packages will be installed:
  libcompress-raw-lzma-perl libimage-exiftool-perl libmime-charset-perl libsombok3 libunicode-linebreak-perl
0 upgraded, 5 newly installed, 0 to remove and 1284 not upgraded.
Need to get 4,114 kB of archives.
After this operation, 24.7 MB of additional disk space will be used.
Do you want to continue? [Y/n]
exiftool dog.JPG             
ExifTool Version Number         : 12.67
File Name                       : dog.JPG
Directory                       : .
File Size                       : 3.9 MB
File Modification Date/Time     : 2023:12:28 10:59:18-05:00
File Access Date/Time           : 2023:12:28 11:01:19-05:00
File Inode Change Date/Time     : 2023:12:28 11:01:19-05:00
File Permissions                : -rwxrwx---
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
Exif Byte Order                 : Big-endian (Motorola, MM)
Make                            : Apple
Camera Model Name               : iPhone 4S
Orientation                     : Rotate 90 CW
X Resolution                    : 72
Y Resolution                    : 72
Resolution Unit                 : inches
Software                        : 5.0.1
Modify Date                     : 2012:03:11 12:01:53
Y Cb Cr Positioning             : Centered
Exposure Time                   : 1/1842
F Number                        : 2.4
Exposure Program                : Program AE
ISO                             : 64
Exif Version                    : 0221
Date/Time Original              : 2012:03:11 12:01:53
Create Date                     : 2012:03:11 12:01:53
Components Configuration        : Y, Cb, Cr, -
Shutter Speed Value             : 1/1842
Aperture Value                  : 2.4
Brightness Value                : 10.39054726
Metering Mode                   : Multi-segment
Flash                           : Off, Did not fire
Focal Length                    : 4.3 mm
Subject Area                    : 1631 1223 881 881
Flashpix Version                : 0100
Color Space                     : sRGB
Exif Image Width                : 3264
Exif Image Height               : 2448
Sensing Method                  : One-chip color area
Exposure Mode                   : Auto
White Balance                   : Auto
Focal Length In 35mm Format     : 35 mm
Scene Capture Type              : Standard
Sharpness                       : Normal
GPS Latitude Ref                : North
GPS Longitude Ref               : West
GPS Altitude Ref                : Above Sea Level
GPS Time Stamp                  : 17:30:26
GPS Img Direction Ref           : True North
GPS Img Direction               : 191.2603175
Compression                     : JPEG (old-style)
Thumbnail Offset                : 914
Thumbnail Length                : 9959
Image Width                     : 3264
Image Height                    : 2448
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Aperture                        : 2.4
Image Size                      : 3264x2448
Megapixels                      : 8.0
Scale Factor To 35 mm Equivalent: 8.2
Shutter Speed                   : 1/1842
Thumbnail Image                 : (Binary data 9959 bytes, use -b option to extract)
GPS Altitude                    : 182 m Above Sea Level
GPS Latitude                    : 41 deg 40' 43.20" N
GPS Longitude                   : 83 deg 39' 21.00" W
Circle Of Confusion             : 0.004 mm
Field Of View                   : 54.4 deg
Focal Length                    : 4.3 mm (35 mm equivalent: 35.0 mm)
GPS Position                    : 41 deg 40' 43.20" N, 83 deg 39' 21.00" W
Hyperfocal Distance             : 2.08 m
Light Value                     : 14.0

Emails and Breached Data

Hunting Emails and Breached Data

theHarvester: github.com/laramies/theHarvester

It performs open source intelligence (OSINT) gathering to help determine a domain’s external threat landscape. The tool gathers names, emails, IPs, subdomains, and URLs by using multiple public resources

Note: - Some websites may start to block you if you are hitting them too much, such as google.com might block you if you are searching too much with theHarvester or other tools like this.

 theHarvester -h              
*******************************************************************
*  _   _                                            _             *
* | |_| |__   ___    /\  /\__ _ _ ____   _____  ___| |_ ___ _ __  *
* | __|  _ \ / _ \  / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | |  __/ / __  / (_| | |   \ V /  __/\__ \ ||  __/ |    *
*  \__|_| |_|\___| \/ /_/ \__,_|_|    \_/ \___||___/\__\___|_|    *
*                                                                 *
* theHarvester 4.3.0                                              *
* Coded by Christian Martorella                                   *
* Edge-Security Research                                          *
* cmartorella@edge-security.com                                   *
*                                                                 *
*******************************************************************
usage: theHarvester [-h] -d DOMAIN [-l LIMIT] [-S START] [-p] [-s] [--screenshot SCREENSHOT] [-v] [-e DNS_SERVER] [-t]
                    [-r [DNS_RESOLVE]] [-n] [-c] [-f FILENAME] [-b SOURCE]

theHarvester is used to gather open source intelligence (OSINT) on a company or domain.

options:
  -h, --help            show this help message and exit
  -d DOMAIN, --domain DOMAIN
                        Company name or domain to search.
  -l LIMIT, --limit LIMIT
                        Limit the number of search results, default=500.
  -S START, --start START
                        Start with result number X, default=0.
  -p, --proxies         Use proxies for requests, enter proxies in proxies.yaml.
  -s, --shodan          Use Shodan to query discovered hosts.
  --screenshot SCREENSHOT
                        Take screenshots of resolved domains specify output directory: --screenshot output_directory
  -v, --virtual-host    Verify host name via DNS resolution and search for virtual hosts.
  -e DNS_SERVER, --dns-server DNS_SERVER
                        DNS server to use for lookup.
  -t, --take-over       Check for takeovers.
  -r [DNS_RESOLVE], --dns-resolve [DNS_RESOLVE]
                        Perform DNS resolution on subdomains with a resolver list or passed in resolvers, default False.
  -n, --dns-lookup      Enable DNS server lookup, default False.
  -c, --dns-brute       Perform a DNS brute force on the domain.
  -f FILENAME, --filename FILENAME
                        Save the results to an XML and JSON file.
  -b SOURCE, --source SOURCE
                        anubis, baidu, bevigil, binaryedge, bing, bingapi, bufferoverun, brave, censys, certspotter, criminalip, crtsh,
                        dnsdumpster, duckduckgo, fullhunt, github-code, hackertarget, hunter, hunterhow, intelx, otx, pentesttools,
                        projectdiscovery, rapiddns, rocketreach, securityTrails, sitedossier, subdomainfinderc99, threatminer, urlscan,
                        virustotal, yahoo, zoomeye
theHarvester -d tesla.com -b all -l 50

theHarvester -d tesla.com -b yahoo -l 50

breach-parse: github.com/hmaverickadams/breach-parse

A tool for parsing breached passwords

Install: `sudo ./install.sh`

Download breached password list from magnet located here: `magnet:?xt=urn:btih:7ffbcd8cee06aba2ce6561688cf68ce2addca0a3&dn=BreachCompilation&tr=udp%3A%2F%2Ftracker.openbittorrent.com%3A80&tr=udp%3A%2F%2Ftracker.leechers-paradise.org%3A6969&tr=udp%3A%2F%2Ftracker.coppersurfer.tk%3A6969&tr=udp%3A%2F%2Fglotorrents.pw%3A6969&tr=udp%3A%2F%2Ftracker.opentrackr.org%3A1337`

If you don't store the password list (BreachCompilation) in `/opt/breach-parse`, specify the location like:

`breach-parse @gmail.com gmail.txt "~/Downloads/BreachCompilation/data"`

Run `breach-parse` for instructions

The breach compilation database is around 44GB. You have to download it and place it in the breach-parse directory.

h8mail github.com/khast3x/h8mail

h8mail is an email OSINT and breach hunting tool using different breach and reconnaissance services, or local breaches such as Troy Hunt’s “Collection1” and the infamous “Breach Compilation” torrent.

Requires API-keys and a lot of them are paid. You also can use that same breach compilation database with h8mail. One problem is that it can’t run a search that’s based on just a domain.

 pip3 install h8mail              
Defaulting to user installation because normal site-packages is not writeable
Collecting h8mail
  Downloading h8mail-2.5.6-py3-none-any.whl (34 kB)
Requirement already satisfied: requests in /usr/lib/python3/dist-packages (from h8mail) (2.31.0)
Installing collected packages: h8mail
Successfully installed h8mail-2.5.6
h8mail -t target@example.com

h8mail -t targets.txt -bc ../Downloads/BreachCompilation/ -sk

h8mail -t targets.txt -gz /tmp/Collection1/ -sk

EmailHarvester: github.com/maldevel/EmailHarvester

Usernames and Accounts

WhatsMyName - Not the same tool now.
github.com/WebBreacher/WhatsMyName

WhatsMyName (WMN) consists of a JSON file with detections in it. Submissions from people all over the world are included. When a request is made to one of those sites from a tool like the ones in the next section, the server replies with data that will match one of our detections.

Website/Apps using WhatsMyName:

sherlock - Not to be confused with Sherlock.ps1
github.com/sherlock-project/sherlock

 sherlock thecybermentor 

  [*] Checking username thecybermentor on:

[+] AllMyLinks: https://allmylinks.com/thecybermentor
[+] BuyMeACoffee: https://buymeacoff.ee/thecybermentor
[+] Clubhouse: https://www.clubhouse.com/@thecybermentor
[+] GitHub: https://www.github.com/thecybermentor
[+] HackerOne: https://hackerone.com/thecybermentor
[+] Keybase: https://keybase.io/thecybermentor
[+] Linktree: https://linktr.ee/thecybermentor
[+] Nightbot: https://nightbot.tv/t/thecybermentor/commands
[+] Patreon: https://www.patreon.com/thecybermentor
[+] Reddit: https://www.reddit.com/user/thecybermentor
[+] TryHackMe: https://tryhackme.com/p/thecybermentor
[+] Twitch: https://www.twitch.tv/thecybermentor
[+] Twitter: https://twitter.com/thecybermentor
[+] mastodon.cloud: https://mastodon.cloud/@thecybermentor
[+] metacritic: https://www.metacritic.com/user/thecybermentor

blackbird

 python blackbird.py -u thecybermentor   

    ▄▄▄▄    ██▓    ▄▄▄       ▄████▄   ██ ▄█▀ ▄▄▄▄    ██▓ ██▀███  ▓█████▄
    ▓█████▄ ▓██▒   ▒████▄    ▒██▀ ▀█   ██▄█▒ ▓█████▄ ▓██▒▓██ ▒ ██▒▒██▀ ██▌
    ▒██▒ ▄██▒██░   ▒██  ▀█▄  ▒▓█    ▄ ▓███▄░ ▒██▒ ▄██▒██▒▓██ ░▄█ ▒░██   █▌
    ▒██░█▀  ▒██░   ░██▄▄▄▄██ ▒▓▓▄ ▄██▒▓██ █▄ ▒██░█▀  ░██░▒██▀▀█▄  ░▓█▄   ▌
    ░▓█  ▀█▓░██████▒▓█   ▓██▒▒ ▓███▀ ░▒██▒ █▄░▓█  ▀█▓░██░░██▓ ▒██▒░▒████▓
    ░▒▓███▀▒░ ▒░▓  ░▒▒   ▓▒█░░ ░▒ ▒  ░▒ ▒▒ ▓▒░▒▓███▀▒░▓  ░ ▒▓ ░▒▓░ ▒▒▓  ▒
    ▒░▒   ░ ░ ░ ▒  ░ ▒   ▒▒ ░  ░  ▒   ░ ░▒ ▒░▒░▒   ░  ▒ ░  ░▒ ░ ▒░ ░ ▒  ▒
    ░    ░   ░ ░    ░   ▒   ░        ░ ░░ ░  ░    ░  ▒ ░  ░░   ░  ░ ░  ░
    ░          ░  ░     ░  ░░ ░      ░  ░    ░       ░     ░        ░
        ░                  ░                     ░               ░

                                        Made with ❤️️ by p1ngul1n0

[!] Searching 'thecybermentor' across 582 social networks
[+] - #16 Twitter Archived account found - http://archive.org/wayback/available?url=https://twitter.com/thecybermentor [200 OK]
[+] - #19 Xhamster account found - https://xhamster.com/users/thecybermentor [200 OK]
[+] - #12 Github account found - https://github.com/thecybermentor [200 OK]
   |--Name:
   |--Nickname:           thecybermentor


   |--picture: https://avatars.githubusercontent.com/u/75207118?v=4?s=400
[+] - #41 Ebay account found - https://www.ebay.com/usr/thecybermentor [200 OK]
[+] - #80 HackerOne account found - https://hackerone.com/thecybermentor?type=user [200 OK]
[+] - #1 Facebook account found - https://www.facebook.com/thecybermentor [200 OK]
[+] - #7 Instagram account found - https://www.picuki.com/profile/thecybermentor [200 OK]
   |--Name: Heath Adams
   |--Bio:             Living my best life.
   |--Followers: 70,496
   |--Following: 38
   |--picture: https://cdn1.picuki.com/hosted-by-instagram/q/yep6IPkO1EBGZyPbcMUVwONSiqxxRQlN.jpeg
[+] - #15 Xbox Gamertag account found - https://www.xboxgamertag.com/search/thecybermentor [200 OK]
   |--Name: TheCyberMentor
   |--picture: https://images.weserv.nl/?url=https://images-eds-ssl.xboxlive.com/image?url=8Oaj9Ryq1G1_p3lLnXlsaZgGzAie6Mnu24_PawYuDYIoH77pJ.X5Z.MqQPibUVTcS9jr0n8i7LY1tL3U7AiafSCYxKvpXj31MkoG3bO_PRAaZnxiCXXhJwXdM2GFciVMQ65NJp_gJqzkZPkN4cbjqg--&format=png&maxage=1d&output=webp&w=90&h=90
[+] - #25 WordPress Site account found - https://thecybermentor.wordpress.com/ [200 OK]
[+] - #14 Linktree account found - https://linktr.ee/thecybermentor [200 OK]
   |--Name: @thecybermentor
   |--Description: Linktree. Make your link do more.
   |--picture: https://assets.production.linktr.ee/profiles/_next/static/logo-assets/default-meta-image.png
[+] - #117 BugBounty account found - https://bugbounty.gg/members/thecybermentor/ [200 OK]
[+] - #45 Armor Games account found - https://armorgames.com/user/thecybermentor [200 OK]
[+] - #312 GitHub account found - https://github.com/thecybermentor [200 OK]
[+] - #147 Fark account found - https://www.fark.com/users/thecybermentor [200 OK]
Traceback (most recent call last):
  File "/opt/blackbird/blackbird.py", line 298, in <module>
    asyncio.run(findUsername(arguments.username, interfaceType, arguments.csv))
  File "/usr/lib/python3.11/asyncio/runners.py", line 190, in run
    return runner.run(main)
           ^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/asyncio/runners.py", line 118, in run
    return self._loop.run_until_complete(task)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/asyncio/base_events.py", line 653, in run_until_complete
    return future.result()
           ^^^^^^^^^^^^^^^
  File "/opt/blackbird/blackbird.py", line 58, in findUsername
    userFile = open(pathSave, "w")
               ^^^^^^^^^^^^^^^^^^^
PermissionError: [Errno 13] Permission denied: '/opt/blackbird/results/thecybermentor.json'

Phone Numbers

phoneinfoga: github.com/sundowndev/phoneinfoga
PhoneInfoga is one of the most advanced tools to scan international phone numbers. It allows you to first gather basic information such as country, area, carrier and line type, then use various techniques to try to find the VoIP provider or identify the owner. It works with a collection of scanners that must be configured in order for the tool to be effective. PhoneInfoga doesn’t automate everything, it’s just there to help investigating on phone numbers.

Needs country code before number. This would be a US number:

phoneinfoga scan -n 15555551212

Start localhost server:

phoneinfoga serve -p 8080 

Load http://localhost:8080/#/ in a web browser.

Social Media

Note: Most of these tools are currently either broken or don’t work at all due to the changes in social media services. For example Twint is dead.

All in one

snscrape: github.com/JustAnotherArchivist/snscrape

choose from 'facebook-community', 'facebook-group', 'facebook-user', 'instagram-hashtag', 'instagram-location', 'instagram-user', 'mastodon-profile', 'mastodon-toot', 'reddit-search', 'reddit-submission', 'reddit-subreddit', 'reddit-user', 'telegram-channel', 'twitter-cashtag', 'twitter-community', 'twitter-hashtag', 'twitter-list-posts', 'twitter-profile', 'twitter-search', 'twitter-trends', 'twitter-tweet', 'twitter-user', 'twitter-users', 'vkontakte-user', 'weibo-user'

A few tests with this tool were unsuccessful but it might possibly work for some of the services.
It scrapes things like user profiles, hashtags, or searches and returns the discovered items, e.g. the relevant posts from these social networking services.

  • Facebook: user profiles, groups, and communities (aka visitor posts)
  • Instagram: user profiles, hashtags, and locations
  • Mastodon: user profiles and toots (single or thread)
  • Reddit: users, subreddits, and searches (via Pushshift)
  • Telegram: channels
  • Twitter: users, user profiles, hashtags, searches (live tweets, top tweets, and users), tweets (single or surrounding thread), list posts, communities, and trends
  • VKontakte: user profiles
  • Weibo (Sina Weibo): user profiles

Twitter

Twint is no longer maintained due to changes in twitter.
twint: github.com/twintproject/twint

Another tool but it probably doesn’t work now, after changes in June 2023.
github.com/markowanga/stweet

Another tool but haven’t tested it yet.
github.com/Altimis/Scweet

Instagram

Doesn’t appear to work now.
InstagramOSINT: github.com/sc1341/InstagramOSINT

List of Social Media Tools

github.com/osintambition/Social-Media-OSINT-Tools-Collection

Websites

Firefox extension:
Wappalyzer

whatweb - command line.
whatweb https://domain.com

whois - command line.
whois domain.com

httprobe: github.com/tomnomnom/httprobe
amass: github.com/owasp-amass/amass

Subdomains

More subdomain tools:
github.com/topics/subdomain-enumeration

Command Examples:

subfinder -d domain.com

sublist3r -d domain.com

bbot -t z3r0r3z.com -f subdomain-enum -rf passive
bbot -s -t z3r0r3z.com -f subdomain-enum -rf passive

assetfinder --subs-only domain.com >> domain-com-subdom.txt
assetfinder domain.com | grep domain.com | sort -u
assetfinder domain.com | grep domain.com > domain.txt
cat domain.txt | grep dev
cat domain.txt | grep sta
cat domain.txt | grep admin

amass enum -d domain.com

cat domain.txt | sort -u | httprobe -s -p https:443

gowitness single https://domain.com
gowitness file -f ./alive_gowitness.txt -P captures_gowitness/ --no-http

bbot example - partial output:

 bbot -t z3r0r3z.com -f subdomain-enum -rf passive
[INFO] Loaded defaults from /home/kali/.local/pipx/venvs/bbot/lib/python3.11/site-packages/bbot/defaults.yml
[INFO] Creating BBOT config at /home/kali/.config/bbot/bbot.yml
[INFO] Creating BBOT secrets at /home/kali/.config/bbot/secrets.yml
[INFO] 
[INFO] ### MODULES ###
 
[....] (Too much to paste here)

[INFO] Finishing scan
[INFO] asn: +---------+------------------+--------------+----------------+-------------------------+-----------+
[INFO] asn: | ASN     | Subnet           | Host Count   | Name           | Description             | Country   |
[INFO] asn: +=========+==================+==============+================+=========================+===========+
[INFO] asn: | AS63410 | 109.150.165.0/22 | 6            | PRIVATECOSYSTEMS | PrivateEcoSystems Petworks | US        |
[INFO] asn: +---------+------------------+--------------+----------------+-------------------------+-----------+
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | Module          | Produced           | Consumed                     |
[INFO] aggregate: +=================+====================+==============================+
[INFO] aggregate: | certspotter     | 4 (4 DNS_NAME)     | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | leakix          | 4 (4 DNS_NAME)     | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | columbus        | 3 (3 DNS_NAME)     | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | crt             | 3 (3 DNS_NAME)     | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | massdns         | 3 (3 DNS_NAME)     | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | dnsdumpster     | 2 (2 DNS_NAME)     | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | hackertarget    | 2 (2 DNS_NAME)     | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | otx             | 2 (2 DNS_NAME)     | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | wayback         | 2 (2 DNS_NAME)     | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | CNAME           | 2 (2 DNS_NAME)     | 0                            |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | azure_tenant    | 1 (1 AZURE_TENANT) | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | speculate       | 1 (1 DNS_NAME)     | 4 (3 DNS_NAME, 1 IP_ADDRESS) |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | A               | 1 (1 IP_ADDRESS)   | 0                            |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | anubisdb        | 0                  | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | azure_realm     | 0                  | 5 (5 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | digitorus       | 0                  | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | dnscommonsrv    | 0                  | 5 (5 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | myssl           | 0                  | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | nsec            | 0                  | 3 (3 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | rapiddns        | 0                  | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | riddler         | 0                  | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | sitedossier     | 0                  | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | subdomaincenter | 0                  | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | threatminer     | 0                  | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | urlscan         | 0                  | 1 (1 DNS_NAME)               |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | ipneighbor      | 0                  | 1 (1 IP_ADDRESS)             |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | PTR             | 0                  | 0                            |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | SOA             | 0                  | 0                            |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | NS              | 0                  | 0                            |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | AAAA            | 0                  | 0                            |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | host            | 0                  | 0                            |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] output.csv: Saved CSV output to /home/kali/.bbot/scans/scheming_kyle/output.csv
[INFO] output.human: Saved TXT output to /home/kali/.bbot/scans/scheming_kyle/output.txt
[INFO] output.json: Saved JSON output to /home/kali/.bbot/scans/scheming_kyle/output.ndjson
[INFO] output.subdomains: Saved subdomains to /home/kali/.bbot/scans/scheming_kyle/subdomains.txt
[SUCC] Scan scheming_kyle completed in 40 seconds with status FINISHED
[INFO] Saved word cloud (9 words) to /home/kali/.bbot/scans/scheming_kyle/wordcloud.tsv

Set up go to run in bash/zsh:

nano ~/.bashrc
nano ~/.zshrc

export GOPATH=$HOME/go 
export GOROOT=/usr/lib/go 
export PATH=$PATH:$GOROOT/bin:$GOPATH/bin 

source ~/.bashrc
source ~/.zshrc

Set up go to run in fish:

vim ~/.config/fish/config.fish

set -x GOPATH $HOME/go
set -x PATH $PATH $GOPATH/bin

source ~/.config/fish/config.fish

Frameworks

Tools

  • recon-ng
  • Spiderfoot
  • sn0int
  • etc. Check in Kali and online for more.

recon-ng

hackertarget.py

[recon-ng][default] > marketplace search

[recon-ng][default] > marketplace install hackertarget

[recon-ng][default] > modules load hackertarget

[recon-ng][default][hackertarget] > info

[recon-ng][default][hackertarget] > options set SOURCE domain.com

[recon-ng][default][hackertarget] > run

[recon-ng][default][hackertarget] > show hosts

[recon-ng][default][hackertarget] > back
[recon-ng][default] >

profiler.py

Dec 12, 2023: If your profiler.py is printing errors in red here is probably how you can fix it:
github.com/lanmaster53/recon-ng-marketplace/pull/246

To make it easier, I put all the file locations and modifications here:

recon-ng-marketplace Edit #1
Edit: /home/kali/.recon-ng/modules/recon/profiles-profiles/profiler.py at line 30.

   def module_thread(self, site, user):
        d = dict(site)
        # if d['valid'] == True:
        if d.get('valid', True) == True:
            self.verbose(f"Checking: {d['name']}")

recon-ng-marketplace Edit #2
Edit: /home/kali/.recon-ng/modules/recon/profiles-profiles/profiler.py at line 30.

meta = {
  'name': 'OSINT HUMINT Profile Collector',
  'author': 'Micah Hoffman (@WebBreacher), Brendan Burke (@gbinv)',
  # 'version': '1.1',
  'version': '1.2',
  'description': 'Takes each username from the profiles table and searches a variety of web sites for those users. The list of valid sites comes from the parent project at https://github.com/WebBreacher/WhatsMyName',
  'comments': (

recon-ng-marketplace Edit #3
Edit: /home/kali/.recon-ng/modules.yml on line 1101 and 1105.

  files: []
  last_updated: '2023-12-30'
  name: OSINT HUMINT Profile Collector
  path: recon/profiles-profiles/profiler
  required_keys: []
  version: '1.2'
- author: Robert Frost (@frosty_1313, frosty[at]unluckyfrosty.net)
  dependencies: []

After updating those files you should be able to run it.

[recon-ng][default] > marketplace install profiler

[recon-ng][default] > modules load profiler

[recon-ng][default][profiler] > info

[recon-ng][default][profiler] > options set SOURCE thecybermentor

[recon-ng][default][profiler] > run

[recon-ng][default][profiler] > show profiles

Maltego

A great tool, especially if you have access to API keys.

  • Create an account, install maltego on Kali, launch it and log in.
  • API keys are needed for most of the Hub Partners, but it some free recon.
  • Click the + at the top right to open a new graph.
  • Type domain in the search and drag it over to the graph area.
  • Rename the domain to the target.
  • Right click on the Domain Entity and select from the list of Transforms.
  • Testing All Transforms here.
    • Click on the “double” arrow to begin.
    • Click on the + area to see what it does and the arrow to return.
  • After setting the Required Inputs, click Run.
  • In the results, click on anything to see more, add notes, etc.
  • You can select an item from the results and run another Transform on it.
    • Emails, domains, companies, etc.
    • Then select another item from here and run a Transform again.
  • If you run it on a company that’s been around for a while and has a decent presence, you should gather a lot of data like emails, DNS entries, subdomains, IP addresses, open ports/services, locations, people, etc.

Other Tools

tracelabs.org
Trace Labs is a nonprofit organization whose mission is to accelerate the family reunification of missing persons while training members in the tradecraft of open source intelligence (OSINT).

hunch.ly

  • Pricing: 30 day free trial, $129.99 per year, Team (quote).
  • Setup Example
    • Create a new case.
    • Fill out “Selectors” for things you want to find.
      • username, name, email address, etc.
      • Keep adding new items that you find.
      • Filter results in History for each Selector.
    • Fill out “Tags” for grouping findings.
      • Breached Passwords
      • Social Media
      • Videos, Images
      • Phone Numbers
      • People
      • Set up default tags.
      • Filter results in History for each Tag.
    • Create a To Do list.
    • Check Settings that you may want.
      • Highlight Selectors
    • Webpages will be listed in history.
    • Go to google and turn on with “Capture” toggle.
    • Assign captures to the new case.
    • Start searching on google.
    • Start opening websites that you find.
    • You may start finding selectors that you created.
    • Right click on page for some options.
    • Assign tags to websites.
    • Add notes, captures images.
    • In the History you can check google cache or wayback machine.
    • When you’re done you can export all the data as a report if necessary.

Automation

Custom Ideas

Creating a script for subdomain recon:

  • Save whois to file.
  • Scan for subdomains and save to files.
  • Check for subdomains that are live and accessible.
  • Take screenshots of live subdomains.
  • Do this over HTTPS/443 only.

The original idea for this basic script was inspired by thecybermentor.
I took the original and started modifying it for my own private testing.

github.com/z3r0r3za/reconesh

#!/bin/bash

# recone.sh - Some basic automated scanning.
# ##############################################
# Some need to be uncommented if you want to use
# them. Tools on github used in this script:
# nmap (open ports), whois, subfinder, sublist3r, 
# bbot, assetfinder, amass, httprobe, gowitness.

# Store 200 header status code as true or false.
up=$(wget --spider --server-response $1 2>&1 | grep '200\ OK' | wc -l)
# Does first argument exist? If not, print usage and exit.
# Is the domain up? If not, inform user, print usage and exit.
if [ $# -eq 0 ]; then
    echo "A domain wasn't specified."
    echo "Usage: recone.sh domain.com"
    exit 1
elif [ "$up" = 0 ]; then
    echo "That domain is down or doesn't exist. "
    echo "Usage: recone.sh domain.com"
    exit 1
fi

# Get first argument, the domain and save it.
domain=$1
# Set some colors
RED="\033[1;31m"
GREEN="\033[1;32m"
RESET="\033[0m"
# Set up directories. Add timestamp to base directory. 
base_directory="${domain}_$(date +'%Y%m%dT%H%M%S')"
nmap="$base_directory/nmap"
ferox="$base_directory/ferox"
information="$base_directory/info"
subdomains="$base_directory/subdomains"
screenshots="$base_directory/screenshots"
dirs=("$nmap" "$ferox" "$information" "$subdomains" "$screenshots")
validate_domain="^([a-zA-Z0-9][a-zA-Z0-9-]{0,61}[a-zA-Z0-9]\.)+[a-zA-Z]{2,}$"

# Check if domain is valid.
if [[ "$domain" =~ $validate_domain ]]; then
    # Create directories for domain.
    echo "Creating directories for the domain..."
    #for path in "$nmap" "$ferox" "$information" "$subdomains" "$screenshots"; do
    for path in ${dirs[@]}; do
        if [ ! -d "$path" ]; then
            mkdir -p "$path"
            echo "$path"
        fi
    done
else
    echo "$domain is not a valid domain."
    exit 1
fi

# Get IP address and run nmap to get open ports.
# Uncomment nmap if open ports are needed.
# #############################################
echo -e "${GREEN} [+]${RED} Run dig for IP and nmap for ports...${RESET}"
dig +short $domain > "$nmap/ip_address.txt"
ip=$(dig +short $domain | head -n 1)
echo "IP address is: ${ip}"
#nmap -p- --min-rate 10000 -oA "$nmap/open" $ip

# Run whois.
# #############################################
echo -e "${GREEN} [+]${RED} Check whois...${RESET}"
whois $domain > "$information/whois.txt"

# Run subfinder or sublist3r below.
# https://github.com/projectdiscovery/subfinder
# Example: subfinder -d domain.com > domain.com/subdomains/subfinder_domains.txt
# #############################################
echo -e "${GREEN} [+]${RED} Run subfinder...${RESET}"
subfinder -d $domain > "$subdomains/found.txt"

# Run sublist3r and remove characters from output.
# ORIGINAL: https://github.com/aboul3la/Sublist3r
# The newer fork hasn't been tested with this script.
# NEWER FORK: https://github.com/RoninNakomoto/Sublist3r2
# The sed commands may need adjustments if sublist3r output changes.
# subfinder might find more. sublist3r hasn't been finding every subdomain.
# Example: sublist3r -d domain.com > domain.com/subdomains/sublist3r_results.txt
# #############################################
#echo -e "${GREEN} [+]${RED} Run sublist3r...${RESET}"
#dom=".${domain}"
#sublist3r -d $domain > $subdomains/sublist3r_results.txt
#sed -n '/\'"$dom"'/p' "$subdomains/sublist3r_results.txt" | tee "$subdomains/sublist3r_domains.txt" >/dev/null
#sed -i 's/....$//' "$subdomains/sublist3r_domains.txt"
#sed -i 's/^.....//' "$subdomains/sublist3r_domains.txt"
#cp -a "$subdomains/sublist3r_domains.txt" "$subdomains/found.txt"

# Run bbot
# https://github.com/blacklanternsecurity/bbot
# dir - Get and save newest directory and subdomains scan bbot created.
# May not work if your user is root, or might ask for password. Not tested.
# #############################################
#echo -e "${GREEN} [+]${RED} Run bbot...${RESET}"
#bbot -s -t $domain -f subdomain-enum -rf passive
#dir=$(ls -td $HOME/.bbot/scans/*/ | head -1)
#cp -a $dir/subdomains.txt $subdomains/bbot_domains.txt
#cp -a $dir/output.txt $subdomains/bbot_output.txt

# Run assetfinder.
# https://github.com/tomnomnom/assetfinder
# Example: assetfinder domain.com | grep domain.com > domain.com/subdomains/assetfinder_found.txt
# #############################################
echo -e "${GREEN} [+]${RED} Run assetfinder...${RESET}"
assetfinder $domain | grep $domain >> "$subdomains/found.txt"

# Run amass.
# https://github.com/owasp-amass/amass
# It can take a long time to run so uncomment if you want to run it.
# #############################################
#echo -e "${GREEN} [+]${RED} Run Amass. This could take a while...${RESET}"
#amass enum -d $domain >> "$subdomains/found.txt"

# Run httprobe or cat the output of just subdomains to httprobe.
# https://github.com/tomnomnom/httprobe
# #############################################
echo -e "${GREEN} [+]${RED} Run httprobe, see what's accessible...${RESET}"
cat "$subdomains/found.txt" | grep $domain | sort -u | httprobe -prefer-https | grep https | sed 's/https\?:\/\///' | tee -a "$subdomains/alive.txt"

# Run gowitness using httprobe output.
# https://github.com/sensepost/gowitness
# #############################################
echo -e "${GREEN} [+]${RED} Run gowitness, taking screenshots...${RESET}"
gowitness file -f "$subdomains/alive.txt" -P "$screenshots/" --no-http

# Run feroxbuster and extract accessible files.
# https://github.com/epi052/feroxbuster
# This is unfinished and not tested that much yet.
# #############################################
#echo -e "${GREEN} [+]${RED} Run feroxbuster, save status 200s...${RESET}"
#if [[ $(wget -S --spider https://$domain  2>&1 | grep 'HTTP/1.1 200 OK') ]]; then  
#    echo "HTTPS: true"
#    feroxbuster -u "https://$domain" -o "$ferox/directories.txt"
#elif [[ $(wget -S --spider  http://$domain  2>&1 | grep 'HTTP/1.1 200 OK') ]]; then
#    echo "HTTP: true"
#    feroxbuster -u "http://$domain" -o "$ferox/directories.txt"
#fi
#grep -E '^[2][0]{2}' "$ferox/directories.txt" > "$ferox/accessible_dirs1.txt"
#sed 's@.*//@@' "$ferox/accessible_dirs1.txt" > "$ferox/accessible_dirs2.txt"

Other Tools

photon: github.com/s0md3v/Photon
Data Extraction: URLs (in-scope & out-of-scope), URLs with parameters (example.com/gallery.php?id=2), Intel (emails, social media accounts, amazon buckets etc.), Files (pdf, png, xml etc.), Secret keys (auth/API keys & hashes), JavaScript files & Endpoints present in them, Strings matching custom regex pattern, Subdomains & DNS related data.

 photon -u https://domain.com    
      ____  __          __
     / __ \/ /_  ____  / /_____  ____
    / /_/ / __ \/ __ \/ __/ __ \/ __ \
   / ____/ / / / /_/ / /_/ /_/ / / / /
  /_/   /_/ /_/\____/\__/\____/_/ /_/ v1.2.2

[+] URLs retrieved from robots.txt: 24
[~] Level 1: 25 URLs
[!] Progress: 25/25
[~] Level 2: 338 URLs
[!] Progress: 338/338
[~] Crawling 13 JavaScript files
[!] Progress: 13/13
--------------------------------------------------
[+] Files: 12
[+] Intel: 2
[+] Robots: 24
[+] Internal: 837
[+] Scripts: 13
[+] External: 81
[+] Fuzzable: 104
[+] Endpoints: 37
--------------------------------------------------
[!] Total requests made: 377
[!] Total time taken: 2 minutes 0 seconds
[!] Requests per second: 3
[+] Results saved in domain.com directory