→ https://github.com/TCM-Course-Resources/Open-Source-Intellingence-Resources

OSINT is a multi-methods methodology for collecting, analyzing and making decisions about data accessible in publicy available sources to be used in an intellifence context.

Intelligence Lifecycle

Planning and Direction
Collection
Processing and Exploitation
Analysis and Production
Dissemination and Integration

Sock Puppets

The point of Sock puppet is to not draw attention to yourself. So, create fake accounts, fake credentials, fake identity. etc

Resources

Creating an Effective Sock Puppet for OSINT Investigations – Introduction: https://jakecreps.com/sock-puppets/

The Art Of The Sock: https://www.secjuice.com/the-art-of-the-sock-osint-humint/

Reddit - My process for setting up anonymous sockpuppet accounts: https://www.reddit.com/r/OSINT/comments/dp70jr/my_process_for_setting_up_anonymous_sockpuppet/

Fake Name Generator: https://www.fakenamegenerator.com/

This Person Does not Exist: https://www.thispersondoesnotexist.com/

Privacy.com: https://privacy.com/join/LADFC - *Referral link. We each get $5 credit on sign up.

Creating Sock Puppet

Come up with a persona for the sockpuppet account
Use fake name generator = ‘https://www.fakenamegenerator.com/’
Use This Person does not exist to create a image in AI = ‘https://www.thispersondoesnotexist.com/’
Get a burner phone, any brand that accept a mint mobile SIM card
Get a burner credit card from = https://privacy.com/
Set up amazon account.
Buy two Mint Mobile SIM cards
Send to an Amazon Pickup box, which can be anonymous
Get a VPN that u can set to the physical area the same as your sockpuppet
Set up the Mint Mobile trial account somewhere away from your home
Use the Mint Mobile to set up all websites u need
At least a google and protonmal account
After that, set up all the accounts with your trial mint SIM, set up 2FA on all accounts
After the 2FA, change the phone number to one you have more permanent access such as MySudo or Google Voice
Make sure everything works
Destroy the SIM card
Wipe the phone.

Search Engine Operators

Google - https://www.google.com/

Google Advanced Search - https://www.google.com/advanced_search

Google Search Guide - http://www.googleguide.com/print/adv_op_ref.pdf

Bing - https://www.bing.com/

Bing Search Guide - https://www.bruceclay.com/blog/bing-google-advanced-search-operators/

Yandex - https://yandex.com/

DuckDuckGo - https://duckduckgo.com/

DuckDuckGo Search Guide - https://help.duckduckgo.com/duckduckgo-help-pages/results/syntax/

Baidu - http://www.baidu.com/

Common Google Options = Same as using advanced search

- intext:<term that shows inside a webpage>
- inurl:<term that shows in url>
- intitle:<term that show in title of articles>
- site:<example.com>
- filetype:pdf, docx, xlxs, etc
-  # <exclude some term of the search>
+ # <add some term to the search>
“” # <search specifics terms>

Image OSINT

Reverse Image Searching

Google Image Search: https://images.google.com

Yandex: https://yandex.com

TinEye: https://tineye.com

Viewing EXIF (exchangeable image file) Data

→ http://exif.regex.info/exif.cgi

Physical Location OSINT

Look at satelites images, street view

On site reconassaince with drones

Geographical Locations

GeoGuessr: https://www.geoguessr.com

GeoGuessr: The Top Tips, Tricks and Techniques

→ https://somerandomstuff1.wordpress.com/2019/02/08/geoguessr-the-top-tips-tricks-and-techniques/’

Email OSINT

Resources

Hunter.io: https://hunter.io/

Phonebook.cz; https://phonebook.cz/

VoilaNorbert: https://www.voilanorbert.com/

Email Hippo: https://tools.verifyemailaddress.io/

Email Checker: https://email-checker.net/validate

Clearbit Connect: https://chrome.google.com/webstore/detail/clearbit-connect-supercha/pmnhcgfcafcnkbengdcanjablaabjplo?hl=en

Same lesson:

Reconnaissance from PEH

Password OSINT

Hunting Breached Password

Dehashed: https://dehashed.com/

WeLeakInfo: https://weleakinfo.to/v2/

LeakCheck: https://leakcheck.io/

SnusBase: https://snusbase.com/

Scylla.sh: https://scylla.sh/

HaveIBeenPwned: https://haveibeenpwned.com/

Hunting Usernames and Accounts

NameChk: https://namechk.com/

WhatsMyName: https://whatsmyname.app/

NameCheckup: https://namecheckup.com/

Search for People

WhitePages: https://www.whitepages.com/

TruePeopleSearch: https://www.truepeoplesearch.com/

FastPeopleSearch: https://www.fastpeoplesearch.com/

FastBackgroundCheck: https://www.fastbackgroundcheck.com/

WebMii: https://webmii.com/

PeekYou: https://peekyou.com/

411: https://www.411.com/

Spokeo: https://www.spokeo.com/

That’sThem: https://thatsthem.com/

Voter Records: https://www.voterrecords.com

Phone Numbers:

TrueCaller: https://www.truecaller.com/

CallerID Test: https://calleridtest.com/

Infobel: https://infobel.com/

Discovering Birthdates:

google = “name or username” intext:”happy birthday” site:twitter, face, linkedin etc

Searching Resumes:

google = “name” resume site: linkedin.com

Twitter

"" = specific terms
from:<user>
to:<user>
from:<user> since:<year-month-day> until:<Y-M-D>
geocode:<lat, lon, radius>
advanced search

Resources

Social Bearing - https://socialbearing.com/

Twitonomy - https://www.twitonomy.com/

Sleeping Time - http://sleepingtime.org/

Mentionmapp - https://mentionmapp.com/

Tweetbeaver - https://tweetbeaver.com/

Spoonbill.io - http://spoonbill.io/

Tinfoleak - https://tinfoleak.com/

TweetDeck - https://tweetdeck.com/

Facebook

Sowdust Github - https://sowdust.github.io/fb-search/

IntelligenceX Facebook Search - https://intelx.io/tools?tab=facebook

Instagram

Wopita - https://wopita.com/

Code of a Ninja - https://codeofaninja.com/tools/find-instagram-user-id/

InstaDP - https://www.instadp.com/

ImgInn - https://imginn.com/

Snapchat

Snapchat Maps - https://map.snapchat.com

Website OSINT

BuiltWith - https://builtwith.com/

Domain Dossier - https://centralops.net/co/

DNSlytics - https://dnslytics.com/reverse-ip

SpyOnWeb - https://spyonweb.com/

Virus Total - https://www.virustotal.com/

Visual Ping - https://visualping.io/

Back Link Watch - http://backlinkwatch.com/index.php

View DNS - https://viewdns.info/

Search for reverse ip lookup, whois, dns report, ip location finder, port scanner, etc

Subdomains

Pentest-Tools Subdomain Finder - https://pentest-tools.com/information-gathering/find-subdomains-of-domain#

Spyse - https://spyse.com/

crt.sh - https://crt.sh/

Extra

Shodan - https://shodan.io

city:<x>
port:<x>
org:<organization>

Wayback Machine - https://web.archive.org/

Hunting Businesses

Open Corporates - https://opencorporates.com/

AI HIT - https://www.aihitdata.com/

indeed - https://br.indeed.com/

Go to linkedin

search for:

information, location, etc
employes
badges

in google:

site:linkedin.com/in/ “* at company”

Wireless OSINT

WiGLE - https://wigle.net/

Lab building

VMWare Workstation Player - https://www.vmware.com/ca/products/workstation-player/workstation-player-evaluation.html

VirtualBox - https://www.virtualbox.org/wiki/Downloads

TraceLabs OSINT VM - https://www.tracelabs.org/initiatives/osint-vm

TraceLabs OSINT VM Installation Guide - https://download.tracelabs.org/Trace-Labs-OSINT-VM-Installation-Guide-v2.pdf

Working with Tools

Image and Location OSINT

apt install libimage-exiftool-perl

Emails and breachead Data

breach-parse - https://github.com/hmaverickadams/breach-parse

theHarvester -d tesla.com -b google -l 500

# -d = domain
# -b - source
# -l = length
./breach-parse.sh @tesla.com tesla.txt

h8mail -t shark@tesla.com -bc "/opt/breach-parse/BreachCompilation/" -sk

Username and Account OSINT

whatsmyname -u <username>

sherlock <username>

Phone Number OSINT

phoneinfoga scan -n 14082492815
phoneinfoga serve -p 8080

pip3 install --upgrade -e git+https://github.com/twintproject/twint.git@origin/master#egg=twint
pip3 install --upgrade aiohttp_socks

Twint - https://github.com/twintproject/twint

Twint:

-u = user
-s = somethin the user specifically said
--year
--since "Y-M-D hour:min:sec"
--folowers
--following

Website OSINT

wappalyzer firefox extension
whatweb

whois <domain>

nano ~/.bashrc

export GOPATH=$HOME/go 
export GOROOT=/usr/lib/go
export PATH=$PATH:$GOROOT/bin:$GOPATH/bin

source ~/.bashrc

go get -u github.com/tomnomnom/httprobe
go get -u github.com/tomnomnom/assetfinder
GO111MODULE=on go get -u -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder
go get -u github.com/sensepost/gowitness
export GO111MODULE=on
go get -v github.com/OWASP/Amass/v3/…

subfinder -d <domain>
assetfinder <domain>
amass enum -d <domain>
cat <domain>.txt | sort -u | httprobe -s -p https:443
gowitness file -f ./alive.txt -P ./pics --no-http

Subfinder - https://github.com/projectdiscovery/subfinder

Assetfinder - https://github.com/tomnomnom/assetfinder

httprobe - https://github.com/tomnomnom/httprobe

Amass - https://github.com/OWASP/Amass

GoWitness - https://github.com/sensepost/gowitness/wiki/Installation

Exploring OSINT Frameworks

FinalRecon
LittleBrother
Maltego
recon-ng
Marketplace search

marketplace install <module>
modules load <module>
info
options set SOURCE <domain>
run
show hosts
back

profiler module

- Sn0int
- Spiderfoot
- WikiLeaker

Extra tool

Hunchly - https://hunch.ly

its a chrome extension works like burp, you activate and then go to web to search pages while the hunchly get data that we want

photon -u <domain>

Automating Website OSINT

#!/bin/bash

domain=$1
RED="\033[1;31m"
RESET="\033[0m"

info_path=$domain/info
subdomain_path=$domain/subdomains
screenshot_path=$domain/screenshots

if [ ! -d "$domain" ];then
  mkdir $domain
fi

if [ ! -d "$info_path" ];then
  mkdir $info_path
fi

if [ ! -d "$subdomain_path" ];then
  mkdir $subdomain_path
fi

if [ ! -d "$screenshot_path" ];then
  mkdir $screenshot_path
fi

echo -e "${RED} [+] Checkin' who it is...${RESET}"
whois $1 > $info_path/whois.txt

echo -e "${RED} [+] Launching subfinder...${RESET}"
subfinder -d $domain > $subdomain_path/found.txt

echo -e "${RED} [+] Running assetfinder...${RESET}"
assetfinder $domain | grep $domain >> $subdomain_path/found.txt

#echo -e "${RED} [+] Running Amass. This could take a while...${RESET}"
#amass enum -d $domain >> $subdomain_path/found.txt

echo -e "${RED} [+] Checking what's alive...${RESET}"
cat $subdomain_path/found.txt | grep $domain | sort -u | httprobe -prefer-https | grep https | sed 's/https\?:\/\///' | tee -a $subdomain_path/alive.txt

echo -e "${RED} [+] Taking dem screenshotz...${RESET}"
gowitness file -f $subdomain_path/alive.txt -P $screenshot_path/ --no-http

Additional Resources

TraceLabs - https://www.tracelabs.org/

Innocent Lives Foundation - https://www.innocentlivesfoundation.org/

Alethe Denis - https://twitter.com/AletheDenis

Joe Gray - https://twitter.com/C_3PJoe

IntelTechniques - https://inteltechniques.com/

OSINT Flowcharts - https://inteltechniques.com/blog/2018/03/06/updated-osint-flowcharts/

Share on

Twitter Facebook LinkedIn

2 - Open-Source Intelligence (OSINT)

Intelligence Lifecycle

Sock Puppets

Resources

Creating Sock Puppet

Search Engine Operators

Common Google Options = Same as using advanced search

Image OSINT

Reverse Image Searching

Viewing EXIF (exchangeable image file) Data

Physical Location OSINT

Geographical Locations

Email OSINT

Resources

Same lesson:

Password OSINT

Hunting Breached Password

Hunting Usernames and Accounts

Search for People

Social Media OSINT

Twitter

Resources

Facebook

Instagram

Snapchat

Website OSINT

Subdomains

Extra

Hunting Businesses

Wireless OSINT

Lab building

Working with Tools

Image and Location OSINT

Emails and breachead Data

Username and Account OSINT

Phone Number OSINT

Social Media OSINT

Website OSINT

Exploring OSINT Frameworks

Extra tool

Automating Website OSINT

Additional Resources

Share on