OSINT Investigations

December 8, 2016


I am sure many people who use OSINT are already aware of these tools and links; however, information, and acquiring it from every available source, is always relevant and should never be overlooked. Hopefully, this list will come in handy for OSINT investigations.

I have listed some resources that are known within the hacker community for acquiring information on many kinds of entities. This covers all aspects of people and companies: email searches, username searches, phrases, phone numbers and even pictures.

Many of the resources are free; however, some charge an access fee for a more thorough search. I am unable to suggest which of these services are worth the money, as I have never paid for a resource: the information is out there somewhere and just needs to be found.

  1. Finding out who owns a domain is very easy online; however, sometimes a domain is fronted by Cloudflare, which can stop an investigation in its tracks very quickly. Rather than waiting on policy and email replies from a web host, one can sometimes get around Cloudflare and find the correct IP address with some handy online tools. These are: https://dnsdumpster.com/ and http://www.crimeflare.com/cfs.html
  2. One of the BEST free DNS lookup tools on the internet (the NSA uses this): https://www.robtex.com/
    Another noteworthy DNS tool is http://serversniff.net.w3snoop.com/. Besides this, the only other one that comes to mind, which will probably already be in your arsenal, is http://whois.domaintools.com/
  3. Social networks can be used to find family relations; however, MooseRoots can be used to do the same thing without letting on that someone has looked at a profile. They are also good for finding password reset questions. http://birth-records.mooseroots.com/ and http://marriage-divorce-records.mooseroots.com/ This one is good for finding the sub-sites: http://www.mooseroots.com
    Another good site to mention is https://www.advancedbackgroundchecks.com/ This is great for background checks and a good resource for finding a person's location if one has a vague idea of where they live.
  4. While this site links off to other sites (some requiring money), it does give some good information. It has gone downhill of late and is not as good as it once was, but it is still worth mentioning: http://www.peekyou.com
  5. Search for emails, names and usernames here: http://com.lullar.com/ Not as many results are returned as on other sites, though, in saying that, there are not as many links to commercial sites either.
  6. One of my personal favorites! http://checkusernames.com/ Not meant for profiling, but it works well for the task. It finds a specific username across many sites; from there you can look at the profile that has taken that username. This saves time compared with checking accounts on each site.
  7. This one is similar to the above website but claims to check over 500 sites instead. Probably a good paid site: http://knowem.com/ It is beyond my financial capacity and I have never used it, but I understand from others that it is very useful.
  8. This was once Spock ("Single Point of Contact by Keyword"). It has changed over the years and isn't as good anymore; it changed when it was bought out by a company named Intelius. You are able to search by name, phone, email and screen name. Unfortunately it only covers US data and is now commercial. http://www.zabasearch.com/
  9. Able to search by name, email, username and phone. Results can be noisy, not to mention the links to paid sites, but it can be a nice starting point that leads to other areas. https://pipl.com/
  10. This one is very similar to the above website and is good for footprinting: http://www.123people.com/ Some of the links given are paid and some are not. I am unable to evaluate any of the commercial sites, as I find it more of a challenge to find the information without paying.
  11. This one can be a bit of an information tease. It gives some good results, but most are for commercial sites. It is a good starting point that leads to other queries. http://www.spokeo.com/
  12. Search people by name or keyword. I have found you can use this as a username search as well. http://webmii.com/
  13. Good for finding where someone works. Much of the information comes from LinkedIn or Indeed.com. http://www.zoominfo.com/
  14. A reverse image search website. This is good for finding duplicate copies of a profile picture, to see whether it has been stolen from another account, or to link the picture to other websites. http://tineye.com/
  15. Sometimes people upload documents or pictures and later remove them. This site might help to find that deleted information. http://www.archive.org/web/web.php
  16. This is the hacker search engine. Without going onto the deep web, this is what is available to surface-web users: https://www.shodan.io/
  17. Great site for a multitude of reasons. Online networking tools including a port-forward tester, a phone number geolocator, a reverse email lookup and more. http://www.yougetsignal.com/
  18. Add-ons for Firefox can be very valuable. One in particular that I would name is Passive Recon: https://addons.mozilla.org/en-US/firefox/addon/passiverecon/
  19. Another favorite of mine is http://www.yougetsignal.com/ Go check it out! Many tools are available.
  20. Number one in my books, Maltego: https://www.paterva.com/web7/index.php
  21. A paid version of the above is https://www.palantir.com/
  22. This one is pretty good too and should be in any OSINT investigator's tool list: http://dradisframework.org/
  23. Linux tools: Metagoofil is a great OSINT information-gathering tool. It can extract metadata from a target, including MAC addresses, which gives an attacker an idea of the hardware used in the network. It can be used to guess the type of OS running and the network names. It is also good at extracting network path information, which can be used to map the network. Brute force is an available function with this tool. http://www.edge-security.com/metagoofil.php
  24. Google Hacking Database. OSINT is not complete without some Google hacking. This helps in understanding dorks and search queries while helping to find information on Google. https://www.exploit-db.com/google-hacking-database/
  25. FOCA is also a good network infrastructure mapping tool and can be used for OSINT. http://null-byte.wonderhowto.com/how-to/hack-like-pro-extract-metadata-from-websites-using-foca-for-windows-0155076/
  26. Social Engineer Toolkit. A tool for, as you can see, social engineering. It includes spear phishing and web attack vectors and can work with Metasploit: http://www.social-engineer.org/framework/se-tools/computer-based/social-engineer-toolkit-set/
  27. This tool allows us to gather geolocation information related to users of social networking platforms. http://www.geocreepy.com/
  28. This automates recon from LinkedIn, Jigsaw, Shodan and others. A good Linux tool: https://bitbucket.org/LaNMaSteR53/recon-ng

*Others would argue that grep, the Linux command, is better than all of these combined! I, however, wouldn't go that far. It is very useful, though.

All the tools mentioned should get you off to a good start. Bookmark the sites! Trust me, they will come in handy in some way or another. Please be good with this information. With great knowledge comes great responsibility! (Insert other cheesy movie quotes about responsibility) :p

A good hacker and researcher understands the following: don't be lame and use them for malicious activities. Or I WILL find you and make an example out of you!
Ok, maybe a little over the top, but be responsible and don't use it to DOX!

17 Comments
  2. Nice article, some links are new to me. Can I ask which is better of the two search engines: 1) https://censys.io/ 2) https://www.shodan.io/

    • Thanks RUBINS. In my experience I've had more success with Shodan. The registration on Censys and the limit restrictions can be a pain without giving information away, even if it's fake. Shodan seems to give better results when searching for things like "SSH port:'22'" or already infected boxes with trojans to play with "port: '6666'". Also the fingerprints are amazing with Shodan. Another that you might like to play around with is https://www.zoomeye.org/

      #There really needs to be a delete comment option…sigh
