OSINT

OSINT Multitool

Google Account Enumeration

This writeup from Sector035 gives a detailed walk through of how to get a wealth of information from a Google account such as a @gmail.com email address.

Some of the steps for doing this require you to actually sign in to a Google account, and to add the target as a contact. A burner account or sock puppet are recommended if you are doing this for a real engagement.

https://developers.google.com/identity/sign-in/web/people https://developers.google.com/people/api/rest/v1/people/get

Multipurpose

  • https://shodan.io/

  • https://www.zoomeye.org/

  • https://leakix.net/

  • https://www.yougetsignal.com/

  • https://intelx.io/

  • https://pentest-tools.com/

RiskIQ’s Community Edition -

Threat Hunter

  • Access the most comprehensive internet data sets available to track adversaries across the internet

  • Pivot across passive DNS, WHOIS, SSL certificates, web trackers, and more

  • Enrich internal controls and logs to uncover, understand, and respond to external threats

  • Monitor threat infrastructure for changes or new, similar artifacts

Threat Defender

  • Understand your Digital Footprint® and how you’re exposed from the outside in

  • Discover unknown assets, exposures, and vulnerabilities

  • Get alerts when your brand or trademarked terms appear in new domains and WHOIS contact information

  • View digital assets details such as domain attributes, IP address, and registrant details

https://censys.io/ - Attack surface enumeration

Discover every asset in your attack surface, known or unknown.

Domain/IP Recon

  • https://domainbigdata.com/

  • https://viewdns.info/

  • http://bgp.he.net/

  • https://rapiddns.io/

  • https://dnsdumpster.com/

  • https://www.whoxy.com/

https://www.robtex.com/ - Good for geo-location of IP origin

Robtex is used for various kinds of research of IP numbers, Domain names, etc

Robtex uses various sources to gather public information about IP numbers, domain names, host names, Autonomous systems, routes etc. It then indexes the data in a big database and provide free access to the data.

https://opendata.rapid7.com/sonar.fdns_v2/

Project Sonar produces a Forward DNS dataset every week or so. This data is created by extracting domain names from a number of sources and then sending an ANY query for each domain. The sources used to build the list of domains include:

  • Reverse DNS (PTR) Records

  • Common Name and SubjectAltName fields from SSL Certificates

  • HTML elements and Location headers seen in HTTP responses

  • Zone files from COM, INFO, ORG, NET, BIZ, INFO and other TLDs

  • Zone files from gTLDs

The data format is a gzip-compressed JSON file, where each line of the file is a JSON document with attributes for the record name, type, value and time of resolution.

Mail server blacklist enumerator

  • http://multirbl.valli.org/

Dark web exposure

  • https://immuniweb.com/radar/

New acquisitions

  • https://crunchbase.com/

Email

Social Media

Social media search engine

Accounts registered by email

Enumerate usernames

Twitter

Instagram

Facebook

Skype

Forums

Pastebin

Search with results grouped by topic

Source code search engines

Credential Leak Sites

Run by Troy Hunt, haveibeenpwned.com is one of the best for checking whether an email address has been involved in a credential breach.

Not all of these sites below are trustworthy. Do not enter any credentials that are in use, or you plan to use into any searches!

  • https://link-base.org/index.php

  • http://xjypo5vzgmo7jca6b322dnqbsdnp3amd24ybx26x5nxbusccjkm4pwid.onion/

  • http://pwndb2am4tzkvold.onion

  • https://weleakinfo.to/

  • https://www.dehashed.com/search?query=

  • https://rslookup.com

  • https://leakcheck.net

  • https://snusbase.com

  • https://leakpeek.com

  • https://breachchecker.com

  • https://leak-lookup.com

  • https://weleakinfo.to

  • https://leakcheck.io

  • http://scylla.sh

  • http://scatteredsecrets.com

  • https://joe.black/leakengine.html

  • https://services.normshield.com/data-breach

  • https://leakedsource.ru/main/

  • https://leaked.site/

  • https://ghostproject.fr/

  • https://haveibeensold.app/

  • https://vigilante.pw/

  • https://nuclearleaks.com/

  • https://hashes.org/

  • https://leak.sx/

  • https://leakcorp.com/login

  • https://private-base.info/

  • https://4iq.com/

  • https://intelx.io

  • https://leakprobe.net

If you like this content and would like to see more, please consider buying me a coffee!

Last updated