OSINT
Last updated
This writeup from Sector035 gives a detailed walkthrough of how to get a wealth of information from a Google account, such as a @gmail.com email address.
Some of the steps require you to actually sign in to a Google account and add the target as a contact. A burner account or sock puppet is recommended if you are doing this for a real engagement.
https://developers.google.com/identity/sign-in/web/people
https://developers.google.com/people/api/rest/v1/people/get
https://shodan.io/
https://www.zoomeye.org/
https://leakix.net/
https://www.yougetsignal.com/
https://intelx.io/
https://pentest-tools.com/
Threat Hunter
Access the most comprehensive internet data sets available to track adversaries across the internet
Pivot across passive DNS, WHOIS, SSL certificates, web trackers, and more
Enrich internal controls and logs to uncover, understand, and respond to external threats
Monitor threat infrastructure for changes or new, similar artifacts
Threat Defender
Understand your Digital Footprint® and how you’re exposed from the outside in
Discover unknown assets, exposures, and vulnerabilities
Get alerts when your brand or trademarked terms appear in new domains and WHOIS contact information
View digital assets details such as domain attributes, IP address, and registrant details
https://censys.io/ - Attack surface enumeration
Discover every asset in your attack surface, known or unknown.
https://domainbigdata.com/
https://viewdns.info/
http://bgp.he.net/
https://rapiddns.io/
https://dnsdumpster.com/
https://www.whoxy.com/
https://www.robtex.com/ - Good for geo-location of IP origin
Robtex is used for various kinds of research on IP addresses, domain names, etc.
Robtex uses various sources to gather public information about IP addresses, domain names, host names, autonomous systems, routes, etc. It then indexes the data in a big database and provides free access to it.
https://opendata.rapid7.com/sonar.fdns_v2/
Project Sonar produces a Forward DNS dataset every week or so. This data is created by extracting domain names from a number of sources and then sending an ANY query for each domain. The sources used to build the list of domains include:
Reverse DNS (PTR) Records
Common Name and SubjectAltName fields from SSL Certificates
HTML elements and Location headers seen in HTTP responses
Zone files from COM, INFO, ORG, NET, BIZ and other TLDs
Zone files from gTLDs
The data format is a gzip-compressed JSON file, where each line of the file is a JSON document with attributes for the record name, type, value and time of resolution.
http://multirbl.valli.org/
https://immuniweb.com/radar/
https://crunchbase.com/
https://hunter.io/
Email Domain enumeration
Fake email sender
This page is in Russian!
Can search by language or feature
Search public repositories
Searches for "secrets" inside git code repos
FOSS version at https://github.com/eth0izzle/shhgit
Run by Troy Hunt, haveibeenpwned.com is one of the best for checking whether an email address has been involved in a credential breach.
Not all of the sites below are trustworthy. Do not enter any credentials that are in use, or that you plan to use, into any of these searches!
https://link-base.org/index.php
http://xjypo5vzgmo7jca6b322dnqbsdnp3amd24ybx26x5nxbusccjkm4pwid.onion/
http://pwndb2am4tzkvold.onion
https://weleakinfo.to/
https://www.dehashed.com/search?query=
https://rslookup.com
https://leakcheck.net
https://snusbase.com
https://leakpeek.com
https://breachchecker.com
https://leak-lookup.com
https://leakcheck.io
http://scylla.sh
http://scatteredsecrets.com
https://joe.black/leakengine.html
https://services.normshield.com/data-breach
https://leakedsource.ru/main/
https://leaked.site/
https://ghostproject.fr/
https://haveibeensold.app/
https://vigilante.pw/
https://nuclearleaks.com/
https://hashes.org/
https://leak.sx/
https://leakcorp.com/login
https://private-base.info/
https://4iq.com/
https://intelx.io
https://leakprobe.net