Links

OSINT tools

CeWL

cewl [options] <url>
Example: cewl -m 6 -w megacorp-cewl.txt www.megacorpone.com
-d = depth to spider, default 2
-m = minimum word length, default 3
-w = write the output to file, include file name
-c = count, show word count for each word entry
-v = verbose

FOCA

  • Metadata search tool that can search, download and analyze all documents on a domain and provide a list of metadata
  • Metadata often includes users, directories, printers, emails, passwords, operating systems/software and servers

Hunter

  • From the site: "Hunter lets you find professional email addresses in seconds and connect with the people that matter for your business."

Netcraft

OSINT framework

Phonebook.cz

Recon-ng

  • Module based framework for web information gathering
  • Run tool (Kali): recon-ng
  • Search available modules: marketplace search $keyword
  • Learn about available modules: marketplace info $modulename
  • Add a module: marketplace install module
  • Load module: modules load $modulename
    • Display required parameters: info
    • Configure options: options set $option
    • Execute module: run
  • Information from each module used is stored in a database
    • Exit module: back
    • Display information: show

Shodan

  • Allows searching for computers and IoT devices
  • May reveal items that should be in scope but were not included by the client
  • Search by client name; devices outside the client's IP range are likely managed by third parties

Social media tools

  • Social-Searcher - a search engine for social media sites
  • Twofi - scans a user's Twitter feed and generates wordlists
  • linkedin2username - a script for generating username lists based on LinkedIn data

TheHarvester

  • Gathers emails, names, subdomains, IP addresses, and URLs from multiple search engines
  • Run with (Kali): Theharvester -d cisco.com -b google
    • -d: specifies the target domain
    • -b: specifies which data source to search

whois enumeration

  • Regular lookup: whois somesite.com
  • Reverse lookup: whois $ipaddress