OSINT tools

CeWL

• Ruby tool that spiders websites and generates wordlists for use in dictionary attacks.

• https://github.com/digininja/CeWL (included in Kali)

cewl [options] <url>
Example: cewl -m 6 -w megacorp-cewl.txt www.megacorpone.com
-d = depth to spider, default 2
-m = minimum word length, default 3
-w = write the output to file, include file name
-c = count, show word count for each word entry
-v = verbose

FOCA

• Metadata search tool that can search, download and analyze all documents on a domain and provide a list of metadata

• Metadata often includes users, directories, printers, emails, passwords, operating systems/software and servers

• https://github.com/ElevenPaths/FOCA

Hunter

• From the site: "Hunter lets you find professional email addresses in seconds and connect with the people that matter for your business."

• https://hunter.io/

Netcraft

• Provides various functions including DNS information and technologies being used on a site.

• https://www.netcraft.com/tools/#internet-research

OSINT framework

• Massive directory of OSINT tools arranged by function

• https://osintframework.com

Phonebook.cz

• Lists all domains, email addresses, and URLs associated with a domain.

• https://phonebook.cz/

Recon-ng

• Module based framework for web information gathering

• Run tool (Kali): recon-ng

• Search available modules: marketplace search $keyword

• Learn about available modules: marketplace info $modulename

• Add a module: marketplace install module

• Load module: modules load $modulename

  • Display required parameters: info

  • Configure options: options set $option

  • Execute module: run

• Information from each module used is stored in a database

  • Exit module: back

  • Display information: show

Shodan

• Allows searching for computers and IoT devices

• May reveal items that should be in scope but were not included by the client

• Search by client name; devices outside the client's IP range are likely managed by third parties

• https://www.shodan.io/

Social media tools

• Social-Searcher - a search engine for social media sites

• Twofi - scans a user's Twitter feed and generates wordlists

• linkedin2username - a script for generating username lists based on LinkedIn data

TheHarvester

• Gathers emails, names, subdomains, IP addresses, and URLs from multiple search engines

• Run with (Kali): Theharvester -d cisco.com -b google

  • -d: specifies the target domain

  • -b: specifies which data source to search

whois enumeration

• Regular lookup: whois somesite.com

• Reverse lookup: whois $ipaddress