# OSINT tools

### CeWL 

* Ruby tool that spiders websites and generates wordlists for use in dictionary attacks.
* <https://github.com/digininja/CeWL> (included in Kali)

```
cewl [options] <url>
Example: cewl -m 6 -w megacorp-cewl.txt www.megacorpone.com
-d = depth to spider, default 2
-m = minimum word length, default 3
-w = write the output to file, include file name
-c = count, show word count for each word entry
-v = verbose
```

### FOCA

* Metadata search tool that can search, download and analyze all documents on a domain and provide a list of metadata
* Metadata often includes users, directories, printers, emails, passwords, operating systems/software and servers
* <https://github.com/ElevenPaths/FOCA>

### Hunter

* From the site: "Hunter lets you find professional email addresses in seconds and connect with the people that matter for your business."
* <https://hunter.io/>

### Netcraft

* Provides various functions including DNS information and technologies being used on a site.
* <https://www.netcraft.com/tools/#internet-research>

### OSINT framework

* Massive directory of OSINT tools arranged by function
* <https://osintframework.com>

### Phonebook.cz

* Lists all domains, email addresses, and URLs associated with a domain.&#x20;
* <https://phonebook.cz/>

### Recon-ng

* Module based framework for web information gathering
* Run tool (Kali): `recon-ng`
* Search available modules: `marketplace search $keyword`
* Learn about available modules: `marketplace info $modulename`
* Add a module: `marketplace install module`
* Load module: `modules load $modulename`
  * Display required parameters: `info`
  * Configure options: `options set $option`
  * Execute module: `run`&#x20;
* Information from each module used is stored in a database
  * Exit module: `back`
  * Display information: `show`

### Shodan

* Allows searching for computers and IoT devices
* May reveal items that should be in scope but were not included by the client
* Search by client name; devices outside the client's IP range are likely managed by third parties
* <https://www.shodan.io/>

### Social media tools

* [Social-Searcher](https://www.social-searcher.com/) - a search engine for social media sites
* [Twofi](https://www.kali.org/tools/twofi/) - scans a user's Twitter feed and generates wordlists
* [linkedin2username](https://github.com/initstring/linkedin2username) - a script for generating username lists based on LinkedIn data

### TheHarvester

* Gathers emails, names, subdomains, IP addresses, and URLs from multiple search engines
* Run with (Kali): `Theharvester -d cisco.com -b google`
  * -d: specifies the target domain
  * -b: specifies which data source to search

### whois enumeration

* Regular lookup: `whois somesite.com`
* Reverse lookup: `whois $ipaddress`


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://notes.oncyberwar.com/1.-reconnaissance-osint/cewl.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.