OSINT tools
CeWL
Ruby tool that spiders websites and generates wordlists for use in dictionary attacks.
https://github.com/digininja/CeWL (included in Kali)
FOCA
Metadata search tool that can find, download and analyze all documents on a domain and list the metadata they contain
Metadata often includes users, directories, printers, emails, passwords, operating systems/software and servers
Hunter
From the site: "Hunter lets you find professional email addresses in seconds and connect with the people that matter for your business."
Netcraft
Provides various functions including DNS information and technologies being used on a site.
OSINT Framework
Massive directory of OSINT tools arranged by function
Phonebook.cz
Lists all domains, email addresses, and URLs associated with a domain.
Recon-ng
Module-based framework for web information gathering
Run tool (Kali):
recon-ng
Search available modules:
marketplace search $keyword
Learn about available modules:
marketplace info $modulename
Add a module:
marketplace install $modulename
Load module:
modules load $modulename
Display required parameters:
info
Configure options:
options set $option $value
Execute module:
run
Information from each module used is stored in a database
Exit module:
back
Display information:
show
Shodan
Allows searching for computers and IoT devices
May reveal items that should be in scope but were not included by the client
Search by client name; devices outside the client's IP range are likely managed by third parties
Social media tools
Social-Searcher - a search engine for social media sites
Twofi - scans a user's Twitter feed and generates wordlists
linkedin2username - a script for generating username lists based on LinkedIn data
TheHarvester
Gathers emails, names, subdomains, IP addresses, and URLs from multiple search engines
Run with (Kali):
theHarvester -d cisco.com -b google
-d: specifies the target domain
-b: specifies which data source to search
whois enumeration
Regular lookup:
whois somesite.com
Reverse lookup:
whois $ipaddress