Hello learners, in this article we will learn how to use different OSINT tools to find interesting information that is publicly available on the internet. OSINT has become more relevant than ever because of the Internet and social media, so with that in mind, let's get started!
What is OSINT?
OSINT, aka Open Source Intelligence, is data and information retrieved from publicly available sources: social media, search engines, domains, DNS names, emails, journals, newspapers and so on. All of these resources can be searched for information that an ethical hacker or a threat hunter can use, depending on their requirements.
Governments and political parties have long used newspapers and television broadcasts to track military, political and economic activities. With the rise of the Internet, social media and modern industry, vast amounts of information became publicly available, so OSINT is now more crucial than ever.
How does OSINT work ?
There is no single predefined method for OSINT, because many OSINT tools are available and each serves a different purpose. Think of the process like this: anything you can obtain over the internet or from traditional media can be used for OSINT, and one of the easiest ways to gather information is Google dorking.
Let’s take an example like the below :
Suppose an organisation has a GitHub or Bitbucket repository and a team of six working on a Ruby on Rails application. You can navigate to GitHub, find the repository and see who is working on which part of the application, then use the contributors' names to find their social media accounts, email addresses and so on.
The information you will get from a proper OSINT exercise ranges over:
- Domains
- DNS Names
- Emails
- Links between people
- Documents
- Affiliations
- Social media handles
- IP addresses
- Geo location
- Organisations
Legal effects of OSINT
It all depends on the country you live in and the purpose for which you are using OSINT. OSINT is legal in the US and the UK, but you still need to follow a clearly defined framework, including a written scope and authorisation from the target, so that you do not cause legal complications.
Example: if you are performing OSINT at an organisation's request, it is perfectly legal, but if you are stalking an ex-partner or any other individual, it is outright illegal.
Top 5 OSINT Tools
We will cover the following top 5 OSINT Tools in this tutorial:
- Maltego
- Shodan
- Google Dorks
- Recon-ng
- theHarvester
1. Maltego
Maltego can be said to be the best tool available for OSINT because it grabs information from various kinds of sources and presents it as graphs and visuals for easier review. The graphs contain information such as emails, organisations, domains, name servers and a lot more. Maltego is written in Java, so it is available on Windows, macOS and Linux, and it ships in many hacking distributions such as Kali Linux and Parrot OS.
Installation
For Ubuntu / Debian
wget https://maltego-downloads.s3.us-east-2.amazonaws.com/linux/Maltego.v4.2.19.13940.linux.zip
unzip Maltego.v4.2.19.13940.linux.zip
cd bin
./maltego
For Mac OS
brew install maltego
For Kali Linux
sudo apt install maltego
Maltego Usage
1. Open Maltego and click on New --> Create new Graph.
2. Select an entity from the Entity Palette on the left-hand side.
3. Let's see what happens if we select Domain: select it and drag it onto the graph.
4. Click the default domain (shown in white) and replace it with your target domain.
5. Right-click the domain in the graph, select All Transforms and click Run.
6. You will see the related domains, documents, name servers and a lot of other information.
You can do the same for all the other entities and obtain a lot of the information you need from Maltego. Keep in mind that most transforms query third-party data sources through Maltego's servers, and the free Community Edition caps the number of results each transform returns.
2. Shodan
Shodan is essentially a search engine for Internet-connected devices. Just as we use Google dorks, Shodan has its own search filters, which we can use to find CCTV cameras, printers, databases, FTP servers, open ports, vulnerable instances and much more. Shodan is a must-use tool when you are looking, at scale, for hosts running software affected by a particular CVE or for exposed instances of a product.
Shodan is used mainly through its website: create an account and start searching. It also exposes a REST API and an official Python library with a command-line client, both of which use the API key tied to your account. Paid plans unlock features such as more results per search, higher API request quotas and network monitoring. Note that Shodan reports what it observed during its own periodic scans, so a result may be stale, and the vulnerabilities it lists are mostly inferred from banner version strings rather than verified.
Examples of Shodan dorks:
- country:US port:22 (hosts in the US with port 22 open)
- os:"windows 7" (hosts whose banners Shodan fingerprinted as Windows 7)
- country:US x-jenkins 200 (US hosts whose HTTP banner contains an X-Jenkins header and a 200 status, i.e. Jenkins instances)
- title:"citrix gateway" (hosts whose web page title matches, here Citrix Gateway portals)
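Once a search has surfaced an interesting host, the next step is usually a host lookup, which returns one JSON record per IP with a banner per open port. The script below is an added example, not code from the original article or from Shodan: it triages such a record into services, inferred vulnerabilities and ports that have no banner data. The input shape (ip_str, ports, data[].port/product/version/http/vulns) mirrors what the /shodan/host/{ip} endpoint and the official CLI's `shodan host` return; SAMPLE_RECORD is constructed by hand with a TEST-NET-3 address and a placeholder vulnerability id, so nothing here is live data.

```python
"""Triage a Shodan host record into an exposure summary.

Added example, not code from the original article or from Shodan. The
SAMPLE_RECORD is constructed to mirror the JSON a Shodan host lookup
returns; the address is from TEST-NET-3 and the vulnerability id is a
placeholder, not a real CVE.
"""
import json

SAMPLE_RECORD = json.dumps({
    "ip_str": "203.0.113.10",
    "org": "Example Hosting",
    "ports": [22, 80, 8080, 9200],          # 9200 has no banner in "data"
    "data": [
        {"port": 22, "transport": "tcp", "product": "OpenSSH", "version": "7.4"},
        {"port": 80, "transport": "tcp", "product": "nginx", "version": "1.18.0",
         "http": {"title": "Welcome"}},
        {"port": 8080, "transport": "tcp", "product": "Jenkins", "version": "2.150",
         "http": {"title": "Dashboard [Jenkins]"},
         # Shodan keys vulns by CVE id; "CVE-YYYY-NNNN" is a placeholder
         "vulns": {"CVE-YYYY-NNNN": {"cvss": 9.8, "verified": False}}},
    ],
})


def summarize_host(record_json: str) -> dict:
    """Return services, version-derived vulns and bannerless ports for one host."""
    record = json.loads(record_json)
    services, vulns = [], []
    for banner in record.get("data", []):
        port = banner.get("port")
        services.append({
            "port": port,
            "transport": banner.get("transport", "tcp"),
            "product": banner.get("product", "unknown"),
            "version": banner.get("version", ""),
            "title": (banner.get("http") or {}).get("title", ""),
        })
        # Shodan infers most "vulns" from the banner version string alone;
        # keep the verified flag so an analyst can rank confirmed findings first.
        for vuln_id, info in (banner.get("vulns") or {}).items():
            vulns.append({
                "port": port,
                "id": vuln_id,
                "cvss": float(info.get("cvss") or 0.0),
                "verified": bool(info.get("verified", False)),
            })
    services.sort(key=lambda s: s["port"])
    vulns.sort(key=lambda v: (not v["verified"], -v["cvss"], v["id"]))
    bannered = {s["port"] for s in services}
    return {
        "ip": record.get("ip_str"),
        "org": record.get("org", ""),
        "services": services,
        "vulns": vulns,
        "ports_without_banner": sorted(set(record.get("ports", [])) - bannered),
    }


def format_report(summary: dict) -> str:
    """Render the summary as the short text an analyst would paste into notes."""
    lines = [f"{summary['ip']} ({summary['org']})"]
    for s in summary["services"]:
        title = f' "{s["title"]}"' if s["title"] else ""
        lines.append(f"  {s['port']}/{s['transport']}: {s['product']} {s['version']}{title}".rstrip())
    for v in summary["vulns"]:
        flag = "verified" if v["verified"] else "unverified, version-based"
        lines.append(f"  vuln on {v['port']}: {v['id']} cvss={v['cvss']} ({flag})")
    if summary["ports_without_banner"]:
        lines.append(f"  open ports with no banner data: {summary['ports_without_banner']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize_host(SAMPLE_RECORD)))
```

The sort order puts verified findings before version-inferred ones: a vulns entry with verified set to false only means the banner's version string matches an affected range, so treat it as a lead to confirm, not a confirmed vulnerability.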
3. Google Dorks
Search engines like Google and Bing make finding information easy, particularly if we want to shop, find an address or look for a job. However, you can use these search engines in a more advanced way by making use of their search operators.
There are various operators available:
- inurl: (the term appears in the page URL)
- intitle: (the term appears in the page title)
- intext: (the term appears in the page body)
- site: (restrict results to one domain)
- cache: (Google's cached copy of a page; Google retired this operator in 2024)
- filetype: (restrict results to a file type such as pdf or xls)
- | (either term, same as OR)
- - (exclude a term)
- OR
- AND
We can combine these operators to filter out exactly the information we need from Google or Bing.
Let's see some examples of how we can use Google dorks to find information!
Dork: Deepak Prasad site:twitter.com (pages on twitter.com that mention the name)
Dork: inurl:security intext:vulnerability (pages with "security" in the URL and "vulnerability" in the body)
Dork: site:edmodo.com (every indexed page on that domain; note there must be no space after site:)
Dork: site:*.at responsible disclosure (pages on Austrian .at domains that mention responsible disclosure)
4. Recon-ng
Recon-ng is one of the easiest tools to use for OSINT. If you have ever used Metasploit, you will find the syntax and interface very similar. Recon-ng has its own built-in modules through which we can find information such as social media handles, email addresses, domains, files and more. You can also write your own modules and use them.
Recon-ng can also be used as a recon tool while you are doing web penetration testing, so it can be called the ultimate tool for web pentester recon and OSINT. You can create your own workspaces in Recon-ng too. All recon and OSINT results are stored in the workspace database: you seed it with values such as your target domain, and modules read their targets from it and write their findings back.
The database has the following tables (as listed by db schema):
companies | contacts | credentials | domains | hosts | leaks | locations | netblocks | ports | profiles | pushpins | repositories | vulnerabilities
Installation
Ubuntu/Debian
git clone https://github.com/lanmaster53/recon-ng.git
cd recon-ng
pip3 install -r REQUIREMENTS
./recon-ng
For Mac OS
brew install recon-ng
For Kali
Recon-ng is installed by default, but if it is missing you can install it with this command:
sudo apt install recon-ng
Recon-ng Usage
Before we start using Recon-ng, we have to run a few commands at the recon-ng prompt:
marketplace install all      (install every module from the marketplace; modules that need an API key or an extra Python package will warn, and keys are added with keys add <name> <value>)
workspaces create osint      (create and switch to a workspace; each workspace has its own database)
db schema      (print the database tables and their columns)
db insert domains      (enter your target domain when prompted)
Only after these four commands can you start running modules.
Search the installed modules by keyword:
modules search hack
Load the module you found (the path is recon/domains-hosts/hackertarget):
modules load recon/domains-hosts/hackertarget
Set the SOURCE option to default so the module reads its targets from the domains table you populated:
options set SOURCE default
Finally, type run and you will find lots of subdomains, which Recon-ng writes into the hosts table. There are many modules installed in Recon-ng; you can load any of them, set their options with options set and run them according to your needs. Keep in mind that modules such as hackertarget send your target domain to a third-party service, and that they may return hosts outside the scope you have been authorised to assess.
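After a few modules have run, the hosts table holds duplicate names, names in mixed case and sometimes hosts that do not belong to the target at all. The script below is an added example, not part of the original article or of Recon-ng: it reads the workspace database, merges rows by host name, keeps only names that fall under the domains you inserted, and emits a CSV. It assumes each workspace lives at ~/.recon-ng/workspaces/<name>/data.db and that the domains and hosts tables have the columns shown, which is what db schema prints for Recon-ng 5; check both against your installation. demo_connection() builds a constructed in-memory copy of that layout, so the script runs without a real workspace.

```python
"""Export in-scope hosts from a Recon-ng workspace database.

Added example, not code from the original article or from Recon-ng.
The workspace path and the table columns below are assumptions about
Recon-ng 5's layout; demo_connection() is a constructed sample.
"""
import csv
import io
import sqlite3
from pathlib import Path

HOST_COLUMNS = ("host", "ip_address", "region", "country",
                "latitude", "longitude", "notes", "module")


def open_workspace(name: str, home: Path = Path.home() / ".recon-ng") -> sqlite3.Connection:
    """Open a real workspace database (assumed path: ~/.recon-ng/workspaces/<name>/data.db)."""
    return sqlite3.connect(home / "workspaces" / name / "data.db")


def demo_connection() -> sqlite3.Connection:
    """Constructed sample workspace: one scope domain, hosts found by two modules."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE domains (domain TEXT, notes TEXT, module TEXT)")
    conn.execute("CREATE TABLE hosts (%s)" % ", ".join(f"{c} TEXT" for c in HOST_COLUMNS))
    conn.execute("INSERT INTO domains VALUES ('example.com', NULL, 'user_defined')")
    rows = [
        # host, ip_address (TEST-NET ranges), module that found it
        ("www.example.com", "203.0.113.5", "recon/domains-hosts/hackertarget"),
        ("www.example.com", "203.0.113.6", "recon/domains-hosts/hackertarget"),
        ("WWW.example.com", "203.0.113.5", "recon/domains-hosts/brute_hosts"),
        ("mail.example.com", None, "recon/domains-hosts/hackertarget"),
        ("cdn.example-static.net", "198.51.100.7", "recon/domains-hosts/hackertarget"),  # out of scope
        ("notexample.com", "198.51.100.8", "recon/domains-hosts/hackertarget"),          # suffix trap
    ]
    conn.executemany("INSERT INTO hosts (host, ip_address, module) VALUES (?, ?, ?)", rows)
    return conn


def in_scope(host: str, domains) -> bool:
    """True when host equals, or is a subdomain of, one of the scope domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def export_hosts(conn: sqlite3.Connection) -> list:
    """Merge hosts rows by name and keep only names under the domains table."""
    domains = [row[0].lower() for row in conn.execute("SELECT domain FROM domains")]
    merged = {}
    for host, ip, module in conn.execute("SELECT host, ip_address, module FROM hosts"):
        if not host or not in_scope(host, domains):
            continue
        entry = merged.setdefault(host.lower(),
                                  {"host": host.lower(), "ips": set(), "modules": set()})
        if ip:
            entry["ips"].add(ip)
        if module:
            entry["modules"].add(module)
    return [{"host": e["host"], "ips": sorted(e["ips"]), "modules": sorted(e["modules"])}
            for e in sorted(merged.values(), key=lambda e: e["host"])]


def to_csv(rows: list) -> str:
    """One line per host; multiple IPs or modules are space-separated."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["host", "ips", "modules"])
    for r in rows:
        writer.writerow([r["host"], " ".join(r["ips"]), " ".join(r["modules"])])
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(export_hosts(demo_connection())))
```

To run it against a real workspace, replace demo_connection() with open_workspace("osint"). The scope check matches on a dot boundary on purpose: notexample.com must not pass as a subdomain of example.com, which a naive endswith("example.com") would allow.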
5. theHarvester
theHarvester is an open source tool written in Python that is very easy to use and configure. It can be used to find domains, email addresses, IPs, employee names, open ports and more. It gathers information from many sources such as google, bing, anubis, censys, shodan and many others (run theHarvester -h for the full list); several of them require an API key.
Installation
You can install theHarvester on Linux from source using the following commands:
git clone https://github.com/laramies/theHarvester
cd theHarvester
pip3 install -r requirements.txt
When installed this way, run it as python3 theHarvester.py instead of theHarvester.
For Mac OS
brew install theharvester
For Kali
If you are running a recent Kali version it is already installed; if not, you can always run the following command:
sudo apt install theharvester
theHarvester Usage
Search for email addresses and hosts of example.com using Google as the data source:
theHarvester -d example.com -b google
Limit the number of results with -l:
theHarvester -d example.com -l 400 -b google
Save the results to a file with -f (older versions wrote a single HTML file; current versions write an XML and a JSON file named after the argument):
theHarvester -d example.com -b google -f results
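Raw theHarvester output needs cleaning before it goes into a report: the same address appears in different case, search-engine sources return emails and hosts that belong to other organisations, and some entries are not valid hosts or IPs at all. The script below is an added example, not code from the original article or from theHarvester: it reads the JSON report, keeps only emails and hosts under the target domain, validates IPs and deduplicates everything. It assumes the JSON file carries "emails", "hosts" and "ips" lists with resolved hosts written as name:ip; SAMPLE_REPORT is constructed to that shape with TEST-NET addresses, so verify the keys against the file your version writes.

```python
"""Normalise a theHarvester JSON report into an in-scope asset list.

Added example, not code from the original article or from theHarvester.
The report keys ("emails", "hosts", "ips") and the name:ip host format are
assumptions; SAMPLE_REPORT is a constructed sample, not real output.
"""
import ipaddress
import json

SAMPLE_REPORT = json.dumps({
    "emails": ["Admin@example.com", "admin@example.com ", "ceo@other-company.org",
               "not an email"],
    "hosts": ["www.example.com:203.0.113.5", "WWW.example.com:203.0.113.6",
              "vpn.example.com", "cdn.example-static.net:198.51.100.7",
              "notexample.com:198.51.100.8", "mail.example.com:not-an-ip"],
    "ips": ["203.0.113.5", "203.0.113.9", "garbage"],
})


def in_scope(name: str, scope: str) -> bool:
    """True when name equals the scope domain or is a subdomain of it."""
    return name == scope or name.endswith("." + scope)


def valid_ip(value: str):
    """Return the normalised address string, or None if value is not an IP."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def triage(report_json: str, scope_domain: str) -> dict:
    """Filter a theHarvester report down to deduplicated, in-scope assets."""
    report = json.loads(report_json)
    scope = scope_domain.lower().rstrip(".")

    emails = set()
    for raw in report.get("emails", []):
        addr = raw.strip().lower()
        if addr.count("@") == 1 and addr.endswith("@" + scope):
            emails.add(addr)

    hosts = {}
    for entry in report.get("hosts", []):
        name, _, ip = entry.partition(":")
        name = name.strip().lower().rstrip(".")
        if not name or not in_scope(name, scope):
            continue
        resolved = hosts.setdefault(name, set())
        ip = valid_ip(ip) if ip else None
        if ip:
            resolved.add(ip)

    # The "ips" list cannot be scope-checked by name, so only validate it;
    # confirm ownership (whois, reverse DNS) before treating these as targets.
    ips = {valid_ip(v) for v in report.get("ips", [])} - {None}
    for resolved in hosts.values():
        ips |= resolved

    return {
        "scope": scope,
        "emails": sorted(emails),
        "hosts": {n: sorted(v) for n, v in sorted(hosts.items())},
        "ips": sorted(ips, key=ipaddress.ip_address),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT, "example.com"), indent=2))
```

Email filtering keys on the exact @scope suffix, so ceo@other-company.org is dropped even if it turned up while searching for the target; host filtering uses the same dot-boundary rule as the domain check, so notexample.com does not slip through.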
Bonus Tips
Check out TinEye if you want to find data starting from an image: it reverse-searches the image for you and finds where else it appears. If you want to find source code belonging to a particular organisation, you can use searchcode, which indexes code from GitHub, Bitbucket, GitLab, Google Code and other sources.
Conclusion
In this article, we have learnt what OSINT actually is and how we can use five different OSINT tools to find information ranging from email addresses to CCTV cameras. If you are just getting started in ethical hacking, please check out the other articles on our website. Let us know in the comments below if you encounter any issues.