Open Source Intelligence (OSINT) tools

Posted by Simar on March 21, 2020

The most precious commodity in today’s world is not oil but data. It is collected, analyzed and sold by many companies around the globe for their own purposes, while people inadvertently grant those companies permission by accepting the “terms and conditions”. While such companies collect data that might not be in the public domain, there are many individuals who collect data that is in the public domain. Not every such individual is a hacker; many professions require the use of social engineering and the extraction of public information about an entity, which could be a person, a company or even a hardware device.

Open Source Intelligence (OSINT) refers to the process of gathering information about an entity (a person, organisation or device) using publicly available sources (as opposed to clandestine sources). Over the years, a lot of tools and programs have been created by the open source community that can be used to gather such public information. This blog post focuses on some of these tools.

It should be noted that this blog post is for educational purposes only and is not meant to promote invading someone’s privacy. It is intended to bring awareness of the many such tools that exist, so as to enable people to better protect themselves when online.

phoneinfoga

An open-source program written by Raphaël, a seasoned security programming enthusiast who keeps the repository highly up to date (the last commit was yesterday at the time of writing this blog post), it is undoubtedly one of the top choices among programmers when they start OSINT’ing (yeah, I just used OSINT as a verb, but believe me, many people do that). Given a phone number, you can extract quite a lot of information related to it. It can also distinguish between actual phone numbers and disposable web phone numbers that use VoIP.

The repository for PhoneInfoga is hosted here.

Although the repository has a very elaborate explanation, Raphaël also wrote a blog post on Medium where he explains how to think intuitively when using OSINT to extract information about an entity. What you can take away from that blog post is how exposed you are if you share such information publicly. It certainly gives you insight into how information is collected and how you can stay secure.

Maybe you wonder why someone would use OSINT methods on your information. But remember, your information can give away crucial details about someone else in your friend or family circle, so when you protect yourself, you are protecting your loved ones too.

fsociety

Popularized by the Amazon Prime web series Mr. Robot, this open source program was created by an Algerian developer named Manniso. It offers many services, such as information gathering, wireless testing to check whether your network is safe and well protected, and a lot of other penetration testing services like port scanning, WordPress plug-in scanning, SQL injection scanning, setting up a Bluetooth honeypot and so on, which makes it a one-stop shop for all the commonly used tools.

The repository is hosted here.

This repository is also maintained and updated regularly (the last commit was 15 days ago at the time of writing this post). It has a decently written Readme file explaining the usage of each and every service the tool offers.

sherlock

One of my personal favorites is Sherlock. The name coincides with the fictional private detective Sherlock Holmes, who solves crime mysteries like no other. The Sherlock tool hunts down social media accounts based on a username across the major social networks. So, if you have a friend who happens to use the same username for many of his social media accounts, you will know exactly where he has created accounts, and then you can blackmail him into going to a movie with you or paying for your popcorn, since you know his or her dirty little secret.

This open source project was started by a software developer named “Siddharth Dushantha” from Norway and later joined by “Yahya Sayad Arbabi”. Both developers are incredibly talented.

The project is hosted here.

This repository is well maintained and kept up to date (the last commit was 5 hours ago) and has a verbose explanation of the tool’s usage. It is highly unlikely that anyone would have trouble using this tool given such precise explanations. Also, check out their star chart, which shows their popularity growing fast.

whois

Whois is an open source program built into the Linux operating system, using which you can find more information about a domain name, like where it is registered, its registered office and other details, provided the domain details are in the public domain. Whenever you register a domain name, you have the option to make this information public or keep it private. Many private domain owners nowadays opt to keep it private, in which case it becomes hard to find such information. However, when a company goes public with an IPO (Initial Public Offering), it has to make a lot of information public, including its domain registrations. Some companies even list postal codes, telephone and fax numbers. Using this information, you can be sure of their geographic location.

Whois is built into Linux, and there are many websites as well that query the whois database.

You can use whois from a terminal, or you can use whois from websites like this one.
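
Whether a whois record exposes the registrant or hides it behind a privacy service is exactly what the paragraph above is about, so here is an added example (my own code, not part of any tool mentioned on this page) that parses the "Key: value" lines of a whois reply and reports which contact fields are actually exposed. The two records are constructed samples, not real registrations, and the redaction markers are an assumption based on the notices registrars commonly use.

```python
import re

# Constructed sample WHOIS replies (not real registrations). The first uses a
# registrar privacy service; the second publishes the registrant's contact data.
PRIVATE_RECORD = """\
Domain Name: EXAMPLE-PRIVATE.TEST
Registrar: Example Registrar, Inc.
Registrant Name: REDACTED FOR PRIVACY
Registrant Country: IS
Registrant Phone: REDACTED FOR PRIVACY
"""
PUBLIC_RECORD = """\
Domain Name: EXAMPLE-PUBLIC.TEST
Registrar: Example Registrar, Inc.
Registrant Name: Jane Doe
Registrant Postal Code: 00000
Registrant Country: GB
Registrant Phone: +44.2000000000
Registrant Fax: +44.2000000001
"""

# Assumed wording of redaction notices; extend for your registrar's phrasing.
REDACTION_MARKERS = ("REDACTED", "PRIVACY", "WITHHELD", "NOT DISCLOSED")
CONTACT_FIELDS = ("Registrant Name", "Registrant Street", "Registrant Postal Code",
                  "Registrant Phone", "Registrant Fax")

def parse_whois(text):
    """Turn 'Key: value' lines into a dict; the first occurrence of a key wins."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.*?)\s*$", line)
        if m and m.group(1) not in record:
            record[m.group(1)] = m.group(2)
    return record

def exposed_fields(record):
    """Contact fields whose value is real data rather than a redaction notice."""
    return [f for f in CONTACT_FIELDS
            if record.get(f) and not any(mark in record[f].upper()
                                         for mark in REDACTION_MARKERS)]

def assess(text):
    """Summarise what a WHOIS lookup would reveal about the registrant."""
    record = parse_whois(text)
    exposed = exposed_fields(record)
    return {"domain": record.get("Domain Name"), "registrar": record.get("Registrar"),
            "country": record.get("Registrant Country"),
            "exposed": exposed, "privacy_protected": not exposed}
```

Feed `assess()` the output of `whois yourdomain` to see at a glance whether your own registration leaks a postal code or phone number.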

shodan

Launched by the computer programmer John Matherly back in 2009, Shodan serves as an open source search engine that can be used to find devices connected to the internet. Many devices across the globe are connected to the internet and offer open access to anyone. Shodan collects data mostly on web servers (ports 80, 8080, 443 and 8443), as well as FTP (port 21), SSH (port 22), Telnet (port 23), SNMP (port 161), IMAP (port 143, or 993 encrypted), SMTP (port 25), SIP (port 5060) and the Real Time Streaming Protocol (RTSP, port 554). The latter can be used to access webcams and their video streams.

The name itself is a reference to SHODAN, a character from the System Shock video game series, where SHODAN is a fictional Artificial Intelligence (A.I.), much like Ultron, which is also a fictional A.I. character in the Marvel Universe.

Shodan can be accessed here.

redhawk

Red Hawk is very popular among OSINTers (and yeah, I used it as a noun this time). Its abilities include detecting a target’s Content Management System (CMS), i.e. whether the website is running on WordPress, Drupal, Joomla, Wix, Squarespace, etc., the services offered by the server, Cloudflare detection, Geo-IP lookup, DNS lookup, reverse IP lookup, page ranking as per Alexa and port scanning. Basically, pretty much whatever information a domain might have.

The repository is hosted here.

The repository has not been updated for the last year, but it still works as advertised. I checked it myself.

Apart from these OSINT tools, there are many other tools that can prove useful when applying OSINT methods, like spoofing your own IP/email address while using OSINT tools with Lazy Script, another tool which is more often used in hacking (let’s hope it is used for ethical purposes :p).

To conclude, the virtual world is as unsafe as the real one. It all depends on us: how well informed we are and how much care we take. Now that you know how such information is collected, you can make better decisions in the virtual world (e.g., don’t use the same username for all your social accounts, use a VPN to connect to the internet, and check for yourself how exposed you are in the virtual world).

I know, it has been a long pause since my last blog post, but I had a couple of blog posts in drafts. Hopefully I will be publishing a few more very soon. Stay tuned, stay healthy and stay safe. Peace.
