• Stars
    star
    155
  • Rank 240,864 (Top 5 %)
  • Language
  • License
    MIT License
  • Created about 3 years ago
  • Updated 8 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Your go-to resource for all things OSINT

OSINT Encyclopedia

Credit: Cham423

This checklist is designed to increase the success of your open-source intelligence (OSINT) operations by collecting a comprehensive list of information about your target. Understanding the fundamentals of OSINT is a prerequisite to using this checklist, as detailed technical operations will not be captured here. This list will be a working document that is driven by the community and maintained by Optiv.

OSINT Checklist for ALL Engagements

  • Social Media
    • Corporate/Busniess Controlled Content
      • LinkedIn
      • Facebook
      • Instagram
    • Employee Controlled Content
      • Instagram facility analysis
      • Instagram hashtag review
  • Office 365
    • getuserrealm.srf
  • DNS
    • dnsdumpster
    • amass
    • horizontal (other domains owned by the same entity) and vertical (subdomain) domain enumeration
      • viewdns
      • whoisxmlapi domain research suite
      • riskiq
  • Host Enumeration
    • WHOIS
    • shodan
    • censys
    • spyse
  • Domain flyovers
    • aquatone
  • Document Metadata Analysis
    • pull large sites from google/aquatone report
    • pymeta
    • pull down manually

Meta Sites

The following links are additional lists and frameworks that can assist while performing OSINT.

Mail Blacklist Check

The following services allow you to check whether a domain or IP address is present on several blacklists. Additionally, this can help troubleshoot email delivery issues while performing phishing campaigns.

WHOIS

https://whois.arin.net/ui/advanced.jsp

  • Primary source
  • Manual web browsing

https://viewdns.info/

  • Multiple tools

https://domainbigdata.com/

  • Allows host correlation based on site registrant
  • Third-party

https://whoisology.com/#advanced

  • Reverse WHOIS search based on multiple parameters
  • Third-party

https://whoisfreaks.com/pricing/whois-database.html

https://www.whoisxmlapi.com/

  • Largest dataset available (800M+ domains)
  • $24,000 per year for full access to current and historical WHOIS data (for commercial license)
  • Has an API with many functions that is more affordable than the commercial license
  • Free license allows for 500 queries per month

Domains

https://domains-monitor.com/

  • Allows downloading a raw list of all registered domains in all zones
  • Updates quarterly with updated/deleted domains
  • Provides list of registration emails
  • $90 per year for access

https://networksdb.io/

https://www.expireddomains.net/

  • Monitors and lists domains that are expiring
  • Includes alexa rank and archive.org details for domains, allowing users to select valuable domains
  • Free to signup

DNS

https://dnsdumpster.com/

https://www.robtex.com/

Website Lookup

  • https://website.informer.com/
    • Gives generalized information about a website and a screenshot of the homepage. daily visitors, hosting info, alexa ranking
    • Paywall: no
    • Bot Detection: unknown
  • https://archive.ph/
    • Allows snapshotting of a webpage by providing a URL. also allows retrieving screenshots and text data from previously archived sites
    • Similar to wayback machine
    • Paywall: no
    • Bot Detection: unknown
  • https://www.page2images.com/URL-Live-Website-Screenshot-Generator
    • Generates screenshots of urls, 15 seconds or more per url
    • No cost solution
    • Bot detection: unknown

Phishing Site Lookup

  • https://www.phishtank.com/

    • Crowdsourced link submission and verification allows the community to determine phish validity
    • Limited reliability and visibility into anything more than the URL of a potential phishing site
    • Indicates whether site is online or offline
    • No cost solutions
    • API: yes, email verification required. commercial use allowed, has per hour request limit
    • Bot detection: hCaptcha (website)
  • https://openphish.com/

    • Raw feed of phishing urls
      • Free version updates every 12 hours, in text file format
      • Paid version updates more quickly and allows multiple formats (CSV or JSON)
    • Has IP address listing of recent phishing site
    • Provides global statistics of phishing attacks
      • What brands are being spoofed
      • What ASNs are most commonly hosting phishing attacks

    Twitter

    https://tinfoleak.com/

    • Shows devices, locations, etc. for a given Twitter handle
    • Requires email registration
    • Slow and requires capcha submitted for each request
    • No bulk capabilities

    Phone Number Validation

    https://phonevalidator.com/phone-validator-api.aspx

    • Shows phone number type (CELL PHONE, LANDLINE, VOIP, TOLL-FREE or UNKNOWN)
    • 0.004 per number pricing ($4 per 1000 phone numbers)
    • Useful for smishing to confirm that you can text a phone number

    Corporate Databases

    https://opencorporates.com/

    • Registration/incorporation articles for corporate entities
    • Shows registered trademarks, logos, and historical data
    • Shows branch locations
    • Can search by officer (person) as well to expand based on company involvement

    Github

    https://github.com/BishopFox/GitGot

    • Searches github for potentially sensitive info
    • Semi-interactive, prompts user to manually review then enumerates based on feedback
    • Python, last commit Sep 2020

    Mobile Emulators

    https://www.genymotion.com/

    • SaaS based mobile emulator
    • Pay as you go
    • Focused around app testing

Paywalled

Search engines:

  • Yandex - Russian google
  • Baidu - Chinese google
  • Goo - Japanese google
  • 2lingual.com - Can query search engines in two languages at a time, results are displayed side-by-side

More Repositories

1

ScareCrow

ScareCrow - Payload creation framework designed around EDR bypass.
Go
2,730
star
2

Freeze

Freeze is a payload toolkit for bypassing EDRs using suspended processes, direct syscalls, and alternative execution methods
Go
1,405
star
3

Mangle

Mangle is a tool that manipulates aspects of compiled executables (.exe or DLL) to avoid detection from EDRs
Go
1,163
star
4

Ivy

Ivy is a payload creation framework for the execution of arbitrary VBA (macro) source code directly in memory. Ivy’s loader does this by utilizing programmatical access in the VBA object environment to load, decrypt and execute shellcode.
Go
738
star
5

Freeze.rs

Freeze.rs is a payload toolkit for bypassing EDRs using suspended processes, direct syscalls written in RUST
Rust
708
star
6

Go365

An Office365 User Attack Tool
Go
621
star
7

Talon

A password guessing tool that targets the Kerberos and LDAP services within the Windows Active Directory environment.
Go
431
star
8

mobile-nuclei-templates

390
star
9

Registry-Recon

Cobalt Strike Aggressor Script that Performs System/AV/EDR Recon
321
star
10

Dent

A framework for creating COM-based bypasses utilizing vulnerabilities in Microsoft's WDAPT sensors.
Go
296
star
11

InsecureShop

An Intentionally designed Vulnerable Android Application built in Kotlin.
Kotlin
231
star
12

blemon

Universal BLE Monitoring with Frida (or Objection)
JavaScript
95
star
13

Microsoft365_devicePhish

A proof-of-concept script to conduct a phishing attack abusing Microsoft 365 OAuth Authorization Flow
Python
92
star
14

rest-api-goat

Python
69
star
15

KnockKnock

Enumerate valid users within Microsoft Teams and OneDrive with clean output.
Python
56
star
16

rustyIron

rustyIron is a tool that takes advantage of functionality within Ivanti's MobileIron MDM solution to perform single-factor authentication attacks. rustyIron can locate the MobileIron MDM authentication endpoint, validate the authentication strategy of the environment, perform user enumeration, brute-force registration PIN values, and perform single-factor authentication attacks.
Go
43
star
17

airCross

airCross is a tool that takes advantage of API functionality within VMWare's AirWatch MDM solution to perform single-factor authentication attacks. airCross can locate AirWatch authentication endpoint, validate the authentication strategy of the environment, collect GroupID authentication values, conduct single-factor authentication, and perform user enumeration, in some instances.
Go
39
star
18

CVE-2020-15931

Netwrix Account Lockout Examiner 4.1 Domain Admin Account Credential Disclosure Vulnerability
Go
25
star
19

nvdsearch

A National Vulnerability Database (NVD) API query tool
Go
17
star
20

doppelganger

Doppelgänger is firmware that runs on ESP32 devices that can be embedded within commercially available RFID readers with the intent of capturing access control card data while performing physical security assessments. Doppelgänger keeps the operator's ease of access, maintenance, and operational communications in mind.
C++
13
star
21

DATP_Queries

Microsoft Defender ATP Advanced Hunting Queries
10
star
22

Yara-Rules

YARA
9
star
23

netneedle

Network based steganography based control channels and chat.
C
8
star
24

showSSID

Python
7
star
25

Luhn-Calculator

A very simple Burp extension to make it easier to enumerate credit cards in the Intruder.
Python
6
star
26

burp-reset-a-tron

reset-a-tron Burp extension
Python
6
star
27

android-ndk-crackme

A simple NDK-based application on which to demonstrate some important attack strategies.
Java
5
star
28

burp-IBM-WebSphere-Portlet-Decoder

BurpSuite plugin for decoding IBM WebSphere Portlet States
Python
5
star
29

burp-java-deserializer

Java
4
star
30

warmap-go

CSS
4
star
31

VisualLockPickingWorkstation

The Visual Lock Picking Workstation is a Raspberry Pi enclosure which makes it possible to capture live video from a cutaway lock. It is intended as an instructional device which can be used to display the inner workings of a lock while teaching lock picking.
4
star
32

burpshellshock

Shellshock scanner for Apache MOD_CGI
Java
3
star
33

azure_runbooks

2
star
34

talus_client

Python
2
star
35

pyautoaws

Simple Python wrapper for Terraform/Ansible to build AWS resources
HCL
2
star
36

checkpassword-.net

HIBP Pwned Passwords API Client for .NET apps
C#
2
star
37

talus

Python
2
star
38

Lightning-Action-Editor

Java
1
star
39

azure-api-management-tracing-helper

Java
1
star
40

captcha-solve

Python
1
star
41

checkpassword-java

HIBP Pwned Passwords API client for Java projects
Java
1
star
42

terraform-eks

Terraform/Amazon EKS Deployment Starter Scripts
HCL
1
star