hacking:osint

Open Source Intelligence

  1. Google. Just learning how to google properly is a huge step forward. Using quotes, commas, and other tricks to narrow down your results will give you more than enough data for most searches, and provide leads and threads to start pulling. Learn to make Google's algorithm work for you: start off broadly, with a name and a state, then start narrowing down your searches.
  2. Think outside the box. Start googling first names and interests. For instance, I found results on myself by searching "Katelyn, Ohio, Rugby" that I didn't find when searching my full name. Google usernames, email addresses, phone numbers, any data that you have available.
  3. Then move on to searching the same things with DuckDuckGo. It brings up results that Google won't show, like private blogs and chan sites, though it's kind of a pain in the ass because it brings you to the first page every time you navigate away.
  4. Then use social media. Start searching Facebook, Twitter, Instagram, Reddit. Use a sock account for Facebook, so you don't show up in anyone's "people you may know".
  5. For specific chan searches, I prefer https://archived.moe as it covers every chan archive.
  6. If you are searching for a target, rather than looking to clean up your own data, take notes. Write down everything that may be relevant: usernames, interests, relationships, etc. When you hit a dead end, start searching with those too.
  7. The Wayback Machine is your friend. Learn it, use it.
  8. BE PATIENT. You may have to scroll through a LOT of useless data before striking gold, but don't try to determine what's useless until you know. I've found people using very innocuous info before.
  9. I've started using http://hunch.ly to keep things organized, and it's been a lifesaver. I highly recommend it for anyone who is using OSINT beyond just cleaning up their own info (which, I think, EVERYONE, no matter who you are, should do. Know what's out there.)
  10. There are many tools out there for diving deeper, but there are also many that will give you overly broad results and waste your time. Really, just learning to search properly is the best way anyone can get started, and is enough for 98% of people.
  11. Use a good VPN and make sure you're logged out of any Gmail and social media, especially if you're searching for other people's info, just because it's annoying to have those searches infect your own data.
  12. Search yourself REGULARLY. Learn how to get rid of results that you don't want publicly available; most can be removed by a form on the website, or simply by asking politely. Your online footprint is important. Set up Google Alerts as well.
  13. You should ALSO be checking haveibeenpwned to make sure your accounts aren't compromised while you're at it.

(taken from Twitter thread "how to start doing OSINT stuff")
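Point 13 of the thread can be automated for passwords without handing the password to anyone: Have I Been Pwned's Pwned Passwords range API works on k-anonymity, so only the first five hex characters of the SHA-1 hash are sent and the match is done locally against the returned list of suffixes. The script below is an added example for this page, not code from the thread or from HIBP. It assumes the documented response format (one `SUFFIX:COUNT` line per hash, padding entries with count 0 when the `Add-Padding` header is sent) and uses a constructed response so it runs offline; the breached-account lookup mentioned in the thread is a separate, API-key-gated endpoint and is not shown.

```python
"""Check a password against HIBP Pwned Passwords using the k-anonymity range API.

Added example for this page (not from the Twitter thread or from HIBP).
Only the 5-char SHA-1 prefix leaves the machine; the full hash never does.
SAMPLE_RESPONSE is constructed for offline use; the live endpoint
https://api.pwnedpasswords.com/range/<prefix> returns the same shape.
"""
from __future__ import annotations

import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_split(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the uppercase hex SHA-1: 5 + 35 characters."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Malformed lines are skipped rather than aborting the check. Padded
    responses (Add-Padding: true) include decoy entries with count 0;
    those are dropped so they cannot be mistaken for a hit.
    """
    counts: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        suffix, count = suffix.strip().upper(), count.strip()
        if len(suffix) != 35 or not count.isdigit():
            continue
        n = int(count)
        if n > 0:
            counts[suffix] = n
    return counts


def breach_count(password: str, response_text: str) -> int:
    """How many times the password appears in HIBP, given the range response
    for the password's own prefix. 0 means not found in that range."""
    _, suffix = sha1_split(password)
    return parse_range_response(response_text).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup (network); not exercised offline."""
    req = urllib.request.Request(
        RANGE_URL.format(prefix=prefix),
        headers={"User-Agent": "osint-notes-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample of a response for prefix 5BAA6. The second line carries
# the real SHA-1 suffix of "password"; all counts are made up, and the third
# line imitates a padding entry.
SAMPLE_RESPONSE = """\
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0A86B2A5A1C8E5D7F4E3B2C1D0A9F8E7D6C:0
"""

if __name__ == "__main__":
    pw = "password"
    prefix, _ = sha1_split(pw)
    # text = fetch_range(prefix)   # live version: only `prefix` is transmitted
    text = SAMPLE_RESPONSE
    print(f"prefix sent: {prefix}; password seen {breach_count(pw, text)} times")
```

Swap `SAMPLE_RESPONSE` for `fetch_range(prefix)` to run it for real; the local comparison on the suffix is the whole point, so never send the full hash or the password itself.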

  • sn0int – semi-automatic OSINT framework and package manager built for IT security professionals and bug hunters.
  • SpiderFoot – OSINT automation tool integrating many data sources and providing analysis methods; comes with a web interface.
  • theHarvester – gathers emails, names, subdomains, IPs and URLs from multiple public data sources.
  • Reconmap – collaborative penetration testing platform organised around tasks, with evidence upload and reporting.
  • detectem – detects software and its version on websites.
  • Octosuite – gathers information on GitHub users, repositories and organizations.
  • Shodan – search engine for devices connected to the internet.
  • WiGLE – database of wireless networks, with statistics.
  • grep.app – search across more than 500,000 Git repositories.
  • BinaryEdge – scans the internet for threat intelligence.
  • ONYPHE – collects cyber threat intelligence data.
  • GreyNoise – classifies internet-wide scanning and background noise traffic, so mass scanners can be told apart from targeted activity.
  • Censys – assesses the attack surface of internet-connected devices.
  • Hunter – search for email addresses belonging to a domain.
  • FOFA – search engine for internet-connected assets and services.
  • ZoomEye – search engine for internet-connected devices and services.
  • LeakIX – indexes publicly exposed services and the data leaks found on them.
  • Intelligence X – search Tor, I2P, data leaks, domains and emails.
  • Netlas – search and monitor internet-connected assets.
  • urlscan.io – free service to scan and analyse websites.
  • PublicWWW – search engine over website source code (analytics IDs, snippets, libraries); marketed for marketing and affiliate research.
  • FullHunt – search and discover attack surfaces.
  • crt.sh – search for TLS certificates logged in Certificate Transparency (CT) logs.
  • Vulners – search vulnerabilities in a large database.
  • Pulsedive – search for threat intelligence.
  • Packet Storm Security – browse the latest vulnerabilities and exploits.
  • GrayHatWarfare bucket search – search public S3 buckets.
  • Maltego – proprietary visual link analysis tool with OSINT plugins; data mining and information gathering, represented on a node-based graph.
  • Faraday – collaborative penetration test and vulnerability management platform.
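crt.sh is the one entry above that is trivially scriptable and routinely abused the wrong way, so here is an added example of doing it carefully; it is not crt.sh's own code. It assumes the JSON shape crt.sh returns for `https://crt.sh/?q=%25.<domain>&output=json` (a list of objects whose `name_value` holds the certificate's names separated by newlines, plus ISO `not_before`/`not_after` timestamps) and uses constructed entries so it runs offline. The points it handles: one row per log entry means heavy duplication, a certificate's SANs may name domains that are not yours, `*.example.com` is a pattern rather than a host, and expired certificates often name hosts that no longer exist.

```python
"""Extract in-scope hostnames from crt.sh Certificate Transparency results.

Added example for this page; not crt.sh's own code. Assumes the JSON output
of https://crt.sh/?q=%25.<domain>&output=json. SAMPLE_ENTRIES is constructed
for offline use.
"""
from __future__ import annotations

import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone


def in_scope(name: str, apex: str) -> bool:
    """True if name is the apex domain or a subdomain of it.

    A substring test ('example.com' in name) would also accept
    'notexample.com' and 'example.com.evil.net'; compare on label boundaries.
    """
    name = name.lower().rstrip(".")
    apex = apex.lower().rstrip(".")
    return name == apex or name.endswith("." + apex)


def extract_hostnames(entries: list[dict], apex: str, *,
                      include_expired: bool = False,
                      now: str | None = None) -> dict[str, list[str]]:
    """Split names from crt.sh entries into hosts, wildcards and out-of-scope.

    `now` is an ISO timestamp (naive UTC, like crt.sh's own fields) so results
    are reproducible; it defaults to the current time.
    """
    cutoff = (datetime.fromisoformat(now) if now
              else datetime.now(timezone.utc).replace(tzinfo=None))
    hosts: set[str] = set()
    wildcards: set[str] = set()
    out_of_scope: set[str] = set()
    for entry in entries:
        not_after = datetime.fromisoformat(entry["not_after"])
        if not include_expired and not_after < cutoff:
            continue  # expired cert: names may no longer exist
        for raw in entry.get("name_value", "").splitlines():
            name = raw.strip().lower().rstrip(".")
            if not name:
                continue
            if not in_scope(name, apex):
                out_of_scope.add(name)       # SAN from another domain on the same cert
            elif name.startswith("*."):
                wildcards.add(name)          # a pattern, not a resolvable host
            else:
                hosts.add(name)              # sets dedupe the repeated log rows
    return {"hosts": sorted(hosts), "wildcards": sorted(wildcards),
            "out_of_scope": sorted(out_of_scope)}


def query_crtsh(domain: str) -> list[dict]:
    """Live query (network); not exercised offline. crt.sh can be slow, hence
    the generous timeout."""
    url = "https://crt.sh/?q=" + urllib.parse.quote(f"%.{domain}") + "&output=json"
    req = urllib.request.Request(url, headers={"User-Agent": "osint-notes-example"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.loads(resp.read().decode("utf-8"))


# Constructed sample imitating crt.sh output for q=%.example.com.
SAMPLE_ENTRIES = [
    {"id": 1, "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2023-01-01T00:00:00", "not_after": "2023-04-01T00:00:00"},
    {"id": 2, "common_name": "*.example.com",
     "name_value": "*.example.com\nvpn.example.com\nstaging.example.com\nother-brand.net",
     "not_before": "2023-06-01T00:00:00", "not_after": "2025-06-01T00:00:00"},
    {"id": 3, "common_name": "www.example.com",   # renewal of #1, still valid
     "name_value": "www.example.com\nexample.com",
     "not_before": "2023-10-01T00:00:00", "not_after": "2024-12-31T00:00:00"},
    {"id": 4, "common_name": "old-mail.example.com",  # long expired
     "name_value": "old-mail.example.com",
     "not_before": "2018-01-01T00:00:00", "not_after": "2019-01-01T00:00:00"},
]

if __name__ == "__main__":
    # entries = query_crtsh("example.com")   # live version
    result = extract_hostnames(SAMPLE_ENTRIES, "example.com", now="2024-01-01T00:00:00")
    for bucket, names in result.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Feed the `hosts` list to resolution or the other asset-search tools above; the `out_of_scope` bucket is worth a glance for shared hosting or sister brands, but it is not evidence that those names belong to the target.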
Last modified: 2023-01-24 11:55