OSINT Notes
Dumping notes from my personal repo of tools and techniques.
Sock Generation:
- https://thispersondoesnotexist.com
- https://elfqrin.com/fakeid.php
Webapps:
- https://hunter.io
1. sign in
2. dashboard
3. enter domain & search
4. lists findings and “Most common pattern:”
Most common pattern for my target is output as {f}{last}@domain
Also lists job titles as found
Also lists the source each email was pulled from
CAN EXPORT TO CSV
- https://Google.com
Search for “google search operators”
site: to search only within a site; - to remove a term from results; filetype: to search only for that document type. Combine these in a single query string for best results.
- https://osintframework.com
- https://builtwith.com
Add domain, search
- https://www.wappalyzer.com/
Add domain, search
- https://linkedin.com
Search by company, scrape to generate a list of emails by email format (f)(lastname)@(domain)
- https://twitter.com
- https://haveibeenpwned.com/
- https://mxtoolbox.com
Confirm domain hosts, use email address verification, check for open relay
- https://shodan.io
Check those domains and IPs
Tools:
https://github.com/Datalux/Osintgram
https://github.com/sherlock-project/sherlock
https://www.kali.org/tools/theharvester/
https://www.kali.org/tools/recon-ng/
https://github.com/sundowndev/phoneinfoga
Resources (breach dumps):
https://github.com/hmaverickadams/breach-parse
https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/
https://github.com/jivoi/awesome-osint
GAP ANALYSIS METHODOLOGY
Gap analysis takes stock of the initial information that you have and then applies four simple questions to identify what to do next. This can be applied to bring structure and order to your OSINT research.
The four questions are:
1) What do I know?
2) What does this mean?
3) (So) What do I need to know?
4) How do I find out?
REFERENCE: https://nixintel.info/osint/using-gap-analysis-for-smarter-osint-quiztime4th-march-2020/
PASSWORD RESET
There is no standard approach to password reset functions; some of them can be used to obtain partial telephone numbers and email addresses of target accounts.
FACEBOOK: You will be met with a screen displaying alternative contact methods that can be used to reset the password as seen in the post above. It also accurately uses the number of asterisks that match the length of the email addresses.
GOOGLE: You will be asked to enter the last password remembered which can be anything you want and the next screen will display a redacted recovery phone number with the last 2 digits if one is on file.
TWITTER: Entering a Twitter username will yield a redacted email address on file with the first 2 characters of the email username and the first letter of the email domain. It also accurately uses the number of asterisks that match the length of the email address.
YAHOO: Will display a redacted alternate email address if on file. Displays accurate character count as well as first character and last 2 characters of email username along with full domain.
MICROSOFT: Displays redacted phone number with last 2 digits.
PINTEREST: Displays a user’s profile as well as a redacted email address without an accurate character count.
INSTAGRAM: Automatically initiates a reset and emails the user. Do not use.
LINKEDIN: Automatically initiates a reset and emails the user. Do not use.
FOURSQUARE: Automatically initiates a reset and emails the user. Do not use.
REFERENCE: https://exploits.run/password-osint/
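Added example, not code from the notes or from any of the platforms named: it models the length-preserving mask the notes describe (first two characters, then one asterisk per hidden character) beside a fixed-width mask, and counts how many addresses in a constructed candidate pool each hint leaves indistinguishable.

```python
# Constructed candidate pool (example data, not from the page): recovery
# addresses an observer might be trying to tell apart for one account.
CANDIDATES = [
    "jsmith@example.com",
    "jsmyth@example.com",        # same lengths: hidden under either mask
    "jo.smith@example.com",
    "josmith@example.com",
    "j.smith@example.com",
    "jsmith@mail.example.com",
    "jsmith@example.org",
    "jo@example.net",
]

def split_email(email: str):
    """Split on the first '@'; a missing '@' yields an empty domain."""
    local, _, domain = email.partition("@")
    return local, domain

def mask_length_preserving(email: str) -> str:
    """The style the notes describe for Twitter: first 2 characters of the
    local part, first letter of the domain, one '*' per hidden character.
    The asterisk count reveals the exact length of both parts."""
    local, domain = split_email(email)
    return (local[:2] + "*" * max(len(local) - 2, 0)
            + "@" + domain[:1] + "*" * max(len(domain) - 1, 0))

def mask_fixed_width(email: str) -> str:
    """Hardened variant: the same number of asterisks whatever the real
    length, and nothing of the domain beyond its top-level label, so the
    hint does not narrow the pool by length or by provider."""
    local, domain = split_email(email)
    tld = domain.rsplit(".", 1)[-1]
    return local[:1] + "****@****." + tld

def consistent_candidates(mask_fn, true_email: str, pool):
    """Candidates the observer cannot rule out after seeing the masked hint
    for true_email: every pool entry whose own mask is identical."""
    shown = mask_fn(true_email)
    return [c for c in pool if mask_fn(c) == shown]

if __name__ == "__main__":
    for fn in (mask_length_preserving, mask_fixed_width):
        left = consistent_candidates(fn, "jsmith@example.com", CANDIDATES)
        print(f"{fn.__name__:24} hint={fn('jsmith@example.com'):20} "
              f"candidates left={len(left)}")
```

With the constructed pool the length-preserving hint leaves 3 candidates, the fixed-width hint 6; the wider the real candidate space, the bigger that gap gets.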
FIND TELEGRAM GROUPS BY LOCATION
- Use a mobile phone / Android Emulator
- Download a GPS-spoofer
- Spoof location to target location
- Open up Telegram
- Click on three dots
- Click on “Contacts”
- Click on “Add people nearby”
- Have fun!
REFERENCE:
https://twitter.com/aware_online/status/1234951508325781509
FIND TWITTER ACCOUNTS BY EMAIL
- Sign in on Gmail
- Open “Contacts”
- Add email address of target
- Sign in on Twitter
- Download “GoodTwitter” add-on
- Open privacy settings
- Click “Find friends”
- Upload Gmail contacts
- Have fun!
REFERENCE:
https://twitter.com/aware_online/status/1234763437219164160
FIND TWEETS BASED ON LOCATION
- Find location in Google Maps
- Right click > “What’s here?”
- Click on GPS coordinates
- Copy GPS coordinates
- Go to Twitter.com
- Use “geocode:LAT,LONG,0.1km”
- Have fun!
REFERENCE:
https://twitter.com/aware_online/status/1235661987113295872
SPOOF BROWSER LOCATION GOOGLE CHROME
- Open dev tools (F12)
- Click on “Console” tab
- Press “ESC” to open the console drawer
- Click on “Sensors”
- Select location/fill in coordinates
- Have fun!
NOTE: IP address might still reveal your location!
REFERENCE:
https://twitter.com/aware_online/status/1236210589128671234
TikTok PROFILES JSON FORMAT!
- Navigate to https://tiktok.com/node/share/user/@{username}?isUniqueId=true
- replace {username} with username of target
- Have fun!
- Find profile pic in 720x720 format
- Find follower/liker count
- & Scrape it!
Want it in 1080x1080 format?
- Go to the TikTok profile https://tiktok.com/@{username}
- Open dev tools (F12)
- Click on the “Network” tab
- Refresh page (F5)
- Select the “XHR” tab
- Double click on “api/user/detail/”
- Open “AvatarLarger” link
- Have fun!
REFERENCE:
https://twitter.com/aware_online/status/1237104037520117760
FIND Google Maps REVIEWS (LOCATION) FROM GOOGLE ID!
- Go to hangouts.google.com
- In the top-left search bar, paste in their Gmail address
- Once their Gmail address pops up in the little reactive results pane, right-click > Inspect.
- In the Developer pane that opens, look up a few lines for the hovercard-id value. Copy it; that’s their Google ID.
- Go to google.com/maps/contrib/TheirGoogleID
Now you have their general location, per the reviews they’ve left at various geographical locations.
Let me know what you think of this article on twitter @cpardue09 or leave a comment below!