Threat Intelligence Information Gathering - OSINT Analysis
What is OSINT?
Open-source intelligence (OSINT) is the practice of collecting information from publicly available sources. OSINT operations, whether practiced by IT security professionals, malicious hackers, or state-sanctioned intelligence operatives, use advanced techniques to search through the vast haystack of visible data for the needles they need to achieve their goals, and in doing so learn information that many don't realize is public.
I will cover the following Kali Linux tools for Open-source intelligence (OSINT) analysis.
CaseFile gives you the ability to quickly add, link, and analyze data with the same graphing flexibility and performance as Maltego, but without the use of transforms. Building on Maltego's graph and link analysis, this tool lets analysts examine links between manually added data and mind-map their information.
CaseFile is a visual intelligence application that can be used to determine the relationships and real world links between hundreds of different types of information.
It gives you the ability to quickly view second, third and n-th order relationships and find links otherwise undiscoverable with other types of intelligence tools.
CaseFile comes bundled with many different types of entities that are commonly used in investigations allowing you to act quickly and efficiently. CaseFile also has the ability to add custom entity types allowing you to extend the product to your own data sets.
USAGE n/a, GUI tool
EXAMPLE n/a, GUI tool
creepy is an application that allows you to gather geolocation-related information about users from social networking platforms and image hosting services. The information is presented on a map inside the application, where all the retrieved data is shown together with relevant context (i.e. what was posted from that specific location). As you can see, Cree.py is just that: creepy, but a great tool for gathering information and building profiles on targets.
USAGE n/a, GUI tool
EXAMPLE n/a, GUI tool
DMitry has the ability to gather as much information as possible about a host. Its base functionality can gather possible subdomains, email addresses, uptime information, TCP port scan results, whois lookups, and more. The information is gathered with the following methods:
Perform an Internet Number whois lookup.
Retrieve possible uptime data, and system and server data.
Perform a SubDomain search on a target host.
Perform an E-Mail address search on a target host.
Perform a TCP Portscan on the host target.
A modular design allowing user-specified modules.
How to install: sudo apt install dmitry
USAGE dmitry [options] <file> <url>
EXAMPLE dmitry --help (DMitry help)
EXAMPLE man dmitry (DMitry complete documentation)
EXAMPLE dmitry -iwns -o example.out google.com
jigsaw is a simple Ruby script for enumerating information about a company's employees. It is useful for social engineering or email phishing.
USAGE jigsaw [options] <url>
EXAMPLE jigsaw -s Google
EXAMPLE ./jigsaw.rb -i 215043 -r google -d google.com
Maltego is a unique platform developed to deliver a clear threat picture of the environment that an organization owns and operates. Maltego can locate, aggregate, and visualize this information. Maltego is a program that can be used to determine the relationships and real-world links between people, groups of people (social networks), companies, organizations, websites, phrases, affiliations, documents and files, and internet infrastructure (domains, DNS names, netblocks, IP addresses).
USAGE n/a, GUI tool
EXAMPLE n/a, GUI tool
Metagoofil is an information gathering tool designed for extracting metadata from public/indexed documents (pdf, doc, xls, ppt, odp, ods) available on the target/victim websites.
The output is a file that can reveal:
relevant metadata information
usernames (potential targets for brute force attacks on open services like ftp, pop3, auths in web apps, ...)
list of disclosed paths in the metadata
USAGE python metagoofil.py <option>
-d <domain> Domain to search
-f <type> Filetype to download (all,pdf,doc,xls,ppt,odp,ods, etc)
-l <number> Limit of results to work with (default 100)
-o <path> Output file (html format)
-t <path> Target directory to download files
How to install: sudo apt install metagoofil
EXAMPLE python metagoofil.py -d ******club.net -l 100 -f all -o output.html -t output-files
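The fields Metagoofil reports (author and last-modified-by usernames, internal paths) live in the docProps parts of Office Open XML packages (docx/xlsx/pptx). The script below is an added example, not Metagoofil's code, for auditing your own documents for those fields before they are published and indexed. It builds a constructed minimal package inline so it runs offline; the path regex and the sample field values are assumptions.

```python
"""Audit Office Open XML documents (docx/xlsx/pptx) for the metadata that
OSINT tools such as Metagoofil harvest: author names, last-modified-by
names and file-system paths.  Added example for checking your own public
documents; it is not part of Metagoofil."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used in docProps/core.xml of OOXML packages.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
# Windows drive paths and common POSIX home paths as they leak in fields
# such as the template reference (assumption: these two shapes suffice).
PATH_RE = re.compile(r"(?:[A-Za-z]:\\[^\s\"'<>]+|/(?:home|Users)/[^\s\"'<>]+)")


def extract_metadata(blob: bytes) -> dict:
    """Return creator, lastModifiedBy and any absolute paths found in the
    package's docProps parts.  Missing fields are None."""
    info = {"creator": None, "lastModifiedBy": None, "paths": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = sorted(zf.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(zf.read("docProps/core.xml"))
            el = root.find("dc:creator", NS)
            info["creator"] = el.text if el is not None else None
            el = root.find("cp:lastModifiedBy", NS)
            info["lastModifiedBy"] = el.text if el is not None else None
        # Scan every docProps part for path-like strings.
        for name in names:
            if name.startswith("docProps/"):
                text = zf.read(name).decode("utf-8", "replace")
                info["paths"].extend(PATH_RE.findall(text))
    return info


def findings(meta: dict) -> list:
    """Translate extracted metadata into the items an OSINT tool would report."""
    out = []
    for field in ("creator", "lastModifiedBy"):
        if meta[field]:
            out.append(f"username disclosed in {field}: {meta[field]}")
    for p in meta["paths"]:
        out.append(f"internal path disclosed: {p}")
    return out


def build_sample_docx() -> bytes:
    """Constructed sample: the smallest zip that carries the docProps parts.
    Real documents contain many more parts; the audit only needs these."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        '<dc:creator>jdoe</dc:creator>'
        '<cp:lastModifiedBy>CORP\\jsmith</cp:lastModifiedBy>'
        '</cp:coreProperties>' % (NS["cp"], NS["dc"])
    )
    # Template field shaped like the one in docProps/app.xml (constructed).
    app = '<Properties><Template>C:\\Users\\jdoe\\Templates\\report.dotx</Template></Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    for line in findings(extract_metadata(build_sample_docx())):
        print(line)
```

Run it over a directory of documents you are about to publish; any finding is a field to scrub (most office suites have a "remove personal information" option) before the file becomes indexable.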
TheHarvester aims at gathering e-mail accounts and subdomain names from public data sources (the search engines, PGP key servers and LinkedIn selectable with -b below):
USAGE theharvester [options]
-d <domain> domain to search or company name
-b <src> data source (google,bing,pgp,linkedin)
-s <start> start in result number X (default 0)
-v verify host name via DNS resolution
-l <limit> limit the number of results to work with (bing goes from 50 to 50 results, Google 100 to 100, and pgp doesn't use this option)
How to install: sudo apt install theharvester
EXAMPLE ./theHarvester.py -d microsoft.com -l 500 -b bing
Twitter Words Of Interest - twofi uses Twitter to help generate word lists based on searches for keywords related to the list that is being cracked. twofi extends this idea: it takes multiple search terms and returns a word list sorted by most common word first. Given a list of Twitter usernames, the script will also fetch approximately the last 500 tweets of each user and use those to build the list.
How to install: sudo apt install twofi
USAGE twofi -t term1,term2,term3,... (no spaces)
USAGE twofi -u username1,username2,username3,... (no spaces and no @)
OPTIONS
--help, -h: show help
--count, -c: include the count with the words
--min_word_length, -m: minimum word length
--term_file, -T file: a file containing a list of terms
--terms, -t: comma separated search terms; quote words containing spaces, no space after commas
--user_file, -U file: a file containing a list of users
--users, -u: comma separated usernames
URLCrazy generates and tests domain typos and variations to detect and perform typo squatting, URL hijacking, phishing, and corporate espionage.
Detect typo squatters profiting from typos on your domain name
Protect your brand by registering popular typos
Identify typo domain names that will receive traffic intended for another domain
Conduct phishing attacks during a penetration test
How to install: sudo apt install urlcrazy
USAGE ./urlcrazy [options] <domain>
EXAMPLE ./urlcrazy example.com
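For the first three use cases above (spotting squatters, registering popular typos, identifying typo domains that draw your traffic) the core of the job is the permutation step. The script below is an added example in the spirit of URLCrazy, not its own code; it implements a subset of URLCrazy's permutation types (omission, transposition, repetition, QWERTY-neighbour replacement, a few homoglyphs, and a dropped "www." dot) and screens a constructed feed of observed domain names against them. The QWERTY map, homoglyph table and sample feed are assumptions.

```python
"""Generate typo variants of a domain you own so they can be registered
defensively or watched for in certificate-transparency / passive-DNS feeds.
Added example in the spirit of URLCrazy; not URLCrazy's own code, and it
covers only a subset of its permutation types."""

# Keyboard neighbours on a QWERTY layout (assumption: QWERTY only).
QWERTY = {
    "q": "wa", "w": "qes", "e": "wrd", "r": "etf", "t": "ryg", "y": "tuh",
    "u": "yij", "i": "uok", "o": "ipl", "p": "o",
    "a": "qwsz", "s": "adex", "d": "sfrc", "f": "dgtv", "g": "fhyb",
    "h": "gjun", "j": "hkim", "k": "jlo", "l": "kp",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn",
    "n": "bhjm", "m": "njk",
}
# Characters that look alike in many fonts (homoglyph substitution).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}


def typo_variants(domain: str) -> set:
    """Return a set of plausible typo domains for `domain` (label.tld)."""
    label, _, tld = domain.lower().partition(".")
    out = set()
    # 1. Character omission: exmple
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])
    # 2. Adjacent transposition: examlpe
    for i in range(len(label) - 1):
        s = list(label)
        s[i], s[i + 1] = s[i + 1], s[i]
        out.add("".join(s))
    # 3. Character repetition: exampple
    for i in range(len(label)):
        out.add(label[:i + 1] + label[i] + label[i + 1:])
    # 4. Replacement with a keyboard neighbour: rxample
    for i, ch in enumerate(label):
        for nb in QWERTY.get(ch, ""):
            out.add(label[:i] + nb + label[i + 1:])
    # 5. Homoglyph substitution: examp1e
    for i, ch in enumerate(label):
        if ch in HOMOGLYPHS:
            out.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
    # 6. Missing dot after the www prefix: wwwexample
    out.add("www" + label)
    out.discard(label)
    return {v + "." + tld for v in out if v}


def watch(domain: str, observed: list) -> list:
    """Return the observed names (e.g. newly issued certificate subjects)
    that are typo variants of `domain`, sorted, for brand monitoring."""
    hits = typo_variants(domain)
    return sorted(d for d in observed if d.lower() in hits)


if __name__ == "__main__":
    # Constructed sample of newly observed domain names to screen.
    feed = ["examlpe.com", "example.com", "exampel.com",
            "unrelated.org", "examp1e.com"]
    print(watch("example.com", feed))
```

The variant set is the list to check against WHOIS and DNS (registered or not, resolving or not) and, for the names you choose not to register, the list to alert on when they show up in a certificate-transparency or passive-DNS feed.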