Clone of . For those who would prefer to not be tracked by MS.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

435 lines
43 KiB

3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
2 years ago
2 years ago
  1. # Open Source Intelligence
  2. ## Table of Contents
  3. - [General](#general)
  4. - [Articles/Writeups](#writeups)
  5. - [Presentations & Talks](#talks)
  6. - [Tools](#tools))
  7. - [CVS/Git/Similar](#cvs)
  8. - [DNS Stuff/related](#dns)
  9. - [Email Gathering](#email)
  10. - [Fancy Search Engines](#search)
  11. - [Search Engine Dorks](#gh)
  12. - [Site Specific Tools](#site)
  13. - [Social Media Search/Enumeration](#social)
  14. - [Company/People Searching](#ppl)
  15. - [Reference Sites](#reference)
  16. - [Miscellaneous](#misc)
  17. #### Sort
  18. * Add list of Sources:
  19. * UCC - Uniform Commercial Code;
  20. * DOC - Current Industrial Patents;
  21. * DMV - Vehicle Ownership applications;
  22. * Patents - Patent DBs;
  23. * Operating Licenses/Permits;
  24. * Trade Journals;
  25. * [keyhacks](
  26. * Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.
  27. * [Threat Intel RSS Feeds via Twitter Lists - Joe Hopper](
  29. * [Username enumeration techniques and their value - Ben Williams](
  30. * [WhatsMyName](
  31. * This repository has the unified data required to perform user and username enumeration on various websites. Content is in a JSON file and can easily be used in other projects
  32. * [git-all-secrets](
  33. * A tool to capture all the git secrets by leveraging multiple open source git searching tools
  37. *
  38. * [How To Tell Stories: A Beginner’s Guide For Open Source Researchers - Natalia Antonova](
  41. * [GitHub for Bug Bounty Hunters - Ed Overflow](
  42. * [pastebin_scraper](
  43. *
  48. * [MailInt - Profiling China based Employees](
  49. * [Giggity](
  50. * Get information about an organization, user, or repo on github. Stores all data in a json file, organized in a tree of dictionaries for easy database transfer or data analysis. All done through the github api, with or without authentication (authentication highly recommended)
  54. * [asint collection -](
  55. * [cloud_enum](
  56. * Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud.
  57. * [SingleFile](
  58. * SingleFile is a Web Extension compatible with Chrome, Firefox (Desktop and Mobile), Chromium-based Edge, Vivaldi, Brave, Waterfox, Yandex browser, and Opera. It helps you to save a complete web page into a single HTML file.
  61. * [Weaponizing Corporate Intel - Mike Felch and Beau Bullock(B-Sides Orlando 2019)](
  62. * Strategically targeting a corporation requires deep knowledge of their technologies and employees. Successfully compromising an organization can depend on the quality of reconnaissance a tester performs up front. Often times testers only resort to using publicly available tools which can overlook critical assets. In this presentation, we will begin by examining some commonly overlooked methods to discover external resources. Next, we will show how to discover employees of a target organization and quickly locate their social media accounts. Finally, we will strategically identify and weaponize personal information about the employees to target the organization directly using new attack techniques. Attendees will learn an external defense evasion method, a new process to gain credentialed access, and be the first to receive a newly released tool! While the approach is designed to assist offensive security professionals, the presentation will be informative for technical and non-technical audiences; demonstrating the importance of security-awareness for everyone.
  63. * [ODIN](
  64. * ODIN aims to automate the basic recon tasks used by red teams to discover and collect data on network assets, including domains, IP addresses, and internet-facing systems. The key feature of ODIN is the data management and reporting. The data is organized in a database and then, optionally, that database can be converted into an HTML report or a Neo4j graph database for visualizing the data.
  65. * [Open Source Intelligence Gathering: Techniques, Automation, and Visualization - Christopher Maddalena](
  66. Remove hidden data and personal information by inspecting documents, presentations, or workbooks
  68. * [yar](
  69. * yar is an OSINT tool for reconnaissance of repositories/users/organizations on Github. Yar clones repositories of users/organizations given to it and goes through the whole commit history in order of commit time, in search for secrets/tokens/passwords, essentially anything that shouldn't be there. Whenever yar finds a secret, it will print it out for you to further assess. Yar searches either by regex, entropy or both, the choice is yours. You can think of yar as a bigger and better truffleHog, it does everything that truffleHog does and more!
  70. --------------------
  71. ### <a name="general"></a>General
  72. * **General**
  73. * SWOT - Strengths, Weaknesses, Opportunities, Threats
  74. * **101**
  75. * [Open Source Intelligence - Wikipedia](
  76. * **Articles/Writeups**
  77. * [Hunting Pastebin with PasteHunter](
  78. * [Open Source Intelligence Gathering 101 -](
  79. * [Open Source Intelligence Gathering 201 -](
  80. * [Open Source Intelligence Gathering: Techniques, Automation, and Visualization - Christopher Maddalena](
  81. * [The OSINT Connection: Intelligence In Executive Protection -](
  82. * **Alerting**
  83. * [Google Trends](
  84. * See what are the popular related topics people are searching for. This will help widen your search scope.
  85. * [Google Alerts](
  86. * Google Alerts are email updates of the latest relevant Google results (web, news, etc.) based on your queries.
  87. * [PasteLert](
  88. * PasteLert is a simple system to search and set up alerts (like google alerts) for entries. This means you will automatically recieve email whenever your term(s) is/are found in new pastebin entries!
  89. * **Educational**
  90. * [Intelligence Gathering - PTES](
  91. * [Corporate Espionage without the Hassle of Committing Felonies](
  92. * [NATO Open Source Intelligence Handbook](
  93. * [OSINT toolbag guide - pdf](
  94. * [Intel Briefing: The Future of OSINT - Robert Munks](
  95. * This is an extract of a 60 minute live webcast available to subscribers of Jane's Intelligence Centres. In this briefing focusing on the future of open source intelligence collection, Jane's analysts will explore the following themes: A 'golden age' of open-source and social media intelligence; prospects for valuable open sources to 'go dark'; commercial satellite imagery and industry expands and future challenges for organisations conducting OSINT.
  96. * **OSINT Based News**
  97. * [JustSecurity](
  98. * Just Security is an online forum for the rigorous analysis of U.S. national security law and policy. We aim to promote principled and pragmatic solutions to national security problems that decision-makers face. Our Board of Editors includes individuals with significant government experience, civil society attorneys, academics, and other leading voices. Just Security is based at the Center for Human Rights and Global Justice at New York University School of Law.
  99. * [OSINTInsight](
  100. * [Janes](
  101. * [bell?ngcat](
  102. * By and for citizen investigative journalists
  103. * [NightWatch](
  104. * NightWatch is an executive commentary and analysis of events that pose or advance threats to US national security interests. It is deliberately edgy in the interest of clarity and brevity. As a product for executives, the distribution and all feedback comments are anonymous.
  105. * [RSOE EDIS - Emergency and Disaster Information Service](
  106. * **Resources**
  107. * [Awesome-OSINT](
  108. * [OSINT Framework](
  109. * [OSINT Resources - greynetwork2](
  110. * [Intel Techniques - Links](
  111. * [toddington - resources](
  112. * [onstrat - osint](
  113. *,175&folderid=0&user=Mediaquest
  114. * [Open Source Intelligence (OSINT) Tools & Resources -](
  115. * Seems pretty good.
  116. * [](
  117. * [Open Source Intelligence Resources -](
  118. * [OSINT - onstrat](
  119. * **IntelTechniques OSINT Flowcharts**
  120. * [Email Address](
  121. * [Domain Name](
  122. * [Real Name](
  123. * [Telephone #](
  124. * [Location](
  125. * [User Name](
  126. * **Writeups**
  127. * [Fantastic OSINT and where to find it - blindseeker/malware focused](
  128. * [Some blog posts describing/bringing you up to speed on OSINT by krypt3ia](
  129. * [Glass Reflections in Pictures + OSINT = More Accurate Location](
  130. * [Exploring the Github Firehose](
  131. * [OSINT Through Sender Policy Framework (SPF) Records](
  132. * [Hunting with ꓘamerka 2.0 aka FIST (Flickr, Instagram, Shodan, Twitter)](
  133. * [ꓘamerka 2.0 aka FIST (Flickr, Instagram, Shodan, Twitter)](
  134. * Build interactive map of cameras, printers, tweets and photos. The script creates a map of cameras, printers, tweets and photos based on your coordinates. Everything is clearly presented in form of interactive map with icons and popups.
  135. * **Talks & Presentations**
  136. * [Cognitive Bias and Critical Thinking in Open Source Intelligence - Defcamp 2014](
  137. * [Dark Arts of OSINT Skydogcon](
  138. * [Developing a Open Source Threat Intelligence Program—Edward McCabe](
  139. * What if you could get out in front of common threats such as botnets, scanners and malware? Good news, you can. Learn about one geeks struggle with life on the Internet of (bad) things when it comes to being online, identifying “odd” things, and developing an Open Source Threat Intelligence Program from Open Source Tools and Public Sources.
  140. * [Corporate Espionage: Gathering Actionable Intelligence Via Covert Operations - Brent White - Defcon22](
  141. * [How to Use Python to Spy on Your Friends: Web APIs, Recon ng, & OSINT](
  142. * [Practical OSINT - Shane MacDougall](
  143. * There’s more to life to OSINT than google scraping and social media harvesting. Learn some practical methods to automate information gathering, explore some of the most useful tools, and learn how to recognize valuable data when you see it. Not only will we explore various tools, attendees will get access to unpublished transforms they can use/modify for their own use.
  144. * [Pwning People Personally - Josh Schwartz](
  145. * [You're Leaking Trade Secrets - Defcon22 Michael Schrenk](
  146. * Networks don't need to be hacked for information to be compromised. This is particularly true for organizations that are trying to keep trade secrets. While we hear a lot about personal privacy, little is said in regard to organizational privacy. Organizations, in fact, leak information at a much greater rate than individuals, and usually do so with little fanfare. There are greater consequences for organizations when information is leaked because the secrets often fall into the hands of competitors. This talk uses a variety of real world examples to show how trade secrets are leaked online, and how organizational privacy is compromised by seemingly innocent use of The Internet.
  147. * [ZOMG Its OSINT Heaven Tazz Tazz](
  148. * **OSINT Tools/Resources** <a name="tools"></a>
  149. * **Tools**
  150. * **DNS**
  151. * [blacksheepwall](
  152. * blacksheepwall is a hostname reconnaissance tool
  153. * **All-in-One**
  154. * [Maltego](
  155. * Description: What you use to tie everything together.
  156. * [Oryon C Portable]()
  157. * Oryon C Portable is a web browser designed to assist researchers in conducting Open Source Intelligence investigations. Oryon comes with dozens of pre-installed tools and a select set of links cataloged by category – including those that can be found in the OI Shared Resources.
  158. * [OSINT Mantra](
  159. * [Recon-ng](
  160. * Description: Recon-ng is a full-featured Web Reconnaissance framework written in Python. Complete with independent modules, database interaction, built in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly.
  161. * [TouchGraph SEO Browser](
  162. * Use this free Java application to explore the connections between related websites.
  163. * [Th3inspector](
  164. * Tool that automates OSINT collection. Seems to gather from a variety of sources. Perl script.
  165. * [gasmask](
  166. * All in one Information gathering tool - OSINT
  167. * **Certificate Transparency**
  168. * [ct-exposer](
  169. * An OSINT tool that discovers sub-domains by searching Certificate Transparency logs. Certificate Transparency (CT) is an experimental IETF standard. The goal of it was to allow the public to audit which certificates were created by Certificate Authorities (CA). TLS has a weakness that comes from the large list of CAs that your browser implicitly trusts. If any of those CAs were to maliciously create a new certificate for a domain, your browser would trust it. CT adds benefits to TLS certificate trust: Companies can monitor who is creating certificates for the domains they own. It also allows browsers to verify that the certificate for a given domain is in the public log record. These logs end up being a gold mine of information for penetration testers and red teams.
  170. * **Data Manipulation**
  171. * [Danger-zone](
  172. * Correlate data between domains, ips and email addresses, present it as a graph and store everything into Elasticsearch and JSON files.
  173. * [Article](
  174. * [OpenRefine](
  175. * Description: OpenRefine is a power tool that allows you to load data, understand it, clean it up, reconcile it to master database, and augment it with data coming from Freebase or other web sources. All with the comfort and privacy of your own computer.
  176. * [OSRFramework](
  177. * OSRFramework is a GNU AGPLv3+ set of libraries developed by i3visio to perform Open Source Intelligence tasks. They include references to a bunch of different applications related to username checking, DNS lookups, information leaks research, deep web search, regular expressions extraction and many others. At the same time, by means of ad-hoc Maltego transforms, OSRFramework provides a way of making these queries graphically as well as several interfaces to interact with like OSRFConsole or a Web interface.
  178. * **Geolocation**
  179. * [](
  180. * Description: Creepy is a geolocation OSINT tool. Gathers geolocation related information from online sources, and allows for presentation on map, search filtering based on exact location and/or date, export in csv format or kml for further analysis in Google Maps.
  181. * **Research Collection/Organization**
  182. * [](
  183. * Paid web archiving tool
  184. * [](
  185. * Research Collection/Organization Tool
  186. * **Search Engine**
  187. * [](
  188. * Description: DescriptionShodan is a search engine that lets the user find specific types of computers connected to the internet using a variety of filters.
  189. * **Company/People Searching** <a name="ppl"></a>
  190. * [](
  191. * [LittleSis](
  192. * LittleSis is a free database of who-knows-who at the heights of business and government.
  193. * [Jigsaw](
  194. * Jigsaw is a prospecting tool used by sales professionals, marketers and recruiters to get fresh and accurate sales leads and business contact information.
  195. * [Spokeo](
  196. * Spokeo is a people search engine that organizes white pages listings, public records and social network information into simple profiles to help you safely find and learn about people.\
  197. * [Hoovers](
  198. * Search over 85 million companies within 900 industry segments; Hoover's Reports Easy-to-read reports on key competitors, financials, and executives
  199. * [Market Visual](
  200. * Search Professionals by Name, Company or Title
  201. * [Glass Door](
  202. * Search jobs then look inside. Company salaries, reviews, interview questions, and more all posted anonymously by employees and job seekers.
  203. * [192](
  204. * Find people, businesses and places in the UK with Directory enquiries, a people finder, business listings and detailed maps with aerial photos.
  205. * [corporationwiki](
  206. * [orbis](
  207. * Company information across the globe
  208. * **Country Specific Resources**
  209. * **USA**
  210. * [SEC EDGAR Search](
  211. * [US Congressional Research Service -](
  212. * **CVS/Git/Similar Focused** <a name="cvs"></a>
  213. * [repo-supervisor](
  214. * [GitPrey](
  215. * GitPrey is a tool for searching sensitive information or data according to company name or key word something.The design mind is from searching sensitive data leakling in Github:
  216. * [git-all-secrets](
  217. * A tool to capture all the git secrets by leveraging multiple open source git searching tools
  218. * [github-firehose](
  219. * A library that will connect to github and emit events from the Github Event API in near-real-time
  220. * [Exploring the Github Firehose](
  221. * [Gitem](
  222. * Gitem is a tool for performing Github organizational reconnaissance.
  223. * [Truffle Hog](
  224. * Searches through git repositories for high entropy strings, digging deep into commit history and branches. This is effective at finding secrets accidentally committed that contain high entropy.
  225. * [dvcs-ripper](
  226. * Rip web accessible (distributed) version control systems: SVN, GIT, Mercurial/hg, bzr, ... It can rip repositories even when directory browsing is turned off.
  227. * [Truffle Hog](
  228. * Searches through git repositories for high entropy strings, digging deep into commit history
  229. * [DVCS-Pillage](
  230. * Pillage web accessible GIT, HG and BZR repositories. I thought it would be useful to automate some other techniques I found to extract code, configs and other information from a git,hg, and bzr repo's identified in a web root that was not 100% cloneable. Each script extracts as much knowledge about the repo as possible through predictable file names and known object hashes, etc.
  231. * [gitdigger](
  232. * gitDigger: Creating realworld wordlists from github hosted data.
  233. * [gitrob](
  234. * Gitrob is a command line tool which can help organizations and security professionals find sensitive information lingering in publicly available files on GitHub. The tool will iterate over all public organization and member repositories and match filenames against a range of patterns for files that typically contain sensitive or dangerous information. Looking for sensitive information in GitHub repositories is not a new thing, it has been [known for a while]( that things such as private keys and credentials can be found with GitHub's search functionality, however Gitrob makes it easier to focus the effort on a specific organization.
  235. * [reposcanner](
  236. * Python script to scan Git repos for interesting strings
  237. * [gitleaks](
  238. * Searches full repo history for secrets and keys
  239. * [Reposcanner](
  240. * Reposcanner is a python script to search through the commit history of Git repositories looking for interesting strings such as API keys, inspired by truffleHog.
  241. * **DNS Stuff** <a name="dns"></a>
  242. * [dauntless](
  243. * Tools for analysing the forward DNS data set published at
  244. * [dnstwist](
  245. * Domain name permutation engine for detecting typo squatting, phishing and corporate espionage
  246. * [typofinder](
  247. * Typofinder for domain typo discovery
  248. * **Domain Recon**
  249. * **Tools**
  250. * [Waybackpack](
  251. * Waybackpack is a command-line tool that lets you download the entire Wayback Machine archive for a given URL.
  252. * [domain - jhaddix](
  253. * Recon-ng and Alt-DNS are awesome. This script combines the power of these tools with the ability to run multiple domains within the same session. TLDR; I just want to do my subdomain discovery via ONE command and be done with it. Only 1 module needs an api key (/api/google_site) find instructions for that on the recon-ng wiki. Script to enumerate subdomains, leveraging recon-ng. Uses google scraping, bing scraping, baidu scraping, yahoo scraping, netcraft, and bruteforces to find subdomains. Plus resolves to IP
  254. * [check0365](
  255. * checkO365 is a tool to check if a target domain is using O365
  256. * **Email Gathering/Reconnaissance** <a name="email"></a>
  257. * **Articles/Writeups**
  258. * [OSINT Through Sender Policy Framework Records](
  259. * [The most complete guide to finding anyone’s email - Timur Daudpota](
  260. * **Tools**
  261. * [SimplyEmail](
  262. * What is the simple email recon tool? This tool was based off the work of theHarvester and kind of a port of the functionality. This was just an expansion of what was used to build theHarvester and will incorporate his work but allow users to easily build Modules for the Framework. Which I felt was desperately needed after building my first module for theHarvester.
  263. * [Email Reconnaissance and Phishing Template Generation Made Simple](
  264. * [theHarvester](
  265. * theHarvester is a tool for gathering e-mail accounts, subdomain names, virtual hosts, open ports/ banners, and employee names from different public sources (search engines, pgp key servers).
  266. * [](
  267. * For use with Kali Linux. Custom bash scripts used to automate various pentesting tasks.
  268. * [Cr3dOv3r](
  269. * Cr3dOv3r simply you give it an email then it does two simple jobs (but useful): Search for public leaks for the email and if it any, it returns with all available details about the leak (Using hacked-emails site API). Now you give it this email's old or leaked password then it checks this credentials against 16 websites (ex: facebook, twitter, google...) then it tells you if login successful in any website!
  270. * [Infoga](
  271. * Infoga is a tool gathering email accounts informations (ip,hostname,country,...) from different public source (search engines, pgp key servers and shodan) and check if emails was leaked using API. Is a really simple tool, but very effective for the early stages of a penetration test or just to know the visibility of your company in the Internet.
  272. * **Facial Mapping Data**
  273. * [Social Mapper](
  274. * Social Mapper is a Open Source Intelligence Tool that uses facial recognition to correlate social media profiles across different sites on a large scale. It takes an automated approach to searching popular social media sites for targets names and pictures to accurately detect and group a person’s presence, outputting the results into report that a human operator can quickly review.
  275. * **Fancy Search Engines** <a name="search"></a>
  276. * [Entity Cube](
  277. * EntityCube is a research prototype for exploring object-level search technologies, which automatically summarizes the Web for entities (such as people, locations and organizations) with a modest web presence.
  278. * [Silobreaker](
  279. * Enterprise Semantic Search Engine, allows virtualisation of data, analytics and exploration of key data.
  280. * [iSeek](
  281. * Another handy search engine that break results down into easy to manage categories.
  282. * [Carrot2](
  283. * Carrot2 organizes your search results into topics. With an instant overview of what's available, you will quickly find what you're looking for.
  284. * [Sqoop](
  285. * OSINT search engine of public documents(handy)
  286. * [GlobalFileSearch](
  287. * An FTP Search Engine that may come in handy.
  288. * [NAPALM FTP Indexer](
  289. * **General Meta Data** <a name="meta"></a>
  290. * [Just-Metadata](
  291. * Just-Metadata is a tool that can be used to gather intelligence information passively about a large number of IP addresses, and attempt to extrapolate relationships that might not otherwise be seen. Just-Metadata has "gather" modules which are used to gather metadata about IPs loaded into the framework across multiple resources on the internet. Just-Metadata also has "analysis" modules. These are used to analyze the data loaded Just-Metadata and perform various operations that can identify potential relationships between the loaded systems.
  292. * [MetaGooFil](
  293. * Description: Metagoofil is an information gathering tool designed for extracting metadata of public documents (pdf,doc,xls,ppt,docx,pptx,xlsx) belonging to a target company. The tool will perform a search in Google to identify and download the documents to local disk and then will extract the metadata with different libraries like Hachoir, PdfMiner and others. With the results it will generate a report with usernames, software versions and servers or machine names that will help Penetration testers in the information gathering phase.
  294. * [Metashield Analyzer](
  295. * Description: Metadata documents can help a malicious user to obtain information that is beyond our control in an enterprise environment. Metashield Analyzer is an online service that allows easily check if your office documents contain metadata.
  296. * [PowerMeta](
  297. * PowerMeta searches for publicly available files hosted on various websites for a particular domain by using specially crafted Google, and Bing searches. It then allows for the download of those files from the target domain. After retrieving the files, the metadata associated with them can be analyzed by PowerMeta. Some interesting things commonly found in metadata are usernames, domains, software titles, and computer names.
  298. * **General Data Scrapers** <a name="scrape"></a>
  299. * [XRAY](
  300. * XRay is a tool for recon, mapping and OSINT gathering from public networks.
  301. * [NameCheck](
  302. * Search usernames across multiple services/domain registries
  303. * [TheHarvester](From:
  304. * Description: The objective of this program is to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN computer database. This tool is intended to help Penetration testers in the early stages of the penetration test in order to understand the customer footprint on the Internet. It is also useful for anyone that wants to know what an attacker can see about their organization.
  305. * [OSINT OPSEC Tool](
  306. * Description: The OSINT OPSEC Tool monitors multiple 21st Century OSINT sources real-time for keywords, then analyses the results, generates alerts, and maps trends of the data, finding all sorts of info people probably don't want others to see...
  307. * [Pattern](
  308. * Pattern is a web mining module for Python. It has tools for: Data Mining: web services (Google,; Twitter, Wikipedia), web crawler, HTML DOM parser; Natural Language Processing: part-of-speech taggers, n-gram search, sentiment analysis, WordNet; Machine Learning: vector space model, clustering, classification (KNN, SVM, Perceptron); Network Analysis: graph centrality and visualization.
  309. * **Paste-Site Scrapers**
  310. * [sniff-paste](
  311. * Multithreaded pastebin scraper, scrapes to mysql database, then reads pastes for noteworthy information.
  312. * **Search Engine Dorks** <a name="gh"></a>
  313. * **101**
  314. * [Google Hacking for Penetration Testers](
  315. * [How to Find (Almost) Anything on Google - Barbara Davidson](
  316. * **Databases/Lists**
  317. * [ExpoitDB archive of the google hacking database](
  318. * [Google Hacking Database](
  319. * We call them 'googledorks': Inept or foolish people as revealed by Google. Whatever you call these fools, you've found the center of the Google Hacking Universe!
  320. * [4500+ Google Dork List 2018 -](
  321. * [List of Google ASE Queries/Dorks - @payloadartist](
  322. * **Tools**
  323. * [GooHak](
  324. * Automatically launch google hacking queries against a target domain to find vulnerabilities and enumerate a target.
  325. * [Google Hacking - Search Diggity tool](
  326. * SearchDiggity 3.1 is the primary attack tool of the Google Hacking Diggity Project. It is Bishop Fox’s MS Windows GUI application that serves as a front-end to the most recent versions of our Diggity tools: GoogleDiggity, BingDiggity, Bing LinkFromDomainDiggity, CodeSearchDiggity, DLPDiggity, FlashDiggity, MalwareDiggity, PortScanDiggity, SHODANDiggity, BingBinaryMalwareSearch, and NotInMyBackYard Diggity.
  327. * [GoogD0rker](
  328. * GoogD0rker is a tool for firing off google dorks against a target domain, it is purely for OSINT against a specific target domain. Designed for OSX originally however googD0rker txt now works on all nix platforms.
  329. * **Network Information Search Engines** <a name="nin"></a>
  330. * [Whoisology](
  331. * Whoisology is a domain name ownership archive with literally billions of searchable and cross referenced domain name whois records.
  332. * **Site Specific** <a name="site"></a>
  333. * **AWS**
  334. * [AWSBucketDump](
  335. * AWSBucketDump is a tool to quickly enumerate AWS S3 buckets to look for loot. It's similar to a subdomain bruteforcer but is made specifically for S3 buckets and also has some extra features that allow you to grep for delicious files as well as download interesting files if you're not afraid to quickly fill up your hard drive.
  336. * **Facebook**
  337. * [pymk-inspector](
  338. * The pymk-inspector is a tool built by Gizmodo's Special Projects Desk that we used for our investigation into Facebook's people you may know (pymk) algorithm.
  339. * [Find FB profiles by Email](
  340. * **Github**
  341. * [profile-summary-for-github](
  342. * Tool for visualizing GitHub profiles
  343. * [Github dorks - finding vulns](
  344. * **LinkedIn**
  345. * [InSpy](
  346. * A LinkedIn enumeration tool
  347. * [linkedin](
  348. * Linkedin Scraper using Selenium Web Driver, Firefox 45, Ubuntu and Scrapy
  349. * [LinkedInt: A LinkedIn scraper for reconnaissance during adversary simulation](
  350. * [LinkedIn Gatherer](
  351. * [socilab](
  352. * This site allows users to visualize and analyze their LinkedIn network using methods derived from social-scientific research. Full sample output is shown here. The site is free and open-source. Have fun!
  353. * [Linkedin_profiles](
  354. * This script uses selenium to scrape linkedin employee details from a specified company. If the script isn't working, you can always browse to the desired company's employee page and paste in the link on line 69 like this: "employees_page = url"
  355. * [The Secrets of LinkedIn](
  356. * Grabbing usernames/connections(link analysis)
  357. * [The Endorser](
  358. * An OSINT tool that allows you to draw out relationships between people on LinkedIn via endorsements/skills.
  359. * [ScrapedIn](
  360. * this tool assists in performing reconnaissance using the website/API. Provide a search string just as you would on the original website and let ScrapedIn do all the dirty work. Output is stored as an XLSX file, however it is intended to be used with Google Spreadsheets. After importing the XLSX into Google Spreadsheets there will be a "dataset" worksheet and a "report" worksheet.
  361. * [Gathering Usernames from Google LinkedIn Results Using Burp Suite Pro - BHIS](
  362. * [GatherContacts](
  363. * A Burp Suite Extension to pull Employee Names from Google and Bing LinkedIn Search Results.
  364. * [linkedin2username](
  365. * [Raven](
  366. * raven is a Linkedin information gathering tool that can be used by pentesters to gather information about an organization employees using Linkedin.
  367. * **Tinder**
  368. * [OSINT: Advanced tinder capture](
  369. * **Twitter**
  370. * [OneMillionTweetMap](
  371. * This page maps the last geolocalized tweets delivered by the twitter stream API. ... YES - IN REAL-TIME - and we keep "only" the last one million tweets.
  372. * [tweets_analyzer](
  373. * Tweets metadata scraper & activity analyzer
  374. * [Tweet Archivist](
  375. * [tweets_analyzer](
  376. * Tweets metadata scraper & activity analyzer
  377. * [Tinfoleak](
  378. * tinfoleak is a simple Python script that allow to obtain: basic information about a Twitter user (name, picture, location, followers, etc.); devices and operating systems used by the Twitter user; applications and social networks used by the Twitter user; place and geolocation coordinates to generate a tracking map of locations visited; show user tweets in Google Earth!; download all pics from a Twitter user; hashtags used by the Twitter user and when are used (date and time); user mentions by the the Twitter user and when are occurred (date and time); topics used by the Twitter user
  379. * [How to Find the Twitter ID from an Email Address -](
  380. * [Twint](
  381. * Formerly known as Tweep, Twint is an advanced Twitter scraping tool written in Python that allows for scraping Tweets from Twitter profiles without using Twitter's API. Twint utilizes Twitter's search operators to let you scrape Tweets from specific users, scrape Tweets relating to certain topics, hashtags & trends, or sort out sensitive information from Tweets like e-mail and phone numbers. I find this very useful, and you can get really creative with it too. Twint also makes special queries to Twitter allowing you to also scrape a Twitter user's followers, Tweets a user has liked, and who they follow without any authentication, API, Selenium, or browser emulation.
  382. * [twitterBFTD](
  383. * Twitter back from the death looks in a user tweets history for domain names that are available for registration.
  384. * [Blogpost](
  385. * **Social Media Search/Enumeration** <a name="social"></a>
  386. * [CheckUsernames](
  387. * Check the use of your brand or username on 160 Social Networks
  388. * [NameCHK](
  389. * Check to see if your desired username or vanity url is still available at dozens of popular Social Networking and Social Bookmarking websites.
  390. * [Scythe](
  391. * The ability to test a range of email addresses across a range of sites (e.g. social media, blogging platforms, etc...) to find where those targets have active accounts. This can be useful in a social engineering test where you have email accounts for a company and want to list where these users have used their work email for 3rd party web based services.
  392. * [Social Mention](
  393. * Social Mention is a social media search engine that searches user-generated content such as blogs, comments, bookmarks, events, news, videos, and more
  394. * [Whos Talkin](
  395. * social media search tool that allows users to search for conversations surrounding the topics that they care about most.
  396. * [sherlock-js](
  397. * Find usernames across over 75 social networks - NodeJS remake of sdushantha/sherlock
  398. * [sherlock](
  399. * Python tool to find usernames across social networks
  400. * **Tor**
  401. * [ExoneraTor](
  402. * Enter an IP address and date to find out whether that address was used as a Tor relay: