Passive Recon(OSINT) Resources

Passive Reconnaissance

To gather intelligence without actively engaging the target.

 
In the passive recon phase, we’re planning our future steps by passively collecting information on the target.
A few examples:
~ Any email formats found?
~ What names can we find related to the target?
~ Sensitive data found on social media? Badges, passwords, or software in pics?
~ Any exposed credentials in dumps? Repeat password patterns?
~ What’s the business structure? Who holds the keys?
~ Any sensitive information in open website/domain records?
~ Start mapping network topology.



This is a list of tools which use passive reconnaissance techniques (e.g., OSINT) to gather information on the target.
 
⚠️ Some resources may contain techniques that act outside passive reconnaissance and may actively engage the target. ⚠️


Regarding my notes:

  • The brackets() after each tool will indicate if the tool is:
    1. (built-in) = available in Kali’s repo. Simply run sudo apt update && sudo apt install *tool*
    2. (external) = outside Kali’s repo. It’ll need to be downloaded, then installed.
    3. (website) = part of a website.
    4. There are others but they’re self-explanatory.
  • I’ll also try specifying any restrictions I know of.
    1. API access needed.
    2. Paywalls.
    3. etc.

AIO Tools

  1. Aware Online - (website)

    • Resources, tutorials, etc.
    • Company based in Netherlands.
  2. awesome osint - (website)

    • Awesome OSINT is a large collection of resources dedicated to anything OSINT.
  3. Hunchly - (chrome extension) - Trial available

    • Chrome extension for organizing your findings and exporting them. It can auto screenshot as you go.
  4. IntelTechniques - (website)

    • Great resource for OSINT anything. Tools included.
  5. _IntelligenceX - (website) - Free account required.

    • Tools which can be used for many different OSINT purposes.
    • Email format validation, DNS records, etc
  6. Maltego CE - (built-in) - APIs aren’t needed but can help widen your net.

    • Great link analysis tool for the aggregated data it collects. Helps visualize paths of data points, etc.
    • Maltego Essentials Youtube Playlist - Youtube playlist for learning Maltego.
  7. OSINT Combine - (website)

    • AIO site that hosts many useful online tools.
    • E.g., Darkweb, socials, usernames, etc
  8. OSINT Framework - (website)

    • Fun interactive site that can help you see the paths of OSINT but, honestly, I’ve never used it.
  9. Pentest-Tools.com - (website) - Limited without subscription.

    • Many limited use tools.
    • Access by clicking hamburger menu then Tools.
  10. recon-ng - (built-in)

    • “Open Source Intelligence gathering tool aimed at reducing the time spent harvesting information from open sources.”
    • Great framework for OSINT gathering. It has a similar feeling to metasploit since it uses modules, “run”, etc

AIO VM

  1. Trace Labs Organization - (external - VM VMware & VirtualBox)
    • “Trace Labs is a nonprofit organization whose mission is to accelerate the family reunification of missing persons while training members in the tradecraft of open source intelligence (OSINT).”
    • This VM was created for OSINT. Updated regularly. Privacy focused.
    • Trace Labs Github.
    • Latest Trace Labs OSINT VM.

Accounts(Usernames)

  1. CheckUserNames - (website)

    • Website that helps find where a username may be in use, or not in use.
  2. GHunt - (external & website)

    • CLI script, and online now, which can help you dig into anything Google, including accounts.
  3. iDCrawl - (website)

    • Search for usernames across different online platforms.
  4. Maigret - (external)

    • Fork of Sherlock that creates a dossier of a person by username.
  5. NameChecker - (website)

    • Search for usernames across different online platforms.
  6. NameCheckUp - (website)

    • Search for usernames across different online platforms.
  7. Sherlock - (built-in)

    • “Hunt down social media accounts by username across social networks”
    • Tool built-in to Kali which allows you to search many different social networks for a username.
    • Sherlock’s Github Pages website
  8. WhatsMyName Web - (website)

    • A very thorough tool that searches the web for usernames and names.

Breaches/Dumps

Dumps

  1. 1.4B Breach Compilation - (Torrent Link)

  2. Rockyou2021.txt - Collection of wordlists combined - (Torrent Link)

  3. psbdmp.ws (website) - API available.

    • Biggest archive(database) of paste dumps.

Search Breaches/Dumps

  1. search.0t.rocks (website)

    • 14B records to sift through. 😄 - Older DB though.
  2. DEHASHED (external website & API) - No account required but limited. API available through subscription.

    • Search dumps and chain emails, hashes, and passwords while looking for reuse across different accounts.
  3. Breach Parse - (external)

    • A tool for parsing breached passwords.
    • Works well with 1.4B Breach Compilation.
  4. haveibeenpwned(HIBP) (external website & API) - API available through subscription.

    • The website allows you to search through a large updated database of data dumps for either emails or passwords. It’s active and updated regularly.
    • API subscription available. You send the API the first 5 characters of a hash and the API responds with a list of hashes matching the sent prefix.
  5. Facebook Data Breach Checker - (website)

    • Searches through 533 million Facebook accounts for a dumped phone number.
    • Uses k-anonymity to ensure privacy.
  6. LeakCheck - (website) - Account required.

    • Alternative to HIBP and dehashed.
  7. SnusBase - (website) - Account required.

    • Indexes information from websites which had data breaches.

Bucket search engines

  1. GrayHatWarfare (website) - Free = limited range. Registered = double free range. Premium = unlimited w/ full path search.
    • S3 bucket search engine.

Businesses

  1. AIHIT - (website) - Account creation and/or subscription may be needed.

    • Company database aggregator.
  2. BBB - (website)

    • Local business search. Find phone numbers, addresses, names, and reviews/complaints.
  3. Bloomberg - (website) - Account creation and/or subscription may be needed.

    • Find history and news on a company, including public finances.
  4. OpenCorporates - (website)

    • Largest legal-entity database, released under the copyleft Open Database License.
  5. LinkedIn - (website)

    • Great place to find badge photos, employee lists, tech stack through job applications, etc.
    • Companies may not share sensitive information but employees do. 😄
  6. NerdyData - (website)

    • Get a list of websites that use certain technologies, plus the company’s tech spend data.
  1. grep.app - (website)

    • Search across a half million git repos.
    • Great place to dig for leaked secrets, etc.
  2. RepoSearch - (website)

    • Search for source code across SVN and Github repos.
  3. PublicWWW - (website)

    • Search through a web page’s HTML, JS, and CSS code.
    • Updated regularly.
  4. SearchCode - (website)

    • Searches Bitbucket, CodePlex, Fedora Project, Gitlab, Github, Gitorious, Google Android source codes.

Darkweb Search Engines

  1. BizNar - (website)

    • Deep Web search engine.
  2. real-world-onion-sites - (website)

    • “This is a list of substantial, commercial-or-social-good mainstream websites which provide onion services.”

Domains

Domain AIO

  1. assetfinder - (built-in)

    • Domain and subdomain discovery using passive methods written in golang.
  2. CentralOps.net - (website)

    • Domain & network WHOIS, DNS records, service scan, traceroute, etc.
  3. ViewDNS.info - (website)

    • Collection of domain level tools.

DNS & Records

  1. DNS Dumpster - (website)

    • DNS & Whois recon and research.
  2. dnsenum (built-in)

    • Multithreaded perl script that enumerates DNS information and non-contiguous IP blocks.
  3. DNSRecon (built-in)

    • Very flexible and effective DNS scanning and enumeration tool.
    • Ability to use external passive means along with local wordlist fuzzing techniques for discovery.
  4. Fierce (built-in)

    • A DNS reconnaissance tool for locating non-contiguous IP space.

Subdomains

  1. Amass by OWASP - (built-in)

    • Open-source CLI for enumerating and discovering subdomains.
    • Defaults to passive recon but active is an option.
  2. CRT.sh - (website)

    • Search digital certificates of subdomains.
    • Great subdomain tool!
  3. DNSlytics - (website)

    • Find domains sharing the same IP or subnet.
  4. SpyonWeb.com - (website)

    • Similar to DNSlytics above.
  5. Subfinder - (built-in) - Many API options but not required.

    • Passive subdomain enumeration using golang.
    • Works really well even without APIs.
  6. Sublist3r - (built-in)

    • Python tool for enumerating subdomains via OSINT.
    • Older but still useful in some situations.

Was it a Tor Relay

  1. Exonerator(Tor Project) - (website)
    • Search by IP and/or date to find out if an IP was used as a Tor relay.

Emails

  1. ClearBit (Chrome Extension) - Account required.

    • Confirm and cross reference emails found.
  2. DEHASHED (external website & API) - No account required but limited. API requires subscription.

    • Chain emails, hashes, passwords and look for reuse across different accounts.
  3. Email Hippo (website) - No account required.

    • Verify if an email is real or fake.
  4. h8mail (external) - May require access to various APIs

    • Email OSINT & Password breach hunting tool, locally or using premium services. Supports chasing down related email.
    • Digs through local databases or remote databases for findings.
    • API restrictions.
  5. hunter.io (built-in and website) - Free is limited.

    • Email address search engine/parser.
  6. phonebook.cz (website) - _Intelx account required(free).

    • Email address search engine, plus more.
  7. Zen (external) - Supports HIBP API.

    • Find emails of Github users.

File Search Engines

  1. dedigger - (website)

    • Find public files in Google drives.
  2. File Pursuit - (website)

    • “Search the web for files, videos, audios, eBooks & much more.”
  3. FileSearch - (website)

    • Search archives, programs, videos, music, books, and more.
  4. DLL Dump - (website) - Careful downloading DLLs. Malicious warning!

    • Collection of DLL files free for download.
  1. BASE - (website)

    • “BASE is one of the world’s most voluminous search engines especially for academic web resources.”
  2. CORE - (website)

    • Searches world’s largest collection of open access research papers.
  3. FreeFullPDF - (website)

    • “Find free scientific publications in PDF format”
  4. Google Scholar - (website)

    • Google search for anything scholar.
  1. deturl - (website)

    • Download any youtube video by adding “pwn” to beginning of youtube video… pwnyoutube.com/watch?v=*********
  2. filmot - (website)

    • Search within Youtube Subtitles.
  3. Youtube DataViewer - (website)

    • Quickly extract Youtube video data by providing link.
  1. boardreader - (website)

    • Searches various forums, blogs, reviews and news via APIs.
  2. builtwithFlarum - (website)

    • Discover Flarum made discussion boards.

GeoLocation

Search GeoLoc

  1. GeoCreepy - (external)

    • Creepy Github
    • A geolocation OSINT tool. Offers geolocation information gathering through social networking platforms.
  2. Google Earth - (website)

    • Google Earth. Find locations based on GPS coordinates, etc.
  3. Youtube GeoFind - (website)

    • Find GeoLocation information on Youtube channels, etc

GeoLoc Practice

  1. GeoGuessr - (Website & phone app)
    • Game for everyone. Gamified OSINT through google maps.

Images

Exif Data

  1. ExifTool - (built-in)

    • CLI app for reading and writing exif, GPS, IPTC, XMP, and other meta info in image, audio, PDF, and video.
  2. libexif - (external)

    • Library written in portable C.
    • Reads and writes exif metadata in image files.
  1. Foto Forensics - (website)

    • Provides access to cutting-edge tools for digital photo forensics.
    • Service was retired but then recreated, by ‘Hacker Factor’ with the goal of providing “…a free service that provides an introduction to photo forensics.”
    • Foto Forensics tutorial.
  2. Google Lens - (website)

    • AI-driven reverse image search.
    • Click the little colored camera to open upload feature. Upload image or input image URL.
  3. PimEyes - (website) - Subscription may be needed. Try page source for found image URL?

    • Reverse image search.
    • For better results turn off safe search but results may become NSFW!
  4. TinEye - (website)

    • Image search and recognition company with reverse image search.

Stock Images

  1. FreeImages - (website)

    • Free stock images.
  2. Free Stocks - (website)

    • Free stock images.
  3. pixabay - (website)

    • Free stock images.
  4. unsplash - (website)

    • Free hi-res images. Unique.
  1. censys - (website) - Free account required for personal use.

  2. Netlas - (website)

    • Intel apps that provide IP address, domains, websites, web Apps, IoT, and other assets.
  3. Shodan.io - (website) - Free account required. Lifetime subscriptions on sale at random.

    • Shodan How-To Guide
    • Search IP to do service scans.
    • city:city - will show devices in city area.
    • port:port - will search for port only.
    • org:organization - will search org specified.

Leaks

  1. Offshore Leaks Database - (website)
    • Search leak databases

Online Cameras

  1. Insecam - (website)
    • Live camera directory.
    • Uses Shodan to find cameras then indexes them.

Organizations

  1. Trace Labs Organization - (website - VM VMware & VirtualBox)

    • “Trace Labs is a nonprofit organization whose mission is to accelerate the family reunification of missing persons while training members in the tradecraft of open source intelligence (OSINT).”
    • This VM was created for OSINT. Updated regularly. Privacy focused.
  2. International Consortium of Investigative Journalists - (website)

  3. Innocent Lives Foundation - (website)

    • “Identify anonymous child predators and help bring them to justice.”

Persons

  1. Federal Bureau of Prisons - (website)

    • Searches prisons for inmates by number or name.
  2. Fast Background Check - (website)

    • Searches public records for personal information. It’s quick too.
  3. Fast People Search - (website)

    • Can find relatives, phone, address, etc.
    • Decent at finding active phone numbers.
  4. iDCrawl - (website)

    • Person search engine. Photos, socials, usernames, address, etc.
  5. Jury Records - (website)

    • Searches jury cases for linked persons.
  6. peekyou - (website)

    • Uses other site searches to find person information.
  7. TruePeopleSearch - (website)

    • Finds address(with google maps), phone, relatives, associates, etc.
  8. Webmii - (website)

    • Person search but includes some social platforms too.
  9. White Pages - (website)

    • One of the largest person contact and background databases.

Phone Numbers

  1. CallerID Test - (website) - 5 searches a day.

    • Free phone number search. Locates city, state, and phone provider.
  2. infobel - (website)

    • Phone search across North America, South America, Europe, Asia, Africa, Australia and the Pacific, and the Middle East.
    • USA version called us-info
  3. true caller - (website & phone app) - Registration required.

    • Searches phone numbers.
    • Many cellular phones have this integrated for caller ID.

Social Platforms

Facebook

  1. Facebook Friend List Scraper - (external)

    • “OSINT tool to scrape names and usernames from large friend lists on Facebook, without being rate limited.”
  2. fb-sleep-stats - (external)

    • “Use Facebook to track your friends’ sleeping habits”
  3. Facebook ID Lookup - (website)

    • “Facebook ID finder can help you find your or someone’s Facebook numeric user ID easily”

Instagram

  1. Tools By CodeOfaNinja - (website)

    • Various tools, including social ID finders.
  2. HashTagify - (website)

    • Search instagram hashtags.
  3. Osintgram - (external)

    • “Osintgram is a OSINT tool on Instagram. It offers an interactive shell to perform analysis on Instagram account of any users by its nickname”.
  4. sterraxcyl - (external)

    • “Instagram OSINT tool to export and analyze followers | following with their details”.
  5. Toutatis - (external)

    • “Toutatis is a tool that allows you to extract information from instagram accounts such as e-mails, phone numbers and more”.

LinkedIn

  1. InSpy - (external)
    • Python based LinkedIn enumeration tool requiring Hunter.io API key.

Pinterest

  1. Aware-Online Pinterest OSINT Guide - (website)

Reddit

  1. Subreddits - (website)

    • Discover new subreddits.
  2. Reddit Comment Search - (website)

    • Find all comments posted by user.

Snapchat

  1. Snapchat Map - (website)
    • Built-in search engine for snapchat, including map.

Telegram

  1. Telegram Nearby Map - (external)
    • Discover the location of nearby Telegram users.

Tumblr

  1. Tumblr 2013 data breach search - (website)

Twitter

  1. Nitter - (external & website)

    • Free and open source front-end for searching twitter(x) without an account.
    • Nitter Github
  2. foller.me - (website)

    • “Twitter analytics shows followers, hashtags, topics, mentions, and other statistics for any public Twitter profile.”

Threat Intel

  1. AlienVault - (website)

    • Open Threat Exchange neighborhood watch of the threat intel community.
  2. Rescure - (website)

    • Feeds of malicious IPs, domains, and Malware hashes updated every 24hrs.

Voter Records

  1. Voter Records - (website)
    • Political research tool which searches public records released by US states.

Web *

Web History

  1. Archive.org - (website)

    • OG Wayback Machine by Internet Archive.
  2. Archive.is - (website)

    • Archive tool which time capsules web pages.
  3. Visual Ping - (website)

    • Visually look at webpages for changes.
  4. Stored.Website - (website)

    • Pulls web cache from selected source.
  5. waybackpack - (external)

    • “Download the entire Wayback Machine archive for a given URL.”
  6. waybackpy - (external)

    • API to interface with wayback machine APIs.

Web Search Engines

Google

  1. Google Hacking for Penetration Testers - (PDF)

    • BlackHat presentation covering “Google Hacking for Penetration Testers”.
  2. Google Advanced Search - (website)

    • Helps you run Google operators aka dorks.
  3. Dork-Search.com - (website)

    • Google search techniques built into the search bar.
  4. Google-Dorking - (website)

    • Site of Google search techniques and tools.
  5. Google Guide - (website)

    • Small PDF guide to google search techniques & operators.
  6. Google Hacking Database - (website)

    • Google dorks created by offsec minded individuals.
  7. Google Trends - (website)

    • “Google Trends is a website by Google that analyzes the popularity of top search queries in Google Search across various regions and languages. The website uses graphs to compare the search volume of different queries over time.” per Wikipedia.

Other Search Engines

  1. Aol - (website)

    • Aol search engine.
  2. Ask - (website)

    • Ask search engine.
  3. Baidu - (website)

    • China’s google…
  4. Bing - (website)

  5. DuckDuckGo - (website)

  6. Wolfram Alpha - (website)

    • Computational knowledge engine.
  7. Yahoo - (website)

  8. Yandex - (website)

    • Russia’s google…

Web Techstack

  1. BuiltWith - (website)

    • Search a website’s techstack.
  2. netcraft - (website)

    • Find infrastructure and techstack.

Wireless

  1. aircrack-ng - (built-in)

    • AIO wireless security suite.
    • Contains both passive and active recon tools, along with many exploitation tools.
  2. WiGLE - (website)

    • Wireless Geographic Logging Engine.
    • Searchable central database of world-wide wireless networks.

Wordlists

Wordlist Creation

  1. ceWL (Custom Word List Generator) - (built-in)

    • Ruby-based app which crawls a URL and returns a list of words.
  2. CUPP (Custom User Passwords Profiler) - (built-in)

    • After OSINT, takes user input and creates a custom wordlist based off user input like birthday, name, etc.
  3. Mentalist - (external)

    • Wordlist and rules creation tool.
  4. namemash.py - (external)

    • Takes first and last name as user input and spits out possible combinations.
    • Useful for after finding names via OSINT.

Wordlist Downloads

  1. Bruteforce-database repo - (external)

    • Various wordlists in one repo.
  2. InfoSecWarrior repo - (external)

    • Various wordlists buried inside the repos.
  3. SecLists repo - (built-in)

    • Updated collection of wordlists.
    • Located under /usr/share/wordlists/SecLists

Additional

Certifications to earn

  1. McAfee Institute - (website)
    • More info @ CISA’s webpage.
    • “The Certified in Open Source Intelligence (C|OSINT) program is the first and only globally recognized and accredited board certification on open source intelligence.”

Written by Matt Raupfer
Cyber Nerd