OSINT Toolkit

Person, phone, DNS, IP, etc. XYZ-INT tools.

With great power comes great responsibility - I've used some of these to execute successful, but most importantly authorized, spear-phishing campaigns against real people.

GEOINT

Person Lookup

  • Voter Records
  • TruePeopleSearch
  • That's Them
  • OfficialUSA
  • Google Dorking and pivoting off artifacts
  • State Resident Databases
  • SOCMINT! (Facebook, LinkedIn, Instagram, you name it!)
    • Tips and Wisdom:
      • The spouse (or family) always gives you away.
      • Look up combinations and alterations of the name you know with middle names, nicknames, spouse names, locations, etc. Don't get stuck by not accounting for someone changing their name or omitting part of their name.
      • Sometimes, social media provides you nothing, and sometimes it provides everything you may possibly need.

Notes on looking up someone's appearances in court cases, wanted lists, and registries (United States):

  • Finding the local county court for someone's residence, and then looking up their name, can show you cases that person has been a part of in relation to that court (parking violations, dissolutions of marriage, felony and misdemeanor arrests, etc.).
  • States have active wanted persons and "public access system" lists of varying types. (E.g., Florida's)
  • At the national level, there are tools/databases like the National Offender Registry and the FBI Fugitives list.

Phone Lookup

Whois // DNS

  • Whoxy Domain Search Engine (WHOIS lookups and reverse lookups)
  • Whois.com
  • NsLookup.io
  • ViewDNS.info (Shoutout Michael Bazzell!)
    • Note that a good combination is to do an "IP History" lookup to find the IP address that hosts a website, and then put that IP address into the "Reverse IP Lookup" to find other sites hosted on the same server. Great pivoting technique!
    • Also note that multiple WHOIS sites may be required to find usable information on a target/entity.

IP Address

NFTs

Reverse Image Searching

  • Tineye (looks for exact matches across the internet)
  • Google Reverse Image Search (gives approximate matches)

Misc.

Dorking Cheatsheet:

  • Quotation Marks
  • before:YYYY-MM-DD
  • after:YYYY-MM-DD
  • filetype:pdf
  • site:xyz.com
  • - (minus sign)

Complicated Query Example: ("passwords.txt" OR "leaked-passwords.csv" OR "secrets.txt") AND intitle:"index" -of

Note: Dorking can be used to supplement pretty much everything on this list. Dorking with an email address, malware string, crypto address, etc. can yield very interesting information from unexpected gold mines.