OSINT Toolkit

Person, phone, DNS, IP and related lookup tools. With great power comes great responsibility: I've used these to run successful, and most importantly authorized, spear-phishing campaigns against real people.

Person Lookup

  • Voter Records
  • TruePeopleSearch
  • That's Them
  • OfficialUSA
  • State Resident Databases
  • SOCMINT (Facebook, LinkedIn, Instagram, you name it)
    • Tips and wisdom:
      • The spouse (or family) always gives you away.
      • Search combinations and alterations of the name you know: middle names, nicknames, spouse's surname, locations, etc. Don't get stuck by failing to account for someone who changed their name or omits part of it.
      • Sometimes social media gives you nothing, and sometimes it gives you everything you could possibly need.
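A small helper for the name-variation tip above, as an added example (not code from the original page): it expands a known name into the nickname, initial, middle-name and surname combinations worth feeding into the people-search sites listed here. The nickname table and the `site:` filter are assumptions for illustration.

```python
import itertools
import re

# Constructed nickname table (assumption for this example); extend it for real work.
NICKNAMES = {
    "william": ["bill", "billy", "will"],
    "robert": ["rob", "bob", "bobby"],
    "elizabeth": ["liz", "beth", "eliza", "betty"],
    "katherine": ["kate", "kathy", "katie"],
}


def _norm(s):
    """Lowercase and strip anything that is not a letter, apostrophe, hyphen or space."""
    return re.sub(r"[^a-z' -]", "", s.strip().lower())


def first_name_variants(first):
    """Formal name, its nicknames, and (if given a nickname) the formal name plus siblings."""
    first = _norm(first)
    out = [first] + NICKNAMES.get(first, [])
    for formal, nicks in NICKNAMES.items():
        if first in nicks:
            out.append(formal)
            out += [n for n in nicks if n != first]
    return list(dict.fromkeys(out))  # dedupe while keeping order


def name_variants(first, last, middle=None, other_surnames=()):
    """Return deduplicated search strings covering nickname, initial, middle-name-as-first,
    and maiden/married/hyphenated surname combinations for one person."""
    lasts = [_norm(last)] + [_norm(s) for s in other_surnames]
    mids = [_norm(middle)] if middle else []
    variants = []
    for f in first_name_variants(first):
        for l in lasts:
            variants.append(f"{f} {l}")
            for m in mids:
                variants.append(f"{f} {m} {l}")      # full middle name
                variants.append(f"{f} {m[0]} {l}")   # middle initial
                variants.append(f"{m} {l}")          # goes by the middle name
        # someone with a maiden and married name may use either order, hyphenated or not
        for a, b in itertools.permutations(lasts, 2):
            variants.append(f"{f} {a}-{b}")
            variants.append(f"{f} {a} {b}")
    return list(dict.fromkeys(variants))


def search_queries(variants, site=None):
    """Quote each variant as an exact-phrase query, optionally scoped with site: (assumed usage)."""
    queries = [f'"{v}"' for v in variants]
    if site:
        queries = [f"{q} site:{site}" for q in queries]
    return queries


if __name__ == "__main__":
    # Constructed example subject, not a real person.
    for q in search_queries(name_variants("William", "Smith", middle="James",
                                          other_surnames=["Jones"]), site="linkedin.com"):
        print(q)
```

Run the output through the site search or a dork one query at a time; the point is that the spouse's surname and the middle-name-as-first-name cases are the ones people forget.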

Phone Lookup

Whois // DNS

  • Whoxy Domain Search Engine (WHOIS lookups and reverse lookups)
  • Whois.com
  • NsLookup.io
  • ViewDNS.info (shoutout Michael Bazzell!)
    • A good combination is an "IP History" lookup to find the IP address that hosts a website, then putting that IP into "Reverse IP Lookup" to find other sites hosted on the same server. Great pivoting technique! Caveat: on shared hosting or behind a CDN such as Cloudflare, the reverse lookup returns many unrelated sites, so confirm a pivot with a second source (historical WHOIS, certificate transparency logs) before treating two sites as linked.
    • Multiple WHOIS sites may be needed to find usable information on a target or entity, since privacy redaction differs by registrar and TLD and historical records are not held by every service.

IP Address

NFTs

Reverse Image Searching

  • Tineye (looks for exact matches across the internet)
  • Google Reverse Image Search (gives approximate matches)

Misc.

  • WiFi Networks: Wigle.net (need an account)
  • VINs: easily searchable
  • ANY.RUN Threat Intelligence (statistics, charts, recent events, reports, and MITRE ATT&CK mapping)
  • Construction Companies' Current Bids and Projects: https://projects.constructconnect.com/
  • Tech Stack Identification: company job postings, social media postings, fingerprinting (check out Wappalyzer), response headers and cookies seen through an intercepting proxy, website source code analysis, and so on.
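To show what "fingerprinting from headers and source" means in practice, here is an added example (not from the original page and not Wappalyzer's ruleset) that parses a raw HTTP response and matches a handful of constructed rules against the Server, X-Powered-By and Set-Cookie headers and the HTML body. The rule table and the sample response are assumptions built for the example.

```python
import re

# Constructed fingerprint rules (an assumption of this example):
# header name -> [(regex with optional version capture group, technology)].
HEADER_RULES = {
    "server": [
        (r"nginx(?:/([\d.]+))?", "nginx"),
        (r"apache(?:/([\d.]+))?", "Apache"),
        (r"microsoft-iis(?:/([\d.]+))?", "IIS"),
        (r"cloudflare", "Cloudflare"),
    ],
    "x-powered-by": [
        (r"php(?:/([\d.]+))?", "PHP"),
        (r"asp\.net", "ASP.NET"),
        (r"express", "Express"),
    ],
    "set-cookie": [
        (r"^phpsessid=", "PHP"),
        (r"^jsessionid=", "Java servlet container"),
        (r"^asp\.net_sessionid=", "ASP.NET"),
        (r"^wordpress_", "WordPress"),
    ],
    "x-generator": [(r"drupal(?: ([\d.]+))?", "Drupal")],
    "via": [(r"varnish", "Varnish")],
}
# Body rules: (regex, technology). A None technology means the generator meta
# tag's content supplies the name and version itself.
BODY_RULES = [
    (r"/wp-(?:content|includes)/", "WordPress"),
    (r'<meta[^>]+name="generator"[^>]+content="([^"]+)"', None),
    (r"jquery(?:[-.]([\d.]+))?(?:\.min)?\.js", "jQuery"),
    (r"__NEXT_DATA__", "Next.js"),
]


def parse_raw_response(raw):
    """Split a raw HTTP response into a lowercase-keyed header dict (lists, so repeated
    Set-Cookie headers survive) and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


def fingerprint(headers, body):
    """Return {technology: {"versions": set, "evidence": [str]}} for every rule that fires."""
    found = {}

    def add(tech, evidence, version=None):
        entry = found.setdefault(tech, {"versions": set(), "evidence": []})
        if version:
            entry["versions"].add(version)
        entry["evidence"].append(evidence)

    for name, rules in HEADER_RULES.items():
        for value in headers.get(name, []):
            for pattern, tech in rules:
                m = re.search(pattern, value, re.I)
                if m:
                    add(tech, f"{name}: {value}", m.group(1) if m.lastindex else None)
    for pattern, tech in BODY_RULES:
        m = re.search(pattern, body, re.I)
        if not m:
            continue
        if tech is None:  # "<meta name=generator content='Name 1.2.3'>"
            tech, _, version = m.group(1).partition(" ")
            add(tech, f"html: {m.group(0)[:60]}", version or None)
        else:
            add(tech, f"html: {m.group(0)[:60]}", m.group(1) if m.lastindex else None)
    return found


def fingerprint_raw(raw):
    headers, body = parse_raw_response(raw)
    return fingerprint(headers, body)


# Constructed sample response for the example; not captured from a real host.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly\r\n"
    "Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head>\n"
    '<meta name="generator" content="WordPress 6.4.2">\n'
    '<script src="/wp-includes/js/jquery/jquery-3.6.0.min.js"></script>\n'
    "</head><body>example</body></html>\n"
)

if __name__ == "__main__":
    for tech, info in sorted(fingerprint_raw(SAMPLE_RESPONSE).items()):
        versions = ", ".join(sorted(info["versions"])) or "unknown version"
        print(f"{tech:<12} {versions:<10} <- {info['evidence'][0]}")
```

Each technology carries the evidence that produced it, because a single header can be spoofed or stripped; two or three independent signals (cookie name, generator tag, asset path) are what make a fingerprint credible.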

Dorking Cheatsheet:

  • Quotation marks (exact phrase)
  • before:YYYY-MM-DD
  • after:YYYY-MM-DD
  • filetype:pdf
  • site:xyz.com
  • - (minus sign, excludes a term)
  • Complicated query example: ("passwords.txt" OR "leaked-passwords.csv" OR "secrets.txt") AND intitle:"index" -of
  • Note: dorking can supplement pretty much everything on this list. Dorking with an email address, malware string, crypto address, etc. can yield very interesting information from unexpected gold mines.