OSINT Toolkit

Person, phone, DNS, IP, etc. XYZ-INT tools.

With great power comes great responsibility - I've used some of these to execute successful, but most importantly authorized, spear-phishing campaigns against real people.

GEOINT

• Dual Maps (multi-perspective maps utility)
• OSM Search (Overpass Turbo Alternative by Bellingcat) (query OpenStreetMap)

Person Lookup

• Voter Records
• TruePeopleSearch
• That's Them
• OfficialUSA
• Google Dorking and pivoting off artifacts
• State Resident Databases
• SOCMINT! (Facebook, LinkedIn, Instagram, you name it!)
  • Tips and Wisdom:
    • The spouse (or family) always gives you away.
    • Look up combinations and alterations of the name you know with middle names, nicknames, spouse names, locations, etc. < Don't get stuck by not accounting for someone changing their name or omitting part of their name
    • Sometimes, social media provides you nothing, and sometimes it provides everything you may possibly need.

Notes on looking up someone's appearances in court cases, wanted lists, and registries (United States):

• finding the local county court for someone's residence, and then looking up their name, can show you cases that person has been a part of in relation to that court (parking violations, dissolutions of marriage, felony and misdemeanor arrests, etc.).
• States have active wanted persons and "public access system" lists of varying types. (E.g., Florida's)
• At the national level, there are tools/databases like the National Offender Registry and FBI Fugitives list

Phone Lookup

• FoneFinder (Gives location and provider)
• Telephone Prefixes: Wikipedia1, Wikipedia2

Whois // DNS

• Whoxy Domain Search Engine (WHOIS lookups and reverse lookups)
• Whois.com
• NsLookup.io
• ViewDNS.info (Shoutout Michael Bazzel!)
  • Note that a good combination is to do an "IP History" lookup to find the IP address that hosts a website, and then putting the IP address into the "Reverse IP Lookup" to find other sites hosted on the same server. Great pivoting technique!
  • Also note that multiple WHOIS sites may be required to find usable information on a target/entity

IP Address

• ipinfo.io

NFTs

• Nyckel NFT Finder
• Etherscan (Wallet Addresses, Specific NFTs, Transactions, etc.)
• Opensea.io
• OKX Exchange

Reverse Image Searching

• Tineye (looks for exact matches across the internet)
• Google Reverse Image Search (gives approximate matches)

Misc.

• WiFi Networks: Wigle.net (need an account)
• VIN NUMBERS: easily searchable
• AnyRun Threat Intelligence (Statistics, charts, recent events, reports, and MITRE ATT&CK)
• Construction Companies' Current Bids and Projects: https://projects.constructconnect.com/
• Tech Stack Identification: company job postings, social media postings, fingerprinting (check out Wappalyzer), proxies and headers, website source code analysis, so on and so forth.
• Australian Business Number lookup (this came in useful in one of my investigations into a business email compromise)

Dorking Cheatsheet:

• Quotation Marks
• before:YYYY-MM-DD
• after:YYYY-MM-DD
• filetype:pdf
• site:xyz.com
• • (minus sign) Complicated Query Example: ("passwords.txt" OR "leaked-passwords.csv" OR "secrets.txt") AND intitle:"index" -of Note: Dorking can be used to supplement pretty much everything on this list. Dorking with an email address, malware string, crypto address, etc. can yield very interesting information from unexpected gold mines.