OSINT recon guide

This will be a living document and will get content added and/or updated as often as possible.


Open Source Intelligence [OSINT] describes a wide range of vital sources of data for hackers, pentesters, and attackers. Some of the resources used are social media platforms, public forums, and public records.

Reconnaissance [Recon] is one of the first steps in a Penetration Test, and its findings support both cyber security and business functions. When performed by an attacker, Recon reveals weak points through which targeted systems can be approached to gain malicious, unauthorized access.

Before you begin Recon, certain prerequisites should be part of your field kit or hacker toolbox to minimize your own cyber exposure:

HARDWARE

Some hardware examples are: Raspberry Pi, a small single-board computer that fits in the palm of your hand; and a small hand-held RFID Reader/Writer that can easily be used on an elevator to copy someone’s entry badge.

There are many types of portable covert hardware that can be very useful in different situations such as:

  • Ubertooth
  • LAN Turtle
  • KeyGrabber
  • Rubber Ducky
  • WiFi Pineapple
  • Lockpick Set

You can check: Hacker Warehouse, Hacker Gadgets or Hak5 for these and other products.

SOFTWARE

Tools Summary

  • Nmap: For network and port scanning.
  • Wireshark: For network traffic analysis.
  • OpenVAS/Nessus: For vulnerability scanning.
  • Router Web Interface: For managing router settings and connected devices.
  • PRTG Network Monitor/SolarWinds: For comprehensive network monitoring.

SOCK PUPPETS

During recon, you want to remain anonymous: as non-identifiable, unreachable, and untrackable as possible. For these purposes, it is recommended that you create and use a Sock Puppet account.

This Person Does Not Exist

A Sock Puppet is a fake, deceptive identity created for Recon and/or Social Engineering purposes, to ensure any tracking methods cannot be used to trace back to you and/or your personal accounts.

Fake Name Generator can randomly provide an entire fake identity.

Privacy allows you to create security-focused, masked transactions via a virtual credit/debit card account.

X Doesn’t Exist is a collection of sites that have realistic yet fake versions of just about anything to help create a Sock Puppet.

Y.at allows you to create & purchase a unique, universal emoji username/website URL/payment address link.

GITHUB REPOSITORIES

Eagle Eye allows you to use a reverse image search to find social media accounts.

Th3 Inspector is a multi-Information Gathering tool.

Trape tracks & executes social engineering attacks in real time.

WEBSITES

ChatGPT is a state-of-the-art multi-language AI model created by OpenAI that responds to text-based input in a way that emulates human conversation.

Chrome Data Scraper is an automated data extraction tool for any website that uses AI to extract data from web pages and exports it as Excel or CSV files.

Domain Big Data can provide domain name registrant, history, and owner information.

Google Account Finder will provide an email lookup and give you the Google Account ID number.

Know Em will check over 500 social networks and over 150 domains for usernames.

SearX is a metasearch engine that uses over 70 search services.

Spytox searches for personal information on over 275 million people.

That’s Them searches for addresses, coordinates, phones, emails, etc.

WEB BROWSERS [In Alphabetical Order]

BinaryEdge.io | Purpose: Attack Surface

Censys.io | Purpose: Servers

CRT.sh | Purpose: Certificate Search

FullHunt.io | Purpose: Attack Surface

Google.com | Purpose: Google Dorks

Grep.app | Purpose: Source Code

Greynoise.io | Purpose: Threat Intel

Hunter.io | Purpose: Email

IntelX.io | Purpose: OSINT

Onyphe.io | Purpose: Servers

Shodan.io | Purpose: Servers

Socradar.io | Purpose: Threat Intelligence

URLScan.io | Purpose: Websites

Vulners.com | Purpose: Vulnerabilities

Wigle.net | Purpose: WiFi

PRIVACY SEARCH ENGINES

Duck Duck Go
Does not collect or store personal data, with unbiased search results and anonymous web surfing.

Startpage
Does not store personal data, search history, or IP tracking.

Qwant
No tracking of searches or advertising tracking, no selling of personal data.

You can see more at OSINT Framework.

NOTE: As always, remember to follow basic cyber security Tips before any online activity.