% osint, recon, reconnaissance, intelligence # Sherlock - username search sherlock # Sherlock - multiple usernames sherlock # Maigret - username search (better) maigret # theHarvester - all sources theHarvester -d -b all # theHarvester - specific sources theHarvester -d -b google,linkedin,twitter # Subfinder - subdomain enumeration subfinder -d # Subfinder - with output subfinder -d -o subdomains.txt # Amass - subdomain enum amass enum -d # Amass - passive only amass enum -passive -d # Certificate transparency lookup curl -s "https://crt.sh/?q=%.&output=json" | jq -r '.[].name_value' | sort -u # DNS enumeration dig ANY dig MX dig TXT # Zone transfer attempt dig axfr @ # Whois lookup whois # Reverse whois (by email) # Use viewdns.info or whoxy.com # Google dorking - site specific # site: filetype:pdf # Google dorking - login pages # site: inurl:login OR inurl:admin # Google dorking - exposed files # site: filetype:sql OR filetype:env OR filetype:log # Wayback machine URLs waybackurls # GitHub dorking - secrets # org: password OR api_key OR secret # Shodan - host info shodan host # Shodan - search shodan search "hostname:" # Shodan - org search shodan search 'org:""' # Email verification curl "https://api.hunter.io/v2/email-verifier?email=&api_key=" # SpiderFoot scan spiderfoot -s -o output.html # Recon-ng recon-ng # Then: marketplace install all # workspaces create # modules load recon/domains-hosts/hackertarget # Social media - Instagram OSINT # instaloader # Image reverse search # Google Images, TinEye, Yandex # Metadata extraction exiftool # GPS from image exiftool -gpslatitude -gpslongitude # Check if email is breached # haveibeenpwned.com API or dehashed.com $ username: echo "" $ domain: echo "" $ ip: echo "" $ nameserver: echo "" $ company_name: echo "" $ email: echo "" $ api_key: echo "" $ target: echo "" $ image: find . -name "*.jpg" -o -name "*.png" 2>/dev/null | head -5