security-cheatsheets/infosec/osint.md

# OSINT Cheatsheet
Quick reference for Open Source Intelligence gathering, reconnaissance, and information discovery.

---
## Search Engine Operators
### Google Dorking
| Operator | Description | Example |
|----------|-------------|---------|
| `site:` | Search within site | `site:example.com` |
| `filetype:` | Find file types | `filetype:pdf` |
| `intitle:` | Search in title | `intitle:"index of"` |
| `inurl:` | Search in URL | `inurl:admin` |
| `intext:` | Search in body | `intext:password` |
| `cache:` | Cached version | `cache:example.com` |
| `"..."` | Exact match | `"admin login"` |
| `*` | Wildcard | `"admin * password"` |
| `-` | Exclude | `site:example.com -www` |
| `OR` | Either term | `admin OR login` |
| `..` | Number range | `$100..$500` |
### Useful Dorks
```
# Find exposed directories
intitle:"index of" "parent directory"
# Find login pages
inurl:login OR inurl:admin OR inurl:portal
# Find exposed files
site:example.com filetype:pdf OR filetype:doc OR filetype:xls
# Find config files
filetype:env OR filetype:cfg OR filetype:conf
# Find backup files
filetype:bak OR filetype:old OR filetype:backup
# Find exposed databases
filetype:sql "insert into" OR "create table"
# Find credentials
intext:password filetype:log
"username" "password" filetype:csv
# Find vulnerable pages
inurl:php?id=
inurl:index.php?id=
```
### Other Search Engines
- **Bing**: Similar operators, sometimes different results
- **DuckDuckGo**: Privacy-focused, `site:`, `filetype:`
- **Yandex**: Better for Russian/Eastern European content
- **Baidu**: Chinese content
---
## Domain & Website OSINT
### DNS & Whois
```bash
# Whois lookup
whois example.com
# DNS records (ANY is often refused or minimised per RFC 8482; query record types individually)
dig example.com ANY
dig example.com MX
dig example.com TXT
nslookup -type=any example.com
# Zone transfer (only succeeds when the nameserver is misconfigured to allow it)
dig axfr @ns1.example.com example.com
```
### Online Tools
| Tool | URL | Purpose |
|------|-----|---------|
| ViewDNS | viewdns.info | DNS, IP, whois |
| SecurityTrails | securitytrails.com | Historical DNS |
| DNSDumpster | dnsdumpster.com | DNS recon |
| crt.sh | crt.sh | Certificate transparency |
| Shodan | shodan.io | Internet-connected devices |
| Censys | censys.io | Similar to Shodan |
| BuiltWith | builtwith.com | Technology profiler |
| Wappalyzer | wappalyzer.com | Tech detection |
| Wayback Machine | web.archive.org | Historical snapshots |
### Subdomain Enumeration
```bash
# Amass
amass enum -d example.com
# Subfinder
subfinder -d example.com
# Sublist3r
sublist3r -d example.com
# Certificate transparency
curl -s "https://crt.sh/?q=%.example.com&output=json" | jq -r '.[].name_value' | sort -u
# DNS brute force
gobuster dns -d example.com -w wordlist.txt
```
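
The crt.sh one-liner above returns one JSON object per certificate, and a certificate's `name_value` may hold several SANs separated by newlines, wildcard entries, and mixed-case names. The following is an added example, not code from the cheatsheet: it parses a constructed crt.sh-shaped response offline, normalises the names, and reports any CT-logged host that is missing from an asset inventory, which is how a defender spots forgotten or shadow hosts for their own domain. The sample data, issuer names and `inventory` set are all made up.

```python
import json

# Constructed sample in the shape crt.sh returns for ?q=%.example.com&output=json
# (not a real response): multi-SAN name_value, a wildcard, mixed case, and a
# look-alike name that merely contains the domain.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Example CA, CN=Example CA R1", "not_before": "2024-01-01T00:00:00",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Example CA, CN=Example CA R1", "not_before": "2023-06-01T00:00:00",
     "name_value": "*.dev.example.com\nDEV.example.com"},
    {"issuer_name": "C=US, O=Other CA, CN=Other CA G2", "not_before": "2022-03-01T00:00:00",
     "name_value": "vpn.example.com"},
    {"issuer_name": "C=US, O=Example CA, CN=Example CA R1", "not_before": "2024-02-01T00:00:00",
     "name_value": "example.com.evil.test"},
])


def ct_hostnames(raw_json: str, domain: str) -> list[str]:
    """Sorted, unique hostnames under `domain` from a crt.sh JSON response.

    Splits newline-separated SANs, strips a leading "*." from wildcard entries,
    lowercases, and keeps only names equal to the domain or ending in "." + domain
    (so example.com.evil.test is dropped).
    """
    domain = domain.lower().rstrip(".")
    found = set()
    for cert in json.loads(raw_json):
        for name in cert.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)


def unknown_hosts(raw_json: str, domain: str, inventory: set[str]) -> list[str]:
    """CT-logged names that are missing from the defender's asset inventory."""
    return [h for h in ct_hostnames(raw_json, domain) if h not in inventory]


if __name__ == "__main__":
    known = {"example.com", "www.example.com", "vpn.example.com"}  # constructed inventory
    for host in unknown_hosts(SAMPLE_CRTSH_JSON, "example.com", known):
        print("CT-logged but not in inventory:", host)
```

To run it against live data, replace `SAMPLE_CRTSH_JSON` with the body of the `curl` call shown above.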
### Technology Detection
```bash
# Whatweb
whatweb example.com
# Wappalyzer CLI
wappalyzer https://example.com
```
---
## Email OSINT
### Email Verification
| Tool | URL |
|------|-----|
| Hunter.io | hunter.io |
| EmailHippo | emailhippo.com |
| Verify Email | verify-email.org |
| Email-Checker | email-checker.net |
### Email Discovery
```bash
# theHarvester
theHarvester -d example.com -b all
# Hunter.io API
curl "https://api.hunter.io/v2/domain-search?domain=example.com&api_key=YOUR_KEY"
```
### Email Header Analysis
| Tool | URL |
|------|-----|
| MXToolbox | mxtoolbox.com/EmailHeaders.aspx |
| Google Admin Toolbox | toolbox.googleapps.com/apps/messageheader |
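
The header-analysis sites above do, in the browser, what the following script does locally. It is an added example rather than anything from the cheatsheet: using only Python's standard-library `email` module it orders the `Received` hops as the message actually travelled (each MTA prepends its header, so the bottom-most one is the origin), pulls the SPF/DKIM/DMARC verdicts from `Authentication-Results`, and flags a mismatch between the visible `From` domain and the `Return-Path` envelope sender, three of the first checks in phishing triage. All hostnames, addresses and IPs in the sample are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed phishing-style headers (not a real capture): three Received hops,
# the receiving MTA's Authentication-Results, and a From that differs from Return-Path.
SAMPLE_HEADERS = """\
Received: from mx.corp.example (mx.corp.example [203.0.113.10])
\tby mail.corp.example with ESMTPS id abc123; Mon, 1 Jan 2024 10:00:03 +0000
Received: from relay.mailer.test (relay.mailer.test [198.51.100.7])
\tby mx.corp.example with ESMTP; Mon, 1 Jan 2024 10:00:02 +0000
Received: from [192.0.2.55] (unknown [192.0.2.55])
\tby relay.mailer.test with SMTP; Mon, 1 Jan 2024 10:00:01 +0000
Authentication-Results: mx.corp.example;
\tspf=fail smtp.mailfrom=bounce.mailer.test;
\tdkim=none; dmarc=fail header.from=corp.example
From: "IT Helpdesk" <helpdesk@corp.example>
Return-Path: <x9@bounce.mailer.test>
Subject: Password expiry

body
"""
HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw: str) -> list[dict]:
    """Hops in transit order: MTAs prepend, so the last Received header is the origin."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        flat = " ".join(hdr.split())  # unfold continuation lines
        m = HOP_RE.search(flat)
        if m:
            ip = IP_RE.search(m.group(2))  # IP the receiving MTA saw in the comment
            hops.append({"from": m.group(1), "ip": ip.group(1) if ip else None, "by": m.group(3)})
    return hops


def auth_results(raw: str) -> dict:
    """SPF/DKIM/DMARC verdicts from the Authentication-Results header."""
    flat = " ".join((message_from_string(raw).get("Authentication-Results") or "").split())
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", flat))


def envelope_mismatch(raw: str) -> bool:
    """True when the visible From domain differs from the Return-Path (envelope) domain."""
    msg = message_from_string(raw)
    hdr_dom = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1]
    env_dom = parseaddr(msg.get("Return-Path", ""))[1].rsplit("@", 1)[-1]
    return hdr_dom.lower() != env_dom.lower()
```

Only the `Received` line added by your own MTA (the top-most one) is trustworthy; earlier hops are whatever the sending side chose to write.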
---
## Username & People OSINT
### Username Search
| Tool | URL | Purpose |
|------|-----|---------|
| Namechk | namechk.com | Username availability |
| WhatsMyName | whatsmyname.app | Cross-platform search |
| Sherlock | github.com/sherlock-project | CLI username search |
| Maigret | github.com/soxoj/maigret | Sherlock alternative |
```bash
# Sherlock
python3 sherlock username
# Maigret
maigret username
```
### People Search
| Tool | Purpose |
|------|---------|
| Pipl | People search engine |
| Spokeo | US people search |
| BeenVerified | Background checks |
| ThatsThem | Free people search |
| TruePeopleSearch | Free US lookup |
| Webmii | Aggregated web presence |
### Social Media
| Platform | OSINT Approach |
|----------|----------------|
| LinkedIn | Company employees, roles, connections |
| Twitter/X | Public posts, followers, connections |
| Facebook | Public profiles, photos, check-ins |
| Instagram | Photos, locations, stories |
| GitHub | Code, email in commits, contributions |
---
## Image OSINT
### Reverse Image Search
| Tool | URL |
|------|-----|
| Google Images | images.google.com |
| TinEye | tineye.com |
| Yandex Images | yandex.com/images |
| Bing Images | bing.com/images |
### Metadata Extraction
```bash
# ExifTool
exiftool image.jpg
# View GPS coordinates (add -n to print decimal degrees instead of deg/min/sec)
exiftool -gpslatitude -gpslongitude image.jpg
# Remove metadata (the original is kept as image.jpg_original)
exiftool -all= image.jpg
```
### Geolocation
| Tool | URL |
|------|-----|
| GeoGuessr | geoguessr.com |
| Google Earth | earth.google.com |
| Mapillary | mapillary.com |
| SunCalc | suncalc.org |
---
## Password & Breach OSINT
### Breach Databases
| Tool | URL | Notes |
|------|-----|-------|
| Have I Been Pwned | haveibeenpwned.com | Check if email breached |
| DeHashed | dehashed.com | Paid breach search |
| LeakCheck | leakcheck.io | Email/username search |
| IntelX | intelx.io | Multiple data types |
| Snusbase | snusbase.com | Breach database |
### Password Policy Discovery
```bash
# Check password policies in AD
crackmapexec smb target -u user -p pass --pass-pol
```
---
## Business & Company OSINT
### Company Information
| Tool | URL | Purpose |
|------|-----|---------|
| OpenCorporates | opencorporates.com | Global company database |
| Crunchbase | crunchbase.com | Startup/company info |
| LinkedIn | linkedin.com | Employees, structure |
| SEC EDGAR | sec.gov/edgar | US public filings |
| Companies House | companieshouse.gov.uk | UK company data |
### Financial
| Tool | URL |
|------|-----|
| Bloomberg | bloomberg.com |
| Yahoo Finance | finance.yahoo.com |
| Google Finance | google.com/finance |
---
## Network & Infrastructure OSINT
### Shodan
```bash
# CLI
shodan search "hostname:example.com"
shodan host 1.2.3.4
# Common queries
org:"Target Company"
hostname:example.com
port:22
product:Apache
ssl.cert.subject.cn:example.com
```
### Censys
```bash
# Search syntax
services.http.response.html_title:"Example"
ip:1.2.3.4
autonomous_system.name:"Example ISP"
```
### BGP & ASN
| Tool | URL |
|------|-----|
| BGP.he.net | bgp.he.net |
| ASN Lookup | asnlookup.com |
| BGPView | bgpview.io |
---
## Wireless OSINT
| Tool | URL | Purpose |
|------|-----|---------|
| Wigle | wigle.net | WiFi network database |
| WifiMap | wifimap.io | WiFi passwords |
---
## OSINT Tools - CLI
### theHarvester
```bash
# All sources
theHarvester -d example.com -b all
# Specific sources
theHarvester -d example.com -b google,linkedin,twitter
```
### Recon-ng
```bash
# Start
recon-ng
# Install modules
marketplace search
marketplace install all
# Set workspace
workspaces create example
db insert domains
domains add example.com
# Run modules
modules load recon/domains-hosts/hackertarget
run
```
### SpiderFoot
```bash
# Passive scan (-u selects modules by use case; -o is the output format: tab, csv or json)
spiderfoot -s example.com -u passive -o json > output.json
```
### Maltego
- GUI-based relationship mapping
- Entity transformations
- Visualize connections
---
## OSINT Workflow
```
1. Define scope and objectives
2. Passive reconnaissance
   - Search engines
   - Social media
   - Public records
3. Domain/Infrastructure
   - DNS, Whois
   - Subdomains
   - Technology stack
4. People/Organization
   - Employees
   - Email addresses
   - Usernames
5. Breach data
   - Exposed credentials
   - Data leaks
6. Document findings
   - Organize data
   - Create report
```
---
## Sock Puppets
### Creating Fake Identities
- Use AI-generated photos (thispersondoesnotexist.com)
- Create dedicated email (ProtonMail)
- Use VPN/Tor
- Build history over time
- Keep consistent persona
### Operational Security
- Separate browser/profile
- No real personal info
- Different IP addresses
- Avoid linking accounts
---
## Resources
### Websites
- [OSINT Framework](https://osintframework.com/)
- [IntelTechniques](https://inteltechniques.com/)
- [OSINT Dojo](https://www.osintdojo.com/)
- [Bellingcat](https://www.bellingcat.com/)
### Books
- "Open Source Intelligence Techniques" by Michael Bazzell
- "The OSINT Handbook" by Dale Meredith
### Training
- [TCM Security OSINT Fundamentals](https://academy.tcm-sec.com/)
- [SANS SEC487](https://www.sans.org/cyber-security-courses/open-source-intelligence-gathering/)