I realized the other day when doing some OSINT research that I’ve collected quite the set of tools online. My bookmarks are getting a little out of hand, so for my own reference I figured I’d dump them into a blog post. That way, when I’m trying to remember what tool I used for what, it will be easier to find, and it also gives an idea of what I use. This list does NOT include tools like nmap, maltego, whois, nslookup, etc. – it’s a collection of online tools only.
People/Companies
- For people, the first thing I do is a Google search with their name in quotes, like “bob smith”. This will usually give you lots of initial data and starting points. I will often go beyond just the .com and use the regional Google for whatever country they are located in – this will sometimes give you more details.
- Sometimes you can also get additional details through Bing and DuckDuckGo, but digging past the first few pages of Google will oftentimes give you what you really need. If you’ve got someone with a somewhat dark past, the next thing to fire up is Tor and do some searching on the dark web.
- Companies – Crunchbase and LinkedIn are great places to start. If you know where they operate or are incorporated, you can also typically dig up info at the state’s Secretary of State (who handles inc., LLC, etc. filings).
Servers/Sites
- https://rtsak.com/ip-lookup & http://robtex.com – can get you some good info if you have a server IP, domain, etc. They can list other sites hosted on the same servers or using the same nameservers, which can come in handy, plus graphs & DNSBL info.
- https://viewdns.info – has lots of tools. My favorite go-to for reverse whois lookup when you are trying to tie an entity to other domains.
- https://www.dnstree.com – actually uses robtex.com for some of its info; you can enter a domain or IP and get lots of details.
- http://domaininfoapi.org – great tool for getting tons of info related to a domain name.
- https://www.yougetsignal.com/ – meh, it’s OK and sometimes gives me info but usually ends up at a dead end. I will use this after trying other resources first.
- http://dnstrails.com/ – great tool for when you can’t find current info on a domain. It will sometimes provide historical data.
- https://who.is/ – another tool to find historical data, but it often requires you to pay to get the data.
- https://shodan.io – great when you are looking for related info on servers, networks, open ports, etc.
- https://censys.io – Censys lets researchers find specific hosts and create aggregate reports on how devices, websites, and certificates are configured and deployed.
- Search engine caches – great when you need to get at something you can’t find any more, since the cached copy may still be there after the live page is gone.
Other
- http://osintframework.com/ – this has TONS of options and can be used for everything from identity research to servers.
- https://inteltechniques.com/menu.html – this will hit multiple search engines at once if you don’t find what you need.
- https://ahmia.fi – for Tor searches.
- https://community.riskiq.com/ – so I haven’t actually used this yet, but it was mentioned by a co-worker. If I can ever get their registration page to work correctly, I might give it a try.
- https://hashkiller.co.uk – this has come in handy a few times. Occasionally I come across a hash that I can feed to this and get a result.
- https://crackstation.net/ – sometimes works when hashkiller fails.
- Deobfuscate JavaScript – great for reverse-engineering JavaScript malware.
- Source code searching