DISCLAIMER
I am in no way responsible for any abuse, misuse, or questionable actions in which someone uses the tools or methods below. OSINT is an information-gathering technique that can be used by ANYBODY and on ANYBODY! Also, be aware that some of the domains (such as exposed.lol) may have expired; if so, check the curated list or the other links listed.
Now why did I make this readme you may ask?
People, in the States at least, trust the internet with their info way too much, and seeing how the internet has now affected our daily lives, it's practically indistinguishable from reality: what's real is now fake, what's fake is now real. Tit for tat, basically. Do what you must with this readme file; spread it on the net for all I care, and feel free to contribute on a fork or on your own project (even on my own projects listed). Feel free to clone and spread this info, to fork it, or to make a rentry document if you want.
If you find this useful feel free to donate to this monero address:
8BPdcsLtA5iWLNTWvYzUVyTWtQkM62e8r7xqAuwjXTSC4RcoSWqpmtyLsMYvz3QNZtT1rbgPUnmVpMAudhxTn6zkRxUFcZN
A list of OSINT/OPSEC tools I made, forked, and/or use. First, let's talk about the definitions.
- OPSEC
- Open Source Intelligence (OSINT)
- Who uses Open-Source Intelligence (OSINT)?
- Sources of OSINT
- Real world examples of OSINT
- Tools
- People search tools (in the States)
- Grey literature
- Breached Data
- Social Media
- Curated lists
- Archive tools
OPSEC (Operations Security) boils down to:
- Identifying critical information
- Protecting and controlling that critical information
It's a security discipline and operations function that involves a continuous cycle of:
- Identifying critical information and indicators (CII)
- Critical information and indicators (CII) are the core of Operations Security: the sensitive data an adversary could exploit. Critical information is unclassified or controlled unclassified information about activities, intentions, capabilities, or limitations that an adversary can use to gain an advantage. Indicators are observable actions or pieces of information that reveal critical details about operations, such as sudden changes in procedures or increased security measures. Protecting this information means identifying the vulnerabilities through which it leaks and implementing countermeasures to prevent unauthorized disclosure.
- Analyzing potential threats and vulnerabilities
- Assessing risks
- Developing countermeasures to protect CII
OPSEC is used to protect information and activities from adversaries. It helps identify and protect sensitive information that could give an adversary an advantage. OPSEC principles apply to daily life too, such as not sharing personal information like your date of birth (DOB), street address, email, or phone number.
Examples of OPSEC mistakes include:
- Over-sharing personal information online
- Leaving unused social media profiles online
- Accidentally interacting with a target on social media
OPSEC supplements other security disciplines rather than replacing them.
Use services that can conceal your identity:
- Telegram is normie-tier: it is not end-to-end encrypted by default (chats are only encrypted between you and Telegram's servers) and it requires a phone number. The only end-to-end encryption you get is the optional Secret Chat feature, which only works for one-to-one chats; everything else is stored on Telegram's servers in a form Telegram can read.
- Read more about this in Telegram's Approach to Encryption. Since Telegram does not use end-to-end encryption by default, it could in theory hand over the content of messages to law enforcement. Oh wait, it just did.
- SimpleX: unlike other messaging platforms, SimpleX assigns no identifiers to users, not even random numbers. This hides who you are communicating with from the SimpleX servers and from any observer.
- Signal is end-to-end encrypted by default but requires a phone number to register (since 2024 you can set a username and hide the number from other users, but registration still needs one). Signal keeps almost no metadata, so there is little it can hand over even under a court order: in its published responses to subpoenas, the only things it could produce were the date an account was registered and the date it last connected. Delete your account and a subpoena about you or your account gets basically squat.
Tor/VPN/XMR:
- Tor isn't bad, but many sites rate-limit or CAPTCHA Tor exit nodes, and some block them outright.
- Mullvad is a good VPN (Virtual Private Network): accounts are random numbers with no email, and it takes cash and XMR (Monero). Monero you mined yourself on your own node (machine/device/computer) has no exchange or KYC purchase trail leading back to you. Note: a VPN only moves trust from your ISP to the VPN provider; VPNs are useless if you have bad OPSEC (logging into your real accounts over one, for example), and the same goes for Tor.
- Here is a list of bad OPSEC to give you an idea of what not to do with Tor and other services (such as a VPN).
Usernames/credentials/Identification:
- Use different usernames and credentials on different websites.
- Use a word spinner (paraphraser) to rewrite what you post; writing style is identifiable (stylometry) even when the username is not.
- Generate a face or use a non-identifiable profile picture.
- Avoid making enemies online and don't be noticeable (i.e., don't be a turd).
- Regularly OSINT yourself to check your online presence.
To start, you SHOULD OSINT yourself and see whether you can remove yourself from the sites in this list. Here's a curated list of opt-out pages, and here's some good OPSEC reading.
Opsec tools
- List of OPSEC tools will be here
OSINT is the practice of collecting and analyzing information from public sources to address specific intelligence needs. Government agencies and commercial organizations use it for purposes including:
- Reconnaissance
- Cyber-crime investigations
- Market trend analysis
- Brand positioning analysis
- Measuring risk to an organization
- Understanding an actor, their tactics, and their targets
- Gathering real-time information
- Making informed decisions
- Receiving early warnings of potential threats
National security and intelligence agencies, law enforcement, businesses, cybersecurity and cyber-crime groups, privacy-conscious people, and non-governmental organizations:
- The CIA, Defense Intelligence Agency (DIA), and Office of the Director of National Intelligence (ODNI) all use OSINT.
- OSINT can protect citizens (private or otherwise) from identity theft, sexual violence, and abuse.
- OSINT can monitor competitors, investigate new markets, and plan marketing activities.
- OSINT can gather intelligence about specific targets online.
- Organizations use OSINT on themselves to see what an outsider can learn about their systems and people before trying to break in (the reconnaissance phase of an attack).
- OSINT can be used on oneself to secure privacy.
- Bellingcat, the Center for Information Resilience, and Oryx use OSINT.
- And you! Yes, you can use OSINT.
OSINT can gather information from various sources, including:
- Public data: all information made freely available by government bodies or local authorities. This data is in the public domain. It differs from open data, which is a subset of public data: open data is structured and well maintained and therefore easier to understand, access, and consume. Public data, by contrast, can be hard to find or (in the case of public bodies) may require a Freedom of Information Act (FOIA) request to retrieve.
- Professional and academic publications: an academic publication is the publication of an abstract, article, or paper in a journal or electronic repository, or its presentation at a conference or seminar.
- Commercial data: the corporate purchase-agreement definition is any and all data and information relating to an identified or identifiable person (whether the information is accurate or not), alone or in combination with other information, where that person is or was an actual or prospective customer of, or consumer of products or services offered by, the business in question. In plain terms, the customer records a company holds.
- Grey literature: "Information produced on all levels of government, academics, business and industry in electronic and print formats not controlled by commercial publishing, i.e. where publishing is not the primary activity of the producing body."
Grey literature can be useful for your research, but finding it requires different tactics than you'd use for commercially published materials, because many types of grey literature are not indexed in the more common research tools like PubMed, CINAHL, Scopus, etc.
In 2016, a basket-weaving image board used OSINT to arrange a visit from the Russian government for some supposed terrorists, resulting in airstrikes.
- In 2016, during the complex Syrian Civil War, various rebel groups, some with good intentions and others with nefarious motives, sought to overthrow President Assad. The chaos allowed terrorist groups to flourish, prompting intervention from the United States and Russia, the former supporting rebels and the latter aiding Assad. An anonymous user on 4chan's Syria General board (SG) claimed that a Syrian rebel group, Jaysh al-Izza, had posted a video on YouTube revealing their secret encampment. The group, linked to Al-Qaeda, was seen by 4chan users as a target. A notable 4chan user, Ivan Sirenko, who had connections with the Russian military, received the coordinates from the 4chan community and tweeted them to the Russian Ministry of Defense. This led to an airstrike on the encampment. Two months later, the same rebel group posted another video showing a new training camp. 4chan users once again pinpointed the location using landmarks seen in the video. After thorough verification, they sent the coordinates to Ivan, who facilitated another Russian airstrike.
UPDATE: Turns out it was a really complex war that 4chan got involved in; still keeping this up as a key example. The main issue, however, is that they exposed their training locations, with geographic clues, to the internet like complete morons. Thus, bad OPSEC.
In 2017, Shia LaBeouf held a protest in response to Trump's election; this resulted in a basket-weaving image board using OSINT and sky patterns to figure out where a flag was.
- In 2017, 4chan users managed to track down and replace Shia LaBeouf's "He Will Not Divide Us" protest flag. Using only the live-stream footage of the flag, they analyzed flight patterns, star positions, and a tweet to locate the flag in Greeneville, Tennessee. A local troll then honked his car horn until the sound was picked up on the live-stream, pinpointing the exact location. The flag was replaced with a Trump hat, marking the end of this elaborate trolling operation.
OSINT tools can access and analyze information from sources beyond traditional search engines. Be mindful that some info can be out of date or incorrect, such as:
- Phone number
- Street Address
- IP Address (Dunno if anyone REALLY uses that but will list)
Anyhow, here are some tools I use for OPSEC/OSINT:
Google dorks
- Google-FU - uses Google to look up info on someone or something; may get rate limited
Biometric investigation
- Facecheck.ID - a Tampermonkey script that I improved; bypasses the payment requirements and gives you the links to where the images originated from.
Email + username investigations
- Sherlock - similar to Blackbird but more robust and developed; caution with imgur red herrings (sites that answer 200 for every username)
  - GUI for Sherlock - uses the CLI as a backend; commands are basically the same.
- maigret - find connections via a username; a fork of Sherlock
  - A GUI tool - uses the CLI as a backend; commands are basically the same.
- Hudson Rock API extractor - for emails and usernames; not automated but uses Flask; checks whether an email shows up in infostealer compromises
- holehe - checks whether an email is registered on a list of sites; similar to Sherlock but for emails rather than usernames; caution with imgur false positives
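Added example, not code from Sherlock, maigret or holehe: the core of a username checker, with the false-positive case the list above warns about. A site is probed by requesting its profile URL for the name; some sites answer 404 for an unknown user, others answer 200 with a "not found" page. Only a body-message rule catches the second kind, which is where the "imgur red herring" comes from. The site rules, hostnames and HTTP responses below are constructed for the example (no network is used); the two rule kinds, status-code and message, are the same idea as the errorType field in Sherlock's site data.

```python
"""Minimal Sherlock-style username checker with an offline fetcher.

Constructed example: the site rules, hostnames and canned responses are
made up for the demonstration and are not real captures.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple
from urllib.parse import quote

Response = Tuple[int, str]            # (HTTP status, response body)
Fetcher = Callable[[str], Response]


@dataclass(frozen=True)
class SiteRule:
    name: str
    url_template: str   # "{}" is replaced by the URL-quoted username
    error_type: str     # "status_code": non-200 means no such user
                        # "message": always 200; error_msg in body means no such user
    error_msg: str = ""


# Constructed rules. The second mimics a site that returns 200 for every name.
SITES: List[SiteRule] = [
    SiteRule("GitHub-like", "https://github.example/{}", "status_code"),
    SiteRule("Imgur-like", "https://imgur.example/user/{}", "message", "Page not found"),
]

# Constructed responses keyed by URL; any other URL gets a 404.
CANNED: Dict[str, Response] = {
    "https://github.example/alice": (200, "<title>alice</title>"),
    "https://imgur.example/user/alice": (200, "<title>alice's images</title>"),
    "https://imgur.example/user/zzqx9nobody": (200, "<h1>Page not found</h1>"),
}


def offline_fetch(url: str) -> Response:
    """Stand-in for an HTTP GET; replace with requests.get(url) for real use."""
    return CANNED.get(url, (404, "Not Found"))


def classify(rule: SiteRule, status: int, body: str) -> str:
    """Return "claimed", "available" or "unknown" for one site's response."""
    if rule.error_type == "status_code":
        if status == 200:
            return "claimed"
        if status == 404:
            return "available"
        return "unknown"   # 403/429/5xx: blocked or rate limited, not evidence
    if rule.error_type == "message":
        if status != 200:
            return "unknown"
        return "available" if rule.error_msg in body else "claimed"
    raise ValueError(f"bad error_type {rule.error_type!r}")


def naive_classify(status: int) -> str:
    """Status-only rule: the red herring. A 200 looks like a hit everywhere."""
    return "claimed" if status == 200 else "available"


def check_username(username: str, fetch: Fetcher = offline_fetch,
                   sites: List[SiteRule] = SITES, naive: bool = False) -> Dict[str, str]:
    """Probe every site for the username; quote it so odd names can't alter the URL."""
    results: Dict[str, str] = {}
    for rule in sites:
        url = rule.url_template.format(quote(username, safe=""))
        status, body = fetch(url)
        results[rule.name] = naive_classify(status) if naive else classify(rule, status, body)
    return results


if __name__ == "__main__":
    for name in ("alice", "zzqx9nobody"):
        print(name, "careful:", check_username(name), "naive:", check_username(name, naive=True))
```

The "unknown" result matters in practice: a CAPTCHA page or a 429 from a rate-limited exit node is not evidence either way, and a checker that maps it to "available" or "claimed" will mislead you as surely as the imgur case does.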
Geolocation
- Google Maps - good for pinpointing where someone or something is and comparing landmarks against a photo
Generalized toolkit
- OSINT rocks - front-end for Hudson Rock, holehe, GHunt (Gmail) and Skype lookups; also does telephone-number, domain and username lookups.
For additional tools see Curated lists
DISCLAIMER: Most of the email info found on these sites appears to come from data breaches from long ago. Subjects found on these sites can, and probably still do, use the same email address, since people rarely change email providers thanks to 2FA and password managers, unless the mailbox itself has been compromised in some way or they changed address because of harassment, spam, etc.
gives out | can lookup |
---|---|
Age | Name |
Address | Phone |
Numbers | Address |
gives out | can lookup |
---|---|
IP addresses | Address |
Numbers | IP |
VIN | |
gives out | Can lookup |
---|---|
DOB | Name |
Address | Phone |
Phone Number | Address |
gives out | can lookup |
---|---|
names | names |
username | username |
phone | phone |
- Peekyou - search by first and last name, or by username. Gives out info such as:
gives out | can lookup |
---|---|
age | First and last name + state |
social media | username |
emails | |
addresses | |
- webmii - search by first last name
gives out | can lookup |
---|---|
Social | First and last name |
search results |
- publicrecords - use this with fastpeople search or other people search engines
gives out | can lookup |
---|---|
Name | First and last name |
Address | Address, city, state |
Partial phone number |
DISCLAIMER: OnlineSearches powered by Intelius® offers a free people search directory that includes basic information, such as name, address, and partial phone numbers. In performing a search, you may ultimately be directed to Intelius.com where additional information is offered for a fee.
What You Can Look Up | What It Spits Out |
---|---|
Name and Address | Addresses & Locations – approximate locations of people based on public records |
| Names & Residents – lists people who may be associated with a particular address |
| Property Details – ownership history and home value estimates |
| IP Geolocation Data – sometimes used for mapping visitor locations on websites |
| Demographic Data – may include age, possible relatives, and historical records |
- For additional tools see Curated lists
Use this site; do not register, just check a voter registration. You'll probably need more info in some states and less in others.
- Have I Been Pwned - check whether an email has been exposed in a data breach. Its Pwned Passwords service checks a password by a 5-character SHA-1 prefix, so the password itself never leaves your machine.
- Breach Directory - check emails and usernames for a breach; returns partial password hashes
  - The following information is imported into the BreachDirectory database:
  - First 4 characters of each password.
  - SHA-1 hash of each password.
  - Length of each password.
  - Usernames.
  - Emails.
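Added example, not code from Have I Been Pwned or BreachDirectory: how the two kinds of breach lookup above are actually checked. The first half does the k-anonymity password check in the format HIBP's Pwned Passwords API documents (you send the first 5 hex characters of the SHA-1, you get back "SUFFIX:COUNT" lines and match the rest locally); the second half shows what a BreachDirectory-style partial record (first 4 characters, length, SHA-1) lets you confirm or recover with a wordlist. The range response body, its counts, the record and the candidate list are constructed for the example; `fetch_range_offline` stands in for the HTTP call so it runs offline.

```python
"""Breach-data checks without sending the secret over the wire.

Constructed example: the range response, counts, partial record and
candidates below are made up; only the SHA-1 of "password" is real.
"""
import hashlib
from typing import Callable, Iterable, Optional, Tuple, TypedDict


def sha1_hex(password: str) -> str:
    """Lowercase hex SHA-1 of the UTF-8 password (the hash both services use)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hibp_range_parts(password: str) -> Tuple[str, str]:
    """Split the SHA-1 into the 5-char prefix you send and the 35-char suffix you keep."""
    digest = sha1_hex(password).upper()
    return digest[:5], digest[5:]


# Constructed stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
# Real responses contain hundreds of suffixes; the counts here are made up.
CONSTRUCTED_RANGES = {
    "5BAA6": "\r\n".join([
        "0" * 34 + "1:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3",   # suffix for "password"
        "F" * 35 + ":7",
    ]) + "\r\n",
}


def fetch_range_offline(prefix: str) -> str:
    return CONSTRUCTED_RANGES.get(prefix.upper(), "")


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = fetch_range_offline) -> int:
    """How often the password appears in the breach corpus; 0 if the suffix is absent."""
    prefix, suffix = hibp_range_parts(password)
    for line in fetch_range(prefix).splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


class PartialRecord(TypedDict):
    """The fields BreachDirectory exposes per leaked password."""
    password_prefix: str   # first 4 characters in the clear
    length: int
    sha1: str


# Constructed record shaped like a BreachDirectory hit for "password".
CONSTRUCTED_RECORD: PartialRecord = {
    "password_prefix": "pass",
    "length": 8,
    "sha1": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
}


def matches_partial(candidate: str, record: PartialRecord) -> bool:
    """Prefix and length are cheap filters; the hash is the actual proof."""
    if len(candidate) != record["length"]:
        return False
    if not candidate.startswith(record["password_prefix"]):
        return False
    return sha1_hex(candidate) == record["sha1"].lower()


def recover_from_partial(record: PartialRecord,
                         candidates: Iterable[str]) -> Optional[str]:
    """First wordlist entry whose hash matches the partial record, if any."""
    for candidate in candidates:
        if matches_partial(candidate, record):
            return candidate
    return None


if __name__ == "__main__":
    print("password seen", pwned_count("password"), "times")
    print("recovered:", recover_from_partial(CONSTRUCTED_RECORD,
                                             ["passw0rd", "passport", "password"]))
```

The partial-record half is the reason a "first 4 characters + length + SHA-1" leak is not as harmless as it looks: the prefix and length cut the candidate space to almost nothing, and the unsalted SHA-1 confirms a guess instantly, so a reused password found this way should be treated as fully exposed.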
- EXPOSED (may have expired as of writing) - check an email against password hashes; limited to 4 checks per 12 hours, so feel free to use Tor.
- pentester - almost the same as EXPOSED but gives more info for free; doesn't need Tor. REALLY GOOD!
- breachvip - needs a login to perform searches. In its own words: "breach.vip is the largest Minecraft DB search engine. We aim to provide a means to assess what data has been leaked in said breaches, at no cost to the public. Enjoy Searching." Sounds memey.
- leakpeek - only 5 free searches, and it hides most info, but with some sleuthing and the tools listed you should get an idea of WHAT leaked. Use Tor if you can to bypass the search limit. If you really need more details on what was leaked you may need to buy a plan.
- hashes - look up the hashes you find to get a password possibly linked to a database or username. Hashes aren't decrypted: the site matches them against already-cracked values, so a strong, unique password won't turn up there.
For additional tools see Curated lists
If you happen to have a breached database on your person:
- Icebreaker - Python tool, good for databases under 1000 GB; feel free to try it with the demo Python script supplied. Comes with a Windows EXE for both.
Instagram
- picuki - an anonymous Instagram browser that works if you know a username. Good for spotting landmarks inside a photo.
Twitter
- sotwe - an anonymous Twitter browser that actually works.
Pro-tips for social media:
Facebook: For private Facebook accounts, either use a fake Facebook account (difficult, thanks to Zucc's anti-spoofing features) OR use the browser dev tools (inspect element) to emulate a mobile device (or use an actual phone), as long as you have a link to the account or POST. Be sure you are logged out or in a private window.
LinkedIn: Sometimes LinkedIn won't show you the profile; to get around this you'll need to either create an account or wait a minute (cookies probably, could be IP + hardware IDs, beats me).
For additional tools see the Curated lists below
- Awesome OSINT - a curated list of OSINT tools, blogs, and videos
- OSINT Framework - a larger list of tools
- OSINT Resources - a collection of OSINT resources that seems to be more up to date (includes NSFW)
- A whole Reddit wiki from the OSINT community
- A list of social media, maps, domains, etc., also listed in cipher387's OSINT collection.
OPT OUT
- A big list of opt-out pages, also useful for comparing the info each broker holds.
- Link extractor and archive - uses archive.ph; useful on basic web pages. Requires manual intervention (text edits, FIND+REPLACE).
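Added example, not the link extractor listed above: the extraction step written so it needs no manual find-and-replace. It pulls every `<a href>` out of a page, resolves relative links against the page URL, drops fragments, mailto: and javascript: links, de-duplicates, and can restrict to the page's own host. For each link it also builds the Internet Archive save URL (https://web.archive.org/save/<url>) and snapshot listing URL (https://web.archive.org/web/*/<url>); archive.ph is fed through its web form, so its submissions stay manual. The HTML and the page URL below are constructed for the example.

```python
"""Link extractor for archiving a page's outbound links (constructed example)."""
from html.parser import HTMLParser
from typing import List
from urllib.parse import urldefrag, urljoin, urlsplit


class HrefCollector(HTMLParser):
    """Collects raw href values from <a> tags in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value:
                self.hrefs.append(value)


def extract_links(html: str, page_url: str, same_host_only: bool = False) -> List[str]:
    """Absolute, de-duplicated http(s) links on the page, in order of first appearance."""
    collector = HrefCollector()
    collector.feed(html)
    page_host = urlsplit(page_url).netloc
    seen, links = set(), []
    for href in collector.hrefs:
        if href.startswith("#"):
            continue                       # in-page anchor, not a separate resource
        absolute, _fragment = urldefrag(urljoin(page_url, href))
        parts = urlsplit(absolute)
        if parts.scheme not in ("http", "https"):
            continue                       # mailto:, javascript:, tel: and friends
        if same_host_only and parts.netloc != page_host:
            continue
        if absolute not in seen:
            seen.add(absolute)
            links.append(absolute)
    return links


def wayback_save_url(url: str) -> str:
    """Internet Archive 'Save Page Now' URL for the link."""
    return "https://web.archive.org/save/" + url


def wayback_listing_url(url: str) -> str:
    """Internet Archive listing of every snapshot already taken of the link."""
    return "https://web.archive.org/web/*/" + url


# Constructed page: relative, absolute, duplicate, fragment, mailto and external links.
PAGE_URL = "https://example.com/profile/alice"
CONSTRUCTED_HTML = """
<html><body>
<a href="/about">About</a>
<a href="posts/1">First post</a>
<a href="https://example.com/about#team">Team</a>
<a href="https://other.example.org/mirror">Mirror</a>
<a href="mailto:alice@example.com">Mail</a>
<a href="#top">Top</a>
<a href="/about">About again</a>
</body></html>
"""

if __name__ == "__main__":
    for link in extract_links(CONSTRUCTED_HTML, PAGE_URL):
        print(link, wayback_save_url(link), wayback_listing_url(link), sep="\n  ")
```

Archive the listing URL's snapshots before you save a new one: a profile that was scrubbed last week is only recoverable from what was captured before the scrub, and a fresh save of the cleaned page tells you nothing.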
Additional tools:
- For additional tools see the curated lists above