A list of OSINT tools I made, forked, and/or use. First, let's talk about the definitions.
DISCLAIMER
I am in no way responsible for any abuse, misuse, or any questionable actions in which someone uses these tools or methods below. OSINT is an information-gathering technique that can be used by ANYBODY and on ANYBODY!
- OPSEC
- Open Source Intelligence (OSINT)
- Who uses Open-Source Intelligence (OSINT)?
- Sources of OSINT
- Real world examples of OSINT
- How to OSINT
- Tools
- People search tools (in the states)
- Breached Data
- Social Media
- Curated lists
- Spoofing, fake email generation
- Archive tools
OPSEC (Operations Security) is a systematic process for:
- Identifying critical information
- Protecting and controlling that critical information
It's a security discipline and operations function that involves a continuous cycle of:
- Identifying critical information and indicators (CII)
  - Critical information and indicators are essential components of Operations Security (OPSEC) aimed at protecting sensitive data that could be exploited by adversaries. Critical information includes unclassified or controlled unclassified information about activities, intentions, capabilities, or limitations that adversaries can use to gain an advantage. Indicators are observable actions or pieces of information that reveal critical details about operations, such as sudden changes in procedures or increased security measures. Protecting this information involves identifying vulnerabilities and implementing countermeasures to prevent unauthorized disclosure.
- Analyzing potential threats and vulnerabilities
- Assessing risks
- Developing countermeasures to protect CII
OPSEC is used to protect information and activities from adversaries. It helps identify and protect sensitive information that could give an adversary an advantage. OPSEC principles can be applied in daily life, for example by not sharing personal information such as your date of birth, street address, email address or phone number.
Examples of OPSEC mistakes include:
- Over-sharing personal information online
- Leaving unused social media profiles online
- Accidentally interacting with a target on social media
OPSEC supplements other security disciplines rather than replacing them.
Use services that can conceal your identity:
- Telegram is normie-tier: it isn't end-to-end encrypted by default and requires a phone number. The only end-to-end encryption you'll get is the optional secret chat; everything else is stored on their servers.
  Read more about this in Telegram's Approach to Encryption. Since Telegram does not use end-to-end encryption by default, it could theoretically hand over the content of messages to law enforcement. Oh wait, it just did.
- SimpleX: "Unlike any other existing messaging platform, SimpleX has no identifiers assigned to the users - not even random numbers. This protects the privacy of who you are communicating with, hiding it from SimpleX platform servers and from any observers."
- Signal is encrypted by default but requires a phone number; however, Signal can't give anything out even under court order because of its state-of-the-art encryption, which covers even user accounts and phone numbers. Meaning: when you delete an account on Signal and they subpoena information about you or your account, they'll get basically squat.
Tor/VPN/XMR:
- Tor isn't bad, but you will get rate-limited by CAPTCHAs.
- Mullvad is a good VPN (Virtual Private Network) as it accepts XMR (Monero), which can't be traced back to you if you mine the XMR with your own node (machine/device/computer). Note: VPNs are useless if you have bad OPSEC, and the same goes for Tor.
Usernames/credentials/Identification:
- Use different usernames and credentials on different websites.
- Use a word spinner to change sentences for identity concealment.
- Generate a face or use a non-identifiable profile picture.
- Avoid making enemies online and don't be noticeable (i.e., don't be a turd).
- Regularly OSINT yourself to check your online presence.
To start, you SHOULD OSINT yourself and see whether you can remove yourself from the sites in the curated opt-out list (see OPT OUT under Curated lists).
OSINT is the practice of collecting and analyzing information from public sources to address specific intelligence needs. OSINT is used by government agencies and commercial organizations for various purposes, including:
- Reconnaissance
- Cyber crime investigations
- Market trend analysis
- Brand positioning analysis
- Measuring risk to an organization
- Understanding the actor, tactics, and targets
- Gathering real-time information
- Making informed decisions
- Receiving early warnings of potential threats
National Security and Intelligence Agencies, Law Enforcement, Businesses, Cybersecurity and Cyber-crime Groups, Privacy-Conscious People, Non-Governmental Organizations
- The CIA, Defense Intelligence Agency (DIA), and Office of the Director of National Intelligence (ODNI) all use OSINT.
- OSINT can protect citizens (private or otherwise) from identity theft, sexual violence, and abuse.
- OSINT can monitor competitors, investigate new markets, and plan marketing activities.
- OSINT can gather intelligence about specific targets online.
- Organizations can use OSINT to check what an outsider could learn about their computing devices and how they might break into them.
- OSINT can be used on oneself to secure privacy.
- Bellingcat, the Center for Information Resilience, and Oryx use OSINT.
- And you! Yes, you can use OSINT.
OSINT can gather information from various sources, including:
- Public data: all information made freely available by government bodies or local authorities. This data is in the public domain. It is different from open data, which is a subset of public data: open data is structured and well-maintained and is therefore easier to understand, access and consume. By contrast, public data can be difficult to find or, in the case of public bodies, require a Freedom of Information Act request to retrieve.
- Professional and academic publications: an academic publication means the publication of an abstract, article or paper in a journal or electronic repository, or its presentation at a conference or seminar.
- Commercial data, for which contractual definitions read, for example:
  - "Commercial Data means any and all data and information relating to an identified or identifiable Person (whether the information is accurate or not), alone or in combination with other information, which Person is or was an actual or prospective customer of, or consumer of products offered by, the VS Business or L Brands Business, as applicable."
  - "Commercial Data means any and all data and information relating to an identified or identifiable Person (whether the information is accurate or not), alone or in combination with other information, which Person is or was an actual or prospective customer of, or consumer of products or services offered by, the LoyaltyOne Business and/or ADS Business, as applicable."
  - "Commercial Data means any and all data collected or otherwise processed by the Seller Entities relating to a customer of the Business."
- Grey literature: "Information produced on all levels of government, academics, business and industry in electronic and print formats not controlled by commercial publishing i.e. where publishing is not the primary activity of the producing body."
  Grey literature can be useful for your research, but finding resources requires different tactics than you'd use for commercially published materials, because many types of grey literature are not indexed in common research tools like PubMed, CINAHL, Scopus, etc.
In 2016, a basket weaving image board used OSINT to get some supposed terrorists a visit from the Russian government, resulting in airstrikes.
- In 2016, during the complex Syrian Civil War, various rebel groups—some with good intentions and others with nefarious motives—sought to overthrow President Assad. The chaos allowed terrorist groups to flourish, prompting intervention from the United States and Russia, with the former supporting rebels and the latter aiding Assad. An anonymous user on 4chan's Syria General board (SG) claimed that a Syrian rebel group, Jaysh al-Izza, posted a video on YouTube revealing their secret encampment. The group, linked to Al-Qaeda, was seen by 4chan users as a target. A notable 4chan user, Ivan Sirenko, who had connections with the Russian military, received the coordinates from the 4chan community and tweeted them to the Russian Ministry of Defense. This led to an airstrike on the encampment. Two months later, the same rebel group posted another video showing a new training camp. 4chan users once again pinpointed the location using landmarks seen in the video. After thorough verification, they sent the coordinates to Ivan, who facilitated another Russian airstrike.
In 2017, Shia LaBeouf held a protest over Trump's election; this resulted in a basket weaving image board using OSINT and sky patterns to figure out where a flag was.
- In 2017, 4chan users managed to track down and replace Shia LaBeouf's "He Will Not Divide Us" protest flag. Using only the live-stream footage of the flag, they analyzed flight patterns, star positions, and a tweet to locate the flag in Greeneville, Tennessee. A local troll then honked his car horn until the sound was picked up on the live-stream, pinpointing the exact location. The flag was replaced with a Trump hat, marking the end of this elaborate trolling operation.
- Gather information about yourself, become your own threat actor; use the tools below and come up with your own conclusions. Use people search engines and public data about yourself and most importantly don't overshare on the internet or have such a large footprint.
OSINT tools can access and analyze information from sources beyond traditional search engines. Be mindful that some info can be out of date or incorrect, such as:
- Phone number
- Street Address
- IP Address (Dunno if anyone REALLY uses that but will list)
Anyhow, here are some tools I use:
Word spinners
- Article spinner with basic and advanced paraphrase; only the standard mode can be used.
- Another article spinner; no advanced paraphrase and no other languages.
- Article rewriter that keeps SEO in mind for search rankings; after a few tries it WILL ask for a login, use Tor to bypass.
- Wanna use different languages for free?
SEO Tools
Google dorks
Bio-metric investigation
Email + username investigations
- Sherlock: similar to Blackbird but more robust and developed; beware of Imgur red herrings.
- maigret: find connections via a username; a fork of Sherlock.
- holehe: beware of Imgur false positives; similar to Sherlock.
Geolocation
Generalized Toolkit
- OSINT rocks: search Hudson, holehe, Gmail (GHunt) and Skype. Can also do telephone number, domain and username lookups.
For additional tools see Curated lists
DISCLAIMER: Most of the email info found on these sites appears to come from data breaches from long ago; subjects on these sites can and possibly will still use the email found there, as people rarely change email providers (due to 2FA + password managers) unless the email itself has been compromised in any way, shape, or form, OR they've changed emails due to harassment, spam, etc.
| gives out | can lookup |
|---|---|
| Age | Name |
| Address | Phone |
| Numbers | Address |

| gives out | can lookup |
|---|---|
| IP addresses | Address |
| Numbers | IP |
| VIN | |

| gives out | can lookup |
|---|---|
| DOB | Name |
| Address | Phone |
| Phone number | Address |

| gives out | can lookup |
|---|---|
| Names | Names |
| Username | Username |
| Phone | Phone |

Gives out info such as:

| gives out | can lookup |
|---|---|
| Age | First and last name + state |
| Social media | Username |
| Emails | |
| Addresses | |

| gives out | can lookup |
|---|---|
| Social search results | First and last name |

| gives out | can lookup |
|---|---|
| Name | First and last name |
| Address | Address, city, state |
| Partial phone number | |
DISCLAIMER: OnlineSearches powered by Intelius® offers a free people search directory that includes basic information, such as name, address, and partial phone numbers. In performing a search, you may ultimately be directed to Intelius.com where additional information is offered for a fee.
- For additional tools see Curated lists
- Have I Been Pwned: check if an email has been compromised in a data breach.
- Breach Directory: check emails and usernames for a breach; will return partial password hashes. The following information is imported into the BreachDirectory database:
  - First 4 characters of each password.
  - SHA-1 hash of each password.
  - Length of each password.
  - Usernames.
  - Emails.
- EXPOSED: check an email against password hashes; limited to only 4 checks per 12 hours; feel free to use Tor.
- leakpeek: only 5 searches on the free tier; it hides most info, but with some sleuthing and the tools listed you should get an idea of WHAT was leaked. Also use Tor if you can to bypass the search limit. Other than that, if you really need more details on what was leaked you may need to buy a plan.
- hashes: look up the hashes you find (a hash can't be decrypted, only matched against known values) to get a password possibly linked to a database or username.
For additional tools see Curated lists
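Since Have I Been Pwned and Breach Directory both index SHA-1 password hashes, here is an added example (my own code, not code from this list or from either service) of checking one of your own passwords against a breach corpus without ever sending the password: it uses the k-anonymity range lookup that Have I Been Pwned's Pwned Passwords API implements, where the client sends only the first five hex characters of the SHA-1 hash and matches the returned suffixes locally. The range response in the block is constructed sample data with made-up counts; `fetch_range` is the only function that touches the network, and the sample flow never calls it.

```python
"""Self-check a password against a breach corpus with a k-anonymity range lookup.

Added example; this is not code from Have I Been Pwned or Breach Directory.
The protocol is the one HIBP's Pwned Passwords API uses: the client sends only
the first 5 hex characters of the SHA-1 hash, receives every 35-character
suffix sharing that prefix as "SUFFIX:COUNT" lines, and matches locally, so
the password and its full hash never leave the machine.
"""
import hashlib
import urllib.request
from typing import Callable

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint


def sha1_upper(password: str) -> str:
    """SHA-1 of the UTF-8 password as 40 upper-case hex characters (HIBP format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> tuple[str, str]:
    """Split into the 5-char prefix that is sent and the 35-char suffix kept local."""
    return full_hash[:5], full_hash[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}; blank or malformed lines are skipped."""
    table: dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        try:
            table[suffix.upper()] = int(count)
        except ValueError:
            continue
    return table


def breach_count(password: str, lookup: Callable[[str], str]) -> int:
    """Number of times the password appeared in the corpus (0 = not found).

    `lookup` maps a 5-char prefix to the server's range body, so the same
    matching logic works offline (sample data) and online (fetch_range).
    """
    prefix, suffix = split_hash(sha1_upper(password))
    return parse_range_response(lookup(prefix)).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live lookup of one prefix. Only this function touches the network."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "password-self-check-example"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6 (the prefix of SHA-1("password")).
# The neighbouring suffixes and all counts are made up for this example.
SAMPLE_RANGES = {
    "5BAA6": (
        "0000000A1B2C3D4E5F6071829304B5C6D7E:2\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "FFFFFFF0123456789ABCDEF0123456789AB:17\n"
    ),
}


def sample_lookup(prefix: str) -> str:
    """Offline stand-in for fetch_range: unknown prefixes get an empty range."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        hits = breach_count(pw, sample_lookup)
        prefix, _ = split_hash(sha1_upper(pw))
        verdict = f"seen {hits} times, change it" if hits else "not in the sample corpus"
        print(f"{pw!r}: sent prefix {prefix} -> {verdict}")
```

To run it against the real corpus, call `breach_count(pw, fetch_range)` instead of `sample_lookup`; the only thing that leaves your machine is the five-character prefix, which is shared by hundreds of hashes, so the server cannot tell which one you hold.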
Instagram
- picuki: an anonymous Instagram browser that works if you know a username; a great tool for figuring out landmarks inside a photo.
Twitter
For additional tools see Curated lists
Curated lists
- Awesome OSINT, a curated list of OSINT tools, blogs, and videos
- A whole reddit wiki from the OSINT community
- A list of social media, maps, domains, etc. also listed in this GitHub repo.
OPT OUT
- A whole big ass list to opt out and to compare info.
- Email address + username + name generation
DISCLAIMER: Cock.li may be having issues:
After:
My fellow rtrds: cock.li has not "shut down". You may need to read more than the first line. Anyone suggesting you migrate your account to Gmail, Yahoo, Proton, etc. should not have been using cock.li in the first place. Normal$!gs get off my f*!#ing board. Feel free to migrate, I don't have any good suggestions though. Try that on Proton! PW changes and maybe registration will be back within a couple days.
Before:
LIBERTY CANARY
Date updated: See the PGP Signed Version
Cock.li is in 100% control of all of its hardware, and the service is still operating normally. The website (account registration+pw change) is currently offline.
Cock.li will shut down before becoming complicit in crimes against its own user base under duress of any government or organization.
Cock.li is not under duress of any government or organization.
I'd probably recommend using something other than cock.li: use any domain from cock.li but a different email service provider. However, if you decide to use cock.li, you can check out how to enable it in the given link.
You can also check the status of cock.li on the site itself: https://cock.li/
- Link extractor and archiver; uses archive.ph. Useful on basic web pages; requires manual intervention.
Additional tools:
- For additional tools see Curated lists