There are numerous open-source intelligence (OSINT) tools available for cybersecurity professionals and researchers to gather information and conduct reconnaissance activities. These tools help in collecting data from various sources and analyzing it to identify security risks, gather information about targets, or gain insights into different entities. In this article, we will discuss some of these OSINT tools and their features.
One such tool is Maltego, whose Community Edition (Maltego CE) is free but limited in features. Users can instead opt for the desktop version, Maltego XL, which costs $1,999 per instance. For large-scale commercial use, server installations start at $40,000 and come with a complete training program. Maltego allows users to visualize data and the relationships between different entities, making it an ideal tool for OSINT investigations.
Mitaka is another popular tool available as a Chrome extension and Firefox add-on. It enables users to search over six dozen search engines for IP addresses, domains, URLs, hashes, ASNs, Bitcoin wallet addresses, and various indicators of compromise (IOCs) directly from their web browser. The extension acts as a shortcut to various online databases, saving users time and effort. Additionally, there is an alternative extension called Sputnik for those who prefer a more limited set of search options.
Spiderfoot is a free OSINT reconnaissance tool that integrates with multiple data sources to gather and analyze various types of information. It can gather and analyze IP addresses, CIDR ranges, domains and subdomains, ASNs, email addresses, phone numbers, names and usernames, BTC addresses, and more. With over 200 modules, Spiderfoot is ideal for red teaming reconnaissance activities, allowing users to discover more information about their targets or identify any unintended exposures on the internet. It is available on GitHub and comes with both a command-line interface and a web-based GUI.
Spyse is described as the “most complete internet assets registry” and is relied upon by projects like OWASP and IntelligenceX. It collects publicly available data on websites, their owners, associated servers, and IoT devices. The collected data is analyzed by the Spyse engine to identify security risks and connections between different entities. While a free plan is available, developers planning on building apps using the Spyse API may require a paid subscription.
BuiltWith is a tool that allows users to find out the technology stack used by popular websites. It can detect whether a website is using platforms like WordPress, Joomla, or Drupal as its content management system (CMS) and provide further details about the tech stack. BuiltWith can also generate a list of known JavaScript/CSS libraries and plugins installed on the websites, as well as provide information about frameworks, server information, analytics, and tracking. It can be used for reconnaissance purposes and combined with website security scanners like WPScan to identify security vulnerabilities impacting a website.
Intelligence X is a unique archival service and search engine that preserves historic versions of web pages and entire leaked data sets. It aims to preserve data sets, regardless of their objectionable or controversial nature. For example, Intelligence X has previously preserved a list of vulnerable Fortinet VPNs and plaintext passwords related to these VPNs. It has also indexed data collected from the email servers of prominent political figures and preserved footage from significant events like the 2021 Capitol Hill riots. This tool can be invaluable for intelligence gathering, political analysis, news reporting, and security research.
DarkSearch.io is a useful platform for researchers exploring the dark web. It allows users to search the dark web without needing to visit .onion sites directly or use Tor. DarkSearch.io is free to use and also offers a free API for running automated searches. It can be a valuable starting point for researchers who want to explore the dark web and gather information from it.
Grep.app is a tool that allows users to search across half a million git repositories on the internet. It efficiently searches for specific strings, making it useful for identifying IOCs, vulnerable code, or malware in open-source software repositories. Twitter users and journalists have used Grep.app to estimate the number of repositories using specific code uploaders. It can be a powerful tool for researchers and analysts looking to identify and analyze code repositories for security vulnerabilities or malicious code.
Recon-ng is a powerful tool written in Python that automates OSINT activities. It has a similar interface to the popular Metasploit Framework, making it user-friendly for those familiar with Metasploit. Recon-ng provides an interactive help function, which is lacking in many Python modules, reducing the learning curve for developers. It has a modular framework with built-in functionality for tasks like output standardization, database interaction, web requests, and API key management. Recon-ng allows developers to create automated modules and perform searches on publicly available data, saving time and effort. It is free and open-source, with comprehensive information and best practices available in the wiki.
TheHarvester is a simple but effective tool for capturing public information outside an organization’s network. It can find emails, names, subdomains, IPs, and URLs using various sources, including popular search engines like Bing and Google, as well as lesser-known ones like dogpile, DNSdumpster, and the Exalead metadata engine. TheHarvester can also utilize Netcraft Data Mining and the AlienVault Open Threat Exchange. The tool is best used as a reconnaissance step prior to penetration testing or similar exercises.
Shodan is a dedicated search engine used to find intelligence about devices in the internet of things (IoT). It can also be used to discover open ports and vulnerabilities on targeted systems. Shodan is capable of examining operational technology (OT) used in industrial control systems, making it valuable for gathering OSINT in industries that deploy both information technology and OT.
These OSINT tools offer different features and capabilities, catering to the needs of cybersecurity professionals, researchers, and analysts. By leveraging these tools, users can gather valuable information, identify security risks, and gain insights into different entities and their connections. Whether it’s visualizing data, searching the dark web, analyzing code repositories, or gathering intelligence on IoT devices, these tools can significantly enhance OSINT activities.