OSINT Tips

OSINT Tips⚑

Recon⚑

• http://bgp.he.net
• https://whois.arin.net/ui/
• https://apps.db.ripe.net/db-web-ui
• https://reverse.report
• https://www.shodan.io

https://crunchbase.com <-- acquisitions

domlink.py <-- compare whois results

built with browser extension <-- shows links of analytics trackers

vhost/subdomain discovery⚑

• Amass - dns recon
• subfinder - dns recon
• massdns <-- brute forcing - better than ffuf?

All.txt wordlist https://gist.github.com/jhaddix content/dir wordlist content_discovery_all.txt

Enumeration⚑

Masscan

brutespray.py

Eyewitness.py - visual identification

tomnomnom - waybackurls script

Xmind organization <-- visualize output

Burp_vulners_scan <-- plugin to identify cve for findings

ZAP ajax spider and other crawlers for heavy js pages

Linkfinder app - find links in js files

To find js files burp pro engagement tools > find scripts

Links⚑

• Bellingcat’s OSINT Toolkit
• SSL Certificate Search
• DNSdumpster
• Google Hacking Database
• Hunter
• Social Searcher
• SpiderFoot
• Wayback Machine
• What's that site running
• Who Posted What