All-purpose Advanced Tools

Advanced tools for a specific purpose are listed in their own sections; this page lists advanced tools and APIs that serve several purposes at once.

Maltego

- Reconnaissance on a Person

Start a Machine > Person-Email Address

It then gathers a number of email addresses associated with that name. Not all of them will belong to our target, but all are linked to the name, so the next step is to select which of these addresses we want to work with.

- Recon a Target Network

Here, we are focusing on the network footprinting, so our choices are:

Company Stalker (this gathers email information)

Footprint L1 (basic information gathering)

Footprint L2 (moderate amount of information gathering)

Footprint L3 (intense and the most complete information gathering)

Recon-ng

Recon-ng is a full-featured web reconnaissance framework written in Python.

- Installation and updates

To install it:

cd ~/Downloads/Programs

git clone https://github.com/lanmaster53/recon-ng.git

cd recon-ng

python3 -m venv recon-ngEnvironment

source recon-ngEnvironment/bin/activate

pip install -r REQUIREMENTS

deactivate

Do not prefix the pip command with sudo: sudo drops the activated environment and installs the packages into the system Python instead of the virtual environment you just created.

To update your version of Recon-ng:

cd ~/Downloads/Programs/recon-ng

git pull https://github.com/lanmaster53/recon-ng.git

- Basics

source recon-ngEnvironment/bin/activate followed by ./recon-ng, both from its directory, launches the application.

help reveals commands and explanations.

marketplace search will reveal the modules currently available.

marketplace info —> receive details about a specific item, example: marketplace info virustotal

input —> show the loaded module's inputs

To remove sources and add fresh ones:

options unset SOURCE

options set SOURCE cnn.com

- Workspaces

Create a workspace before conducting any search; each workspace is a separate database, so the results of different investigations stay apart.

workspaces list —> lists active workspaces

workspaces create OSINT —> Creates “OSINT” workspace

workspaces load OSINT2 —> switch to workspace “OSINT2”

To delete our previous work and start fresh (Note that deleting a workspace removes all associated data and reports. Make sure you have exported your evidence):

workspaces list

workspaces remove OSINT

workspaces create location

- Profiler module

This module checks whether a given username exists on a long list of platforms.

marketplace install profiler

modules load profiler

options set SOURCE inteltechniques

run

show profiles —> To view results

Example: add a Shodan API key and locate the same username across platforms:

recon-ng

marketplace search

keys add shodan_api 123456

keys list

marketplace install profiler

modules load profiler

info

options set SOURCE {username}

run

- Host Discovery Modules

marketplace install bing_domain_web

marketplace install google_site_web

modules load {one of the above}

options set SOURCE {target, ex: cnn.com}

run

show hosts

- Domain suffix Discovery Module

There are many top-level domains (TLDs) besides .com and .org. This module checks whether the target name is also registered under other TLDs such as .net, .tv, and many more.

marketplace install brute_suffix

modules load brute_suffix

options set SOURCE {target website}

run

show domains

- Contact Discovery Modules

marketplace install pg_search

modules load pg_search

This will scan all of the stored domains that we have located and search for any email addresses associated with public PGP keys within those domains.

run

show contacts

- Target's AV by Querying DNS

The cache_snoop module sends non-recursive queries for antivirus update hostnames to the target's nameserver. A cached answer means a host behind that resolver looked the name up recently, which hints at the AV product in use. First find the target's nameservers from a shell, then run the module:

dig {target.com} ns

recon-ng

marketplace install cache_snoop

modules load cache_snoop

options set NAMESERVER {gathered nameserver, ex: 216.92.3.91}

run

The check only works if that nameserver answers non-recursive queries from outside; many resolvers refuse them, in which case the module reports nothing.
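What the cache_snoop module actually does, as an added example rather than the page's or recon-ng's own code: send non-recursive A queries for AV update hostnames to the target's resolver and treat a non-empty answer as a cache hit. dig's +norecurse, +time and +tries options are real; the two hostnames and the embedded dig output are constructed for illustration and are not the module's own list.

```shell
#!/usr/bin/env bash
# Added example: DNS cache snooping by hand, the technique behind
# recon-ng's cache_snoop module. A non-recursive query (+norecurse) is
# answered only from the resolver's cache, so an ANSWER means a client
# behind that resolver looked the name up recently.

# cache_hit DIG_OUTPUT -> exit 0 if dig's status line reports ANSWER > 0
cache_hit() {
    local n
    n=$(printf '%s\n' "$1" | sed -n 's/.*ANSWER: \([0-9][0-9]*\),.*/\1/p' | head -n 1)
    [ -n "$n" ] && [ "$n" -gt 0 ]
}

# snoop NAMESERVER NAME... -> prints the names currently in that resolver's cache
# (needs network access; +tries=1/+time=2 keep refusing or silent servers from stalling)
snoop() {
    local ns="$1" name
    shift
    for name in "$@"; do
        if cache_hit "$(dig @"$ns" +norecurse +time=2 +tries=1 "$name" A 2>/dev/null)"; then
            echo "$name"
        fi
    done
}

# Hostnames to test: assumed AV update hosts for illustration, not the module's list.
AV_HOSTS="liveupdate.symantecliveupdate.com update.nai.com"

# Constructed dig output (no network needed) showing a cached hit and a miss
SAMPLE_HIT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
liveupdate.symantecliveupdate.com. 113 IN A 203.0.113.10'
SAMPLE_MISS=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Usage: snoop 216.92.3.91 $AV_HOSTS
```

A resolver that ignores the no-recursion flag answers every name and makes every query look like a hit, so first snoop a name nobody behind that resolver would have looked up; if that one comes back with an answer, the technique does not apply to that server.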

- Report Creation

back

marketplace install html

modules load html

options set CUSTOMER IntelTechniques

options set CREATOR M.Bazzell

run
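The whole recon-ng chain above (host discovery, suffix brute force, PGP contact search, HTML report) can also be run unattended. The script below is an added example, not part of the page or of recon-ng: it writes a resource file for recon-ng's real -r (resource file) and -w (workspace) flags, using the module names from this page. The domain check and the output path are the example's own choices.

```shell
#!/usr/bin/env bash
# Added example (not the page's or recon-ng's own code): generate a recon-ng
# resource file that replays the host -> suffix -> contact -> report chain.
# recon-ng's -w (workspace) and -r (resource file) flags are real; the module
# names are the ones used on this page.

# write_recon_rc DOMAIN CUSTOMER OUTFILE
# Refuses anything that is not a plain hostname, since the value is written
# verbatim into a command file that recon-ng executes line by line.
write_recon_rc() {
    local domain="$1" customer="$2" out="$3"
    case "$domain" in
        ""|*[!A-Za-z0-9.-]*)
            echo "refusing to write resource file: bad domain '$domain'" >&2
            return 1 ;;
    esac
    {
        echo "marketplace install bing_domain_web"
        echo "marketplace install brute_suffix"
        echo "marketplace install pg_search"
        echo "marketplace install html"
        echo "modules load bing_domain_web"
        echo "options set SOURCE $domain"
        echo "run"
        echo "back"
        echo "modules load brute_suffix"
        echo "options set SOURCE $domain"
        echo "run"
        echo "back"
        echo "modules load pg_search"      # default SOURCE: every domain already stored
        echo "run"
        echo "back"
        echo "modules load html"
        echo "options set CUSTOMER $customer"
        echo "options set CREATOR ${USER:-analyst}"
        echo "run"
        echo "exit"
    } > "$out"
}

# Usage: write_recon_rc cnn.com IntelTechniques /tmp/recon.rc
#        recon-ng -w cnn_com -r /tmp/recon.rc
```

Add any API keys the modules need with keys add before replaying the file; the resource file itself then contains nothing secret and can be kept with the case notes.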

Spiderfoot

- Installation

cd ~/Downloads/Programs

git clone https://github.com/smicallef/spiderfoot.git

cd spiderfoot

python3 -m venv spiderfootEnvironment

source spiderfootEnvironment/bin/activate

pip install -r requirements.txt

deactivate

- Usage

To launch the service (with the virtual environment activated):

source spiderfootEnvironment/bin/activate

python3 ./sf.py -l 127.0.0.1:5001

Keep it bound to 127.0.0.1: the web interface has no authentication unless you configure one, so never listen on 0.0.0.0.

Open http://127.0.0.1:5001 in Firefox and click the "New Scan" option. Provide a name for your session and a domain.

Choose your desired "Use case" and click "Run scan". The use cases differ in how intrusive they are: "Passive" only consults third-party sources and never contacts the target, while "Footprint", "Investigate" and "All" query the target's own infrastructure, so pick the one your investigation allows. The scan may take a while to complete, possibly hours.

The "Browse" button in the upper left lets you start peering into the data found about your target.

The "Graph" button displays a detailed chart of connections from the scanned domain to external sources. These are only a handful of interesting nuggets: the application scouts a domain, IP address, or email address for hundreds of data points which may provide value. Clicking the "Scans" button provides options to stop, re-run, or delete a scan result. It also provides a status summary of each current scan, and you can execute numerous scans simultaneously.

- Custom Spiderfoot.sh

#!/usr/bin/env bash
# Launch SpiderFoot from its virtual environment, bound to localhost only,
# then open the web UI once the server has had time to start.
cd ~/Downloads/Programs/spiderfoot || exit 1
source spiderfootEnvironment/bin/activate
python3 ./sf.py -l 127.0.0.1:5001 &
sleep 5
firefox http://127.0.0.1:5001

Desktop Shortcut:

[Desktop Entry]
Type=Application
Name=Spiderfoot
Categories=Network;OSINT
Exec=/home/osint/Documents/scripts/spiderfoot.sh
Icon=/home/osint/Documents/icons/spiderfoot.png
Terminal=true

People Data Labs

http://peopledatalabs.com

Too good to be true.

This "people data" collection company offers 1,000 free queries of their premium data sets to anyone, and they accept masked email addresses such as 33mail, Anonaddy, and Simple Login.

Create a free trial account and "Get API Key".

The results are presented as text in JSON format.

Replace XXXX with your own key in the examples below. The following URL submits a query for "sean@peopledatalabs.com" in any browser:

https://api.peopledatalabs.com/v5/person/enrich?pretty=true&api_key=XXXX&email=sean@peopledatalabs.com

The following queries a U.S. number. A literal "+" in a query string is decoded as a space, so encode it as %2B (or drop it and send the digits only):

https://api.peopledatalabs.com/v5/person/enrich?pretty=true&api_key=XXXX&phone=%2B12225551212

We can also query by social network profile, such as a Twitter, Facebook, or LinkedIn username:

Twitter: https://api.peopledatalabs.com/v5/person/enrich?pretty=true&api_key=XXXX&profile=www.twitter.com/inteltechniques

Facebook: https://api.peopledatalabs.com/v5/person/enrich?pretty=true&api_key=XXXX&profile=www.facebook.com/inteltechniques

LinkedIn: https://api.peopledatalabs.com/v5/person/enrich?pretty=true&api_key=XXXX&profile=www.linkedin.com/inteltechniques

Full Contact

http://fullcontact.com

The first step is to obtain a trial API key. You will need to send a request and specifically ask to test their "Enrich" product, and it might help to explain that you are hoping to match email addresses and telephone numbers within your "leads" to personal identifiers.

Replace "XXXXX" with your own trial API key.

- FullContact Email:

curl -X POST https://api.fullcontact.com/v3/person.enrich \
-H 'Authorization: Bearer XXXX' \
-H "Content-Type: application/json" \
-d '{
  "emails": [
    "example@gmail.com"
  ]
}' | python3 -mjson.tool

- FullContact Phone:

curl -X POST https://api.fullcontact.com/v3/person.enrich \
-H 'Authorization: Bearer XXXX' \
-H "Content-Type: application/json" \
-d '{
  "phones": [
    "+12025551212"
  ]
}' | python3 -mjson.tool

- FullContact Twitter:

curl -X POST https://api.fullcontact.com/v3/person.enrich \
-H 'Authorization: Bearer XXXX' \
-H "Content-Type: application/json" \
-d '{
  "profiles": [
    {
      "service": "twitter",
      "username": "inteltechniques"
    }
  ]
}' | python3 -mjson.tool

Breach Directory

breachdirectory.org

This service allows query of email address, username, password, domain, or hash value against popular known data breaches.

First, you will need to obtain a free API key from Breach Directory's Rapid API repository at https://rapidapi.com/rohan-patta/api/breachdirectory.

Once you have that, replace "XXXXX" in the following examples with your own key, and set the shell variable data to the value you are looking up before running them, for example data='user@example.com' (quote it so characters such as @ or ; are not interpreted by the shell).

- Breach Directory Email

wget --quiet \
	--method GET \
	--header 'X-RapidAPI-Key: XXXX' \
	--header 'X-RapidAPI-Host: breachdirectory.p.rapidapi.com' \
	--output-document \
- 'https://breachdirectory.p.rapidapi.com/?func=auto&term='$data'' > $data-BD.txt

- Breach Directory Username

wget --quiet \
	--method GET \
	--header 'X-RapidAPI-Key: XXXX' \
	--header 'X-RapidAPI-Host: breachdirectory.p.rapidapi.com' \
	--output-document \
- 'https://breachdirectory.p.rapidapi.com/?func=auto&term='$data'' > $data-BD.txt

- Breach Directory Password

wget --quiet \
	--method GET \
	--header 'X-RapidAPI-Key: XXXX' \
	--header 'X-RapidAPI-Host: breachdirectory.p.rapidapi.com' \
	--output-document \
- 'https://breachdirectory.p.rapidapi.com/?func=password&term='$data'' > $data-BD.txt

- Breach Directory Domain

wget --quiet \
	--method GET \
	--header 'X-RapidAPI-Key: XXXX' \
	--header 'X-RapidAPI-Host: breachdirectory.p.rapidapi.com' \
	--output-document \
- 'https://breachdirectory.p.rapidapi.com/?func=domain&term='$data'' > $data-BD.txt

- Breach Directory Hash

wget --quiet \
	--method GET \
	--header 'X-RapidAPI-Key: XXXX' \
	--header 'X-RapidAPI-Host: breachdirectory.p.rapidapi.com' \
	--output-document \
	- 'https://breachdirectory.p.rapidapi.com/?func=dehash&term='$data'' > $data-BD.txt
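The People Data Labs and Breach Directory calls above splice the looked-up value straight into the URL and paste the API key into the script or the browser's address bar. The functions below are an added example, not the page's or either vendor's own code: they percent-encode the term (so a leading + in a phone number is not decoded as a space), pick the Breach Directory func value from the shape of the input, read the keys from environment variables, and sanitise the output file name. The endpoints and the RapidAPI headers are the ones on the page; sending the PDL key in an X-Api-Key header instead of the api_key parameter is this example's choice, relying on the header authentication PDL documents alongside the query parameter.

```shell
#!/usr/bin/env bash
# Added example (not the page's or the vendors' code): build the Breach
# Directory and People Data Labs requests with encoded input and keys taken
# from the environment instead of the script text:
#   export RAPIDAPI_KEY=...   export PDL_API_KEY=...

# urlencode STRING -> percent-encode every byte outside the unreserved set.
# A raw "+" in a query string is decoded as a space, so +1... must become %2B1...
urlencode() {
    local LC_ALL=C s="$1" out="" c i
    for ((i = 0; i < ${#s}; i++)); do
        c="${s:i:1}"
        case "$c" in
            [A-Za-z0-9._~-]) out+="$c" ;;
            *) out+=$(printf '%%%02X' "'$c") ;;
        esac
    done
    printf '%s' "$out"
}

# bd_func TERM -> Breach Directory "func" value inferred from the term's shape
# (MD5/SHA-1/SHA-256 hex -> dehash, bare domain -> domain, otherwise auto,
# which covers emails and usernames; pass "password" explicitly for passwords)
bd_func() {
    local t="$1"
    local hex='^([0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$'
    local dom='^[A-Za-z0-9.-]+\.[A-Za-z]{2,}$'
    if   [[ "$t" =~ $hex ]]; then echo dehash
    elif [[ "$t" =~ $dom ]]; then echo domain
    else echo auto
    fi
}

# bd_url TERM [FUNC] -> full Breach Directory request URL
bd_url() {
    local term="$1" func="${2:-$(bd_func "$1")}"
    printf 'https://breachdirectory.p.rapidapi.com/?func=%s&term=%s' "$func" "$(urlencode "$term")"
}

# pdl_url FIELD VALUE -> PDL enrich URL for email, phone or profile; no key in it
pdl_url() {
    printf 'https://api.peopledatalabs.com/v5/person/enrich?pretty=true&%s=%s' "$1" "$(urlencode "$2")"
}

# safe_name TERM -> output file name with only safe characters (no "/", "@", ";")
safe_name() { printf '%s' "$1" | tr -c 'A-Za-z0-9._-' '_'; }

# query_bd TERM [FUNC] -> save the Breach Directory result under ~/Documents/API
query_bd() {
    : "${RAPIDAPI_KEY:?export RAPIDAPI_KEY first}"
    mkdir -p ~/Documents/API
    curl -sS -H "X-RapidAPI-Key: $RAPIDAPI_KEY" \
         -H "X-RapidAPI-Host: breachdirectory.p.rapidapi.com" \
         -o ~/Documents/API/"$(safe_name "$1")-BD.json" "$(bd_url "$@")"
}

# query_pdl FIELD VALUE -> save the PDL result; the key travels in a header,
# which keeps it out of browser history and proxy logs
query_pdl() {
    : "${PDL_API_KEY:?export PDL_API_KEY first}"
    mkdir -p ~/Documents/API
    curl -sS -H "X-Api-Key: $PDL_API_KEY" \
         -o ~/Documents/API/"$(safe_name "$2")-PDL.json" "$(pdl_url "$1" "$2")"
}

# Usage: query_bd user@example.com          (func=auto, saved as user_example.com-BD.json)
#        query_bd hunter2 password
#        query_pdl phone +12225551212
```

Source the file into an interactive shell and call the functions directly; because the keys never appear in the script, it can be kept under version control without leaking them.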

IntelTechniques API Search Tool

Combines the API tools on this page with other APIs that serve specific purposes and are covered in their corresponding sections.

It is a browser-based tool; the custom api.sh script below is the better option.

Code at API.html.

Custom api.sh script

Queries multiple APIs: the all-purpose ones covered on this page and others that serve specific purposes and are described in their respective sections.

Replace any instance of XXXX with your own API keys. Since the keys then sit in plaintext in the script, keep it readable only by your own user (chmod 700) and out of any shared repository.

#!/usr/bin/env bash
opt1="PDL Email"
opt2="PDL Phone"
opt3="PDL Twitter"
opt4="PDL Facebook"
opt5="PDL LinkedIn"
opt6="Twilio Phone"
opt7="Twilio Validation"
opt8="Twilio OpenCNAM"
opt9="Twilio DataAxle"
opt10="Twilio Ekata"
opt11="Twilio Ekata Validate"
opt12="Telnyx Phone"
opt13="CID Name"
opt14="FullContact Email"
opt15="FullContact Phone"
opt16="FullContact Twitter"
opt17="Breach Directory Email"
opt18="Breach Directory Username"
opt19="Breach Directory Password"
opt20="Breach Directory Domain"
opt21="Breach Directory Hash"
opt22="WhoisXMLAPI"
opt23="WhoxyHistorical"

domainmenu=$(zenity  --list  --title "API Tool" --radiolist  --column "" --column "" TRUE "$opt1" FALSE "$opt2" FALSE "$opt3" FALSE "$opt4" FALSE "$opt5" FALSE "$opt6" FALSE "$opt7" FALSE "$opt8" FALSE "$opt9" FALSE "$opt10" FALSE "$opt11" FALSE "$opt12" FALSE "$opt13" FALSE "$opt14" FALSE "$opt15" FALSE "$opt16" FALSE "$opt17" FALSE "$opt18" FALSE "$opt19" FALSE "$opt20" FALSE "$opt21" FALSE "$opt22" FALSE "$opt23" --height=650 --width=300)
case $domainmenu in
$opt1 )
data=$(zenity --entry --title "PDL Email" --text "Email Address")
mkdir ~/Documents/API/
cd ~/Documents/API/
curl 'https://api.peopledatalabs.com/v5/person/enrich?pretty=true&api_key=XXXX&email='$data'' > $data-PDL.txt
open ~/Documents/API/
exit;;
$opt2 )
data=$(zenity --entry --title "PDL Phone" --text "Phone Number")
mkdir ~/Documents/API/
cd ~/Documents/API/
curl 'https://api.peopledatalabs.com/v5/person/enrich?pretty=true&api_key=XXXX&phone='$data'' > $data-PDL.txt
open ~/Documents/API/
exit;;
$opt3 )
data=$(zenity --entry --title "PDL Twitter" --text "Twitter Username")
mkdir ~/Documents/API/
cd ~/Documents/API/
curl 'https://api.peopledatalabs.com/v5/person/enrich?pretty=true&api_key=XXXX&profile=www.twitter.com/'$data'' > $data-PDL-TW.txt
open ~/Documents/API/
exit;;
$opt4 )
data=$(zenity --entry --title "PDL Facebook" --text "Facebook Username")
mkdir ~/Documents/API/
cd ~/Documents/API/
curl 'https://api.peopledatalabs.com/v5/person/enrich?pretty=true&api_key=XXXX&profile=www.facebook.com/'$data'' > $data-PDL-FB.txt
open ~/Documents/API/
exit;;
$opt5 )
data=$(zenity --entry --title "PDL LinkedIn" --text "LinkedIn Username")
mkdir ~/Documents/API/
cd ~/Documents/API/
curl 'https://api.peopledatalabs.com/v5/person/enrich?pretty=true&api_key=XXXX&profile=www.linkedin.com/'$data'' > $data-PDL-LI.txt
open ~/Documents/API/
exit;;
$opt6 )
data=$(zenity --entry --title "Twilio Phone" --text "Phone Number")
mkdir ~/Documents/API/
cd ~/Documents/API/
curl -X GET 'https://lookups.twilio.com/v1/PhoneNumbers/+1'$data'?Type=caller-name&Type=carrier' \
-u XXXX:XXXX | python3 -mjson.tool  > $data-TW.txt
open ~/Documents/API/
exit;;
$opt7 )
data=$(zenity --entry --title "Twilio Validation" --text "Phone Number")
mkdir ~/Documents/API/
cd ~/Documents/API/
curl -X GET 'https://lookups.twilio.com/v1/PhoneNumbers/+1'$data'?AddOns=real_phone_validation_rpv_turbo' \
-u XXXX:XXXX | python3 -mjson.tool > $data-TW-V.txt
open ~/Documents/API/
exit;;
$opt8 )
data=$(zenity --entry --title "Twilio OpenCNAM" --text "Phone Number")
mkdir ~/Documents/API/
cd ~/Documents/API/
curl -X GET 'https://lookups.twilio.com/v1/PhoneNumbers/+1'$data'?AddOns=telo_opencnam' \
-u XXXX:XXXX | python3 -mjson.tool > $data-TW-O.txt
open ~/Documents/API/
exit;;
$opt9 )
data=$(zenity --entry --title "Twilio DataAxle" --text "Phone Number")
mkdir ~/Documents/API/
cd ~/Documents/API/
curl -X GET 'https://lookups.twilio.com/v1/PhoneNumbers/+1'$data'?AddOns=dataaxle_bizinfo' \
-u XXXX:XXXX | python3 -mjson.tool > $data-TW-D.txt
open ~/Documents/API/
exit;;
$opt10 )
data=$(zenity --entry --title "Twilio Ekata" --text "Phone Number")
mkdir ~/Documents/API/
cd ~/Documents/API/
curl -X GET 'https://lookups.twilio.com/v1/PhoneNumbers/+1'$data'?AddOns=ekata_reverse_phone' \
-u XXXX:XXXX | python3 -mjson.tool > $data-TW-E.txt
open ~/Documents/API/
exit;;
$opt11 )
data=$(zenity --entry --title "Twilio Ekata Validate" --text "Phone Number")
mkdir ~/Documents/API/
cd ~/Documents/API/
curl -X GET 'https://lookups.twilio.com/v1/PhoneNumbers/+1'$data'?AddOns=ekata_phone_valid' \
-u XXXX:XXXX | python3 -mjson.tool > $data-TW-EV.txt
open ~/Documents/API/
exit;;
$opt12 )
data=$(zenity --entry --title "Telnyx Phone" --text "Phone Number")
mkdir ~/Documents/API/
cd ~/Documents/API/
curl -X GET \
  --header "Content-Type: application/json" \
  --header "Accept: application/json" \
  --header "Authorization: Bearer XXXX" \
  "https://api.telnyx.com/v2/number_lookup/+1$data?type=carrier&type=caller-name" | python3 -mjson.tool > $data-Telnyx.txt
open ~/Documents/API/
exit;;
$opt13 )
data=$(zenity --entry --title "CID Name" --text "Phone Number")
mkdir ~/Documents/API/
cd ~/Documents/API/
curl 'https://dip.cidname.com/'$data'/XXXX&output=raw&reply=none' > $data-CID.txt
open ~/Documents/API/
exit;;
$opt14 )
data=$(zenity --entry --title "FullContact Email" --text "Email Address")
mkdir ~/Documents/API/
cd ~/Documents/API/
curl -X POST https://api.fullcontact.com/v3/person.enrich \
-H 'Authorization: Bearer XXXX' \
-H "Content-Type: application/json" \
-d '{
  "emails": [
    "'$data'"
  ]
}' | python3 -mjson.tool > $data-FC.txt
open ~/Documents/API/
exit;;
$opt15 )
data=$(zenity --entry --title "FullContact Phone" --text "Phone Number")
mkdir ~/Documents/API/
cd ~/Documents/API/
curl -X POST https://api.fullcontact.com/v3/person.enrich \
-H 'Authorization: Bearer XXXX' \
-H "Content-Type: application/json" \
-d '{
  "phones": [
    "+1'$data'"
  ]
}' | python3 -mjson.tool > $data-FC.txt
open ~/Documents/API/
exit;;
$opt16 )
data=$(zenity --entry --title "FullContact Twitter" --text "Twitter Username")
mkdir ~/Documents/API/
cd ~/Documents/API/
curl -X POST https://api.fullcontact.com/v3/person.enrich \
-H 'Authorization: Bearer XXXX' \
-H "Content-Type: application/json" \
-d '{
  "profiles": [
    {
      "service": "twitter",
      "username": "'$data'"
    }
  ]
}' | python3 -mjson.tool > $data-FC.txt
open ~/Documents/API/
exit;;
$opt17 )
data=$(zenity --entry --title "Breach Directory Email" --text "Email Address")
mkdir ~/Documents/API/
cd ~/Documents/API/
wget --quiet \
	--method GET \
	--header 'X-RapidAPI-Key: XXXX' \
	--header 'X-RapidAPI-Host: breachdirectory.p.rapidapi.com' \
	--output-document \
	- 'https://breachdirectory.p.rapidapi.com/?func=auto&term='$data'' > $data-BD.txt
open ~/Documents/API/
exit;;
$opt18 )
data=$(zenity --entry --title "Breach Directory Username" --text "Username")
mkdir ~/Documents/API/
cd ~/Documents/API/
wget --quiet \
	--method GET \
	--header 'X-RapidAPI-Key: XXXX' \
	--header 'X-RapidAPI-Host: breachdirectory.p.rapidapi.com' \
	--output-document \
	- 'https://breachdirectory.p.rapidapi.com/?func=auto&term='$data'' > $data-BD.txt
open ~/Documents/API/
exit;;
$opt19 )
data=$(zenity --entry --title "Breach Directory Password" --text "Password")
mkdir ~/Documents/API/
cd ~/Documents/API/
wget --quiet \
	--method GET \
	--header 'X-RapidAPI-Key: XXXX' \
	--header 'X-RapidAPI-Host: breachdirectory.p.rapidapi.com' \
	--output-document \
	- 'https://breachdirectory.p.rapidapi.com/?func=password&term='$data'' > $data-BD.txt
open ~/Documents/API/
exit;;
$opt20 )
data=$(zenity --entry --title "Breach Directory Domain" --text "Domain")
mkdir ~/Documents/API/
cd ~/Documents/API/
wget --quiet \
	--method GET \
	--header 'X-RapidAPI-Key: XXXX' \
	--header 'X-RapidAPI-Host: breachdirectory.p.rapidapi.com' \
	--output-document \
	- 'https://breachdirectory.p.rapidapi.com/?func=domain&term='$data'' > $data-BD.txt
open ~/Documents/API/
exit;;
$opt21 )
data=$(zenity --entry --title "Breach Directory Hash" --text "Hash")
mkdir ~/Documents/API/
cd ~/Documents/API/
wget --quiet \
	--method GET \
	--header 'X-RapidAPI-Key: XXXX' \
	--header 'X-RapidAPI-Host: breachdirectory.p.rapidapi.com' \
	--output-document \
	- 'https://breachdirectory.p.rapidapi.com/?func=dehash&term='$data'' > $data-BD.txt
open ~/Documents/API/
exit;;
$opt22 )
data=$(zenity --entry --title "WhoisXMLAPI" --text "Domain")
mkdir ~/Documents/API/
cd ~/Documents/API/
curl 'https://whois-history.whoisxmlapi.com/api/v1?apiKey=XXXX&domainName='$data'&mode=purchase' | python3 -mjson.tool > $data-WhoisXML.txt
open ~/Documents/API/
exit;;
$opt23 )
data=$(zenity --entry --title "WhoxyHistorical" --text "Domain")
mkdir ~/Documents/API/
cd ~/Documents/API/
curl 'https://api.whoxy.com/?key=XXXX&history='$data'' | python3 -mjson.tool > $data-Whoxy.txt
open ~/Documents/API/
exit;;
esac

Desktop shortcut:

[Desktop Entry]
Type=Application
Name=API Tool  
Categories=Application;OSINT
Exec=/home/osint/Documents/scripts/api.sh
Icon=/home/osint/Documents/icons/api.png
Terminal=true
