Looking to level up your open source intelligence (OSINT) efforts for your next security engagement?
There’s no shortage of OSINT tools, techniques, and other resources – in fact, there’s so much stuff, it’s a little overwhelming to try and sort through it all. Writing a “best of” or otherwise “cumulative” list would be a futile endeavor, so instead, we compiled 9 OSINT tools and other miscellaneous resources we find useful.
Disagree with our choices? Want to suggest another tool for us to check out? Hit Bishop Fox up on Discord, Reddit, or Twitter to tell us. We’ll be posting a comprehensive list of all kinds of security tools in November, and we’ll consider any recommendations we receive!
Tool #1: Trace Labs OSINT VM Version 2
Why We Like It: Trace Labs is a nonprofit that has quite the name in the OSINT world – the mission of the organization is to help find missing people and reunite them with their families (more on that here). They have other available OSINT resources, but we wanted to focus on the OSINT Virtual Machine (v2). This VM is the go-to for all OSINT engagements. The VM comes with an incredibly expansive list of tools that allow you to quickly and easily get up and running in a dedicated environment.
Tool #2: OSINT Framework
Creator: Justin Nordine (@jnordine)
Why We Like It: No OSINT tool list would be complete without the OSINT Framework. The OSINT Framework contains resources for finding information about targets via social networking, instant messaging, metadata, and more. From these categories, you can narrow your search further and even further. No matter what kind of information you’re seeking, the OSINT Framework more than likely has a resource for you.
Tool #3: email2phonenumber
Why We Like It: The name of the tool says it all; you just need a target’s email address, and with that information alone, it’s possible to retrieve their phone number. The tool works several different ways. It scrapes websites for phone number digits (initiating password resets via the email address), generates phone numbers based on the country’s Phone Numbering Plan, and brute-forces by iterating over a list of numbers and initiating password resets to obtain associated email addresses.
Like the other OSINT tools on this list, it depends on publicly available data. For more information on how email2phonenumber works, watch this BSides Las Vegas 2019 presentation
Tool #4: SpiderFoot
Creator: SpiderFoot (@SpiderFoot)
Why We Like It: Automation can be an invaluable asset in security (as this blog post from Zach Zeitlin illustrates). SpiderFoot applies automation to OSINT. It can make your OSINT efforts much faster and much more powerful; it even works while you sleep! Introduced to the world in 2005, SpiderFoot has kept foot (pun intended) with the times, as today’s attack surface is significantly vaster than the attack surface of nearly 20 years ago. There are two ways to use SpiderFoot; you can get the open source version or the HX version
Tool #5: Phonebook.cz
Why We Like It: With Phonebook.cz, you enter a website domain or subdomain – and voila! It returns a list of related email addresses. This is certainly a useful OSINT tool to have in your back pocket, especially if you’re on an engagement that requires social engineering prowess. Intelligence X, the security company behind Phonebook, is also responsible for several other OSINT tools that are worth your time.
Tool #6: sublist3r
Creator: Ahmed Aboul-Ela
Why We Like It: Have you ever needed to find the subdomains of a target domain? If so, this is the tool for the job. sublist3r is a Python-based tool that quickly enumerates subdomains. This tool is designed for security engineers and developers to identify assets that are otherwise unknown. sublist3r leverages search engines such as Google, Yahoo, and Bing to find subdomains that have been mapped on other websites. This tool also has the option to brute-force subdomains via a wordlist, which comes in handy for finding otherwise hidden subdomains!
Tool #7: theHarvester
Creator: Christian Martorella
Why We Like It: There are few OSINT tools – or pen testing tools in general – as well regarded in the security community as theHarvester. And with good reason; when provided a domain or company name, this tool proceeds to gather email addresses, names, subdomains, IPs, and URLs. All the information it grabs can be found on an organization’s external footprint.
Tool #8: GitGot
Creator: Jake Miller (@TheBumbleSec)
Why We Like It: Former Bishop Fox Researcher Jake Miller created several popular tools in his tenure here (such as GadgetProbe and RMIScout), and GitGot was his contribution to the world of OSINT. GitGot is a semi-automated, feedback-driven tool designed to scour public GitHub data for sensitive secrets. This tool can significantly reduce time spent searching for promising leads while testing, bringing you the information you need to get the most impact.
Tool #9: Karma_v2
Creator: Dheerajmadhukar (@Dheerajmadhukar)
Why We Like It: Karma touts that it offers pen testers and other security researchers the ability to comb through “deep information, more assets, WAF/CDN bypassed IPs, internal/external infra[structure], publicly exposed leaks” for info about a particular target. Leaks it searches in include WordPress, CloudFront, Jenkins, and Kubernetes. One caveat about Karma_v2 is that it requires premium Shodan access to use (which is helpful to have anyway, if you can spend the money).
Other OSINT Resources to Explore
Aside from these aforementioned tools, there are many other resources available to help enhance your OSINT skills. If you’re just starting out, give the CIA guide “Sailing the Sea of OSINT in the Information Age” a read. Also, be sure to read “Defining Second Generation Open Source Intelligence (OSINT) for the Defense Enterprise” by the Rand Corporation.
Finally, it’s worth iterating that OSINT is a discipline. There are plenty of techniques for finding people, assets, and information on the internet. The OSINT community is expansive, and used among security researchers, IT personnel, and even law enforcement. In fact, as alluded to earlier, OSINT is often used to help find missing people – making it an extremely beneficial discipline to add to your repertoire.
Happy (information) hunting!
Like This List? Check Out Our Other Pen Testing Tools Lists:
- 9 Post-Exploitation Tools for Your Next Penetration Test
- 9 Red Team Tools For a Successful Red Teaming Engagement
- The Pen Testing Tools We’re Thankful for in 2019
- The Pen Testing Tools We’re Thankful for in 2020
Even More Resources
Subscribe to Bishop Fox's Security Blog
Be first to learn about latest tools, advisories, and findings.
Thank You! You have been subscribed.