Passive OSINT Search Engines

Sharing my passive OSINT toolbox. Prepared to be whelmed.

10 months ago

Latest Post Sources by joshua

When approaching a target, sometimes you want to gather all the information you can before you go loud and bang on their proverbial digital door. These tools below are some that I use in my rotation when breaking ground on a new test. I will update this list as resources move in and out of my use.

Shodan is probably the most popular OSINT tool out there. Shodan is a service that actively scans any and all IP space, aaaaaand all the ports that may or may not come along with it. This allows you to search for individual services running, keywords, banners, basically, if the service is telling the world what it is doing, Shodan will let you find it in a very clean interface. There is a free membership, though your search results are limited, register and see more results, though it is limited. Once a year around the US "shopping holiday" Black Friday, the membership fee drops to $5 USD.

Censys is a tool that's very similar to Shodan. You can define IPs or domains and get the same-ish results. Censys does provide a premium service, tho this seems to be geared towards enterprises. Censys does have an interesting feature that is more fleshed out than I've experienced within Shodan; Certificate searching. This is an easy way to declare a domain,  then look for Let's Encrypt certs, as this will probably turn up several phishing domains.

Fofa is another Shodan/Censys tool. Some have called Fofa a front end of Shodan, however, I've seen some results appear in one and not the other. As it appears that Fofa is China based, I'm gonna go on a limb and say that one may just have more routes available to it than the other. Nonetheless, it's still worth dropping a query in to see what is available.

BinaryEdge is our last scan-all-the-things tool. BE makes this really easy for when you may or may not want to type in long queries. You can simply enter a domain, and check a box for IoT devices, web servers, or databases. You can also have it only display any media it can pull down, whether that is an RDP or VLC screenshot, or a snap from a webcam.

Grayhat Warfare is a search engine for open Amazon buckets. While this tool is very hit and miss, it still gives plenty of insight into working directory structures, technologies used, and sometimes internal naming schemes. Every so often you come across gold, (i.e., internal documents) and that makes running a query through this very worth it.

Greynoise is a tool that lets you search for known scanning devices on the internet. Think of it like the anti-Shodan. If you have a feeling an IP you are seeing is performing any kind of scanning, Greynoise will tell you if its a repeat offender, and what it is exactly scanning for.

Hunter.io is a great resource for finding and "validating" email addresses. I have validate in quotes as this is about 50%~ accurate or so. However, searching for email addresses by domain is very handy and is very passive as they've done the work for you already. It has a paid plan, but with a basic account you can perform up to 50 searches a month.

WiGLE is the de-facto source for locating WiFi SSIDs. Enter an SSID and WiGLE will show you any place that SSID has been detected (when reported). As this is service that relies on user uploaded-data, it can be incomplete. However, this is still a good start when hunting something.

urlscan.io is a great resource for getting a load of info on a website all in one place. Input a domain and urlscan comes back with a screenshot of the page, the technologies in place, IP information, AS, DNS, requests made and where. There is a lot to digest. I value the HTTP transactions tab as it shows the file paths found during the scan. Very useful, especially on large sites.

DNSdumpster is one of many DNS tools that exist online and in this guide. What I like most from DNSdumpster is the domain map image that it creates when you run a query. This is good for both red and blue teams as the information it draws out is equally beneficial.

FindSubDomains like the above is a DNS enumeration tool. I've seen it discover and report more subdomains than any other similar tool out there. It also displays a number of graphs that makes determining where and how a domain is laid out very easy.

SecurityTrails is again, another DNS tool. This is another place I frequent when I need to ensure that I've gotten all the information I possibly can. They also offer API access as well and claim to give more information, but, I cannot say whether it's worth the trouble, or what more information there may be. I probably need to look into integrating this into a proper tool pending there are no gotchas.

Robtex is the final DNS tool I have to list (woo). Robtex is kind of the kitchen sink for passive DNS tools. The shared section offers a lot of information on what else may be hiding in the same space as your target. There are some paid options, though I feel the reverse DNS information would be the only information worth paying for.

Certificate Search is exactly what it sounds like. However, this tool also shows you a history for many many past issued and expired certs for the domain you query.

HaveIBeenPwned is rarely unknown to infosec professionals. This tool allows you to input an email and will display in detail, which data breaches the email has been a part of. This is just a great service to subscribe to in general, especially with how often breaches are nowadays.

GhostProject is a simple tool. Plug in an email, gives you a password. This is a project from the near 50gb dump of creds found online in late 2017. Must donate a few dollars to get access to the full password, but sometimes, the sample given is enough to get an idea for your own fuzzing.

WayBackMachine needs no introduction. This is as old as they get and just as useful. Every now and then you'll look something up in here and find pages that were indexed holding very valuable and relevant information.

Google. Dorking. That's it.

joshua

Published 10 months ago