This page is a quick rundown of OSINT (Open Source Intelligence) tools and what each can be used for. There are many use cases for OSINT: investigations, reconnaissance (as part of penetration testing), payload creation, troubleshooting DNS problems, email infrastructure issues, or even website problems. OSINT saves time.
So are you looking to become a more efficient cybersecurity professional?
The secret sauce lies in mastering OSINT! 🌍 Don’t neglect this essential skill, or you risk wasting time during investigations. ⏳ ⏰
Here are my favorite OSINT tools and why:
1- CyberChef
I know we commonly use CyberChef for decoding Base64-encoded commands… but I actually use it more often to defang a batch of IP addresses.
You are monitoring an environment and discover botnet activity coming from several IP addresses? Pop them all into CyberChef and let it defang every address for you before you add them to your report! Defanging (1.2.3.4 becomes 1[.]2[.]3[.]4, http becomes hxxp) keeps the indicators from being auto-linked or clicked by accident when the report is read.
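The same defang step can be scripted for cases where a whole log extract needs to go into a report. The example below is added here and is not CyberChef's code; it extracts URLs and IPv4 addresses from a constructed firewall/proxy log, drops the internal addresses, and returns the external indicators defanged, with a refang helper for pasting them back into a lookup tool. The log lines and the TEST-NET addresses in them are made up for illustration.

```python
import ipaddress
import re

# Constructed sample log lines (not real telemetry). 203.0.113.x and
# 198.51.100.x are documentation ranges standing in for external attacker IPs.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z fw DENY src=203.0.113.45 dst=10.0.0.7 dport=445
2024-05-01T10:00:03Z fw DENY src=198.51.100.23 dst=10.0.0.7 dport=445
2024-05-01T10:00:09Z proxy GET http://203.0.113.45/update.exe by 10.0.0.7
2024-05-01T10:00:11Z fw DENY src=203.0.113.45 dst=10.0.0.9 dport=445
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE)

# Ranges we do not want in a list of attacker infrastructure (assumed policy:
# RFC 1918, loopback and link-local are "ours").
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def defang(ioc: str) -> str:
    """Defang an IP or URL: every '.' becomes '[.]' and a leading http becomes hxxp."""
    out = ioc.replace(".", "[.]")
    return re.sub(r"^http", "hxxp", out, flags=re.IGNORECASE)


def refang(ioc: str) -> str:
    """Undo defang() so the value can be pasted into a lookup tool."""
    out = ioc.replace("[.]", ".")
    return re.sub(r"^hxxp", "http", out, flags=re.IGNORECASE)


def defang_text(text: str) -> str:
    """Defang every URL and IPv4 address in a block of text (report-ready).

    URLs are handled first; once their dots are bracketed the IPv4 regex no
    longer matches inside them, so nothing is defanged twice.
    """
    text = URL_RE.sub(lambda m: defang(m.group(0)), text)
    return IPV4_RE.sub(lambda m: defang(m.group(0)), text)


def extract_external_iocs(text: str) -> dict:
    """Return unique, defanged URLs and non-internal IPv4s, in order of first appearance."""
    urls = list(dict.fromkeys(URL_RE.findall(text)))
    ips = []
    for ip in IPV4_RE.findall(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
        if any(addr in net for net in INTERNAL_NETS) or ip in ips:
            continue
        ips.append(ip)
    return {"urls": [defang(u) for u in urls], "ips": [defang(i) for i in ips]}


if __name__ == "__main__":
    for kind, values in extract_external_iocs(SAMPLE_LOG).items():
        print(kind, values)
    print(defang_text(SAMPLE_LOG))
```

The internal-range filter is a policy choice: if the report is about lateral movement you would keep the 10.0.0.0/8 addresses instead.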
2- URL2PNG [or WannaBrowser]
It is sad that not enough people use this OSINT tool… There is a malicious link in the logs or in a suspicious-looking e-mail? You don't have a sandbox set up to open the link in and observe it? Even if you do, do you wish there were a much quicker and easier way to just take a peek at what is behind the link?
Well, URL2PNG will do that for you. Just throw in any URL and you get a screenshot of that URL's landing page! It is most helpful when investigating suspicious URLs in emails, where a credential harvester or a payload hosted on a cloud drive is waiting for you. Two caveats: the page is fetched from the screenshot service's own infrastructure, so it may render differently than it would for the targeted victim (phishing kits often key on geolocation, user agent or a one-time token in the link), and the visit itself can tip off the attacker that the link is being examined.
3- AbuseIPDB
Not a day goes by without me spamming this tool with IP lookups. It is probably the quickest way to check and report IP addresses involved in previous malicious activity. Of course, these reports cannot always be relied on with certainty: there may be a malicious IP address that nobody has reported yet, and a shared address (a VPN exit, a cloud provider, a large NAT) can carry reports that have nothing to do with your traffic.
4- AnyRun Malware Reports
Did you discover a file hash or a very suspicious-looking URL? Just navigate to the malware analysis reports section and search the tons of malware analysis and URL analysis reports!
These reports show every connection a process makes (which makes it easy to spot a bot talking to its command and control server), the process tree, and a sandbox environment where the suspected payload can be executed and analyzed! It is dynamic malware analysis made easy! Keep in mind that public sandbox submissions are visible to everyone, so do not upload samples or documents containing sensitive data.
5- VirusTotal
Of course, finally a veteran in this field… My early interactions with VirusTotal were during the years of downloading software from random websites [WinRAR or games], where distributors (sometimes hackers) would share a VirusTotal report alongside the download link to convince you that their software was safe to download. Although I do miss how fun the early 2000s were, I am just glad to see how many improvements have been made in internet browsing technology, software distribution, and especially cybersecurity!
I would say this is the equivalent of AbuseIPDB for file hashes and simple URL analysis. It is perfect for getting a quick look at an IoC to support or disprove your suspicion! Search by hash first: a hash lookup reveals nothing about your file, whereas uploading the file shares it with the participating vendors, so never upload anything confidential. And as with AbuseIPDB, zero detections only means nobody has flagged it yet.
6- Internet Archive (aka Wayback Machine)
Do you ever wish for the good old days? You wish you could go back in time to the way things were on your favorite website? Well, please enter the Wayback Machine.
There is so much you can do with this tool, but here is a good use case: your favorite website isn't acting right, or you have received a URL in an email that looks like a legitimate website but something is off… You can see how a website has changed over time using this tool. It is fantastic for spotting recently compromised websites that are now being used for malicious purposes, and for recovering a page the attacker has since taken down.
7- Whois
Another great tool for busting phishing infrastructure. It can reveal the registrar, the registration date and (where it is not redacted) the registrant of a given domain. Newer domains are typically more suspicious, especially in phishing investigations: a domain registered days before the email arrived is a strong signal. Registrant details are often hidden behind privacy services these days, so the creation date, registrar and name servers are usually the most useful fields. There are some use cases for this on the offensive side as well. Perhaps we will discover more about this when we get to targeting domains and their subdomains.
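Turning the "how new is this domain?" check into a repeatable step is easy once the WHOIS text is in hand. The script below is an added example, not output from any WHOIS service: it parses a constructed WHOIS response (the domain, registrar and dates are invented), pulls out the creation date under the few key names registries commonly use, computes the domain's age as of a fixed reference date, and flags both a freshly registered domain and a redacted registrant. The 30-day threshold and the key names are assumptions you would tune for your own triage.

```python
from datetime import datetime, timezone

# Constructed WHOIS output for a hypothetical phishing domain (not a real lookup).
SAMPLE_WHOIS = """\
Domain Name: LOGIN-SECURE-VERIFY.EXAMPLE
Registrar: Example Registrar, Inc.
Creation Date: 2024-04-28T14:02:11Z
Updated Date: 2024-04-28T14:02:11Z
Registry Expiry Date: 2025-04-28T14:02:11Z
Registrant Organization: REDACTED FOR PRIVACY
Registrant Country: REDACTED FOR PRIVACY
Name Server: NS1.EXAMPLE-DNS.NET
"""

# Fixed "now" so the example is reproducible (assumed: the day the email arrived).
REFERENCE_NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)

# Key names different registries/registrars use for the creation date (assumed list).
DATE_KEYS = ("creation date", "created on", "registered on", "created")

# Date layouts seen in WHOIS output (assumed list; extend as you meet new ones).
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ",
                "%Y-%m-%d %H:%M:%S", "%Y-%m-%d", "%d-%b-%Y")


def parse_whois(text: str) -> dict:
    """Turn 'Key: value' lines into a dict of lower-cased key -> value."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def parse_date(value: str):
    """Parse a WHOIS date string; return an aware UTC datetime or None."""
    value = value.strip()
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def creation_date(text: str):
    fields = parse_whois(text)
    for key in DATE_KEYS:
        if fields.get(key):
            return parse_date(fields[key])
    return None


def domain_age_days(text: str, now=None):
    """Whole days between registration and `now`; None if no creation date."""
    created = creation_date(text)
    if created is None:
        return None
    now = now or datetime.now(timezone.utc)
    return (now - created).days


def assess(text: str, now=None, young_days: int = 30) -> list:
    """Return triage findings: newly registered and/or privacy-redacted domain."""
    fields = parse_whois(text)
    age = domain_age_days(text, now)
    findings = []
    if age is None:
        findings.append("no creation date found")
    elif age < young_days:
        findings.append(f"registered {age} days ago (newly registered)")
    registrant = fields.get("registrant organization", "").lower()
    if "redacted" in registrant or "privacy" in registrant:
        findings.append("registrant details redacted")
    return findings


if __name__ == "__main__":
    print(parse_whois(SAMPLE_WHOIS)["domain name"], assess(SAMPLE_WHOIS, REFERENCE_NOW))
```

Feed it the raw text from `whois <domain>` (or the RDAP JSON converted to the same key/value shape) and run `assess()` on every domain in the email's links.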
Are you looking to become a red teamer? Do you get mesmerized when you can just infiltrate systems… ethically, of course! Well, here is a tool that will make your life a little easier by generating payloads, ready to deliver!
You can create any type of reverse or bind shell using this tool. Additionally, it can generate MSFVenom and HoaxShell payloads as well. We will dive deeper into MSFVenom under Red Team Content. It is a pretty cool and very powerful payload generation tool that is part of the Metasploit framework.
9- Google
The best OSINT tool ever. I hope you already know why. There is actually so much more to Google than we typically use. If you have never heard of it before, I highly recommend checking out Google Dorks. The link I shared for Google Dorks is exploit-db, which hosts the Google Hacking Database. It is also a great website for finding vulnerabilities and exploits. Of course, it is often used by black hat hackers as well. Tread carefully on this website.
10- MXToolBox
From investigating a suspicious email domain to troubleshooting why your emails are not being delivered, you can use this tool truly like a toolbox for all things email and DNS. Using the Super Tool, you can check whether a given domain or IP address is blacklisted for naughty behavior in the past. For example, if it was used in a phishing or spam campaign, there is a high chance you will see it listed.
The MX Lookup tool is essential for all email admins: it shows which mail servers accept mail for a domain. The SPF, DKIM and DMARC lookups display the records behind the three protocols that are the backbone of email deliverability and of filtering untrusted messages: SPF lists which hosts may send mail for the domain, DKIM lets the receiver verify a signature over the message, and DMARC tells the receiver what to do when those checks fail (and where to send reports).
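What MXToolbox flags in those lookups can be reproduced offline against the raw TXT records. The example below is added here and is not MXToolbox's code: it parses constructed SPF and DMARC records for two hypothetical domains, one configured well and one badly, and reports the weaknesses a phishing investigation cares about (an SPF record ending in `+all` or `?all`, too many DNS-lookup mechanisms, a DMARC policy of `none`, no reporting address, a partial `pct`). DKIM is left out because it cannot be checked without the selector from an actual message header. The domains and records are invented; in practice you would fill the `RECORDS` dict from a DNS TXT query.

```python
# Constructed DNS TXT records for hypothetical domains (not real lookups).
RECORDS = {
    "example.test": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example ~all",
    "_dmarc.example.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; pct=100",
    "weak.test": "v=spf1 +all",
    "_dmarc.weak.test": "v=DMARC1; p=none",
}

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str):
    """Split an SPF record into lower-cased mechanisms; None if it is not SPF."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    return [p.lower() for p in parts[1:]]


def mech_name(mech: str) -> str:
    """'include:_spf.x' -> 'include', '~all' -> 'all', 'redirect=x' -> 'redirect'."""
    return mech.lstrip("+-~?").split(":")[0].split("=")[0]


def spf_findings(record: str) -> list:
    mechs = parse_spf(record)
    if mechs is None:
        return ["no SPF record"]
    findings = []
    all_mech = next((m for m in mechs if mech_name(m) == "all"), None)
    if all_mech is None:
        findings.append("SPF has no 'all' mechanism; unlisted senders are neutral")
    elif all_mech in ("all", "+all"):
        findings.append("SPF ends in +all: any host may send as this domain")
    elif all_mech == "?all":
        findings.append("SPF ends in ?all (neutral): effectively no protection")
    lookups = sum(1 for m in mechs if mech_name(m) in LOOKUP_MECHS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms (limit is 10; SPF will permerror)")
    return findings


def parse_dmarc(record: str) -> dict:
    """'v=DMARC1; p=reject; rua=...' -> {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> list:
    tags = parse_dmarc(record) if record else {}
    if tags.get("v", "").upper() != "DMARC1":
        return ["no DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: failures are only reported, not blocked")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy missing or invalid: {policy!r}")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports will be received")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of mail")
    return findings


def assess_domain(domain: str, records: dict) -> dict:
    """Combine SPF and DMARC checks for a domain using the given TXT records."""
    return {
        "spf": spf_findings(records.get(domain, "")),
        "dmarc": dmarc_findings(records.get("_dmarc." + domain, "")),
    }


if __name__ == "__main__":
    for d in ("example.test", "weak.test", "missing.test"):
        print(d, assess_domain(d, RECORDS))
```

An empty finding list for both records is what a well-run sender looks like; a lookalike phishing domain usually has no DMARC record at all, which is itself a useful data point when comparing it with the brand it imitates.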
BONUS: Here is your “Swiss knife” OSINT for everything website: OSINT4ALL